MapColonies · CptSchnitz · Jun 14, 2026 · Jun 14, 2026 · Jun 15, 2026 · Jun 16, 2026
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -85,3 +85,26 @@ jobs:
 
       - name: Run knip
         run: pnpm run knip
+  lint-rego:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: open-policy-agent/setup-regal@v2.0.0
+        with:
+          version: 0.41.1
+
+      - name: Lint
+        run: regal lint --format=github ./policy
+  test-rego:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v6
+
+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v2
+        with:
+          version: 1.17.1
+
+      - name: Run OPA Tests
+        run: opa test ./policy -v
diff --git a/.regal/config.yaml b/.regal/config.yaml
@@ -0,0 +1,17 @@
+rules:
+  imports:
+    unresolved-reference:
+      level: error
+      except-paths:
+        - data.keys
+        - data.possibleLocations
+        - data.users
+        - data.keys.kid
+        - data.users.avi.allowNoBrowser
+        - data.users.avi.allowNoOrigin
+  style:
+    line-length:
+      level: ignore
+  idiomatic:
+    directory-package-mismatch:
+      level: ignore
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -10,5 +10,7 @@
   ],
   "[github-actions-workflow]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
-  }
+  },
+  "opa.dependency_paths.opa": "${workspaceFolder}/policy/opa",
+  "opa.dependency_paths.regal": "${workspaceFolder}/policy/regal"
 }
diff --git a/example/README.md b/example/README.md
diff --git a/example/data/policy.rego b/example/data/policy.rego
diff --git a/example/nginx/Dockerfile b/example/nginx/Dockerfile
diff --git a/example/nginx/auth.js b/example/nginx/auth.js
diff --git a/example/nginx/default.conf b/example/nginx/default.conf
diff --git a/example/nginx/nginx.conf b/example/nginx/nginx.conf
diff --git a/example/opa.yaml b/example/opa.yaml
diff --git a/policy/.gitignore b/policy/.gitignore
@@ -0,0 +1,2 @@
+regal
+opa
diff --git a/policy/Makefile b/policy/Makefile
@@ -0,0 +1,19 @@
+.PHONY: lint test check all
+
+all: lint check test
+
+lint:
+	./regal lint .
+
+check:
+	./opa check . --strict
+
+test:
+	./opa test . -v
+
+init:
+	curl -L -o regal https://github.com/open-policy-agent/regal/releases/download/v0.41.1/regal_Linux_x86_64
+	chmod 755 ./regal
+	curl -L -o opa https://openpolicyagent.org/downloads/v1.17.1/opa_linux_amd64_static
+	chmod 755 ./opa
+
diff --git a/example/data/data.json → policy/data.json b/example/data/data.json → policy/data.json
diff --git a/example/data/logs.rego → policy/logs.rego b/example/data/logs.rego → policy/logs.rego
@@ -1,7 +1,8 @@
 package system.log
 
 # Mask the 'token' field in the query parameters
-mask contains "/input/query/token" 
+mask contains "/input/query/token"
+
 # Mask the 'x-api-key' field in the headers parameters
 mask contains "/input/headers/x-api-key"