Author, validate, debug, and explain OPA Rego policies through any MCP-compatible client.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"opa": {
"env": {
"OPA_URL": "http://localhost:8181",
"OPA_BINARY": "/usr/local/bin/opa",
"REGAL_BINARY": "/usr/local/bin/regal",
"OPA_MCP_ALLOWED_PATHS": "/path/to/your/policies"
},
"args": [
"-y",
"@orygn/opa-mcp"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
A Model Context Protocol (MCP) server that turns any MCP-compatible client (Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, Zed, and others) into a first-class Open Policy Agent and Rego authoring
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@orygn/opa-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked @orygn/opa-mcp against OSV.dev.
Click any tool to inspect its schema.
OPA Built-in FunctionsCatalog of OPA built-in functions
opa://builtins
Rego Style GuideOfficial Rego style guide formatted for LLMs
opa://style-guide
Pattern LibraryCurated pattern library covering RBAC, ABAC, Kubernetes admission, IaC gates, API authz, and rate limiting
opa://patterns
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in other
Compress tool outputs, logs, files, and RAG chunks before they reach the LLM. 60-95% fewer tokens, same answers. Library, proxy, MCP server.
Pi Coding Agent extension (CLI-first) — routes bash/read/grep/find/ls through lean-ctx CLI for strong token savings. Optional MCP bridge can register advanced tools.
97% token reduction for AI coding sessions — zero deps, 21 languages, MCP server
Autonomous spec-to-product coding-agent CLI with an MCP server exposing 34 tools over stdio.
MCP Security Weekly
Get CVE alerts and security updates for io.github.OrygnsCode/opa-mcp and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
A Model Context Protocol (MCP) server that turns any MCP-compatible client (Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, Zed, and others) into a first-class Open Policy Agent and Rego authoring environment.
+--------------------+ MCP/stdio +-----------------+ spawn/HTTP +---------------------+
| Claude · Cursor · |----------> | @orygn/opa-mcp |----------> | opa · regal |
| VS Code · ... |<---------- | |<---------- | conftest · REST API |
+--------------------+ 52 tools +-----------------+ +---------------------+
Status: v0.2.1. Tool surface, error codes, and environment variables follow SemVer from v0.1.0 forward.
Once an MCP client is connected, an agent can:
opa fmt and opa parse so output is byte-identical to
what you'd get on the command line, and regal (optional) surfaces
idiomatic suggestions.--explain, --profile, and --coverage flags
surface execution traces, hot rules, and per-line coverage.rego_explain_decision walks the agent through every
rule that fired (and every one that didn't), so it can answer "why was
this rejected" without you reading the trace by hand.opa run --server or a production deployment with bearer-token auth..tar.gz
the agent can hand to your delivery system.rego_lint runs Regal across a directory or a single file
and returns categorized findings (style, bugs, performance, idioms).A walk-through of a typical session lives in Cookbook.
OPA already has a perfectly good CLI and REST API. So why an MCP wrapper?
rego_eval gets a
validated input schema, a structured output envelope, and stable error
codes, instead of parsing free-form CLI text and inventing its own
failure taxonomy. That alone makes Rego usable to an agent the way a
langu