Add regula-wasi OPA test infrastructure #67

Open · NikhilVerma wants to merge 1 commit into main from publish

Conversation

NikhilVerma (Contributor) commented Feb 4, 2026

Summary

  • Add regula-wasi dependency for running OPA/Rego policy tests (uses OPA v1.12.2)
  • Add .scripts/run-opa-tests.ts script to run tests across all terraform policies
  • Add npm scripts: test:opa, test:opa:verbose
  • Add CLAUDE.md with project documentation

Test Results

All 73 test directories and 839 IaC configurations pass:

```text
=== Summary ===
Directories: 73
IaC Configs: 839
Passed: 73
Failed: 0

✓ All tests passed!
```

Usage

```bash
# Run all OPA tests
npm run test:opa

# Run with verbose output
npm run test:opa:verbose

# Filter to specific policies
bun ./.scripts/run-opa-tests.ts --filter "AWS Lambda"
bun ./.scripts/run-opa-tests.ts --filter gcp
```

Test plan

  • Verified regula-wasi installs correctly
  • All existing OPA tests pass
  • Script works with filters
  • CI lint checks pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added OPA/Rego policy testing for Terraform configurations with new npm scripts (test:opa and test:opa:verbose).
  • Documentation
    • Added comprehensive project documentation detailing repository structure, policy testing procedures, and available CLI commands.

- Add regula-wasi dependency for running OPA policy tests
- Add .scripts/run-opa-tests.ts to run tests across all policies
- Add npm scripts: test:opa, test:opa:verbose
- Add CLAUDE.md with project documentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
coderabbitai bot commented Feb 4, 2026

Walkthrough

A new OPA test orchestration script was added at .scripts/run-opa-tests.ts that discovers Terraform policy directories containing .rego files, verifies Regula-WASI installation and version compatibility, executes tests via npx regula-wasi test, collects per-directory results including pass/fail status and parsed IaC configuration counts, and outputs a consolidated summary. Supporting changes include documentation in CLAUDE.md describing project structure and testing workflows, plus npm scripts test:opa and test:opa:verbose in package.json, along with the new regula-wasi ^3.2.3 dev dependency.

Poem

🔍 A script born to wrangle the Rego test suite,
Discovering policies scattered in the wild,
Regula-WASI stands ready, precise and astute,
From terraform depths to a summary compiled.
Tests now orchestrated, chaos reconciled ✨

🚥 Pre-merge checks: ✅ 2 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: adding regula-wasi OPA test infrastructure with new test scripts and dependencies.


coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.scripts/run-opa-tests.ts:
- Around line 70-77: The current spawnSync call in .scripts/run-opa-tests.ts
assigns proc to the child result but doesn’t surface spawn errors or timeouts;
update the handling after spawnSync (the proc variable) to explicitly check for
proc.error and for proc.status === null (timeout or killed) and set
result.success = false, populate result.output with proc.stdout/proc.stderr as
before and add a result.error or result.failureReason string that includes
proc.error.message or a clear timeout/killed message (include proc.signal if
present) so failures from missing npx or timeouts are surfaced for callers of
this script.
- Around line 91-116: The code currently allows "--filter" with no following
value which yields null/empty and silently continues; update the parsing around
args, filterIndex and filter so that after computing filterIndex you verify
args[filterIndex + 1] exists and is not another flag (e.g., startsWith("-")),
and if it's missing or invalid print a clear error (e.g., console.error) and
exit(1); apply this validation before using filter to filter testDirs (the block
that sets filter and filters testDirs), keeping references to args, filterIndex,
filter and leaving the rest of the flow (findTestDirectories and TERRAFORM_DIR
usage) unchanged.

In `@CLAUDE.md`:
- Around line 7-17: The fenced code block containing the project tree in
CLAUDE.md is missing a language tag (MD040); update the opening fence from ```
to ```text (or another suitable info string) so the block is recognized as a
text code fence; ensure only the opening fence is changed and the rest of the
block content (the tree lines) remains unchanged.
🧹 Nitpick comments (1)
.scripts/run-opa-tests.ts (1)

20-20: Use path.relative for cross‑platform paths.
String replace breaks on Windows separators.

Proposed fix
-import { join, dirname } from "path";
+import { join, dirname, relative } from "path";
@@
-		const relativePath = dir.replace(TERRAFORM_DIR + "/", "");
+		const relativePath = relative(TERRAFORM_DIR, dir);
@@
-				const relativePath = result.path.replace(TERRAFORM_DIR + "/", "");
+				const relativePath = relative(TERRAFORM_DIR, result.path);
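Review bot: the `relative()` replacements in this hunk fix the separator problem, but on Windows `relative` itself returns backslash-separated paths, so if these relative paths are later compared against or printed next to POSIX-style strings (a `--filter` value, a path in documentation) they will still differ per platform; normalise with `relative(TERRAFORM_DIR, dir).split(sep).join("/")` where stable output matters.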

Also applies to: 131-133, 160-163

Comment on lines +70 to +77
const proc = spawnSync("npx", ["regula-wasi", "test", dir], {
encoding: "utf-8",
timeout: 120000,
cwd: process.cwd()
});

result.output = (proc.stdout || "") + (proc.stderr || "");
result.success = proc.status === 0;
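Review bot: `spawnSync("npx", ["regula-wasi", "test", dir], …)` at the top of this region resolves the binary through npx rather than the project's own `node_modules/.bin`; because stdin of the child is a pipe rather than a TTY, a missing dev dependency makes npx install a package from the registry on demand instead of failing, which silently widens the supply chain of a test run beyond the `regula-wasi ^3.2.3` declared in package.json. Invoking the locally installed binary directly (or disabling npx's on-demand install) keeps the run pinned to the declared dependency. `cwd: process.cwd()` is also the default and can be dropped.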

⚠️ Potential issue | 🟡 Minor

Handle spawnSync errors/timeouts explicitly.
If npx is missing or a timeout occurs, proc.error/proc.status === null should be surfaced.

Proposed fix
 	const proc = spawnSync("npx", ["regula-wasi", "test", dir], {
 		encoding: "utf-8",
 		timeout: 120000,
 		cwd: process.cwd()
 	});
 
-	result.output = (proc.stdout || "") + (proc.stderr || "");
-	result.success = proc.status === 0;
+	if (proc.error) {
+		result.output = String(proc.error);
+		return result;
+	}
+	if (proc.status === null) {
+		result.output = (proc.stdout || "") + (proc.stderr || "") + "\nProcess terminated (timeout or signal).";
+		return result;
+	}
+	result.output = (proc.stdout || "") + (proc.stderr || "");
+	result.success = proc.status === 0;
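Review bot: neither early-return branch in the proposed fix sets `result.success = false` explicitly, so correctness depends on the initial value of `result`, which is not visible in this hunk. More importantly, Node reports a timeout through `proc.error` (code `ETIMEDOUT`, status null, signal set), so the `proc.error` branch catches timeouts first and the `proc.status === null` branch is effectively reached only for other signals; the `proc.error` branch then replaces the output with `String(proc.error)` and drops whatever stdout/stderr the child produced before it was killed. Suggest keeping the captured output in both branches and appending the diagnosis, e.g. `result.output = (proc.stdout || "") + (proc.stderr || "") + "\nSpawn error: " + proc.error.message + " (signal: " + proc.signal + ")";`.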

Comment on lines +91 to +116
const filterIndex = args.indexOf("--filter");
const filter = filterIndex !== -1 ? args[filterIndex + 1] : null;

console.log("=== Regula OPA Test Runner ===\n");

// Check regula-wasi version
const versionProc = spawnSync("npx", ["regula-wasi", "version"], {
encoding: "utf-8",
timeout: 30000
});

if (versionProc.status !== 0) {
console.error("Error: regula-wasi is not installed. Run: npm install --save-dev regula-wasi");
process.exit(1);
}

const versionOutput = (versionProc.stdout || "") + (versionProc.stderr || "");
const opaVersion = versionOutput.match(/OPA v([\d.]+)/)?.[1] || "unknown";
console.log(`Using regula-wasi with OPA v${opaVersion}\n`);

// Find all test directories
let testDirs = findTestDirectories(TERRAFORM_DIR);

if (filter) {
testDirs = testDirs.filter(d => d.toLowerCase().includes(filter.toLowerCase()));
console.log(`Filtering to ${testDirs.length} directories matching: ${filter}\n`);
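Review bot: the `versionProc.status !== 0` check at the top of the version probe reports "regula-wasi is not installed" for any non-zero exit (a broken wasm runtime, a failed npx download), which misleads whoever reads the error; include `versionProc.stderr` in the message. The regex fallback to `"unknown"` also means a version string that does not match `OPA v…` is merely logged, while the PR description states the tests rely on OPA v1.12.2; if that version matters for policy semantics, fail or at least warn when `opaVersion` is `"unknown"` or differs from the expected one. Finally, the filter is applied to the full path returned by `findTestDirectories(TERRAFORM_DIR)`, so a value that happens to occur in the checkout path above `terraform/` matches every directory; compare against the path relative to `TERRAFORM_DIR` instead.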

⚠️ Potential issue | 🟡 Minor

Guard against --filter without a value.
Right now it silently becomes falsy; better to fail fast.

Proposed fix
 	const verbose = args.includes("--verbose");
 	const filterIndex = args.indexOf("--filter");
-	const filter = filterIndex !== -1 ? args[filterIndex + 1] : null;
+	const filter = filterIndex !== -1 ? args[filterIndex + 1] : null;
+	if (filterIndex !== -1 && !filter) {
+		console.error("Error: --filter requires a value.");
+		process.exit(1);
+	}
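Review bot: `!filter` in the proposed fix catches a missing or empty value but not `--filter --verbose`, where `--verbose` is consumed as the filter value (and the verbose flag still takes effect only because `args.includes` scans the whole array); add the `startsWith("-")` check the agent prompt proposes, i.e. `if (filterIndex !== -1 && (!filter || filter.startsWith("-")))`.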

Comment on lines +7 to +17
```
starchitect-cloudguard/
├── terraform/ # OPA/Rego security policies (IaC scanning)
│ ├── aws/ # AWS policies (66 service categories)
│ └── gcp/ # GCP policies (11 service categories)
├── runtime/ # TypeScript runtime checks (live cloud API)
│ ├── aws/ # AWS runtime checks with tests
│ └── gcp/ # GCP runtime checks with tests
├── cli/ # CLI application (oclif-based)
└── .scripts/ # Build and test scripts
```

⚠️ Potential issue | 🟡 Minor

Add a language to the fenced block.
MD040 warning; use text (or similar).

Proposed fix
-```
+```text
 starchitect-cloudguard/
 ├── terraform/              # OPA/Rego security policies (IaC scanning)
 │   ├── aws/               # AWS policies (66 service categories)
 │   └── gcp/               # GCP policies (11 service categories)
 ├── runtime/               # TypeScript runtime checks (live cloud API)
 │   ├── aws/               # AWS runtime checks with tests
 │   └── gcp/               # GCP runtime checks with tests
 ├── cli/                   # CLI application (oclif-based)
 └── .scripts/              # Build and test scripts
</details>

🧰 Tools
🪛 markdownlint-cli2 (0.20.0)
[warning] 7-7: Fenced code blocks should have a language specified (MD040, fenced-code-language)

