Tessera

OPA / Rego v1 · Regorus

Rego v1 policy authored and `opa test`-ed, evaluated at the edge by Microsoft Regorus (pure-Rust Rego), fail-closed.

Policy-as-code in Tessera is authored as OPA Rego v1 (OPA 1.0, Jan 2025, where `if` and `contains` are mandatory) and unit-tested with `opa test`, linted with Regal, and checked with conftest over Terraform plan JSON. At runtime, however, the edge cannot nest OPA-compiled WASM inside a V8 Worker, so evaluation is done by Regorus, Microsoft's pure-Rust Rego interpreter, which compiles to wasm32 and becomes the Worker itself.

The policy is role-centric RBAC-A: a role sets the envelope and ABAC may only narrow it. `default allow := false`, and the policy-enforcement point (the edge Worker) fails closed on any error, timeout, or undefined result. Because Regorus has no decision-log plugin, the Rust host emits OPA-shaped decision logs, with masking applied before anything leaves the edge.

Code

```rego
# Rego v1: `if` / `contains` mandatory. Default-deny; role-centric RBAC-A
# where ABAC may only narrow, never expand.
package authz

default allow := false

# The role must permit the request AND every applicable ABAC constraint must hold.
allow if {
    role_permits
    every constraint in abac_constraints { constraint }
}

# A role permits the request when the role/action/resource-type lookup is true.
role_permits if {
    some role in input.subject.roles
    data.role_permissions[role][input.action][input.resource.type]
}

# `abac_constraints` is a set of booleans, one per applicable ABAC check; its
# rules are not shown in this excerpt.
```
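The snippet above leaves `abac_constraints` undefined. The following is an added example, not Tessera's own policy, that completes the pattern: the ABAC rules contribute one boolean each, a missing required input field contributes `false` so a check can never silently fall away, the clock is read from an injected `input.context.now_ns` instead of `time.now_ns()`, and `opa test` cases pin the behaviour down. Role names, resource types and the field names `input.context.now_ns` and `input.subject.expires_ns` are assumed for illustration; the syntax needs OPA 1.0 or later.

```rego
package authz

# Added example, not Tessera's policy. Role names, resource types and the
# input field names (input.context.now_ns, input.subject.expires_ns) are
# assumed for illustration. Rego v1 syntax: OPA 1.0+ (or `import rego.v1`).

default allow := false

# The role sets the envelope; every applicable ABAC constraint must hold.
allow if {
    role_permits
    every constraint in abac_constraints { constraint }
}

role_permits if {
    some role in input.subject.roles
    data.role_permissions[role][input.action][input.resource.type]
}

# abac_constraints is a set of booleans, one per applicable check. A check
# that does not apply contributes nothing (so it can never widen the role's
# envelope); an applicable check that fails contributes `false`, which blocks
# `allow` through the `every` above.

# Fields the host must always supply. A missing field contributes `false`
# instead of letting a check silently fall away (fail closed).
required_fields := [["subject", "tenant"], ["resource", "tenant"], ["context", "now_ns"]]

abac_constraints contains false if {
    some path in required_fields
    object.get(input, path, null) == null
}

# Tenant isolation applies to every request.
abac_constraints contains ok if {
    ok := input.subject.tenant == input.resource.tenant
}

# Only the owner may change a document; reads stay at the role's discretion.
abac_constraints contains ok if {
    input.resource.type == "document"
    input.action in {"update", "delete"}
    ok := input.subject.id == input.resource.owner
}

# Time-bounded sessions use the clock the host injects as input.context.now_ns
# rather than time.now_ns(), keeping evaluation deterministic and testable.
abac_constraints contains ok if {
    input.subject.expires_ns
    ok := input.context.now_ns < input.subject.expires_ns
}

# ---- unit tests: `opa test -v .` runs every rule named test_* ----

# Constructed fixtures.
perms := {
    "editor": {"read": {"document": true}, "update": {"document": true}},
    "viewer": {"read": {"document": true}},
}

base := {
    "subject": {"id": "u1", "tenant": "t1", "roles": ["editor"]},
    "action": "update",
    "resource": {"type": "document", "tenant": "t1", "owner": "u1"},
    "context": {"now_ns": 1000},
}

test_owner_update_allowed if {
    allow with input as base with data.role_permissions as perms
}

test_non_owner_update_denied if {
    not allow with input as object.union(base, {"resource": {"type": "document", "tenant": "t1", "owner": "u2"}})
        with data.role_permissions as perms
}

test_cross_tenant_denied if {
    not allow with input as object.union(base, {"resource": {"type": "document", "tenant": "t2", "owner": "u1"}})
        with data.role_permissions as perms
}

# ABAC cannot expand the envelope: the owner is still denied without the role.
test_viewer_update_denied if {
    not allow with input as object.union(base, {"subject": {"id": "u1", "tenant": "t1", "roles": ["viewer"]}})
        with data.role_permissions as perms
}

test_missing_clock_fails_closed if {
    not allow with input as object.remove(base, {"context"}) with data.role_permissions as perms
}

test_expired_session_denied if {
    not allow with input as object.union(base, {"subject": {"id": "u1", "tenant": "t1", "roles": ["editor"], "expires_ns": 500}})
        with data.role_permissions as perms
}
```

The `required_fields` rule is the part worth copying: without it, a request that omits `context` would make the time constraint's body undefined, the set would simply lack that element, and `every` would pass on the role alone. Turning "field absent" into an explicit `false` keeps the policy itself fail-closed, independently of the PEP's own error handling.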

Standards it follows

Regorus (Rust-native Rego)
https://github.com/microsoft/regorus

Best practices applied

  • Author all policy in Rego v1 (`if`/`contains` mandatory) and gate CI with `opa fmt --rego-v1`, then `opa check --strict`, then Regal.
  • Default `allow := false` and have the PEP fail closed on any error, timeout, or undefined decision.
  • Evaluate at the edge with Regorus (pure-Rust Rego that compiles to wasm32 and is the Worker), pinned and gated behind a conformance suite, since it is pre-1.0.
  • Inject time, random values and HTTP results as `input`/`data` to keep evaluation deterministic; Regorus does not perform network calls or non-deterministic operations.
  • Emit decision logs from the Rust host (Regorus has no decision-log plugin), mirroring OPA's event shape, with masking applied before logs leave the Worker.
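OPA expresses decision-log masking as a policy of its own, `data.system.log.mask`, which receives the whole decision event as `input` and returns JSON-Pointer paths to erase or `{"op": "upsert", ...}` objects to overwrite. The block below is an added example, not Tessera's code: it assumes the Rust host, having no OPA decision-log plugin, evaluates such a rule with Regorus over each event before it leaves the Worker; the page does not say how Tessera's host masks, and the event field names used here are assumed.

```rego
package system.log

# Added example, not Tessera's code. Follows OPA's decision-log masking
# convention: this rule sees the whole decision event as `input`, so the
# original request sits under input.input. Field names are assumed.

# Bearer credentials never reach the log, whatever the decision was.
mask contains "/input/subject/token"

# Keep the e-mail field visible but redact its value; only emitted when the
# field was present, so the masker never upserts into a missing object.
mask contains {"op": "upsert", "path": "/input/subject/email", "value": "***"} if {
    input.input.subject.email
}

# Debugging context stays on denials (useful for triage) and is erased on
# allows, which are the bulk of the log volume.
mask contains "/input/context/debug" if {
    input.result == true
}

# ---- unit tests for `opa test` ----
test_allowed_event_masks_all if {
    event := {"input": {"subject": {"token": "t", "email": "a@example.test"}, "context": {"debug": {}}}, "result": true}
    m := mask with input as event
    "/input/subject/token" in m
    "/input/context/debug" in m
    {"op": "upsert", "path": "/input/subject/email", "value": "***"} in m
}

test_denied_event_keeps_debug if {
    m := mask with input as {"input": {"subject": {}}, "result": false}
    m == {"/input/subject/token"}
}
```

Keeping the mask in Rego rather than hard-coding it in the host means the same `opa test` and Regal gates that cover `authz` also cover what the logs may contain, and a masking regression shows up in CI rather than in a log store.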