StyraOSS · andreaTP · Jan 6, 2026 · Jan 5, 2026 · Jan 5, 2026 · Jan 5, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -43,7 +43,7 @@ jobs:
       matrix:
         java-version: [11, 17, 21]
         opa-version:
-        - 0.70.0 # latest
+        - 1.12.1 # latest
 
     steps:
     - uses: actions/checkout@v6

diff --git a/core/src/test/java/com/styra/opa/wasm/testcases/Case.java b/core/src/test/java/com/styra/opa/wasm/testcases/Case.java
@@ -32,6 +32,9 @@ public class Case {
     @JsonProperty("wasm")
     private String wasm;
 
+    @JsonProperty("ignore_generated_vars")
+    private boolean ignoreGeneratedVars;
+
     Case() {}
 
     public String note() {
@@ -70,6 +73,10 @@ public String wasm() {
         return wasm;
     }
 
+    public boolean ignoreGeneratedVars() {
+        return ignoreGeneratedVars;
+    }
+
     @Override
     public String toString() {
         return "Case{"

diff --git a/core/src/test/resources/fixtures/base/policy.rego b/core/src/test/resources/fixtures/base/policy.rego
@@ -1,8 +1,8 @@
 package opa.wasm.test
 
-default allowed = false
+default allowed := false
 
-allowed {
+allowed if {
     user := input.user
     data.role[user] == "admin"
 }
diff --git a/core/src/test/resources/fixtures/custom-builtins/capabilities.json b/core/src/test/resources/fixtures/custom-builtins/capabilities.json
@@ -1,4 +1,5 @@
 {
+  "features": ["rego_v1"],
   "builtins": [
     {
       "name": "custom.zeroArgBuiltin",

diff --git a/core/src/test/resources/fixtures/custom-builtins/custom-builtins-policy.rego b/core/src/test/resources/fixtures/custom-builtins/custom-builtins-policy.rego
@@ -1,25 +1,27 @@
 package custom_builtins
 
-zero_arg = x {
-  x = custom.zeroArgBuiltin()
-}
+zero_arg := custom.zeroArgBuiltin()
 
-one_arg = x {
-    x = custom.oneArgBuiltin(input.args[0])
-}
+one_arg := custom.oneArgBuiltin(input.args[0])
 
-two_arg = x {
-    x = custom.twoArgBuiltin(input.args[0], input.args[1])
-}
+two_arg := custom.twoArgBuiltin(
+    input.args[0],
+    input.args[1],
+)
 
-three_arg = x {
-    x = custom.threeArgBuiltin(input.args[0], input.args[1], input.args[2])
-}
+three_arg := custom.threeArgBuiltin(
+    input.args[0],
+    input.args[1],
+    input.args[2],
+)
 
-four_arg = x {
-    x = custom.fourArgBuiltin(input.args[0], input.args[1], input.args[2], input.args[3])
-}
+four_arg := custom.fourArgBuiltin(
+    input.args[0],
+    input.args[1],
+    input.args[2],
+    input.args[3],
+)
 
-valid_json {
+valid_json if {
     json.is_valid("{}")
 }
diff --git a/core/src/test/resources/fixtures/issue78-sprintf/policy.rego b/core/src/test/resources/fixtures/issue78-sprintf/policy.rego
@@ -3,7 +3,7 @@ package armo_builtins
 
 ################################################################################
 # Rules
-deny[msga] {
+deny contains msga if {
     pod := input[_]
     pod.kind == "Pod"
 	container := pod.spec.containers[i]
@@ -29,7 +29,7 @@ deny[msga] {
 }
 
 
-deny[msga] {
+deny contains msga if {
     wl := input[_]
 	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
 	spec_template_spec_patterns[wl.kind]
@@ -56,7 +56,7 @@ deny[msga] {
 }
 
 # Fails if cronjob has a container configured to run as root
-deny[msga] {
+deny contains msga if {
 	wl := input[_]
 	wl.kind == "CronJob"
 	container = wl.spec.jobTemplate.spec.template.spec.containers[i]
@@ -83,7 +83,7 @@ deny[msga] {
 }
 
 
-get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}, {"path":replace(all_fixpaths[1].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[1].value}]{
+get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}, {"path":replace(all_fixpaths[1].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[1].value}] if {
 	count(all_fixpaths) == 2
 } else = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}]
 
@@ -93,7 +93,7 @@ get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"contai
 # if runAsUser is set to 0 and runAsNonRoot is set to false/ not set - suggest to set runAsUser to 1000
 # if runAsUser is not set and runAsNonRoot is set to false/ not set - suggest to set runAsNonRoot to true
 # all checks are both on the pod and the container level
-evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath {
+evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath if {
 	runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path)
 	runAsNonRootValue.value == false
 
@@ -107,7 +107,7 @@ evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath {
 
 # if runAsGroup is set to 0/ not set - suggest to set runAsGroup to 1000
 # all checks are both on the pod and the container level
-evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath {
+evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath if {
 	runAsGroupValue := get_run_as_group_value(container, pod, start_of_path)
 	runAsGroupValue.value == 0
 
@@ -119,32 +119,32 @@ evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath {
 # Value resolution functions
 
 
-get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot {
+get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot if {
     runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
-} else = runAsNonRoot {
+} else = runAsNonRoot if {
     runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
 }  else = {"value" : false, "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}], "defined" : false}
 
-get_run_as_user_value(container, pod, start_of_path) = runAsUser {
+get_run_as_user_value(container, pod, start_of_path) = runAsUser if {
 	path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path])
     runAsUser := {"value" : container.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}], "defined" : true}
-} else = runAsUser {
+} else = runAsUser if {
 	path := sprintf("%v.securityContext.runAsUser", [start_of_path])
     runAsUser := {"value" : pod.spec.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
 } else = {"value" : 0, "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],
 	"defined" : false}
 
-get_run_as_group_value(container, pod, start_of_path) = runAsGroup {
+get_run_as_group_value(container, pod, start_of_path) = runAsGroup if {
 	path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
     runAsGroup := {"value" : container.securityContext.runAsGroup, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
-} else = runAsGroup {
+} else = runAsGroup if {
 	path := sprintf("%v.securityContext.runAsGroup", [start_of_path])
     runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "fixPath":[{"path": path, "value": "1000"}], "defined" : true}
 } else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]), "value":"1000"}],
  	"defined" : false
 }
 
-choose_first_if_defined(l1, l2) = c {
+choose_first_if_defined(l1, l2) = c if {
     l1.defined
     c := l1
 } else = l2
diff --git a/core/src/test/resources/fixtures/memory/policy.rego b/core/src/test/resources/fixtures/memory/policy.rego
@@ -1,5 +1,7 @@
 package test
 
-default allow = false
+default allow := false
 
-allow { input == "open sesame" }
+allow if {
+    input == "open sesame"
+}
diff --git a/core/src/test/resources/fixtures/multiple-entrypoints/example-one.rego b/core/src/test/resources/fixtures/multiple-entrypoints/example-one.rego
@@ -2,14 +2,13 @@ package example.one
 
 import data.example.one.myCompositeRule
 
-default myRule = false
+default myRule := false
+default myOtherRule := false
 
-default myOtherRule = false
-
-myRule {
-	input.someProp == "thisValue"
+myRule if {
+    input.someProp == "thisValue"
 }
 
-myOtherRule {
-	input.anotherProp == "thatValue"
+myOtherRule if {
+    input.anotherProp == "thatValue"
 }
diff --git a/core/src/test/resources/fixtures/multiple-entrypoints/example-two.rego b/core/src/test/resources/fixtures/multiple-entrypoints/example-two.rego
@@ -2,14 +2,13 @@ package example.two
 
 import data.example.two.coolRule
 
-default theirRule = false
+default theirRule := false
+default ourRule := false
 
-default ourRule = false
-
-theirRule {
-	input.anyProp == "aValue"
+theirRule if {
+    input.anyProp == "aValue"
 }
 
-ourRule {
-	input.ourProp == "inTheMiddleOfTheStreet"
+ourRule if {
+    input.ourProp == "inTheMiddleOfTheStreet"
 }
diff --git a/core/src/test/resources/fixtures/string-builtins/policy.rego b/core/src/test/resources/fixtures/string-builtins/policy.rego
@@ -1,13 +1,13 @@
 package string_builtins
 
-invoke_sprintf = x {
-   x = { "printed": sprintf("hello %s your number is %d!", ["user", 321]) }
+invoke_sprintf := {
+  "printed": sprintf("hello %s your number is %d!", ["user", 321])
 }
 
-integer_fastpath = x {
-   x = { "printed": sprintf("%d", [123]) }
+integer_fastpath := {
+  "printed": sprintf("%d", [123])
 }
 
-string_example = x {
-   x = { "printed": sprintf("%s", ["my string"]) }
+string_example := {
+  "printed": sprintf("%s", ["my string"])
 }
diff --git a/core/src/test/resources/fixtures/stringified-support/stringified-support-policy.rego b/core/src/test/resources/fixtures/stringified-support/stringified-support-policy.rego
@@ -1,26 +1,26 @@
 package stringified.support
 
-default hasPermission = false
-default plainInputBoolean = false
-default plainInputNumber = false
-default plainInputString = false
+default hasPermission := false
+default plainInputBoolean := false
+default plainInputNumber := false
+default plainInputString := false
 
-hasPermission {
+hasPermission if {
     input.secret == data.secret
 }
 
-hasPermission {
+hasPermission if {
     input.permissions[_] == data.roles["1"].permissions[_].id
 }
 
-plainInputBoolean {
-    input = true
+plainInputBoolean if {
+    input == true
 }
 
-plainInputNumber {
-    input = 5
+plainInputNumber if {
+    input == 5
 }
 
-plainInputString {
-    input = "test"
-}
+plainInputString if {
+    input == "test"
+}
diff --git a/core/src/test/resources/fixtures/yaml-support/yaml-support-policy.rego b/core/src/test/resources/fixtures/yaml-support/yaml-support-policy.rego
@@ -22,37 +22,37 @@ x-amazon-apigateway-policy:
       Resource: '*'
 `
 
-canParseYAML {
+canParseYAML if {
 	resource := yaml.unmarshal(fixture)
 	resource.info.title == "test"
 }
 
-hasSemanticError {
+hasSemanticError if {
 	# see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L22
 	yaml.unmarshal("a:\n\t1\nb:\n\t2\n")
 }
 
-hasSyntaxError {
+hasSyntaxError if {
 	# see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L49
 	yaml.unmarshal("{ , }\n---\n{ 123,,, }\n")
 }
 
-hasReferenceError {
+hasReferenceError if {
 	# see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L245
 	yaml.unmarshal("{ , }\n---\n{ 123,,, }\n")
 }
 
-hasYAMLWarning {
+hasYAMLWarning if {
 	# see: https://github.com/eemeli/yaml/blob/395f892ec9a26b9038c8db388b675c3281ab8cd3/tests/doc/errors.js#L224
 	yaml.unmarshal("%FOO\n---bar\n")
 }
 
-canMarshalYAML[x] {
+canMarshalYAML contains x if {
 	string := yaml.marshal(input)
 	x := yaml.unmarshal(string)
 }
 
-isValidYAML {
+isValidYAML if {
 	yaml.is_valid(fixture) == true
 	yaml.is_valid("foo: {") == false
 	yaml.is_valid("{\"foo\": \"bar\"}") == true