feat: add kosli evaluate input subcommand (#743)

- Adds `kosli evaluate input` — evaluate a local JSON file (or stdin) against a Rego policy, with no API dependency
- Enables local policy development and testing without needing a running Kosli server
- Input shape is opaque to the command — the policy defines what it expects

Prompted by [this discussion](https://kosli-internal.slack.com/archives/C08R3H7TQPQ/p1774640547890899) where we realised `kosli evaluate trail` always hits the API, so there's no way to iterate on policies locally. Dan raised conftest as the alternative, but our tooling should support this natively — Rego is our language choice, and local testing should be turnkey.

In response to Alex's [comparison of Rego vs pipeline controls](https://kosli-internal.slack.com/archives/C08R3H7TQPQ/p1774638408769049) — as more controls move into `kosli evaluate`, a fast local feedback loop becomes essential.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

Author: 3 people

TODO.md

@@ -34,3 +34,16 @@
 - [x] Slice 17: Align test method naming
 - [x] Slice 18: Fail evaluation when rehydration errors occur (instead of silently swallowing them)
 - [x] Slice 19: Add Long descriptions, Example blocks, and docs feedback (policy contract hint, snyk trail example)
+
+## kosli evaluate input
+
+- [x] Slice 1: `evaluate input --input-file` with a file path
+- [x] Slice 2: stdin support (omit --input-file to read stdin; `-` not supported by cobra)
+- [x] Slice 3: help text and examples
+- [x] Slice 4: PR review feedback
+  - [x] Remove "using OPA" from all evaluate command long descriptions
+  - [x] Add test cases for policy validation errors (missing package policy, missing allow rule, deny without violations)
+  - [x] Update help text examples with fixture-capture workflow
+  - [x] Refactor: use `cmd.InOrStdin()` for testable stdin
+  - [x] Refactor: embed `commonEvaluateOptions` to remove flag duplication
+- [x] Slice 5: Detect terminal stdin and error when no input is piped

cmd/kosli/evaluate.go

@@ -6,13 +6,16 @@ import (
 	"github.com/spf13/cobra"
 )
 
-const evaluateShortDesc = `Evaluate Kosli trail data against OPA/Rego policies.`
+const evaluateShortDesc = `Evaluate data against Rego policies.`
 
 // Backtick breaks (`"` + "`x`" + `"`) are needed to embed markdown
 // inline code spans inside raw string literals.
 const evaluateLongDesc = evaluateShortDesc + `
-Fetch trail data from Kosli and evaluate it against custom policies written
-in Rego, the policy language used by Open Policy Agent (OPA).
+Evaluate trail data or local JSON input against custom Rego policies.
+
+Use ` + "`evaluate trail`" + ` or ` + "`evaluate trails`" + ` to fetch data from Kosli and evaluate it.
+Use ` + "`evaluate input`" + ` to evaluate a local JSON file or stdin without any API calls.
+
 The policy must use ` + "`package policy`" + ` and define an ` + "`allow`" + ` rule.
 An optional ` + "`violations`" + ` rule (a set of strings) can provide human-readable denial reasons.
 The command exits with code 0 when allowed and code 1 when denied.`
@@ -28,6 +31,7 @@ func newEvaluateCmd(out io.Writer) *cobra.Command {
 	cmd.AddCommand(
 		newEvaluateTrailCmd(out),
 		newEvaluateTrailsCmd(out),
+		newEvaluateInputCmd(out),
 	)
 
 	return cmd

cmd/kosli/evaluateHelpers.go

@@ -28,11 +28,6 @@ func (o *commonEvaluateOptions) addFlags(cmd *cobra.Command, policyDesc string)
 	cmd.Flags().StringVarP(&o.output, "output", "o", "table", outputFlag)
 	cmd.Flags().BoolVar(&o.showInput, "show-input", false, "[optional] Include the policy input data in the output.")
 	cmd.Flags().StringSliceVar(&o.attestations, "attestations", nil, "[optional] Limit which attestations are included. Plain name for trail-level, dot-qualified (artifact.name) for artifact-level.")
-
-	err := RequireFlags(cmd, []string{"flow", "policy"})
-	if err != nil {
-		logger.Error("failed to configure required flags: %v", err)
-	}
 }
 
 func fetchAndEnrichTrail(flowName, trailName string, attestations []string) (interface{}, error) {

cmd/kosli/evaluateInput.go

@@ -0,0 +1,119 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/term"
+)
+
+type evaluateInputOptions struct {
+	commonEvaluateOptions
+	inputFile string
+}
+
+const evaluateInputShortDesc = `Evaluate a local JSON input against a Rego policy.`
+
+const evaluateInputLongDesc = evaluateInputShortDesc + `
+Read JSON from a file or stdin and evaluate it against a Rego policy.
+The input file should contain the raw JSON object your policy expects —
+not the wrapper produced by ` + "`--show-input`" + `. Use ` + "`jq '.input'`" + ` to extract
+the policy input from a ` + "`--show-input --output json`" + ` capture.
+
+The policy must use ` + "`package policy`" + ` and define an ` + "`allow`" + ` rule.
+An optional ` + "`violations`" + ` rule (a set of strings) can provide human-readable denial reasons.
+The command exits with code 0 when allowed and code 1 when denied.
+
+When ` + "`--input-file`" + ` is omitted, JSON is read from stdin.`
+
+const evaluateInputExample = `
+# capture trail data for local policy iteration:
+kosli evaluate trail TRAIL --flow FLOW \
+	--policy allow-all.rego \
+	--show-input --output json | jq '.input' > trail-data.json
+
+# then iterate on your policy locally:
+kosli evaluate input \
+	--input-file trail-data.json \
+	--policy policy.rego
+
+# evaluate and show the data passed to the policy:
+kosli evaluate input \
+	--input-file trail-data.json \
+	--policy policy.rego \
+	--show-input \
+	--output json
+
+# read input from stdin:
+cat trail-data.json | kosli evaluate input \
+	--policy policy.rego`
+
+func newEvaluateInputCmd(out io.Writer) *cobra.Command {
+	o := new(evaluateInputOptions)
+	cmd := &cobra.Command{
+		Use:     "input",
+		Short:   evaluateInputShortDesc,
+		Long:    evaluateInputLongDesc,
+		Example: evaluateInputExample,
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return o.run(out, cmd.InOrStdin())
+		},
+	}
+
+	o.addFlags(cmd, "Path to a Rego policy file to evaluate against the input.")
+	cmd.Flags().StringVarP(&o.inputFile, "input-file", "i", "", "[optional] Path to a JSON input file. Reads from stdin if omitted.")
+
+	cmd.Flags().Lookup("flow").Hidden = true
+	cmd.Flags().Lookup("attestations").Hidden = true
+
+	err := RequireFlags(cmd, []string{"policy"})
+	if err != nil {
+		logger.Error("failed to configure required flags: %v", err)
+	}
+
+	return cmd
+}
+
+func (o *evaluateInputOptions) run(out io.Writer, in io.Reader) error {
+	var input map[string]interface{}
+	var err error
+
+	if o.inputFile == "" {
+		if f, ok := in.(*os.File); ok && term.IsTerminal(int(f.Fd())) {
+			return fmt.Errorf("no input provided: use --input-file or pipe JSON to stdin")
+		}
+		input, err = loadInput(in)
+	} else {
+		input, err = loadInputFromFile(o.inputFile)
+	}
+	if err != nil {
+		return err
+	}
+
+	return evaluateAndPrintResult(out, o.policyFile, input, o.output, o.showInput)
+}
+
+func loadInputFromFile(filePath string) (result map[string]interface{}, err error) {
+	f, err := os.Open(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read input file: %w", err)
+	}
+	defer func() {
+		if cerr := f.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
+	return loadInput(f)
+}
+
+func loadInput(r io.Reader) (map[string]interface{}, error) {
+	var input map[string]interface{}
+	if err := json.NewDecoder(r).Decode(&input); err != nil {
+		return nil, fmt.Errorf("failed to parse input: %w", err)
+	}
+	return input, nil
+}

cmd/kosli/evaluateInput_test.go

@@ -0,0 +1,107 @@
+package main
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
+)
+
+type EvaluateInputCommandTestSuite struct {
+	suite.Suite
+}
+
+func (suite *EvaluateInputCommandTestSuite) TestEvaluateInputCmd() {
+	tests := []cmdTestCase{
+		{
+			wantError: true,
+			name:      "missing --policy flag fails",
+			cmd:       "evaluate input",
+			golden:    "Error: required flag(s) \"policy\" not set\n",
+		},
+		{
+			name:        "allow-all policy with input file returns ALLOWED",
+			cmd:         "evaluate input --input-file testdata/evaluate/trail-input.json --policy testdata/policies/allow-all.rego",
+			goldenRegex: `RESULT:\s+ALLOWED`,
+		},
+		{
+			wantError:   true,
+			name:        "deny-all policy with input file returns DENIED",
+			cmd:         "evaluate input --input-file testdata/evaluate/trail-input.json --policy testdata/policies/deny-all.rego",
+			goldenRegex: `RESULT:\s+DENIED`,
+		},
+		{
+			wantError:   true,
+			name:        "non-existent input file returns error",
+			cmd:         "evaluate input --input-file testdata/evaluate/no-such-file.json --policy testdata/policies/allow-all.rego",
+			goldenRegex: `failed to read input file:`,
+		},
+		{
+			wantError:   true,
+			name:        "invalid JSON input file returns error",
+			cmd:         "evaluate input --input-file testdata/policies/allow-all.rego --policy testdata/policies/allow-all.rego",
+			goldenRegex: `failed to parse input:`,
+		},
+		{
+			wantError:   true,
+			name:        "missing --input-file reads from stdin (empty stdin fails)",
+			cmd:         "evaluate input --policy testdata/policies/allow-all.rego",
+			goldenRegex: `failed to parse input:`,
+		},
+		{
+			name: "JSON output with allow-all policy",
+			cmd:  "evaluate input --input-file testdata/evaluate/trail-input.json --policy testdata/policies/allow-all.rego --output json",
+			goldenJson: []jsonCheck{
+				{"allow", true},
+			},
+		},
+		{
+			wantError:   true,
+			name:        "policy with wrong package returns error",
+			cmd:         "evaluate input --input-file testdata/evaluate/trail-input.json --policy testdata/policies/no-package-policy.rego",
+			goldenRegex: `policy package must be 'package policy', got 'foo'`,
+		},
+		{
+			wantError:   true,
+			name:        "policy missing allow rule returns error",
+			cmd:         "evaluate input --input-file testdata/evaluate/trail-input.json --policy testdata/policies/no-allow-rule.rego",
+			goldenRegex: `policy must declare an 'allow' rule`,
+		},
+		{
+			wantError:   true,
+			name:        "deny without violations rule returns DENIED with no violation messages",
+			cmd:         "evaluate input --input-file testdata/evaluate/trail-input.json --policy testdata/policies/deny-no-violations.rego",
+			goldenRegex: `RESULT:\s+DENIED`,
+		},
+		{
+			name: "show-input includes input in JSON output",
+			cmd:  "evaluate input --input-file testdata/evaluate/trail-input.json --policy testdata/policies/allow-all.rego --output json --show-input",
+			goldenJson: []jsonCheck{
+				{"allow", true},
+				{"input.trail.name", "test-trail"},
+			},
+		},
+	}
+	runTestCmd(suite.T(), tests)
+}
+
+func TestLoadInput(t *testing.T) {
+	reader := strings.NewReader(`{"trail": {"name": "from-reader"}}`)
+	input, err := loadInput(reader)
+	require.NoError(t, err)
+	trail, ok := input["trail"].(map[string]interface{})
+	require.True(t, ok)
+	require.Equal(t, "from-reader", trail["name"])
+}
+
+func TestLoadInputInvalidJSON(t *testing.T) {
+	reader := strings.NewReader(`not json`)
+	_, err := loadInput(reader)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "failed to parse input")
+}
+
+func TestEvaluateInputCommandTestSuite(t *testing.T) {
+	suite.Run(t, new(EvaluateInputCommandTestSuite))
+}

cmd/kosli/evaluateTrail.go

@@ -9,7 +9,7 @@ import (
 const evaluateTrailShortDesc = `Evaluate a trail against a policy.`
 
 const evaluateTrailLongDesc = evaluateTrailShortDesc + `
-Fetch a single trail from Kosli and evaluate it against a Rego policy using OPA.
+Fetch a single trail from Kosli and evaluate it against a Rego policy.
 The trail data is passed to the policy as ` + "`input.trail`" + `.
 
 Use ` + "`--attestations`" + ` to enrich the input with detailed attestation data
@@ -67,6 +67,11 @@ func newEvaluateTrailCmd(out io.Writer) *cobra.Command {
 
 	o.addFlags(cmd, "Path to a Rego policy file to evaluate against the trail.")
 
+	err := RequireFlags(cmd, []string{"flow", "policy"})
+	if err != nil {
+		logger.Error("failed to configure required flags: %v", err)
+	}
+
 	return cmd
 }
 

cmd/kosli/evaluateTrails.go

@@ -9,7 +9,7 @@ import (
 const evaluateTrailsShortDesc = `Evaluate multiple trails against a policy.`
 
 const evaluateTrailsLongDesc = evaluateTrailsShortDesc + `
-Fetch multiple trails from Kosli and evaluate them together against a Rego policy using OPA.
+Fetch multiple trails from Kosli and evaluate them together against a Rego policy.
 The trail data is passed to the policy as ` + "`input.trails`" + ` (an array), unlike
 ` + "`evaluate trail`" + ` which passes ` + "`input.trail`" + ` (a single object).
 
@@ -68,6 +68,11 @@ func newEvaluateTrailsCmd(out io.Writer) *cobra.Command {
 
 	o.addFlags(cmd, "Path to a Rego policy file to evaluate against the trails.")
 
+	err := RequireFlags(cmd, []string{"flow", "policy"})
+	if err != nil {
+		logger.Error("failed to configure required flags: %v", err)
+	}
+
 	return cmd
 }
 

cmd/kosli/testHelpers.go

@@ -63,6 +63,7 @@ func executeCommandC(cmd string) (*cobra.Command, string, string, string, error)
 	root.SilenceErrors = false
 	root.SetOut(outWriter)
 	root.SetErr(errWriter)
+	root.SetIn(new(bytes.Buffer))
 	root.SetArgs(args)
 
 	c, err := root.ExecuteC()

cmd/kosli/testdata/evaluate/trail-input.json

@@ -0,0 +1 @@
+{"trail": {"name": "test-trail", "compliance_status": {}}}

cmd/kosli/testdata/policies/deny-no-violations.rego

@@ -0,0 +1,3 @@
+package policy
+
+allow = false