Ashutosh Narkar

[Token-Permissions](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) seems ok as well. This probably involves adding 👇 on the workflows unless I'm missing something here. ```yaml permissions: contents: read ```

Seems like a good addition to the existing ways to fetch AWS creds. Feel free to contribute if you'd like.

If you take a look at the code [here](https://github.com/open-policy-agent/opa/blob/main/ast/builtins.go) you'll see the non-deterministic builtins are marked with the `Nondeterministic: true` property. As you mentioned, `nd_builtin_cache` is disabled by default and...

@srenatus @johanfylling any ideas about the repeated function calls in the optimized policy? If that's contributing to an increased eval latency, then we should investigate this.

I think you'll have to set `distributed_tracing.type=grpc` in the OPA [config](https://www.openpolicyagent.org/docs/v0.67.0/configuration/#distributed-tracing) to enable this.

> Also, since the [Decision Log Service API documentation](https://www.openpolicyagent.org/docs/v0.67.0/management-decision-logs/#decision-log-service-api) is the only place referring to the trace_id, maybe add a link to the distributed_tracing documentation when the trace_id is required....

@rudrakhp the return status code is something that's controlled by Envoy. By default, when OPA returns an error, Envoy should send back a `HTTP 403 Forbidden`. This behavior can be...

> For example, the incorrect path error should return a different status (4XX) than say an OPA internal server error (5XX). That's not possible today? Currently OPA is configured to...

> while I have a look at this can you also confirm if the status that the plugin returns can be transparently exposed to envoy as well? The `status_on_error `...

Closing this for now. Feel free to re-open. Thanks!