feat: add direct OPA evaluator with shared base infrastructure

acceptance/cli/cli.go

@@ -859,6 +859,12 @@ func AddStepsTo(sc *godog.ScenarioContext) {
 	sc.Step(`^the "([^"]*)" file should match the snapshot$`, matchFileSnapshot)
 	sc.Step(`^a file named "([^"]*)" containing$`, createGenericFile)
 	sc.Step(`^a track bundle file named "([^"]*)" containing$`, createTrackBundleFile)
+	sc.Before(func(ctx context.Context, _ *godog.Scenario) (context.Context, error) {
+		if v := os.Getenv("EC_USE_OPA"); v != "" {
+			ctx, _ = theEnvironmentVarilableIsSet(ctx, "EC_USE_OPA="+v)
+		}
+		return ctx, nil
+	})
 	sc.After(func(ctx context.Context, sc *godog.Scenario, err error) (context.Context, error) {
 		if err != nil {
 			logExecution(ctx)

acceptance/go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/sigstore/cosign/v3 v3.0.4
 	github.com/sigstore/rekor v1.5.0
 	github.com/sigstore/sigstore v1.10.4
+	github.com/sigstore/sigstore-go v1.1.4
 	github.com/stretchr/testify v1.11.1
 	github.com/tektoncd/cli v0.44.1
 	github.com/tektoncd/pipeline v1.9.2
@@ -205,7 +206,6 @@ require (
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sigstore/protobuf-specs v0.5.0 // indirect
 	github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect
-	github.com/sigstore/sigstore-go v1.1.4 // indirect
 	github.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect

cmd/validate/image.go

@@ -320,7 +320,8 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 				var c evaluator.Evaluator
 				var err error
 				if utils.IsOpaEnabled() {
-					c, err = newOPAEvaluator()
+					c, err = newOPAEvaluator(
+						cmd.Context(), policySources, data.policy, sourceGroup, nil)
 				} else {
 					// Use the unified filtering approach with the specified filter type
 					c, err = evaluator.NewConftestEvaluatorWithFilterType(