BCH-1290: Include certificate domain name in evidence title

[saltpy-cs]

Suffixes each evidence title with the certificate domain name so users can identify which ACM certificate a piece of evidence relates to.

Example: "ACM certificate must carry all required tags [api.example.com]"

Summary by CodeRabbit

• Bug Fixes

  • Evidence titles now include the associated domain name for clearer results.

• New Features

  • Evaluations now apply per-request bundle data merged with operator overrides; failures loading bundle data stop evaluation.

• Tests

  • Added unit tests covering bundle-data merging and lookup: overrides precedence, fallback when no bundle data, and locating bundle data in parent directories.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 90c6d91b-28e9-4378-a674-825442e24e40

📥 Commits

Reviewing files that changed from the base of the PR and between a2283f7 and fb30406.

📒 Files selected for processing (2)

• internal/eval.go
• internal/eval_test.go

---

📝 Walkthrough

Walkthrough

CompliancePlugin.Eval builds a request-scoped merged policyData (l.policyData plus bundle root data for the first policy path). PolicyEvaluator.Eval consumes the provided policyData (no per-policy bundle load) and appends the certificate DomainName to each evidence Title. The bundle loader was exported and now applies overrides last or returns overrides when no bundle data exists.

Changes

Policy evaluation and bundle data loading

Layer / File(s)	Summary
Eval caller wiring main.go	CompliancePlugin.Eval creates a request-scoped policyData from l.policyData and, if policy paths exist, merges bundle root data.json for paths[0] (fails fast on load error).
Eval runtime: use provided policyData & title enrichment internal/eval.go	PolicyEvaluator.Eval no longer loads bundle data per policyPath; it initializes the policy processor with the provided policyData and appends [<cert.DomainName>] to each evidence Title after GenerateResults.
LoadBundleRootData export & merge semantics internal/eval.go	loadBundleRootData was renamed/exported to LoadBundleRootData(policyPath, overrides). It searches candidate data.json locations, returns a copy of bundle data with overrides applied last (overrides win), or returns overrides when no bundle data.json exists.
Unit tests for LoadBundleRootData internal/eval_test.go	Adds imports and tests (using t.TempDir() fixtures) covering override precedence, fallback-to-overrides when no bundle data exists, policy-path-local data.json winning over parent, and locating parent data.json from a policies/ subdirectory.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• compliance-framework/plugin-aws-acm#3: Modifies internal/eval.go and bundle data.json loading/merging behavior overlapping with the loader/export changes in this PR.

Poem

A rabbit nibbles code by moonlight,
Copies data, then makes it right,
Titles tagged with domains so bright,
Tests hop round fixtures in the night,
Hooray — the plugin springs to life! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: appending certificate domain names to evidence titles. This matches the primary functional update in the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/eval.go`:
- Line 137: The code reads the protobuf field directly via ev.Title; change it
to use the proto getter to avoid nil panics and follow protobuf conventions:
replace reading ev.Title with ev.GetTitle() when building the new title (e.g.,
in the expression used with fmt.Sprintf), so use ev.GetTitle() and keep the rest
of the logic that appends cert.DomainName unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 2816d0b3-f571-4811-be9d-b1bf4e8364eb

📥 Commits

Reviewing files that changed from the base of the PR and between d10dc77 and c9a68d5.

📒 Files selected for processing (1)

• internal/eval.go

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/eval.go (1)

163-166: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Check policyPath/data.json before the parent directory.

The current candidate order loads the parent data.json first, so a local source tree can pick up unrelated defaults whenever both locations exist. That inverts the behavior described in the comment here. Swap the order so the file inside policyPath wins, then fall back to the parent only for OCI bundles.

Suggested fix

 	candidates := []string{
-		filepath.Join(filepath.Dir(policyPath), "data.json"),
 		filepath.Join(policyPath, "data.json"),
+		filepath.Join(filepath.Dir(policyPath), "data.json"),
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/eval.go` around lines 163 - 166, The candidate list currently checks
the parent directory before the local policy directory; update the candidates
construction so filepath.Join(policyPath, "data.json") comes first and the
parent (filepath.Join(filepath.Dir(policyPath), "data.json")) is only appended
as a fallback when handling OCI bundles (check the bundle/OCI flag used by this
code path). Modify the creation of the candidates slice in internal/eval.go (the
candidates variable that uses policyPath) to prefer the local data.json and
conditionally include the parent entry only for OCI scenarios.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/eval_test.go`:
- Around line 53-73: Add a regression test to cover the precedence when both
policyPath/data.json and its parent directory's data.json exist: create both
files (one at filepath.Join(policiesDir, "data.json") and one at
filepath.Join(root, "data.json")) inside
TestLoadBundleRootData_FindsDataJsonOneDirectoryUp (or a new test named e.g.
TestLoadBundleRootData_LocalOverridesParent) and call
LoadBundleRootData(policiesDir, nil); assert that the returned map uses the
value from the policyPath/data.json (the local file) rather than the parent file
by checking the specific key (expiry_warning_days) matches the local file's
value. Ensure file creation, permissions, and cleanup mirror existing test
patterns and keep error checks identical to the current test.

---

Outside diff comments:
In `@internal/eval.go`:
- Around line 163-166: The candidate list currently checks the parent directory
before the local policy directory; update the candidates construction so
filepath.Join(policyPath, "data.json") comes first and the parent
(filepath.Join(filepath.Dir(policyPath), "data.json")) is only appended as a
fallback when handling OCI bundles (check the bundle/OCI flag used by this code
path). Modify the creation of the candidates slice in internal/eval.go (the
candidates variable that uses policyPath) to prefer the local data.json and
conditionally include the parent entry only for OCI scenarios.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: bf12d4be-e286-4668-bfaf-f40dce4c9973

📥 Commits

Reviewing files that changed from the base of the PR and between c9a68d5 and 19a382c.

📒 Files selected for processing (3)

• internal/eval.go
• internal/eval_test.go
• main.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/eval.go (1)

162-165: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Prefer the local bundle data.json before the parent directory.

Parent-first lookup makes policyPath/data.json unreachable whenever both locations exist. In a local source tree, that can load an unrelated parent data.json and evaluate policies with the wrong defaults.

Suggested fix

 	candidates := []string{
-		filepath.Join(filepath.Dir(policyPath), "data.json"),
 		filepath.Join(policyPath, "data.json"),
+		filepath.Join(filepath.Dir(policyPath), "data.json"),
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/eval.go` around lines 162 - 165, The candidate paths for data.json
are currently parent-first which can hide a local bundle; in internal/eval.go
update the candidates slice (the variable named candidates that uses policyPath)
to list filepath.Join(policyPath, "data.json") before
filepath.Join(filepath.Dir(policyPath), "data.json") so the local
policyPath/data.json is preferred over the parent directory file.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@internal/eval.go`:
- Around line 162-165: The candidate paths for data.json are currently
parent-first which can hide a local bundle; in internal/eval.go update the
candidates slice (the variable named candidates that uses policyPath) to list
filepath.Join(policyPath, "data.json") before
filepath.Join(filepath.Dir(policyPath), "data.json") so the local
policyPath/data.json is preferred over the parent directory file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 8eec3b61-a8b0-4010-bff1-4365e3494398

📥 Commits

Reviewing files that changed from the base of the PR and between 19a382c and a2283f7.

📒 Files selected for processing (2)

• internal/eval.go
• main.go