From ed1a7c19d465b5a46f6e429d52c65dc785ddcec4 Mon Sep 17 00:00:00 2001
From: Reece Bedding
Date: Wed, 3 Jun 2026 11:23:51 +0100
Subject: [PATCH] fix: issue with misconfiguration of data.json
---
 internal/eval.go | 43 +------------------------------------------
 1 file changed, 1 insertion(+), 42 deletions(-)
diff --git a/internal/eval.go b/internal/eval.go
index 6874abd..38a6d38 100644
--- a/internal/eval.go
+++ b/internal/eval.go
@@ -2,11 +2,8 @@ package internal
 import (
 "context"
- "encoding/json"
 "errors"
 "fmt"
- "os"
- "path/filepath"
 "strings"
 policyManager "github.com/compliance-framework/agent/policy-manager"
@@ -117,10 +114,6 @@ func (pe *PolicyEvaluator) Eval(ctx context.Context, cert CertificateContext, po
 }
 for _, policyPath := range policyPaths {
- rootData, err := loadBundleRootData(policyPath, policyData)
- if err != nil {
- return nil, fmt.Errorf("loading bundle data for %s: %w", policyPath, err)
- }
 processor := policyManager.NewPolicyProcessor(
 pe.logger,
 labels,
@@ -129,7 +122,7 @@ func (pe *PolicyEvaluator) Eval(ctx context.Context, cert CertificateContext, po
 inventory,
 actors,
 pe.stepActivities,
- rootData,
+ policyData,
 )
 evidence, perr := processor.GenerateResults(ctx, policyPath, input)
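Review bot: At the `policyData,` argument of `policyManager.NewPolicyProcessor(...)`, nothing in the new code says where the bundle's data.json is loaded now that the per-path merge is gone, and the commit message does not say either. If the processor does not read data.json itself (not visible in this diff), Rego references to that data become undefined and rules that depend on them may simply not fire, which for a compliance check reads as a pass rather than an error. A comment at the call such as `// policyData is passed unmodified; the bundle's data.json is expected to be loaded by the policy processor`, plus a test that evaluates a bundle whose rules depend on data.json, would make that assumption checkable. The same map is handed to every processor in the loop, so it should be treated as read-only by the callee. Eval's body starts and ends outside the hunk.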
@@ -153,40 +146,6 @@ func certificateBaseLabels() map[string]string {
 }
 }
-// loadBundleRootData reads data.json from the OPA bundle root and merges it
-// with base. When the agent downloads a policy OCI artifact it returns the
-// policies/ subdirectory as policyPath; the bundle's data.json lives one level
-// up in the bundle root. For local source trees the data.json lives inside the
-// policies/ directory itself, so we check both locations.
-func loadBundleRootData(policyPath string, base map[string]interface{}) (map[string]interface{}, error) {
- candidates := []string{
- filepath.Join(filepath.Dir(policyPath), "data.json"),
- filepath.Join(policyPath, "data.json"),
- }
- for _, p := range candidates {
- raw, err := os.ReadFile(p)
- if errors.Is(err, os.ErrNotExist) {
- continue
- }
- if err != nil {
- return nil, fmt.Errorf("reading bundle data %s: %w", p, err)
- }
- var bundleData map[string]interface{}
- if err := json.Unmarshal(raw, &bundleData); err != nil {
- return nil, fmt.Errorf("parsing bundle data %s: %w", p, err)
- }
- merged := make(map[string]interface{}, len(bundleData)+len(base))
- for k, v := range bundleData {
- merged[k] = v
- }
- for k, v := range base {
- merged[k] = v
- }
- return merged, nil
- }
- return base, nil
-}
-
 // arnCertID extracts the certificate UUID from an ACM ARN.
 // ARN format: arn:aws:acm:::certificate/
 func arnCertID(arn string) string {