Feat/bch 1290

[saltpy-cs]

Summary by CodeRabbit

• New Features

  • Support loading policy data from compressed bundle archives (.tar.gz)
  • Operator-supplied configuration overrides are applied when loading bundled policy data

• Tests

  • Added test coverage for compressed-bundle data loading and override precedence

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: add70eaa-cb7b-427f-9aa0-b82a9e918c50

📥 Commits

Reviewing files that changed from the base of the PR and between c68ce32 and 8cb9c73.

📒 Files selected for processing (3)

• internal/eval.go
• internal/eval_test.go
• main.go

💤 Files with no reviewable changes (2)

• internal/eval_test.go
• internal/eval.go

---

📝 Walkthrough

Walkthrough

internal/eval.go adds .tar.gz support: LoadBundleRootData extracts root data.json from archives and merges it with overrides. main.go changes Eval to build a single policyEvaluator once and reuse it for per-certificate evaluations.

Changes

Bundle loading and evaluator flow

Layer / File(s)	Summary
Tar.gz loader implementation internal/eval.go	Imports extend for archive/tar, compress/gzip, and IO support. LoadBundleRootData checks .tar.gz suffix, opens the archive, finds root data.json, unmarshals JSON, merges with overrides (overrides win), and returns the merged map.
Eval: single policyEvaluator construction main.go	CompliancePlugin.Eval now initializes policyEvaluator once before iterating certificates; per-evaluation-cycle loading/merging of bundle defaults was removed and policyEvaluator.Eval is called with l.policyData directly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• compliance-framework/plugin-aws-acm#3: Both PRs modify bundle-root data.json loading logic; this PR extends loading to extract from .tar.gz archives.
• compliance-framework/plugin-aws-acm#5: Both PRs change LoadBundleRootData behavior around locating/merging data.json with operator overrides, with this PR adding .tar.gz support.

Poem

A rabbit nudged a tarball tight,
Peeked inside to find JSON light,
Overrides hopped to take the crown,
One evaluator now runs the town,
🐇📦✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 57.14% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Feat/bch 1290' is vague and does not clearly describe the actual changes. While it references a ticket number, it provides no meaningful information about what the PR accomplishes.	Replace with a descriptive title summarizing the main change, such as 'Add support for OPA bundles in tar.gz format' or similar that reflects the core functionality addition.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/eval_test.go`:
- Around line 33-65: Add unit tests around TestLoadBundleRootData to cover
tar.gz edge cases: create separate tests that (1) provide a tar.gz without a
data.json entry and assert LoadBundleRootData(bundlePath, overrides) returns
only the overrides and no error, (2) create a tar.gz with malformed JSON in
data.json and assert LoadBundleRootData returns an error, (3) include data.json
inside a subdirectory in the tar.gz and assert it is ignored (LoadBundleRootData
should return overrides/no error), and (4) create a corrupted tar.gz archive and
assert LoadBundleRootData returns an error; reuse the existing helpers like
writeTarGz, t.TempDir, bundlePath, and the LoadBundleRootData call and assert
behavior consistently with the existing tests.
- Around line 13-31: The deferred Close() calls in writeTarGz (f.Close(),
gw.Close(), tw.Close()) currently ignore errors; update the defers to check and
fail the test on close errors by capturing and handling each Close() return
(e.g., defer func(){ if err := tw.Close(); err != nil { t.Fatalf("tw.Close: %v",
err) } }()), similarly for gw and f) so any cleanup/write flush failures are
surfaced via t.Fatal/t.Fatalf; keep the existing t.Helper() and body handling
unchanged.

In `@internal/eval.go`:
- Around line 198-242: The deferred f.Close() and gr.Close() in
loadDataFromTarGz currently ignore returned errors; change loadDataFromTarGz to
use named return values (e.g., result map[string]interface{}, err error) and
replace the simple defers with deferred functions that call Close() and, if they
return a non-nil error and the named err is nil, assign or wrap that error into
the named err (so cleanup errors are surfaced), ensuring you still return the
proper merged result or overrides when appropriate.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 7ba0b8b0-ab25-4be8-a4e9-8372e51c27fa

📥 Commits

Reviewing files that changed from the base of the PR and between ec8c8a7 and c68ce32.

📒 Files selected for processing (2)

• internal/eval.go
• internal/eval_test.go