compliance-framework · saltpy-cs · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
diff --git a/internal/eval.go b/internal/eval.go
@@ -2,11 +2,8 @@ package internal
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
-	"path/filepath"
 	"strings"
 
 	policyManager "github.com/compliance-framework/agent/policy-manager"
@@ -152,41 +149,6 @@ func certificateBaseLabels() map[string]string {
 	}
 }
 
-// LoadBundleRootData reads data.json from the OPA bundle root and merges it
-// with overrides. When the agent downloads a policy OCI artifact it returns the
-// policies/ subdirectory as policyPath; the bundle's data.json lives one level
-// up in the bundle root. For local source trees the data.json lives inside the
-// policies/ directory itself, so both locations are checked. overrides win on
-// conflict, so operator-supplied policy_data takes precedence over bundle defaults.
-func LoadBundleRootData(policyPath string, overrides map[string]interface{}) (map[string]interface{}, error) {
-	candidates := []string{
-		filepath.Join(policyPath, "data.json"),
-		filepath.Join(filepath.Dir(policyPath), "data.json"),
-	}
-	for _, p := range candidates {
-		raw, err := os.ReadFile(p)
-		if errors.Is(err, os.ErrNotExist) {
-			continue
-		}
-		if err != nil {
-			return nil, fmt.Errorf("reading bundle data %s: %w", p, err)
-		}
-		var bundleData map[string]interface{}
-		if err := json.Unmarshal(raw, &bundleData); err != nil {
-			return nil, fmt.Errorf("parsing bundle data %s: %w", p, err)
-		}
-		merged := make(map[string]interface{}, len(bundleData)+len(overrides))
-		for k, v := range bundleData {
-			merged[k] = v
-		}
-		for k, v := range overrides {
-			merged[k] = v
-		}
-		return merged, nil
-	}
-	return overrides, nil
-}
-
 // arnCertID extracts the certificate UUID from an ACM ARN.
 // ARN format: arn:aws:acm:<region>:<account-id>:certificate/<uuid>
 func arnCertID(arn string) string {

diff --git a/internal/eval_test.go b/internal/eval_test.go
diff --git a/main.go b/main.go
@@ -72,23 +72,12 @@ func (l *CompliancePlugin) Eval(request *proto.EvalRequest, apiHelper runner.Api
 		}, fmt.Errorf("failed to fetch data: %w", err)
 	}
 
-	// Load bundle data.json defaults and merge with operator overrides once per
-	// evaluation cycle. All policy paths share the same bundle so one load suffices.
-	policyData := l.policyData
-	if paths := request.GetPolicyPaths(); len(paths) > 0 {
-		merged, err := internal.LoadBundleRootData(paths[0], l.policyData)
-		if err != nil {
-			return &proto.EvalResponse{Status: proto.ExecutionStatus_FAILURE}, fmt.Errorf("loading bundle data for %s: %w", paths[0], err)
-		}
-		policyData = merged
-	}
-
 	policyEvaluator := internal.NewPolicyEvaluator(ctx, l.logger, activities)
 
 	var allEvidences []*proto.Evidence
 	var evalErrors error
 	for _, cert := range certs {
-		certEvidences, err := policyEvaluator.Eval(ctx, cert, request.GetPolicyPaths(), policyData, l.config.PolicyLabels)
+		certEvidences, err := policyEvaluator.Eval(ctx, cert, request.GetPolicyPaths(), l.policyData, l.config.PolicyLabels)
 		allEvidences = append(allEvidences, certEvidences...)
 		if err != nil {
 			evalErrors = errors.Join(evalErrors, fmt.Errorf("evaluating cert %s: %w", cert.CertificateArn, err))