diff --git a/.gitignore b/.gitignore
index 825d16f..23ab873 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@ sample.federal_policy.yaml
 __pycache__/
 .DS_Store
+.generated/
 # Virtru DSP Bundle
 virtru-dsp-bundle-*.tar.gz
diff --git a/docker-compose.yaml b/docker-compose.yaml
index f5253dd..801c7a8 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -155,6 +155,7 @@ services:
 restart: always
 volumes:
 - ./dsp-keys:/dsp-keys:z
+ - ./.generated/tagging-pdp-workflows.yaml:/config/tagging-pdp-workflows.yaml:ro,z
 environment:
 DSP_DB_HOST: localhost
 DSP_DB_PORT: 35433
diff --git a/dsp.yaml b/dsp.yaml
index 22baaf5..5926a84 100644
--- a/dsp.yaml
+++ b/dsp.yaml
@@ -53,7 +53,7 @@ services:
 realm: 'opentdf'
 tokenendpoint: *tokenEndpoint
 taggingpdp:
- configFilePath: "dsp.yaml"
+ configFilePath: "/config/tagging-pdp-workflows.yaml"
 tikaServerUrl: "http://localhost:9998"
 sharepoint:
 encryptedSearchKeyPath: dsp-keys/encrypted-search.key
@@ -120,4 +120,4 @@ server:
 # Sets whether credentials are included in the CORS request
 allowcredentials: true
 # Sets the maximum age (in seconds) of a specific CORS preflight request
- maxage: 3600
\ No newline at end of file
+ maxage: 3600
diff --git a/setup_and_validate.sh b/setup_and_validate.sh
index 641e84c..e10902e 100755
--- a/setup_and_validate.sh
+++ b/setup_and_validate.sh
@@ -167,6 +167,8 @@ fi
 # Script must run from DSP-standalone/
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 cd "$SCRIPT_DIR"
+GENERATED_DIR="$SCRIPT_DIR/.generated"
+GENERATED_TAGGING_PDP_WORKFLOW="$GENERATED_DIR/tagging-pdp-workflows.yaml"
 log_ok "Working directory: $SCRIPT_DIR"
 # ---------------------------------------------------------------------------
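Review bot: The new bind mount on the volumes line requires `./.generated/tagging-pdp-workflows.yaml` to exist as a regular file before the stack starts; when a bind-mount host path is missing, Docker creates an empty directory there, so a `docker compose up` run before (or without) `setup_and_validate.sh` staging the file gives the container a directory at `/config/tagging-pdp-workflows.yaml`, and the next staging run likely cannot replace it (the awk redirect fails and `cp` copies into the directory instead of over it). A comment on the line would make the dependency explicit: `# staged by setup_and_validate.sh (stage_tagging_pdp_workflow); must exist as a file before compose starts`. The `:ro` on the mount is the right choice for a config that the service only reads.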
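Review bot: GENERATED_DIR and GENERATED_TAGGING_PDP_WORKFLOW are script-wide constants whose value must match the `./.generated/tagging-pdp-workflows.yaml` host path hard-coded in docker-compose.yaml, but nothing in the hunk records that coupling and nothing stops a later assignment from diverging. Declaring them `readonly GENERATED_DIR="$SCRIPT_DIR/.generated"` and `readonly GENERATED_TAGGING_PDP_WORKFLOW="$GENERATED_DIR/tagging-pdp-workflows.yaml"` guards the second point, and a comment such as `# Must match the host side of the /config/tagging-pdp-workflows.yaml bind mount in docker-compose.yaml` documents the first. The `.generated/` entry added to .gitignore carries the same dependency.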
@@ -223,6 +225,69 @@ validate_tools() {
 fi
 }
+resolve_tagging_pdp_workflow_source() {
+ local bundle_dir="${1:-}"
+ local default_bundle_dir="$SCRIPT_DIR/virtru-dsp-bundle"
+ local candidate=""
+ local prompt_path=""
+
+ if [[ -n "$bundle_dir" && -f "$bundle_dir/kubernetes/tagging-pdp-workflows.yaml" ]]; then
+ candidate="$bundle_dir/kubernetes/tagging-pdp-workflows.yaml"
+ log_info "Using tagging PDP workflow from bundle: $candidate"
+ TAGGING_PDP_WORKFLOW_SOURCE="$candidate"
+ return 0
+ fi
+
+ if [[ -f "$default_bundle_dir/kubernetes/tagging-pdp-workflows.yaml" ]]; then
+ candidate="$default_bundle_dir/kubernetes/tagging-pdp-workflows.yaml"
+ log_info "Using tagging PDP workflow from unpacked bundle: $candidate"
+ TAGGING_PDP_WORKFLOW_SOURCE="$candidate"
+ return 0
+ fi
+
+ echo
+ log_warn "tagging-pdp-workflows.yaml was not found in the bundle at ./kubernetes/tagging-pdp-workflows.yaml."
+ while true; do
+ read -rp " Enter the path to your tagging PDP workflow YAML: " prompt_path
+ prompt_path="${prompt_path/#\~/$HOME}"
+ if [[ -z "$prompt_path" ]]; then
+ echo " Path cannot be empty."
+ continue
+ fi
+ if [[ ! -f "$prompt_path" ]]; then
+ echo " File not found: $prompt_path"
+ continue
+ fi
+ TAGGING_PDP_WORKFLOW_SOURCE="$prompt_path"
+ return 0
+ done
+}
+
+stage_tagging_pdp_workflow() {
+ local source_path="$1"
+
+ mkdir -p "$GENERATED_DIR"
+ if grep -q '^taggingpdpWorkflows:$' "$source_path" && grep -q '^ config\.yaml:$' "$source_path"; then
+ awk '
+ /^ config\.yaml:$/ { emit=1; next }
+ emit {
+ if ($0 ~ /^ /) {
+ sub(/^ /, "")
+ print
+ } else if ($0 ~ /^$/) {
+ print ""
+ } else {
+ exit
+ }
+ }
+ ' "$source_path" > "$GENERATED_TAGGING_PDP_WORKFLOW"
+ log_info "Extracted inner tagging PDP workflow from bundle wrapper format"
+ else
+ cp "$source_path" "$GENERATED_TAGGING_PDP_WORKFLOW"
+ fi
+ log_ok "Staged tagging PDP workflow: $GENERATED_TAGGING_PDP_WORKFLOW"
+}
+
 # ---------------------------------------------------------------------------
 # Prerequisites — delegate to OS-specific script
 # ---------------------------------------------------------------------------
@@ -550,7 +615,8 @@ print('Updated $DAEMON_JSON')
 echo " The proprietary DSP image must be loaded from a Virtru bundle."
 echo " Expected layout inside the bundle:"
 echo " virtru-dsp-bundle/"
- echo " └── dsp (the DSP CLI binary)"
+ echo " ├── dsp (the DSP CLI binary)"
+ echo " └── kubernetes/tagging-pdp-workflows.yaml"
 echo
 # If the prereqs script already unpacked the bundle, use it automatically
@@ -613,6 +679,10 @@ if [[ "$VALIDATE_ONLY" == false ]]; then
 DSP_IMAGE="localhost:5000/virtru/data-security-platform:${DSP_TAG}"
 log_ok "DSP image: $DSP_IMAGE"
+ log_section "Resolving tagging PDP workflow"
+ resolve_tagging_pdp_workflow_source "${BUNDLE_DIR:-}"
+ stage_tagging_pdp_workflow "$TAGGING_PDP_WORKFLOW_SOURCE"
+
 log_section "Starting Docker Compose stack"
 # On Linux, strip the 'sharepoint' block from dsp.yaml before the build —
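Review bot: The prompt loop in resolve_tagging_pdp_workflow_source never terminates when stdin is not a terminal: on EOF `read -rp` returns non-zero and leaves prompt_path empty, so `while true` prints " Path cannot be empty." forever (or, if the script runs under `set -e`, which this hunk does not show, aborts without a message). Checking the read status gives a clean failure path: `read -rp "…" prompt_path || { log_warn "No tagging PDP workflow path provided (stdin closed)."; return 1; }`. In stage_tagging_pdp_workflow the awk extraction stops silently at the first line that is neither indented nor blank and can leave an empty or truncated file that is then reported with log_ok and mounted read-only into the container, so a check after the if/else is worth adding: `[[ -s "$GENERATED_TAGGING_PDP_WORKFLOW" ]] || { log_warn "Staged workflow is empty: $GENERATED_TAGGING_PDP_WORKFLOW"; return 1; }`. Because source_path can come from the interactive prompt, `grep -q -- '^taggingpdpWorkflows:$' "$source_path"` and `cp -- "$source_path" "$GENERATED_TAGGING_PDP_WORKFLOW"` would also keep a path beginning with `-` from being parsed as an option.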