PR #43 follow-up: rabbit nits + nil guards (batch 1)

[entlein]

Summary

First batch of CodeRabbit feedback from the merged PR #43 review (merge: upstream/main + recover wildcards/signing on projection-v1). Scope is the trivial/minor entries only — five small fixes, no behavioural change to security-sensitive paths.

Critical and major items from the same review need dedicated PRs (with pinning tests per the project's regression-harness rule) and are tracked separately — see the "Deferred to follow-up PRs" section below.

Fixes in this PR

File	Severity	Change
pkg/rulemanager/profilehelper/profilehelper.go	🟡 Minor	Nil-guard objectCache before dereferencing ContainerProfileCache()
pkg/rulemanager/cel/libraries/cache/function_cache.go	🟡 Minor	Skip nil extraKeyFn callbacks in WithCache variadic to avoid panic
pkg/objectcache/containerprofilecache/projection_trie.go	🟡 Minor	Doc comment said byte-level trie; implementation is rune-keyed (matters for ⋯)
README.md	🟡 Minor	wasExecutedWithArgs table entry refreshed — argument matching is active post-PR #43 (ExecsByPath composite-key surface)
tests/resources/network-wildcards/README.md	🟡 Minor + 🔵 Trivial	Fixture 14 description aligned with actual content (["**.example.com."]); SBoBs → SBOBs

Validation

• go build ./... clean
• go test ./pkg/rulemanager/cel/libraries/cache/ ./pkg/objectcache/containerprofilecache/ — green
• No behaviour change for hot paths; the only runtime-visible effect is that two nil-dereference panics now return an error / continue instead.

Deferred to follow-up PRs

These need dedicated work + pinning tests; intentionally NOT bundled here so this batch can land cleanly without holding up the trivial fixes.

🔴 Critical

• pkg/rulemanager/cel/libraries/parse/parse.go — getExecPathWithExePath trusts absolute argv[0] over event.exepath. argv[0] is process-controlled (caller of execve can set it to anything), so an attacker can present an allowlisted absolute path while executing a different binary. The existing comment defends this but is wrong about the kernel guaranteeing argv[0] faithfulness.
• pkg/rulemanager/cel/libraries/networkneighborhood/network.go — ProjectedField.All treated as unconditional true match; should mean "retain all entries", not "match anything".
• pkg/objectcache/containerprofilecache/projection.go — projectUserProfiles may be called on already-projected/stamped ContainerProfiles; need a guard or call-graph audit.

🟠 Major

• pkg/rulemanager/cel/libraries/applicationprofile/exec.go — Exact-path-match falls through to pattern matching when args don't match, defeating the strict-match semantics.
• pkg/rulemanager/cel/libraries/applicationprofile/open.go — Uses strings.HasPrefix/HasSuffix on wildcardised Patterns; produces false negatives for concrete paths.
• pkg/rulemanager/cel/libraries/applicationprofile/http.go — was_endpoint_accessed_with_method[s] ignores HTTP method semantics (path-match only).
• pkg/rulemanager/cel/libraries/networkneighborhood/network.go (Line 181) — was_address_port_protocol_in_* only calls matchIPField, ignoring port and protocol.
• pkg/rulebindingmanager/cache/cache.go — Blocking sends in refresh-notifier fan-out + watch handlers; context not propagated through rule-binding branches.
• cmd/main.go — LoadServiceURLs failure / empty SBOM URL receiver fails silently.
• pkg/objectcache/containerprofilecache/projection_apply.go (PolicyByRuleId site, separate from the Args-clone fix already in PR merge: upstream/main + recover wildcards/signing on projection-v1 #43) — Shallow-copy hazard for nested maps.
• tests/component_test.go — R0001-silence subtests need an explicit "ExecIntoPod succeeded" pre-check before treating silence as evidence the matcher was exercised.
• go.mod — k8s.io/api v0.35.x mixed with k8s.io/kubectl v0.34.1; verify compatibility guidance.

🟡 Minor / further nits

• pkg/objectcache/containerprofilecache/tamper_alert_test.go — Add operational-error coverage path.
• pkg/objectcache/containerprofilecache/test32_projection_test.go — Pin overlay-removal transition (currently tests add/update only).
• pkg/rulemanager/cel/libraries/applicationprofile/integration_test.go — Restore flag-aware assertion coverage that the swap to path-only reduced.
• pkg/rulemanager/cel/libraries/applicationprofile/open_test.go — was_path_opened_with_flags expectation flipped to expect true on flag mismatch; bakes in path-only semantics under a flag-aware function name.
• pkg/objectcache/v1/mock.go — Args == nil should mean "no map entry", not []string{}; mirror selective endpoint projection instead of forcing Endpoints.All=true.
• tests/resources/network-wildcards/19-port-protocol-with-cidr.yaml — The fixture documents strict (IP, port, protocol) enforcement which the matcher currently doesn't honour (see the network.go major above). The fixture is correct; the matcher needs to catch up.
• pkg/objectcache/containerprofilecache/containerprofilecache.go — Document the nudge channel's buffered-cap-1 coalescing semantics.
• .github/workflows/component-tests.yaml — actions/setup-go@v4 → @v5.

Test plan

• go build ./... passes
• go test ./pkg/rulemanager/cel/libraries/cache/ ./pkg/objectcache/containerprofilecache/ green
• Reviewer: confirm batch-1 scope is appropriate or request specific deferred items be pulled in here

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces defensive nil-checks in cache composition and profile initialization to prevent panics, updates documentation to clarify argument matching behavior and internal data structure design, and corrects test fixture descriptions and migration guidance.

Changes

Defensive validations and documentation clarifications

Layer / File(s)	Summary
Cache function nil-safety pkg/rulemanager/cel/libraries/cache/function_cache.go	WithCache now checks for and skips nil entries in extraKeyFn instead of invoking them directly, preventing panics while maintaining cache key construction for valid functions.
Profile helper object-cache validation pkg/rulemanager/profilehelper/profilehelper.go	GetProjectedContainerProfile validates that objectCache is non-nil before accessing methods, returning early with an error when the cache is unavailable rather than dereferencing nil.
Documentation and code comment updates README.md, pkg/objectcache/containerprofilecache/projection_trie.go, tests/resources/network-wildcards/README.md	wasExecutedWithArgs documentation clarified to describe true per-argument matching with wildcard semantics; trie implementation comment updated to document rune-keyed (UTF-8 codepoint) behavior; fixture documentation corrected to specify **.example.com. wildcard pattern and migration guidance capitalization adjusted.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change as a batch of minor fixes and nil guards from PR #43 feedback.
Description check	✅ Passed	The description is directly related to the changeset, detailing exactly which files were modified and why, with clear rationale for each fix.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/pr43-rabbit-feedback

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/rulemanager/profilehelper/profilehelper.go (2)

27-40: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Consider adding nil-check for consistency.

GetContainerName dereferences objectCache on line 28 without checking for nil. For consistency with the nil-guard added to GetProjectedContainerProfile (lines 13-15), consider adding the same defensive check here to prevent potential panics.

🛡️ Proposed nil-guard

 func GetContainerName(objectCache objectcache.ObjectCache, containerID string) string {
+	if objectCache == nil {
+		return ""
+	}
 	sharedData := objectCache.K8sObjectCache().GetSharedContainerData(containerID)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rulemanager/profilehelper/profilehelper.go` around lines 27 - 40,
GetContainerName currently dereferences objectCache without guarding for nil;
add the same defensive nil-check used in GetProjectedContainerProfile by
returning "" early if objectCache == nil (before calling
objectCache.K8sObjectCache().GetSharedContainerData), so that calls to
GetContainerName, and subsequent calls to K8sObjectCache() and
GetSharedContainerData(containerID), cannot panic when objectCache is nil.

---

42-54: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Consider adding nil-check for consistency.

GetPodSpec dereferences objectCache on line 43 without checking for nil. For consistency with the nil-guard added to GetProjectedContainerProfile (lines 13-15), consider adding the same defensive check here to prevent potential panics.

🛡️ Proposed nil-guard

 func GetPodSpec(objectCache objectcache.ObjectCache, containerID string) error {
+	if objectCache == nil {
+		return nil, errors.New("no object cache available")
+	}
 	sharedData := objectCache.K8sObjectCache().GetSharedContainerData(containerID)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rulemanager/profilehelper/profilehelper.go` around lines 42 - 54, Add a
nil-guard at the start of GetPodSpec: check if the objectCache parameter is nil
and return an appropriate error (consistent with GetProjectedContainerProfile's
nil-check) before calling objectCache.K8sObjectCache(), so you avoid panics when
dereferencing objectCache; update the error text to something like "object cache
is nil" and keep the existing checks for sharedData and podSpec (referencing
GetPodSpec, objectCache.K8sObjectCache, and GetProjectedContainerProfile for the
pattern).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/rulemanager/profilehelper/profilehelper.go`:
- Around line 27-40: GetContainerName currently dereferences objectCache without
guarding for nil; add the same defensive nil-check used in
GetProjectedContainerProfile by returning "" early if objectCache == nil (before
calling objectCache.K8sObjectCache().GetSharedContainerData), so that calls to
GetContainerName, and subsequent calls to K8sObjectCache() and
GetSharedContainerData(containerID), cannot panic when objectCache is nil.
- Around line 42-54: Add a nil-guard at the start of GetPodSpec: check if the
objectCache parameter is nil and return an appropriate error (consistent with
GetProjectedContainerProfile's nil-check) before calling
objectCache.K8sObjectCache(), so you avoid panics when dereferencing
objectCache; update the error text to something like "object cache is nil" and
keep the existing checks for sharedData and podSpec (referencing GetPodSpec,
objectCache.K8sObjectCache, and GetProjectedContainerProfile for the pattern).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 07a74fa0-ec35-48b8-bd11-97b410d5f5de

📥 Commits

Reviewing files that changed from the base of the PR and between 58247d7 and e16c134.

📒 Files selected for processing (5)

• README.md
• pkg/objectcache/containerprofilecache/projection_trie.go
• pkg/rulemanager/cel/libraries/cache/function_cache.go
• pkg/rulemanager/profilehelper/profilehelper.go
• tests/resources/network-wildcards/README.md

[github-actions]

Performance Benchmark Results

Node-Agent Resource Usage

Metric	BEFORE	AFTER	Delta
Avg CPU (cores)	0.213	0.213	-0.1%
Peak CPU (cores)	0.223	0.222	-0.2%
Avg Memory (MiB)	304.789	269.524	-11.6%
Peak Memory (MiB)	308.125	270.543	-12.2%

Dedup Effectiveness (AFTER only)

Event Type	Passed	Deduped	Ratio
capabilities	0	0	N/A
hardlink	6001	0	0.0%
http	1760	119402	98.5%
network	901	77927	98.9%
open	31726	620041	95.1%
symlink	6001	0	0.0%
syscall	976	1901	66.1%

Event Counters

Metric	BEFORE	AFTER
capability_counter	10	9
dns_counter	1420	1418
exec_counter	7102	7128
network_counter	93414	93670
open_counter	772977	776179
syscall_counter	3498	3496