SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper #810

Open
entlein wants to merge 4 commits into kubescape:main from k8sstormcenter:upstream-pr/sbob-EVERYTHING

Conversation

@entlein

@entlein entlein commented May 15, 2026

Umbrella PR consolidating the SBOB-wildcards feature surface for node-agent. Tier-by-tier breakdown per CodeRabbit's atomic-split advisory on kubescape/storage#323:

  • Tier 0 — opens: kubescape/node-agent#811 (was_path_opened* CEL helpers)
  • Tier 2 — execs: kubescape/node-agent#805 (resolveExecPath + 3-arg parse), #807 (R0040 args consumer), #812 (ExecsByPath projection surface)
  • Tier 3 — network: kubescape/node-agent#806 (network wildcards CEL)
  • Tier 4 — tamper/sign: kubescape/node-agent#808 (projection overlay + tamper R1016 + non-blocking fanout + NN resource), #809 (cosign sign/verify + tamper detection)

This umbrella carries the union of the above, plus the projection-feature chart restorations and cross-theme component tests (Test_29..Test_33) for end-to-end coverage. If the maintainer prefers to cherry-merge the small per-feature PRs, this umbrella shrinks naturally as each one lands.

Performance evidence

Validated on workflow run 25959674209:

Metric              Baseline (v0.3.113)   Candidate   Delta
Avg CPU (cores)     0.214                 0.209       -2.2%
Peak CPU (cores)    0.223                 0.218       -2.2%
Avg Memory (MiB)    277.659               259.997     -6.4%
Peak Memory (MiB)   279.367               264.609     -5.3%

Storage companion

Storage umbrella: kubescape/storage#326. Storage and node-agent run on different syft chains by design (storage on anchore/syft v1.42.4, node-agent on kubescape/syft v1.32.0-ks.2 via replace) per the upstream-NA decision in PR #798 — see node-agent issue #45 for context on the moby/moby umbrella vs moby/moby/client submodule transitive coupling that gates a single-chain alignment.

Notes

  • CompareDynamic perf: rabbit flagged the recursive splitPath allocation pattern on kubescape/storage#326; matthyx indicated earlier he'd own the zero-alloc rewrite. We've not touched it here.
  • was_path_opened_with_flags CEL helper restored after we initially removed it — it's a public CEL surface, removing was a mistake.
  • Three minor rule-spec divergences carried from earlier fork work (R0005 isTriggerAlert, R0011 enabled+isTriggerAlert, R0008 uniqueId) are flagged in the audit document and open for discussion.

….7%/-12.4% memory)

Signed-off-by: entlein <einentlein@gmail.com>
@coderabbitai

coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@entlein has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 30 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1eeb68a5-e955-4715-a2d6-d1d20978cc68

📥 Commits

Reviewing files that changed from the base of the PR and between cc59fa0 and 90cfaaa.

📒 Files selected for processing (90)
  • cmd/main.go
  • cmd/sign-object/Dockerfile
  • cmd/sign-object/main.go
  • pkg/config/config.go
  • pkg/containerprofilemanager/v1/event_reporting.go
  • pkg/containerprofilemanager/v1/event_reporting_test.go
  • pkg/containerprofilemanager/v1/lifecycle.go
  • pkg/exporters/alert_manager.go
  • pkg/objectcache/containerprofilecache/containerprofilecache.go
  • pkg/objectcache/containerprofilecache/projection.go
  • pkg/objectcache/containerprofilecache/projection_apply.go
  • pkg/objectcache/containerprofilecache/tamper_alert.go
  • pkg/objectcache/containerprofilecache/tamper_alert_test.go
  • pkg/objectcache/containerprofilecache/test32_projection_test.go
  • pkg/objectcache/projection_types.go
  • pkg/objectcache/shared_container_data.go
  • pkg/objectcache/v1/mock.go
  • pkg/rulebindingmanager/cache/cache.go
  • pkg/rulebindingmanager/cache/cache_test.go
  • pkg/rulemanager/cel/libraries/applicationprofile/ap.go
  • pkg/rulemanager/cel/libraries/applicationprofile/exec.go
  • pkg/rulemanager/cel/libraries/applicationprofile/exec_test.go
  • pkg/rulemanager/cel/libraries/applicationprofile/open.go
  • pkg/rulemanager/cel/libraries/applicationprofile/open_test.go
  • pkg/rulemanager/cel/libraries/cache/function_cache.go
  • pkg/rulemanager/cel/libraries/networkneighborhood/fixtures_test.go
  • pkg/rulemanager/cel/libraries/networkneighborhood/network.go
  • pkg/rulemanager/cel/libraries/networkneighborhood/wildcard_test.go
  • pkg/rulemanager/cel/libraries/parse/parse.go
  • pkg/rulemanager/cel/libraries/parse/parselib.go
  • pkg/rulemanager/cel/libraries/parse/parsing_test.go
  • pkg/rulemanager/ruleswatcher/watcher.go
  • pkg/signature/annotations.go
  • pkg/signature/cluster_flow_test.go
  • pkg/signature/cluster_scenario_test.go
  • pkg/signature/cosign_adapter.go
  • pkg/signature/cosign_adapter_test.go
  • pkg/signature/interface.go
  • pkg/signature/profiles/adapter_test.go
  • pkg/signature/profiles/applicationprofile_adapter.go
  • pkg/signature/profiles/empty_typemeta_test.go
  • pkg/signature/profiles/networkneighborhood_adapter.go
  • pkg/signature/profiles/networkneighborhood_adapter_test.go
  • pkg/signature/profiles/rules_adapter.go
  • pkg/signature/profiles/rules_adapter_test.go
  • pkg/signature/profiles/seccompprofile_adapter.go
  • pkg/signature/sign.go
  • pkg/signature/sign_test.go
  • pkg/signature/signer.go
  • pkg/signature/verifier.go
  • pkg/signature/verify.go
  • pkg/signature/verify_test.go
  • tests/chart/crds/runtime-rule-binding.crd.yaml
  • tests/chart/templates/node-agent/default-rule-binding.yaml
  • tests/chart/templates/node-agent/default-rules.yaml
  • tests/chart/values.yaml
  • tests/component_test.go
  • tests/resources/aplint_test.go
  • tests/resources/crypto-miner-deployment.yaml
  • tests/resources/curl-exec-arg-wildcards-deployment.yaml
  • tests/resources/curl-plain-deployment.yaml
  • tests/resources/curl-signed-deployment.yaml
  • tests/resources/curl-user-network-deployment.yaml
  • tests/resources/curl-user-profile-wildcards-deployment.yaml
  • tests/resources/known-application-profile.yaml
  • tests/resources/known-network-neighborhood.yaml
  • tests/resources/network-wildcards/01-literal-ipv4.yaml
  • tests/resources/network-wildcards/02-literal-ipv6.yaml
  • tests/resources/network-wildcards/03-cidr-ipv4.yaml
  • tests/resources/network-wildcards/04-cidr-ipv6.yaml
  • tests/resources/network-wildcards/05-any-ip-sentinel.yaml
  • tests/resources/network-wildcards/06-any-as-cidr.yaml
  • tests/resources/network-wildcards/07-mixed-ip-list.yaml
  • tests/resources/network-wildcards/08-deprecated-ipaddress.yaml
  • tests/resources/network-wildcards/09-dns-literal.yaml
  • tests/resources/network-wildcards/10-dns-leading-wildcard.yaml
  • tests/resources/network-wildcards/11-dns-mid-ellipsis.yaml
  • tests/resources/network-wildcards/12-dns-trailing-star.yaml
  • tests/resources/network-wildcards/13-dns-trailing-dot-normalisation.yaml
  • tests/resources/network-wildcards/14-recursive-star-rejected.yaml
  • tests/resources/network-wildcards/15-egress-and-ingress.yaml
  • tests/resources/network-wildcards/16-egress-none.yaml
  • tests/resources/network-wildcards/17-realistic-stripe-api.yaml
  • tests/resources/network-wildcards/18-cluster-dns-via-mid-ellipsis.yaml
  • tests/resources/network-wildcards/19-port-protocol-with-cidr.yaml
  • tests/resources/network-wildcards/20-multi-container-mixed-wildcards.yaml
  • tests/resources/network-wildcards/README.md
  • tests/resources/nginx-user-defined-deployment.yaml
  • tests/resources/nginx-user-profile-deployment.yaml
  • tests/resources/user-profile.yaml

@entlein
Author

entlein commented May 16, 2026

@CodeRabbit review this together with kubescape/storage#326 please

@coderabbitai

coderabbitai Bot commented May 16, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch details of storage PR `#326`
gh pr view 326 --repo kubescape/storage --json title,body,files,commits,additions,deletions,changedFiles 2>&1 | head -200

echo "---FILES CHANGED---"
gh pr view 326 --repo kubescape/storage --json files 2>&1 | jq -r '.files[].path' 2>&1

echo "---PR DIFF (first 300 lines)---"
gh pr diff 326 --repo kubescape/storage 2>&1 | head -300

Length of output: 27018


🏁 Script executed:

#!/bin/bash
echo "=== node-agent PR `#810` details ==="
gh pr view 810 --repo kubescape/node-agent --json title,body,files,changedFiles,additions,deletions 2>&1 | head -100

echo "=== node-agent PR `#810` files ==="
gh pr view 810 --repo kubescape/node-agent --json files 2>&1 | jq -r '.files[].path' 2>&1

echo "=== node-agent PR `#810` diff (first 400 lines) ==="
gh pr diff 810 --repo kubescape/node-agent 2>&1 | head -400

echo "=== storage PR `#326` diff (lines 300-700) ==="
gh pr diff 326 --repo kubescape/storage 2>&1 | sed -n '300,700p'

Length of output: 38600


🏁 Script executed:

#!/bin/bash
echo "=== storage: networkmatch/match_dns.go ==="
gh pr diff 326 --repo kubescape/storage 2>&1 | grep -A 300 'diff --git a/pkg/registry/file/networkmatch/match_dns.go'| head -220

echo "=== storage: networkmatch/match_ip.go ==="
gh pr diff 326 --repo kubescape/storage 2>&1 | grep -A 150 'diff --git a/pkg/registry/file/networkmatch/match_ip.go' | head -120

echo "=== storage: dynamicpathdetector/compare_exec_args.go ==="
gh pr diff 326 --repo kubescape/storage 2>&1 | grep -A 120 'diff --git a/pkg/registry/file/dynamicpathdetector/compare_exec_args.go' | head -110

echo "=== storage: collapse_config_from_crd.go ==="
gh pr diff 326 --repo kubescape/storage 2>&1 | grep -A 140 'diff --git a/pkg/registry/file/dynamicpathdetector/collapse_config_from_crd.go' | head -130

echo "=== storage: networkneighborhood/strategy.go ==="
gh pr diff 326 --repo kubescape/storage 2>&1 | grep -A 120 'diff --git a/pkg/registry/softwarecomposition/networkneighborhood/strategy.go' | head -110

echo "=== node-agent: pkg/signature/cosign_adapter.go (first 100 lines) ==="
gh pr diff 810 --repo kubescape/node-agent 2>&1 | grep -A 120 'diff --git a/pkg/signature/cosign_adapter.go' | head -110

echo "=== node-agent: pkg/objectcache/containerprofilecache/tamper_alert.go ==="
gh pr diff 810 --repo kubescape/node-agent 2>&1 | grep -A 220 'diff --git a/pkg/objectcache/containerprofilecache/tamper_alert.go' | head -210

echo "=== node-agent: pkg/rulemanager/cel/libraries/networkneighborhood/network.go ==="
gh pr diff 810 --repo kubescape/node-agent 2>&1 | grep -A 180 'diff --git a/pkg/rulemanager/cel/libraries/networkneighborhood/network.go' | head -170

Length of output: 43360


@entlein — here's a combined review of kubescape/node-agent #810 and kubescape/storage #326. The benchmark results are excellent (−11.7 % avg memory) and the overall architecture is clean. Comments below are grouped by severity.


🔴 High – should address before individual PRs are merged

[storage #326] Dependency downgrades in go.mod

- github.com/anchore/syft           v1.42.3  →  v1.32.0   (−10 minor versions)
- github.com/anchore/stereoscope    v0.1.22  →  v0.1.9    (−13 patch versions)
- github.com/opencontainers/runtime-spec v1.3.0  →  v1.2.1

These are all downgrades, which is the opposite of the usual direction. If this is to resolve a build conflict in the summary PR, the individual split PRs should carry the explanation. Downgrading syft by 10 minor versions in particular may reintroduce fixed CVEs.


[node-agent #810] Hardcoded Sigstore infrastructure URLs in cosign_adapter.go

fulcioURL = "https://fulcio.sigstore.dev"
rekorURL  = "https://rekor.sigstore.dev"

These are compile-time constants with no override path. Air-gapped clusters and enterprise Sigstore deployments (e.g. using Sigstore Scaffold) will be unable to use keyless signing at all. Consider promoting them to a config struct or env-var overrides.


[node-agent #810] Package-level mutable globals for flags in cmd/sign-object/main.go

var (
    inputFile  string
    outputFile string
    keyFile    string
    objectType string
    useKeyless bool
    ...
)

All flag state lives in package globals. This is not goroutine-safe and makes unit-testing individual subcommands effectively impossible without spawning a subprocess. Consider using a struct per subcommand and passing it through flag.FlagSet.Parse.


🟡 Medium – worth fixing in the individual split PRs

[storage #326] Dead / unreachable code block in matchDNSPattern

In match_dns.go, after the leading-* branch (isFirst) and the trailing-* branch (isLast && !isFirst) are checked, the remaining fallthrough:

// Mid-position "*" (declaration-illegal but defensive): treat as one label.
if tok == DNSWildcardLabel {

…is unreachable. When tok == "*" and !isLast, the leading branch already matches (isFirst is possible), and the trailing branch requires isLast. A mid-position "*" (e.g., foo.*.bar) is actually not rejected by compileDNSPattern — only "**" and the single-label "*" are. So the path foo.*.bar would reach this dead branch at pi=1. The comment says admission validates this, but ValidateDNSEntry should be verified to explicitly reject mid-position *, otherwise the dead branch becomes live on a malformed-but-admitted pattern.


[storage #326] No threshold bounds validation on CollapseConfiguration

The CollapseConfiguration strategy (collapseconfiguration/strategy.go) should reject or warn on OpenDynamicThreshold == 0 or EndpointDynamicThreshold == 0, which would cause the trie to collapse every path immediately. Similarly a very large threshold (e.g. MaxInt32) would disable collapsing entirely. A +kubebuilder:validation:Minimum=1 marker or an explicit strategy-level check would prevent misconfiguration.


[node-agent #810] cmd/sign-object/Dockerfile uses Debian unstable

FROM --platform=$BUILDPLATFORM golang:1.25-trixie AS builder

trixie is the current Debian testing branch (not stable). Production container images should pin to bookworm (Debian 12, stable) or use a digest-pinned image. The distroless final image is fine.


[node-agent #810] InfectedPID: 1 hardcoded in emitTamperAlert

BaseRuntimeAlert: armotypes.BaseRuntimeAlert{
    InfectedPID: 1,
    ...
}

PID 1 (init) has no relation to a tamper event — it's carried over from the legacy shape but is misleading in dashboards. Consider using 0 or omitting if the field is optional, or filing a follow-up to introduce a sentinel value for "no associated PID."


[storage #326] Silent discard of malformed IPAddresses/DNSNames entries in matchers

CompileIP and CompileDNS silently drop malformed entries with a continue. The comment correctly notes that admission is the right gate, but a logger.L().Debug(...) on the discard would greatly help production troubleshooting (e.g., a profile stored before the admission webhook was active).


🟢 Low / Nits

[storage #326] DNSDynamicLabel = "⋯" (U+22EF) as a sentinel

Using a Unicode character as a profile token is creative but fragile through JSON/YAML round-trips in tools that assume ASCII (shell scripts, kubectl --edit, etc.). The existing DynamicIdentifier in dynamicpathdetector already uses the same token, so consistency argues for keeping it — just worth documenting the encoding requirement prominently (it's currently in the README, which is good).

[node-agent #810] rulesWatcher now takes &cfg (pointer)

rulesWatcher := ruleswatcher.NewRulesWatcher(k8sClient, ruleCreator, func() {
    ruleBindingCache.RefreshRuleBindingsRules()
}, &cfg)

cfg is a stack-local config.Config in main(). Passing a pointer to a stack-local that lives for the duration of main is fine here, but if cfg is ever mutated after this point the watcher will see the mutation without synchronization. Worth a cfg freeze comment or converting to a value copy if RulesWatcher only reads it.


✅ Things done well

  • tamper_alert.go error classification — distinguishing errors.Is(err, signature.ErrSignatureMismatch) from operational errors is exactly right; false R1016s from transient hash failures would be very noisy.
  • matchIPField — correctly does NOT short-circuit on ProjectedField.All — the comment about CR #43 / R-NET-7 is the right call.
  • CompareExecArgs memoization — the O(m × n) memoized backtracker with a clear comment citing the prior CodeRabbit finding is a solid fix.
  • networkneighborhood/strategy.go admission validation — both IPAddresses and the deprecated IPAddress are validated, which closes the "old field smuggling" path.
  • CollapseSettingsFromCRD nil guard — falls back to DefaultCollapseSettings() cleanly.
  • 20 fixture YAML files for network wildcard cases — excellent coverage of edge cases (CIDR, trailing-dot normalisation, mid-ellipsis, recursive-star rejection).
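
The mid-position "*" question in the review above comes down to what the compiler admits. The following is an added example written for this page, not the storage repository's match_dns.go or compileDNSPattern: a small Go matcher that rejects a mid-position "*", any partial wildcard such as "**" or "*foo", and patterns with no literal label at compile time, so the matcher never needs a defensive branch for them. The token semantics are assumptions: a leading or trailing "*" absorbs one or more labels, "⋯" (U+22EF) matches exactly one label, and names are lower-cased with a trailing dot stripped before matching (the trailing-dot-normalisation and recursive-star-rejected fixture cases). All identifiers are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed token set (names chosen for this example, not the storage package's).
const (
	WildcardLabel = "*" // leading or trailing only: absorbs one or more labels
	DynamicLabel  = "⋯" // U+22EF: exactly one label of any value
)

var ErrInvalidPattern = errors.New("invalid DNS pattern")

// Pattern is a compiled DNS glob: literal/⋯ labels plus optional wildcard ends.
type Pattern struct {
	fixed []string
	lead  bool
	trail bool
}

// splitName lower-cases, strips a trailing dot and splits into labels, so
// "API.Example.COM." and "api.example.com" compare equal.
func splitName(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
	if name == "" {
		return nil
	}
	return strings.Split(name, ".")
}

// Compile rejects every shape the matcher would otherwise have to handle
// defensively: "**", "*foo", a mid-position "*", and patterns with no literal.
func Compile(raw string) (*Pattern, error) {
	labels := splitName(raw)
	if len(labels) == 0 {
		return nil, fmt.Errorf("%w: empty pattern", ErrInvalidPattern)
	}
	p := &Pattern{}
	for i, l := range labels {
		switch {
		case l == "":
			return nil, fmt.Errorf("%w: empty label in %q", ErrInvalidPattern, raw)
		case l == WildcardLabel && i == 0:
			p.lead = true
		case l == WildcardLabel && i == len(labels)-1:
			p.trail = true
		case l == WildcardLabel:
			return nil, fmt.Errorf("%w: mid-position %q in %q", ErrInvalidPattern, l, raw)
		case strings.Contains(l, WildcardLabel):
			return nil, fmt.Errorf("%w: partial wildcard %q in %q", ErrInvalidPattern, l, raw)
		default:
			p.fixed = append(p.fixed, l)
		}
	}
	if len(p.fixed) == 0 { // "*" or "*.*" would match every name
		return nil, fmt.Errorf("%w: %q has no literal label", ErrInvalidPattern, raw)
	}
	return p, nil
}

// fixedAt reports whether p.fixed matches host[off:off+len(p.fixed)].
func (p *Pattern) fixedAt(host []string, off int) bool {
	for i, want := range p.fixed {
		if want != DynamicLabel && want != host[off+i] {
			return false
		}
	}
	return true
}

// Match anchors the fixed part according to which ends carry a wildcard;
// extra is the number of labels the wildcards must absorb (at least one each).
func (p *Pattern) Match(name string) bool {
	host := splitName(name)
	extra := len(host) - len(p.fixed)
	switch {
	case p.lead && p.trail:
		for off := 1; off <= extra-1; off++ {
			if p.fixedAt(host, off) {
				return true
			}
		}
		return false
	case p.lead:
		return extra >= 1 && p.fixedAt(host, extra)
	case p.trail:
		return extra >= 1 && p.fixedAt(host, 0)
	default:
		return extra == 0 && p.fixedAt(host, 0)
	}
}

func main() {
	for _, raw := range []string{"*.example.com", "api.⋯.svc.cluster.local", "foo.*.bar", "**.example.com", "*"} {
		if _, err := Compile(raw); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", raw)
	}
}
```

Because rejection happens in Compile, the same function can back both the admission check and the in-memory matcher: an entry that was stored before admission was enforced is refused on load with a specific error instead of silently dropped or matched by a fallback branch.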

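On the error-classification point for tamper_alert.go raised in the review above, here is an added example, not the PR's pkg/signature code: a verify function whose errors wrap one of two sentinels, and an emitter decision that only raises the tamper verdict on ErrSignatureMismatch. The design choice worth noting is which failures count as a mismatch. Anything a writer of the stored object can influence (a changed body, a stripped or garbled signature annotation) is classified as tampering, because otherwise an attacker could corrupt the annotation and turn a tamper into a quietly deferred "operational" error; only the verifier's own state (key not loaded) is operational. Ed25519 with a detached signature in an annotation stands in for cosign; Object, sigAnnotation, the Verdict names and the sample body are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// A mismatch is evidence of tampering; an unavailable verifier is operational.
var (
	ErrSignatureMismatch   = errors.New("signature mismatch")
	ErrVerifierUnavailable = errors.New("verifier unavailable")
)

// Object is a hypothetical stand-in for a stored profile (body + annotations).
type Object struct {
	Body        map[string]string
	Annotations map[string]string
}

// sigAnnotation is an assumed annotation key, not the one the PR uses.
const sigAnnotation = "example.io/signature"

// canonical: encoding/json emits map keys sorted, so the bytes are deterministic.
func canonical(body map[string]string) []byte {
	b, _ := json.Marshal(body) // cannot fail for map[string]string
	return b
}

func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign stores a detached Ed25519 signature over the canonical body.
func Sign(priv ed25519.PrivateKey, obj *Object) {
	if obj.Annotations == nil {
		obj.Annotations = map[string]string{}
	}
	sig := ed25519.Sign(priv, canonical(obj.Body))
	obj.Annotations[sigAnnotation] = base64.StdEncoding.EncodeToString(sig)
}

// Verify wraps one of the two sentinels. Anything a writer of the object can
// influence (body, stripped or garbled annotation) is a mismatch.
func Verify(pub ed25519.PublicKey, obj *Object) error {
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("%w: public key not loaded", ErrVerifierUnavailable)
	}
	encoded, ok := obj.Annotations[sigAnnotation]
	if !ok {
		return fmt.Errorf("%w: annotation %s absent", ErrSignatureMismatch, sigAnnotation)
	}
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("%w: malformed signature", ErrSignatureMismatch)
	}
	if !ed25519.Verify(pub, canonical(obj.Body), sig) {
		return ErrSignatureMismatch
	}
	return nil
}

type Verdict string

const (
	VerdictOK       Verdict = "ok"
	VerdictTampered Verdict = "tampered" // emit the tamper alert
	VerdictDeferred Verdict = "deferred" // log and retry, no alert
)

// Classify is the emitter's decision; errors.Is sees through Verify's wrapping.
func Classify(err error) Verdict {
	switch {
	case err == nil:
		return VerdictOK
	case errors.Is(err, ErrSignatureMismatch):
		return VerdictTampered
	default:
		return VerdictDeferred
	}
}

func main() {
	pub, priv := newKeyPair()
	obj := &Object{Body: map[string]string{"execs": "/usr/bin/curl"}} // constructed sample
	Sign(priv, obj)
	fmt.Println("intact:  ", Classify(Verify(pub, obj)))
	obj.Body["execs"] = "/usr/bin/curl,/tmp/xmrig"
	fmt.Println("modified:", Classify(Verify(pub, obj)))
	fmt.Println("no key:  ", Classify(Verify(nil, obj)))
}
```

The split between the two sentinels is the whole point: transient failures (the "no key" case here, or a Rekor or Fulcio timeout in a real cosign path) stay out of the alert stream, while every object-side anomaly, including a removed annotation, still produces a tamper verdict.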
@entlein
Author

entlein commented May 16, 2026

Dear @CodeRabbit,

  • The cmd/sign-object/Dockerfile is not used by the main code at all, so please don't consider it blocking. It is a CLI tool I will use in the documentation. Thanks for the review. I'll address it. Just please don't block the other code with it.
  • The downgrades of syft etc. -> given that the entire codebase was now upgraded, I don't see any dependencies on these tools. So, fully agree, but unless you can see that the Go code needs to change due to the upgrades, I'd consider it a chore to do once the rest is acceptable.

Will wait for matthyx's general direction on how he wants me to address all the other points. Happy weekend :)

@coderabbitai

coderabbitai Bot commented May 16, 2026


@entlein — thanks for the context, that's helpful!

  • cmd/sign-object/main.go (globals / keyless URLs) — Completely understood. Since it's a standalone documentation/ops CLI and not wired into the main binary, neither the flag-globals concern nor the hardcoded Sigstore URLs are blocking for the core review. I'll keep the suggestions on record for when you polish the CLI itself.

  • go.mod downgrades (syft / stereoscope / runtime-spec) — Agreed. If there are no direct Go import paths in the changed code that rely on APIs introduced after the downgraded versions, this is purely a housekeeping item and shouldn't gate the functional changes. Worth a quick go list -m all | grep anchore sanity-check at cleanup time to confirm nothing is silently pulling an older transitive dependency.

Happy to re-evaluate once matthyx weighs in on direction. Happy weekend! 🐇


✏️ Learnings added
Learnt from: entlein
URL: https://github.com/kubescape/node-agent/pull/810

Timestamp: 2026-05-16T07:56:01.849Z
Learning: In kubescape/node-agent PR `#810`, `cmd/sign-object/main.go` is a standalone CLI tool intended for documentation/ops use only. It is NOT wired into the main node-agent binary. Review concerns about it (e.g., package-level globals, hardcoded Sigstore URLs) should not be treated as blocking for the core node-agent changes.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@coderabbitai

coderabbitai Bot commented May 16, 2026


@entlein — fully noted on both points, and they're reflected in my records:

  • cmd/sign-object/Dockerfile — Removed from any blocking consideration. It's a standalone docs/ops CLI; the Debian-testing base and similar nits are cosmetic concerns for a future polish pass on that tool.
  • go.mod downgrades (syft / stereoscope / runtime-spec) — Agreed to defer. Unless go list -m all reveals a live code path importing a post-downgrade API, this is housekeeping and shouldn't gate the functional work in this PR.

Enjoy the weekend, and feel free to ping me again once matthyx shares direction on the remaining medium items! 🐇

…, cache, opens/exec CEL)

Signed-off-by: entlein <einentlein@gmail.com>
@entlein
Author

entlein commented May 16, 2026

┌───────────────────┬──────────────────────────────┬───────────┬───────┐
│ Metric │ Baseline (upstream v0.3.113) │ Candidate │ Delta │
├───────────────────┼──────────────────────────────┼───────────┼───────┤
│ Avg CPU (cores) │ 0.214 │ 0.209 │ -2.2% │
├───────────────────┼──────────────────────────────┼───────────┼───────┤
│ Peak CPU (cores) │ 0.223 │ 0.218 │ -2.2% │
├───────────────────┼──────────────────────────────┼───────────┼───────┤
│ Avg Memory (MiB) │ 277.659 │ 259.997 │ -6.4% │
├───────────────────┼──────────────────────────────┼───────────┼───────┤
│ Peak Memory (MiB) │ 279.367 │ 264.609 │ -5.3% │
└───────────────────┴──────────────────────────────┴───────────┴───────┘

Numbers shrank from the earlier -11.7%/-12.4% (commit 8b34f59) after the ctx-prop revert.

entlein added 2 commits May 16, 2026 13:39
Signed-off-by: entlein <einentlein@gmail.com>
Signed-off-by: entlein <einentlein@gmail.com>
@entlein
Author

entlein commented May 16, 2026

@coderabbitai review

Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map:

Tier 0 (opens):

Tier 2 (execs):

Tier 3 (network):

Tier 4 (tamper/sign):

Umbrellas:

Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed.

@coderabbitai

coderabbitai Bot commented May 16, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch all atomic PRs in parallel — titles + file lists

echo "=== storage#322 ==="
gh pr view 322 --repo kubescape/storage --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== storage#323 ==="
gh pr view 323 --repo kubescape/storage --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== storage#324 ==="
gh pr view 324 --repo kubescape/storage --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== storage#325 ==="
gh pr view 325 --repo kubescape/storage --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== storage#326 ==="
gh pr view 326 --repo kubescape/storage --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

Length of output: 10027


🏁 Script executed:

#!/bin/bash
echo "=== node-agent#805 ==="
gh pr view 805 --repo kubescape/node-agent --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== node-agent#806 ==="
gh pr view 806 --repo kubescape/node-agent --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== node-agent#807 ==="
gh pr view 807 --repo kubescape/node-agent --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== node-agent#808 ==="
gh pr view 808 --repo kubescape/node-agent --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== node-agent#809 ==="
gh pr view 809 --repo kubescape/node-agent --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== node-agent#811 ==="
gh pr view 811 --repo kubescape/node-agent --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

echo "=== node-agent#812 ==="
gh pr view 812 --repo kubescape/node-agent --json title,state,files 2>&1 | jq '{title, state, files: [.files[].path]}'

Length of output: 5186


@entlein — here is the atomicity confirmation and coupling map after reviewing all 13 atomic PRs + 2 umbrellas.


✅ Atomicity confirmation by tier

graph TD
    subgraph storage
        S322["`#322` CompareExecArgs"]
        S323["`#323` path-wildcards core"]
        S324["`#324` networkmatch pkg"]
        S325["`#325` CollapseConfig CRD"]
        S326["`#326` umbrella"]
        S322 --> S323
        S323 --> S325
        S322 --> S326
        S323 --> S326
        S324 --> S326
        S325 --> S326
    end
    subgraph node-agent
        NA811["`#811` was_path_opened* CEL"]
        NA805["`#805` resolveExecPath + parse"]
        NA807["`#807` R0040 args consumer"]
        NA812["`#812` ExecsByPath surface"]
        NA806["`#806` network wildcards CEL"]
        NA808["`#808` projection + tamper + fanout"]
        NA809["`#809` cosign sign/verify"]
        NA810["`#810` umbrella"]
        NA811 --> NA807
        NA805 --> NA807
        NA808 --> NA809
        NA808 --> NA812
        NA805 --> NA810
        NA806 --> NA810
        NA807 --> NA810
        NA808 --> NA810
        NA809 --> NA810
        NA811 --> NA810
        NA812 --> NA810
    end
    S323 --> NA807
    S324 --> NA806
    S325 --> NA808

🔴 Three atomicity violations — file-level conflicts between sibling PRs

These three require resolution before the atomic PRs can be merged independently:

1. applicationprofile/open.go — shared by #807 (Tier 2) and #811 (Tier 0)

PR    Tier  Files touched
#811  0     applicationprofile/ap.go, applicationprofile/open.go
#807  2     applicationprofile/exec.go, applicationprofile/open.go, exec_test.go, open_test.go

Fix: #807 must be rebased on top of #811 (Tier 0 merges first, Tier 2 picks up the open.go changes). The current graph already has #811 → #807, so the rebase is the right action — just needs to be done explicitly.


2. tamper_alert.go + tamper_alert_test.go — shared by #808 (Tier 4) and #809 (Tier 4)

PR    Files touched
#808  containerprofilecache/tamper_alert.go, containerprofilecache/tamper_alert_test.go (+ projection/cache infra)
#809  containerprofilecache/tamper_alert.go, containerprofilecache/tamper_alert_test.go (+ full pkg/signature/ package)

Fix options (pick one):

  • Option A: Keep tamper infrastructure (struct + non-cosign path) entirely in #808 and strip tamper_alert.* from #809, having #809 only add cosign wiring via the interface defined in #808.
  • Option B: Move all tamper logic (including cosign wiring) into #809 and remove tamper_alert.* from #808 entirely. Then #808 merges first without tamper alert code, and #809 adds it in full.

Option A is cleaner for atomicity (infra in #808, cosign-specific wiring in #809) since #808 already has the alert structure.


3. projection_apply.go + projection_types.go — shared by #808 (Tier 4) and #812 (Tier 2)

PR    Files touched
#808  projection_apply.go, projection_types.go, containerprofilecache.go, projection.go, ...
#812  projection_apply.go, projection_apply_test.go, projection_types.go

This is the most problematic one: #812 (Tier 2, ExecsByPath) modifies the same projection files as #808 (Tier 4). This is a tier ordering violation — Tier 2 should not depend on Tier 4 infrastructure.

Fix: Either:

  • Option A: Promote #812 into Tier 4 (merge after #808), since it adds to the projection surface that #808 defines. Update the tier chart accordingly.
  • Option B: Move the projection_types.go / projection_apply.go base shape (the type definitions ExecsByPath needs) out of #808 into a new earlier PR or into #807, so #812 can sit cleanly in Tier 2.

✅ Clean PRs — no intra-tier coupling

PR               Assessment
storage#322      ✅ Atomic — only compare_exec_args.go + its own test
storage#323      ✅ Atomic — path-wildcards core; depends on #322 (expected)
storage#324      ✅ Atomic — full networkmatch package, self-contained
storage#325      ✅ Atomic — CollapseConfig CRD; depends on #323's types.go (expected)
node-agent#805   ✅ Atomic — parse/ library + event_reporting.go only
node-agent#806   ✅ Atomic — network.go + 20 YAML fixtures; depends on storage#324 (expected)

Revised merge order

storage:  `#322` → `#323` → `#324` (parallel) → `#325` → `#326`
                                 ↓           ↓
node-agent: `#811` → `#805` (parallel) → `#807`   `#808` → `#809`
                                       ↓      ↓
                                      `#806`  `#812` (resolve tier conflict first)
                                              ↓
                                            `#810`

The three violations above are the only blockers to being able to cherry-merge the atomic PRs independently. Happy to look at the specific diff hunks for any of them if it helps decide which split approach to take. 🐇

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
