feat(exceptions): add cluster-matching and control-ID helpers for external callers

[RohanKaran]

Overview

Add three exported helpers on Processor to support the manual-control exception path in kubescape:

• MatchesCluster — nil-safe cluster designator check; delegates to private matchesCluster
• RegexCompareControlID — case-insensitive regex match for control IDs
• getAttributes / matchesCluster — private helpers that centralise the designator cache lookup and cluster check, removing the redundant lookup in hasException and the existing TODO comment

How to Test

No behaviour change — refactor only.

go test ./exceptions/... -count=1

Checklist before requesting a review

• My code follows the style guidelines of this project
• I have commented on my code, particularly in hard-to-understand areas
• I have performed a self-review of my code
• New and existing unit tests pass locally with my changes

[coderabbitai]

📝 Walkthrough

Walkthrough

Centralized exception-matching logic: hasException now uses a cache-aware getAttributes and a matchesCluster helper. Two new exported entrypoints were added: RegexCompareControlID and MatchesCluster for nil-safe cluster matching via PortalDesignator.

Changes

Cohort / File(s)	Summary
Exception processor core exceptions/exceptionprocessor.go	Refactored cluster-constraint logic into matchesCluster and moved attribute digestion to a cache-backed getAttributes. Updated hasException to use these helpers. Added exported MatchesCluster(designator *identifiers.PortalDesignator, clusterName string) bool for nil-safe matching.
New compare helper exceptions/exceptionprocessor.go	Added exported RegexCompareControlID(pattern, target string) bool that wraps case-insensitive regex equality comparison.

Sequence Diagram(s)

sequenceDiagram
    participant Caller as Caller
    participant Processor as Processor
    participant Cache as AttributeCache
    participant Comparator as ClusterComparator

    Caller->>Processor: MatchesCluster(designator, clusterName)
    Processor->>Cache: getAttributes(designator) (cache-aware)
    Cache-->>Processor: attributes (digested)
    Processor->>Comparator: matchesCluster(attributes, clusterName)
    Comparator-->>Processor: matchResult (empty constraint => match any / else compareCluster)
    Processor-->>Caller: bool (matchResult)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through code, tidy and spry,
I cached the clues and watched constraints fly.
Regex whiskers twitched with a careful cheer,
Now clusters greet matches when they draw near.
A tiny rabbit applauds this refactor here. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main changes: adding two new exported helper methods (RegexCompareControlID and MatchesCluster) for cluster-matching and control-ID functionality that external callers can use.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

exceptions/exceptionprocessor.go (1)

183-185: Add a defensive nil guard in hasException.

Line 184 assumes designator is non-nil. Current call paths are safe, but guarding here prevents future panic risk if this helper is reused with nil input.

Patch suggestion

 func (p *Processor) hasException(clusterName string, designator *identifiers.PortalDesignator, workload workloadinterface.IMetadata) bool {
+	if designator == nil {
+		return false
+	}
 	attributes := p.getAttributes(designator)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@exceptions/exceptionprocessor.go` around lines 183 - 185, The hasException
helper assumes designator is non-nil and calls p.getAttributes(designator); add
a defensive nil-check at the start of hasException to return false (no
exception) when designator == nil to avoid panics if it is ever called with nil;
ensure the nil guard is placed before calling p.getAttributes and mentions
identifiers.PortalDesignator and the hasException method name so reviewers can
find the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@exceptions/exceptionprocessor.go`:
- Around line 183-185: The hasException helper assumes designator is non-nil and
calls p.getAttributes(designator); add a defensive nil-check at the start of
hasException to return false (no exception) when designator == nil to avoid
panics if it is ever called with nil; ensure the nil guard is placed before
calling p.getAttributes and mentions identifiers.PortalDesignator and the
hasException method name so reviewers can find the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ea5a363c-a6be-4e78-86cb-439755e97fd7

📥 Commits

Reviewing files that changed from the base of the PR and between df2b90a and 4803a61.

📒 Files selected for processing (1)

• exceptions/exceptionprocessor.go

[coderabbitai]

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

{}

[matthyx]

thanks @RohanKaran !