feat: risk worker redesign (#360)

* feat: risk worker redesign

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

* fix: small performance tuning

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

* feat: resolve failed evidence

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

* fix: copilot issues

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

* Fix Copilot review comments: optimize preloads, batch-load templates, return errors for unknown operators

* fix: risk transition

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

---------

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

Author: gusfcarvalho

.env.example

@@ -16,3 +16,8 @@ CCF_ENVIRONMENT="" # Defaults to production.
 ## This configuration disables cookie setting to allow testing on Safari
 ## It is insecure so use it with caution
 #CCF_ENVIRONMENT="local"
+
+# Pprof debugging (disabled by default)
+# Enable this for profiling during load tests
+CCF_PPROF_ENABLED=false
+CCF_PPROF_PORT=6060

cmd/root.go

@@ -29,6 +29,8 @@ func setDefaultEnvironmentVariables() {
 	viper.SetDefault("evidence_default_expiry_months", "1")
 	viper.SetDefault("digest_enabled", "true")
 	viper.SetDefault("digest_schedule", "@weekly")
+	viper.SetDefault("pprof_enabled", "false")
+	viper.SetDefault("pprof_port", ":6060")
 }
 
 func bindEnvironmentVariables() {
@@ -53,6 +55,8 @@ func bindEnvironmentVariables() {
 	viper.MustBindEnv("evidence_default_expiry_months")
 	viper.MustBindEnv("digest_enabled")
 	viper.MustBindEnv("digest_schedule")
+	viper.MustBindEnv("pprof_enabled")
+	viper.MustBindEnv("pprof_port")
 }
 
 func init() {

cmd/run.go

@@ -3,6 +3,8 @@ package cmd
 import (
 	"context"
 	"log"
+	"net/http"
+	_ "net/http/pprof"
 
 	"github.com/compliance-framework/api/internal/api"
 	"github.com/compliance-framework/api/internal/api/handler"
@@ -155,6 +157,15 @@ func RunServer(cmd *cobra.Command, args []string) {
 		metrics.StartMetricsServer(cfg.MetricsPort)
 	}
 
+	if cfg.PprofEnabled {
+		sugar.Infow("Starting pprof server", "port", cfg.PprofPort)
+		go func() {
+			if err := http.ListenAndServe(cfg.PprofPort, nil); err != nil {
+				sugar.Errorw("Failed to start pprof server", "error", err)
+			}
+		}()
+	}
+
 	if err := server.Start(cfg.AppPort); err != nil {
 		sugar.Fatalw("Failed to start server", "error", err)
 	}

internal/api/handler/risks.go

@@ -1993,6 +1993,10 @@ func validateStatusTransition(oldStatus, newStatus string) error {
 		string(riskrel.RiskStatusRiskAccepted): {
 			string(riskrel.RiskStatusClosed): {},
 		},
+		string(riskrel.RiskStatusRemediated): {
+			string(riskrel.RiskStatusOpen):   {},
+			string(riskrel.RiskStatusClosed): {},
+		},
 		string(riskrel.RiskStatusClosed): {},
 	}
 

internal/config/config.go

@@ -39,6 +39,8 @@ type Config struct {
 	DigestSchedule              string // Cron schedule for digest emails
 	Workflow                    *WorkflowConfig
 	Risk                        *RiskConfig
+	PprofEnabled                bool   // Enable or disable pprof debugging server
+	PprofPort                   string // Port for pprof debugging server
 }
 
 func NewConfig(logger *zap.SugaredLogger) *Config {
@@ -197,6 +199,17 @@ func NewConfig(logger *zap.SugaredLogger) *Config {
 		workerConfig.Queue = viper.GetString("worker_queue")
 	}
 
+	pprofEnabled := viper.GetBool("pprof_enabled")
+	pprofPort := viper.GetString("pprof_port")
+	if pprofPort == "" {
+		pprofPort = "6060"
+	}
+	// Normalize pprofPort: if it's a bare port like "6060", prefix with ":" to form ":6060".
+	// If it already contains a colon (e.g. "127.0.0.1:6060"), leave it unchanged.
+	if !strings.Contains(pprofPort, ":") {
+		pprofPort = ":" + pprofPort
+	}
+
 	return &Config{
 		AppPort:                     appPort,
 		Environment:                 environment,
@@ -218,6 +231,8 @@ func NewConfig(logger *zap.SugaredLogger) *Config {
 		DigestSchedule:              digestSchedule,
 		Workflow:                    workflowConfig,
 		Risk:                        riskConfig,
+		PprofEnabled:                pprofEnabled,
+		PprofPort:                   pprofPort,
 	}
 
 }

internal/converters/labelfilter/matcher.go

@@ -0,0 +1,101 @@
+package labelfilter
+
+import (
+	"fmt"
+	"slices"
+	"strings"
+)
+
+// NormalizeLabels converts a slice of name/value label pairs into a map keyed
+// by lowercased label name, with each value being a slice of lowercased values.
+// This supports labels where a single name can have multiple values (e.g. multiple
+// "_policy" labels on the same evidence).
+func NormalizeLabels(labels []struct{ Name, Value string }) map[string][]string {
+	result := make(map[string][]string, len(labels))
+	for _, l := range labels {
+		key := strings.ToLower(strings.TrimSpace(l.Name))
+		val := strings.ToLower(strings.TrimSpace(l.Value))
+		if key == "" {
+			continue
+		}
+		result[key] = append(result[key], val)
+	}
+	return result
+}
+
+// MatchLabels evaluates a filter Scope against a normalized label map.
+// A nil scope matches everything (empty filter = match all).
+// Semantics mirror the SQL evaluator in evidence.go (case-insensitive via pre-normalized map).
+// Returns an error if an unknown query operator is encountered.
+func MatchLabels(scope *Scope, labels map[string][]string) (bool, error) {
+	if scope == nil {
+		return true, nil
+	}
+	return matchScope(*scope, labels)
+}
+
+func matchScope(scope Scope, labels map[string][]string) (bool, error) {
+	if scope.IsCondition() {
+		return matchCondition(*scope.Condition, labels), nil
+	}
+	if scope.IsQuery() {
+		return matchQuery(*scope.Query, labels)
+	}
+	// Empty scope (neither condition nor query) matches everything.
+	return true, nil
+}
+
+func matchCondition(cond Condition, labels map[string][]string) bool {
+	key := strings.ToLower(strings.TrimSpace(cond.Label))
+	val := strings.ToLower(strings.TrimSpace(cond.Value))
+
+	values, exists := labels[key]
+
+	switch cond.Operator {
+	case "!=":
+		// Not-equals: true if the label doesn't exist or none of its values match.
+		if !exists {
+			return true
+		}
+		if slices.Contains(values, val) {
+			return false
+		}
+		return true
+	default:
+		// Equals (default): true if any value for this label matches.
+		if !exists {
+			return false
+		}
+		return slices.Contains(values, val)
+	}
+}
+
+func matchQuery(query Query, labels map[string][]string) (bool, error) {
+	op := strings.ToLower(query.Operator)
+	switch op {
+	case "and":
+		for _, scope := range query.Scopes {
+			match, err := matchScope(scope, labels)
+			if err != nil {
+				return false, err
+			}
+			if !match {
+				return false, nil
+			}
+		}
+		return true, nil
+	case "or":
+		for _, scope := range query.Scopes {
+			match, err := matchScope(scope, labels)
+			if err != nil {
+				return false, err
+			}
+			if match {
+				return true, nil
+			}
+		}
+		return len(query.Scopes) == 0, nil
+	default:
+		return false, fmt.Errorf("unrecognised query operator: %s", query.Operator)
+	}
+}