fix: component suggestion bugs #414

Merged
gusfcarvalho merged 4 commits into main from gc-fix-component-suggestions-bugs
Jun 11, 2026

@gusfcarvalho gusfcarvalho commented Jun 11, 2026

Contributor

Summary by CodeRabbit

  • New Features

    • Catalog-scoped control resolution when an SSP is linked to profiles, including bulk-apply behavior
    • Better multi-requirement handling with per-requirement suggestion evaluation
  • Bug Fixes

    • Prevented applying a suggestion for one requirement from removing suggestions for another
    • Reuse of existing system components when applying the same component to additional requirements
  • Tests

    • Expanded integration and unit tests covering scoped resolution, ambiguity, and apply paths

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

coderabbitai Bot commented Jun 11, 2026

Warning

Review limit reached

@gusfcarvalho, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 27 minutes and 38 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5541436d-9185-49ba-a163-88f1324f78ec

📥 Commits

Reviewing files that changed from the base of the PR and between 88bfbcd and 8ad857f.

📒 Files selected for processing (6)
  • internal/api/handler/filter.go
  • internal/service/migrator.go
  • internal/service/relational/system_component_suggestions.go
  • internal/service/relational/system_component_suggestions_test.go
  • internal/service/worker/risk_evidence_worker.go
  • internal/tests/migrate.go
📝 Walkthrough

Refactors suggestion generation to evaluate filters and exclusions per parent (requirement/statement), adds optional catalog-scoped filter resolution via SSP→profile→profile_controls links, aligns apply paths to parent-scoped suggestions, and expands unit and integration tests for multi-catalog and multi-requirement scenarios.

Changes

Parent-scoped suggestions and catalog scoping

| Layer / File(s) | Summary |
|---|---|
| Parent-scoped suggestion logic and control resolution (internal/service/relational/system_component_suggestions.go) | SuggestForImplementedRequirement and SuggestForStatement now delegate to suggestForParent. suggestForParent conditionally scopes filter resolution through ssp_profiles → profile_controls to match (control_catalog_id, control_id) when profiles are reachable, otherwise falls back to global filter_controls.control_id. |
| Parent-specific exclusion and apply flow alignment (internal/service/relational/system_component_suggestions.go) | Candidate exclusion is evaluated per (parentID,parentType) via by_components joined to system_components. applyForParent and applySuggestionForParent use suggestForParent. ensureSystemComponent now reloads the persisted row after ON CONFLICT DO NOTHING. |
| Unit test infrastructure and catalog scoping validation (internal/service/relational/system_component_suggestions_test.go) | Add scopedEvidenceQuerier for label-joined evidence lookup; extend in-memory schema with profile_controls and ssp_profiles; add seedFilterForControlInCatalog and linkSSPToProfileWithControls; add tests for catalog-scoped resolution, case-insensitive matching, global fallbacks, and parent-scoped exclusion semantics. |
| Integration test helpers and multi-requirement validation (internal/api/handler/oscal/system_security_plan_suggestions_integration_test.go) | Refactor buildFilterAndEvidence to catalog-aware buildFilterAndEvidenceInCatalog, add Catalog+Control and SSP→profile/linking helpers, introduce multi-requirement SSP/evidence builders, and add endpoint tests for ambiguous control ID scoping, bulk-apply scoping, per-requirement suggestion granularity, and SystemComponent reuse when applied to multiple requirements. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hop through profiles, catalogs, and code,

Scoping suggestions down each parent road.
Two requirements, one shared piece of seed—
Apply one link, the other's still freed.
Reused components hum — a tidy deed.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'fix: component suggestion bugs' is vague and generic, using non-specific terminology that doesn't convey meaningful information about the actual changes made. | Consider a more descriptive title that highlights the core improvement, such as 'fix: add catalog-scoped control resolution for component suggestions' or 'fix: implement per-requirement suggestion evaluation and catalog scoping'. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
@gusfcarvalho gusfcarvalho merged commit 61d8149 into main Jun 11, 2026
5 checks passed
@gusfcarvalho gusfcarvalho deleted the gc-fix-component-suggestions-bugs branch June 11, 2026 10:35
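
The catalog-scoped resolution with global fallback described in the walkthrough above, as an added Go example that is not code from this pull request or the project. The types, the ResolveFilters function and the sample data are hypothetical simplifications; the real schema and queries are not shown on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical, simplified shapes standing in for filter_controls and
// profile_controls rows; the project's real schema is not shown on the page.
type ControlRef struct{ CatalogID, ControlID string }

type Filter struct {
	Name     string
	Controls []ControlRef
}

// ResolveFilters returns the names of filters that apply to controlID.
// If the SSP's profiles expose controls (profileControls is non-empty), a
// filter matches only on a (catalog, control) pair that the profiles import.
// With no reachable profiles it falls back to a catalog-blind control ID match.
// Control IDs compare case-insensitively in both modes.
func ResolveFilters(filters []Filter, profileControls []ControlRef, controlID string) []string {
	scoped := map[string]bool{} // catalogs in which the SSP actually uses controlID
	for _, pc := range profileControls {
		if strings.EqualFold(pc.ControlID, controlID) {
			scoped[pc.CatalogID] = true
		}
	}
	var out []string
	for _, f := range filters {
		for _, c := range f.Controls {
			if !strings.EqualFold(c.ControlID, controlID) {
				continue
			}
			if len(profileControls) == 0 || scoped[c.CatalogID] {
				out = append(out, f.Name)
				break
			}
		}
	}
	return out
}

// Constructed sample data: two catalogs that both define a control "ac-1".
var sampleFilters = []Filter{
	{"mfa-evidence", []ControlRef{{"catalog-a", "AC-1"}}},
	{"door-badge-evidence", []ControlRef{{"catalog-b", "ac-1"}}},
}

func main() {
	linked := []ControlRef{{"catalog-a", "ac-1"}}
	fmt.Println(ResolveFilters(sampleFilters, linked, "ac-1")) // scoped to catalog-a
	fmt.Println(ResolveFilters(sampleFilters, nil, "ac-1"))    // global fallback, both match
}
```

The global fallback is where an ambiguous control ID can attach evidence from the wrong catalog, which is the case the PR's "ambiguous control ID scoping" tests are described as covering.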