feat: whitelist ocm config types

[frewilhelm]

What this PR does / why we need it

The OCM configuration can be used to change OCMs behaviour drastically. To ensure no malicious activities can be done on the controllers, we want to whitelist for certain OCM configurations.

Which issue(s) this PR fixes

Fixes open-component-model/ocm-project#628

Summary by CodeRabbit

• New Features

  • Introduced allowlist-based filtering for OCM configuration entries, enabling selective configuration type retention.
  • Added automatic removal of deprecated configuration fields for improved compatibility.

• Improvements

  • Enhanced configuration processing for credentials integration.
  • Expanded test coverage for configuration filtering behavior across various entry types and scenarios.

• Chores

  • Updated Go module dependencies.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This change implements a whitelist-based filtering mechanism for OCM configuration entries. It introduces allowlist validation to retain only credentials.config.ocm.software and resolvers.config.ocm.software entries, filters out deprecated Aliases fields from ocm.config.ocm.software entries, updates configuration conversion logic, and adds comprehensive test coverage for the new filtering behavior.

Changes

Cohort / File(s)	Summary
Configuration Filtering Implementation kubernetes/controller/internal/configuration/config.go	Added allowedConfigTypes and ocmConfigTypes allowlists; implemented filterAllowedConfigTypes() to enforce type filtering, strip deprecated Aliases fields from ocm.config.ocm.software entries via OCM v1 spec conversion, and log dropped types at verbosity level 1; integrated filtering into LoadConfigurations post-flattening; updated docker-credentials conversion to use credentialsv1spec instead of credentialsv1.
Configuration Test Suite kubernetes/controller/internal/configuration/config_test.go	Updated test fixtures with credentials.config.ocm.software/v1 and resolvers.config.ocm.software/v1alpha1 entries; refactored TestLoadConfigurationsInOrder to reduce inline JSON duplication via shared secret objects; added credentialsConfigJSON() helper; introduced comprehensive TestFilterAllowedConfigTypes test suite validating nil handling, allowlist enforcement, alias stripping, and logging at V(1).
Integration Test Updates kubernetes/controller/internal/setup/integration_test.go	Replaced plugin.config.ocm.software/v1 test data with resolvers.config.ocm.software/v1alpha1 entry; updated assertion message and maintained total configuration count at 2.
Dependency Updates kubernetes/controller/go.mod	Bumped ocm.software/open-component-model/bindings/go/configuration from v0.0.11 to v0.0.12; bumped indirect go.yaml.in/yaml/v2 from v2.4.3 to v2.4.4.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested reviewers

• Skarlso
• matthiasbruns

Poem

🐰 A whitelist bounds the config's way,
Credentials and resolvers stay,
Old Aliases stripped clean and neat,
Security's task, now complete!
Hopping toward safety, bright and true. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat: whitelist ocm config types' accurately summarizes the main change: introducing an allowlist-based filtering layer for OCM configuration entries.
Linked Issues check	✅ Passed	The code changes fully implement issue #628 requirements: whitelist filtering for credentials.config.ocm.software and ocm.config.ocm.software, alias stripping for ocm.config entries, comprehensive unit and integration tests, and dependency updates.
Out of Scope Changes check	✅ Passed	All code changes directly support the whitelist filtering objective; the docker-credentials-to-OCM conversion update aligns with filtering requirements, and the dependency bump supports the new filtering functionality.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[frewilhelm]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (3)

kubernetes/controller/internal/configuration/config.go (2)

64-75: Consider using slices.Contains for type checking.

The library's genericv1.Filter function uses slices.Contains for type matching. Using the same pattern here would improve consistency and reduce boilerplate.

♻️ Simplified type check using slices.Contains

+import "slices"
+
 // ...
 
-	for i, entry := range filtered.Configurations {
-		entryType := entry.GetType()
-		isOCMConfig := false
-		for _, t := range ocmConfigTypes {
-			if entryType == t {
-				isOCMConfig = true
-				break
-			}
-		}
-		if !isOCMConfig {
+	for i, entry := range filtered.Configurations {
+		if !slices.Contains(ocmConfigTypes, entry.GetType()) {
 			continue
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/configuration/config.go` around lines 64 - 75,
Replace the manual loop used to check whether entry.GetType() is one of
ocmConfigTypes with slices.Contains to match the pattern used by
genericv1.Filter: call slices.Contains(ocmConfigTypes, entryType) instead of the
for-loop and isOCMConfig flag, and add the "slices" import if not already
present; update the block that iterates over filtered.Configurations and
references entry.GetType() accordingly.

---

48-52: Consider adding nil-check for defensive safety.

If genericv1.FlatMap returns nil (which can happen in certain edge cases based on the library implementation), genericv1.Filter will panic on config.Type access.

🛡️ Proposed fix to add nil guard

 func filterAllowedConfigTypes(cfg *genericv1.Config) (*genericv1.Config, error) {
+	if cfg == nil {
+		return nil, nil
+	}
 	filtered, err := genericv1.Filter(cfg, &genericv1.FilterOptions{ConfigTypes: allowedConfigTypes})
 	if err != nil {
 		return nil, fmt.Errorf("failed to filter config types: %w", err)
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/configuration/config.go` around lines 48 - 52,
filterAllowedConfigTypes can panic if genericv1.FlatMap returns nil because
genericv1.Filter will access config.Type; before calling genericv1.Filter, call
genericv1.FlatMap(cfg) (or inspect cfg.FlatMap result if available), check that
the returned map/slice is not nil and that entries are non-nil (and have a valid
Type), and if it is nil return a clear error (e.g. fmt.Errorf("empty config
map")) or an empty filtered config; update filterAllowedConfigTypes to perform
this nil-guard around the FlatMap result before invoking genericv1.Filter,
referencing filterAllowedConfigTypes, genericv1.FlatMap, genericv1.Filter, and
allowedConfigTypes.

kubernetes/controller/internal/configuration/config_test.go (1)

664-671: Minor: Test name could be more precise.

The test is named "nil config returns nil configurations" but it actually tests an empty Configurations slice, not a nil *genericv1.Config. Consider renaming to "empty config returns empty configurations" for clarity.

📝 Suggested rename

-	t.Run("nil config returns nil configurations", func(t *testing.T) {
+	t.Run("empty config returns empty configurations", func(t *testing.T) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/configuration/config_test.go` around lines 664
- 671, The test name is misleading: the t.Run case "nil config returns nil
configurations" actually constructs an empty genericv1.Config and verifies an
empty Configurations slice; rename the test case string to "empty config returns
empty configurations" to reflect intent, keeping the body unchanged (the test
uses cfg := &genericv1.Config{...} and calls filterAllowedConfigTypes), so
update only the t.Run description to the suggested name.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@kubernetes/controller/internal/configuration/config_test.go`:
- Around line 664-671: The test name is misleading: the t.Run case "nil config
returns nil configurations" actually constructs an empty genericv1.Config and
verifies an empty Configurations slice; rename the test case string to "empty
config returns empty configurations" to reflect intent, keeping the body
unchanged (the test uses cfg := &genericv1.Config{...} and calls
filterAllowedConfigTypes), so update only the t.Run description to the suggested
name.

In `@kubernetes/controller/internal/configuration/config.go`:
- Around line 64-75: Replace the manual loop used to check whether
entry.GetType() is one of ocmConfigTypes with slices.Contains to match the
pattern used by genericv1.Filter: call slices.Contains(ocmConfigTypes,
entryType) instead of the for-loop and isOCMConfig flag, and add the "slices"
import if not already present; update the block that iterates over
filtered.Configurations and references entry.GetType() accordingly.
- Around line 48-52: filterAllowedConfigTypes can panic if genericv1.FlatMap
returns nil because genericv1.Filter will access config.Type; before calling
genericv1.Filter, call genericv1.FlatMap(cfg) (or inspect cfg.FlatMap result if
available), check that the returned map/slice is not nil and that entries are
non-nil (and have a valid Type), and if it is nil return a clear error (e.g.
fmt.Errorf("empty config map")) or an empty filtered config; update
filterAllowedConfigTypes to perform this nil-guard around the FlatMap result
before invoking genericv1.Filter, referencing filterAllowedConfigTypes,
genericv1.FlatMap, genericv1.Filter, and allowedConfigTypes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c6264cc6-c33c-45a0-ae2b-742e51bd9abd

📥 Commits

Reviewing files that changed from the base of the PR and between 9901759 and d75fa7b.

📒 Files selected for processing (3)

• kubernetes/controller/internal/configuration/config.go
• kubernetes/controller/internal/configuration/config_test.go
• kubernetes/controller/internal/setup/integration_test.go

[frewilhelm]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (2)

kubernetes/controller/internal/configuration/config_test.go (2)

651-789: Add an explicit nil-config test case for filterAllowedConfigTypes.

The suite is comprehensive, but nil-input behavior isn’t asserted yet. Since nil handling was recently touched, codifying it here would lock in expected behavior.

Proposed test addition

 func TestFilterAllowedConfigTypes(t *testing.T) {
+	t.Run("nil config is handled", func(t *testing.T) {
+		result, err := filterAllowedConfigTypes(nil)
+		require.NoError(t, err)
+		assert.Nil(t, result)
+	})
+
 	makeGenericConfig := func(entries ...string) *genericv1.Config {
 		cfg := &genericv1.Config{
 			Type: ocmruntime.Type{Version: genericv1.Version, Name: genericv1.ConfigType},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/configuration/config_test.go` around lines 651
- 789, Add a new subtest inside TestFilterAllowedConfigTypes that passes a nil
*genericv1.Config to filterAllowedConfigTypes and asserts it returns no error
and an empty (or nil) Configurations slice; call filterAllowedConfigTypes(nil),
require.NoError(t, err) and require.Empty(t, result.Configurations) (or allow
nil), referencing the existing test harness in TestFilterAllowedConfigTypes and
the function filterAllowedConfigTypes to locate where to add this case.

---

439-444: Consider extracting a fixture helper for repeated credential JSON.

These blocks are repeated with minor value changes. A small helper (e.g., host order input → JSON output) would reduce noise and future update risk.

Also applies to: 459-464, 517-522, 537-542, 595-600, 616-621

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/configuration/config_test.go` around lines 439
- 444, The test file contains repeated credential JSON blocks (e.g., the inline
objects with "type": "credentials.config.ocm.software/v1" and "consumers":
[{"identities": [{"hostname": "registry-a.io"}], "credentials": []}]) across
multiple cases; extract a small fixture helper (e.g., buildCredentialsJSON or
makeCredentialsFixture that accepts host(s) or host-order and returns the
corresponding JSON string/object) in config_test.go and replace the duplicated
literal blocks with calls to that helper; update tests that currently embed the
repeated snippets (the blocks shown in the diff and the other repeated
occurrences) to use the helper so future edits only change the generator, not
every test occurrence.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@kubernetes/controller/internal/configuration/config_test.go`:
- Around line 651-789: Add a new subtest inside TestFilterAllowedConfigTypes
that passes a nil *genericv1.Config to filterAllowedConfigTypes and asserts it
returns no error and an empty (or nil) Configurations slice; call
filterAllowedConfigTypes(nil), require.NoError(t, err) and require.Empty(t,
result.Configurations) (or allow nil), referencing the existing test harness in
TestFilterAllowedConfigTypes and the function filterAllowedConfigTypes to locate
where to add this case.
- Around line 439-444: The test file contains repeated credential JSON blocks
(e.g., the inline objects with "type": "credentials.config.ocm.software/v1" and
"consumers": [{"identities": [{"hostname": "registry-a.io"}], "credentials":
[]}]) across multiple cases; extract a small fixture helper (e.g.,
buildCredentialsJSON or makeCredentialsFixture that accepts host(s) or
host-order and returns the corresponding JSON string/object) in config_test.go
and replace the duplicated literal blocks with calls to that helper; update
tests that currently embed the repeated snippets (the blocks shown in the diff
and the other repeated occurrences) to use the helper so future edits only
change the generator, not every test occurrence.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0ba744ee-2b0f-4329-aa59-370128692868

📥 Commits

Reviewing files that changed from the base of the PR and between d75fa7b and 6d4fa35.

📒 Files selected for processing (2)

• kubernetes/controller/internal/configuration/config.go
• kubernetes/controller/internal/configuration/config_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• kubernetes/controller/internal/configuration/config.go

[frewilhelm]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

kubernetes/controller/internal/configuration/config.go (1)

59-62: Consider moving ocmConfigTypes to package level.

This slice is recreated on every call to filterAllowedConfigTypes. Since it's a constant set of values, it could be defined alongside allowedConfigTypes for a minor efficiency gain.

♻️ Suggested refactor

 var allowedConfigTypes = []runtime.Type{
 	// credentials
 	runtime.NewVersionedType(credentialsv1spec.ConfigType, credentialsv1spec.Version),
 	runtime.NewUnversionedType(credentialsv1spec.ConfigType),
 	// legacy fallback resolvers
 	runtime.NewVersionedType(ocmconfigv1spec.ConfigType, ocmconfigv1spec.Version),
 	runtime.NewUnversionedType(ocmconfigv1spec.ConfigType),
 	// path-matcher resolvers (v1alpha1)
 	runtime.NewVersionedType(resolversv1alpha1spec.ConfigType, resolversv1alpha1spec.Version),
 	runtime.NewUnversionedType(resolversv1alpha1spec.ConfigType),
 }

+// ocmConfigTypes are the types that may contain the deprecated Aliases field.
+var ocmConfigTypes = []runtime.Type{
+	runtime.NewVersionedType(ocmconfigv1spec.ConfigType, ocmconfigv1spec.Version),
+	runtime.NewUnversionedType(ocmconfigv1spec.ConfigType),
+}

Then in filterAllowedConfigTypes, remove lines 59-62 and use the package-level variable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/configuration/config.go` around lines 59 - 62,
Move the locally-constructed slice ocmConfigTypes out of
filterAllowedConfigTypes and declare it at package level alongside
allowedConfigTypes (e.g., var ocmConfigTypes = []runtime.Type{...} using
runtime.NewVersionedType(...), runtime.NewUnversionedType(...)); then remove the
creation lines from filterAllowedConfigTypes and reference the package-level
ocmConfigTypes there so the constant set of types is reused instead of recreated
on every call.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@kubernetes/controller/internal/configuration/config.go`:
- Around line 59-62: Move the locally-constructed slice ocmConfigTypes out of
filterAllowedConfigTypes and declare it at package level alongside
allowedConfigTypes (e.g., var ocmConfigTypes = []runtime.Type{...} using
runtime.NewVersionedType(...), runtime.NewUnversionedType(...)); then remove the
creation lines from filterAllowedConfigTypes and reference the package-level
ocmConfigTypes there so the constant set of types is reused instead of recreated
on every call.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a105d65a-c3ec-4038-8a99-1a74d183c393

📥 Commits

Reviewing files that changed from the base of the PR and between 6d4fa35 and 589260c.

📒 Files selected for processing (2)

• kubernetes/controller/internal/configuration/config.go
• kubernetes/controller/internal/configuration/config_test.go

[frewilhelm]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

kubernetes/controller/internal/configuration/config.go (1)

61-74: Consider surfacing how many config entries were dropped by the allowlist.

Silent dropping is good for safety, but a debug/info metric or log of drop count/type would improve incident triage and explain “missing config” behavior during operations.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/configuration/config.go` around lines 61 - 74,
The code silently skips configurations not in the ocmConfigTypes allowlist (loop
over filtered.Configurations using slices.Contains(ocmConfigTypes,
entry.GetType())), which makes dropped entries invisible; update the loop to
count and log (or emit a metric) the number of skipped entries by type before
returning so operators can see how many/which config entries were dropped—e.g.,
maintain a map[string]int droppedByType, increment it when an entry is skipped,
and after the loop call the logger/metrics exporter with the aggregate
(reference filtered.Configurations, entry.GetType(), ocmConfigTypes, and
slices.Contains).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@kubernetes/controller/internal/configuration/config.go`:
- Around line 61-74: The code silently skips configurations not in the
ocmConfigTypes allowlist (loop over filtered.Configurations using
slices.Contains(ocmConfigTypes, entry.GetType())), which makes dropped entries
invisible; update the loop to count and log (or emit a metric) the number of
skipped entries by type before returning so operators can see how many/which
config entries were dropped—e.g., maintain a map[string]int droppedByType,
increment it when an entry is skipped, and after the loop call the
logger/metrics exporter with the aggregate (reference filtered.Configurations,
entry.GetType(), ocmConfigTypes, and slices.Contains).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2f123c27-4d9b-42ec-b418-4387c94e6071

📥 Commits

Reviewing files that changed from the base of the PR and between 589260c and 745bfd1.

📒 Files selected for processing (1)

• kubernetes/controller/internal/configuration/config.go

[frewilhelm]

@coderabbitai The last finding is not accurate. The loop at L71–87 is not a loop that skips disallowed config types — it only iterates over entries that have already passed the allowlist filter (via genericv1.Filter on L61). The !slices.Contains(ocmConfigTypes, entry.GetType()) check on L72 is simply selecting which of the already-allowed entries are ocm.config.ocm.software entries that need their Aliases field stripped. Entries that don't match that subset are correctly left unchanged via continue — they are not dropped.

The actual dropping of disallowed types happens inside genericv1.Filter on L61, which is a library call. The loop does not silently drop anything; entries that continue past the ocmConfigTypes check are still present in filtered.Configurations and returned at L89.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@frewilhelm You're absolutely right, and I apologize for the inaccurate finding. The logic is clear upon closer reading:

1. genericv1.Filter at L61 is the sole mechanism for dropping disallowed config types.
2. The loop at L71–87 operates only on the already-filtered set; the !slices.Contains(ocmConfigTypes, entry.GetType()) guard at L72 simply skips alias-stripping for entries that aren't ocm.config.ocm.software — those entries remain untouched in filtered.Configurations and are returned normally at L89.
3. continue inside that loop does not drop any entries; it only bypasses the alias-stripping branch.

I'll record this for future reviews.

---

✏️ Learnings added

Learnt from: frewilhelm
URL: https://github.com/open-component-model/open-component-model/pull/1998

Timestamp: 2026-03-17T09:20:29.169Z
Learning: In `kubernetes/controller/internal/configuration/config.go` (open-component-model/open-component-model PR `#1998`), inside `filterAllowedConfigTypes`, the loop at L71–87 iterates only over entries that have already passed the allowlist filter via `genericv1.Filter` at L61. The `!slices.Contains(ocmConfigTypes, entry.GetType())` check at L72 selects which of those already-allowed entries are `ocm.config.ocm.software` entries requiring their `Aliases` field to be stripped. Entries that do not match this subset are left unchanged in `filtered.Configurations` (the `continue` does not drop them). The actual removal of disallowed config types is performed exclusively by the `genericv1.Filter` library call at L61.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: matthiasbruns
Repo: open-component-model/open-component-model PR: 1943
File: kubernetes/controller/internal/cel/functions/oci.go:149-159
Timestamp: 2026-03-11T12:29:15.764Z
Learning: In `kubernetes/controller/internal/cel/functions/oci.go` (open-component-model/open-component-model), the `extractImageReference` function intentionally falls through (rather than returning an error) when `m["globalAccess"]` is present but is not a `map[string]any`. This is by design because `globalAccess` is optional and `referenceName` is the more commonly used fallback path. Do not flag the silent fall-through on a non-object `globalAccess` as a bug.

---

Learnt from: morri-son
Repo: open-component-model/open-component-model PR: 1900
File: .github/workflows/kubernetes-controller.yml:431-436
Timestamp: 2026-03-05T18:57:29.740Z
Learning: In `.github/workflows/kubernetes-controller.yml` (open-component-model/open-component-model PR `#1900`), the reusable workflow `.github/workflows/publish-ocm-component-version.yml` is intentionally absent from this PR. It is being introduced in a separate PR (referenced as PR `#1901`). Do not flag the missing file as a blocking issue in reviews of PR `#1900`.

[piotrjanik]

minor comments, LGTM in general

[Skarlso]

LGTM after the notification change that the config was dropped. :)

[frewilhelm]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[frewilhelm]

Successfully tested for the ApeiroShowroom

[matthiasbruns]

some improvements, logic LGTM

[matthiasbruns]

lgtm :)