perf(exchange): rec-driven cross-family alternatives via cached Cost Explorer recommendations

[cristim]

Summary

• Replaces the hand-curated peerFamilyGroups allowlist + per-recommendation DescribeReservedInstancesOfferings API call with a single region-scoped read against the cached AWS Cost Explorer purchase recommendations table that the scheduler already populates.
• Drops peerFamilyGroups / candidateFamilies / alternativesForTarget from pkg/exchange/reshape.go; renames OfferingLookup + AnalyzeReshapingWithOfferings → PurchaseRecLookup + AnalyzeReshapingWithRecs. The existing passesDollarUnitsCheck gate stays unchanged.
• New internal/api/exchange_lookup.go::purchaseRecLookupFromStore adapter calls store.ListStoredRecommendations(...) filtered by provider/service/region (+ optional source CloudAccount UUID for cross-account leak guard). providers/aws/services/ec2/client.go::FindConvertibleOfferings and its dedicated test file deleted (no remaining callers).
• auto.go keeps using the base AnalyzeReshaping (no alternatives, primary target only) — auto-exchange contract is preserved.

Closes #40.

Test plan

• go build ./... (all 3 modules)
• go test -race -count=1 ./... for the main module — all packages green
• go test -race -count=1 ./pkg/exchange/... — all green
• go test -race -count=1 ./providers/aws/services/ec2/... ./providers/aws/recommendations/... — green (the only pre-existing failure in providers/aws is TestAWSProvider_GetDefaultRegion and is unrelated to this refactor)
• New unit tests:
  • pkg/exchange/reshape_crossfamily_test.go: TestAnalyzeReshapingWithRecs_* (recommendation-driven, cold cache, dollar-units filter, lookup error, primary-target exclusion, legacy m4 family).
  • internal/api/exchange_lookup_test.go: region/account filter, empty-account degraded mode, no-recs cold cache, error propagation, UpfrontCost / (Term × 12) + MonthlyCost mapping.
• Integration test (build-tagged) internal/api/handler_ri_exchange_integration_test.go rewritten to seed recs into the test container's recommendations table instead of mocking FindConvertibleOfferings.
• Reshape page on the deployed Lambda URL surfaces alternatives sourced from Cost Explorer recs (verified post-deploy).

Summary by CodeRabbit

• Performance
  • Cross-family alternatives now come from cached purchase recommendations, reducing latency and external API calls.
• New Features
  • Alternatives include commitment duration (term) and enforce term-matching; same-family and primary targets are excluded and alternatives are sorted by effective monthly cost.
  • Empty region requests now adopt the resolved/configured region for correct scoping.
• Bug Fixes
  • Handler returns primary target and succeeds when no recommendations exist; account-resolution errors now abort scoped lookups.
• Refactor
  • AWS identity/config loading made more robust to avoid poisoning shared config.
• Tests
  • Expanded unit and integration tests for mapping, ordering, term behavior, region/account scoping, and caching.

[coderabbitai]

Warning

Rate limit exceeded

@cristim has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 14 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5aabb618-b0eb-4b32-a1dd-6c794386810e

📥 Commits

Reviewing files that changed from the base of the PR and between b877b80 and fa371a4.

📒 Files selected for processing (1)

• internal/api/handler_test.go

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Replaces per-recommendation EC2 offerings fan-out with a Postgres-backed purchase-recommendation lookup; maps cached Cost Explorer recommendations to exchange.OfferingOption (amortized upfront, normalization, term seconds), threads the lookup into reshape analysis, removes the peer-family allowlist and offerings API, and updates handlers/tests for rec-driven alternatives.

Changes

Cohort / File(s)	Summary
New Recommendation Lookup internal/api/exchange_lookup.go, internal/api/exchange_lookup_test.go	Adds purchaseRecLookupFromStore closure that maps store.ListStoredRecommendations → []exchange.OfferingOption via recommendationToOffering (amortize upfront cost, compute NormalizationFactor, set TermSeconds); adds resolveAWSCloudAccountID and splitInstanceType. Tests cover filter scoping, cost/term math, parsing, and error propagation.
Reshape Analysis Refactor pkg/exchange/reshape.go, pkg/exchange/reshape_crossfamily_test.go	Removes peerFamilyGroups, candidateFamilies, and OfferingLookup flow; adds PurchaseRecLookup, AnalyzeReshapingWithRecs, and TermSeconds on RIInfo/OfferingOption. Alternatives are now built from cached recs with family/primary/term filters and existing dollar-units gating. Tests adapted for lookup-driven behavior and edge cases.
Handler & Integration Updates internal/api/handler_ri_exchange.go, internal/api/handler_ri_exchange_integration_test.go, internal/api/handler.go, internal/api/exchange_lookup.go	Handler now resolves tenant-scoped AWS cloud-account UUID (resolveAWSCloudAccountID), defaults region from resolved AWS config when missing, selects page currency from first RI, exposes reshapeAccountResolver for tests, and wires purchaseRecLookupFromStore into AnalyzeReshapingWithRecs. Integration tests seed recs and validate scoped and unscoped lookup behavior.
EC2 Client Cleanup providers/aws/services/ec2/client.go, providers/aws/services/ec2/client_offerings_test.go	Removes FindConvertibleOfferings and its effectiveMonthlyCost helper; deletes unit tests that validated the removed batched DescribeReservedInstancesOfferings behavior.
Misc Handler Tests internal/api/handler_test.go	Adds regression test ensuring loadAPIKey does not poison the shared AWS config cache (loads AWS config locally per call).

Sequence Diagram(s)

sequenceDiagram
    participant H as Handler
    participant S as Store/Postgres
    participant L as PurchaseRecLookup
    participant A as AnalyzeReshapingWithRecs

    H->>H: resolveAWSCloudAccountID(ctx)
    H->>S: ListCloudAccounts(provider="aws")
    S-->>H: cloud account UUID or none

    H->>L: build purchaseRecLookupFromStore(region,currency,accountUUID)
    L-->>H: lookup closure

    H->>A: AnalyzeReshapingWithRecs(RIs, utilization, threshold, region, currency, L)
    A->>L: lookup(ctx, region, currency)
    L->>S: ListStoredRecommendations(filter: provider="aws", service="ec2", region, currency, accountIDs?)
    S-->>L: []RecommendationRecord
    L->>L: map records -> OfferingOption (amortize upfront, parse instance, set TermSeconds)
    L-->>A: []OfferingOption

    A->>A: filter offerings (exclude same-family, primary, term mismatch, $-units)
    A-->>H: ReshapeRecommendations with AlternativeTargets

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• test(api): pin reshape security paths — STS-error fail-closed + region normalization regression guards #151 — Adds tests and exercise points related to STS error handling and account/region resolution changed by resolveAWSCloudAccountID.
• audit(reshape): verify Cost-Explorer-driven cross-family alternatives match AWS RI Exchange API rules #152 — Concerns replacing peer-family allowlist with CE-backed recommendations; this PR implements that swap (purchaseRecLookupFromStore, AnalyzeReshapingWithRecs).

Possibly related PRs

• fix(security/onboarding): External ID lifecycle hardening (#126/#127/#128/#130) #146 — Overlaps on AWS caller-identity/account-resolution changes in internal/api/handler.go.

Poem

🐰 I hopped through cached recs with glee,

Amortized upfront costs set free,
No fan‑out calls across the sky,
Postgres hummed the wiser buy,
Alternatives now sail merrily.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: replacing hand-curated peer family groups with recommendation-driven alternatives sourced from cached Cost Explorer data.
Linked Issues check	✅ Passed	The pull request comprehensively addresses all coding objectives from issue #40: removed peerFamilyGroups/candidateFamilies/alternativesForTarget, implemented PurchaseRecLookup with store.ListStoredRecommendations filtering, replaced AnalyzeReshapingWithOfferings with AnalyzeReshapingWithRecs, updated handler wiring, deleted FindConvertibleOfferings, added per-instance cost normalization (divide by rec.Count), and included comprehensive unit and integration tests validating region/account/currency filtering and failure modes.
Out of Scope Changes check	✅ Passed	All changes are properly scoped to the objectives: AWS SDK signature refactoring (resolveAWSAccountID, resolveAWSCallerIdentity) is necessary for fail-closed multi-tenant safety; loadAPIKey fix prevents config cache poisoning in tests; reshapeAccountResolver injection supports hermetic testing. No unrelated features or refactorings were introduced.
Docstring Coverage	✅ Passed	Docstring coverage is 89.13% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch perf/exchange-rec-driven-alternatives

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/api/handler_ri_exchange.go (1)

227-257: ⚠️ Potential issue | 🟠 Major

Normalize region before the recommendations lookup.

Line 227 keeps the raw query-string value, so if the client omits region, loadAWSConfigWithRegion can still operate with a default AWS region while AnalyzeReshapingWithRecs receives "". That makes the store read unscoped by region and can surface alternatives from unrelated regions on the reshape page.

Suggested fix

 	region := req.QueryStringParameters["region"]
 	cfg, err := h.loadAWSConfigWithRegion(ctx, region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load AWS config: %w", err)
 	}
+	if region == "" {
+		region = cfg.Region
+	}
 
 	ec2Client := h.buildReshapeEC2Client(cfg)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/handler_ri_exchange.go` around lines 227 - 257, The handler is
using the raw query-string region value which may be empty while
loadAWSConfigWithRegion returns a concrete cfg.Region; normalize the region
after loading cfg (e.g., set resolvedRegion := region; if resolvedRegion == ""
&& cfg.Region != "" then resolvedRegion = cfg.Region) and use resolvedRegion
instead of region when calling getRIUtilizationCache().getOrFetch and
exchange.AnalyzeReshapingWithRecs (and any other downstream region-scoped calls)
so the recommendations lookup and utilization cache are scoped to the actual AWS
region returned by loadAWSConfigWithRegion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/api/exchange_lookup.go`:
- Around line 113-129: The resolver currently hides runtime failures by
returning an empty string; change resolveAWSCloudAccountID(ctx) to return
(string, error) and propagate errors up so callers can fail closed: call
resolveAWSAccountID(ctx) and if empty return ("", nil) to indicate intentionally
unregistered, but if h.config.ListCloudAccounts(...) returns an error then
return ("", err) (and if it returns zero accounts treat as a non-match with nil
error); update callers such as purchaseRecLookupFromStore to check the error
and, on a non-nil error from resolveAWSCloudAccountID, abort/return the error
rather than treating an empty string as “omit AccountIDs”; keep the matching
loop logic (comparing a.ExternalID to awsAccountID) and return the matched a.ID
on success.

In `@pkg/exchange/reshape.go`:
- Around line 67-80: The PurchaseRecLookup contract currently loses
term/duration info so AnalyzeReshapingWithRecs cannot reject term-mismatched
alternatives; change the PurchaseRecLookup signature to return OfferingOption
values that include a term/duration field (e.g., add a Term or Duration
string/int to OfferingOption) and update all callers to populate that field,
then modify AnalyzeReshapingWithRecs to filter returned OfferingOption entries
by matching term/duration before building AlternativeTargets (ensure the term
check is applied prior to amortisation/cost comparisons so AlternativeTargets
never contains incompatible-term alternatives).

---

Outside diff comments:
In `@internal/api/handler_ri_exchange.go`:
- Around line 227-257: The handler is using the raw query-string region value
which may be empty while loadAWSConfigWithRegion returns a concrete cfg.Region;
normalize the region after loading cfg (e.g., set resolvedRegion := region; if
resolvedRegion == "" && cfg.Region != "" then resolvedRegion = cfg.Region) and
use resolvedRegion instead of region when calling
getRIUtilizationCache().getOrFetch and exchange.AnalyzeReshapingWithRecs (and
any other downstream region-scoped calls) so the recommendations lookup and
utilization cache are scoped to the actual AWS region returned by
loadAWSConfigWithRegion.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 206c0346-1819-46ea-9651-e5861f2f7a28

📥 Commits

Reviewing files that changed from the base of the PR and between 006b9d3 and 1d76df7.

📒 Files selected for processing (8)

• internal/api/exchange_lookup.go
• internal/api/exchange_lookup_test.go
• internal/api/handler_ri_exchange.go
• internal/api/handler_ri_exchange_integration_test.go
• pkg/exchange/reshape.go
• pkg/exchange/reshape_crossfamily_test.go
• providers/aws/services/ec2/client.go
• providers/aws/services/ec2/client_offerings_test.go

💤 Files with no reviewable changes (2)

• providers/aws/services/ec2/client_offerings_test.go
• providers/aws/services/ec2/client.go

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

♻️ Duplicate comments (1)

internal/api/exchange_lookup.go (1)

141-143: ⚠️ Potential issue | 🔴 Critical

Fail closed when source AWS account resolution fails at runtime.

Line 141 treats unresolved account identity as ("", nil). Combined with Line 48 (AccountIDs omitted), transient STS/config failures become unscoped recommendation reads across accounts in the region.

🔧 Suggested direction

- awsAccountID := h.resolveAWSAccountID(ctx)
- if awsAccountID == "" {
-   return "", nil
- }
+ awsAccountID, err := h.resolveAWSAccountID(ctx)
+ if err != nil {
+   return "", fmt.Errorf("resolve source aws account for reshape scope: %w", err)
+ }
+ if awsAccountID == "" {
+   // keep as nil only for explicitly unsupported/unregistered mode
+   return "", nil
+ }

Also update resolveAWSAccountID to return (string, error) so STS/config failures are distinguishable from intentional “no scope” mode.

Also applies to: 48-50

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/exchange_lookup.go` around lines 141 - 143, Change
resolveAWSAccountID to return (string, error) instead of (string, nil) so
runtime STS/config failures are distinguishable from an intentional empty scope;
update the implementation to return a non-nil error when account resolution
fails, and update all call sites in exchange_lookup.go (e.g., the branch that
currently does `if awsAccountID == "" { return "", nil }` and the code around
the `AccountIDs` omission at the top of the file) to propagate the error and
fail closed (return the error up the call chain) rather than treating an empty
string as success/unscoped; ensure function signatures and any tests are updated
accordingly.

🧹 Nitpick comments (1)

pkg/exchange/reshape.go (1)

449-454: Use a fallback normalization factor in pricingGatePasses for defensive compatibility.

Line 453 uses src.NormalizationFactor directly. If a caller provides MonthlyCost but leaves NormalizationFactor unset, all alternatives are rejected even when src.InstanceType is parseable.

♻️ Suggested refactor

 func pricingGatePasses(src RIInfo, off OfferingOption, hasSrc bool) bool {
 	if !hasSrc || src.MonthlyCost <= 0 {
 		return true
 	}
-	return passesDollarUnitsCheck(src.NormalizationFactor, src.MonthlyCost, src.CurrencyCode, off)
+	srcNF := src.NormalizationFactor
+	if srcNF <= 0 {
+		_, size := parseInstanceType(src.InstanceType)
+		srcNF = NormalizationFactorForSize(size)
+	}
+	return passesDollarUnitsCheck(srcNF, src.MonthlyCost, src.CurrencyCode, off)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/exchange/reshape.go` around lines 449 - 454, pricingGatePasses currently
uses src.NormalizationFactor directly which can be zero/unset and wrongly reject
alternatives; modify pricingGatePasses to compute a fallback normalization
factor when src.NormalizationFactor <= 0 by attempting to derive it from
src.InstanceType (e.g. parse vCPU/memory or call an existing parseNormalization
helper) and if that fails default to 1.0, then pass that computed value to
passesDollarUnitsCheck instead of src.NormalizationFactor; update references to
RIInfo fields (NormalizationFactor, MonthlyCost, CurrencyCode, InstanceType) and
the call to passesDollarUnitsCheck in pricingGatePasses.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@internal/api/exchange_lookup.go`:
- Around line 141-143: Change resolveAWSAccountID to return (string, error)
instead of (string, nil) so runtime STS/config failures are distinguishable from
an intentional empty scope; update the implementation to return a non-nil error
when account resolution fails, and update all call sites in exchange_lookup.go
(e.g., the branch that currently does `if awsAccountID == "" { return "", nil }`
and the code around the `AccountIDs` omission at the top of the file) to
propagate the error and fail closed (return the error up the call chain) rather
than treating an empty string as success/unscoped; ensure function signatures
and any tests are updated accordingly.

---

Nitpick comments:
In `@pkg/exchange/reshape.go`:
- Around line 449-454: pricingGatePasses currently uses src.NormalizationFactor
directly which can be zero/unset and wrongly reject alternatives; modify
pricingGatePasses to compute a fallback normalization factor when
src.NormalizationFactor <= 0 by attempting to derive it from src.InstanceType
(e.g. parse vCPU/memory or call an existing parseNormalization helper) and if
that fails default to 1.0, then pass that computed value to
passesDollarUnitsCheck instead of src.NormalizationFactor; update references to
RIInfo fields (NormalizationFactor, MonthlyCost, CurrencyCode, InstanceType) and
the call to passesDollarUnitsCheck in pricingGatePasses.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ca274271-69c6-4985-baa2-78fef6f57ae6

📥 Commits

Reviewing files that changed from the base of the PR and between 1d76df7 and 272a175.

📒 Files selected for processing (5)

• internal/api/exchange_lookup.go
• internal/api/exchange_lookup_test.go
• internal/api/handler_ri_exchange.go
• pkg/exchange/reshape.go
• pkg/exchange/reshape_crossfamily_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• internal/api/exchange_lookup_test.go

[cristim]

Pushed f44b06567 — addresses both outstanding review items plus the nit:

CRITICAL (fail-closed on STS): resolveAWSAccountID signature changes string → (string, error). Three distinct return shapes:

• ("", nil) — AWS SDK config never loaded (Azure/GCP host) — legitimate "no scope" signal.
• ("", err) — config loaded but STS GetCallerIdentity failed — fail-closed signal for security-sensitive paths.
• (accountID, nil) — success.

resolveAWSCloudAccountID (the reshape wrapper) now propagates the STS error verbatim. Multi-tenant deploys can no longer leak alternatives across tenants on a transient STS hiccup. resolveSourceIdentity keeps best-effort semantics (drops the error explicitly with a comment) since populateSourceAccountID already fails loud on empty AccountID for the AWS-source federation case.

NIT (pricingGatePasses NF fallback): when src.NormalizationFactor <= 0, derive NF from InstanceType via NormalizationFactorForSize. Avoids silently rejecting every alternative when callers leave NF unset.

Full internal/api + pkg/exchange test suites green. Will file follow-ups for the broader tests-for-failure-paths gap and the other items raised.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

Filed four follow-up issues for items I flagged in the review but that are out of scope for this PR:

• ux(reshape): surface freshness/staleness banner when cached Cost Explorer recs are old #150 — ux(reshape): surface freshness/staleness banner when cached Cost Explorer recs are old — addresses the freshness-lag concern (cache age never surfaced to UI). Reuses the existing frontend/src/freshness.ts pattern.
• test(api): pin reshape security paths — STS-error fail-closed + region normalization regression guards #151 — test(api): pin reshape security paths — STS-error fail-closed + region normalization regression guards — adds the regression tests for the failure paths the just-pushed f44b06567 hardens but doesn't yet exercise.
• audit(reshape): verify Cost-Explorer-driven cross-family alternatives match AWS RI Exchange API rules #152 — audit(reshape): verify Cost-Explorer-driven cross-family alternatives match AWS RI Exchange API rules — one-shot audit to confirm the new alternatives set has parity with the dropped peerFamilyGroups allowlist.
• ux(reshape): rank cross-family alternatives by composite score (price + family/arch/confidence) #153 — ux(reshape): rank cross-family alternatives by composite score (price + family/arch/confidence) — adds quality signals to alternative ordering beyond price-only.

None block this PR. The CRITICAL + MAJOR + nit are all addressed in f44b06567.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

internal/api/exchange_lookup.go (1)

155-165: ⚠️ Potential issue | 🔴 Critical

Don't treat a resolved-but-unregistered AWS account as “no filter”.

Lines 160-165 still return ("", nil) on “no matching ExternalID”. purchaseRecLookupFromStore interprets that as “omit AccountIDs”, which will read every account's cached recs if other AWS accounts are already registered. The zero-row bootstrap case is fine, but a resolved non-match should fail closed or suppress alternatives.

Suggested fix

 	accounts, err := h.config.ListCloudAccounts(ctx, config.CloudAccountFilter{Provider: &provider})
 	if err != nil {
 		return "", fmt.Errorf("list cloud accounts for reshape scope: %w", err)
 	}
+	if len(accounts) == 0 {
+		return "", nil
+	}
 	for _, a := range accounts {
 		if a.ExternalID == awsAccountID {
 			return a.ID, nil
 		}
 	}
-	return "", nil
+	return "", fmt.Errorf("source aws account %q is not registered", awsAccountID)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/exchange_lookup.go` around lines 155 - 165, The code currently
returns ("", nil) when an awsAccountID is resolved but no matching
account.ExternalID is found, which causes purchaseRecLookupFromStore to treat
this as "no filter" and query all accounts; instead, in the function that calls
h.config.ListCloudAccounts (the block using awsAccountID, provider, and
config.CloudAccountFilter), return a non-nil error when a resolved awsAccountID
does not match any account.ExternalID so callers (e.g.,
purchaseRecLookupFromStore) can fail closed or suppress alternatives; update the
return to something like fmt.Errorf("aws account %s not registered",
awsAccountID) and propagate that error to prevent omitting AccountIDs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/api/handler.go`:
- Around line 496-503: The current resolveAWSAccountID swallows all
awsconfig.LoadDefaultConfig errors by returning ("", nil); change it to only
ignore the error if the host is not AWS using sourceCloud(), and otherwise
return the load error so AWS-hosted deployments fail closed. Specifically,
inside Handler.resolveAWSAccountID (the block that sets h.awsCfg and h.awsCfgErr
via h.awsCfgOnce), after checking h.awsCfgErr use sourceCloud() to determine the
runtime cloud: if sourceCloud(ctx) indicates non-AWS return ("", nil) as before,
otherwise return ("", h.awsCfgErr) so callers like resolveAWSCloudAccountID can
handle real AWS config failures; keep existing h.awsCfg and awsCfgOnce usage
unchanged.

---

Duplicate comments:
In `@internal/api/exchange_lookup.go`:
- Around line 155-165: The code currently returns ("", nil) when an awsAccountID
is resolved but no matching account.ExternalID is found, which causes
purchaseRecLookupFromStore to treat this as "no filter" and query all accounts;
instead, in the function that calls h.config.ListCloudAccounts (the block using
awsAccountID, provider, and config.CloudAccountFilter), return a non-nil error
when a resolved awsAccountID does not match any account.ExternalID so callers
(e.g., purchaseRecLookupFromStore) can fail closed or suppress alternatives;
update the return to something like fmt.Errorf("aws account %s not registered",
awsAccountID) and propagate that error to prevent omitting AccountIDs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7c3710fc-ef99-406a-83e3-fcbae4c243f6

📥 Commits

Reviewing files that changed from the base of the PR and between 272a175 and f44b065.

📒 Files selected for processing (3)

• internal/api/exchange_lookup.go
• internal/api/handler.go
• pkg/exchange/reshape.go

[cristim]

Rebased onto current feat/multicloud-web-frontend (PRs #81, #142, #146 merged today). Resolved the conflict in internal/api/handler.go by integrating both changes: resolveAWSCallerIdentity(ctx) (accountID, partition string, err error) — keeps the AWS GovCloud/China partition logic from #146 and adds the fail-closed error propagation from this PR. Tests green on both internal/api and pkg/exchange after rebase. Force-with-lease push only — no commits dropped or reordered.

[cristim]

@coderabbitai review

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/api/handler_ri_exchange_integration_test.go (1)

63-75: ⚠️ Potential issue | 🟠 Major

Don't hard-wire the unscoped recommendations path in the shared helper.

reshapeAccountResolver always returning "" means every integration test skips AccountIDs filtering. A regression in the scoped lookup would still go green here, even though cross-account isolation is one of the behaviors this PR hardens. Please make the helper accept a resolver override and add one scoped-account case that proves only the resolved tenant's recommendations are returned.

Possible helper tweak

-func buildReshapeHandler(store *config.PostgresStore, ec2Fake *fakeReshapeEC2, recsFake *fakeReshapeRecs) *Handler {
+func buildReshapeHandler(
+	store *config.PostgresStore,
+	ec2Fake *fakeReshapeEC2,
+	recsFake *fakeReshapeRecs,
+	resolveAccount func(context.Context) (string, error),
+) *Handler {
+	if resolveAccount == nil {
+		resolveAccount = func(_ context.Context) (string, error) { return "", nil }
+	}
 	h := &Handler{
 		config:             store,
 		auth:               &mockAuthForExchange{},
 		apiKey:             "test-api-key",
 		reshapeEC2Factory:  func(_ aws.Config) reshapeEC2Client { return ec2Fake },
 		reshapeRecsFactory: func(_ aws.Config) reshapeRecsClient { return recsFake },
-		reshapeAccountResolver: func(_ context.Context) (string, error) { return "", nil },
+		reshapeAccountResolver: resolveAccount,
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/handler_ri_exchange_integration_test.go` around lines 63 - 75,
The helper buildReshapeHandler always sets reshapeAccountResolver to return ""
causing all tests to exercise the unscoped path; update buildReshapeHandler (the
Handler construction) to accept a reshapeAccountResolver override parameter
(e.g., resolver func(context.Context)(string,error)) and use that instead of the
hard-coded lambda, then add at least one integration test that passes a resolver
returning a specific tenant/cloud-account ID and asserts that reshape
recommendations returned by the Handler are filtered to that account only
(verifying scoped lookup behavior).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/api/handler_ri_exchange_integration_test.go`:
- Around line 119-126: The test's seeded same-family record uses the identical
size as the primary target (m5.large), so it doesn't prove the family-exclusion
logic; update the seed in seedRecsForRegion to use a different size within the
same family (e.g., change the same-family entry from "m5.large" to "m5.2xlarge"
in the RecommendationRecord) and add/assert that this m5.* record is not present
in the cross-family alternatives returned by the handler (repeat the same change
for the other occurrence around lines 149-155) to ensure the same-family filter
is independently validated.

In `@internal/api/handler.go`:
- Around line 552-570: In resolveAWSCallerIdentity, short-circuit non-AWS hosts
before any AWS SDK work: at the top of the function check sourceCloud() != "aws"
and immediately return "", "", nil so you do not call h.awsCfgOnce.Do /
awsconfig.LoadDefaultConfig, create an sts client, or call GetCallerIdentity on
non-AWS deployments; keep existing handling of h.awsCfgErr and the
sts.GetCallerIdentity error path for actual AWS hosts (references:
resolveAWSCallerIdentity, h.awsCfgOnce, h.awsCfgErr,
awsconfig.LoadDefaultConfig, sts.NewFromConfig, GetCallerIdentity, sourceCloud).

---

Outside diff comments:
In `@internal/api/handler_ri_exchange_integration_test.go`:
- Around line 63-75: The helper buildReshapeHandler always sets
reshapeAccountResolver to return "" causing all tests to exercise the unscoped
path; update buildReshapeHandler (the Handler construction) to accept a
reshapeAccountResolver override parameter (e.g., resolver
func(context.Context)(string,error)) and use that instead of the hard-coded
lambda, then add at least one integration test that passes a resolver returning
a specific tenant/cloud-account ID and asserts that reshape recommendations
returned by the Handler are filtered to that account only (verifying scoped
lookup behavior).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9af3d361-3262-4c5f-8f09-787d9eb2d9f6

📥 Commits

Reviewing files that changed from the base of the PR and between 1593007 and 62667c8.

📒 Files selected for processing (4)

• internal/api/exchange_lookup.go
• internal/api/handler.go
• internal/api/handler_ri_exchange.go
• internal/api/handler_ri_exchange_integration_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• internal/api/handler_ri_exchange.go
• internal/api/exchange_lookup.go

[cristim]

CodeRabbit pass-5 follow-up — both findings addressed.

Finding 1 (9d1cba173): Added TestLoadAPIKey_DoesNotPoisonSharedAWSConfigCache to lock in commit 62667c8d2's fix. The test asserts logical isolation rather than provoking a LoadDefaultConfig failure (which rarely errs — credential failures surface later at the SDK call). Two halves per subtest: h.awsCfgErr stays nil regardless of loadAPIKey's outcome, and h.awsCfgOnce is still virgin afterwards (verified with a sentinel sync.Once.Do trick — Do only runs the func if it hasn't been called, so if loadAPIKey had touched the shared Once, the sentinel would no-op). Two table-style subtests cover both code paths (empty-ARN short-circuit, and non-empty ARN that goes through awsconfig.LoadDefaultConfig); AWS env vars are pinned via t.Setenv to keep CI deterministic without ambient credentials. If a future refactor reintroduces h.awsCfgOnce.Do inside loadAPIKey, the second subtest fails on the fired assertion — preventing the multi-tenant reshape scope filter from being permanently broken by a transient cold-start AWS config failure.

Finding 2 (e775264db): Added TestReshapeRecommendations_Integration_ScopedAccount_FiltersToAccount. The existing reshape integration tests all wired reshapeAccountResolver to ("", nil), so only the unscoped "no AccountIDs filter" path had coverage. The scoped branch — the multi-tenant cross-account leak guard — was untested. The new test seeds two CloudAccounts (Tenant A + Tenant B) and one cross-family rec per tenant in the same region (A's c5.large, B's r5.large, each tagged with its account UUID), overrides h.reshapeAccountResolver to return Tenant A's UUID (production-equivalent of resolveAWSCloudAccountID returning a registered match), and asserts the response surfaces only c5.large in alternatives — never r5.large. Also tightens the existing EndToEnd test's same-family seed: was m5.large (same SIZE as the primary target, which trivial exact-match dedupe would also strip), now m5.2xlarge (different size, exercising the FAMILY-exclusion contract that's actually under test) with an independent regression-guard loop that asserts no m5.* of any size leaks through.

@coderabbitai review

[coderabbitai]

@cristim: Both pass-5 findings look well addressed:

• Finding 1 (9d1cba173): The sync.Once sentinel approach is a clean way to assert that loadAPIKey never touches h.awsCfgOnce — it will catch any future regression that reintroduces shared-cache writes without requiring a LoadDefaultConfig failure to be induced artificially. Pinning t.Setenv for AWS env vars is good practice for CI determinism.

• Finding 2 (e775264db): Seeding two tenants with distinct account-scoped recs and asserting strict per-tenant isolation closes the previously untested multi-tenant leak path. The EndToEnd seed tightening from m5.large → m5.2xlarge is a meaningful improvement — it now exercises family-exclusion rather than relying on exact-match deduplication as a side effect.

Triggering review of the new commits now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

internal/api/handler_test.go (1)

91-137: Make this regression test hermetic.

The test still exercises the real AWS credential/provider chain and Secrets Manager client, so it can vary with ambient profiles or IMDS and become flaky on some CI hosts. Consider disabling metadata lookup explicitly or injecting a stubbed AWS seam so the test only verifies the shared-cache contract.

Suggested tweak

 t.Setenv("AWS_REGION", "us-east-1")
+t.Setenv("AWS_EC2_METADATA_DISABLED", "true")
 t.Setenv("AWS_ACCESS_KEY_ID", "")
 t.Setenv("AWS_SECRET_ACCESS_KEY", "")
 t.Setenv("AWS_SESSION_TOKEN", "")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/handler_test.go` around lines 91 - 137, The test is still
hitting the real AWS provider chain; make it hermetic by disabling metadata
lookups and/or injecting a fake Secrets Manager: in the test set
AWS_EC2_METADATA_DISABLED="true" (alongside the existing AWS_* env vars) to stop
IMDS lookups, and refactor the Handler to accept an injectable secrets-fetch
seam (e.g., a SecretsClient interface or a loadSecretFunc) used by loadAPIKey so
tests can pass a stub that simulates failures without calling AWS; update the
test to construct Handler with the stubbed client when invoking
Handler.loadAPIKey(secretsARN) to verify the shared-cache behavior
deterministically.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@internal/api/handler_test.go`:
- Around line 91-137: The test is still hitting the real AWS provider chain;
make it hermetic by disabling metadata lookups and/or injecting a fake Secrets
Manager: in the test set AWS_EC2_METADATA_DISABLED="true" (alongside the
existing AWS_* env vars) to stop IMDS lookups, and refactor the Handler to
accept an injectable secrets-fetch seam (e.g., a SecretsClient interface or a
loadSecretFunc) used by loadAPIKey so tests can pass a stub that simulates
failures without calling AWS; update the test to construct Handler with the
stubbed client when invoking Handler.loadAPIKey(secretsARN) to verify the
shared-cache behavior deterministically.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e0c3896a-e413-41d9-ac4a-8fc863289ada

📥 Commits

Reviewing files that changed from the base of the PR and between 62667c8 and e775264.

📒 Files selected for processing (2)

• internal/api/handler_ri_exchange_integration_test.go
• internal/api/handler_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• internal/api/handler_ri_exchange_integration_test.go

[cristim]

Pushed b877b80cf — addresses CodeRabbit pass-6 inline finding 1 (resolveAWSCallerIdentity short-circuit). Non-AWS hosts now skip LoadDefaultConfig + STS entirely; AWS hosts continue to fail closed on broken SDK config.

Combined with the concurrent session's e775264db (scoped-account integration test + same-family m5.2xlarge seed) and 9d1cba173 (loadAPIKey regression test), all CodeRabbit findings from passes 5 and 6 should now be addressed.

The buildReshapeHandler signature refactor CodeRabbit suggested isn't applied — e775264db instead added the scoped-branch test by overriding h.reshapeAccountResolver directly post-construction, which closes the underlying coverage gap (the MAJOR's actual ask) without the helper-arg shape change.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

Pushed fa371a42c — applies the CodeRabbit nitpick by setting AWS_EC2_METADATA_DISABLED=true in the loadAPIKey regression test. Skipped the deeper SecretsClient injection seam suggestion — that's a wider refactor than the regression test needs, and IMDS-disable plus the existing zero-credential env vars is enough to make the test deterministic.

All CodeRabbit findings from passes 1–7 should now be addressed.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.