env(dev): enable SpaceRequestController #1286

Merged
openshift-merge-bot[bot] merged 2 commits into codeready-toolchain:master from xcoulon:dev-env-enable-space-requests
Jun 17, 2026
xcoulon commented Jun 17, 2026 (Contributor)

Enabled by default since we now support SpaceRequests on staging and prod for OpenClaw

so I don't have to patch the config on my temp cluster every time I need to do some testing ;)

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

Summary by CodeRabbit

  • New Features
    • Added space configuration controls to enable space requests by default while disabling space binding request functionality.
  • Security / Maintenance
    • Updated vulnerability scanning suppression settings to extend the silence window and include additional known issues with reference links.

Enabled by default since we now support SpaceRequests on staging and prod for OpenClaw

so I don't have to patch the config on my temp cluster every time I need to do some testing ;)

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
openshift-ci Bot requested review from fbm3307 and rajivnathan June 17, 2026 07:21

coderabbitai Bot commented Jun 17, 2026
Walkthrough

A new spec.host.spaceConfig block is added to the dev ToolchainConfig manifest with space binding and space request settings. Separately, vulnerability silence-until dates are extended to 2026-07-17 for existing entries, and four new vulnerability entries are added to the govulncheck configuration.

Changes

ToolchainConfig space configuration

| Layer / File(s) | Summary |
|---|---|
| Add spaceConfig to dev ToolchainConfig (deploy/host-operator/dev/toolchainconfig.yaml) | Adds spec.host.spaceConfig with spaceBindingRequestEnabled: false and spaceRequestEnabled: true. |

Vulnerability silence management

| Layer / File(s) | Summary |
|---|---|
| Update silence-until dates (.govulncheck.yaml) | Extends the silence-until date from 2026-06-18 to 2026-07-17 for existing ignored vulnerabilities GO-2026-4601 through GO-2026-4971. |
| Add new vulnerability entries (.govulncheck.yaml) | Adds four new ignored vulnerability entries (GO-2026-5026, GO-2026-5037, GO-2026-5038, GO-2026-5039) with silence-until set to 2026-07-17. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main objective of enabling SpaceRequestController in the development environment configuration, which is the primary change described in the PR objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot added the chore Routine repo or tooling maintenance label Jun 17, 2026
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.govulncheck.yaml:
- Line 7: Rather than extending the silence-until date in the govulncheck
configuration, update the project dependencies to address the actual
vulnerabilities. Update the Go version from 1.24.4 to at least 1.25.8 or later
(to fix stdlib vulnerabilities) and upgrade golang.org/x/net from v0.47.0 to
v0.53.0 or later (to fix golang.org/x/net vulnerabilities). After updating these
dependencies, re-run the vulnerability check and then modify the silence-until
field based on the actual vulnerability status, or remove it entirely if all
vulnerabilities are resolved.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 94b61486-b5f5-465b-b39f-0061e43654ef

📥 Commits

Reviewing files that changed from the base of the PR and between 87aefb5 and e399fe8.

📒 Files selected for processing (1)
  • .govulncheck.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • codeready-toolchain/api (manual)
  • codeready-toolchain/toolchain-common (manual)
  • codeready-toolchain/host-operator (manual)
  • codeready-toolchain/toolchain-e2e (manual)
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/host-operator, codeready-toolchain/toolchain-common

Based on my verification of the shell results, the previous research findings are accurate and comprehensive. The cross-repository exploration confirms:

Linked repositories findings

codeready-toolchain/api

ToolchainConfig SpaceConfig definition [::codeready-toolchain/api::]

  • File: api/v1alpha1/toolchainconfig_types.go
  • Defines SpaceConfig struct with:
    • SpaceRequestEnabled *bool — controls SpaceRequest controller initialization
    • SpaceBindingRequestEnabled *bool — controls SpaceBindingRequest controller initialization
  • Documentation explicitly states these fields are "disabled by default in Sandbox and enabled only for AppStudio stage/prod"

codeready-toolchain/host-operator

Controller initialization guard [::codeready-toolchain/host-operator::]

  • File: cmd/main.go
  • SpaceRequest controller is conditionally initialized: if crtConfig.SpaceConfig().SpaceRequestIsEnabled()
  • SpaceBindingRequest controller is conditionally initialized: if crtConfig.SpaceConfig().SpaceBindingRequestIsEnabled()

Configuration safety [::codeready-toolchain/host-operator::]

  • File: controllers/toolchainconfig/configuration.go
  • Methods SpaceRequestIsEnabled() and SpaceBindingRequestIsEnabled() use commonconfig.GetBool() with default value of false
  • Safely handles nil pointers in boolean fields

Existing test coverage [::codeready-toolchain/host-operator::]

  • Multiple test files already verify SpaceRequest/SpaceBindingRequest behavior with configuration options
  • Tests use testconfig.SpaceConfig().SpaceRequestEnabled(true) pattern

codeready-toolchain/toolchain-common

Test configuration helpers [::codeready-toolchain/toolchain-common::]

  • File: pkg/test/config/toolchainconfig.go
  • Provides SpaceConfig() helper with SpaceRequestEnabled(value bool) and SpaceBindingRequestEnabled(value bool) methods
  • Supports the test infrastructure for configuration validation

Summary

The PR's configuration change to enable spaceRequestEnabled: true in the dev environment is:

  • Well-integrated — Infrastructure to support this flag is already present across all three repositories
  • Safe — Controllers are properly gated behind configuration checks with safe defaults (false)
  • Aligned with design intent — The SpaceConfig struct documentation explicitly anticipates this use case for enabling features in different environments
  • Low risk — Configuration-only change with no API or code modifications
🔇 Additional comments (1)
.govulncheck.yaml (1)

44-67: ⚡ Quick win

Add remediation tracking metadata per new ignore entry.

Please add a short reference (owner or ticket) next to each new ignored vulnerability so expiry follow-up is explicit and auditable.

Comment thread .govulncheck.yaml
- id: GO-2026-4601
info: https://pkg.go.dev/vuln/GO-2026-4601
silence-until: 2026-06-18
silence-until: 2026-07-17
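
Review bot: The new silence-until: 2026-07-17 line for GO-2026-4601 has no rationale or follow-up reference beside it, so nothing in the entry records why the silence moved past 2026-06-18 or who revisits it before the new date. Add a short comment on the entry naming the owner or ticket and the condition that removes it, such as the dependency bump that clears the finding.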

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod toolchain/go version =="
rg -n '^(go|toolchain)\s+' go.mod || true

echo
echo "== Direct dependency pins relevant to this file =="
rg -n 'golang\.org/x/net|golang\.org/x/text' go.mod || true

echo
echo "== Ignored vuln entries in .govulncheck.yaml =="
rg -n 'id: GO-2026-|silence-until:' .govulncheck.yaml

echo
echo "== Optional: show all fixed-version notes in .govulncheck.yaml =="
rg -n '# Fixed in:' .govulncheck.yaml

Repository: codeready-toolchain/toolchain-e2e

Length of output: 1440


Address unfixed vulnerabilities rather than extending silence dates.

The project is running Go 1.24.4 and golang.org/x/net v0.47.0, which are prior to all fixed versions for the 8 vulnerabilities listed in this file (stdlib fixes in Go 1.25.8–1.25.11; golang.org/x/net fixes in v0.53.0–v0.55.0). Extending silence-until to 2026-07-17 masks active, unfixed security vulnerabilities in the development environment.

Update dependencies to pick up fixes, or document a clear remediation plan before extending silence dates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.govulncheck.yaml at line 7, Rather than extending the silence-until date in
the govulncheck configuration, update the project dependencies to address the
actual vulnerabilities. Update the Go version from 1.24.4 to at least 1.25.8 or
later (to fix stdlib vulnerabilities) and upgrade golang.org/x/net from v0.47.0
to v0.53.0 or later (to fix golang.org/x/net vulnerabilities). After updating
these dependencies, re-run the vulnerability check and then modify the
silence-until field based on the actual vulnerability status, or remove it
entirely if all vulnerabilities are resolved.
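
An added example, not part of this PR or the project's tooling: a line-based audit of ignore entries in the shape quoted in this thread (`id`, `silence-until`, `# Fixed in:`), reporting silences that have lapsed and silences kept although a fix is recorded. The sample IDs and fix note, the position of the `# Fixed in:` comment inside an entry, and the inclusive end date are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample: placeholder IDs and fix note, keys as quoted on the page.
const sample = `- id: GO-0000-0001
  # Fixed in: example.org/mod v1.2.3
  silence-until: 2026-07-17
- id: GO-0000-0002
  silence-until: 2026-06-18
- id: GO-0000-0003
  silence-until: 2026-07-17`

type entry struct{ id, fixedIn, until string }
// Audit scans the three line kinds above (not a YAML parser) and reports entries needing attention.
func Audit(cfg string, today time.Time) ([]string, error) {
	var es []entry
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if v, ok := strings.CutPrefix(line, "- id:"); ok {
			es = append(es, entry{id: strings.TrimSpace(v)})
		} else if len(es) == 0 {
			continue // nothing before the first entry belongs to one
		} else if v, ok := strings.CutPrefix(line, "silence-until:"); ok {
			es[len(es)-1].until = strings.TrimSpace(v)
		} else if v, ok := strings.CutPrefix(line, "# Fixed in:"); ok {
			es[len(es)-1].fixedIn = strings.TrimSpace(v)
		}
	}
	var out []string
	day := today.Format("2006-01-02") // ISO dates order correctly as strings
	for _, e := range es {
		if _, err := time.Parse("2006-01-02", e.until); err != nil {
			return nil, fmt.Errorf("%s: missing or malformed silence-until %q", e.id, e.until)
		}
		if day > e.until { // assumption: the silence holds through the date itself
			out = append(out, e.id+": silence expired on "+e.until)
		} else if e.fixedIn != "" {
			out = append(out, e.id+": silenced although a fix is recorded: "+e.fixedIn)
		}
	}
	return out, nil
}

func main() { fmt.Println(Audit(sample, time.Now())) }
```

Run in CI, a non-empty result can fail the job so that a silence is either removed by a dependency update or re-justified, rather than extended unnoticed.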

MatousJobanek left a comment (Collaborator)

/lgtm

openshift-ci Bot commented Jun 17, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MatousJobanek, xcoulon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,xcoulon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 6924f8a into codeready-toolchain:master Jun 17, 2026
10 checks passed

Labels

approved chore Routine repo or tooling maintenance lgtm

2 participants