Address code review feedback

- Fix typo: Polices -> Policies in test name
- Add defensive length check before accessing line[0] in parsePolicy
- Add defensive length check before accessing line[0] in parseRoles
- Clarify log location in workflow documentation

Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com>

Author: Copilot

examples/workflow-example.md

@@ -44,7 +44,7 @@ EOF
 
 ## Step 2: Monitor Violations
 
-Watch the logs to see what would be blocked:
+Watch the logs to see what would be blocked. Since the webhook runs as part of the controller:
 
 ```bash
 kubectl logs -n policywall-system deployment/policywall-controller -f | grep "DRY-RUN"
@@ -55,6 +55,8 @@ You'll see output like:
 W0116 01:19:54.677559 [DRY-RUN] Policy 'production-protection' violation: DELETE Pod/myapp in namespace production not allowed
 ```
 
+Note: The DRY-RUN violations are logged by the webhook handler within the controller pod.
+
 ## Step 3: Identify False Positives
 
 Review the violations and adjust your policy if needed:

pkg/webhook/webhook.go

@@ -295,7 +295,7 @@ func parsePolicy(policyStr string) [][]string {
 
 	for _, line := range lines {
 		line = trimSpace(line)
-		if line == "" || line[0] == '#' {
+		if len(line) == 0 || line[0] == '#' {
 			continue
 		}
 
@@ -319,7 +319,7 @@ func parseRoles(policyStr string) [][]string {
 
 	for _, line := range lines {
 		line = trimSpace(line)
-		if line == "" || line[0] == '#' {
+		if len(line) == 0 || line[0] == '#' {
 			continue
 		}
 

pkg/webhook/webhook_test.go

@@ -359,7 +359,7 @@ m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`,
 	}
 }
 
-func TestWebhookServer_MultiplePolices(t *testing.T) {
+func TestWebhookServer_MultiplePolicies(t *testing.T) {
 	server := NewWebhookServer()
 
 	// Add a dry-run policy