
fix(controlplane): exempt batch-local policy refs in contract apply #3230

Merged: javirln merged 2 commits into chainloop-dev:main from javirln:fix/contract-dryrun-batch-policy-refs, Jun 22, 2026

javirln (Member) commented Jun 22, 2026

Contract apply resolved every policy and policy-group reference against the persisted registry. As a result, a dry-run apply failed when a contract referenced a policy or policy group that was created in the same batch and therefore not yet persisted.

This adds batch_policy_names and batch_policy_group_names to the WorkflowContractService.Apply request. References whose name is in those sets are treated as known instead of being resolved against the registry, while remote references continue to be validated in both dry-run and real applies.

Assisted-by: Claude Code


Contract apply resolved every policy and policy-group reference against the
persisted registry, so a dry-run apply failed when a contract referenced a
policy or policy group created in the same batch that was not yet persisted.

Add batch_policy_names and batch_policy_group_names to the apply request and
treat references to those names as known instead of resolving them, while
still validating remote references in both dry-run and real applies.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: f56037fd-1000-4118-9de7-d532c82f30a2
@chainloop-platform (Contributor)

AI Session Analysis

Missing AI Coding Sessions

We detected commits in this PR that were AI-assisted, but the matching Chainloop Trace session(s) could not be found in Chainloop.

Please make sure the AI coding session evidence has been sent by the Chainloop CLI, or add the skip-ai-session label to this PR to bypass this check.

Learn more about Chainloop Trace.


Powered by Chainloop and Chainloop Trace

javirln self-assigned this Jun 22, 2026
javirln requested a review from a team June 22, 2026 13:30

cubic-dev-ai (Bot) left a comment

3 issues found across 9 files

Reply with feedback, questions, or to request a fix.


Comment thread app/controlplane/internal/service/workflowcontract.go Outdated
Comment thread app/controlplane/pkg/biz/workflowcontract.go Outdated
Comment thread app/controlplane/pkg/biz/workflowcontract.go Outdated

Address review feedback on contract apply batch exemption:

- Only honor the client-supplied batch name lists on a dry-run. A real apply
  persists batch resources before the contract, so it must always validate
  fully and never trust the client lists to skip validation.
- Only exempt bare references (no provider/org). References that explicitly
  target a remote provider or org are always validated, so a bare-name
  collision with a batch-local resource can no longer bypass validation.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: f56037fd-1000-4118-9de7-d532c82f30a2
javirln merged commit 175338b into chainloop-dev:main Jun 22, 2026
15 of 16 checks passed
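
The two rules from the follow-up commit message (honor the client-supplied batch list only on a dry-run, and only for bare references), sketched as an added Go example. This is not code from this PR or from Chainloop: `PolicyRef`, `registry`, `exempt` and `Unresolved` are hypothetical names, references are assumed to be already parsed into provider, org and name, and the sample data is constructed.

```go
package main

import "fmt"

// PolicyRef is a hypothetical, already-parsed reference; Provider and Org are
// empty for a bare (local) reference.
type PolicyRef struct{ Provider, Org, Name string }

// registry is a constructed stand-in for the persisted policy registry.
var registry = map[PolicyRef]bool{
	{Name: "sbom-present"}:                               true,
	{Provider: "remote", Org: "acme", Name: "cve-check"}: true,
}

// exempt reports whether ref may skip registry resolution. The batch list is
// client-supplied, so it is honored only on a dry-run and only for bare refs.
func exempt(ref PolicyRef, dryRun bool, batch map[string]bool) bool {
	return dryRun && ref.Provider == "" && ref.Org == "" && batch[ref.Name]
}

// Unresolved returns the references that fail validation for this apply.
func Unresolved(refs []PolicyRef, dryRun bool, batch map[string]bool) []PolicyRef {
	var bad []PolicyRef
	for _, ref := range refs {
		if exempt(ref, dryRun, batch) {
			continue // created in the same batch, not yet persisted
		}
		if !registry[ref] {
			bad = append(bad, ref)
		}
	}
	return bad
}

func main() {
	batch := map[string]bool{"new-policy": true}
	refs := []PolicyRef{
		{Name: "new-policy"},                                   // batch-local, bare
		{Provider: "remote", Org: "other", Name: "new-policy"}, // bare-name collision
		{Name: "sbom-present"},                                 // already persisted
	}
	fmt.Println("dry-run:", Unresolved(refs, true, batch))
	fmt.Println("real:   ", Unresolved(refs, false, batch))
}
```

On the dry-run only the remote reference that shares a name with the batch-local policy is reported; on a real apply the batch list is ignored and both unpersisted references are reported.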