
feat(controlplane): filter referrer discovery by project name and version#3158

Open
migmartri wants to merge 1 commit into chainloop-dev:main from migmartri:3155-referrer-discovery-version-filter

Conversation

@migmartri · Member

Closes #3155

Adds optional project_name and project_version filters to the private referrer discovery endpoint (DiscoverPrivate). When both are supplied, the discovered referrer and its references are confined to the matching project version:

  • An attestation is returned only if it belongs to the requested project version.
  • A material/subject (e.g. an SBOM or image shared across many projects and versions) is returned only if it is referenced by an attestation in that project version, and its references are scoped accordingly.

Version membership is resolved by entering from the project version's workflow runs, so the lookup stays bounded regardless of how widely a material is shared. The two fields must be provided together (a version name is unique only within a project), enforced via proto validation.

The deprecated public shared discovery endpoint is marked as deprecated in the proto.

This change was developed with AI assistance (Claude Code).
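The scoping rule the description lays out, as an added illustration in Go (not chainloop's own code): an in-memory model in which `Attestation`, `Filter`, `Validate` and the `store` slice are assumptions standing in for the real proto and data layers, showing the paired-field check and why walking from the project version's attestations keeps the lookup bounded.

```go
package main

import "errors"

// Attestation is a constructed stand-in for one workflow-run attestation: it belongs to
// one project version and references materials (SBOMs, images) shared across projects.
type Attestation struct {
	Digest, Project, Version string
	Materials                []string
}
type Filter struct{ ProjectName, ProjectVersion string } // the two optional fields the PR adds
var (
	ErrUnpairedFilter = errors.New("project_name and project_version must be set together")
	ErrNotFound       = errors.New("referrer not found in the requested scope")
)

// Validate mirrors the proto rule: a version name is unique only within a project,
// so the fields are accepted only as a pair (both set or both empty).
func (f Filter) Validate() error {
	if (f.ProjectName == "") != (f.ProjectVersion == "") {
		return ErrUnpairedFilter
	}
	return nil
}

// DiscoverPrivate resolves a digest to its references. With a filter it visits only the
// requested version's attestations, so a widely shared material still costs one version of work.
func DiscoverPrivate(store []Attestation, digest string, f Filter) ([]string, error) {
	if err := f.Validate(); err != nil {
		return nil, err
	}
	var refs []string // stays nil until the digest is seen inside the scope
	for _, a := range store {
		if f.ProjectName != "" && (a.Project != f.ProjectName || a.Version != f.ProjectVersion) {
			continue // outside the requested version: not visible through this filter
		}
		if a.Digest == digest { // hit is an attestation: its references are its materials
			refs = append([]string{}, a.Materials...) // non-nil even with no materials
			continue
		}
		for _, m := range a.Materials { // hit is a material: references are in-scope attestations
			if m == digest {
				refs = append(refs, a.Digest)
			}
		}
	}
	if refs == nil {
		return nil, ErrNotFound
	}
	return refs, nil
}
```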

@migmartri migmartri requested a review from a team May 27, 2026 11:20

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 15 files


Comment thread app/controlplane/pkg/data/referrer.go Outdated
@migmartri migmartri force-pushed the 3155-referrer-discovery-version-filter branch from 36d60ab to 92f57b3 Compare May 27, 2026 12:38
@chainloop-platform · Contributor

chainloop-platform Bot commented May 27, 2026

AI Session Analysis

Avg score  Sessions  Failing policies  Attribution         Files  Lines       Total Duration
🟢 88%     1         ✅ 0              62% AI / 38% Human  7      +372 / -13  100h7m56s

🟢 88% — 62% AI — ✅ All policies passing

May 27, 2026 10:08 UTC · 100h7m56s · $91.59 · 12.1k in / 500.1k out · claude-code 2.1.152 (claude-opus-4-7)


Change Summary

  • Adds version-filter capability to referrer discovery API threaded through proto, business, data, and service layers.
  • Adds integration tests covering positive, negative, RBAC, and cursor-bypass cases against real Postgres.
  • Fixes RBAC bypass where version filter leaked cross-project referrers.
  • Applies simplify pass that caught a pagination guard bug and CEL validation gap.

AI Session Overall Score

🟢 88% — Strong end-to-end delivery with real tests, RBAC fix, and high user trust.

AI Session Analysis Breakdown

🟢 92% · verification

🟢 8 integration subtests run 7 times cover positive, negative, RBAC, and cursor-bypass cases against real Postgres. · High Impact

🟡 One test build failure occurred after rebase; caught and resolved within the session. · Low Severity

🟢 90% · alignment

🟢 AI delivered all task phases without misinterpretation; claims matched actual command outputs throughout. · High Impact

🟢 88% · scope-discipline

🟡 Simplify pass invoked proactively after implementation, outside strict TDD discipline. · Low Severity

🟢 88% · solution-quality

🟢 Version filter threaded through all four layers; RBAC bypass found and fixed. · High Impact

🟡 nolint directives added on deprecated RPC call sites without inline explanation. · Low Severity

💡 Add a brief inline comment explaining why the deprecated path must be retained.

🟢 87% · user-trust-signal

No notes.

🟡 72% · context-and-planning

🟠 RBAC/project-access check omitted from initial plan; surfaced only by user late in session. · Medium Severity

💡 Surface authorization implications when designing APIs scoped to user-owned resources.

🟠 Initial prompt had no stated scope, constraints, or access-control requirements. · Medium Severity

💡 Ask for scope, performance targets, and access-control requirements before exploring.


File Attribution

████████████░░░░░░░░ 62% AI / 38% Human

Status    Attribution  File                                                   Lines
modified  ai           app/controlplane/pkg/biz/referrer_integration_test.go  +158 / -0
modified  ai           app/controlplane/pkg/data/referrer.go                  +138 / -3
modified  ai           app/controlplane/pkg/biz/referrer.go                   +22 / -8
modified  human        app/controlplane/api/controlplane/v1/referrer.proto    +20 / -0
modified  human        app/controlplane/api/gen/openapi/openapi.yaml          +19 / -0
modified  human        app/controlplane/internal/service/referrer.go          +12 / -2
modified  human        app/cli/pkg/action/referrer_discover.go                +3 / -0

Policies (4)

Status     Policy                           Material                  Messages
✅ Passed  ai-config-ai-agents-allowed      ai-coding-session-593298  -
✅ Passed  ai-config-no-dangerous-commands  ai-coding-session-593298  -
✅ Passed  ai-config-no-secrets             ai-coding-session-593298  -
✅ Passed  ai-config-mcp-servers-allowed    ai-coding-session-593298  -

Powered by Chainloop and Chainloop Trace

@migmartri migmartri force-pushed the 3155-referrer-discovery-version-filter branch from 92f57b3 to 1641767 Compare May 27, 2026 15:27
jiparis
jiparis previously approved these changes May 27, 2026
@migmartri migmartri force-pushed the 3155-referrer-discovery-version-filter branch 4 times, most recently from a7836a3 to b9eb8ec Compare May 31, 2026 14:42
@migmartri migmartri requested a review from a team May 31, 2026 14:58
@migmartri migmartri force-pushed the 3155-referrer-discovery-version-filter branch from b9eb8ec to af0aa09 Compare May 31, 2026 15:48
…sion

Add optional project_name and project_version filters to the private referrer
discovery endpoint (DiscoverPrivate). When both are provided, the discovered
referrer and its references are confined to the matching project version,
resolved by entering from the project version's workflow runs so the lookup
stays bounded regardless of how widely a material is shared.

Mark the deprecated public shared discovery endpoint as deprecated in the proto.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: 593298f0-05bd-408b-9767-5472afe1caec
@migmartri migmartri force-pushed the 3155-referrer-discovery-version-filter branch from af0aa09 to e472c08 Compare May 31, 2026 15:53
@migmartri migmartri enabled auto-merge (squash) May 31, 2026 16:39
Successfully merging this pull request may close these issues.

Extend referrer (discovery) API to filter by project name and project version

2 participants