
feat(policies): add option to ignore CLI compatibility when resolving policies #3242

Merged: migmartri merged 1 commit into main from feat/policy-provider-ignore-cli-compatibility, Jun 25, 2026

migmartri (Member) commented Jun 25, 2026

Adds a WithIgnoreCLICompatibility resolve option to the policy provider client. When set, it forwards the include_all_versions query parameter to the policy provider, which makes the provider skip CLI-version compatibility resolution and return the true latest revision of a policy or policy group instead of the latest revision compatible with the requesting CLI version.

The control-plane contract-save validation path now uses this option because it is a non-CLI caller and should resolve the true latest revision. The attestation RPC path (a CLI caller) keeps the default CLI-compatibility behavior.

This contribution was developed with the assistance of Claude Code.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri


chainloop-platform (Bot, Contributor) commented Jun 25, 2026

AI Session Analysis

| Avg score | Sessions | Failing policies | Attribution | Files | Lines | Total Duration |
| --- | --- | --- | --- | --- | --- | --- |
| 🟡 85% | 1 | ✅ 0 | 100% AI / 0% Human | 3 | +117 / -17 | 49m9s |

🟡 85% — 100% AI — ✅ All policies passing

Jun 25, 2026 15:25 UTC · 49m9s · $25.86 · 158.8k in / 181.9k out · claude-code 2.1.191 (claude-opus-4-8)


Change Summary

  • Adds WithIgnoreCLICompatibility() while keeping the wire param include_all_versions.
  • Threads the option through provider and workflow-contract save paths; attestation keeps the default behavior.
  • Updates provider HTTP tests, hardens nil-option handling after review, and ships the change via a rebased PR.

AI Session Overall Score

🟡 85% — Strong execution, but setup and alignment needed mid-course correction.

AI Session Analysis Breakdown

🟢 92% · scope-discipline

No notes.

🟢 92% · solution-quality

🟢 AI replaced the ambiguous bool with WithIgnoreCLICompatibility() before shipping. · High Impact

🟢 90% · verification

🟢 AI reran build, tests, gofmt, and lint at each major phase. · High Impact

🟢 89% · user-trust-signal

🟢 User kept delegating PR steps, suggesting confidence recovered after the mid-session correction. · High Impact

🟡 72% · alignment

🟠 AI started with a brainstorming detour, then the user had to correct the flag's real semantics and naming. · Medium Severity

💡 For direct code tasks, trace the repo first and ask about semantics before committing to workflow or names.

🟡 70% · context-and-planning

🟠 No shared plan or Todo landed before a multi-file API change; setup relied on ad hoc narration. · Medium Severity

💡 For multi-file signature changes, write a short visible plan before editing so later course-corrections have an anchor.


File Attribution

████████████████████ 100% AI / 0% Human

| Status | Attribution | File | Lines |
| --- | --- | --- | --- |
| modified | ai | app/controlplane/pkg/policies/policyprovider.go | +51 / -10 |
| modified | ai | app/controlplane/pkg/policies/policyprovider_http_test.go | +52 / -0 |
| modified | ai | app/controlplane/pkg/biz/workflowcontract.go | +14 / -7 |

Policies (4)

| Status | Policy | Material | Messages |
| --- | --- | --- | --- |
| ✅ Passed | ai-config-ai-agents-allowed | ai-coding-session-dbb001 | - |
| ✅ Passed | ai-config-no-dangerous-commands | ai-coding-session-dbb001 | - |
| ✅ Passed | ai-config-no-secrets | ai-coding-session-dbb001 | - |
| ✅ Passed | ai-config-mcp-servers-allowed | ai-coding-session-dbb001 | - |

Powered by Chainloop and Chainloop Trace
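
The resolve option described in the PR description and change summary above, sketched as an added example; this is not the project's code. Only `WithIgnoreCLICompatibility` and `include_all_versions` come from the PR: the struct, the `resolveURL` helper, the `"true"` parameter value and the endpoint URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// resolveOpts holds per-call settings (hypothetical struct name).
type resolveOpts struct{ ignoreCLICompat bool }

// ResolveOption is a functional option for one resolve call.
type ResolveOption func(*resolveOpts)

// WithIgnoreCLICompatibility (name from the PR) requests the true latest
// revision instead of the latest one compatible with the caller's CLI.
func WithIgnoreCLICompatibility() ResolveOption {
	return func(o *resolveOpts) { o.ignoreCLICompat = true }
}

// resolveURL (hypothetical helper) adds include_all_versions to the provider
// endpoint only when the option is set; "true" is an assumed value.
func resolveURL(endpoint string, opts ...ResolveOption) (string, error) {
	o := &resolveOpts{}
	for _, opt := range opts {
		if opt != nil { // a nil option is skipped instead of panicking
			opt(o)
		}
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", fmt.Errorf("parsing provider endpoint: %w", err)
	}
	q := u.Query() // keep any parameters already on the endpoint
	if o.ignoreCLICompat {
		q.Set("include_all_versions", "true")
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	const ep = "https://provider.example/policies/sbom-present" // constructed
	cli, _ := resolveURL(ep)                               // attestation path: default
	cp, _ := resolveURL(ep, WithIgnoreCLICompatibility()) // contract-save path
	fmt.Println(cli)
	fmt.Println(cp)
}
```

Keeping the default CLI-compatible means a caller has to opt in explicitly to receive a revision its CLI version may not support.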

jiparis previously approved these changes Jun 25, 2026

cubic-dev-ai (Bot) left a comment

1 issue found across 3 files


Comment thread app/controlplane/pkg/policies/policyprovider.go Outdated
migmartri force-pushed the feat/policy-provider-ignore-cli-compatibility branch from 0f7edbe to 57f2d12, June 25, 2026 16:14
… policies

Add a WithIgnoreCLICompatibility resolve option that forwards the
include_all_versions query parameter to the policy provider, making it skip
CLI-version compatibility resolution and return the true latest revision
instead of the latest revision compatible with the requesting CLI version.

The control-plane contract-save validation path uses the option because it is
a non-CLI caller; the attestation RPC path (a CLI caller) keeps the default
behavior.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
migmartri force-pushed the feat/policy-provider-ignore-cli-compatibility branch from 57f2d12 to b576973, June 25, 2026 16:15
migmartri merged commit 4edf9bd into main, Jun 25, 2026 (15 checks passed)
migmartri deleted the feat/policy-provider-ignore-cli-compatibility branch, June 25, 2026 16:23