fix: remove CUE workflow-contract support

[matiasinsaurralde]

Refs PFM-6499

Summary

Drops CUE as a supported workflow-contract format. JSON and YAML remain the supported formats for contracts, policies, frameworks and requirements.

• Contracts are no longer parsed or accepted as CUE; the cuelang.org/go dependency is removed.
• The existing format enum value is retained as inert, so contracts already stored in CUE and the current API stay compatible and no database migration is required.
• Removes the CUE fixtures and the CUE contract example from the docs.

[chainloop-platform]

AI Session Analysis

Avg score	Sessions	Failing policies	Attribution	Files	Lines	Total Duration
🟢 90%	1	✅ 0	37% AI / 63% Human	12	+40 / -231	28h14m24s

🟢 90% — 37% AI — ✅ All policies passing

Jun 25, 2026 10:15 UTC · 28h14m24s · $85.46 · 62.9k in / 737.7k out · claude-code 2.1.190 (claude-opus-4-8)

View session details ↗

Change Summary

• Removes CUE workflow-contract handling from unmarshal and CLI-side metadata extraction.
• Updates unmarshal, biz, integration, and crafter tests to reject CUE and drops .cue fixtures/docs examples.
• Drops cuelang.org/go via go mod tidy while keeping inert format enums for compatibility.
• Fixes the CI tidy drift by restoring // indirect on github.com/digitorus/timestamp.

AI Session Overall Score

🟢 90% — Clean execution: scoped removal, strong validation, and no visible user trust drop.

AI Session Analysis Breakdown

🟢 92% · scope-discipline

🟢 AI staged only CUE-removal files and left unrelated config edits untouched. · High Impact

🟢 91% · user-trust-signal

No notes.

🟢 90% · alignment

No notes.

🟢 89% · solution-quality

No notes.

🟢 88% · verification

🟢 AI added rejection tests and reran the affected Go test suites. · High Impact

🟢 84% · context-and-planning

🟢 AI mapped callers, compatibility risks, and test surface before editing removal. · High Impact

---

File Attribution

███████░░░░░░░░░░░░░ 37% AI / 63% Human

Status	Attribution	File	Lines
deleted	human	docs/examples/contracts/skynet/contract.cue	+0 / -56
deleted	human	app/controlplane/pkg/biz/testdata/contracts/contract.cue	+0 / -48
deleted	human	app/controlplane/pkg/unmarshal/testdata/contracts/contract.cue	+0 / -48
modified	ai	app/controlplane/pkg/unmarshal/unmarshal.go	+16 / -28
modified	ai	app/controlplane/pkg/unmarshal/unmarshal_test.go	+24 / -14
modified	human	go.sum	+0 / -12
modified	ai	app/cli/pkg/action/util.go	+0 / -5
modified	ai	app/controlplane/pkg/biz/workflowcontract_integration_test.go	+0 / -5
modified	ai	pkg/attestation/crafter/crafter_test.go	+0 / -5
modified	ai	app/controlplane/pkg/biz/workflowcontract_test.go	+0 / -4
modified	human	go.mod	+0 / -4
deleted	human	pkg/attestation/crafter/testdata/contracts/empty_github.cue	+0 / -2

---

Policies (4)

Status	Policy	Material	Messages
✅ Passed	ai-config-ai-agents-allowed	ai-coding-session-cc2bbc	-
✅ Passed	ai-config-no-dangerous-commands	ai-coding-session-cc2bbc	-
✅ Passed	ai-config-no-secrets	ai-coding-session-cc2bbc	-
✅ Passed	ai-config-mcp-servers-allowed	ai-coding-session-cc2bbc	-

---

Powered by Chainloop and Chainloop Trace

[cubic-dev-ai]

1 issue found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="go.mod">

<violation number="1" location="go.mod:357">
P2: `digitorus/timestamp` is not imported by any Go file in the module, so its `// indirect` annotation should be kept. Removing it makes go.mod inconsistent with the actual dependency graph.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>