Summary
When running an attestation, the CLI/UI should surface all materials that are expected for the workflow — both required and optional. Materials that are defined as part of a policy group attached to the contract are not being shown during attestation, so users have no visibility into them.
Expected behavior
During attestation (e.g. chainloop attestation status / add), the list of expected materials should include materials contributed by any policy group bound to the contract, alongside the materials declared directly in the contract.
Actual behavior
Materials that originate from a policy group are omitted from the materials shown during attestation. Only materials declared directly on the contract appear; the policy-group materials are silently missing.
Related: confusing warning on duplicate materials
If the same material is declared in both the contract's materials list and inside an attached policy group, the user gets a confusing warning during attestation. The two sources of materials aren't reconciled cleanly: instead of treating the contract + policy-group definitions as a single merged set, the overlap is flagged in a way that's unclear to the user (it reads like an error/misconfiguration rather than the expected "same material defined in two places" case). The warning text and the condition that triggers it should be clarified — or the duplicate should be merged silently when the definitions are compatible.
Impact
- Users can't tell which materials a policy group expects, so they may not provide them.
- Reduced visibility makes it hard to satisfy policy-group requirements and to debug failing/incomplete attestations.
- The duplicate-material warning adds confusion when a material legitimately appears in both the contract and a policy group.
Notes
The materials are still defined correctly inside the policy group — the bug is specifically in how the expected-materials list is assembled/displayed during attestation, where policy-group materials are not merged in cleanly with the contract materials.
🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri
Summary
When running an attestation, the CLI/UI should surface all materials that are expected for the workflow — both required and optional. Materials that are defined as part of a policy group attached to the contract are not being shown during attestation, so users have no visibility into them.
Expected behavior
During attestation (e.g.
chainloop attestation status/add), the list of expected materials should include materials contributed by any policy group bound to the contract, alongside the materials declared directly in the contract.Actual behavior
Materials that originate from a policy group are omitted from the materials shown during attestation. Only materials declared directly on the contract appear; the policy-group materials are silently missing.
Related: confusing warning on duplicate materials
If the same material is declared in both the contract's
materialslist and inside an attached policy group, the user gets a confusing warning during attestation. The two sources of materials aren't reconciled cleanly: instead of treating the contract + policy-group definitions as a single merged set, the overlap is flagged in a way that's unclear to the user (it reads like an error/misconfiguration rather than the expected "same material defined in two places" case). The warning text and the condition that triggers it should be clarified — or the duplicate should be merged silently when the definitions are compatible.Impact
Notes
The materials are still defined correctly inside the policy group — the bug is specifically in how the expected-materials list is assembled/displayed during attestation, where policy-group materials are not merged in cleanly with the contract materials.
🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri