
fix(controlplane): remediate migrations image and moby/moby vulnerabilities #3207

Merged: migmartri merged 1 commit into main from fix/vuln-remediation-v1.100.7 on Jun 14, 2026

Conversation

migmartri (Member) commented Jun 14, 2026

Summary

Remediates the vulnerability policy violations flagged for chainloop v1.100.7.

  • Bumps the arigaio/atlas base image in the control-plane migrations Dockerfile to a build with an updated Go toolchain and golang.org/x/crypto / golang.org/x/net, resolving 13 vulnerabilities (7 critical, 6 high) in the migrations image.
  • Removes the github.com/moby/moby dependency, which was pulled in only for its pkg/namesgenerator helper used to generate random organization names in test setups. That legacy +incompatible import path carried 5 high-severity advisories in unrelated daemon/engine code and has no fixed version available. The helper is replaced with a short UUID-based prefix, eliminating the dependency and all 5 advisories.

AI assistance

This change was produced with the assistance of Claude Code.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri


…drop moby/moby dependency

Bump the arigaio/atlas base image in the migrations Dockerfile to a build
with an updated Go toolchain and golang.org/x/crypto / golang.org/x/net,
resolving 13 vulnerabilities (7 critical, 6 high) in the control-plane
migrations image.

Remove the github.com/moby/moby dependency, which was pulled in solely for
its pkg/namesgenerator helper used to generate random organization names in
test setups. v28.5.2+incompatible is the latest on that legacy import path
and carried 5 high-severity advisories in unrelated daemon/engine code. The
helper is replaced with a short UUID-based prefix, eliminating the dependency
and all 5 advisories.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: d9c47157-0a04-4025-a0bf-5b9947f7ea09
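A standard-library version of the UUID-prefix test helper the PR describes, added here as an example rather than the project's own code: it derives a short prefix from a freshly generated UUID v4 so that test organization names stay distinct without pulling any third-party module into go.mod. The `test-org-` prefix, the eight-character length and the function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// orgNameRe describes the shape of a generated test organization name: a fixed
// prefix plus eight lowercase hex characters taken from a UUID (format assumed).
var orgNameRe = regexp.MustCompile(`^test-org-[0-9a-f]{8}$`)

// newUUIDv4 builds a random (version 4, RFC 4122 variant) UUID from crypto/rand
// using only the standard library, so a test-only helper adds no dependency.
func newUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	h := hex.EncodeToString(b[:])
	return fmt.Sprintf("%s-%s-%s-%s-%s", h[0:8], h[8:12], h[12:16], h[16:20], h[20:]), nil
}

// randomOrgName replaces a dictionary-style name generator with a short
// UUID-derived prefix: the first hex group of a fresh UUID v4 (32 random bits)
// is enough to keep test organizations distinct within a test run.
func randomOrgName() (string, error) {
	u, err := newUUIDv4()
	if err != nil {
		return "", err
	}
	return "test-org-" + u[:8], nil
}

// validOrgName reports whether a generated name matches the expected shape.
func validOrgName(name string) bool {
	return orgNameRe.MatchString(name)
}

func main() {
	name, err := randomOrgName()
	if err != nil {
		panic(err)
	}
	fmt.Println(name, validOrgName(name))
}
```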
chainloop-platform (Bot, Contributor) commented Jun 14, 2026

AI Session Analysis

Avg score:        🟢 85%
Sessions:         1
Failing policies: ✅ 0
Attribution:      83% AI / 17% Human
Files:            5
Lines:            +7 / -11
Total duration:   19m18s

🟢 85% — 83% AI — ✅ All policies passing

Jun 14, 2026 14:11 UTC · 19m18s · $17.33 · 84.0k in / 114.1k out · claude-code 2.1.177 (claude-opus-4-8)


Change Summary

  • Reviews the Chainloop vulnerability policy output for chainloop v1.100.7.
  • Updates app/controlplane/Dockerfile.migrations to pin a clean arigaio/atlas digest.
  • Removes legacy github.com/moby/moby by switching random org-name generation to a UUID prefix.
  • Refreshes go.mod/go.sum and updates the stale biz.go comment.

AI Session Overall Score

🟢 85% — Strong remediation work, with one verification gap around end-to-end Dockerfile validation.

AI Session Analysis Breakdown

🟢 92% · alignment

No notes.

🟢 91% · scope-discipline

No notes.

🟢 89% · solution-quality

🟢 AI shrank the moby fix to a UUID prefix after tracing real usage. · High Impact

🟢 88% · context-and-planning

🟢 User front-loaded a detailed remediation skill with concrete files and steps. · High Impact

🟢 84% · user-trust-signal

No notes.

🟡 72% · verification

🟢 AI ran targeted biz tests and full builds before committing. · High Impact

🟠 Atlas and Go checks passed, but the rebuilt migrations image itself was never exercised end-to-end. · Medium Severity

💡 For Dockerfile changes, run the rebuilt image once and capture the result.


File Attribution

83% AI / 17% Human

Status    Attribution  File                                      Lines
modified  ai           app/controlplane/Dockerfile.migrations    +4 / -4
modified  ai           app/controlplane/pkg/biz/organization.go  +2 / -3
modified  ai           app/controlplane/pkg/biz/biz.go           +1 / -1
modified  human        go.sum                                    +0 / -2
modified  human        go.mod                                    +0 / -1

Policies (4)

Status     Policy                            Material                   Messages
✅ Passed  ai-config-ai-agents-allowed       ai-coding-session-d9c471   -
✅ Passed  ai-config-no-dangerous-commands   ai-coding-session-d9c471   -
✅ Passed  ai-config-no-secrets              ai-coding-session-d9c471   -
✅ Passed  ai-config-mcp-servers-allowed     ai-coding-session-d9c471   -

Powered by Chainloop and Chainloop Trace

@migmartri migmartri requested a review from a team June 14, 2026 14:32

cubic-dev-ai (Bot) left a comment

No issues found across 5 files

@migmartri migmartri merged commit a07144f into main Jun 14, 2026
16 checks passed
@migmartri migmartri deleted the fix/vuln-remediation-v1.100.7 branch June 14, 2026 14:59