feat(contract): support "at least one of" material choke groups

[jiparis]

Add new group field to contract materials to denote oneOf behaviour and validation

Ungrouped materials (group == ""): unchanged — required unless optional.
Grouped materials: partition by group value. For each group, at least one member
must be present in the crafted materials; otherwise the group is reported missing
(e.g. at least one material from group "sbom-source" is required: cyclonedx-sbom, spdx-sbom).
A member’s individual optional flag is ignored for grouped materials (the group rule governs).

Closes #3234

Example:

apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: $C
spec:
  materials:
    - name: build-ref
      type: STRING
    - name: sbom-cyclonedx
      type: SBOM_CYCLONEDX_JSON
      group: sbom
    - name: sbom-spdx
      type: SBOM_SPDX_JSON
      group: sbom
EOF

> go run app/cli/main.go --insecure attestation status 2>&1
...

┌────────────────────────────────────────┐
│ Materials                              │
├───────────┬────────────────────────────┤
│ Name      │ build-ref                  │
│ Type      │ STRING                     │
│ Set       │ No                         │
│ Required  │ Yes                        │
├───────────┼────────────────────────────┤
│ Group     │ sbom                       │
│ Rule      │ at least one of 2 required │
│ Satisfied │ No                         │
├───────────┼────────────────────────────┤
│ Name      │ ↳ sbom-cyclonedx           │
│ Type      │ SBOM_CYCLONEDX_JSON        │
│ Set       │ No                         │
├───────────┼────────────────────────────┤
│ Name      │ ↳ sbom-spdx                │
│ Type      │ SBOM_SPDX_JSON             │
│ Set       │ No                         │
└───────────┴────────────────────────────┘

---

AI assistance: this contribution was produced with assistance from Claude Code (disclosed via the Assisted-by trailer on the commits).

[cubic-dev-ai]

No issues found across 13 files

_{Re-trigger cubic}

[matiasinsaurralde]

LGTM - A test failed though

[chainloop-platform]

AI Session Analysis

Avg score	Sessions	Failing policies	Attribution	Files	Lines	Total Duration
🟡 60%	1	⚠️ 1	100% AI / 0% Human	11	+354 / -10	5h54m7s

🟡 60% — 100% AI — ⚠️ 1 policies failing

Jun 23, 2026 10:18 UTC · 5h54m7s · $104.18 · 164.1k in / 369.3k out · claude-code 2.1.170 (claude-opus-4-8)

View session details ↗

Change Summary

• Adds a group field to contract materials for explicit one-of semantics.
• Makes raw contract parsing discard unknown fields for forward compatibility.
• Updates CLI status and add flows to surface grouped materials and enforcement.
• Adds tests, a docs example, and a follow-up fixture fix after CI exposed a regression.

AI Session Overall Score

🟡 60% — Strongly planned and verified, but two alignment misses keep review warranted.

AI Session Analysis Breakdown

🟢 95% · context-and-planning

🟢 AI wrote and revised a detailed plan before most edits began. · High Impact

🟢 94% · verification

🟢 AI exercised the local stack and observed contract, status, failure, and success paths. · High Impact

🟢 90% · solution-quality

No notes.

🟢 88% · user-trust-signal

🟢 User kept delegating follow-up work instead of abandoning the session. · Medium Impact

🟡 74% · scope-discipline

🟡 License header year updates were bundled into edited test files without user request. · Low Severity

🔴 35% · alignment

🔴 AI declared the PR complete before CI exposed failing controlplane tests on the branch. · High Severity

💡 Before calling a PR done, check remote CI once after the final push.

🟠 AI first described group as backward-compatible, then discovered raw YAML/JSON re-parsing rejected unknown fields by default. · Medium Severity

💡 Verify compatibility claims against every parsing path before presenting them as settled.

---

File Attribution

████████████████████ 100% AI / 0% Human

Status	Attribution	File	Lines
modified	ai	pkg/attestation/crafter/api/attestation/v1/crafting_state_validations_test.go	+123 / -1
modified	ai	app/controlplane/pkg/unmarshal/unmarshal_test.go	+95 / -1
modified	ai	app/cli/pkg/action/attestation_status_test.go	+40 / -1
modified	ai	pkg/attestation/crafter/api/attestation/v1/crafting_state_validations.go	+36 / -2
created	ai	docs/examples/contracts/material-groups/contract.yaml	+27 / -0
modified	ai	app/controlplane/pkg/unmarshal/unmarshal.go	+8 / -3
modified	ai	app/cli/pkg/action/attestation_status.go	+7 / -1
modified	ai	app/controlplane/api/workflowcontract/v1/crafting_schema.proto	+8 / -0
modified	ai	app/cli/cmd/attestation_add.go	+4 / -0
modified	ai	app/controlplane/pkg/biz/testdata/contracts/invalid_contract.yaml	+3 / -1
modified	ai	app/cli/cmd/attestation_status.go	+3 / -0

---

Policies (4, 1 failing)

Status	Policy	Material	Messages
✅ Passed	ai-config-ai-agents-allowed	ai-coding-session-ec69dd	-
✅ Passed	ai-config-no-dangerous-commands	ai-coding-session-ec69dd	-
⚠️ Failed	ai-config-no-secrets	ai-coding-session-ec69dd	Potential secret (JWT) found in session content [turn=472, source=tool_result, line=6, value=eyJhbGci...T73k] Potential secret (Quoted API key/password) found in session content [turn=375, source=tool_result, line=9, value=secret: ...mV0"]
✅ Passed	ai-config-mcp-servers-allowed	ai-coding-session-ec69dd	-

---

Powered by Chainloop and Chainloop Trace

[migmartri]

Can we visualize this differently? As in gruping them, etc?

[javirln]

+1 to try to show them in a different way like a box surrounding them or something. Not a blocker though but nice to have

[jiparis]

Can we visualize this differently? As in gruping them, etc?

Do you mean in the CLI output? I'll check what we can do.

[javirln]

Yes it's only the CLI output, at least on my side

[migmartri]

Yes it's only the CLI output, at least on my side

same here

[jiparis]

done, I've updated the description