Skip to content

fix(crafter): surface DNS-1123 validation errors instead of masking them#2983

Open
waveywaves wants to merge 1 commit intochainloop-dev:mainfrom
waveywaves:fix/dns1123-error-masking
Open

fix(crafter): surface DNS-1123 validation errors instead of masking them#2983
waveywaves wants to merge 1 commit intochainloop-dev:mainfrom
waveywaves:fix/dns1123-error-masking

Conversation

@waveywaves
Copy link
Copy Markdown
Contributor

@waveywaves waveywaves commented Apr 3, 2026

Summary

  • Fix variable shadowing in AddMaterialContactFreeWithAutoDetectedKind: the m, err := inside the for loop created a new err that never propagated to the outer scope, so the final fallthrough error was always nil
  • Add DNS-1123 name validation at the top of AddMaterialContractFree using a regex check matching the same rule as the proto CEL constraint, returning a clear error message immediately instead of letting invalid names flow through the auto-discovery loop
  • Detect protovalidate.ValidationError in the auto-discovery loop and break early, since schema-level validation failures (like invalid names) are not kind mismatches and should not be retried across all material types

Fixes #2394

Test plan

  • Added test case non-dns-1123 name surfaces clear error (name with underscores and dots)
  • Added test case uppercase name surfaces dns-1123 error (uppercase letters)
  • All existing TestAddMaterialsAutomatic tests continue to pass (12/12)
  • Full go test ./pkg/attestation/crafter/... passes
  • go vet ./pkg/attestation/crafter/... passes
  • Verify manually with chainloop att add --value <file> --name My_Invalid.Name that a clear error is shown

🤖 Generated with Claude Code

@waveywaves waveywaves force-pushed the fix/dns1123-error-masking branch from 9241f71 to 2c1b24b Compare April 3, 2026 11:26
@javirln
Copy link
Copy Markdown
Member

javirln commented Apr 7, 2026

@waveywaves is this ready to be reviewed?

@waveywaves waveywaves force-pushed the fix/dns1123-error-masking branch from 2c1b24b to 7fb43ea Compare April 7, 2026 08:16
@waveywaves waveywaves marked this pull request as ready for review April 7, 2026 08:16
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files

Prompt for AI agents (unresolved issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/attestation/crafter/crafter.go">

<violation number="1" location="pkg/attestation/crafter/crafter.go:670">
P2: DNS-1123 invalid-name errors are generic errors and are not treated as terminal in auto-detect, so they are retried and wrapped by the generic auto-discovery failure instead of being surfaced immediately.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.

@waveywaves @claude
fix(crafter): surface DNS-1123 validation errors instead of masking them
a1b71af 
The material auto-discovery loop in AddMaterialContactFreeWithAutoDetectedKind
silently swallowed DNS-1123 validation errors because:

1. Variable shadowing: `m, err :=` inside the for loop created a new `err`
   that never propagated to the outer scope, so the final error message was
   always nil when all kinds failed.

2. No early validation: invalid material names (uppercase, underscores, dots)
   were passed through the entire kind-probing loop before failing deep in
   proto validation, with the real cause buried.

3. Proto-validation errors not detected: the loop treated schema-level
   validation failures the same as kind mismatches, continuing to probe
   instead of stopping.

Fixes:
- Replace `:=` with `=` to avoid shadowing the outer `err`
- Add DNS-1123 regex check at the top of AddMaterialContractFree
- Detect protovalidate.ValidationError in the auto-discovery loop and
  break immediately instead of masking the real error

Fixes chainloop-dev#2394

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
@waveywaves waveywaves force-pushed the fix/dns1123-error-masking branch from 7fb43ea to a1b71af Compare April 8, 2026 10:20
@waveywaves
Copy link
Copy Markdown
Contributor Author

waveywaves commented Apr 8, 2026

@jiparis Ready for review — all commits GPG-signed and rebased on main. This fixes a variable shadowing bug that silently masks DNS-1123 validation errors in AddMaterialContractFree (issue #2394).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Material type auto-discovery hides material name not being dns-1123 compliant

2 participants

@waveywaves @javirln