feat(controlplane): filter referrer discovery by project name and version #3158

Open: migmartri wants to merge 1 commit into chainloop-dev:main from migmartri:3155-referrer-discovery-version-filter

@migmartri
Member

Closes #3155

Adds optional project_name and project_version filters to the private referrer discovery endpoint (DiscoverPrivate). When both are supplied, the discovered referrer and its references are confined to the matching project version:

  • An attestation is returned only if it belongs to the requested project version.
  • A material/subject (e.g. an SBOM or image shared across many projects and versions) is returned only if it is referenced by an attestation in that project version, and its references are scoped accordingly.

Version membership is resolved by entering from the project version's workflow runs, so the lookup stays bounded regardless of how widely a material is shared. The two fields must be provided together (a version name is unique only within a project), enforced via proto validation.

The deprecated public shared discovery endpoint is marked as deprecated in the proto.

This change was developed with AI assistance (Claude Code).
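
The scoping rules from the description above, as an added Go sketch that is not part of this pull request or of Chainloop's code. The `store` model, its field names, `discover` and the sample digests are hypothetical and constructed for illustration; the unfiltered path over `all` is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model, constructed for this example (not Chainloop's schema).
type versionKey struct{ project, version string }
type store struct {
	all      []string                // every attestation digest (assumed unfiltered scope)
	subjects map[string][]string     // attestation -> materials/subjects it references
	runs     map[versionKey][]string // project version -> attestations from its workflow runs
}

var errFilterPair = errors.New("project_name and project_version must be provided together")

// discover returns the references of digest, or nil when it is not visible in scope.
// With a filter it enters from the version's workflow runs, so work is bounded by them.
func (s *store) discover(digest, project, version string) ([]string, error) {
	if (project == "") != (version == "") {
		return nil, errFilterPair // a version name is unique only within a project
	}
	scope := s.all
	if project != "" {
		scope = s.runs[versionKey{project, version}]
	}
	var refs []string
	for _, att := range scope {
		if att == digest { // attestation in scope: its references are its subjects
			return s.subjects[att], nil
		}
		for _, m := range s.subjects[att] {
			if m == digest { // material referenced by an in-scope attestation
				refs = append(refs, att)
			}
		}
	}
	return refs, nil
}

// sample is constructed data: one SBOM shared by two project versions.
var sample = &store{
	all:      []string{"att-a", "att-b"},
	subjects: map[string][]string{"att-a": {"sbom-1"}, "att-b": {"sbom-1", "img-2"}},
	runs:     map[versionKey][]string{{"web", "v1"}: {"att-a"}, {"api", "v2"}: {"att-b"}},
}

func main() {
	fmt.Println(sample.discover("sbom-1", "web", "v1")) // [att-a] <nil>
}
```
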

@migmartri migmartri requested a review from a team May 27, 2026 11:20

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 15 files

Comment thread app/controlplane/pkg/data/referrer.go Outdated
@migmartri migmartri force-pushed the 3155-referrer-discovery-version-filter branch from 36d60ab to 92f57b3 Compare May 27, 2026 12:38
@chainloop-platform
Contributor

chainloop-platform Bot commented May 27, 2026

AI Session Analysis

| Avg score | Sessions | Failing policies | Attribution | Files | Lines | Total Duration |
|---|---|---|---|---|---|---|
| 🟢 88% | 1 | ✅ 0 | 24% AI / 76% Human | 7 | +251 / -13 | 5h19m18s |

🟢 88% — 24% AI — ✅ All policies passing

May 27, 2026 10:08 UTC · 5h19m18s · $63.94 · 4.6k in / 356.2k out · claude-code 2.1.152 (claude-opus-4-7)

Change Summary

Added version-filter support to the referrer API, implemented at the ent query layer for scalability. Proto, business logic, data, service, CLI, and integration test layers were all updated. A cursor-bypass regression bug was caught via CI review and fixed with a dedicated test. Rebase merged concurrent upstream changes (OTel tracing, renamed interface method) without loss.

AI Session Overall Score

🟢 88% — Strong delivery with thorough testing and clean CI; initial framing was thin.

AI Session Analysis Breakdown

🟢 92% · alignment

🟢 AI executed all five explicit tasks in the final implementation turn without omission. · High Impact

🟡 Initial exploration was interrupted before completing; minor scope overshoot on the first turn. · Low Severity

🟢 92% · verification

🟢 8-subtest integration suite runs against a real database, covering new feature with negative cases. · High Impact

🟡 Tests broke mid-session after rebase renamed SaveAttestation; required a fix before final pass. · Low Severity

🟢 88% · solution-quality

🟢 Version filtering implemented at the ent query layer, avoiding in-memory post-filtering on millions of rows. · High Impact

🟡 Two nolint directives added at call sites using a deprecated proto field retained for backward compatibility. · Low Severity

💡 Document the nolint rationale inline to clarify intent for future maintainers.

🟢 87% · scope-discipline

🟡 SSH gitconfig cleanup removed 24 duplicate rewrites beyond the single remote the user asked to fix. · Low Severity

🟢 85% · user-trust-signal

No notes.

🟡 72% · context-and-planning

🟠 Scale, scope, and children-scoping were established through reactive follow-up rather than stated upfront. · Medium Severity

💡 State scale, scope, and key constraints upfront rather than through reactive clarification.

🟡 Implementation was kicked off with a terse multi-command instruction with no explicit reference to the spec. · Low Severity

💡 Reference the written spec when kicking off implementation to anchor scope.


File Attribution

████░░░░░░░░░░░░░░░░ 24% AI / 76% Human

| Status | Attribution | File | Lines |
|---|---|---|---|
| modified | ai | app/controlplane/pkg/biz/referrer_integration_test.go | +91 / -0 |
| modified | ai | app/controlplane/pkg/data/referrer.go | +84 / -3 |
| modified | ai | app/controlplane/pkg/biz/referrer.go | +22 / -8 |
| modified | human | app/controlplane/api/controlplane/v1/referrer.proto | +20 / -0 |
| modified | human | app/controlplane/api/gen/openapi/openapi.yaml | +19 / -0 |
| modified | human | app/controlplane/internal/service/referrer.go | +12 / -2 |
| modified | human | app/cli/pkg/action/referrer_discover.go | +3 / -0 |

Policies (4)

| Status | Policy | Material | Messages |
|---|---|---|---|
| ✅ Passed | ai-config-ai-agents-allowed | ai-coding-session-593298 | - |
| ✅ Passed | ai-config-no-dangerous-commands | ai-coding-session-593298 | - |
| ✅ Passed | ai-config-no-secrets | ai-coding-session-593298 | - |
| ✅ Passed | ai-config-mcp-servers-allowed | ai-coding-session-593298 | - |

Powered by Chainloop and Chainloop Trace

…sion

Add optional project_name and project_version filters to the private referrer
discovery endpoint (DiscoverPrivate). When both are provided, the discovered
referrer and its references are confined to the matching project version,
resolved by entering from the project version's workflow runs so the lookup
stays bounded regardless of how widely a material is shared.

Mark the deprecated public shared discovery endpoint as deprecated in the proto.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: 593298f0-05bd-408b-9767-5472afe1caec
@migmartri migmartri force-pushed the 3155-referrer-discovery-version-filter branch from 92f57b3 to 1641767 Compare May 27, 2026 15:27
Development

Successfully merging this pull request may close these issues.

Extend referrer (discovery) API to filter by project name and project version

2 participants