feat(policies): allow disabling gating restrictions for specific policies #2769

@migmartri

Description

Problem

Currently, policy gating (control gates) can be configured at two levels:

  1. Organization-wide: Enable enforcement globally via chainloop org update --name <org> --block
  2. Per-policy opt-in: Enable gating on individual policies in a contract with gate: true

```yaml
policies:
  attestation:
    - ref: my-policy
      gate: true  # opt-in to gating
```

However, there is no way to disable gating for a specific policy when organization-wide enforcement is enabled. If you turn on --block at the org level, all policy violations become blocking — you cannot exempt individual policies.

Proposed Solution

Allow gate: false in contract policy definitions to explicitly disable gating for specific policies, even when organization-wide enforcement is active.

```yaml
policies:
  attestation:
    - ref: critical-security-policy
      # inherits org-wide gating (blocking)
    - ref: informational-lint-policy
      gate: false  # explicitly non-blocking, overrides org default
```

This would enable a "default-on, opt-out per policy" model — the inverse of the current "default-off, opt-in per policy" approach.
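As an added illustration of the resolution rule proposed above (this is not code from the chainloop project), a small Go model of how an effective gate would be computed: the contract entries and violations are constructed, and Gate is a *bool so that an absent key (inherit the org default) can be distinguished from an explicit gate: false (opt out).

```go
package main

import "fmt"

// PolicyRef models one entry under policies.attestation in a contract. Gate is
// a pointer so an absent key (inherit) differs from an explicit gate: false.
type PolicyRef struct {
	Ref  string
	Gate *bool
}

// Violation is a constructed evaluation result: which policy failed and why.
type Violation struct {
	Policy, Message string
}

// EffectiveGate resolves the proposed semantics: an explicit gate value in the
// contract always wins; an unset gate inherits the org-wide --block flag.
func EffectiveGate(orgBlock bool, p PolicyRef) bool {
	if p.Gate != nil {
		return *p.Gate
	}
	return orgBlock
}

// Partition splits violations into those that must block the attestation and
// those reported as advisory; policies absent from the contract inherit orgBlock.
func Partition(orgBlock bool, policies []PolicyRef, vs []Violation) (blocking, advisory []Violation) {
	gates := map[string]bool{}
	for _, p := range policies {
		gates[p.Ref] = EffectiveGate(orgBlock, p)
	}
	for _, v := range vs {
		if gate, known := gates[v.Policy]; (known && gate) || (!known && orgBlock) {
			blocking = append(blocking, v)
		} else {
			advisory = append(advisory, v)
		}
	}
	return blocking, advisory
}

func main() {
	no := false // the contract from the proposal: first inherits, second opts out
	contract := []PolicyRef{{Ref: "critical-security-policy"}, {Ref: "informational-lint-policy", Gate: &no}}
	vs := []Violation{{"critical-security-policy", "unsigned image"}, {"informational-lint-policy", "no description"}}
	b, a := Partition(true, contract, vs) // org-wide --block enabled
	fmt.Printf("blocking=%v advisory=%v\n", b, a)
}
```

With --block enabled, only the critical-security-policy violation lands in the blocking set; with it disabled and no explicit gate: true, everything is advisory, which is the current opt-in behaviour.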

Use Case

Organizations that want strict enforcement by default but need to:

  • Roll out new experimental policies in a non-blocking/advisory mode
  • Keep informational or low-severity policies as warnings without blocking pipelines
  • Gradually migrate policies from advisory to enforced without toggling the org-wide setting