Policy evaluation fails on older CLIs when policies use newer custom builtins #2979
Description
Problem
When a Rego policy uses a custom builtin function (e.g. chainloop.vulnerability) that was introduced in a newer CLI version, older CLI clients fail with a hard error during attestation:
ERR adding material: error applying policy groups to material: failed to execute policy: failed to evaluate policy: 1 error occurred: vulnerabilities:115: rego_type_error: undefined function chainloop.vulnerability
OPA performs static type checking at compile time. If a builtin isn't registered in the client's engine, the entire policy is rejected before evaluation — there's no way to catch or guard against this in Rego.
This means any policy updated to use a new builtin becomes incompatible with all older CLI versions.
Proposed fix
Graceful degradation: In executeScript (pkg/policies/policies.go), catch rego_type_error: undefined function errors and degrade the policy to skipped with a reason instead of hard-failing the attestation. This uses the existing skipped/skip_reasons proto fields. This will not fix existing CLIs but will help moving forward.
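The degradation path described above, as an added illustration that is not Chainloop's own code: `executeScript`, `PolicyResult` and its `Skipped`/`SkipReasons` fields are hypothetical stand-ins for the real function and proto message, `fakeEngine` is a constructed substitute for OPA's compiler that rejects unknown `chainloop.*` builtins with an error shaped like the one in the report, and `samplePolicy` is a constructed policy whose call to `chainloop.vulnerability` is illustrative, not the real signature. Only an "undefined function" type error is degraded to skipped; any other compile or eval error still fails the attestation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PolicyResult is a hypothetical stand-in for the proto message; only the
// skipped/skip_reasons fields matter for this example.
type PolicyResult struct {
	Violations  []string
	Skipped     bool
	SkipReasons []string
}

// undefinedFnRe matches OPA's compile-time type error for an unregistered builtin,
// e.g. "vulnerabilities:115: rego_type_error: undefined function chainloop.vulnerability".
var undefinedFnRe = regexp.MustCompile(`rego_type_error: undefined function ([A-Za-z0-9_.]+)`)

// missingBuiltins returns the builtins an error reports as undefined, deduplicated.
// It matches on the error text because this example does not link OPA; against the
// real library, type-asserting to ast.Errors and checking each entry's Code is sturdier.
func missingBuiltins(err error) []string {
	if err == nil {
		return nil
	}
	seen := map[string]bool{}
	var out []string
	for _, m := range undefinedFnRe.FindAllStringSubmatch(err.Error(), -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

// evalFn is the evaluation step executeScript wraps (hypothetical abstraction).
type evalFn func(policy string) ([]string, error)

// executeScript degrades an "undefined function" type error to a skipped result with
// one reason per missing builtin; every other error is still a hard failure.
func executeScript(name, policy string, eval evalFn) (PolicyResult, error) {
	var res PolicyResult
	violations, err := eval(policy)
	if err == nil {
		res.Violations = violations
		return res, nil
	}
	missing := missingBuiltins(err)
	if len(missing) == 0 {
		return res, fmt.Errorf("failed to evaluate policy %q: %w", name, err)
	}
	res.Skipped = true
	for _, fn := range missing {
		res.SkipReasons = append(res.SkipReasons,
			fmt.Sprintf("builtin %s is not available in this client; upgrade the CLI to evaluate this policy", fn))
	}
	return res, nil
}

// builtinRefRe finds chainloop.* builtin references in a policy body.
var builtinRefRe = regexp.MustCompile(`\bchainloop\.[A-Za-z0-9_]+`)

// fakeEngine is a constructed stand-in for OPA's compile step: with a registry of
// known builtins, any unknown chainloop.* reference is rejected before evaluation,
// with the same error shape the issue quotes.
func fakeEngine(known map[string]bool) evalFn {
	return func(policy string) ([]string, error) {
		for _, ref := range builtinRefRe.FindAllString(policy, -1) {
			if !known[ref] {
				return nil, fmt.Errorf("1 error occurred: vulnerabilities:115: rego_type_error: undefined function %s", ref)
			}
		}
		return []string{}, nil // constructed engine: compiles, reports no violations
	}
}

// samplePolicy is a constructed policy using a newer builtin; the call is illustrative.
const samplePolicy = `package vulnerabilities

violations[msg] {
    v := chainloop.vulnerability(input)
    msg := sprintf("found %v", [v])
}`

func main() {
	old := fakeEngine(map[string]bool{})
	res, err := executeScript("vulnerabilities", samplePolicy, old)
	fmt.Printf("old client: err=%v skipped=%v reasons=%s\n", err, res.Skipped, strings.Join(res.SkipReasons, "; "))
	newer := fakeEngine(map[string]bool{"chainloop.vulnerability": true})
	res, err = executeScript("vulnerabilities", samplePolicy, newer)
	fmt.Printf("new client: err=%v skipped=%v violations=%d\n", err, res.Skipped, len(res.Violations))
}
```

Two things a practitioner would want around this: whatever consumes the attestation must render a skipped policy as "not evaluated", never as passed, since on an old client the control simply did not run; and, as the report itself notes, clients already in the field keep hard-failing, so the skip reason should tell the operator which CLI version to move to.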