perf(crafter): avoid redundant SHA256 pass on every CAS upload

[matiasinsaurralde]

Summary

When uploading a material to a CAS backend, the file's SHA256 was being computed twice and the file opened three times:

1. fileStats opens the file, computes SHA256, rewinds — producing an *os.File that the caller holds.
2. uploadAndCraft then called Uploader.UploadFile, which re-opened the file, recomputed SHA256, rewound, then streamed it.

The reader from step 1 was already in the right state to be streamed. This change calls Uploader.Upload with that reader and the digest already produced by fileStats, eliminating the redundant open + hash pass while leaving the CAS protocol and on-the-wire bytes unchanged.

Per material, local work drops from 3 reads + 2 SHA256 passes to 2 reads + 1 SHA256 pass. Savings scale linearly with material size.

Also closes a file-handle leak in fileStats when SHA256 or Seek returns an error.

Uploader.UploadFile is retained — the CLI's artifact upload command still uses it.

[chainloop-platform]

AI Session Analysis

Avg score	Sessions	Failing policies	Attribution	Files	Lines	Total Duration
🟢 87%	1	✅ 0	4% AI / 96% Human	26	+76 / -49	39m24s

🟢 87% — 4% AI — ✅ All policies passing

May 21, 2026 01:44 UTC · 39m24s · $11.55 · 181 in / 112.5k out · claude-code 2.1.145 (claude-opus-4-7)

View session details ↗

Change Summary

• Fixes redundant SHA256 hashing in materials.go by reusing the already-computed digest
• Updates 25+ test call-sites to match the new function signature
• Fixes a file-handle leak on error paths in fileStats
• Updates broken documentation links and adds a pre-change analysis document
• Adds mandatory license headers to all touched files per repo policy

AI Session Overall Score

🟢 87% — Strong, well-verified refactor; only gap is absent upfront planning for bulk edits.

AI Session Analysis Breakdown

🟢 92% · alignment

🟢 AI followed all three user requests exactly: fix links, produce analysis doc, implement with tests. · High Impact

🟢 92% · solution-quality

🟢 AI traced redundant SHA256 hashing to root cause and fixed it by reusing already-computed digest. · High Impact

🟢 90% · scope-discipline

No notes.

🟢 88% · user-trust-signal

No notes.

🟢 88% · verification

🟢 AI ran go test on affected packages four times, all passing, including post-license-edit re-run. · High Impact

🟡 No new test cases added; only existing mock call signatures updated to match new interface. · Low Severity

🟡 62% · context-and-planning

🟠 No written plan or TODO produced before bulk-editing 25+ test files and core logic. · Medium Severity

💡 Produce a step-by-step plan before bulk edits so scope and sequencing are explicit.

🟠 Implementation request lacked upfront constraints on test strategy or rollback approach. · Medium Severity

💡 Include test scope and rollback expectations when requesting multi-file refactors.

---

File Attribution

░░░░░░░░░░░░░░░░░░░░ 4% AI / 96% Human

Status	Attribution	File	Lines
modified	human	pkg/attestation/crafter/materials/ghas_test.go	+5 / -4
modified	human	pkg/attestation/crafter/materials/cyclonedxjson_test.go	+4 / -3
modified	human	pkg/attestation/crafter/materials/openapi_test.go	+4 / -3
modified	human	pkg/attestation/crafter/materials/sarif_test.go	+4 / -3
modified	ai	pkg/attestation/crafter/materials/materials.go	+5 / -1
modified	human	pkg/attestation/crafter/crafter_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/asyncapi_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/blackduck_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/evidence_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/gitlab_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/helmchart_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/jacoco_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/junit_xml_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/openvex_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/runnercontext_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/twistcli_scan_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/zap_test.go	+3 / -2
modified	human	pkg/attestation/crafter/materials/attestation_test.go	+2 / -2
modified	human	pkg/attestation/crafter/materials/slsaprovenance_test.go	+2 / -2
modified	human	pkg/attestation/crafter/materials/artifact_test.go	+2 / -1
modified	human	pkg/attestation/crafter/materials/chainloop_ai_agent_config_test.go	+2 / -1
modified	human	pkg/attestation/crafter/materials/chainloop_ai_coding_session_test.go	+2 / -1
modified	human	pkg/attestation/crafter/materials/csaf_test.go	+2 / -1
modified	human	pkg/attestation/crafter/materials/gitleaks_test.go	+2 / -1
modified	human	pkg/attestation/crafter/materials/graphql_test.go	+2 / -1

…and 1 more file(s).

---

Policies (4)

Status	Policy	Material	Messages
✅ Passed	ai-config-ai-agents-allowed	ai-coding-session-70c6c7	-
✅ Passed	ai-config-no-dangerous-commands	ai-coding-session-70c6c7	-
✅ Passed	ai-config-no-secrets	ai-coding-session-70c6c7	-
✅ Passed	ai-config-mcp-servers-allowed	ai-coding-session-70c6c7	-

---

Powered by Chainloop and Chainloop Trace

[cubic-dev-ai]

No issues found across 26 files

_{Re-trigger cubic}