chainloop-dev · jiparis · Nov 25, 2025 · Nov 21, 2025 · Nov 24, 2025 · Nov 24, 2025
diff --git a/app/cli/cmd/policy_develop_eval.go b/app/cli/cmd/policy_develop_eval.go
@@ -33,7 +33,6 @@ func newPolicyDevelopEvalCmd() *cobra.Command {
 		policyPath       string
 		inputs           []string
 		allowedHostnames []string
-		debug            bool
 	)
 
 	cmd := &cobra.Command{
@@ -53,7 +52,7 @@ evaluates the policy against the provided material or attestation.`,
 				PolicyPath:       policyPath,
 				Inputs:           parseKeyValue(inputs),
 				AllowedHostnames: allowedHostnames,
-				Debug:            debug,
+				Debug:            flagDebug,
 			}
 
 			policyEval, err := action.NewPolicyEval(opts, ActionOpts)
@@ -77,7 +76,6 @@ evaluates the policy against the provided material or attestation.`,
 	cmd.Flags().StringVarP(&policyPath, "policy", "p", "policy.yaml", "Policy reference (./my-policy.yaml, https://my-domain.com/my-policy.yaml, chainloop://my-stored-policy)")
 	cmd.Flags().StringArrayVar(&inputs, "input", []string{}, "Key-value pairs of policy inputs (key=value)")
 	cmd.Flags().StringSliceVar(&allowedHostnames, "allowed-hostnames", []string{}, "Additional hostnames allowed for http.send requests in policies")
-	cmd.Flags().BoolVarP(&debug, "debug", "", false, "Include detailed evaluation inputs/outputs in JSON output and enable verbose logging")
 
 	return cmd
 }

diff --git a/app/cli/documentation/cli-reference.mdx b/app/cli/documentation/cli-reference.mdx
@@ -2869,7 +2869,6 @@ Options
 ```
 --allowed-hostnames strings   Additional hostnames allowed for http.send requests in policies
 --annotation strings          Key-value pairs of material annotations (key=value)
---debug                       Include detailed evaluation inputs/outputs in JSON output and enable verbose logging
 -h, --help                        help for eval
 --input stringArray           Key-value pairs of policy inputs (key=value)
 --kind string                 Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
@@ -2885,6 +2884,7 @@ Options inherited from parent commands
 -c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
 --control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
 --control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
 -i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
 -n, --org string                organization name
 -o, --output string             Output format, valid options are json and table (default "table")

diff --git a/app/cli/internal/policydevel/eval.go b/app/cli/internal/policydevel/eval.go
@@ -120,7 +120,7 @@ func verifyMaterial(pol *v1.Policies, material *v12.Attestation_Material, materi
 	}
 
 	if len(policyEvs) == 0 || policyEvs[0] == nil {
-		return nil, fmt.Errorf("no execution branch matched for kind %s", material.MaterialType.String())
+		return nil, fmt.Errorf("no execution branch matched, or all of them were ignored, for kind %s", material.MaterialType.String())
 	}
 
 	// Only one evaluation expected for a single policy attachment