fix: workflow creation fails with "contract is scoped to a different project" for valid project-scoped contract #2753
Description
Bug
When creating a workflow using a contract that is correctly scoped to the target project, the command fails with an authorization error.
Steps to reproduce
chainloop wf contract describe --name deploy
# Shows: Scope = project/smart-docs-ai
chainloop wf create --name miguel-test --project smart-docs-ai --contract deploy
# ERR can't create the workflow: authorization error: contract "deploy" is scoped to a different project
Root cause
In app/controlplane/pkg/data/workflow.go, workflow creation upserts the project using a partial unique index (WHERE deleted_at IS NULL). If the project was previously soft-deleted, the upsert creates a new project with a different UUID. The contract still references the old project UUID, so the scope check at line 183 — which compares UUIDs directly — incorrectly rejects the operation even though the project name matches.
// This UUID comparison is fragile when a project is recreated
if existingContract.ScopedResourceID != uuid.Nil &&
existingContract.ScopedResourceID != projectID && // <-- stale UUID
existingContract.ScopedResourceType == biz.ContractScopeProject {
return biz.NewErrUnauthorizedStr(...)
}Fix
Replace the UUID comparison with a name-based check: look up the project that the contract is scoped to and compare its name against the target project name.