feat(controlplane): allow system tokens to flag CAS credentials as internal#3199
Merged
Conversation
…ternal Add an opt-in source_internal field to CASCredentialsServiceGetRequest that marks the minted CAS token as internal platform traffic so the Artifact CAS skips audit event emission for it. The flag is only honored when the caller authenticates with a system API token; any other caller requesting it is rejected. Closes #3198 Assisted-by: Claude Code Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev> Chainloop-Trace-Sessions: a7b18cae-6c02-4a48-9f17-dd88f510e6f2
Contributor
AI Session AnalysisMissing AI Coding SessionsWe detected commits in this PR that were AI-assisted, but the matching Chainloop Trace session(s) could not be found in Chainloop. Please make sure the AI coding session evidence has been sent by the Chainloop CLI, or add the Learn more about Chainloop Trace. Powered by Chainloop and Chainloop Trace |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
jiparis
approved these changes
Jun 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an opt-in
source_internalfield toCASCredentialsServiceGetRequestso platform-side background processing can mark the CAS tokens it exchanges as internal traffic, suppressingCASArtifactUploaded/CASArtifactDownloadedaudit events for it.The flag is only honored when the caller authenticates with a system API token; any other caller requesting it is rejected with a forbidden error. User-token and regular API-token exchanges are unaffected and keep emitting transfer events. This implements the opt-in option from the linked issue, so sandbox and platform-generated uploads remain visible in transfer accounting unless explicitly flagged.
Closes #3198
AI disclosure: this contribution was produced with AI assistance (Claude Code).
🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri