refactor(controlplane): make CAS source_internal resolution best-effort

[migmartri]

Summary

Follow-up to #3199.

Resolving whether a CAS credential should be flagged as internal platform traffic (source_internal) is now best-effort. The flag is set only when a system API token explicitly requests it. Any other caller requesting it is silently not flagged instead of being rejected with a Forbidden error.

This tolerates outdated systems whose token store does not yet mark their tokens as system: rather than failing the request, the credential is simply minted without the internal flag.

AI assistance

This change was developed with the assistance of Claude Code.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri

[chainloop-platform]

AI Session Analysis

Avg score	Sessions	Failing policies	Attribution	Files	Lines	Total Duration
🟢 91%	1	✅ 0	100% AI / 0% Human	2	+16 / -32	5m10s

🟢 91% — 100% AI — ✅ All policies passing

Jun 12, 2026 10:34 UTC · 5m10s · $3.76 · 56.0k in / 23.0k out · claude-code 2.1.175 (claude-opus-4-8)

View session details ↗

Change Summary

• Changes resolveSourceInternal to return true only for requested system tokens.
• Removes the forbidden-error path and falls back to false for other callers.
• Updates cascredential_test.go to cover the new best-effort behavior.

AI Session Overall Score

🟢 91% — Focused, well-verified fix; user-trust signal is absent because there was no reaction arc.

AI Session Analysis Breakdown

🟢 96% · scope-discipline

No notes.

🟢 92% · alignment

🟢 The landed diff cleanly matches the user's requested best-effort fallback. · High Impact

🟢 90% · solution-quality

No notes.

🟢 90% · verification

🟢 The AI updated the behavior test first and re-ran build plus targeted tests twice. · High Impact

🟢 85% · context-and-planning

🟢 The user supplied the behavior change and rationale up front, giving the AI a clear target. · High Impact

abstained · user-trust-signal

🟡 User-trust signal was not assessed because the session has only the opening user turn. · Low Severity

---

File Attribution

████████████████████ 100% AI / 0% Human

Status	Attribution	File	Lines
modified	ai	app/controlplane/internal/service/cascredential.go	+9 / -17
modified	ai	app/controlplane/internal/service/cascredential_test.go	+7 / -15

---

Policies (4)

Status	Policy	Material	Messages
✅ Passed	ai-config-ai-agents-allowed	ai-coding-session-873406	-
✅ Passed	ai-config-no-dangerous-commands	ai-coding-session-873406	-
✅ Passed	ai-config-no-secrets	ai-coding-session-873406	-
✅ Passed	ai-config-mcp-servers-allowed	ai-coding-session-873406	-

---

Powered by Chainloop and Chainloop Trace

[cubic-dev-ai]

No issues found across 2 files

_{Re-trigger cubic}