
feat: resolve policy evaluations from CAS in workflow-run View API#2953

Open
migmartri wants to merge 1 commit into chainloop-dev:main from migmartri:2950-do-not-use-inline-policy-eval

Conversation

@migmartri
Member

Summary

  • WorkflowRunService.View() now resolves policy evaluations from the CAS-stored bundle (PolicyEvaluationsRef) instead of relying on inline attestation predicate data
  • Added PolicyEvaluationsFromBundle helper and exported RenderEvaluation in the renderer package
  • Results are cached with a 24h TTL using the existing cache.Cache[[]byte] infrastructure (NATS KV or in-memory LRU)
  • Graceful fallback to inline evaluations on any CAS resolution failure

Closes #2950

@migmartri requested review from javirln and jiparis, March 28, 2026 17:53
@migmartri force-pushed the 2950-do-not-use-inline-policy-eval branch from 7649a0c to be91cda, March 28, 2026 17:55

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 6 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.

<file name="app/controlplane/internal/service/workflowrun.go">

<violation number="1" location="app/controlplane/internal/service/workflowrun.go:102">
P1: Authorize policy-evaluation bundles before serving a cache hit. As written, a digest warmed by one org can be returned to another request without running the CAS org/public access check.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
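The access-control point in the bot's finding, shown as an added Go illustration that is not code from chainloop or from this PR. `FakeCAS`, `Bundle` and `Resolver` are constructed stand-ins; the 24h TTL and the NATS KV / LRU backend are left out because they change how long a cross-org read would last, not whether one exists.

```go
package main
import "errors"
// Constructed stand-ins for the CAS backend and the cache; not chainloop's own types.
type Bundle struct {
	OrgID  string
	Public bool
	Body   []byte
}
var ErrUnauthorized = errors.New("digest is neither public nor owned by the caller's org")
// FakeCAS maps digest -> bundle (constructed sample backend).
type FakeCAS struct{ Objects map[string]Bundle }

// Authorize is the org/public access check that the review asks to run before any cache hit.
func (c *FakeCAS) Authorize(orgID, digest string) error {
	b, ok := c.Objects[digest]
	if !ok {
		return errors.New("not found")
	}
	if !b.Public && b.OrgID != orgID {
		return ErrUnauthorized
	}
	return nil
}

// Resolver fronts the CAS with a digest-keyed cache of rendered evaluations.
// The 24h TTL is left out: it bounds how long a leak lasts, not whether one exists.
type Resolver struct {
	CAS     *FakeCAS
	Cache   map[string][]byte
	Fetches int // CAS reads, so a test can confirm the second call was a cache hit
}

// Resolve returns the evaluation bytes for digest on behalf of orgID.
// authorizeOnHit=false is the flagged pattern (a hit skips Authorize, so bytes warmed
// by one org are handed to any caller with the digest); true is the fix (check on every call).
func (r *Resolver) Resolve(orgID, digest string, authorizeOnHit bool) ([]byte, error) {
	if b, ok := r.Cache[digest]; ok && !authorizeOnHit {
		return b, nil // served without any ownership check
	}
	if err := r.CAS.Authorize(orgID, digest); err != nil {
		return nil, err
	}
	if b, ok := r.Cache[digest]; ok {
		return b, nil
	}
	r.Fetches++
	b := r.CAS.Objects[digest].Body
	r.Cache[digest] = b
	return b, nil
}
```

Keying the cache by digest alone is fine as long as the ownership check is not skipped on the hit path; the check is cheap relative to the CAS fetch it sits in front of.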

@migmartri force-pushed the 2950-do-not-use-inline-policy-eval branch from be91cda to 382dc2f, March 28, 2026 18:02
Update WorkflowRunService.View() to resolve policy evaluations from the
CAS-stored bundle (via PolicyEvaluationsRef) instead of relying solely on
inline attestation predicate data. This prepares consumers for the eventual
removal of inline policy evaluation content.

On any CAS resolution failure, gracefully falls back to inline evaluations
with a warning log.

Closes chainloop-dev#2950

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri force-pushed the 2950-do-not-use-inline-policy-eval branch from 382dc2f to ffc1981, March 28, 2026 18:12


Development

Successfully merging this pull request may close these issues.

Migrate policy evaluation consumers to read from CAS instead of inline predicate
