Skip to content

feat(controlplane): add attestation bundle cache with layered resolution#3006

Merged
migmartri merged 2 commits into
chainloop-dev:mainfrom
migmartri:feat/attestation-bundle-cache
Apr 8, 2026
Merged

feat(controlplane): add attestation bundle cache with layered resolution#3006
migmartri merged 2 commits into
chainloop-dev:mainfrom
migmartri:feat/attestation-bundle-cache

Conversation

@migmartri

Copy link
Copy Markdown
Member

Summary

  • Add a NATS KV / in-memory cache for attestation bundles in the controlplane, following the same dual-backend pattern used by existing caches (JWT claims, memberships, policy evaluation bundles)
  • Update addAttestationFromBundle to resolve bundles via a 3-layer strategy: cache by digest → DB fallback → CAS download, caching on every successful resolution
  • Refactor NewWorkflowRunUseCase to accept an options struct, injecting the new cache alongside CASClient and CASMappingUseCase for the CAS download fallback

Closes #3003

Add a NATS KV / in-memory cache for attestation bundles in the
controlplane, consistent with the platform's caching strategy.

The bundle resolution in addAttestationFromBundle now follows a 3-layer
strategy: cache lookup by digest, DB fallback, and CAS download. This
prepares for eventually dropping the attestation/bundle DB columns.

Closes: chainloop-dev#3003

Signed-off-by: Miguel Martinez Trivino <migmartri@gmail.com>
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 7 files

@migmartri migmartri requested a review from a team April 8, 2026 12:49
@migmartri migmartri force-pushed the feat/attestation-bundle-cache branch 3 times, most recently from 22f9e21 to 270552e Compare April 8, 2026 15:39
Move AttestationBundleCache and policy eval bundle cache types into
their own packages (pkg/cache/attestationbundle and
pkg/cache/policyevalbundle) so they can be initialized outside of
the controlplane. Each package provides a Cache wrapper type, a New
constructor, and default constants for TTL, bucket name, and
description.

Signed-off-by: Miguel Martinez Trivino <migmartri@gmail.com>
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri force-pushed the feat/attestation-bundle-cache branch from 270552e to 403661f Compare April 8, 2026 15:44

@matiasinsaurralde matiasinsaurralde left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@migmartri migmartri merged commit 8f7b02d into chainloop-dev:main Apr 8, 2026
14 checks passed
@migmartri migmartri deleted the feat/attestation-bundle-cache branch April 8, 2026 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add NATS KV cache for attestation bundle resolution in controlplane

2 participants