feat(cas): add managed flag

app/controlplane/api/controlplane/v1/response_messages.proto

@@ -407,6 +407,8 @@ message CASBackendItem {
   google.protobuf.Timestamp updated_at = 13;
   // Wether it's the fallback backend in the organization
   bool fallback = 14;
+  // Whether this backend is provisioned and operated by Chainloop using
+  bool is_managed = 15;
 
   message Limits {
     // Max number of bytes allowed to be stored in this backend

app/controlplane/internal/service/casbackend.go

@@ -203,6 +203,7 @@ func bizCASBackendToPb(in *biz.CASBackend) *pb.CASBackendItem {
 		Default:     in.Default,
 		Fallback:    in.Fallback,
 		IsInline:    in.Inline,
+		IsManaged:   in.Managed,
 	}
 
 	if in.Limits != nil {

app/controlplane/pkg/biz/casbackend.go

@@ -72,6 +72,8 @@ type CASBackend struct {
 	Inline bool
 	// It's a fallback backend, used when the default backend is unreachable
 	Fallback bool
+	// Managed indicates this backend is provisioned and operated by Chainloop
+	Managed bool
 
 	Limits *CASBackendLimits
 }
@@ -88,6 +90,7 @@ type CASBackendOpts struct {
 	Provider             CASBackendProvider
 	Default              *bool
 	Fallback             *bool
+	Managed              *bool
 	ValidationStatus     CASBackendValidationStatus
 	ValidationError      *string
 }
@@ -450,6 +453,11 @@ func (uc *CASBackendUseCase) Update(ctx context.Context, orgID, id string, descr
 		return nil, NewErrValidationStr("inline backends cannot have their max_bytes updated")
 	}
 
+	// Managed backends are owned and operated by Chainloop and cannot be modified by users.
+	if before.Managed {
+		return nil, NewErrValidationStr("managed CAS backends cannot be modified")
+	}
+
 	// Validate max_bytes if provided
 	if maxBytes != nil && *maxBytes < MinCASBackendMaxBytes {
 		return nil, NewErrValidationStr(fmt.Sprintf("max_bytes must be at least %s", bytefmt.ByteSize(uint64(MinCASBackendMaxBytes))))
@@ -612,6 +620,11 @@ func (uc *CASBackendUseCase) SoftDelete(ctx context.Context, orgID, id string) e
 		return NewErrValidation(errors.New("can't delete the inline CAS backend"))
 	}
 
+	// Prevent deletion of managed backends - they are owned and operated by Chainloop
+	if backend.Managed {
+		return NewErrValidation(errors.New("can't delete a managed CAS backend"))
+	}
+
 	if err := uc.repo.SoftDelete(ctx, backendUUID); err != nil {
 		return err
 	}

app/controlplane/pkg/data/casbackend.go

@@ -155,6 +155,7 @@ func (r *CASBackendRepo) Create(ctx context.Context, opts *biz.CASBackendCreateO
 			SetNillableFallback(opts.Fallback).
 			SetProvider(opts.Provider).
 			SetNillableDefault(opts.Default).
+			SetNillableManaged(opts.Managed).
 			SetSecretName(opts.SecretName).
 			SetMaxBlobSizeBytes(opts.MaxBytes).
 			Save(ctx)
@@ -404,6 +405,7 @@ func entCASBackendToBiz(backend *ent.CASBackend) *biz.CASBackend {
 		Inline:           backend.Provider == biz.CASBackendInline,
 		Limits:           limits,
 		Fallback:         backend.Fallback,
+		Managed:          backend.Managed,
 	}
 
 	if org := backend.Edges.Organization; org != nil {