diff --git a/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto
new file mode 100644
index 0000000..fe43fab
--- /dev/null
+++ b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto
@@ -0,0 +1,47 @@
+syntax = "proto3";
+
+package capabilities.compute.confidentialworkflow.v1alpha;
+
+import "tools/generator/v1alpha/cre_metadata.proto";
+
+message SecretIdentifier {
+ string key = 1;
+ // namespace defaults to "main" when unset.
+ optional string namespace = 2;
+}
+
+// WorkflowExecution is the public data sent to the enclave.
+// Becomes ComputeRequest.PublicData after proto serialization.
+message WorkflowExecution {
+ // workflow_id identifies the workflow to execute.
+ string workflow_id = 1;
+ // binary_url is the URL from which the enclave fetches the compiled WASM binary.
+ string binary_url = 2;
+ // binary_hash is the expected SHA-256 hash of the WASM binary, for integrity verification.
+ bytes binary_hash = 3;
+ // execute_request is a serialized sdk.v1alpha.ExecuteRequest proto.
+ // Contains either a subscribe request or a trigger execution request.
+ bytes execute_request = 4;
+}
+
+// ConfidentialWorkflowRequest is the input provided to the confidential workflows capability.
+// It combines a WorkflowExecution with secrets from VaultDON.
+message ConfidentialWorkflowRequest {
+ repeated SecretIdentifier vault_don_secrets = 1;
+ WorkflowExecution execution = 2;
+}
+
+// ConfidentialWorkflowResponse is the output from the confidential workflows capability.
+message ConfidentialWorkflowResponse {
+ // execution_result is a serialized sdk.v1alpha.ExecutionResult proto.
+ bytes execution_result = 1;
+}
+
+service Client {
+ option (tools.generator.v1alpha.capability) = {
+ mode: MODE_DON
+ capability_id: "confidential-workflows@1.0.0-alpha"
+ };
+
+ rpc Execute(ConfidentialWorkflowRequest) returns (ConfidentialWorkflowResponse);
+}
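Review bot: `binary_hash` (field 3 of `WorkflowExecution`) is a plain proto3 `bytes` field, so a request that omits it decodes to an empty value, and the comment does not say what the enclave must do with an empty or wrong-length digest. Because this hash is the only thing in the message that pins the code fetched from the caller-supplied `binary_url`, the contract should be stated on the field, for example `// binary_hash is the SHA-256 digest (exactly 32 bytes) of the WASM binary; the enclave MUST reject the request if it is empty, has another length, or does not match the fetched bytes.` Whether the enclave already enforces this is not visible in this diff. `SecretIdentifier` and `vault_don_secrets` have no comments at all; a line saying which component resolves the identifiers and applies the `"main"` default would help readers of the generated clients. The same text is embedded in `embedded_gen.go`, so the comment change belongs in this file followed by regeneration.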
diff --git a/cre/go/installer/pkg/embedded_gen.go b/cre/go/installer/pkg/embedded_gen.go
index d20b63c..eac22b9 100755
--- a/cre/go/installer/pkg/embedded_gen.go
+++ b/cre/go/installer/pkg/embedded_gen.go
@@ -753,6 +753,55 @@ service Client { } ` +const computeConfidentialworkflowV1alphaClientEmbedded = `syntax = "proto3"; + +package capabilities.compute.confidentialworkflow.v1alpha; + +import "tools/generator/v1alpha/cre_metadata.proto"; + +message SecretIdentifier { + string key = 1; + // namespace defaults to "main" when unset. + optional string namespace = 2; +} + +// WorkflowExecution is the public data sent to the enclave. +// Becomes ComputeRequest.PublicData after proto serialization. +message WorkflowExecution { + // workflow_id identifies the workflow to execute. + string workflow_id = 1; + // binary_url is the URL from which the enclave fetches the compiled WASM binary. + string binary_url = 2; + // binary_hash is the expected SHA-256 hash of the WASM binary, for integrity verification. + bytes binary_hash = 3; + // execute_request is a serialized sdk.v1alpha.ExecuteRequest proto. + // Contains either a subscribe request or a trigger execution request. + bytes execute_request = 4; +} + +// ConfidentialWorkflowRequest is the input provided to the confidential workflows capability. +// It combines a WorkflowExecution with secrets from VaultDON. +message ConfidentialWorkflowRequest { + repeated SecretIdentifier vault_don_secrets = 1; + WorkflowExecution execution = 2; +} + +// ConfidentialWorkflowResponse is the output from the confidential workflows capability. +message ConfidentialWorkflowResponse { + // execution_result is a serialized sdk.v1alpha.ExecutionResult proto. + bytes execution_result = 1; +} + +service Client { + option (tools.generator.v1alpha.capability) = { + mode: MODE_DON + capability_id: "confidential-workflows@1.0.0-alpha" + }; + + rpc Execute(ConfidentialWorkflowRequest) returns (ConfidentialWorkflowResponse); +} +` + const internalActionandtriggerV1ActionAndTriggerEmbedded = `syntax = "proto3"; package capabilities.internal.actionandtrigger.v1; 
@@ -1603,6 +1652,10 @@ var allFiles = []*embeddedFile{ name: "capabilities/blockchain/solana/v1alpha/client.proto", content: blockchainSolanaV1alphaClientEmbedded, }, + { + name: "capabilities/compute/confidentialworkflow/v1alpha/client.proto", + content: computeConfidentialworkflowV1alphaClientEmbedded, + }, { name: "capabilities/internal/actionandtrigger/v1/action_and_trigger.proto", content: internalActionandtriggerV1ActionAndTriggerEmbedded,