From d15e712c0c804e25b334e54e897d19e83c0027cc Mon Sep 17 00:00:00 2001
From: Tejaswi Nadahalli
Date: Tue, 24 Feb 2026 23:51:52 +0100
Subject: [PATCH 1/4] Add confidential-workflows capability proto

New capability proto at cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto following the confidential-http pattern: ConfidentialWorkflowRequest wraps SecretIdentifier list + WorkflowExecution (public data for the enclave).
---
 .../confidentialworkflow/v1alpha/client.proto | 47 ++++++++++++++++
 cre/go/installer/pkg/embedded_gen.go | 53 +++++++++++++++++++
 cre/go/sdk/sdk.pb.go | 2 +-
 cre/go/tools/generator/cre_metadata.pb.go | 2 +-
 cre/go/values/pb/values.pb.go | 2 +-
 5 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto

diff --git a/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto
new file mode 100644
index 00000000..0bc0b156
--- /dev/null
+++ b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto
@@ -0,0 +1,47 @@
+syntax = "proto3";
+
+package capabilities.compute.confidentialworkflow.v1alpha;
+
+import "tools/generator/v1alpha/cre_metadata.proto";
+
+message SecretIdentifier {
+ string key = 1;
+ string namespace = 2;
+ optional string owner = 3;
+}
+
+// WorkflowExecution is the public data sent to the enclave.
+// Becomes ComputeRequest.PublicData after proto serialization.
+message WorkflowExecution {
+ // workflow_id identifies the workflow to execute.
+ string workflow_id = 1;
+ // binary_url is the URL from which the enclave fetches the compiled WASM binary.
+ string binary_url = 2;
+ // binary_hash is the expected SHA-256 hash of the WASM binary, for integrity verification.
+ bytes binary_hash = 3;
+ // execute_request is a serialized sdk.v1alpha.ExecuteRequest proto.
+ // Contains either a subscribe request or a trigger execution request.
+ bytes execute_request = 4;
+}
+
+// ConfidentialWorkflowRequest is the input provided to the confidential workflows capability.
+// It combines a WorkflowExecution with secrets from VaultDON.
+message ConfidentialWorkflowRequest {
+ repeated SecretIdentifier vault_don_secrets = 1;
+ WorkflowExecution execution = 2;
+}
+
+// ConfidentialWorkflowResponse is the output from the confidential workflows capability.
+message ConfidentialWorkflowResponse {
+ // execution_result is a serialized sdk.v1alpha.ExecutionResult proto.
+ bytes execution_result = 1;
+}
+
+service Client {
+ option (tools.generator.v1alpha.capability) = {
+ mode: MODE_DON
+ capability_id: "confidential-workflows@1.0.0-alpha"
+ };
+
+ rpc Execute(ConfidentialWorkflowRequest) returns (ConfidentialWorkflowResponse);
+}
diff --git a/cre/go/installer/pkg/embedded_gen.go b/cre/go/installer/pkg/embedded_gen.go
index d20b63cf..1646b8df 100755
--- a/cre/go/installer/pkg/embedded_gen.go
+++ b/cre/go/installer/pkg/embedded_gen.go
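Review bot: `bytes binary_hash` in WorkflowExecution is described only as "the expected SHA-256 hash", which leaves the encoding (raw 32 bytes vs. hex/base64 text), the length check and the party that verifies it unspecified; an empty value is also indistinguishable from unset in proto3, so the comment should make the contract explicit, e.g. `// binary_hash is the raw 32-byte SHA-256 digest of the WASM binary at binary_url. The enclave must compare it before executing and reject on mismatch or when empty.` Since the message itself says it carries public data, that comment is also the place to state that the digest, not binary_url, is the integrity anchor for what runs in the enclave. SecretIdentifier's `key`, `namespace` and `owner` and both ConfidentialWorkflowRequest fields have no comments, so a caller cannot tell how a secret is scoped or whether `execution` may be omitted; a one-line leading comment on each would do. Carrying `execute_request` and `execution_result` as opaque `bytes` of named sdk.v1alpha types rather than importing those types is presumably deliberate (avoiding the sdk dependency), but that reason belongs in the comment so nobody "fixes" it later.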
@@ -753,6 +753,55 @@ service Client { } ` +const computeConfidentialworkflowV1alphaClientEmbedded = `syntax = "proto3"; + +package capabilities.compute.confidentialworkflow.v1alpha; + +import "tools/generator/v1alpha/cre_metadata.proto"; + +message SecretIdentifier { + string key = 1; + string namespace = 2; + optional string owner = 3; +} + +// WorkflowExecution is the public data sent to the enclave. +// Becomes ComputeRequest.PublicData after proto serialization. +message WorkflowExecution { + // workflow_id identifies the workflow to execute. + string workflow_id = 1; + // binary_url is the URL from which the enclave fetches the compiled WASM binary. + string binary_url = 2; + // binary_hash is the expected SHA-256 hash of the WASM binary, for integrity verification. + bytes binary_hash = 3; + // execute_request is a serialized sdk.v1alpha.ExecuteRequest proto. + // Contains either a subscribe request or a trigger execution request. + bytes execute_request = 4; +} + +// ConfidentialWorkflowRequest is the input provided to the confidential workflows capability. +// It combines a WorkflowExecution with secrets from VaultDON. +message ConfidentialWorkflowRequest { + repeated SecretIdentifier vault_don_secrets = 1; + WorkflowExecution execution = 2; +} + +// ConfidentialWorkflowResponse is the output from the confidential workflows capability. +message ConfidentialWorkflowResponse { + // execution_result is a serialized sdk.v1alpha.ExecutionResult proto. + bytes execution_result = 1; +} + +service Client { + option (tools.generator.v1alpha.capability) = { + mode: MODE_DON + capability_id: "confidential-workflows@1.0.0-alpha" + }; + + rpc Execute(ConfidentialWorkflowRequest) returns (ConfidentialWorkflowResponse); +} +` + const internalActionandtriggerV1ActionAndTriggerEmbedded = `syntax = "proto3"; package capabilities.internal.actionandtrigger.v1; 
@@ -1603,6 +1652,10 @@ var allFiles = []*embeddedFile{ name: "capabilities/blockchain/solana/v1alpha/client.proto", content: blockchainSolanaV1alphaClientEmbedded, }, + { + name: "capabilities/compute/confidentialworkflow/v1alpha/client.proto", + content: computeConfidentialworkflowV1alphaClientEmbedded, + }, { name: "capabilities/internal/actionandtrigger/v1/action_and_trigger.proto", content: internalActionandtriggerV1ActionAndTriggerEmbedded, diff --git a/cre/go/sdk/sdk.pb.go b/cre/go/sdk/sdk.pb.go index 3ab84306..a5fc1326 100644 --- a/cre/go/sdk/sdk.pb.go +++ b/cre/go/sdk/sdk.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 +// protoc-gen-go v1.36.11 // protoc v5.29.3 // source: sdk/v1alpha/sdk.proto diff --git a/cre/go/tools/generator/cre_metadata.pb.go b/cre/go/tools/generator/cre_metadata.pb.go index 7026ea3f..c13018c4 100644 --- a/cre/go/tools/generator/cre_metadata.pb.go +++ b/cre/go/tools/generator/cre_metadata.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 +// protoc-gen-go v1.36.11 // protoc v5.29.3 // source: tools/generator/v1alpha/cre_metadata.proto diff --git a/cre/go/values/pb/values.pb.go b/cre/go/values/pb/values.pb.go index 743cba4c..7e8fcb1e 100644 --- a/cre/go/values/pb/values.pb.go +++ b/cre/go/values/pb/values.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 +// protoc-gen-go v1.36.11 // protoc v5.29.3 // source: values/v1/values.proto From 32095df0b2866be0441743dcdb678a5f209b1280 Mon Sep 17 00:00:00 2001 
From: "app-token-issuer-engops[bot]" <144731339+app-token-issuer-engops[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 22:57:22 +0000 Subject: [PATCH 2/4] Auto-fix: buf format, gofmt, go generate, go mod tidy --- cre/go/sdk/sdk.pb.go | 2 +- cre/go/tools/generator/cre_metadata.pb.go | 2 +- cre/go/values/pb/values.pb.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cre/go/sdk/sdk.pb.go b/cre/go/sdk/sdk.pb.go index a5fc1326..3ab84306 100644 --- a/cre/go/sdk/sdk.pb.go +++ b/cre/go/sdk/sdk.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.11 +// protoc-gen-go v1.36.6 // protoc v5.29.3 // source: sdk/v1alpha/sdk.proto diff --git a/cre/go/tools/generator/cre_metadata.pb.go b/cre/go/tools/generator/cre_metadata.pb.go index c13018c4..7026ea3f 100644 --- a/cre/go/tools/generator/cre_metadata.pb.go +++ b/cre/go/tools/generator/cre_metadata.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.11 +// protoc-gen-go v1.36.6 // protoc v5.29.3 // source: tools/generator/v1alpha/cre_metadata.proto diff --git a/cre/go/values/pb/values.pb.go b/cre/go/values/pb/values.pb.go index 7e8fcb1e..743cba4c 100644 --- a/cre/go/values/pb/values.pb.go +++ b/cre/go/values/pb/values.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.11 +// protoc-gen-go v1.36.6 // protoc v5.29.3 // source: values/v1/values.proto From 2fedc0c568948401fdec0fbcebb38bb5e12d4619 Mon Sep 17 00:00:00 2001 From: Tejaswi Nadahalli Date: Wed, 25 Feb 2026 00:14:58 +0100 Subject: [PATCH 3/4] Make SecretIdentifier.namespace optional, default to "main" --- .../compute/confidentialworkflow/v1alpha/client.proto | 3 ++- cre/go/installer/pkg/embedded_gen.go | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto index 0bc0b156..aece07c7 100644 --- a/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto +++ b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto @@ -6,7 +6,8 @@ import "tools/generator/v1alpha/cre_metadata.proto"; message SecretIdentifier { string key = 1; - string namespace = 2; + // namespace defaults to "main" when unset. + optional string namespace = 2; optional string owner = 3; } diff --git a/cre/go/installer/pkg/embedded_gen.go b/cre/go/installer/pkg/embedded_gen.go index 1646b8df..a704cd85 100755 --- a/cre/go/installer/pkg/embedded_gen.go +++ b/cre/go/installer/pkg/embedded_gen.go @@ -761,7 +761,8 @@ import "tools/generator/v1alpha/cre_metadata.proto"; message SecretIdentifier { string key = 1; - string namespace = 2; + // namespace defaults to "main" when unset. + optional string namespace = 2; optional string owner = 3; } From 3cd9870b671e13ecc9072e0849363f197f3d486f Mon Sep 17 00:00:00 2001 From: Tejaswi Nadahalli Date: Wed, 25 Feb 2026 20:58:20 +0100 Subject: [PATCH 4/4] Remove owner field from SecretIdentifier --- .../compute/confidentialworkflow/v1alpha/client.proto | 1 - cre/go/installer/pkg/embedded_gen.go | 1 - 2 files changed, 2 deletions(-) diff --git a/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto index aece07c7..fe43fab6 100644 --- a/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto +++ b/cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto @@ -8,7 +8,6 @@ message SecretIdentifier { string key = 1; // namespace defaults to "main" when unset. optional string namespace = 2; - optional string owner = 3; } // WorkflowExecution is the public data sent to the enclave. 
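Review bot: The new comment on `namespace` in SecretIdentifier promises a default of "main", but proto3 `optional` only adds presence tracking; nothing in the schema substitutes the value, so the comment should say which side applies it, e.g. `// namespace scopes the secret in VaultDON; when unset the capability resolves it as "main".` Changing `string` to `optional string` on field 2 is wire-compatible, so no reservation or renumbering is needed. The identical edit is applied by hand to the embedded copy in cre/go/installer/pkg/embedded_gen.go in the same patch; if that file is produced by `go generate` (patch 2's subject suggests an auto-fix step exists), regenerating rather than hand-editing keeps the two copies from drifting.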
diff --git a/cre/go/installer/pkg/embedded_gen.go b/cre/go/installer/pkg/embedded_gen.go index a704cd85..eac22b9e 100755 --- a/cre/go/installer/pkg/embedded_gen.go +++ b/cre/go/installer/pkg/embedded_gen.go @@ -763,7 +763,6 @@ message SecretIdentifier { string key = 1; // namespace defaults to "main" when unset. optional string namespace = 2; - optional string owner = 3; } // WorkflowExecution is the public data sent to the enclave.