Skip to content

Allow pre-hook for restrictions on capability calls and secrets#411

Merged
nolag merged 37 commits into
capabilities-developmentfrom
rtinianov_teeAndRestrictions
Jun 22, 2026
Merged

Allow pre-hook for restrictions on capability calls and secrets#411
nolag merged 37 commits into
capabilities-developmentfrom
rtinianov_teeAndRestrictions

Conversation

@nolag

@nolag nolag commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

No description provided.

amit-momin and others added 30 commits March 4, 2026 11:18
@amit-momin @app-token-issuer-engops
Add Pharos Atlantic support (#306)
4962d40 
* Added Pharos Atlantic support

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@cawthorne @app-token-issuer-engops
aptos proto: add ledger_version to ViewRequest (#310)
ecda729 
* aptos proto: add ledger_version to ViewRequest

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@amit-momin @app-token-issuer-engops
Add xlayer, megaeth, cronos, mantle, tac, unichain, scroll, sonic tes…
49d3e11 
…tnet support (#308)

* Added xlayer megaeth cronos mantle tac unichain scroll sonic support

* Auto-fix: buf format, gofmt, go generate, go mod tidy

* Added celo sepolia

* Auto-fix: buf format, gofmt, go generate, go mod tidy

* Added gnosis chiado

* Auto-fix: buf format, gofmt, go generate, go mod tidy

* Removed celo sepolia

* Auto-fix: buf format, gofmt, go generate, go mod tidy

* Removed gnosis chiado

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@amit-momin @app-token-issuer-engops
Add andesite chain (#313)
ca9c257 
* Added andesite chain

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@amit-momin @app-token-issuer-engops
Add new mainnet chains to client proto (#315)
5662168 
* Added new mainnet chains to client proto

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@yashnevatia @app-token-issuer-engops
Remove aptos (moved to capabilities-development branch) (#316)
1124ff8 
* remove aptos

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@nadahalli
Add owner and execution_id to WorkflowExecution proto (#317)
93a6faf 
Adds workflow-level context to the app-specific proto rather than
the generic ComputeRequest type, per vreff's feedback on CC PR #277.
The enclave app reads these from the deserialized WorkflowExecution
for runtime secret fetching from VaultDON via the relay DON.
@vreff
Add Privacy as codeowners of protos embedded gen files (#318)
4cecf73
@gheorghestrimtu
feat: add NodeBuildInfo proto and register it in chip schemas (#320)
b5808c9
@yashnevatia
Revert "Remove aptos (moved to capabilities-development branch) (#316)…
ad04ed6 
…" (#321)

This reverts commit 1124ff8.
@amit-momin @app-token-issuer-engops
Add hyperliquid mainnet to client proto (#322)
ba0bee7 
* Added hyperliquid mainnet to client proto

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@amit-momin @app-token-issuer-engops
Add gnosis chiado to client proto (#324)
314ec8d 
* Added gnosis chiado to client proto

* Auto-fix: buf format, gofmt, go generate, go mod tidy

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@karen-stepanyan @app-token-issuer-engops
add WorkflowUserMetric (#319)
faea187 
* add WorkflowUserMetric

* fix metric suffix

* bot: regenerate protobuf files

* add USER_METRIC_TYPE_UNSPECIFIED

* bot: regenerate protobuf files

* update WorkflowUserMetric value to double

* drop histogram support

* bot: regenerate protobuf files

---------

Co-authored-by: app-token-issuer-engops[bot] <144731339+app-token-issuer-engops[bot]@users.noreply.github.com>
@yashnevatia
Revert "Revert "Remove aptos (moved to capabilities-development branc…
e0fb416 
…h) (#316…" (#331)

This reverts commit ad04ed6.
@amit-momin
Add capability-development branch protection CI (#327)
93f52c3 
* Add capability-development branch protection ci

* Upgraded checkout action to major version tag

* Updated validation to only occur when target branch is main

* Addressed feedback
@karen-stepanyan
beholder: publish workflows/v2/workflow_user_metric (#333)
bd561fb 
* beholder: publish workflows/v2/workflow_user_metric.proto

* remove entry from deprecated files
@mchain0
cre-1835: steady and transition indicators (#334)
f08a616
@nolag
Add TEE metadata to http capabilities
e2dad57
@nolag
Merge branch 'capabilities-development' into rtinianov_tee
3e8d88d
@nolag
Add regions to TEE
2c8da85
@nolag
Use additional_environments instead of boolean for tees
c2ff1c3
@nolag
Put requirements in the trigger, since init needs to run with the tri…
3b32049 
…gger, subscriptions need to be outside the TEE
@nolag
Allow restriction pre-hook to CRE
7123431
@nolag
Add a hook to verify the regions in a TEE. It's not a trigger because…
a1ec54d 
… that would stream results
@nolag
Use exec request directly and accept the Tee requirements
06c6d21
@nolag
Take all requirements
474ca53
@nolag
Return list of TEEs instead of regions
5806971
@nolag
Add unspecified tee type
7061fbf
@app-token-issuer-engops
Auto-fix: buf format, gofmt, go generate, go mod tidy
95fa2df
@nolag
Merge branch 'rtinianov_tee' into rtinianov_teeAndRestrictions
ddbdbbe
@nolag nolag requested review from a team as code owners June 22, 2026 13:46
@changeset-bot

changeset-bot Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: ce294bd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions

github-actions Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

The latest Buf updates on your PR. Results from workflow Regenerate Protobuf Files / buf (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed✅ passed✅ passed⏩ skippedJun 22, 2026, 3:15 PM

@nolag nolag enabled auto-merge (squash) June 22, 2026 13:51
russell-stern
russell-stern previously approved these changes Jun 22, 2026
View reviewed changes
Comment thread cre/sdk/v1alpha/sdk.proto
}

message SecretPrefixRestriction {
string prefix = 1;

@russell-stern russell-stern Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any use cases where prefix is a better restriction than namespace? The Vault lets you define as many namespaces as you want so it might simplify things if we only restrict on namespace

@nolag nolag Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The prefix has namespace in it. If you want to allow the whole namespace you can use the empty prefix.

IIUC, namespaces can restrict which workflows/owners can access a secret (or at least can in future). This is more locked down, as it's per execution. Essentially, the vault can say "Don't let the workflow/owner access anything outside these namespace" and the execution can then say "for this run, only these secrets.

Depending on how people group namespaces, they could make a lot of them and achieve the same but it might be harder to track.

Eg: Namespace 1 is for workflows 1, 2, and 3. Within that, when running a workflow triggered by user X, I can only get keys for user X (prefixed with USER_X_) or groups they belong to (GROUP_Y_ prefix).

@nolag nolag force-pushed the rtinianov_teeAndRestrictions branch from e4cc86d to e31af15 Compare June 22, 2026 15:07
@nolag nolag requested a review from russell-stern June 22, 2026 15:10
@nolag nolag force-pushed the rtinianov_teeAndRestrictions branch from 7f2423c to 0d91d7e Compare June 22, 2026 15:13
@nolag nolag merged commit c8e1293 into capabilities-development Jun 22, 2026
11 checks passed
@nolag nolag deleted the rtinianov_teeAndRestrictions branch June 22, 2026 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vreff vreff vreff approved these changes

@russell-stern russell-stern russell-stern approved these changes

@ChrisAmora ChrisAmora Awaiting requested review from ChrisAmora

@Krish-vemula Krish-vemula Awaiting requested review from Krish-vemula

@vyzaldysanchez vyzaldysanchez Awaiting requested review from vyzaldysanchez

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@nolag @vreff @russell-stern @amit-momin @cawthorne @yashnevatia @nadahalli @gheorghestrimtu @karen-stepanyan @mchain0