Confidential relay types, WorkflowExecution proto fields, and package move #1903

Open
nadahalli wants to merge 5 commits into main from tejaswi/relay-secrets-params

@nadahalli nadahalli commented Mar 17, 2026

Summary

  • Adds WorkflowOwner and WorkflowExecutionID to SecretsRequestParams. The relay DON handler needs these to build a valid vault secrets.get request (owner matching and execution ID validation).
  • Removes MasterPublicKey and Threshold from SecretsResponseResult. The enclave has both from its own config (EnclaveConfig.MasterPublicKey and EnclaveConfig.T, populated from on-chain DON config after DKG). The relay handler is a pass-through for encrypted shares only.
  • Bumps chainlink-protos (cre/go/v1alpha.23) and regenerates WorkflowExecution proto. Adds Owner and ExecutionId fields so workflow-level context flows inside the app-specific proto rather than the generic ComputeRequest type (per vreff's feedback on CC PR Add tests for reading an event #277).

Part of the remote-only secret fetching work where the enclave fetches secrets dynamically at runtime via enclave -> gateway -> relay DON -> VaultDON.

@nadahalli nadahalli requested a review from a team as a code owner March 17, 2026 14:52
Copilot AI review requested due to automatic review settings March 17, 2026 14:52
@github-actions

👋 nadahalli, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

github-actions bot commented Mar 17, 2026

⚠️ API Diff Results - github.com/smartcontractkit/chainlink-common

⚠️ Breaking Changes (1)

package github (1)
  • com/smartcontractkit/chainlink-common/pkg/capabilities/actions/confidentialrelay — 🗑️ Removed

✅ Compatible Changes (5)

package github (1)
  • com/smartcontractkit/chainlink-common/pkg/capabilities/v2/actions/confidentialrelay — ➕ Added
pkg/capabilities/v2/actions/confidentialworkflow.(*WorkflowExecution) (2)
  • GetExecutionId — ➕ Added

  • GetOwner — ➕ Added

pkg/capabilities/v2/actions/confidentialworkflow.WorkflowExecution (2)
  • ExecutionId — ➕ Added

  • Owner — ➕ Added


Copilot AI left a comment

Pull request overview

Updates the confidential relay protocol request type so the relay DON handler can include workflow ownership and execution metadata when building a vault secrets.get request.

Changes:

  • Extend SecretsRequestParams with WorkflowOwner.
  • Extend SecretsRequestParams with WorkflowExecutionID.

Attestation string `json:"attestation,omitempty"`
WorkflowID string `json:"workflow_id"`
WorkflowOwner string `json:"workflow_owner"`
WorkflowExecutionID string `json:"workflow_execution_id"`
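
Review bot: WorkflowOwner and WorkflowExecutionID carry no comment saying what encoding each expects, and unlike Attestation neither tag has omitempty, so an unset field is serialized as an empty string. The description says the relay DON handler uses both for owner matching and execution ID validation, so document the expected format on each field and state that the receiver must reject an empty value.
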
@nadahalli nadahalli force-pushed the tejaswi/relay-secrets-params branch from 6ca4d25 to acb562e Compare March 17, 2026 15:05
@nadahalli nadahalli changed the title Add WorkflowOwner and WorkflowExecutionID to SecretsRequestParams Update confidential relay protocol types for remote-only secret fetching Mar 17, 2026
…ublicKey/Threshold from response

SecretsRequestParams: added WorkflowOwner and WorkflowExecutionID.
The relay DON handler needs these to build a valid vault secrets.get
request (owner matching, execution ID validation).

SecretsResponseResult: removed MasterPublicKey and Threshold.
The enclave uses its own config for both (EnclaveConfig.MasterPublicKey
and EnclaveConfig.T from on-chain DON config, populated after DKG).
The relay handler is a pass-through for encrypted shares only.
@nadahalli nadahalli force-pushed the tejaswi/relay-secrets-params branch from acb562e to f480e53 Compare March 17, 2026 15:08
@nadahalli nadahalli requested a review from a team March 17, 2026 15:09
pavel-raykov
pavel-raykov previously approved these changes Mar 17, 2026
DylanTinianov
DylanTinianov previously approved these changes Mar 17, 2026
EnclavePublicKey string `json:"enclave_public_key"`
Attestation string `json:"attestation,omitempty"`
WorkflowID string `json:"workflow_id"`
WorkflowOwner string `json:"workflow_owner"` // Ethereum address (hex, 0x-prefixed)
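
Review bot: the comment on WorkflowOwner fixes the prefix and the base but not the letter case, and the field is a plain string, so the same address can arrive in mixed-case and lowercase forms. If the owner check compares strings, state the canonical casing in the comment (for example `// lowercase hex, 0x-prefixed`) or normalize both sides before comparing.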
Contributor

We explicitly removed Owner from SecretIdentifier.

Is this field accessible or settable by the customer/user?

This field should be only set by our internal framework, and not the user.

Further, going forward, we will change the workflow owner to org_id as owner, so even if we need this, I would prefer to name it as owner.

Contributor Author

This field is set by the enclave from attested workflow metadata. The user never touches it. The plumbing is: CRE engine populates WorkflowOwner from the on-chain workflow spec, the enclave includes it in the relay request, and VaultDON uses it to enforce that secret owners match (the check in capability.go lines 113-121 in core).

I can change the name to just owner if that's the preferred direction w.r.t. the org_id migration. The semantics stay the same either way.

Contributor

Yes, owner name is better going forward.
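
The owner check described in the thread above, sketched as an added example; it is not code from this PR or from chainlink core. `checkSecretsRequest` and `normalizeOwner` are hypothetical names, the JSON tags are the ones quoted in the PR, and the non-empty execution ID rule is an assumption because the page does not give that field's format.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of SecretsRequestParams: only fields and JSON tags quoted in this PR.
type secretsRequestParams struct {
	WorkflowOwner       string `json:"workflow_owner"`
	WorkflowExecutionID string `json:"workflow_execution_id"`
}

// normalizeOwner enforces the 0x-prefixed, 20-byte hex form and lowercases it,
// so a checksum-cased and a lowercase copy of one address compare equal.
func normalizeOwner(s string) (string, error) {
	b, err := hex.DecodeString(strings.TrimPrefix(s, "0x"))
	if !strings.HasPrefix(s, "0x") || err != nil || len(b) != 20 {
		return "", fmt.Errorf("owner %q is not a 0x-prefixed 20-byte hex address", s)
	}
	return "0x" + hex.EncodeToString(b), nil
}

// checkSecretsRequest is a hypothetical helper: it rejects params whose owner
// is malformed or differs from the owner recorded for the secret.
func checkSecretsRequest(raw []byte, secretOwner string) error {
	var p secretsRequestParams
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("bad params: %w", err)
	}
	if p.WorkflowExecutionID == "" {
		return fmt.Errorf("workflow_execution_id is required")
	}
	got, err := normalizeOwner(p.WorkflowOwner)
	if err != nil {
		return err
	}
	if !strings.EqualFold(got, secretOwner) {
		return fmt.Errorf("workflow owner does not match secret owner")
	}
	return nil
}

func main() {
	// Constructed sample: the address and execution ID are made up.
	raw := []byte(`{"workflow_owner":"0xABCDEF0123456789abcdef0123456789ABCDEF01","workflow_execution_id":"exec-1"}`)
	fmt.Println(checkSecretsRequest(raw, "0xabcdef0123456789abcdef0123456789abcdef01"))
}
```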

Adds Owner and ExecutionId fields to WorkflowExecution proto.
These carry workflow-level context in the app-specific proto
rather than the generic ComputeRequest type.

chainlink-protos: cre/go/v1alpha.23
@nadahalli nadahalli changed the title Update confidential relay protocol types for remote-only secret fetching Confidential relay types, WorkflowExecution proto fields, and package move Mar 18, 2026
@nadahalli nadahalli force-pushed the tejaswi/relay-secrets-params branch from 592cd48 to 6976732 Compare March 18, 2026 23:59
Aligns with confidentialworkflow which is already under v2/actions/.
Downstream consumers (CC remote_dispatcher, chainlink relay handler)
need to update their import paths.

vreff commented Mar 19, 2026

Looks like there is failing CI. Also is this an action? Does it go in that folder?

@nadahalli
Contributor Author

> Looks like there is failing CI. Also is this an action? Does it go in that folder?

Failing CI is for some other unrelated thing. Not our changes. Not sure how to fix that.

@nadahalli
Copy link
Contributor Author

> Looks like there is failing CI. Also is this an action? Does it go in that folder?

And no, it's not an action. It stays in capabilities. If it has to move, it can be a TODO for after the release.
