Skip to content

Commit a7d01d2

Browse files
feat(cresettings): add RemoteExecutableWorkflowDONBindingEnabled gate (#2257)
Global bool (default false) that, when enabled, lets the remote executable capability server reject requests whose RequestMetadata.WorkflowDonID does not match the authenticated calling DON. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 9a2491f commit a7d01d2

4 files changed

Lines changed: 13 additions & 0 deletions

File tree

pkg/settings/cresettings/README.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,10 @@ flowchart
5252
VaultSignedResponseRequestIDEnabled[/VaultSignedResponseRequestIDEnabled\]:::gate
5353
end
5454
55+
subgraph executableServer[remote executable capability server.OnMessage]
56+
RemoteExecutableWorkflowDONBindingEnabled[/RemoteExecutableWorkflowDONBindingEnabled\]:::gate
57+
end
58+
5559
subgraph HandleNodeMessage[gatewayHandler.HandleNodeMessage]
5660
%% DON nodes → gateway (separate from the inbound trigger flow)
5761
GatewayHTTPGlobalRate[\GatewayHTTPGlobalRate/]:::rate

pkg/settings/cresettings/defaults.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
"GatewayVaultManagementEnabled": "true",
66
"VaultJWTAuthEnabled": "false",
77
"CentralizedWorkflowOwnerVerificationEnabled": "false",
8+
"RemoteExecutableWorkflowDONBindingEnabled": "false",
89
"TenantID": "0",
910
"VaultOrgIdAsSecretOwnerEnabled": "false",
1011
"PropagateOrgIDInRequestMetadata": "false",

pkg/settings/cresettings/defaults.toml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ GatewayIncomingPayloadSizeLimit = '1mb'
44
GatewayVaultManagementEnabled = 'true'
55
VaultJWTAuthEnabled = 'false'
66
CentralizedWorkflowOwnerVerificationEnabled = 'false'
7+
RemoteExecutableWorkflowDONBindingEnabled = 'false'
78
TenantID = '0'
89
VaultOrgIdAsSecretOwnerEnabled = 'false'
910
PropagateOrgIDInRequestMetadata = 'false'

pkg/settings/cresettings/settings.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -58,6 +58,7 @@ var Default = Schema{
5858
GatewayVaultManagementEnabled: Bool(true),
5959
VaultJWTAuthEnabled: Bool(false),
6060
CentralizedWorkflowOwnerVerificationEnabled: Bool(false),
61+
RemoteExecutableWorkflowDONBindingEnabled: Bool(false),
6162
TenantID: Uint64(0),
6263
// Deprecated: retained for backwards compatibility; workflow owner identifies secret ownership.
6364
VaultOrgIdAsSecretOwnerEnabled: Bool(false),
@@ -318,6 +319,12 @@ type Schema struct {
318319
GatewayVaultManagementEnabled Setting[bool]
319320
VaultJWTAuthEnabled Setting[bool]
320321
CentralizedWorkflowOwnerVerificationEnabled Setting[bool]
322+
// RemoteExecutableWorkflowDONBindingEnabled, when true, makes the remote
323+
// executable capability server reject any request whose
324+
// RequestMetadata.WorkflowDonID does not match the authenticated calling DON
325+
// (msg.CallerDonId). Binds caller-supplied WorkflowDonID to the authenticated
326+
// sender DON so it cannot be spoofed by a colluding calling DON.
327+
RemoteExecutableWorkflowDONBindingEnabled Setting[bool]
321328
TenantID Setting[uint64]
322329
VaultOrgIdAsSecretOwnerEnabled Setting[bool] // Deprecated
323330
PropagateOrgIDInRequestMetadata Setting[bool]

0 commit comments

Comments
 (0)