Add a hook to verify the regions in a TEE. It's not a trigger because that would stream results

Author: nolag

cre/capabilities/compute/confidentialworkflow/v1alpha/client.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package capabilities.compute.confidentialworkflow.v1alpha;
 
 import "tools/generator/v1alpha/cre_metadata.proto";
+import "google/protobuf/empty.proto";
 
 message SecretIdentifier {
   string key = 1;
@@ -31,6 +32,8 @@ message WorkflowExecution {
   // org_id is the organization identifier for the workflow owner.
   // Used by the enclave when fetching secrets from VaultDON with org-based ownership.
   string org_id = 7;
+  // regions that the workflow is allowed to run in.
+  repeated string regions = 8;
 }
 
 // ConfidentialWorkflowRequest is the input provided to the confidential workflows capability.
@@ -46,11 +49,16 @@ message ConfidentialWorkflowResponse {
   bytes execution_result = 1;
 }
 
+message VerifyRegionsResponse {
+  repeated string regions = 1;
+}
+
 service Client {
   option (tools.generator.v1alpha.capability) = {
     mode: MODE_DON
     capability_id: "confidential-workflows@1.0.0-alpha"
   };
 
   rpc Execute(ConfidentialWorkflowRequest) returns (ConfidentialWorkflowResponse);
+  rpc GetRegions(com.google.protobuf.Empty) returns (VerifyRegionsResponse);
 }