fix: pin icu_calendar <2.2 to work around temporal_rs/deno_core incompatibility

KubernetesServiceProvider for infrastructure services

.cargo/config.toml

@@ -1,2 +1,5 @@
+[build]
+rustc-wrapper = "/opt/homebrew/bin/sccache"
+
 [registries.sunbeam]
 index = "sparse+https://src.sunbeam.pt/api/packages/studio/cargo/"

.gitignore

@@ -3,4 +3,4 @@ Cargo.lock
 *.swp
 *.swo
 .DS_Store
-.env
+.env*

.gitmodules

@@ -1,6 +0,0 @@
-[submodule "wfe-containerd-protos/vendor/containerd"]
-	path = wfe-containerd-protos/vendor/containerd
-	url = https://github.com/containerd/containerd.git
-[submodule "wfe-buildkit-protos/vendor/buildkit"]
-	path = wfe-buildkit-protos/vendor/buildkit
-	url = https://github.com/moby/buildkit.git

CHANGELOG.md

@@ -2,6 +2,56 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.8.0] - 2026-04-06
+
+### Added
+
+- **wfe-kubernetes**: New crate -- Kubernetes executor for running workflow steps as K8s Jobs
+  - Namespace-per-workflow isolation with automatic cleanup
+  - Job manifest builder with env, resources, pull policy, node selector support
+  - Pod log streaming to LogSink with real-time output capture
+  - `##wfe[output key=value]` parsing from Job stdout
+  - Timeout handling with Job cleanup on expiry
+  - `KubernetesServiceProvider`: provisions infrastructure services as K8s Pods + Services with DNS resolution and readiness polling
+  - 100% test coverage on service provider, 91% overall crate coverage
+- **wfe-core**: `ServiceDefinition`, `ServicePort`, `ReadinessProbe`, `ServiceEndpoint` types for declaring infrastructure services
+- **wfe-core**: `ServiceProvider` trait for pluggable service provisioning
+- **wfe-core**: `services` field on `WorkflowDefinition` for declaring required services
+- **wfe**: Capability-based workflow routing -- hosts check `can_execute()` before accepting workflows
+  - Verifies all step types are registered in the StepRegistry
+  - Verifies ServiceProvider is configured and can provision required services
+  - Re-queues workflows that can't be handled by this host
+- **wfe**: Service lifecycle in dequeue loop -- provision before execution, teardown after completion/failure
+- **wfe**: `use_service_provider()` on `WorkflowHostBuilder`
+- **wfe-containerd**: `ContainerdServiceProvider` for running services via containerd gRPC API on host network
+- **wfe-yaml**: `services:` block in workflow YAML definitions with readiness probes (exec, tcp, http)
+- **wfe-yaml**: `kubernetes`/`k8s` step type with lazy client creation
+
+## [1.7.0] - 2026-04-05
+
+### Added
+
+- **wfe-deno**: New crate -- Deno/JS/TS bindings for the WFE workflow engine
+  - Full API surface via 23 deno_core ops: host lifecycle, workflow management, fluent builder, step registration, event publishing
+  - Channel-based execution bridge: JS step functions called from tokio executor via mpsc/oneshot channels
+  - High-level JS API classes: `WorkflowHost`, `WorkflowBuilder`, `ExecutionResult`
+  - 52 tests (26 unit + 26 integration), 93% line coverage
+- **wfe-core**: `WorkflowBuilder.steps` and `last_step` fields now public
+
+## [1.6.3] - 2026-04-05
+
+### Fixed
+
+- **wfe-core**: Propagate `step_name` into execution pointers when advancing to next steps, compensation steps, and parallel branch children
+- **wfe**: Set `step_name` on initial execution pointer when starting a workflow instance
+
+## [1.6.2] - 2026-04-05
+
+### Added
+
+- **wfe-core**: `WorkflowBuilder::add_step_typed()` for adding named, configured steps in parallel branch closures
+- **wfe-core**: `WorkflowBuilder::wire_outcome()` now public for custom graph wiring
+
 ## [1.6.1] - 2026-04-05
 
 ### Added

Cargo.toml

@@ -1,9 +1,9 @@
 [workspace]
-members = ["wfe-core", "wfe-sqlite", "wfe-postgres", "wfe-opensearch", "wfe-valkey", "wfe", "wfe-yaml", "wfe-buildkit", "wfe-containerd", "wfe-containerd-protos", "wfe-buildkit-protos", "wfe-rustlang", "wfe-server-protos", "wfe-server"]
+members = ["wfe-core", "wfe-sqlite", "wfe-postgres", "wfe-opensearch", "wfe-valkey", "wfe", "wfe-yaml", "wfe-buildkit", "wfe-containerd", "wfe-containerd-protos", "wfe-buildkit-protos", "wfe-rustlang", "wfe-server-protos", "wfe-server", "wfe-kubernetes", "wfe-deno"]
 resolver = "2"
 
 [workspace.package]
-version = "1.6.1"
+version = "1.8.0"
 edition = "2024"
 license = "MIT"
 repository = "https://src.sunbeam.pt/studio/wfe"
@@ -38,15 +38,16 @@ redis = { version = "0.27", features = ["tokio-comp", "connection-manager"] }
 opensearch = "2"
 
 # Internal crates
-wfe-core = { version = "1.6.1", path = "wfe-core", registry = "sunbeam" }
+wfe-core = { version = "1.8.0", path = "wfe-core", registry = "sunbeam" }
-wfe-sqlite = { version = "1.6.1", path = "wfe-sqlite", registry = "sunbeam" }
+wfe-sqlite = { version = "1.8.0", path = "wfe-sqlite", registry = "sunbeam" }
-wfe-postgres = { version = "1.6.1", path = "wfe-postgres", registry = "sunbeam" }
+wfe-postgres = { version = "1.8.0", path = "wfe-postgres", registry = "sunbeam" }
-wfe-opensearch = { version = "1.6.1", path = "wfe-opensearch", registry = "sunbeam" }
+wfe-opensearch = { version = "1.8.0", path = "wfe-opensearch", registry = "sunbeam" }
-wfe-valkey = { version = "1.6.1", path = "wfe-valkey", registry = "sunbeam" }
+wfe-valkey = { version = "1.8.0", path = "wfe-valkey", registry = "sunbeam" }
-wfe-yaml = { version = "1.6.1", path = "wfe-yaml", registry = "sunbeam" }
+wfe-yaml = { version = "1.8.0", path = "wfe-yaml", registry = "sunbeam" }
-wfe-buildkit = { version = "1.6.1", path = "wfe-buildkit", registry = "sunbeam" }
+wfe-buildkit = { version = "1.8.0", path = "wfe-buildkit", registry = "sunbeam" }
-wfe-containerd = { version = "1.6.1", path = "wfe-containerd", registry = "sunbeam" }
+wfe-containerd = { version = "1.8.0", path = "wfe-containerd", registry = "sunbeam" }
-wfe-rustlang = { version = "1.6.1", path = "wfe-rustlang", registry = "sunbeam" }
+wfe-rustlang = { version = "1.8.0", path = "wfe-rustlang", registry = "sunbeam" }
+wfe-kubernetes = { version = "1.8.0", path = "wfe-kubernetes", registry = "sunbeam" }
 
 # YAML
 serde_yaml = "0.9"
@@ -55,9 +56,15 @@ regex = "1"
 
 # Deno runtime
 deno_core = "0.394"
+
 deno_error = "0.7"
 url = "2"
 
+# Kubernetes
+kube = { version = "3.1", features = ["runtime", "client", "ws"] }
+k8s-openapi = { version = "0.27", features = ["latest"] }
+futures = "0.3"
+
 # Dev/Test
 pretty_assertions = "1"
 rstest = "0.23"

wfe-buildkit-protos/proto/github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options/runhcs.proto

@@ -0,0 +1,124 @@
+syntax = "proto3";
+
+package containerd.runhcs.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options";
+
+// Options are the set of customizations that can be passed at Create time.
+message Options {
+	// Enable debug tracing (sets the logrus log level to debug). This may be deprecated in the future, prefer
+	// log_level as this will override debug if both of them are set.
+	bool debug = 1;
+
+	enum DebugType {
+		NPIPE = 0;
+		FILE = 1;
+		ETW = 2;
+	}
+
+	// debug tracing output type
+	DebugType debug_type = 2;
+
+	// registry key root for storage of the runhcs container state
+	string registry_root = 3;
+
+	// sandbox_image is the image to use for the sandbox that matches the
+	// sandbox_platform.
+	string sandbox_image = 4;
+
+	// sandbox_platform is a CRI setting that specifies the platform
+	// architecture for all sandbox's in this runtime. Values are
+	// 'windows/amd64' and 'linux/amd64'.
+	string sandbox_platform = 5;
+
+	enum SandboxIsolation {
+		PROCESS = 0;
+		HYPERVISOR = 1;
+	}
+
+	// sandbox_isolation is a CRI setting that specifies the isolation level of
+	// the sandbox. For Windows runtime PROCESS and HYPERVISOR are valid. For
+	// LCOW only HYPERVISOR is valid and default if omitted.
+	SandboxIsolation sandbox_isolation = 6;
+
+	// boot_files_root_path is the path to the directory containing the LCOW
+	// kernel and root FS files.
+	string boot_files_root_path = 7;
+
+	// vm_processor_count is the default number of processors to create for the
+	// hypervisor isolated utility vm.
+	//
+	// The platform default if omitted is 2, unless the host only has a single
+	// core in which case it is 1.
+	int32 vm_processor_count = 8;
+
+	// vm_memory_size_in_mb is the default amount of memory to assign to the
+	// hypervisor isolated utility vm.
+	//
+	// The platform default is 1024MB if omitted.
+	int32 vm_memory_size_in_mb = 9;
+
+	// GPUVHDPath is the path to the gpu vhd to add to the uvm
+	// when a container requests a gpu
+	string GPUVHDPath = 10;
+
+	// scale_cpu_limits_to_sandbox indicates that container CPU limits should
+	// be adjusted to account for the difference in number of cores between the
+	// host and UVM.
+	bool scale_cpu_limits_to_sandbox = 11;
+
+	// default_container_scratch_size_in_gb is the default scratch size (sandbox.vhdx)
+	// to be used for containers. Every container will get a sandbox of `size_in_gb` assigned
+	// instead of the default of 20GB.
+	int32 default_container_scratch_size_in_gb = 12;
+
+	// default_vm_scratch_size_in_gb is the default scratch size (sandbox.vhdx)
+	// to be used for the UVM. This only applies to WCOW as LCOW doesn't mount a scratch
+	// specifically for the UVM.
+	int32 default_vm_scratch_size_in_gb = 13;
+
+	// share_scratch specifies if we'd like to reuse scratch space between multiple containers.
+	// This currently only affects LCOW. The sandbox containers scratch space is re-used for all
+	// subsequent containers launched in the pod.
+	bool share_scratch = 14;
+
+	// NCProxyAddr is the address of the network configuration proxy service. If omitted
+	// the network is setup locally.
+	string NCProxyAddr = 15;
+
+	// log_level specifies the logrus log level for the shim. Supported values are a string representation of the
+	// logrus log levels: "trace", "debug", "info", "warn", "error", "fatal", "panic". This setting will override
+	// the `debug` field if both are specified, unless the level specified is also "debug", as these are equivalent.
+	string log_level = 16;
+
+	// io_retry_timeout_in_sec is the timeout in seconds for how long to try and reconnect to an upstream IO provider if a connection is lost.
+	// The typical example is if Containerd has restarted but is expected to come back online. A 0 for this field is interpreted as an infinite
+	// timeout.
+	int32 io_retry_timeout_in_sec = 17;
+
+	// default_container_annotations specifies a set of annotations that should be set for every workload container
+	map<string, string> default_container_annotations = 18;
+
+	// no_inherit_host_timezone specifies to skip inheriting the hosts time zone for WCOW UVMs and instead default to
+	// UTC.
+	bool no_inherit_host_timezone = 19;
+
+	// scrub_logs enables removing environment variables and other potentially sensitive information from logs
+	bool scrub_logs = 20;
+}
+
+// ProcessDetails contains additional information about a process. This is the additional
+// info returned in the Pids query.
+message ProcessDetails {
+	string image_name = 1;
+	google.protobuf.Timestamp created_at = 2;
+	uint64 kernel_time_100_ns = 3;
+	uint64 memory_commit_bytes = 4;
+	uint64 memory_working_set_private_bytes = 5;
+	uint64 memory_working_set_shared_bytes = 6;
+	uint32 process_id = 7;
+	uint64 user_time_100_ns = 8;
+	string exec_id = 9;
+}

wfe-buildkit-protos/proto/github.com/containerd/cgroups/v3/cgroup1/stats/metrics.proto

@@ -0,0 +1,158 @@
+syntax = "proto3";
+
+package io.containerd.cgroups.v1;
+
+option go_package = "github.com/containerd/cgroups/cgroup1/stats";
+
+message Metrics {
+	repeated HugetlbStat hugetlb = 1;
+	PidsStat pids = 2;
+	CPUStat cpu = 3;
+	MemoryStat memory = 4;
+	BlkIOStat blkio = 5;
+	RdmaStat rdma = 6;
+	repeated NetworkStat network = 7;
+	CgroupStats cgroup_stats = 8;
+	MemoryOomControl memory_oom_control = 9;
+}
+
+message HugetlbStat {
+	uint64 usage = 1;
+	uint64 max = 2;
+	uint64 failcnt = 3;
+	string pagesize = 4;
+}
+
+message PidsStat {
+	uint64 current = 1;
+	uint64 limit = 2;
+}
+
+message CPUStat {
+	CPUUsage usage = 1;
+	Throttle throttling = 2;
+}
+
+message CPUUsage {
+	// values in nanoseconds
+	uint64 total = 1;
+	uint64 kernel = 2;
+	uint64 user = 3;
+	repeated uint64 per_cpu = 4;
+
+}
+
+message Throttle {
+	uint64 periods = 1;
+	uint64 throttled_periods = 2;
+	uint64 throttled_time = 3;
+}
+
+message MemoryStat {
+	uint64 cache = 1;
+	uint64 rss = 2;
+	uint64 rss_huge = 3;
+	uint64 mapped_file = 4;
+	uint64 dirty = 5;
+	uint64 writeback = 6;
+	uint64 pg_pg_in = 7;
+	uint64 pg_pg_out = 8;
+	uint64 pg_fault = 9;
+	uint64 pg_maj_fault = 10;
+	uint64 inactive_anon = 11;
+	uint64 active_anon = 12;
+	uint64 inactive_file = 13;
+	uint64 active_file = 14;
+	uint64 unevictable = 15;
+	uint64 hierarchical_memory_limit = 16;
+	uint64 hierarchical_swap_limit = 17;
+	uint64 total_cache = 18;
+	uint64 total_rss = 19;
+	uint64 total_rss_huge = 20;
+	uint64 total_mapped_file = 21;
+	uint64 total_dirty = 22;
+	uint64 total_writeback = 23;
+	uint64 total_pg_pg_in = 24;
+	uint64 total_pg_pg_out = 25;
+	uint64 total_pg_fault = 26;
+	uint64 total_pg_maj_fault = 27;
+	uint64 total_inactive_anon = 28;
+	uint64 total_active_anon = 29;
+	uint64 total_inactive_file = 30;
+	uint64 total_active_file = 31;
+	uint64 total_unevictable = 32;
+	MemoryEntry usage = 33;
+	MemoryEntry swap = 34;
+	MemoryEntry kernel = 35;
+	MemoryEntry kernel_tcp = 36;
+
+}
+
+message MemoryEntry {
+	uint64 limit = 1;
+	uint64 usage = 2;
+	uint64 max = 3;
+	uint64 failcnt = 4;
+}
+
+message MemoryOomControl {
+	uint64 oom_kill_disable = 1;
+	uint64 under_oom = 2;
+	uint64 oom_kill = 3;
+}
+
+message BlkIOStat {
+	repeated BlkIOEntry io_service_bytes_recursive = 1;
+	repeated BlkIOEntry io_serviced_recursive = 2;
+	repeated BlkIOEntry io_queued_recursive = 3;
+	repeated BlkIOEntry io_service_time_recursive = 4;
+	repeated BlkIOEntry io_wait_time_recursive = 5;
+	repeated BlkIOEntry io_merged_recursive = 6;
+	repeated BlkIOEntry io_time_recursive = 7;
+	repeated BlkIOEntry sectors_recursive = 8;
+}
+
+message BlkIOEntry {
+	string op = 1;
+	string device = 2;
+	uint64 major = 3;
+	uint64 minor = 4;
+	uint64 value = 5;
+}
+
+message RdmaStat {
+	repeated RdmaEntry current = 1;
+	repeated RdmaEntry limit = 2;
+}
+
+message RdmaEntry {
+	string device = 1;
+	uint32 hca_handles = 2;
+	uint32 hca_objects = 3;
+}
+
+message NetworkStat {
+	string name = 1;
+	uint64 rx_bytes = 2;
+	uint64 rx_packets = 3;
+	uint64 rx_errors  = 4;
+	uint64 rx_dropped = 5;
+	uint64 tx_bytes = 6;
+	uint64 tx_packets = 7;
+	uint64 tx_errors = 8;
+	uint64 tx_dropped = 9;
+}
+
+// CgroupStats exports per-cgroup statistics.
+message CgroupStats {
+	// number of tasks sleeping
+	uint64 nr_sleeping = 1;
+	// number of tasks running
+	uint64 nr_running = 2;
+	// number of tasks in stopped state
+	uint64 nr_stopped = 3;
+	// number of tasks in uninterruptible state
+	uint64 nr_uninterruptible = 4;
+	// number of tasks waiting on IO
+	uint64 nr_io_wait = 5;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/events/container.proto

@@ -0,0 +1,46 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "google/protobuf/any.proto";
+import "github.com/containerd/containerd/api/types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message ContainerCreate {
+	string id = 1;
+	string image = 2;
+	message Runtime {
+		string name = 1;
+		google.protobuf.Any options = 2;
+	}
+	Runtime runtime = 3;
+}
+
+message ContainerUpdate {
+	string id = 1;
+	string image = 2;
+	map<string, string> labels  = 3;
+	string snapshot_key = 4;
+}
+
+message ContainerDelete {
+	string id = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/events/content.proto

@@ -0,0 +1,33 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "github.com/containerd/containerd/api/types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message ContentCreate {
+	string digest = 1;
+	int64 size = 2;
+}
+
+message ContentDelete {
+	string digest = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/events/image.proto

@@ -0,0 +1,38 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.images.v1;
+
+import "github.com/containerd/containerd/api/types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message ImageCreate {
+	string name = 1;
+	map<string, string> labels = 2;
+}
+
+message ImageUpdate {
+	string name = 1;
+	map<string, string> labels = 2;
+}
+
+message ImageDelete {
+	string name = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/events/namespace.proto

@@ -0,0 +1,38 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "github.com/containerd/containerd/api/types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message NamespaceCreate {
+	string name = 1;
+	map<string, string> labels  = 2;
+}
+
+message NamespaceUpdate {
+	string name = 1;
+	map<string, string> labels  = 2;
+}
+
+message NamespaceDelete {
+	string name = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/events/sandbox.proto

@@ -0,0 +1,37 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+
+message SandboxCreate {
+	string sandbox_id = 1;
+}
+
+message SandboxStart {
+	string sandbox_id = 1;
+}
+
+message SandboxExit {
+	string sandbox_id = 1;
+	uint32 exit_status = 2;
+	google.protobuf.Timestamp exited_at = 3;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/events/snapshot.proto

@@ -0,0 +1,41 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "github.com/containerd/containerd/api/types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message SnapshotPrepare {
+	string key = 1;
+	string parent = 2;
+	string snapshotter = 5;
+}
+
+message SnapshotCommit {
+	string key = 1;
+	string name = 2;
+	string snapshotter = 5;
+}
+
+message SnapshotRemove {
+	string key = 1;
+	string snapshotter = 5;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/events/task.proto

@@ -0,0 +1,93 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "google/protobuf/timestamp.proto";
+import "github.com/containerd/containerd/api/types/mount.proto";
+import "github.com/containerd/containerd/api/types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message TaskCreate {
+	string container_id = 1;
+	string bundle = 2;
+	repeated containerd.types.Mount rootfs = 3;
+	TaskIO io = 4;
+	string checkpoint = 5;
+	uint32 pid = 6;
+}
+
+message TaskStart {
+	string container_id = 1;
+	uint32 pid = 2;
+}
+
+message TaskDelete {
+	string container_id = 1;
+	uint32 pid = 2;
+	uint32 exit_status = 3;
+	google.protobuf.Timestamp exited_at = 4;
+	// id is the specific exec. By default if omitted will be `""` thus matches
+	// the init exec of the task matching `container_id`.
+	string id = 5;
+}
+
+message TaskIO {
+	string stdin = 1;
+	string stdout = 2;
+	string stderr = 3;
+	bool terminal = 4;
+}
+
+message TaskExit {
+	string container_id = 1;
+	string id = 2;
+	uint32 pid = 3;
+	uint32 exit_status = 4;
+	google.protobuf.Timestamp exited_at = 5;
+}
+
+message TaskOOM {
+	string container_id = 1;
+}
+
+message TaskExecAdded {
+	string container_id = 1;
+	string exec_id = 2;
+}
+
+message TaskExecStarted {
+	string container_id = 1;
+	string exec_id = 2;
+	uint32 pid = 3;
+}
+
+message TaskPaused {
+	string container_id = 1;
+}
+
+message TaskResumed {
+	string container_id = 1;
+}
+
+message TaskCheckpointed {
+	string container_id = 1;
+	string checkpoint = 2;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/runtime/sandbox/v1/sandbox.proto

@@ -0,0 +1,149 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.runtime.sandbox.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+import "github.com/containerd/containerd/api/types/mount.proto";
+import "github.com/containerd/containerd/api/types/platform.proto";
+import "github.com/containerd/containerd/api/types/metrics.proto";
+
+option go_package = "github.com/containerd/containerd/api/runtime/sandbox/v1;sandbox";
+
+// Sandbox is an optional interface that shim may implement to support sandboxes environments.
+// A typical example of sandbox is microVM or pause container - an entity that groups containers and/or
+// holds resources relevant for this group.
+service Sandbox {
+	// CreateSandbox will be called right after sandbox shim instance launched.
+	// It is a good place to initialize sandbox environment.
+	rpc CreateSandbox(CreateSandboxRequest) returns (CreateSandboxResponse);
+
+	// StartSandbox will start a previously created sandbox.
+	rpc StartSandbox(StartSandboxRequest) returns (StartSandboxResponse);
+
+	// Platform queries the platform the sandbox is going to run containers on.
+	// containerd will use this to generate a proper OCI spec.
+	rpc Platform(PlatformRequest) returns (PlatformResponse);
+
+	// StopSandbox will stop existing sandbox instance
+	rpc StopSandbox(StopSandboxRequest) returns (StopSandboxResponse);
+
+	// WaitSandbox blocks until sandbox exits.
+	rpc WaitSandbox(WaitSandboxRequest) returns (WaitSandboxResponse);
+
+	// SandboxStatus will return current status of the running sandbox instance
+	rpc SandboxStatus(SandboxStatusRequest) returns (SandboxStatusResponse);
+
+	// PingSandbox is a lightweight API call to check whether sandbox alive.
+	rpc PingSandbox(PingRequest) returns (PingResponse);
+
+	// ShutdownSandbox must shutdown shim instance.
+	rpc ShutdownSandbox(ShutdownSandboxRequest) returns (ShutdownSandboxResponse);
+
+	// SandboxMetrics retrieves metrics about a sandbox instance.
+	rpc SandboxMetrics(SandboxMetricsRequest) returns (SandboxMetricsResponse);
+}
+
+message CreateSandboxRequest {
+	string sandbox_id = 1;
+	string bundle_path = 2;
+	repeated containerd.types.Mount rootfs = 3;
+	google.protobuf.Any options = 4;
+	string netns_path = 5;
+	map<string, string> annotations = 6;
+}
+
+message CreateSandboxResponse {}
+
+message StartSandboxRequest {
+	string sandbox_id = 1;
+}
+
+message StartSandboxResponse {
+	uint32 pid = 1;
+	google.protobuf.Timestamp created_at = 2;
+}
+
+message PlatformRequest {
+	string sandbox_id = 1;
+}
+
+message PlatformResponse {
+	containerd.types.Platform platform = 1;
+}
+
+message StopSandboxRequest {
+	string sandbox_id = 1;
+	uint32 timeout_secs = 2;
+}
+
+message StopSandboxResponse {}
+
+message UpdateSandboxRequest {
+	string sandbox_id = 1;
+	google.protobuf.Any resources = 2;
+	map<string, string> annotations = 3;
+}
+
+message WaitSandboxRequest {
+	string sandbox_id = 1;
+}
+
+message WaitSandboxResponse {
+	uint32 exit_status = 1;
+	google.protobuf.Timestamp exited_at = 2;
+}
+
+message UpdateSandboxResponse {}
+
+message SandboxStatusRequest {
+	string sandbox_id = 1;
+	bool verbose = 2;
+}
+
+message SandboxStatusResponse {
+	string sandbox_id = 1;
+	uint32 pid = 2;
+	string state = 3;
+	map<string, string> info = 4;
+	google.protobuf.Timestamp created_at = 5;
+	google.protobuf.Timestamp exited_at = 6;
+	google.protobuf.Any extra = 7;
+}
+
+message PingRequest {
+	string sandbox_id = 1;
+}
+
+message PingResponse {}
+
+message ShutdownSandboxRequest {
+	string sandbox_id = 1;
+}
+
+message ShutdownSandboxResponse {}
+
+message SandboxMetricsRequest {
+	string sandbox_id = 1;
+}
+
+message SandboxMetricsResponse {
+	containerd.types.Metric metrics = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/containers/v1/containers.proto

@@ -0,0 +1,181 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.containers.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/containers/v1;containers";
+
+// Containers provides metadata storage for containers used in the execution
+// service.
+//
+// The objects here provide an state-independent view of containers for use in
+// management and resource pinning. From that perspective, containers do not
+// have a "state" but rather this is the set of resources that will be
+// considered in use by the container.
+//
+// From the perspective of the execution service, these objects represent the
+// base parameters for creating a container process.
+//
+// In general, when looking to add fields for this type, first ask yourself
+// whether or not the function of the field has to do with runtime execution or
+// is invariant of the runtime state of the container. If it has to do with
+// runtime, or changes as the "container" is started and stops, it probably
+// doesn't belong on this object.
+service Containers {
+	rpc Get(GetContainerRequest) returns (GetContainerResponse);
+	rpc List(ListContainersRequest) returns (ListContainersResponse);
+	rpc ListStream(ListContainersRequest) returns (stream ListContainerMessage);
+	rpc Create(CreateContainerRequest) returns (CreateContainerResponse);
+	rpc Update(UpdateContainerRequest) returns (UpdateContainerResponse);
+	rpc Delete(DeleteContainerRequest) returns (google.protobuf.Empty);
+}
+
+message Container {
+	// ID is the user-specified identifier.
+	//
+	// This field may not be updated.
+	string id = 1;
+
+	// Labels provides an area to include arbitrary data on containers.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	//
+	// Note that to add a new value to this field, read the existing set and
+	// include the entire result in the update call.
+	map<string, string> labels  = 2;
+
+	// Image contains the reference of the image used to build the
+	// specification and snapshots for running this container.
+	//
+	// If this field is updated, the spec and rootfs needed to updated, as well.
+	string image = 3;
+
+	message Runtime {
+		// Name is the name of the runtime.
+		string name = 1;
+		// Options specify additional runtime initialization options.
+		google.protobuf.Any options = 2;
+	}
+	// Runtime specifies which runtime to use for executing this container.
+	Runtime runtime = 4;
+
+	// Spec to be used when creating the container. This is runtime specific.
+	google.protobuf.Any spec = 5;
+
+	// Snapshotter specifies the snapshotter name used for rootfs
+	string snapshotter = 6;
+
+	// SnapshotKey specifies the snapshot key to use for the container's root
+	// filesystem. When starting a task from this container, a caller should
+	// look up the mounts from the snapshot service and include those on the
+	// task create request.
+	//
+	// Snapshots referenced in this field will not be garbage collected.
+	//
+	// This field is set to empty when the rootfs is not a snapshot.
+	//
+	// This field may be updated.
+	string snapshot_key = 7;
+
+	// CreatedAt is the time the container was first created.
+	google.protobuf.Timestamp created_at = 8;
+
+	// UpdatedAt is the last time the container was mutated.
+	google.protobuf.Timestamp updated_at = 9;
+
+	// Extensions allow clients to provide zero or more blobs that are directly
+	// associated with the container. One may provide protobuf, json, or other
+	// encoding formats. The primary use of this is to further decorate the
+	// container object with fields that may be specific to a client integration.
+	//
+	// The key portion of this map should identify a "name" for the extension
+	// that should be unique against other extensions. When updating extension
+	// data, one should only update the specified extension using field paths
+	// to select a specific map key.
+	map<string, google.protobuf.Any> extensions = 10;
+
+	// Sandbox ID this container belongs to.
+	string sandbox = 11;
+}
+
+message GetContainerRequest {
+	string id = 1;
+}
+
+message GetContainerResponse {
+	Container container = 1;
+}
+
+message ListContainersRequest {
+	// Filters contains one or more filters using the syntax defined in the
+	// containerd filter package.
+	//
+	// The returned result will be those that match any of the provided
+	// filters. Expanded, containers that match the following will be
+	// returned:
+	//
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//
+	// If filters is zero-length or nil, all items will be returned.
+	repeated string filters = 1;
+}
+
+message ListContainersResponse {
+	repeated Container containers = 1;
+}
+
+message CreateContainerRequest {
+	Container container = 1;
+}
+
+message CreateContainerResponse {
+	Container container = 1;
+}
+
+// UpdateContainerRequest updates the metadata on one or more container.
+//
+// The operation should follow semantics described in
+// https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/field-mask,
+// unless otherwise qualified.
+message UpdateContainerRequest {
+	// Container provides the target values, as declared by the mask, for the update.
+	//
+	// The ID field must be set.
+	Container container = 1;
+
+	// UpdateMask specifies which fields to perform the update on. If empty,
+	// the operation applies to all fields.
+	google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateContainerResponse {
+	Container container = 1;
+}
+
+message DeleteContainerRequest {
+	string id = 1;
+}
+
+message ListContainerMessage {
+	Container container = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/content/v1/content.proto

@@ -0,0 +1,330 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.content.v1;
+
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/content/v1;content";
+
+// Content provides access to a content addressable storage system.
+service Content {
+	// Info returns information about a committed object.
+	//
+	// This call can be used for getting the size of content and checking for
+	// existence.
+	rpc Info(InfoRequest) returns (InfoResponse);
+
+	// Update updates content metadata.
+	//
+	// This call can be used to manage the mutable content labels. The
+	// immutable metadata such as digest, size, and committed at cannot
+	// be updated.
+	rpc Update(UpdateRequest) returns (UpdateResponse);
+
+	// List streams the entire set of content as Info objects and closes the
+	// stream.
+	//
+	// Typically, this will yield a large response, chunked into messages.
+	// Clients should make provisions to ensure they can handle the entire data
+	// set.
+	rpc List(ListContentRequest) returns (stream ListContentResponse);
+
+	// Delete will delete the referenced object.
+	rpc Delete(DeleteContentRequest) returns (google.protobuf.Empty);
+
+	// Read allows one to read an object based on the offset into the content.
+	//
+	// The requested data may be returned in one or more messages.
+	rpc Read(ReadContentRequest) returns (stream ReadContentResponse);
+
+	// Status returns the status for a single reference.
+	rpc Status(StatusRequest) returns (StatusResponse);
+
+	// ListStatuses returns the status of ongoing object ingestions, started via
+	// Write.
+	//
+	// Only those matching the regular expression will be provided in the
+	// response. If the provided regular expression is empty, all ingestions
+	// will be provided.
+	rpc ListStatuses(ListStatusesRequest) returns (ListStatusesResponse);
+
+	// Write begins or resumes writes to a resource identified by a unique ref.
+	// Only one active stream may exist at a time for each ref.
+	//
+	// Once a write stream has started, it may only write to a single ref, thus
+	// once a stream is started, the ref may be omitted on subsequent writes.
+	//
+	// For any write transaction represented by a ref, only a single write may
+	// be made to a given offset. If overlapping writes occur, it is an error.
+	// Writes should be sequential and implementations may throw an error if
+	// this is required.
+	//
+	// If expected_digest is set and already part of the content store, the
+	// write will fail.
+	//
+	// When completed, the commit flag should be set to true. If expected size
+	// or digest is set, the content will be validated against those values.
+	rpc Write(stream WriteContentRequest) returns (stream WriteContentResponse);
+
+	// Abort cancels the ongoing write named in the request. Any resources
+	// associated with the write will be collected.
+	rpc Abort(AbortRequest) returns (google.protobuf.Empty);
+}
+
+message Info {
+	// Digest is the hash identity of the blob.
+	string digest = 1;
+
+	// Size is the total number of bytes in the blob.
+	int64 size = 2;
+
+	// CreatedAt provides the time at which the blob was committed.
+	google.protobuf.Timestamp created_at = 3;
+
+	// UpdatedAt provides the time the info was last updated.
+	google.protobuf.Timestamp updated_at = 4;
+
+	// Labels are arbitrary data on snapshots.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	map<string, string> labels  = 5;
+}
+
+message InfoRequest {
+	string digest = 1;
+}
+
+message InfoResponse {
+	Info info = 1;
+}
+
+message UpdateRequest {
+	Info info = 1;
+
+	// UpdateMask specifies which fields to perform the update on. If empty,
+	// the operation applies to all fields.
+	//
+	// In info, Digest, Size, and CreatedAt are immutable,
+	// other field may be updated using this mask.
+	// If no mask is provided, all mutable field are updated.
+	google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateResponse {
+	Info info = 1;
+}
+
+message ListContentRequest {
+	// Filters contains one or more filters using the syntax defined in the
+	// containerd filter package.
+	//
+	// The returned result will be those that match any of the provided
+	// filters. Expanded, containers that match the following will be
+	// returned:
+	//
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//
+	// If filters is zero-length or nil, all items will be returned.
+	repeated string filters = 1;
+}
+
+message ListContentResponse {
+	repeated Info info = 1;
+}
+
+message DeleteContentRequest {
+	// Digest specifies which content to delete.
+	string digest = 1;
+}
+
+// ReadContentRequest defines the fields that make up a request to read a portion of
+// data from a stored object.
+message ReadContentRequest {
+	// Digest is the hash identity to read.
+	string digest = 1;
+
+	// Offset specifies the number of bytes from the start at which to begin
+	// the read. If zero or less, the read will be from the start. This uses
+	// standard zero-indexed semantics.
+	int64 offset = 2;
+
+	// size is the total size of the read. If zero, the entire blob will be
+	// returned by the service.
+	int64 size = 3;
+}
+
+// ReadContentResponse carries byte data for a read request.
+message ReadContentResponse {
+	int64 offset = 1; // offset of the returned data
+	bytes data = 2; // actual data
+}
+
+message Status {
+	google.protobuf.Timestamp started_at = 1;
+	google.protobuf.Timestamp updated_at = 2;
+	string ref = 3;
+	int64 offset = 4;
+	int64 total = 5;
+	string expected = 6;
+}
+
+
+message StatusRequest {
+	string ref = 1;
+}
+
+message StatusResponse {
+	Status status = 1;
+}
+
+message ListStatusesRequest {
+	repeated string filters = 1;
+}
+
+message ListStatusesResponse {
+	repeated Status statuses = 1;
+}
+
+// WriteAction defines the behavior of a WriteRequest.
+enum WriteAction {
+	// WriteActionStat instructs the writer to return the current status while
+	// holding the lock on the write.
+	STAT = 0;
+
+	// WriteActionWrite sets the action for the write request to write data.
+	//
+	// Any data included will be written at the provided offset. The
+	// transaction will be left open for further writes.
+	//
+	// This is the default.
+	WRITE = 1;
+
+	// WriteActionCommit will write any outstanding data in the message and
+	// commit the write, storing it under the digest.
+	//
+	// This can be used in a single message to send the data, verify it and
+	// commit it.
+	//
+	// This action will always terminate the write.
+	COMMIT = 2;
+}
+
+// WriteContentRequest writes data to the request ref at offset.
+message WriteContentRequest {
+	// Action sets the behavior of the write.
+	//
+	// When this is a write and the ref is not yet allocated, the ref will be
+	// allocated and the data will be written at offset.
+	//
+	// If the action is write and the ref is allocated, it will accept data to
+	// an offset that has not yet been written.
+	//
+	// If the action is write and there is no data, the current write status
+	// will be returned. This works differently from status because the stream
+	// holds a lock.
+	WriteAction action = 1;
+
+	// Ref identifies the pre-commit object to write to.
+	string ref = 2;
+
+	// Total can be set to have the service validate the total size of the
+	// committed content.
+	//
+	// The latest value before or with the commit action message will be use to
+	// validate the content. If the offset overflows total, the service may
+	// report an error. It is only required on one message for the write.
+	//
+	// If the value is zero or less, no validation of the final content will be
+	// performed.
+	int64 total = 3;
+
+	// Expected can be set to have the service validate the final content against
+	// the provided digest.
+	//
+	// If the digest is already present in the object store, an AlreadyExists
+	// error will be returned.
+	//
+	// Only the latest version will be used to check the content against the
+	// digest. It is only required to include it on a single message, before or
+	// with the commit action message.
+	string expected = 4;
+
+	// Offset specifies the number of bytes from the start at which to begin
+	// the write. For most implementations, this means from the start of the
+	// file. This uses standard, zero-indexed semantics.
+	//
+	// If the action is write, the remote may remove all previously written
+	// data after the offset. Implementations may support arbitrary offsets but
+	// MUST support reseting this value to zero with a write. If an
+	// implementation does not support a write at a particular offset, an
+	// OutOfRange error must be returned.
+	int64 offset = 5;
+
+	// Data is the actual bytes to be written.
+	//
+	// If this is empty and the message is not a commit, a response will be
+	// returned with the current write state.
+	bytes data = 6;
+
+	// Labels are arbitrary data on snapshots.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	map<string, string> labels  = 7;
+}
+
+// WriteContentResponse is returned on the culmination of a write call.
+message WriteContentResponse {
+	// Action contains the action for the final message of the stream. A writer
+	// should confirm that they match the intended result.
+	WriteAction action = 1;
+
+	// StartedAt provides the time at which the write began.
+	//
+	// This must be set for stat and commit write actions. All other write
+	// actions may omit this.
+	google.protobuf.Timestamp started_at = 2;
+
+	// UpdatedAt provides the last time of a successful write.
+	//
+	// This must be set for stat and commit write actions. All other write
+	// actions may omit this.
+	google.protobuf.Timestamp updated_at = 3;
+
+	// Offset is the current committed size for the write.
+	int64 offset = 4;
+
+	// Total provides the current, expected total size of the write.
+	//
+	// We include this to provide consistency with the Status structure on the
+	// client writer.
+	//
+	// This is only valid on the Stat and Commit response.
+	int64 total = 5;
+
+	// Digest, if present, includes the digest up to the currently committed
+	// bytes. If action is commit, this field will be set. It is implementation
+	// defined if this is set for other actions.
+	string digest = 6;
+}
+
+message AbortRequest {
+	string ref = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/diff/v1/diff.proto

@@ -0,0 +1,90 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.diff.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+import "github.com/containerd/containerd/api/types/mount.proto";
+import "github.com/containerd/containerd/api/types/descriptor.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/diff/v1;diff";
+
+// Diff service creates and applies diffs
+service Diff {
+	// Apply applies the content associated with the provided digests onto
+	// the provided mounts. Archive content will be extracted and
+	// decompressed if necessary.
+	rpc Apply(ApplyRequest) returns (ApplyResponse);
+
+	// Diff creates a diff between the given mounts and uploads the result
+	// to the content store.
+	rpc Diff(DiffRequest) returns (DiffResponse);
+}
+
+message ApplyRequest {
+	// Diff is the descriptor of the diff to be extracted
+	containerd.types.Descriptor diff = 1;
+
+	repeated containerd.types.Mount mounts = 2;
+
+	map<string, google.protobuf.Any> payloads = 3;
+	// SyncFs is to synchronize the underlying filesystem containing files.
+	bool sync_fs = 4;
+}
+
+message ApplyResponse {
+	// Applied is the descriptor for the object which was applied.
+	// If the input was a compressed blob then the result will be
+	// the descriptor for the uncompressed blob.
+	containerd.types.Descriptor applied = 1;
+}
+
+message DiffRequest {
+	// Left are the mounts which represent the older copy
+	// in which is the base of the computed changes.
+	repeated containerd.types.Mount left = 1;
+
+	// Right are the mounts which represents the newer copy
+	// in which changes from the left were made into.
+	repeated containerd.types.Mount right = 2;
+
+	// MediaType is the media type descriptor for the created diff
+	// object
+	string media_type = 3;
+
+	// Ref identifies the pre-commit content store object. This
+	// reference can be used to get the status from the content store.
+	string ref = 4;
+
+	// Labels are the labels to apply to the generated content
+	// on content store commit.
+	map<string, string> labels = 5;
+
+	// SourceDateEpoch specifies the timestamp used to provide control for reproducibility.
+	// See also https://reproducible-builds.org/docs/source-date-epoch/ .
+	//
+	// Since containerd v2.0, the whiteout timestamps are set to zero (1970-01-01),
+	// not to the source date epoch.
+	google.protobuf.Timestamp source_date_epoch = 6;
+}
+
+message DiffResponse {
+	// Diff is the descriptor of the diff which can be applied
+	containerd.types.Descriptor diff = 3;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/events/v1/events.proto

@@ -0,0 +1,62 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.events.v1;
+
+import "github.com/containerd/containerd/api/types/event.proto";
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/events/v1;events";
+
+service Events {
+	// Publish an event to a topic.
+	//
+	// The event will be packed into a timestamp envelope with the namespace
+	// introspected from the context. The envelope will then be dispatched.
+	rpc Publish(PublishRequest) returns (google.protobuf.Empty);
+
+	// Forward sends an event that has already been packaged into an envelope
+	// with a timestamp and namespace.
+	//
+	// This is useful if earlier timestamping is required or when forwarding on
+	// behalf of another component, namespace or publisher.
+	rpc Forward(ForwardRequest) returns (google.protobuf.Empty);
+
+	// Subscribe to a stream of events, possibly returning only that match any
+	// of the provided filters.
+	//
+	// Unlike many other methods in containerd, subscribers will get messages
+	// from all namespaces unless otherwise specified. If this is not desired,
+	// a filter can be provided in the format 'namespace==<namespace>' to
+	// restrict the received events.
+	rpc Subscribe(SubscribeRequest) returns (stream containerd.types.Envelope);
+}
+
+message PublishRequest {
+	string topic = 1;
+	google.protobuf.Any event = 2;
+}
+
+message ForwardRequest {
+	containerd.types.Envelope envelope = 1;
+}
+
+message SubscribeRequest {
+	repeated string filters = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/images/v1/images.proto

@@ -0,0 +1,149 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.images.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "github.com/containerd/containerd/api/types/descriptor.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/images/v1;images";
+
+// Images is a service that allows one to register images with containerd.
+//
+// In containerd, an image is merely the mapping of a name to a content root,
+// described by a descriptor. The behavior and state of image is purely
+// dictated by the type of the descriptor.
+//
+// From the perspective of this service, these references are mostly shallow,
+// in that the existence of the required content won't be validated until
+// required by consuming services.
+//
+// As such, this can really be considered a "metadata service".
+service Images {
+	// Get returns an image by name.
+	rpc Get(GetImageRequest) returns (GetImageResponse);
+
+	// List returns a list of all images known to containerd.
+	rpc List(ListImagesRequest) returns (ListImagesResponse);
+
+	// Create an image record in the metadata store.
+	//
+	// The name of the image must be unique.
+	rpc Create(CreateImageRequest) returns (CreateImageResponse);
+
+	// Update assigns the name to a given target image based on the provided
+	// image.
+	rpc Update(UpdateImageRequest) returns (UpdateImageResponse);
+
+	// Delete deletes the image by name.
+	rpc Delete(DeleteImageRequest) returns (google.protobuf.Empty);
+}
+
+message Image {
+	// Name provides a unique name for the image.
+	//
+	// Containerd treats this as the primary identifier.
+	string name = 1;
+
+	// Labels provides free form labels for the image. These are runtime only
+	// and do not get inherited into the package image in any way.
+	//
+	// Labels may be updated using the field mask.
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	map<string, string> labels = 2;
+
+	// Target describes the content entry point of the image.
+	containerd.types.Descriptor target = 3;
+
+	// CreatedAt is the time the image was first created.
+	google.protobuf.Timestamp created_at = 7;
+
+	// UpdatedAt is the last time the image was mutated.
+	google.protobuf.Timestamp updated_at = 8;
+}
+
+message GetImageRequest {
+	string name = 1;
+}
+
+message GetImageResponse {
+	Image image = 1;
+}
+
+message CreateImageRequest {
+	Image image = 1;
+
+	google.protobuf.Timestamp source_date_epoch = 2;
+}
+
+message CreateImageResponse {
+	Image image = 1;
+}
+
+message UpdateImageRequest {
+	// Image provides a full or partial image for update.
+	//
+	// The name field must be set or an error will be returned.
+	Image image = 1;
+
+	// UpdateMask specifies which fields to perform the update on. If empty,
+	// the operation applies to all fields.
+	google.protobuf.FieldMask update_mask = 2;
+
+	google.protobuf.Timestamp source_date_epoch = 3;
+}
+
+message UpdateImageResponse {
+	Image image = 1;
+}
+
+message ListImagesRequest {
+	// Filters contains one or more filters using the syntax defined in the
+	// containerd filter package.
+	//
+	// The returned result will be those that match any of the provided
+	// filters. Expanded, images that match the following will be
+	// returned:
+	//
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//
+	// If filters is zero-length or nil, all items will be returned.
+	repeated string filters = 1;
+}
+
+message ListImagesResponse {
+	repeated Image images = 1;
+}
+
+message DeleteImageRequest {
+	string name = 1;
+
+	// Sync indicates that the delete and cleanup should be done
+	// synchronously before returning to the caller
+	//
+	// Default is false
+	bool sync = 2;
+
+	// Target value for image to be deleted
+	//
+	// If image descriptor does not match the same digest,
+	// the delete operation will return "not found" error.
+	optional containerd.types.Descriptor target = 3;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/introspection/v1/introspection.proto

@@ -0,0 +1,133 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.introspection.v1;
+
+import "google/protobuf/any.proto";
+import "github.com/containerd/containerd/api/types/introspection.proto";
+import "github.com/containerd/containerd/api/types/platform.proto";
+import "google/rpc/status.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/introspection/v1;introspection";
+
+service Introspection {
+	// Plugins returns a list of plugins in containerd.
+	//
+	// Clients can use this to detect features and capabilities when using
+	// containerd.
+	rpc Plugins(PluginsRequest) returns (PluginsResponse);
+	// Server returns information about the containerd server
+	rpc Server(google.protobuf.Empty) returns (ServerResponse);
+	// PluginInfo returns information directly from a plugin if the plugin supports it
+	rpc PluginInfo(PluginInfoRequest) returns (PluginInfoResponse);
+}
+
+message Plugin {
+	// Type defines the type of plugin.
+	//
+	// See package plugin for a list of possible values. Non core plugins may
+	// define their own values during registration.
+	string type = 1;
+
+	// ID identifies the plugin uniquely in the system.
+	string id = 2;
+
+	// Requires lists the plugin types required by this plugin.
+	repeated string requires = 3;
+
+	// Platforms enumerates the platforms this plugin will support.
+	//
+	// If values are provided here, the plugin will only be operable under the
+	// provided platforms.
+	//
+	// If this is empty, the plugin will work across all platforms.
+	//
+	// If the plugin prefers certain platforms over others, they should be
+	// listed from most to least preferred.
+	repeated types.Platform platforms = 4;
+
+	// Exports allows plugins to provide values about state or configuration to
+	// interested parties.
+	//
+	// One example is exposing the configured path of a snapshotter plugin.
+	map<string, string> exports = 5;
+
+	// Capabilities allows plugins to communicate feature switches to allow
+	// clients to detect features that may not be on be default or may be
+	// different from version to version.
+	//
+	// Use this sparingly.
+	repeated string capabilities = 6;
+
+	// InitErr will be set if the plugin fails initialization.
+	//
+	// This means the plugin may have been registered but a non-terminal error
+	// was encountered during initialization.
+	//
+	// Plugins that have this value set cannot be used.
+	google.rpc.Status init_err = 7;
+}
+
+message PluginsRequest {
+	// Filters contains one or more filters using the syntax defined in the
+	// containerd filter package.
+	//
+	// The returned result will be those that match any of the provided
+	// filters. Expanded, plugins that match the following will be
+	// returned:
+	//
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//
+	// If filters is zero-length or nil, all items will be returned.
+	repeated string filters = 1;
+}
+
+message PluginsResponse {
+	repeated Plugin plugins = 1;
+}
+
+message ServerResponse {
+	string uuid = 1;
+	uint64 pid = 2;
+	uint64 pidns = 3; // PID namespace, such as 4026531836
+	repeated DeprecationWarning deprecations = 4;
+}
+
+message DeprecationWarning {
+	string id = 1;
+	string message = 2;
+	google.protobuf.Timestamp last_occurrence = 3;
+}
+
+message PluginInfoRequest {
+	string type = 1;
+	string id = 2;
+
+	// Options may be used to request extra dynamic information from
+	// a plugin.
+	// This object is determined by the plugin and the plugin may return
+	// NotImplemented or InvalidArgument if it is not supported
+	google.protobuf.Any options = 3;
+}
+
+message PluginInfoResponse {
+	Plugin plugin = 1;
+	google.protobuf.Any extra = 2;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/leases/v1/leases.proto

@@ -0,0 +1,116 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+syntax = "proto3";
+
+package containerd.services.leases.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/leases/v1;leases";
+
+// Leases service manages resources leases within the metadata store.
+service Leases {
+	// Create creates a new lease for managing changes to metadata. A lease
+	// can be used to protect objects from being removed.
+	rpc Create(CreateRequest) returns (CreateResponse);
+
+	// Delete deletes the lease and makes any unreferenced objects created
+	// during the lease eligible for garbage collection if not referenced
+	// or retained by other resources during the lease.
+	rpc Delete(DeleteRequest) returns (google.protobuf.Empty);
+
+	// List lists all active leases, returning the full list of
+	// leases and optionally including the referenced resources.
+	rpc List(ListRequest) returns (ListResponse);
+
+	// AddResource references the resource by the provided lease.
+	rpc AddResource(AddResourceRequest) returns (google.protobuf.Empty);
+
+	// DeleteResource dereferences the resource by the provided lease.
+	rpc DeleteResource(DeleteResourceRequest) returns (google.protobuf.Empty);
+
+	// ListResources lists all the resources referenced by the lease.
+	rpc ListResources(ListResourcesRequest) returns (ListResourcesResponse);
+}
+
+// Lease is an object which retains resources while it exists.
+message Lease {
+	string id = 1;
+
+	google.protobuf.Timestamp created_at = 2;
+
+	map<string, string> labels = 3;
+}
+
+message CreateRequest {
+	// ID is used to identity the lease, when the id is not set the service
+	// generates a random identifier for the lease.
+	string id = 1;
+
+	map<string, string> labels = 3;
+}
+
+message CreateResponse {
+	Lease lease = 1;
+}
+
+message DeleteRequest {
+	string id = 1;
+
+	// Sync indicates that the delete and cleanup should be done
+	// synchronously before returning to the caller
+	//
+	// Default is false
+	bool sync = 2;
+}
+
+message ListRequest {
+	repeated string filters = 1;
+}
+
+message ListResponse {
+	repeated Lease leases = 1;
+}
+
+message Resource {
+	string id = 1;
+
+	// For snapshotter resource, there are many snapshotter types here, like
+	// overlayfs, devmapper etc. The type will be formatted with type,
+	// like "snapshotter/overlayfs".
+	string type = 2;
+}
+
+message AddResourceRequest {
+	string id = 1;
+
+	Resource resource = 2;
+}
+
+message DeleteResourceRequest {
+	string id = 1;
+
+	Resource resource = 2;
+}
+
+message ListResourcesRequest {
+	string id = 1;
+}
+
+message ListResourcesResponse {
+	repeated Resource resources = 1	;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/mounts/v1/mounts.proto

@@ -0,0 +1,78 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+syntax = "proto3";
+
+package containerd.services.mounts.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "github.com/containerd/containerd/api/types/mount.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/mounts/v1;mounts";
+
+// Mounts service manages mounts
+service Mounts {
+	rpc Activate(ActivateRequest) returns (ActivateResponse);
+	rpc Deactivate(DeactivateRequest) returns (google.protobuf.Empty);
+	rpc Info(InfoRequest) returns (InfoResponse);
+	rpc Update(UpdateRequest) returns (UpdateResponse);
+	rpc List(ListRequest) returns (stream ListMessage);
+}
+
+message ActivateRequest {
+	string name = 1;
+
+	repeated containerd.types.Mount mounts = 2;
+
+	map<string, string> labels = 3;
+
+	bool temporary = 4;
+
+}
+
+message ActivateResponse {
+	containerd.types.ActivationInfo info = 1;
+}
+
+message DeactivateRequest {
+	string name = 1;
+}
+
+message InfoRequest {
+	string name = 1;
+}
+
+message InfoResponse {
+	containerd.types.ActivationInfo info = 1;
+}
+
+message UpdateRequest {
+	containerd.types.ActivationInfo info = 1;
+
+	google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateResponse {
+	containerd.types.ActivationInfo info = 1;
+}
+
+message ListRequest {
+	repeated string filters = 1;
+}
+
+message ListMessage {
+	containerd.types.ActivationInfo info = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/namespaces/v1/namespace.proto

@@ -0,0 +1,107 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.namespaces.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/namespaces/v1;namespaces";
+
+// Namespaces provides the ability to manipulate containerd namespaces.
+//
+// All objects in the system are required to be a member of a namespace. If a
+// namespace is deleted, all objects, including containers, images and
+// snapshots, will be deleted, as well.
+//
+// Unless otherwise noted, operations in containerd apply only to the namespace
+// supplied per request.
+//
+// I hope this goes without saying, but namespaces are themselves NOT
+// namespaced.
+service Namespaces {
+	rpc Get(GetNamespaceRequest) returns (GetNamespaceResponse);
+	rpc List(ListNamespacesRequest) returns (ListNamespacesResponse);
+	rpc Create(CreateNamespaceRequest) returns (CreateNamespaceResponse);
+	rpc Update(UpdateNamespaceRequest) returns (UpdateNamespaceResponse);
+	rpc Delete(DeleteNamespaceRequest) returns (google.protobuf.Empty);
+}
+
+message Namespace {
+	string name = 1;
+
+	// Labels provides an area to include arbitrary data on namespaces.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	//
+	// Note that to add a new value to this field, read the existing set and
+	// include the entire result in the update call.
+	map<string, string> labels  = 2;
+}
+
+message GetNamespaceRequest {
+	string name = 1;
+}
+
+message GetNamespaceResponse {
+	Namespace namespace = 1;
+}
+
+message ListNamespacesRequest {
+	string filter = 1;
+}
+
+message ListNamespacesResponse {
+	repeated Namespace namespaces = 1;
+}
+
+message CreateNamespaceRequest {
+	Namespace namespace = 1;
+}
+
+message CreateNamespaceResponse {
+	Namespace namespace = 1;
+}
+
+// UpdateNamespaceRequest updates the metadata for a namespace.
+//
+// The operation should follow semantics described in
+// https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/field-mask,
+// unless otherwise qualified.
+message UpdateNamespaceRequest {
+	// Namespace provides the target value, as declared by the mask, for the update.
+	//
+	// The namespace field must be set.
+	Namespace namespace = 1;
+
+	// UpdateMask specifies which fields to perform the update on. If empty,
+	// the operation applies to all fields.
+	//
+	// For the most part, this applies only to selectively updating labels on
+	// the namespace. While field masks are typically limited to ascii alphas
+	// and digits, we just take everything after the "labels." as the map key.
+	google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateNamespaceResponse {
+	Namespace namespace = 1;
+}
+
+message DeleteNamespaceRequest {
+	string name = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/sandbox/v1/sandbox.proto

@@ -0,0 +1,204 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+// Sandbox is a v2 runtime extension that allows more complex execution environments for containers.
+// This adds a notion of groups of containers that share same lifecycle and/or resources.
+// A few good fits for sandbox can be:
+// - A "pause" container in k8s, that acts as a parent process for child containers to hold network namespace.
+// - (micro)VMs that launch a VM process and executes containers inside guest OS.
+// containerd in this case remains implementation agnostic and delegates sandbox handling to runtimes.
+// See proposal and discussion here: https://github.com/containerd/containerd/issues/4131
+package containerd.services.sandbox.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+import "github.com/containerd/containerd/api/types/sandbox.proto";
+import "github.com/containerd/containerd/api/types/mount.proto";
+import "github.com/containerd/containerd/api/types/platform.proto";
+import "github.com/containerd/containerd/api/types/metrics.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/sandbox/v1;sandbox";
+
+// Store provides a metadata storage interface for sandboxes. Similarly to `Containers`,
+// sandbox object includes info required to start a new instance, but no runtime state.
+// When running a new sandbox instance, store objects are used as base type to create from.
+service Store {
+	rpc Create(StoreCreateRequest) returns (StoreCreateResponse);
+	rpc Update(StoreUpdateRequest) returns (StoreUpdateResponse);
+	rpc Delete(StoreDeleteRequest) returns (StoreDeleteResponse);
+	rpc List(StoreListRequest) returns (StoreListResponse);
+	rpc Get(StoreGetRequest) returns (StoreGetResponse);
+}
+
+message StoreCreateRequest {
+	containerd.types.Sandbox sandbox = 1;
+}
+
+message StoreCreateResponse {
+	containerd.types.Sandbox sandbox = 1;
+}
+
+message StoreUpdateRequest {
+	containerd.types.Sandbox sandbox = 1;
+	repeated string fields = 2;
+}
+
+message StoreUpdateResponse {
+	containerd.types.Sandbox sandbox = 1;
+}
+
+message StoreDeleteRequest {
+	string sandbox_id = 1;
+}
+
+message StoreDeleteResponse {}
+
+message StoreListRequest {
+	repeated string filters = 1;
+}
+
+message StoreListResponse {
+	repeated containerd.types.Sandbox list = 1;
+}
+
+message StoreGetRequest {
+	string sandbox_id = 1;
+}
+
+message StoreGetResponse {
+	containerd.types.Sandbox sandbox = 1;
+}
+
+// Controller is an interface to manage runtime sandbox instances.
+service Controller {
+	rpc Create(ControllerCreateRequest) returns (ControllerCreateResponse);
+	rpc Start(ControllerStartRequest) returns (ControllerStartResponse);
+	rpc Platform(ControllerPlatformRequest) returns (ControllerPlatformResponse);
+	rpc Stop(ControllerStopRequest) returns (ControllerStopResponse);
+	rpc Wait(ControllerWaitRequest) returns (ControllerWaitResponse);
+	rpc Status(ControllerStatusRequest) returns (ControllerStatusResponse);
+	rpc Shutdown(ControllerShutdownRequest) returns (ControllerShutdownResponse);
+	rpc Metrics(ControllerMetricsRequest) returns (ControllerMetricsResponse);
+	rpc Update(ControllerUpdateRequest) returns (ControllerUpdateResponse);
+}
+
+message ControllerCreateRequest {
+	string sandbox_id = 1;
+	repeated containerd.types.Mount rootfs = 2;
+	google.protobuf.Any options = 3;
+	string netns_path = 4;
+	map<string, string> annotations = 5;
+	containerd.types.Sandbox sandbox = 6;
+	string sandboxer = 10;
+}
+
+message ControllerCreateResponse {
+	string sandbox_id = 1;
+}
+
+message ControllerStartRequest {
+	string sandbox_id = 1;
+	string sandboxer = 10;
+}
+
+message ControllerStartResponse {
+	string sandbox_id = 1;
+	uint32 pid = 2;
+	google.protobuf.Timestamp created_at = 3;
+	map<string, string> labels = 4;
+	// Address of the sandbox for containerd to connect,
+	// for calling Task or other APIs serving in the sandbox.
+	// it is in the form of ttrpc+unix://path/to/uds or grpc+vsock://<vsock cid>:<port>.
+	string address = 5;
+	uint32 version = 6;
+}
+
+message ControllerPlatformRequest {
+	string sandbox_id = 1;
+	string sandboxer = 10;
+}
+
+message ControllerPlatformResponse {
+	containerd.types.Platform platform = 1;
+}
+
+message ControllerStopRequest {
+	string sandbox_id = 1;
+	uint32 timeout_secs = 2;
+	string sandboxer = 10;
+}
+
+message ControllerStopResponse {}
+
+message ControllerWaitRequest {
+	string sandbox_id = 1;
+	string sandboxer = 10;
+}
+
+message ControllerWaitResponse {
+	uint32 exit_status = 1;
+	google.protobuf.Timestamp exited_at = 2;
+}
+
+message ControllerStatusRequest {
+	string sandbox_id = 1;
+	bool verbose = 2;
+	string sandboxer = 10;
+}
+
+message ControllerStatusResponse {
+	string sandbox_id = 1;
+	uint32 pid = 2;
+	string state = 3;
+	map<string, string> info = 4;
+	google.protobuf.Timestamp created_at = 5;
+	google.protobuf.Timestamp exited_at = 6;
+	google.protobuf.Any extra = 7;
+	// Address of the sandbox for containerd to connect,
+	// for calling Task or other APIs serving in the sandbox.
+	// it is in the form of ttrpc+unix://path/to/uds or grpc+vsock://<vsock cid>:<port>.
+	string address = 8;
+	uint32 version = 9;
+}
+
+message ControllerShutdownRequest {
+	string sandbox_id = 1;
+	string sandboxer = 10;
+}
+
+message ControllerShutdownResponse {}
+
+message ControllerMetricsRequest {
+	string sandbox_id = 1;
+	string sandboxer = 10;
+}
+
+message ControllerMetricsResponse {
+	types.Metric metrics = 1;
+}
+
+message ControllerUpdateRequest {
+	string sandbox_id = 1;
+	string sandboxer = 2;
+	containerd.types.Sandbox sandbox = 3;
+	repeated string fields = 4;
+}
+
+message ControllerUpdateResponse {
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.proto

@@ -0,0 +1,181 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.snapshots.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "github.com/containerd/containerd/api/types/mount.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/snapshots/v1;snapshots";
+
+// Snapshot service manages snapshots
+service Snapshots {
+	rpc Prepare(PrepareSnapshotRequest) returns (PrepareSnapshotResponse);
+	rpc View(ViewSnapshotRequest) returns (ViewSnapshotResponse);
+	rpc Mounts(MountsRequest) returns (MountsResponse);
+	rpc Commit(CommitSnapshotRequest) returns (google.protobuf.Empty);
+	rpc Remove(RemoveSnapshotRequest) returns (google.protobuf.Empty);
+	rpc Stat(StatSnapshotRequest) returns (StatSnapshotResponse);
+	rpc Update(UpdateSnapshotRequest) returns (UpdateSnapshotResponse);
+	rpc List(ListSnapshotsRequest) returns (stream ListSnapshotsResponse);
+	rpc Usage(UsageRequest) returns (UsageResponse);
+	rpc Cleanup(CleanupRequest) returns (google.protobuf.Empty);
+}
+
+message PrepareSnapshotRequest {
+	string snapshotter = 1;
+	string key = 2;
+	string parent = 3;
+
+	// Labels are arbitrary data on snapshots.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	map<string, string> labels  = 4;
+}
+
+message PrepareSnapshotResponse {
+	repeated containerd.types.Mount mounts = 1;
+}
+
+message ViewSnapshotRequest {
+	string snapshotter = 1;
+	string key = 2;
+	string parent = 3;
+
+	// Labels are arbitrary data on snapshots.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	map<string, string> labels  = 4;
+}
+
+message ViewSnapshotResponse {
+	repeated containerd.types.Mount mounts = 1;
+}
+
+message MountsRequest {
+	string snapshotter = 1;
+	string key = 2;
+}
+
+message MountsResponse {
+	repeated containerd.types.Mount mounts = 1;
+}
+
+message RemoveSnapshotRequest {
+	string snapshotter = 1;
+	string key = 2;
+}
+
+message CommitSnapshotRequest {
+	string snapshotter = 1;
+	string name = 2;
+	string key = 3;
+
+	// Labels are arbitrary data on snapshots.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	map<string, string> labels  = 4;
+
+	string parent = 5;
+}
+
+message StatSnapshotRequest {
+	string snapshotter = 1;
+	string key = 2;
+}
+
+enum Kind {
+	UNKNOWN = 0;
+	VIEW = 1;
+	ACTIVE = 2;
+	COMMITTED = 3;
+}
+
+message Info {
+	string name = 1;
+	string parent = 2;
+	Kind kind = 3;
+
+	// CreatedAt provides the time at which the snapshot was created.
+	google.protobuf.Timestamp created_at = 4;
+
+	// UpdatedAt provides the time the info was last updated.
+	google.protobuf.Timestamp updated_at = 5;
+
+	// Labels are arbitrary data on snapshots.
+	//
+	// The combined size of a key/value pair cannot exceed 4096 bytes.
+	map<string, string> labels  = 6;
+}
+
+message StatSnapshotResponse {
+	Info info = 1;
+}
+
+message UpdateSnapshotRequest {
+	string snapshotter = 1;
+	Info info = 2;
+
+	// UpdateMask specifies which fields to perform the update on. If empty,
+	// the operation applies to all fields.
+	//
+	// In info, Name, Parent, Kind, Created are immutable,
+	// other field may be updated using this mask.
+	// If no mask is provided, all mutable field are updated.
+	google.protobuf.FieldMask update_mask = 3;
+}
+
+message UpdateSnapshotResponse {
+	Info info = 1;
+}
+
+message ListSnapshotsRequest{
+	string snapshotter = 1;
+
+	// Filters contains one or more filters using the syntax defined in the
+	// containerd filter package.
+	//
+	// The returned result will be those that match any of the provided
+	// filters. Expanded, images that match the following will be
+	// returned:
+	//
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//
+	// If filters is zero-length or nil, all items will be returned.
+	repeated string filters = 2;
+}
+
+message ListSnapshotsResponse {
+	repeated Info info = 1;
+}
+
+message UsageRequest {
+	string snapshotter = 1;
+	string key = 2;
+}
+
+message UsageResponse {
+	int64 size = 1;
+	int64 inodes = 2;
+}
+
+message CleanupRequest {
+	string snapshotter = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/streaming/v1/streaming.proto

@@ -0,0 +1,31 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.streaming.v1;
+
+import "google/protobuf/any.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/streaming/v1;streaming";
+
+service Streaming {
+	rpc Stream(stream google.protobuf.Any) returns (stream google.protobuf.Any);
+}
+
+message StreamInit {
+	string id = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/tasks/v1/tasks.proto

@@ -0,0 +1,227 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.tasks.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/any.proto";
+import "github.com/containerd/containerd/api/types/mount.proto";
+import "github.com/containerd/containerd/api/types/metrics.proto";
+import "github.com/containerd/containerd/api/types/descriptor.proto";
+import "github.com/containerd/containerd/api/types/task/task.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/tasks/v1;tasks";
+
+service Tasks {
+	// Create a task.
+	rpc Create(CreateTaskRequest) returns (CreateTaskResponse);
+
+	// Start a process.
+	rpc Start(StartRequest) returns (StartResponse);
+
+	// Delete a task and on disk state.
+	rpc Delete(DeleteTaskRequest) returns (DeleteResponse);
+
+	rpc DeleteProcess(DeleteProcessRequest) returns (DeleteResponse);
+
+	rpc Get(GetRequest) returns (GetResponse);
+
+	rpc List(ListTasksRequest) returns (ListTasksResponse);
+
+	// Kill a task or process.
+	rpc Kill(KillRequest) returns (google.protobuf.Empty);
+
+	rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty);
+
+	rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty);
+
+	rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty);
+
+	rpc Pause(PauseTaskRequest) returns (google.protobuf.Empty);
+
+	rpc Resume(ResumeTaskRequest) returns (google.protobuf.Empty);
+
+	rpc ListPids(ListPidsRequest) returns (ListPidsResponse);
+
+	rpc Checkpoint(CheckpointTaskRequest) returns (CheckpointTaskResponse);
+
+	rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty);
+
+	rpc Metrics(MetricsRequest) returns (MetricsResponse);
+
+	rpc Wait(WaitRequest) returns (WaitResponse);
+}
+
+message CreateTaskRequest {
+	string container_id = 1;
+
+	// RootFS provides the pre-chroot mounts to perform in the shim before
+	// executing the container task.
+	//
+	// These are for mounts that cannot be performed in the user namespace.
+	// Typically, these mounts should be resolved from snapshots specified on
+	// the container object.
+	repeated containerd.types.Mount rootfs = 3;
+
+	string stdin = 4;
+	string stdout = 5;
+	string stderr = 6;
+	bool terminal = 7;
+
+	containerd.types.Descriptor checkpoint = 8;
+
+	google.protobuf.Any options = 9;
+
+	string runtime_path = 10;
+}
+
+message CreateTaskResponse {
+	string container_id = 1;
+	uint32 pid = 2;
+}
+
+message StartRequest {
+	string container_id = 1;
+	string exec_id = 2;
+}
+
+message StartResponse {
+	uint32 pid = 1;
+}
+
+message DeleteTaskRequest {
+	string container_id = 1;
+}
+
+message DeleteResponse {
+	string id = 1;
+	uint32 pid = 2;
+	uint32 exit_status = 3;
+	google.protobuf.Timestamp exited_at = 4;
+}
+
+message DeleteProcessRequest {
+	string container_id = 1;
+	string exec_id = 2;
+}
+
+message GetRequest {
+	string container_id = 1;
+	string exec_id = 2;
+}
+
+message GetResponse {
+	containerd.v1.types.Process process = 1;
+}
+
+message ListTasksRequest {
+	string filter = 1;
+}
+
+message ListTasksResponse {
+	repeated containerd.v1.types.Process tasks = 1;
+}
+
+message KillRequest {
+	string container_id = 1;
+	string exec_id = 2;
+	uint32 signal = 3;
+	bool all = 4;
+}
+
+message ExecProcessRequest {
+	string container_id = 1;
+	string stdin = 2;
+	string stdout = 3;
+	string stderr = 4;
+	bool terminal = 5;
+	// Spec for starting a process in the target container.
+	//
+	// For runc, this is a process spec, for example.
+	google.protobuf.Any spec = 6;
+	// id of the exec process
+	string exec_id = 7;
+}
+
+message ExecProcessResponse {
+}
+
+message ResizePtyRequest {
+	string container_id = 1;
+	string exec_id = 2;
+	uint32 width = 3;
+	uint32 height = 4;
+}
+
+message CloseIORequest {
+	string container_id = 1;
+	string exec_id = 2;
+	bool stdin = 3;
+}
+
+message PauseTaskRequest {
+	string container_id = 1;
+}
+
+message ResumeTaskRequest {
+	string container_id = 1;
+}
+
+message ListPidsRequest {
+	string container_id = 1;
+}
+
+message ListPidsResponse {
+	// Processes includes the process ID and additional process information
+	repeated containerd.v1.types.ProcessInfo processes = 1;
+}
+
+message CheckpointTaskRequest {
+	string container_id = 1;
+	string parent_checkpoint = 2;
+	google.protobuf.Any options = 3;
+}
+
+message CheckpointTaskResponse {
+	repeated containerd.types.Descriptor descriptors = 1;
+}
+
+message UpdateTaskRequest {
+	string container_id = 1;
+	google.protobuf.Any resources = 2;
+	map<string, string> annotations = 3;
+}
+
+message MetricsRequest {
+	repeated string filters = 1;
+}
+
+message MetricsResponse {
+	repeated types.Metric metrics = 1;
+}
+
+message WaitRequest {
+	string container_id = 1;
+	string exec_id = 2;
+}
+
+message WaitResponse {
+	uint32 exit_status = 1;
+	google.protobuf.Timestamp exited_at = 2;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/transfer/v1/transfer.proto

@@ -0,0 +1,39 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.transfer.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/transfer/v1;transfer";
+
+service Transfer {
+	rpc Transfer(TransferRequest) returns (google.protobuf.Empty);
+}
+
+message TransferRequest {
+	google.protobuf.Any source = 1;
+	google.protobuf.Any destination = 2;
+	TransferOptions options = 3;
+}
+
+message TransferOptions {
+	string progress_stream = 1;
+	// Progress min interval
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/services/version/v1/version.proto

@@ -0,0 +1,33 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.version.v1;
+
+import "google/protobuf/empty.proto";
+
+// TODO(stevvooe): Should version service actually be versioned?
+option go_package = "github.com/containerd/containerd/api/services/version/v1;version";
+
+service Version {
+	rpc Version(google.protobuf.Empty) returns (VersionResponse);
+}
+
+message VersionResponse {
+	string version = 1;
+	string revision = 2;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/descriptor.proto

@@ -0,0 +1,33 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types;
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+// Descriptor describes a blob in a content store.
+//
+// This descriptor can be used to reference content from an
+// oci descriptor found in a manifest.
+// See https://godoc.org/github.com/opencontainers/image-spec/specs-go/v1#Descriptor
+message Descriptor {
+	string media_type = 1;
+	string digest = 2;
+	int64 size = 3;
+	map<string, string> annotations = 5;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/event.proto

@@ -0,0 +1,33 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types;
+
+import "github.com/containerd/containerd/api/types/fieldpath.proto";
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+message Envelope {
+	option (containerd.types.fieldpath) = true;
+	google.protobuf.Timestamp timestamp = 1;
+	string namespace = 2;
+	string topic = 3;
+	google.protobuf.Any event = 4;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/fieldpath.proto

@@ -0,0 +1,42 @@
+// Protocol Buffers for Go with Gadgets
+//
+// Copyright (c) 2013, The GoGo Authors. All rights reserved.
+// http://github.com/gogo/protobuf
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+syntax = "proto3";
+package containerd.types;
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+extend google.protobuf.FileOptions {
+	optional bool fieldpath_all = 63300;
+}
+
+extend google.protobuf.MessageOptions {
+	optional bool fieldpath = 64400;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/introspection.proto

@@ -0,0 +1,46 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types;
+
+import "google/protobuf/any.proto";
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+message RuntimeRequest {
+	string runtime_path = 1;
+	// Options correspond to CreateTaskRequest.options.
+	// This is needed to pass the runc binary path, etc.
+	google.protobuf.Any options = 2;
+}
+
+message RuntimeVersion {
+	string version = 1;
+	string revision = 2;
+}
+
+message RuntimeInfo {
+	string name = 1;
+	RuntimeVersion version = 2;
+	// Options correspond to RuntimeInfoRequest.Options (contains runc binary path, etc.)
+	google.protobuf.Any options = 3;
+	// OCI-compatible runtimes should use https://github.com/opencontainers/runtime-spec/blob/main/features.md
+	google.protobuf.Any features = 4;
+	// Annotations of the shim. Irrelevant to features.Annotations.
+	map<string, string> annotations = 5;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/metrics.proto

@@ -0,0 +1,30 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+message Metric {
+	google.protobuf.Timestamp timestamp = 1;
+	string id = 2;
+	google.protobuf.Any data = 3;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/mount.proto

@@ -0,0 +1,65 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+// Mount describes mounts for a container.
+//
+// This type is the lingua franca of ContainerD. All services provide mounts
+// to be used with the container at creation time.
+//
+// The Mount type follows the structure of the mount syscall, including a type,
+// source, target and options.
+message Mount {
+	// Type defines the nature of the mount.
+	string type = 1;
+
+	// Source specifies the name of the mount. Depending on mount type, this
+	// may be a volume name or a host path, or even ignored.
+	string source = 2;
+
+	// Target path in container
+	string target = 3;
+
+	// Options specifies zero or more fstab style mount options.
+	repeated string options = 4;
+}
+
+message ActiveMount {
+	Mount mount = 1;
+
+	google.protobuf.Timestamp mounted_at = 2;
+
+	string mount_point = 3;
+
+	map<string, string> data = 4;
+}
+
+message ActivationInfo {
+	string name = 1;
+
+	repeated ActiveMount active = 2;
+
+	repeated Mount system = 3;
+
+	map<string, string> labels = 4;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/platform.proto

@@ -0,0 +1,30 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types;
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+// Platform follows the structure of the OCI platform specification, from
+// descriptors.
+message Platform {
+	string os = 1;
+	string architecture = 2;
+	string variant = 3;
+	string os_version = 4;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/runc/options/oci.proto

@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package containerd.runc.v1;
+
+option go_package = "github.com/containerd/containerd/api/types/runc/options;options";
+
+message Options {
+	// disable pivot root when creating a container
+	bool no_pivot_root = 1;
+	// create a new keyring for the container
+	bool no_new_keyring = 2;
+	// place the shim in a cgroup
+	string shim_cgroup = 3;
+	// set the I/O's pipes uid
+	uint32 io_uid = 4;
+	// set the I/O's pipes gid
+	uint32 io_gid = 5;
+	// binary name of the runc binary
+	string binary_name = 6;
+	// runc root directory
+	string root = 7;
+	// criu binary path.
+	//
+	// Removed in containerd v2.0: string criu_path = 8;
+	reserved 8;
+	// enable systemd cgroups
+	bool systemd_cgroup = 9;
+	// criu image path
+	string criu_image_path = 10;
+	// criu work path
+	string criu_work_path = 11;
+	// task api address, can be a unix domain socket, or vsock address.
+	// it is in the form of ttrpc+unix://path/to/uds or grpc+vsock://<vsock cid>:<port>.
+	string task_api_address = 12;
+	// task api version, currently supported value is 2 and 3.
+	uint32 task_api_version = 13;
+}
+
+message CheckpointOptions {
+	// exit the container after a checkpoint
+	bool exit = 1;
+	// checkpoint open tcp connections
+	bool open_tcp = 2;
+	// checkpoint external unix sockets
+	bool external_unix_sockets = 3;
+	// checkpoint terminals (ptys)
+	bool terminal = 4;
+	// allow checkpointing of file locks
+	bool file_locks = 5;
+	// restore provided namespaces as empty namespaces
+	repeated string empty_namespaces = 6;
+	// set the cgroups mode, soft, full, strict
+	string cgroups_mode = 7;
+	// checkpoint image path
+	string image_path = 8;
+	// checkpoint work path
+	string work_path = 9;
+}
+
+message ProcessDetails {
+	// exec process id if the process is managed by a shim
+	string exec_id = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/runtimeoptions/v1/api.proto

@@ -0,0 +1,17 @@
+// To regenerate api.pb.go run `make protos`
+syntax = "proto3";
+
+package runtimeoptions.v1;
+
+option go_package = "github.com/containerd/containerd/api/types/runtimeoptions/v1;runtimeoptions";
+
+message Options {
+	// TypeUrl specifies the type of the content inside the config file.
+	string type_url = 1;
+	// ConfigPath specifies the filesystem location of the config file
+	// used by the runtime.
+	string config_path = 2;
+	// Blob specifies an in-memory TOML blob passed from containerd's configuration section
+	// for this runtime. This will be used if config_path is not specified.
+	bytes config_body = 3;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/sandbox.proto

@@ -0,0 +1,54 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/types;types";
+
+// Sandbox represents a sandbox metadata object that keeps all info required by controller to
+// work with a particular instance.
+message Sandbox {
+	// SandboxID is a unique instance identifier within namespace
+	string sandbox_id = 1;
+	message Runtime {
+		// Name is the name of the runtime.
+		string name = 1;
+		// Options specify additional runtime initialization options for the shim (this data will be available in StartShim).
+		// Typically this data expected to be runtime shim implementation specific.
+		google.protobuf.Any options = 2;
+	}
+	// Runtime specifies which runtime to use for executing this container.
+	Runtime runtime = 2;
+	// Spec is sandbox configuration (kin of OCI runtime spec), spec's data will be written to a config.json file in the
+	// bundle directory (similary to OCI spec).
+	google.protobuf.Any spec = 3;
+	// Labels provides an area to include arbitrary data on containers.
+	map<string, string> labels = 4;
+	// CreatedAt is the time the container was first created.
+	google.protobuf.Timestamp created_at = 5;
+	// UpdatedAt is the last time the container was mutated.
+	google.protobuf.Timestamp updated_at = 6;
+	// Extensions allow clients to provide optional blobs that can be handled by runtime.
+	map<string, google.protobuf.Any> extensions = 7;
+	// Sandboxer is the name of the sandbox controller who manages the sandbox.
+	string sandboxer = 10;
+
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/task/task.proto

@@ -0,0 +1,55 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.v1.types;
+
+import "google/protobuf/timestamp.proto";
+import "google/protobuf/any.proto";
+
+option go_package = "github.com/containerd/containerd/api/types/task";
+
+enum Status {
+	UNKNOWN = 0;
+	CREATED = 1;
+	RUNNING = 2;
+	STOPPED = 3;
+	PAUSED = 4;
+	PAUSING = 5;
+}
+
+message Process {
+	string container_id = 1;
+	string id = 2;
+	uint32 pid = 3;
+	Status status = 4;
+	string stdin = 5;
+	string stdout = 6;
+	string stderr = 7;
+	bool terminal = 8;
+	uint32 exit_status = 9;
+	google.protobuf.Timestamp exited_at = 10;
+}
+
+message ProcessInfo {
+	// PID is the process ID.
+	uint32 pid = 1;
+	// Info contains additional process information.
+	//
+	// Info varies by platform.
+	google.protobuf.Any info = 2;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/transfer/imagestore.proto

@@ -0,0 +1,82 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types.transfer;
+
+import "github.com/containerd/containerd/api/types/platform.proto";
+
+option go_package = "github.com/containerd/containerd/api/types/transfer";
+
+message ImageStore {
+	string name = 1;
+	map<string, string> labels = 2;
+
+	// Content filters
+
+	repeated types.Platform platforms = 3;
+	bool all_metadata = 4;
+	uint32 manifest_limit = 5;
+
+	// Import naming
+
+	// extra_references are used to set image names on imports of sub-images from the index
+	repeated ImageReference extra_references = 6;
+
+	// Unpack Configuration, multiple allowed
+
+	repeated UnpackConfiguration unpacks = 10;
+}
+
+message UnpackConfiguration {
+	// platform is the platform to unpack for, used for resolving manifest and snapshotter
+	// if not provided
+	types.Platform platform = 1;
+
+	// snapshotter to unpack to, if not provided default for platform shoudl be used
+	string snapshotter = 2;
+}
+
+// ImageReference is used to create or find a reference for an image
+message ImageReference {
+	string name = 1;
+
+	// is_prefix determines whether the Name should be considered
+	// a prefix (without tag or digest).
+	// For lookup, this may allow matching multiple tags.
+	// For store, this must have a tag or digest added.
+	bool is_prefix = 2;
+
+	// allow_overwrite allows overwriting or ignoring the name if
+	// another reference is provided (such as through an annotation).
+	// Only used if IsPrefix is true.
+	bool allow_overwrite = 3;
+
+	// add_digest adds the manifest digest to the reference.
+	// For lookup, this allows matching tags with any digest.
+	// For store, this allows adding the digest to the name.
+	// Only used if IsPrefix is true.
+	bool add_digest = 4;
+
+	// skip_named_digest only considers digest references which do not
+	// have a non-digested named reference.
+	// For lookup, this will deduplicate digest references when there is a named match.
+	// For store, this only adds this digest reference when there is no matching full
+	// name reference from the prefix.
+	// Only used if IsPrefix is true.
+	bool skip_named_digest = 5;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/transfer/importexport.proto

@@ -0,0 +1,52 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types.transfer;
+
+option go_package = "github.com/containerd/containerd/api/types/transfer";
+
+import "github.com/containerd/containerd/api/types/platform.proto";
+
+message ImageImportStream {
+	// Stream is used to identify the binary input stream for the import operation.
+	// The stream uses the transfer binary stream protocol with the client as the sender.
+	// The binary data is expected to be a raw tar stream.
+	string stream = 1;
+
+	string media_type = 2;
+
+	bool force_compress = 3;
+}
+
+message ImageExportStream {
+	// Stream is used to identify the binary output stream for the export operation.
+	// The stream uses the transfer binary stream protocol with the server as the sender.
+	// The binary data is expected to be a raw tar stream.
+	string stream = 1;
+
+	string media_type = 2;
+
+	// The specified platforms
+	repeated types.Platform platforms = 3;
+	// Whether to include all platforms
+	bool all_platforms = 4;
+	// Skips the creation of the Docker compatible manifest.json file
+	bool skip_compatibility_manifest = 5;
+	// Excludes non-distributable blobs such as Windows base layers.
+	bool skip_non_distributable = 6;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/transfer/progress.proto

@@ -0,0 +1,32 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types.transfer;
+
+import "github.com/containerd/containerd/api/types/descriptor.proto";
+
+option go_package = "github.com/containerd/containerd/api/types/transfer";
+
+message Progress {
+	string event = 1;
+	string name = 2;
+	repeated string parents = 3;
+	int64 progress = 4;
+	int64 total = 5;
+	containerd.types.Descriptor desc = 6;
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/transfer/registry.proto

@@ -0,0 +1,97 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types.transfer;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/types/transfer";
+
+message OCIRegistry {
+	string reference = 1;
+	RegistryResolver resolver = 2;
+}
+
+enum HTTPDebug {
+	DISABLED = 0;
+	// Enable HTTP debugging
+	DEBUG = 1;
+	// Enable HTTP requests tracing
+	TRACE = 2;
+	// Enable both HTTP debugging and requests tracing
+	BOTH = 3;
+}
+
+message RegistryResolver {
+	// auth_stream is used to refer to a stream which auth callbacks may be
+	// made on.
+	string auth_stream = 1;
+
+	// Headers
+	map<string, string> headers = 2;
+
+	string host_dir = 3;
+
+	string default_scheme = 4;
+	// Force skip verify
+	// CA callback? Client TLS callback?
+
+	// Whether to debug/trace HTTP requests to OCI registry.
+	HTTPDebug http_debug = 5;
+
+	// Stream ID to use for HTTP logs (when logs are streamed to client).
+	// When empty, logs are written to containerd logs.
+	string logs_stream = 6;
+}
+
+// AuthRequest is sent as a callback on a stream
+message AuthRequest {
+	// host is the registry host
+	string host = 1;
+
+	// reference is the namespace and repository name requested from the registry
+	string reference = 2;
+
+	// wwwauthenticate is the HTTP WWW-Authenticate header values returned from the registry
+	repeated string wwwauthenticate = 3;
+}
+
+enum AuthType {
+	NONE = 0;
+
+	// CREDENTIALS is used to exchange username/password for access token
+	// using an oauth or "Docker Registry Token" server
+	CREDENTIALS = 1;
+
+	// REFRESH is used to exchange secret for access token using an oauth
+	// or "Docker Registry Token" server
+	REFRESH = 2;
+
+	// HEADER is used to set the HTTP Authorization header to secret
+	// directly for the registry.
+	// Value should be `<auth-scheme> <authorization-parameters>`
+	HEADER = 3;
+}
+
+message AuthResponse {
+	AuthType authType = 1;
+	string secret = 2;
+	string username = 3;
+	google.protobuf.Timestamp expire_at = 4;
+	// TODO: Stream error
+}

wfe-buildkit-protos/proto/github.com/containerd/containerd/api/types/transfer/streaming.proto

@@ -0,0 +1,29 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.types.transfer;
+
+option go_package = "github.com/containerd/containerd/api/types/transfer";
+
+message Data {
+	bytes data = 1;
+}
+
+message WindowUpdate {
+	int32 update = 1;
+}

wfe-buildkit-protos/proto/github.com/containerd/continuity/proto/manifest.proto

@@ -0,0 +1,98 @@
+syntax = "proto3";
+
+package proto;
+option go_package = "github.com/containerd/continuity/proto;proto";
+
+// Manifest specifies the entries in a container bundle, keyed and sorted by
+// path.
+message Manifest {
+    repeated Resource resource = 1;
+}
+
+message Resource {
+    // Path specifies the path from the bundle root. If more than one
+    // path is present, the entry may represent a hardlink, rather than using
+    // a link target. The path format is operating system specific.
+    repeated string path = 1;
+
+    // NOTE(stevvooe): Need to define clear precedence for user/group/uid/gid precedence.
+
+    // Uid specifies the user id for the resource.
+    int64 uid = 2;
+
+    // Gid specifies the group id for the resource.
+    int64 gid = 3;
+
+    // user and group are not currently used but their field numbers have been
+    // reserved for future use. As such, they are marked as deprecated.
+    string user = 4 [deprecated=true]; // "deprecated" stands for "reserved" here
+    string group = 5 [deprecated=true]; // "deprecated" stands for "reserved" here
+
+    // Mode defines the file mode and permissions. We've used the same
+    // bit-packing from Go's os package,
+    // http://golang.org/pkg/os/#FileMode, since they've done the work of
+    // creating a cross-platform layout.
+    uint32 mode = 6;
+
+    // NOTE(stevvooe): Beyond here, we start defining type specific fields.
+
+    // Size specifies the size in bytes of the resource. This is only valid
+    // for regular files.
+    uint64 size = 7;
+
+    // Digest specifies the content digest of the target file. Only valid for
+    // regular files. The strings are formatted in OCI style, i.e. <alg>:<encoded>.
+    // For detailed information about the format, please refer to OCI Image Spec:
+    // https://github.com/opencontainers/image-spec/blob/master/descriptor.md#digests-and-verification
+    // The digests are sorted in lexical order and implementations may choose
+    // which algorithms they prefer.
+    repeated string digest = 8;
+
+    // Target defines the target of a hard or soft link. Absolute links start
+    // with a slash and specify the resource relative to the bundle root.
+    // Relative links do not start with a slash and are relative to the
+    // resource path.
+    string target = 9;
+
+    // Major specifies the major device number for character and block devices.
+    uint64 major = 10;
+
+    // Minor specifies the minor device number for character and block devices.
+    uint64 minor = 11;
+
+    // Xattr provides storage for extended attributes for the target resource.
+    repeated XAttr xattr = 12;
+
+    // Ads stores one or more alternate data streams for the target resource.
+    repeated ADSEntry ads = 13;
+
+}
+
+// XAttr encodes extended attributes for a resource.
+message XAttr {
+    // Name specifies the attribute name.
+    string name = 1;
+
+    // Data specifies the associated data for the attribute.
+    bytes data = 2;
+}
+
+// ADSEntry encodes information for a Windows Alternate Data Stream.
+message ADSEntry {
+    // Name specifices the stream name.
+    string name = 1;
+
+    // Data specifies the stream data.
+    // See also the description about the digest below.
+    bytes data = 2;
+
+    // Digest is a CAS representation of the stream data.
+    //
+    // At least one of data or digest MUST be specified, and either one of them
+    // SHOULD be specified.
+    //
+    // How to access the actual data using the digest is implementation-specific,
+    // and implementations can choose not to implement digest.
+    // So, digest SHOULD be used only when the stream data is large.
+    string digest = 3;
+}

wfe-buildkit-protos/proto/github.com/containerd/ttrpc/request.proto

@@ -0,0 +1,29 @@
+syntax = "proto3";
+
+package ttrpc;
+
+import "proto/status.proto";
+
+option go_package = "github.com/containerd/ttrpc";
+
+message Request {
+	string service = 1;
+	string method = 2;
+	bytes payload = 3;
+	int64 timeout_nano = 4;
+	repeated KeyValue metadata = 5;
+}
+
+message Response {
+	Status status = 1;
+	bytes payload = 2;
+}
+
+message StringList {
+	repeated string list = 1;
+}
+
+message KeyValue {
+	string key = 1;
+	string value = 2;
+}

wfe-buildkit-protos/proto/github.com/containerd/ttrpc/test.proto

@@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package ttrpc;
+
+option go_package = "github.com/containerd/ttrpc/internal";
+
+message TestPayload {
+	string foo = 1;
+	int64 deadline = 2;
+	string metadata = 3;
+}
+
+message EchoPayload {
+	int64 seq = 1;
+	string msg = 2;
+}

wfe-buildkit-protos/proto/github.com/google/certificate-transparency-go/client/configpb/multilog.proto

@@ -0,0 +1,45 @@
+// Copyright 2017 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package configpb;
+
+option go_package = "github.com/google/certificate-transparency-go/client/multilog/configpb";
+
+import "google/protobuf/timestamp.proto";
+
+// TemporalLogConfig is a set of LogShardConfig messages, whose
+// time limits should be contiguous.
+message TemporalLogConfig {
+  repeated LogShardConfig shard = 1;
+}
+
+// LogShardConfig describes the acceptable date range for a single shard of a temporal
+// log.
+message LogShardConfig {
+  string uri = 1;
+
+  // The log's public key in DER-encoded PKIX form.
+  bytes public_key_der = 2;
+
+  // not_after_start defines the start of the range of acceptable NotAfter
+  // values, inclusive.
+  // Leaving this unset implies no lower bound to the range.
+  google.protobuf.Timestamp not_after_start = 3;
+  // not_after_limit defines the end of the range of acceptable NotAfter values,
+  // exclusive.
+  // Leaving this unset implies no upper bound to the range.
+  google.protobuf.Timestamp not_after_limit = 4;
+}

wfe-buildkit-protos/proto/github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options/annotations.proto

@@ -0,0 +1,51 @@
+syntax = "proto3";
+
+package grpc.gateway.protoc_gen_openapiv2.options;
+
+import "google/protobuf/descriptor.proto";
+import "protoc-gen-openapiv2/options/openapiv2.proto";
+
+option go_package = "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options";
+
+extend google.protobuf.FileOptions {
+  // ID assigned by protobuf-global-extension-registry@google.com for gRPC-Gateway project.
+  //
+  // All IDs are the same, as assigned. It is okay that they are the same, as they extend
+  // different descriptor messages.
+  Swagger openapiv2_swagger = 1042;
+}
+extend google.protobuf.MethodOptions {
+  // ID assigned by protobuf-global-extension-registry@google.com for gRPC-Gateway project.
+  //
+  // All IDs are the same, as assigned. It is okay that they are the same, as they extend
+  // different descriptor messages.
+  Operation openapiv2_operation = 1042;
+}
+extend google.protobuf.MessageOptions {
+  // ID assigned by protobuf-global-extension-registry@google.com for gRPC-Gateway project.
+  //
+  // All IDs are the same, as assigned. It is okay that they are the same, as they extend
+  // different descriptor messages.
+  Schema openapiv2_schema = 1042;
+}
+extend google.protobuf.EnumOptions {
+  // ID assigned by protobuf-global-extension-registry@google.com for gRPC-Gateway project.
+  //
+  // All IDs are the same, as assigned. It is okay that they are the same, as they extend
+  // different descriptor messages.
+  EnumSchema openapiv2_enum = 1042;
+}
+extend google.protobuf.ServiceOptions {
+  // ID assigned by protobuf-global-extension-registry@google.com for gRPC-Gateway project.
+  //
+  // All IDs are the same, as assigned. It is okay that they are the same, as they extend
+  // different descriptor messages.
+  Tag openapiv2_tag = 1042;
+}
+extend google.protobuf.FieldOptions {
+  // ID assigned by protobuf-global-extension-registry@google.com for gRPC-Gateway project.
+  //
+  // All IDs are the same, as assigned. It is okay that they are the same, as they extend
+  // different descriptor messages.
+  JSONSchema openapiv2_field = 1042;
+}

wfe-buildkit-protos/proto/github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options/openapiv2.proto

@@ -0,0 +1,762 @@
+syntax = "proto3";
+
+package grpc.gateway.protoc_gen_openapiv2.options;
+
+import "google/protobuf/struct.proto";
+
+option go_package = "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options";
+
+// Scheme describes the schemes supported by the OpenAPI Swagger
+// and Operation objects.
+enum Scheme {
+  UNKNOWN = 0;
+  HTTP = 1;
+  HTTPS = 2;
+  WS = 3;
+  WSS = 4;
+}
+
+// `Swagger` is a representation of OpenAPI v2 specification's Swagger object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#swaggerObject
+//
+// Example:
+//
+//  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+//    info: {
+//      title: "Echo API";
+//      version: "1.0";
+//      description: "";
+//      contact: {
+//        name: "gRPC-Gateway project";
+//        url: "https://github.com/grpc-ecosystem/grpc-gateway";
+//        email: "none@example.com";
+//      };
+//      license: {
+//        name: "BSD 3-Clause License";
+//        url: "https://github.com/grpc-ecosystem/grpc-gateway/blob/main/LICENSE";
+//      };
+//    };
+//    schemes: HTTPS;
+//    consumes: "application/json";
+//    produces: "application/json";
+//  };
+//
+message Swagger {
+  // Specifies the OpenAPI Specification version being used. It can be
+  // used by the OpenAPI UI and other clients to interpret the API listing. The
+  // value MUST be "2.0".
+  string swagger = 1;
+  // Provides metadata about the API. The metadata can be used by the
+  // clients if needed.
+  Info info = 2;
+  // The host (name or ip) serving the API. This MUST be the host only and does
+  // not include the scheme nor sub-paths. It MAY include a port. If the host is
+  // not included, the host serving the documentation is to be used (including
+  // the port). The host does not support path templating.
+  string host = 3;
+  // The base path on which the API is served, which is relative to the host. If
+  // it is not included, the API is served directly under the host. The value
+  // MUST start with a leading slash (/). The basePath does not support path
+  // templating.
+  // Note that using `base_path` does not change the endpoint paths that are
+  // generated in the resulting OpenAPI file. If you wish to use `base_path`
+  // with relatively generated OpenAPI paths, the `base_path` prefix must be
+  // manually removed from your `google.api.http` paths and your code changed to
+  // serve the API from the `base_path`.
+  string base_path = 4;
+  // The transfer protocol of the API. Values MUST be from the list: "http",
+  // "https", "ws", "wss". If the schemes is not included, the default scheme to
+  // be used is the one used to access the OpenAPI definition itself.
+  repeated Scheme schemes = 5;
+  // A list of MIME types the APIs can consume. This is global to all APIs but
+  // can be overridden on specific API calls. Value MUST be as described under
+  // Mime Types.
+  repeated string consumes = 6;
+  // A list of MIME types the APIs can produce. This is global to all APIs but
+  // can be overridden on specific API calls. Value MUST be as described under
+  // Mime Types.
+  repeated string produces = 7;
+  // field 8 is reserved for 'paths'.
+  reserved 8;
+  // field 9 is reserved for 'definitions', which at this time are already
+  // exposed as and customizable as proto messages.
+  reserved 9;
+  // An object to hold responses that can be used across operations. This
+  // property does not define global responses for all operations.
+  map<string, Response> responses = 10;
+  // Security scheme definitions that can be used across the specification.
+  SecurityDefinitions security_definitions = 11;
+  // A declaration of which security schemes are applied for the API as a whole.
+  // The list of values describes alternative security schemes that can be used
+  // (that is, there is a logical OR between the security requirements).
+  // Individual operations can override this definition.
+  repeated SecurityRequirement security = 12;
+  // A list of tags for API documentation control. Tags can be used for logical
+  // grouping of operations by resources or any other qualifier.
+  repeated Tag tags = 13;
+  // Additional external documentation.
+  ExternalDocumentation external_docs = 14;
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 15;
+}
+
+// `Operation` is a representation of OpenAPI v2 specification's Operation object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#operationObject
+//
+// Example:
+//
+//  service EchoService {
+//    rpc Echo(SimpleMessage) returns (SimpleMessage) {
+//      option (google.api.http) = {
+//        get: "/v1/example/echo/{id}"
+//      };
+//
+//      option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+//        summary: "Get a message.";
+//        operation_id: "getMessage";
+//        tags: "echo";
+//        responses: {
+//          key: "200"
+//            value: {
+//            description: "OK";
+//          }
+//        }
+//      };
+//    }
+//  }
+message Operation {
+  // A list of tags for API documentation control. Tags can be used for logical
+  // grouping of operations by resources or any other qualifier.
+  repeated string tags = 1;
+  // A short summary of what the operation does. For maximum readability in the
+  // swagger-ui, this field SHOULD be less than 120 characters.
+  string summary = 2;
+  // A verbose explanation of the operation behavior. GFM syntax can be used for
+  // rich text representation.
+  string description = 3;
+  // Additional external documentation for this operation.
+  ExternalDocumentation external_docs = 4;
+  // Unique string used to identify the operation. The id MUST be unique among
+  // all operations described in the API. Tools and libraries MAY use the
+  // operationId to uniquely identify an operation, therefore, it is recommended
+  // to follow common programming naming conventions.
+  string operation_id = 5;
+  // A list of MIME types the operation can consume. This overrides the consumes
+  // definition at the OpenAPI Object. An empty value MAY be used to clear the
+  // global definition. Value MUST be as described under Mime Types.
+  repeated string consumes = 6;
+  // A list of MIME types the operation can produce. This overrides the produces
+  // definition at the OpenAPI Object. An empty value MAY be used to clear the
+  // global definition. Value MUST be as described under Mime Types.
+  repeated string produces = 7;
+  // field 8 is reserved for 'parameters'.
+  reserved 8;
+  // The list of possible responses as they are returned from executing this
+  // operation.
+  map<string, Response> responses = 9;
+  // The transfer protocol for the operation. Values MUST be from the list:
+  // "http", "https", "ws", "wss". The value overrides the OpenAPI Object
+  // schemes definition.
+  repeated Scheme schemes = 10;
+  // Declares this operation to be deprecated. Usage of the declared operation
+  // should be refrained. Default value is false.
+  bool deprecated = 11;
+  // A declaration of which security schemes are applied for this operation. The
+  // list of values describes alternative security schemes that can be used
+  // (that is, there is a logical OR between the security requirements). This
+  // definition overrides any declared top-level security. To remove a top-level
+  // security declaration, an empty array can be used.
+  repeated SecurityRequirement security = 12;
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 13;
+  // Custom parameters such as HTTP request headers.
+  // See: https://swagger.io/docs/specification/2-0/describing-parameters/
+  // and https://swagger.io/specification/v2/#parameter-object.
+  Parameters parameters = 14;
+}
+
+// `Parameters` is a representation of OpenAPI v2 specification's parameters object.
+// Note: This technically breaks compatibility with the OpenAPI 2 definition structure as we only
+// allow header parameters to be set here since we do not want users specifying custom non-header
+// parameters beyond those inferred from the Protobuf schema.
+// See: https://swagger.io/specification/v2/#parameter-object
+message Parameters {
+  // `Headers` is one or more HTTP header parameter.
+  // See: https://swagger.io/docs/specification/2-0/describing-parameters/#header-parameters
+  repeated HeaderParameter headers = 1;
+}
+
+// `HeaderParameter` a HTTP header parameter.
+// See: https://swagger.io/specification/v2/#parameter-object
+message HeaderParameter {
+  // `Type` is a supported HTTP header type.
+  // See https://swagger.io/specification/v2/#parameterType.
+  enum Type {
+    UNKNOWN = 0;
+    STRING = 1;
+    NUMBER = 2;
+    INTEGER = 3;
+    BOOLEAN = 4;
+  }
+
+  // `Name` is the header name.
+  string name = 1;
+  // `Description` is a short description of the header.
+  string description = 2;
+  // `Type` is the type of the object. The value MUST be one of "string", "number", "integer", or "boolean". The "array" type is not supported.
+  // See: https://swagger.io/specification/v2/#parameterType.
+  Type type = 3;
+  // `Format` The extending format for the previously mentioned type.
+  string format = 4;
+  // `Required` indicates if the header is optional
+  bool required = 5;
+  // field 6 is reserved for 'items', but in OpenAPI-specific way.
+  reserved 6;
+  // field 7 is reserved `Collection Format`. Determines the format of the array if type array is used.
+  reserved 7;
+}
+
+// `Header` is a representation of OpenAPI v2 specification's Header object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#headerObject
+//
+message Header {
+  // `Description` is a short description of the header.
+  string description = 1;
+  // The type of the object. The value MUST be one of "string", "number", "integer", or "boolean". The "array" type is not supported.
+  string type = 2;
+  // `Format` The extending format for the previously mentioned type.
+  string format = 3;
+  // field 4 is reserved for 'items', but in OpenAPI-specific way.
+  reserved 4;
+  // field 5 is reserved `Collection Format` Determines the format of the array if type array is used.
+  reserved 5;
+  // `Default` Declares the value of the header that the server will use if none is provided.
+  // See: https://tools.ietf.org/html/draft-fge-json-schema-validation-00#section-6.2.
+  // Unlike JSON Schema this value MUST conform to the defined type for the header.
+  string default = 6;
+  // field 7 is reserved for 'maximum'.
+  reserved 7;
+  // field 8 is reserved for 'exclusiveMaximum'.
+  reserved 8;
+  // field 9 is reserved for 'minimum'.
+  reserved 9;
+  // field 10 is reserved for 'exclusiveMinimum'.
+  reserved 10;
+  // field 11 is reserved for 'maxLength'.
+  reserved 11;
+  // field 12 is reserved for 'minLength'.
+  reserved 12;
+  // 'Pattern' See https://tools.ietf.org/html/draft-fge-json-schema-validation-00#section-5.2.3.
+  string pattern = 13;
+  // field 14 is reserved for 'maxItems'.
+  reserved 14;
+  // field 15 is reserved for 'minItems'.
+  reserved 15;
+  // field 16 is reserved for 'uniqueItems'.
+  reserved 16;
+  // field 17 is reserved for 'enum'.
+  reserved 17;
+  // field 18 is reserved for 'multipleOf'.
+  reserved 18;
+}
+
+// `Response` is a representation of OpenAPI v2 specification's Response object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#responseObject
+//
+message Response {
+  // `Description` is a short description of the response.
+  // GFM syntax can be used for rich text representation.
+  string description = 1;
+  // `Schema` optionally defines the structure of the response.
+  // If `Schema` is not provided, it means there is no content to the response.
+  Schema schema = 2;
+  // `Headers` A list of headers that are sent with the response.
+  // `Header` name is expected to be a string in the canonical format of the MIME header key
+  // See: https://golang.org/pkg/net/textproto/#CanonicalMIMEHeaderKey
+  map<string, Header> headers = 3;
+  // `Examples` gives per-mimetype response examples.
+  // See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#example-object
+  map<string, string> examples = 4;
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 5;
+}
+
+// `Info` is a representation of OpenAPI v2 specification's Info object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#infoObject
+//
+// Example:
+//
+//  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+//    info: {
+//      title: "Echo API";
+//      version: "1.0";
+//      description: "";
+//      contact: {
+//        name: "gRPC-Gateway project";
+//        url: "https://github.com/grpc-ecosystem/grpc-gateway";
+//        email: "none@example.com";
+//      };
+//      license: {
+//        name: "BSD 3-Clause License";
+//        url: "https://github.com/grpc-ecosystem/grpc-gateway/blob/main/LICENSE";
+//      };
+//    };
+//    ...
+//  };
+//
+message Info {
+  // The title of the application.
+  string title = 1;
+  // A short description of the application. GFM syntax can be used for rich
+  // text representation.
+  string description = 2;
+  // The Terms of Service for the API.
+  string terms_of_service = 3;
+  // The contact information for the exposed API.
+  Contact contact = 4;
+  // The license information for the exposed API.
+  License license = 5;
+  // Provides the version of the application API (not to be confused
+  // with the specification version).
+  string version = 6;
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 7;
+}
+
+// `Contact` is a representation of OpenAPI v2 specification's Contact object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#contactObject
+//
+// Example:
+//
+//  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+//    info: {
+//      ...
+//      contact: {
+//        name: "gRPC-Gateway project";
+//        url: "https://github.com/grpc-ecosystem/grpc-gateway";
+//        email: "none@example.com";
+//      };
+//      ...
+//    };
+//    ...
+//  };
+//
+message Contact {
+  // The identifying name of the contact person/organization.
+  string name = 1;
+  // The URL pointing to the contact information. MUST be in the format of a
+  // URL.
+  string url = 2;
+  // The email address of the contact person/organization. MUST be in the format
+  // of an email address.
+  string email = 3;
+}
+
+// `License` is a representation of OpenAPI v2 specification's License object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#licenseObject
+//
+// Example:
+//
+//  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+//    info: {
+//      ...
+//      license: {
+//        name: "BSD 3-Clause License";
+//        url: "https://github.com/grpc-ecosystem/grpc-gateway/blob/main/LICENSE";
+//      };
+//      ...
+//    };
+//    ...
+//  };
+//
+message License {
+  // The license name used for the API.
+  string name = 1;
+  // A URL to the license used for the API. MUST be in the format of a URL.
+  string url = 2;
+}
+
+// `ExternalDocumentation` is a representation of OpenAPI v2 specification's
+// ExternalDocumentation object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#externalDocumentationObject
+//
+// Example:
+//
+//  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+//    ...
+//    external_docs: {
+//      description: "More about gRPC-Gateway";
+//      url: "https://github.com/grpc-ecosystem/grpc-gateway";
+//    }
+//    ...
+//  };
+//
+message ExternalDocumentation {
+  // A short description of the target documentation. GFM syntax can be used for
+  // rich text representation.
+  string description = 1;
+  // The URL for the target documentation. Value MUST be in the format
+  // of a URL.
+  string url = 2;
+}
+
+// `Schema` is a representation of OpenAPI v2 specification's Schema object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#schemaObject
+//
+message Schema {
+  JSONSchema json_schema = 1;
+  // Adds support for polymorphism. The discriminator is the schema property
+  // name that is used to differentiate between other schema that inherit this
+  // schema. The property name used MUST be defined at this schema and it MUST
+  // be in the required property list. When used, the value MUST be the name of
+  // this schema or any schema that inherits it.
+  string discriminator = 2;
+  // Relevant only for Schema "properties" definitions. Declares the property as
+  // "read only". This means that it MAY be sent as part of a response but MUST
+  // NOT be sent as part of the request. Properties marked as readOnly being
+  // true SHOULD NOT be in the required list of the defined schema. Default
+  // value is false.
+  bool read_only = 3;
+  // field 4 is reserved for 'xml'.
+  reserved 4;
+  // Additional external documentation for this schema.
+  ExternalDocumentation external_docs = 5;
+  // A free-form property to include an example of an instance for this schema in JSON.
+  // This is copied verbatim to the output.
+  string example = 6;
+}
+
+// `EnumSchema` is subset of fields from the OpenAPI v2 specification's Schema object.
+// Only fields that are applicable to Enums are included
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#schemaObject
+//
+// Example:
+//
+//  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_enum) = {
+//    ...
+//    title: "MyEnum";
+//    description:"This is my nice enum";
+//    example: "ZERO";
+//    required: true;
+//    ...
+//  };
+//
+message EnumSchema {
+  // A short description of the schema.
+  string description = 1;
+  string default = 2;
+  // The title of the schema.
+  string title = 3;
+  bool required = 4;
+  bool read_only = 5;
+  // Additional external documentation for this schema.
+  ExternalDocumentation external_docs = 6;
+  string example = 7;
+  // Ref is used to define an external reference to include in the message.
+  // This could be a fully qualified proto message reference, and that type must
+  // be imported into the protofile. If no message is identified, the Ref will
+  // be used verbatim in the output.
+  // For example:
+  //  `ref: ".google.protobuf.Timestamp"`.
+  string ref = 8;
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 9;
+}
+
+// `JSONSchema` represents properties from JSON Schema taken, and as used, in
+// the OpenAPI v2 spec.
+//
+// This includes changes made by OpenAPI v2.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#schemaObject
+//
+// See also: https://cswr.github.io/JsonSchema/spec/basic_types/,
+// https://github.com/json-schema-org/json-schema-spec/blob/master/schema.json
+//
+// Example:
+//
+//  message SimpleMessage {
+//    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
+//      json_schema: {
+//        title: "SimpleMessage"
+//        description: "A simple message."
+//        required: ["id"]
+//      }
+//    };
+//
+//    // Id represents the message identifier.
+//    string id = 1; [
+//        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+//          description: "The unique identifier of the simple message."
+//        }];
+//  }
+//
+message JSONSchema {
+  // field 1 is reserved for '$id', omitted from OpenAPI v2.
+  reserved 1;
+  // field 2 is reserved for '$schema', omitted from OpenAPI v2.
+  reserved 2;
+  // Ref is used to define an external reference to include in the message.
+  // This could be a fully qualified proto message reference, and that type must
+  // be imported into the protofile. If no message is identified, the Ref will
+  // be used verbatim in the output.
+  // For example:
+  //  `ref: ".google.protobuf.Timestamp"`.
+  string ref = 3;
+  // field 4 is reserved for '$comment', omitted from OpenAPI v2.
+  reserved 4;
+  // The title of the schema.
+  string title = 5;
+  // A short description of the schema.
+  string description = 6;
+  string default = 7;
+  bool read_only = 8;
+  // A free-form property to include a JSON example of this field. This is copied
+  // verbatim to the output swagger.json. Quotes must be escaped.
+  // This property is the same for 2.0 and 3.0.0 https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/3.0.0.md#schemaObject  https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#schemaObject
+  string example = 9;
+  double multiple_of = 10;
+  // Maximum represents an inclusive upper limit for a numeric instance. The
+  // value of MUST be a number,
+  double maximum = 11;
+  bool exclusive_maximum = 12;
+  // minimum represents an inclusive lower limit for a numeric instance. The
+  // value of MUST be a number,
+  double minimum = 13;
+  bool exclusive_minimum = 14;
+  uint64 max_length = 15;
+  uint64 min_length = 16;
+  string pattern = 17;
+  // field 18 is reserved for 'additionalItems', omitted from OpenAPI v2.
+  reserved 18;
+  // field 19 is reserved for 'items', but in OpenAPI-specific way.
+  // TODO(ivucica): add 'items'?
+  reserved 19;
+  uint64 max_items = 20;
+  uint64 min_items = 21;
+  bool unique_items = 22;
+  // field 23 is reserved for 'contains', omitted from OpenAPI v2.
+  reserved 23;
+  uint64 max_properties = 24;
+  uint64 min_properties = 25;
+  repeated string required = 26;
+  // field 27 is reserved for 'additionalProperties', but in OpenAPI-specific
+  // way. TODO(ivucica): add 'additionalProperties'?
+  reserved 27;
+  // field 28 is reserved for 'definitions', omitted from OpenAPI v2.
+  reserved 28;
+  // field 29 is reserved for 'properties', but in OpenAPI-specific way.
+  // TODO(ivucica): add 'additionalProperties'?
+  reserved 29;
+  // following fields are reserved, as the properties have been omitted from
+  // OpenAPI v2:
+  // patternProperties, dependencies, propertyNames, const
+  reserved 30 to 33;
+  // Items in 'array' must be unique.
+  repeated string array = 34;
+
+  enum JSONSchemaSimpleTypes {
+    UNKNOWN = 0;
+    ARRAY = 1;
+    BOOLEAN = 2;
+    INTEGER = 3;
+    NULL = 4;
+    NUMBER = 5;
+    OBJECT = 6;
+    STRING = 7;
+  }
+
+  repeated JSONSchemaSimpleTypes type = 35;
+  // `Format`
+  string format = 36;
+  // following fields are reserved, as the properties have been omitted from
+  // OpenAPI v2: contentMediaType, contentEncoding, if, then, else
+  reserved 37 to 41;
+  // field 42 is reserved for 'allOf', but in OpenAPI-specific way.
+  // TODO(ivucica): add 'allOf'?
+  reserved 42;
+  // following fields are reserved, as the properties have been omitted from
+  // OpenAPI v2:
+  // anyOf, oneOf, not
+  reserved 43 to 45;
+  // Items in `enum` must be unique https://tools.ietf.org/html/draft-fge-json-schema-validation-00#section-5.5.1
+  repeated string enum = 46;
+
+  // Additional field level properties used when generating the OpenAPI v2 file.
+  FieldConfiguration field_configuration = 1001;
+
+  // 'FieldConfiguration' provides additional field level properties used when generating the OpenAPI v2 file.
+  // These properties are not defined by OpenAPIv2, but they are used to control the generation.
+  message FieldConfiguration {
+    // Alternative parameter name when used as path parameter. If set, this will
+    // be used as the complete parameter name when this field is used as a path
+    // parameter. Use this to avoid having auto generated path parameter names
+    // for overlapping paths.
+    string path_param_name = 47;
+    // Declares this field to be deprecated. Allows for the generated OpenAPI
+    // parameter to be marked as deprecated without affecting the proto field.
+    bool deprecated = 49;
+  }
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 48;
+}
+
+// `Tag` is a representation of OpenAPI v2 specification's Tag object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#tagObject
+//
+message Tag {
+  // The name of the tag. Use it to allow override of the name of a
+  // global Tag object, then use that name to reference the tag throughout the
+  // OpenAPI file.
+  string name = 1;
+  // A short description for the tag. GFM syntax can be used for rich text
+  // representation.
+  string description = 2;
+  // Additional external documentation for this tag.
+  ExternalDocumentation external_docs = 3;
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 4;
+}
+
+// `SecurityDefinitions` is a representation of OpenAPI v2 specification's
+// Security Definitions object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#securityDefinitionsObject
+//
+// A declaration of the security schemes available to be used in the
+// specification. This does not enforce the security schemes on the operations
+// and only serves to provide the relevant details for each scheme.
+message SecurityDefinitions {
+  // A single security scheme definition, mapping a "name" to the scheme it
+  // defines.
+  map<string, SecurityScheme> security = 1;
+}
+
+// `SecurityScheme` is a representation of OpenAPI v2 specification's
+// Security Scheme object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#securitySchemeObject
+//
+// Allows the definition of a security scheme that can be used by the
+// operations. Supported schemes are basic authentication, an API key (either as
+// a header or as a query parameter) and OAuth2's common flows (implicit,
+// password, application and access code).
+message SecurityScheme {
+  // The type of the security scheme. Valid values are "basic",
+  // "apiKey" or "oauth2".
+  enum Type {
+    TYPE_INVALID = 0;
+    TYPE_BASIC = 1;
+    TYPE_API_KEY = 2;
+    TYPE_OAUTH2 = 3;
+  }
+
+  // The location of the API key. Valid values are "query" or "header".
+  enum In {
+    IN_INVALID = 0;
+    IN_QUERY = 1;
+    IN_HEADER = 2;
+  }
+
+  // The flow used by the OAuth2 security scheme. Valid values are
+  // "implicit", "password", "application" or "accessCode".
+  enum Flow {
+    FLOW_INVALID = 0;
+    FLOW_IMPLICIT = 1;
+    FLOW_PASSWORD = 2;
+    FLOW_APPLICATION = 3;
+    FLOW_ACCESS_CODE = 4;
+  }
+
+  // The type of the security scheme. Valid values are "basic",
+  // "apiKey" or "oauth2".
+  Type type = 1;
+  // A short description for security scheme.
+  string description = 2;
+  // The name of the header or query parameter to be used.
+  // Valid for apiKey.
+  string name = 3;
+  // The location of the API key. Valid values are "query" or
+  // "header".
+  // Valid for apiKey.
+  In in = 4;
+  // The flow used by the OAuth2 security scheme. Valid values are
+  // "implicit", "password", "application" or "accessCode".
+  // Valid for oauth2.
+  Flow flow = 5;
+  // The authorization URL to be used for this flow. This SHOULD be in
+  // the form of a URL.
+  // Valid for oauth2/implicit and oauth2/accessCode.
+  string authorization_url = 6;
+  // The token URL to be used for this flow. This SHOULD be in the
+  // form of a URL.
+  // Valid for oauth2/password, oauth2/application and oauth2/accessCode.
+  string token_url = 7;
+  // The available scopes for the OAuth2 security scheme.
+  // Valid for oauth2.
+  Scopes scopes = 8;
+  // Custom properties that start with "x-" such as "x-foo" used to describe
+  // extra functionality that is not covered by the standard OpenAPI Specification.
+  // See: https://swagger.io/docs/specification/2-0/swagger-extensions/
+  map<string, google.protobuf.Value> extensions = 9;
+}
+
+// `SecurityRequirement` is a representation of OpenAPI v2 specification's
+// Security Requirement object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#securityRequirementObject
+//
+// Lists the required security schemes to execute this operation. The object can
+// have multiple security schemes declared in it which are all required (that
+// is, there is a logical AND between the schemes).
+//
+// The name used for each property MUST correspond to a security scheme
+// declared in the Security Definitions.
+message SecurityRequirement {
+  // If the security scheme is of type "oauth2", then the value is a list of
+  // scope names required for the execution. For other security scheme types,
+  // the array MUST be empty.
+  message SecurityRequirementValue {
+    repeated string scope = 1;
+  }
+  // Each name must correspond to a security scheme which is declared in
+  // the Security Definitions. If the security scheme is of type "oauth2",
+  // then the value is a list of scope names required for the execution.
+  // For other security scheme types, the array MUST be empty.
+  map<string, SecurityRequirementValue> security_requirement = 1;
+}
+
+// `Scopes` is a representation of OpenAPI v2 specification's Scopes object.
+//
+// See: https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#scopesObject
+//
+// Lists the available scopes for an OAuth2 security scheme.
+message Scopes {
+  // Maps between a name of a scope to a short description of it (as the value
+  // of the property).
+  map<string, string> scope = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit

@@ -1 +0,0 @@
-/Users/sienna/Development/sunbeam/wfe/wfe-buildkit-protos/vendor/buildkit

wfe-buildkit-protos/proto/github.com/moby/buildkit/api/services/control/control.proto

@@ -0,0 +1,253 @@
+syntax = "proto3";
+
+package moby.buildkit.v1;
+
+option go_package = "github.com/moby/buildkit/api/services/control;moby_buildkit_v1";
+
+// import "github.com/containerd/containerd/api/types/descriptor.proto";
+import "github.com/moby/buildkit/api/types/worker.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+import "github.com/moby/buildkit/sourcepolicy/pb/policy.proto";
+import "google/protobuf/timestamp.proto";
+import "google/rpc/status.proto";
+
+service Control {
+	rpc DiskUsage(DiskUsageRequest) returns (DiskUsageResponse);
+	rpc Prune(PruneRequest) returns (stream UsageRecord);
+	rpc Solve(SolveRequest) returns (SolveResponse);
+	rpc Status(StatusRequest) returns (stream StatusResponse);
+	rpc Session(stream BytesMessage) returns (stream BytesMessage);
+	rpc ListWorkers(ListWorkersRequest) returns (ListWorkersResponse);
+	rpc Info(InfoRequest) returns (InfoResponse);
+
+	rpc ListenBuildHistory(BuildHistoryRequest) returns (stream BuildHistoryEvent);
+	rpc UpdateBuildHistory(UpdateBuildHistoryRequest) returns (UpdateBuildHistoryResponse);
+}
+
+message PruneRequest {
+	repeated string filter = 1;
+	bool all = 2;
+	int64 keepDuration = 3;
+
+	int64 reservedSpace = 4;
+	int64 maxUsedSpace = 5;
+	int64 minFreeSpace = 6;
+}
+
+message DiskUsageRequest {
+	repeated string filter = 1; 
+	int64 ageLimit = 2;
+}
+
+message DiskUsageResponse {
+	repeated UsageRecord record = 1;
+}
+
+message UsageRecord {
+	string ID = 1;
+	bool Mutable = 2;
+	bool InUse = 3;
+	int64 Size = 4;
+	string Parent = 5 [deprecated=true];
+	google.protobuf.Timestamp CreatedAt = 6;
+	google.protobuf.Timestamp LastUsedAt = 7;
+	int64 UsageCount = 8;
+	string Description = 9;
+	string RecordType = 10;
+	bool Shared = 11;
+	repeated string Parents = 12;
+}
+
+message SolveRequest {
+	string Ref = 1;
+	pb.Definition Definition = 2;
+	// ExporterDeprecated and ExporterAttrsDeprecated are deprecated in favor
+	// of the new Exporters. If these fields are set, then they will be
+	// appended to the Exporters field if Exporters was not explicitly set.
+	string ExporterDeprecated = 3;
+	map<string, string> ExporterAttrsDeprecated = 4;
+	string Session = 5;
+	string Frontend = 6;
+	map<string, string> FrontendAttrs = 7;
+	CacheOptions Cache = 8;
+	repeated string Entitlements = 9;
+	map<string, pb.Definition> FrontendInputs = 10;
+	bool Internal = 11; // Internal builds are not recorded in build history
+	moby.buildkit.v1.sourcepolicy.Policy SourcePolicy = 12;
+	repeated Exporter Exporters = 13;
+	bool EnableSessionExporter = 14;
+	string SourcePolicySession = 15;
+}
+
+message CacheOptions {
+	// ExportRefDeprecated is deprecated in favor or the new Exports since BuildKit v0.4.0.
+	// When ExportRefDeprecated is set, the solver appends
+	// {.Type = "registry", .Attrs = ExportAttrs.add("ref", ExportRef)}
+	// to Exports for compatibility. (planned to be removed)
+	string ExportRefDeprecated = 1;
+	// ImportRefsDeprecated is deprecated in favor or the new Imports since BuildKit v0.4.0.
+	// When ImportRefsDeprecated is set, the solver appends
+	// {.Type = "registry", .Attrs = {"ref": importRef}}
+	// for each of the ImportRefs entry to Imports for compatibility. (planned to be removed)
+	repeated string ImportRefsDeprecated = 2;
+	// ExportAttrsDeprecated is deprecated since BuildKit v0.4.0.
+	// See the description of ExportRefDeprecated.
+	map<string, string> ExportAttrsDeprecated = 3;
+	// Exports was introduced in BuildKit v0.4.0.
+	repeated CacheOptionsEntry Exports = 4;
+	// Imports was introduced in BuildKit v0.4.0.
+	repeated CacheOptionsEntry Imports = 5;
+}
+
+message CacheOptionsEntry {
+	// Type is like "registry" or "local"
+	string Type = 1;
+	// Attrs are like mode=(min,max), ref=example.com:5000/foo/bar .
+	// See cache importer/exporter implementations' documentation.
+	map<string, string> Attrs = 2;
+}
+
+message SolveResponse {
+	map<string, string> ExporterResponse = 1;
+}
+
+message StatusRequest {
+	string Ref = 1;
+}
+
+message StatusResponse {
+	repeated Vertex vertexes = 1;
+	repeated VertexStatus statuses = 2;
+	repeated VertexLog logs = 3;
+	repeated VertexWarning warnings = 4;
+}
+
+message Vertex {
+	string digest = 1;
+	repeated string inputs = 2;
+	string name = 3;
+	bool cached = 4;
+	google.protobuf.Timestamp started = 5;
+	google.protobuf.Timestamp completed = 6;
+	string error = 7; // typed errors?
+	pb.ProgressGroup progressGroup = 8;
+}
+
+message VertexStatus {
+	string ID = 1;
+	string vertex = 2;
+	string name = 3;
+	int64 current = 4;
+	int64 total = 5;
+	google.protobuf.Timestamp timestamp = 6;
+	google.protobuf.Timestamp started = 7;
+	google.protobuf.Timestamp completed = 8;
+}
+
+message VertexLog {
+	string vertex = 1;
+	google.protobuf.Timestamp timestamp = 2;
+	int64 stream = 3;
+	bytes msg = 4;
+}
+
+message VertexWarning {
+	string vertex = 1;
+	int64 level = 2;
+	bytes short = 3;
+	repeated bytes detail = 4;
+	string url = 5;
+	pb.SourceInfo info = 6;
+	repeated pb.Range ranges = 7;
+}
+
+message BytesMessage {
+	bytes data = 1;
+}
+
+message ListWorkersRequest {
+	repeated string filter = 1; // containerd style
+}
+
+message ListWorkersResponse {
+	repeated moby.buildkit.v1.types.WorkerRecord record = 1;
+}
+
+message InfoRequest {}
+
+message InfoResponse {
+	moby.buildkit.v1.types.BuildkitVersion buildkitVersion = 1;
+}
+
+message BuildHistoryRequest {
+	bool ActiveOnly = 1;
+	string Ref = 2;
+	bool EarlyExit = 3;
+	repeated string Filter = 4;
+	int32 Limit = 5;
+}
+
+enum BuildHistoryEventType {
+	STARTED = 0;
+	COMPLETE = 1;
+	DELETED = 2;
+}
+
+message BuildHistoryEvent {
+	BuildHistoryEventType type = 1;
+	BuildHistoryRecord record = 2;
+}
+
+message BuildHistoryRecord {
+	string Ref = 1;
+	string Frontend = 2;
+	map<string, string> FrontendAttrs = 3;
+	repeated Exporter Exporters = 4;
+	google.rpc.Status error = 5;
+	google.protobuf.Timestamp CreatedAt = 6;
+	google.protobuf.Timestamp CompletedAt = 7;
+	Descriptor logs = 8;
+	map<string, string> ExporterResponse = 9;
+	BuildResultInfo Result = 10;
+	map<string, BuildResultInfo> Results = 11;
+	int32 Generation = 12;
+	Descriptor trace = 13;
+	bool pinned = 14;
+	int32 numCachedSteps = 15;
+	int32 numTotalSteps = 16;
+	int32 numCompletedSteps = 17;
+	Descriptor externalError = 18;
+	int32 numWarnings = 19;
+	// TODO: tags
+	// TODO: unclipped logs
+}
+
+message UpdateBuildHistoryRequest {
+	string Ref = 1;
+	bool Pinned = 2;
+	bool Delete = 3;
+	bool Finalize = 4;
+}
+
+message UpdateBuildHistoryResponse {}
+
+message Descriptor {
+	string media_type = 1;
+	string digest = 2;
+	int64 size = 3;
+	map<string, string> annotations = 5;
+}
+
+message BuildResultInfo {
+	Descriptor ResultDeprecated = 1;
+	repeated Descriptor Attestations = 2;
+	map<int64, Descriptor> Results = 3;
+}
+
+// Exporter describes the output exporter
+message Exporter {
+	// Type identifies the exporter
+	string Type = 1;
+	// Attrs specifies exporter configuration
+	map<string, string> Attrs = 2;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/api/types/worker.proto

@@ -0,0 +1,40 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.types;
+
+option go_package = "github.com/moby/buildkit/api/types;moby_buildkit_v1_types";
+
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+
+message WorkerRecord {
+	string ID = 1;
+	map<string, string> Labels = 2;
+	repeated pb.Platform platforms = 3;
+	repeated GCPolicy GCPolicy = 4;
+	BuildkitVersion BuildkitVersion = 5;
+	repeated CDIDevice CDIDevices = 6;
+}
+
+message GCPolicy {
+	bool all = 1;
+	int64 keepDuration = 2;
+	repeated string filters = 4;
+
+	// reservedSpace was renamed from freeBytes
+	int64 reservedSpace = 3;
+	int64 maxUsedSpace = 5;
+	int64 minFreeSpace = 6;
+}
+
+message BuildkitVersion {
+	string package = 1;
+	string version = 2;
+	string revision = 3;
+}
+
+message CDIDevice {
+	string Name = 1;
+	bool AutoAllow = 2;
+	map<string, string> Annotations = 3;
+	bool OnDemand = 4;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/cache/contenthash/checksum.proto

@@ -0,0 +1,27 @@
+syntax = "proto3";
+
+package contenthash;
+
+option go_package = "github.com/moby/buildkit/cache/contenthash";
+
+enum CacheRecordType {
+	FILE = 0;
+	DIR = 1;
+	DIR_HEADER = 2;
+	SYMLINK = 3;
+}
+
+message CacheRecord {
+	string digest = 1;
+	CacheRecordType type = 2;
+	string linkname = 3;
+}
+
+message CacheRecordWithPath {
+	string path = 1;
+	CacheRecord record = 2;
+}
+
+message CacheRecords {
+	repeated CacheRecordWithPath paths = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/frontend/gateway/pb/gateway.proto

@@ -0,0 +1,407 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.frontend;
+
+option go_package = "github.com/moby/buildkit/frontend/gateway/pb;moby_buildkit_v1_frontend";
+
+import "github.com/moby/buildkit/api/types/worker.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+import "github.com/moby/buildkit/sourcepolicy/pb/policy.proto";
+import "github.com/moby/buildkit/util/apicaps/pb/caps.proto";
+import "github.com/tonistiigi/fsutil/types/stat.proto";
+import "google/protobuf/timestamp.proto";
+import "google/rpc/status.proto";
+
+service LLBBridge {
+	// apicaps:CapResolveImage
+	rpc ResolveImageConfig(ResolveImageConfigRequest) returns (ResolveImageConfigResponse);
+	// apicaps:CapSourceMetaResolver
+	rpc ResolveSourceMeta(ResolveSourceMetaRequest) returns (ResolveSourceMetaResponse);
+	// apicaps:CapSolveBase
+	rpc Solve(SolveRequest) returns (SolveResponse);
+	// apicaps:CapReadFile
+	rpc ReadFile(ReadFileRequest) returns (ReadFileResponse);
+	// apicaps:CapReadDir
+	rpc ReadDir(ReadDirRequest) returns (ReadDirResponse);
+	// apicaps:CapStatFile
+	rpc StatFile(StatFileRequest) returns (StatFileResponse);
+	// apicaps:CapGatewayEvaluate
+	rpc Evaluate(EvaluateRequest) returns (EvaluateResponse);
+	rpc Ping(PingRequest) returns (PongResponse);
+	rpc Return(ReturnRequest) returns (ReturnResponse);
+	// apicaps:CapFrontendInputs
+	rpc Inputs(InputsRequest) returns (InputsResponse);
+
+	rpc NewContainer(NewContainerRequest) returns (NewContainerResponse);
+	rpc ReleaseContainer(ReleaseContainerRequest) returns (ReleaseContainerResponse);
+	rpc ExecProcess(stream ExecMessage) returns (stream ExecMessage);
+
+	// apicaps:CapGatewayExecFilesystem
+	rpc ReadFileContainer(ReadFileRequest) returns (ReadFileResponse);
+	rpc ReadDirContainer(ReadDirRequest) returns (ReadDirResponse);
+	rpc StatFileContainer(StatFileRequest) returns (StatFileResponse);
+
+	// apicaps:CapGatewayWarnings
+	rpc Warn(WarnRequest) returns (WarnResponse);
+}
+
+message Result {
+	oneof result {
+		// Deprecated non-array refs.
+		string refDeprecated = 1;
+		RefMapDeprecated refsDeprecated = 2;
+
+		Ref ref = 3;
+		RefMap refs = 4;
+	}
+	map<string, bytes> metadata = 10;
+	// 11 was used during development and is reserved for old attestation format
+	map<string, Attestations> attestations = 12;
+}
+
+message RefMapDeprecated {
+	map<string, string> refs = 1;
+}
+
+message Ref {
+	string id = 1;
+	pb.Definition def = 2;
+}
+
+message RefMap {
+	map<string, Ref> refs = 1;
+}
+
+message Attestations {
+	repeated Attestation attestation = 1;
+}
+
+message Attestation {
+	AttestationKind kind = 1;
+	map<string, bytes> metadata = 2;
+
+	Ref ref = 3;
+	string path = 4;
+	string inTotoPredicateType = 5;
+	repeated InTotoSubject inTotoSubjects = 6;
+}
+
+enum AttestationKind {
+	InToto = 0;
+	Bundle = 1;
+}
+
+message InTotoSubject {
+	InTotoSubjectKind kind = 1;
+
+	repeated string digest = 2;
+	string name = 3;
+}
+
+enum InTotoSubjectKind {
+	Self = 0;
+	Raw = 1;
+}
+
+message ReturnRequest {
+	Result result = 1;
+	google.rpc.Status error = 2;
+}
+
+message ReturnResponse {
+}
+
+message InputsRequest {
+}
+
+message InputsResponse {
+	map<string, pb.Definition> Definitions = 1;
+}
+
+message ResolveImageConfigRequest {
+	string Ref = 1;
+	pb.Platform Platform = 2;
+	string ResolveMode = 3;
+	string LogName = 4;
+	int32 ResolverType = 5;
+	string SessionID = 6;
+	string StoreID = 7;
+	repeated moby.buildkit.v1.sourcepolicy.Policy SourcePolicies = 8;
+}
+
+message ResolveImageConfigResponse {
+	string Digest = 1;
+	bytes Config = 2;
+	string Ref = 3;
+}
+
+message ResolveSourceMetaRequest {
+	pb.SourceOp Source = 1;
+	pb.Platform Platform = 2;
+	string LogName = 3;
+	string ResolveMode = 4;
+	ResolveSourceGitRequest Git = 5;
+	ResolveSourceImageRequest Image = 6;
+	ResolveSourceHTTPRequest HTTP = 7;
+	repeated moby.buildkit.v1.sourcepolicy.Policy SourcePolicies = 8;
+}
+
+message ResolveSourceMetaResponse {
+	pb.SourceOp Source = 1;
+	ResolveSourceImageResponse Image = 2;
+	ResolveSourceGitResponse Git = 3;
+	ResolveSourceHTTPResponse HTTP = 4;
+}
+
+message ResolveSourceImageRequest {
+	bool NoConfig = 1;
+	bool AttestationChain = 2;
+	repeated string ResolveAttestations = 3;
+}
+
+message AttestationChain {
+	string Root = 1;
+	string ImageManifest = 2;
+	string AttestationManifest = 3;
+	repeated string SignatureManifests = 4;
+	map<string, Blob> Blobs = 5;
+}
+
+message ResolveSourceImageResponse {
+	string Digest = 1;
+	bytes Config = 2;
+	AttestationChain AttestationChain = 3;
+}
+
+message ResolveSourceGitRequest {
+	// Return full commit and tag object bytes.
+	bool ReturnObject = 1;
+}
+
+message ResolveSourceGitResponse {
+	string Checksum = 1;
+	string Ref = 2;
+	string CommitChecksum = 3;
+	bytes CommitObject = 4;
+	bytes TagObject = 5;
+}
+
+message ResolveSourceHTTPResponse {
+	string Checksum = 1;
+	string Filename = 2;
+	google.protobuf.Timestamp LastModified = 3;
+	ChecksumResponse ChecksumResponse = 4;
+}
+
+message ResolveSourceHTTPRequest {
+	ChecksumRequest ChecksumRequest = 1;
+}
+
+message ChecksumRequest {
+	enum ChecksumAlgo {
+		CHECKSUM_ALGO_SHA256 = 0;
+		CHECKSUM_ALGO_SHA384 = 1;
+		CHECKSUM_ALGO_SHA512 = 2;
+	}
+	ChecksumAlgo Algo = 1;
+	bytes Suffix = 2;
+}
+
+message ChecksumResponse {
+	string Digest = 1;
+	bytes Suffix = 2;
+}
+
+message SolveRequest {
+	pb.Definition Definition = 1;
+	string Frontend = 2;
+	map<string, string> FrontendOpt = 3;
+	// 4 was removed in BuildKit v0.11.0.
+	bool allowResultReturn = 5;
+	bool allowResultArrayRef = 6;
+
+	// apicaps.CapSolveInlineReturn deprecated
+	bool Final = 10;
+	bytes ExporterAttr = 11;
+	// CacheImports was added in BuildKit v0.4.0.
+	// apicaps:CapImportCaches
+	repeated CacheOptionsEntry CacheImports = 12;
+
+	// apicaps:CapFrontendInputs
+	map<string, pb.Definition> FrontendInputs = 13;
+
+	bool Evaluate = 14;
+
+	repeated moby.buildkit.v1.sourcepolicy.Policy SourcePolicies = 15;
+}
+
+// CacheOptionsEntry corresponds to the control.CacheOptionsEntry
+message CacheOptionsEntry {
+	string Type = 1;
+	map<string, string> Attrs = 2;
+}
+
+message SolveResponse {
+	// deprecated
+	string ref = 1; // can be used by readfile request
+	// deprecated
+	// bytes ExporterAttr = 2;
+
+	// these fields are returned when allowMapReturn was set
+	Result result = 3;
+}
+
+message ReadFileRequest {
+	string Ref = 1;
+	string FilePath = 2;
+	FileRange Range = 3;
+	int32 MountIndex = 4;
+}
+
+message FileRange {
+	int64 Offset = 1;
+	int64 Length = 2;
+}
+
+message ReadFileResponse {
+	bytes Data = 1;
+}
+
+message ReadDirRequest {
+	string Ref = 1;
+	string DirPath = 2;
+	string IncludePattern = 3;
+	int32 MountIndex = 4;
+}
+
+message ReadDirResponse {
+	repeated fsutil.types.Stat entries = 1;
+}
+
+message StatFileRequest {
+	string Ref = 1;
+	string Path = 2;
+	int32 MountIndex = 3;
+}
+
+message StatFileResponse {
+	fsutil.types.Stat stat = 1;
+}
+
+message EvaluateRequest {
+	string Ref = 1;
+}
+
+message EvaluateResponse {
+}
+
+message PingRequest{
+}
+message PongResponse{
+	repeated moby.buildkit.v1.apicaps.APICap FrontendAPICaps = 1;
+	repeated moby.buildkit.v1.apicaps.APICap LLBCaps = 2;
+	repeated moby.buildkit.v1.types.WorkerRecord Workers = 3;
+}
+
+message WarnRequest {
+	string digest = 1;
+	int64 level = 2;
+	bytes short = 3;
+	repeated bytes detail = 4;
+	string url = 5;
+	pb.SourceInfo info = 6;
+	repeated pb.Range ranges = 7;
+}
+
+message WarnResponse{}
+
+message NewContainerRequest {
+	string ContainerID = 1;
+	// For mount input values we can use random identifiers passed with ref
+	repeated pb.Mount Mounts = 2;
+	pb.NetMode Network = 3;
+	pb.Platform platform = 4;
+	pb.WorkerConstraints constraints = 5;
+	repeated pb.HostIP extraHosts = 6;
+	string hostname = 7;
+}
+
+message NewContainerResponse{}
+
+message ReleaseContainerRequest {
+	string ContainerID = 1;
+}
+
+message ReleaseContainerResponse{}
+
+message ExecMessage {
+	string ProcessID = 1;
+	oneof Input {
+		// InitMessage sent from client to server will start a new process in a
+		// container
+		InitMessage Init = 2;
+		// FdMessage used from client to server for input (stdin) and
+		// from server to client for output (stdout, stderr)
+		FdMessage File = 3;
+		// ResizeMessage used from client to server for terminal resize events
+		ResizeMessage Resize = 4;
+		// StartedMessage sent from server to client after InitMessage to
+		// indicate the process has started.
+		StartedMessage Started = 5;
+		// ExitMessage sent from server to client will contain the exit code
+		// when the process ends.
+		ExitMessage Exit = 6;
+		// DoneMessage from server to client will be the last message for any
+		// process.  Note that FdMessage might be sent after ExitMessage.
+		DoneMessage Done = 7;
+		// SignalMessage is used from client to server to send signal events
+		SignalMessage Signal = 8;
+	}
+}
+
+message InitMessage{
+	string ContainerID = 1;
+	pb.Meta Meta = 2;
+	repeated uint32 Fds = 3;
+	bool Tty = 4;
+	pb.SecurityMode Security = 5;
+	repeated pb.SecretEnv secretenv = 6;
+}
+
+message ExitMessage {
+	uint32 Code = 1;
+	google.rpc.Status Error = 2;
+}
+
+message StartedMessage{}
+
+message DoneMessage{}
+
+message FdMessage{
+	uint32 Fd = 1; // what fd the data was from
+	bool EOF = 2;  // true if eof was reached
+	bytes Data = 3;
+}
+
+message ResizeMessage{
+	uint32 Rows = 1;
+	uint32 Cols = 2;
+}
+
+message SignalMessage {
+	// we only send name (ie HUP, INT) because the int values
+	// are platform dependent.
+	string Name = 1;
+}
+
+message Blob {
+	Descriptor descriptor = 1;
+	bytes data = 2;
+}
+
+message Descriptor {
+	string media_type = 1;
+	string digest = 2;
+	int64 size = 3;
+	map<string, string> annotations = 5;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/session/auth/auth.proto

@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "github.com/moby/buildkit/session/auth";
+
+service Auth{
+	rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
+	rpc FetchToken(FetchTokenRequest) returns (FetchTokenResponse);
+	rpc GetTokenAuthority(GetTokenAuthorityRequest) returns (GetTokenAuthorityResponse);
+	rpc VerifyTokenAuthority(VerifyTokenAuthorityRequest) returns (VerifyTokenAuthorityResponse);
+}
+
+message CredentialsRequest {
+	string Host = 1;
+}
+
+message CredentialsResponse {
+	string Username = 1;
+	string Secret = 2;
+}
+
+message FetchTokenRequest {
+	string ClientID = 1;
+	string Host = 2;
+	string Realm = 3;
+	string Service = 4;
+	repeated string Scopes = 5;
+}
+
+message FetchTokenResponse {
+	string Token = 1;
+	int64 ExpiresIn = 2; // seconds
+	int64 IssuedAt = 3; // timestamp
+}
+
+message GetTokenAuthorityRequest {
+	string Host = 1;
+	bytes Salt = 2;
+}
+
+message GetTokenAuthorityResponse {
+	bytes PublicKey = 1;
+}
+
+message VerifyTokenAuthorityRequest {
+	string Host = 1;
+	bytes Payload = 2;
+	bytes Salt = 3;
+}
+
+message VerifyTokenAuthorityResponse {
+	bytes Signed = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/session/exporter/exporter.proto

@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package moby.exporter.v1;
+
+option go_package = "github.com/moby/buildkit/session/exporter";
+
+service Exporter {
+	rpc FindExporters(FindExportersRequest) returns (FindExportersResponse);
+}
+
+message FindExportersRequest{
+	map<string, bytes> metadata = 1;
+	repeated string refs = 2;
+}
+
+message FindExportersResponse {
+	repeated ExporterRequest exporters = 1;
+}
+
+message ExporterRequest {
+	string Type = 1;
+	map<string, string> Attrs = 2;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/session/filesync/filesync.proto

@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "github.com/moby/buildkit/session/filesync";
+
+import "github.com/tonistiigi/fsutil/types/wire.proto";
+
+// FileSync exposes local files from the client to the server.
+service FileSync{
+	rpc DiffCopy(stream fsutil.types.Packet) returns (stream fsutil.types.Packet);
+	rpc TarStream(stream fsutil.types.Packet) returns (stream fsutil.types.Packet);
+}
+
+// FileSend allows sending files from the server back to the client.
+service FileSend{
+	rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+}
+
+// BytesMessage contains a chunk of byte data
+message BytesMessage {
+	bytes data = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/session/secrets/secrets.proto

@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package moby.buildkit.secrets.v1;
+
+option go_package = "github.com/moby/buildkit/session/secrets";
+
+service Secrets{
+	rpc GetSecret(GetSecretRequest) returns (GetSecretResponse);
+}
+
+
+message GetSecretRequest {
+	string ID = 1;
+	map<string, string> annotations = 2;
+}
+
+message GetSecretResponse {
+	bytes data = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/session/sshforward/ssh.proto

@@ -0,0 +1,22 @@
+syntax = "proto3";
+
+package moby.sshforward.v1;
+
+option go_package = "github.com/moby/buildkit/session/sshforward";
+
+service SSH {
+	rpc CheckAgent(CheckAgentRequest) returns (CheckAgentResponse);
+	rpc ForwardAgent(stream BytesMessage) returns (stream BytesMessage);
+}
+
+// BytesMessage contains a chunk of byte data
+message BytesMessage{
+	bytes data = 1;
+}
+
+message CheckAgentRequest {
+	string ID = 1;
+}
+
+message CheckAgentResponse {
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/session/upload/upload.proto

@@ -0,0 +1,14 @@
+syntax = "proto3";
+
+package moby.upload.v1;
+
+option go_package = "github.com/moby/buildkit/session/upload";
+
+service Upload {
+	rpc Pull(stream BytesMessage) returns (stream BytesMessage);
+}
+
+// BytesMessage contains a chunk of byte data
+message BytesMessage{
+	bytes data = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/solver/errdefs/errdefs.proto

@@ -0,0 +1,52 @@
+syntax = "proto3";
+
+package errdefs;
+
+option go_package = "github.com/moby/buildkit/solver/errdefs";
+
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+
+message Vertex {
+	string digest = 1;
+}
+
+message Source {
+	pb.SourceInfo info = 1;
+	repeated pb.Range ranges = 2;
+}
+
+message Frontend {
+	string name = 1; // frontend name e.g. dockerfile.v0 or gateway.v0
+	string source = 2; // used by the gateway frontend to identify the source, which corresponds to the image name
+}
+
+message FrontendCap {
+	string name = 1;
+}
+
+message Subrequest {
+	string name = 1;
+}
+
+message Solve {
+	repeated string inputIDs = 1;
+	repeated string mountIDs = 2;
+	pb.Op op = 3;
+
+	oneof subject {
+		FileAction file = 4;
+		ContentCache cache = 5;
+	}
+
+	map<string, string> description = 6;
+}
+
+message FileAction {
+	// Index of the file action that failed the exec.
+	int64 index = 1;
+}
+
+message ContentCache {
+	// Original index of result that failed the slow cache calculation.
+	int64 index = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/solver/pb/ops.proto

@@ -0,0 +1,446 @@
+syntax = "proto3";
+
+// Package pb provides the protobuf definition of LLB: low-level builder instruction.
+// LLB is DAG-structured; Op represents a vertex, and Definition represents a graph.
+package pb;
+
+option go_package = "github.com/moby/buildkit/solver/pb";
+
+// Op represents a vertex of the LLB DAG.
+message Op {
+	// changes to this structure must be represented in json.go.
+	// inputs is a set of input edges.
+	repeated Input inputs = 1;
+	oneof op {
+		ExecOp exec = 2;
+		SourceOp source = 3;
+		FileOp file = 4;
+		BuildOp build = 5;
+		MergeOp merge = 6;
+		DiffOp diff = 7;
+	}
+	Platform platform = 10;
+	WorkerConstraints constraints = 11;
+}
+
+// Platform is github.com/opencontainers/image-spec/specs-go/v1.Platform
+message Platform {
+	string Architecture = 1;
+	string OS = 2;
+	string Variant = 3;
+	string OSVersion = 4;
+	repeated string OSFeatures = 5; // unused
+}
+
+// Input represents an input edge for an Op.
+message Input {
+	// digest of the marshaled input Op
+	string digest = 1;
+	// output index of the input Op
+	int64 index = 2;
+}
+
+// ExecOp executes a command in a container.
+message ExecOp {
+	Meta meta = 1;
+	repeated Mount mounts = 2;
+	NetMode network = 3;
+	SecurityMode security = 4;
+	repeated SecretEnv secretenv = 5;
+	repeated CDIDevice cdiDevices = 6;
+}
+
+// Meta is a set of arguments for ExecOp.
+// Meta is unrelated to LLB metadata.
+// FIXME: rename (ExecContext? ExecArgs?)
+message Meta {
+	repeated string args = 1;
+	repeated string env = 2;
+	string cwd = 3;
+	string user = 4;
+	ProxyEnv proxy_env = 5;
+	repeated HostIP extraHosts = 6;
+	string hostname = 7;
+	repeated Ulimit ulimit = 9;
+	string cgroupParent = 10;
+	bool removeMountStubsRecursive = 11;
+	repeated int32 validExitCodes = 12;
+}
+
+message HostIP {
+	string Host = 1;
+	string IP = 2;
+}
+
+message Ulimit {
+	string Name = 1;
+	int64 Soft = 2;
+	int64 Hard = 3;
+}
+
+enum NetMode {
+	UNSET = 0; // sandbox
+	HOST = 1;
+	NONE = 2;
+}
+
+enum SecurityMode {
+	SANDBOX = 0;
+	INSECURE = 1; // privileged mode
+}
+
+// SecretEnv is an environment variable that is backed by a secret.
+message SecretEnv {
+	string ID = 1;
+	string name = 2;
+	bool optional = 3;
+}
+
+// CDIDevice specifies a CDI device information.
+message CDIDevice {
+	// Fully qualified CDI device name (e.g., vendor.com/gpu=gpudevice1)
+	// https://github.com/cncf-tags/container-device-interface/blob/main/SPEC.md
+	string name = 1;
+	// Optional defines if CDI device is required.
+	bool optional = 2;
+}
+
+// Mount specifies how to mount an input Op as a filesystem.
+message Mount {
+	int64 input = 1;
+	string selector = 2;
+	string dest = 3;
+	int64 output = 4;
+	bool readonly = 5;
+	MountType mountType = 6;
+	TmpfsOpt TmpfsOpt = 19;
+	CacheOpt cacheOpt = 20;
+	SecretOpt secretOpt = 21;
+	SSHOpt SSHOpt = 22;
+	string resultID = 23;
+	MountContentCache contentCache = 24;
+}
+
+// MountType defines a type of a mount from a supported set
+enum MountType {
+	BIND = 0;
+	SECRET = 1;
+	SSH = 2;
+	CACHE = 3;
+	TMPFS = 4;
+}
+
+// MountContentCache ...
+enum MountContentCache {
+	DEFAULT = 0;
+	ON = 1;
+	OFF = 2;
+}
+
+// TmpfsOpt defines options describing tpmfs mounts
+message TmpfsOpt {
+	// Specify an upper limit on the size of the filesystem.
+	int64 size = 1;
+}
+
+// CacheOpt defines options specific to cache mounts
+message CacheOpt {
+	// ID is an optional namespace for the mount
+	string ID = 1;
+	// Sharing is the sharing mode for the mount
+	CacheSharingOpt sharing = 2;
+}
+
+// CacheSharingOpt defines different sharing modes for cache mount
+enum CacheSharingOpt {
+	// SHARED cache mount can be used concurrently by multiple writers
+	SHARED = 0;
+	// PRIVATE creates a new mount if there are multiple writers
+	PRIVATE = 1;
+	// LOCKED pauses second writer until first one releases the mount
+	LOCKED = 2;
+}
+
+// SecretOpt defines options describing secret mounts
+message SecretOpt {
+	// ID of secret. Used for quering the value.
+	string ID = 1;
+	// UID of secret file
+	uint32 uid = 2;
+	// GID of secret file
+	uint32 gid = 3;
+	// Mode is the filesystem mode of secret file
+	uint32 mode = 4;
+	// Optional defines if secret value is required. Error is produced
+	// if value is not found and optional is false.
+	bool optional = 5;
+}
+
+// SSHOpt defines options describing ssh mounts
+message SSHOpt {
+	// ID of exposed ssh rule. Used for quering the value.
+	string ID = 1;
+	// UID of agent socket
+	uint32 uid = 2;
+	// GID of agent socket
+	uint32 gid = 3;
+	// Mode is the filesystem mode of agent socket
+	uint32 mode = 4;
+	// Optional defines if ssh socket is required. Error is produced
+	// if client does not expose ssh.
+	bool optional = 5;
+}
+
+// SourceOp specifies a source such as build contexts and images.
+message SourceOp {
+	// TODO: use source type or any type instead of URL protocol.
+	// identifier e.g. local://, docker-image://, git://, https://...
+	string identifier = 1;
+	// attrs are defined in attr.go
+	map<string, string> attrs = 2;
+}
+
+// BuildOp is used for nested build invocation.
+// BuildOp is experimental and can break without backwards compatibility
+message BuildOp {
+	int64 builder = 1;
+	map<string, BuildInput> inputs = 2;
+	Definition def = 3;
+	map<string, string> attrs = 4;
+	// outputs
+}
+
+// BuildInput is used for BuildOp.
+message BuildInput {
+	int64 input = 1;
+}
+
+// OpMetadata is a per-vertex metadata entry, which can be defined for arbitrary Op vertex and overridable on the run time.
+message OpMetadata {
+	// ignore_cache specifies to ignore the cache for this Op.
+	bool ignore_cache = 1;
+	// Description can be used for keeping any text fields that builder doesn't parse
+	map<string, string> description = 2;
+	// index 3 reserved for WorkerConstraint in previous versions
+	// WorkerConstraint worker_constraint = 3;
+	ExportCache export_cache = 4;
+
+	map<string, bool> caps = 5;
+
+	ProgressGroup progress_group = 6;
+}
+
+// Source is a source mapping description for a file
+message Source {
+	map<string, Locations> locations = 1;
+	repeated SourceInfo infos = 2;
+}
+
+// Locations is a list of ranges with a index to its source map.
+message Locations {
+	repeated Location locations = 1;
+}
+
+// Source info contains the shared metadata of a source mapping
+message SourceInfo {
+	string filename = 1;
+	bytes data = 2;
+	Definition definition = 3;
+	string language = 4;
+}
+
+// Location defines list of areas in to source file
+message Location {
+	int32 sourceIndex = 1;
+	repeated Range ranges = 2;
+}
+
+// Range is an area in the source file
+message Range {
+	Position start = 1;
+	Position end = 2;
+}
+
+// Position is single location in a source file
+message Position {
+	int32 line = 1;
+	int32 character = 2;
+}
+
+message ExportCache {
+	bool Value = 1;
+}
+
+message ProgressGroup {
+	string id = 1;
+	string name = 2;
+	bool weak = 3;
+}
+
+message ProxyEnv {
+	string http_proxy = 1;
+	string https_proxy = 2;
+	string ftp_proxy = 3;
+	string no_proxy = 4;
+	string all_proxy = 5;
+}
+
+// WorkerConstraints defines conditions for the worker
+message WorkerConstraints {
+	repeated string filter = 1; // containerd-style filter
+}
+
+// Definition is the LLB definition structure with per-vertex metadata entries
+message Definition {
+	// def is a list of marshaled Op messages
+	repeated bytes def = 1;
+	// metadata contains metadata for the each of the Op messages.
+	// A key must be an LLB op digest string. Currently, empty string is not expected as a key, but it may change in the future.
+	map<string, OpMetadata> metadata = 2;
+	// Source contains the source mapping information for the vertexes in the definition
+	Source Source = 3;
+}
+
+message FileOp {
+	repeated FileAction actions = 2;
+}
+
+message FileAction {
+	// changes to this structure must be represented in json.go.
+	int64 input = 1; // could be real input or target (target index + max input index)
+	int64 secondaryInput = 2; // --//--
+	int64 output = 3;
+	oneof action {
+		// FileActionCopy copies files from secondaryInput on top of input
+		FileActionCopy copy = 4;
+		// FileActionMkFile creates a new file
+		FileActionMkFile mkfile = 5;
+		// FileActionMkDir creates a new directory
+		FileActionMkDir mkdir = 6;
+		// FileActionRm removes a file
+		FileActionRm rm = 7;
+		// FileActionSymlink creates a symlink
+		FileActionSymlink symlink = 8;
+	}
+}
+
+message FileActionCopy {
+	// src is the source path
+	string src = 1;
+	// dest path
+	string dest = 2;
+	// optional owner override
+	ChownOpt owner = 3;
+	// optional permission bits override
+	int32 mode = 4;
+	// followSymlink resolves symlinks in src
+	bool followSymlink = 5;
+	// dirCopyContents only copies contents if src is a directory
+	bool dirCopyContents = 6;
+	// attemptUnpackDockerCompatibility detects if src is an archive to unpack it instead
+	bool attemptUnpackDockerCompatibility = 7;
+	// createDestPath creates dest path directories if needed
+	bool createDestPath = 8;
+	// allowWildcard allows filepath.Match wildcards in src path
+	bool allowWildcard = 9;
+	// allowEmptyWildcard doesn't fail the whole copy if wildcard doesn't resolve to files
+	bool allowEmptyWildcard = 10;
+	// optional created time override
+	int64 timestamp = 11;
+	// include only files/dirs matching at least one of these patterns
+	repeated string include_patterns = 12;
+	// exclude files/dir matching any of these patterns (even if they match an include pattern)
+	repeated string exclude_patterns = 13;
+	// alwaysReplaceExistingDestPaths results in an existing dest path that differs in type from the src path being replaced rather than the default of returning an error
+	bool alwaysReplaceExistingDestPaths = 14;
+	// mode in non-octal format
+	string modeStr = 15;
+	// required paths that must be included in the copy. This is only used when
+	// include_patterns has at least one pattern.
+	repeated string required_paths = 16;
+}
+
+message FileActionMkFile {
+	// path for the new file
+	string path = 1;
+	// permission bits
+	int32 mode = 2;
+	// data is the new file contents
+	bytes data = 3;
+	// optional owner for the new file
+	ChownOpt owner = 4;
+	// optional created time override
+	int64 timestamp = 5;
+}
+
+message FileActionSymlink {
+	// destination path for the new file representing the link
+	string oldpath = 1;
+	// source path for the link
+	string newpath = 2;
+	// optional owner for the new file
+	ChownOpt owner = 3;
+	// optional created time override
+	int64 timestamp = 4;
+}
+
+message FileActionMkDir {
+	// path for the new directory
+	string path = 1;
+	// permission bits
+	int32 mode = 2;
+	// makeParents creates parent directories as well if needed
+	bool makeParents = 3;
+	// optional owner for the new directory
+	ChownOpt owner = 4;
+	// optional created time override
+	int64 timestamp = 5;
+}
+
+message FileActionRm {
+	// path to remove
+	string path = 1;
+	// allowNotFound doesn't fail the rm if file is not found
+	bool allowNotFound = 2;
+	// allowWildcard allows filepath.Match wildcards in path
+	bool allowWildcard = 3;
+}
+
+message ChownOpt {
+	UserOpt user = 1;
+	UserOpt group = 2;
+}
+
+message UserOpt {
+	// changes to this structure must be represented in json.go.
+	oneof user {
+		NamedUserOpt byName = 1;
+		uint32 byID = 2;
+	}
+}
+
+message NamedUserOpt {
+	string name = 1;
+	int64 input = 2;
+}
+
+message MergeInput {
+	int64 input = 1;
+}
+
+message MergeOp {
+	repeated MergeInput inputs = 1;
+}
+
+message LowerDiffInput {
+	int64 input = 1;
+}
+
+message UpperDiffInput {
+	int64 input = 1;
+}
+
+message DiffOp {
+	LowerDiffInput lower = 1;
+	UpperDiffInput upper = 2;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/sourcepolicy/pb/policy.proto

@@ -0,0 +1,66 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.sourcepolicy;
+
+option go_package = "github.com/moby/buildkit/sourcepolicy/pb;moby_buildkit_v1_sourcepolicy";
+
+// Rule defines the action(s) to take when a source is matched
+message Rule {
+	PolicyAction action = 1; 
+	Selector selector = 2;
+	Update updates = 3;
+}
+
+// Update contains updates to the matched build step after rule is applied
+message Update {
+	string identifier = 1;
+	map<string, string> attrs = 2;
+}
+
+// Selector identifies a source to match a policy to
+message Selector {
+	string identifier = 1;
+	// MatchType is the type of match to perform on the source identifier
+	MatchType match_type = 2;
+	repeated AttrConstraint constraints = 3;
+}
+
+// PolicyAction defines the action to take when a source is matched
+enum PolicyAction {
+	ALLOW = 0;
+	DENY = 1;
+	CONVERT = 2;
+}
+
+// AttrConstraint defines a constraint on a source attribute
+message AttrConstraint {
+	string key = 1;
+	string value = 2;
+	AttrMatch condition = 3;
+}
+
+// AttrMatch defines the condition to match a source attribute
+enum AttrMatch {
+	EQUAL = 0;
+	NOTEQUAL = 1;
+	MATCHES = 2;
+}
+
+// Policy is the list of rules the policy engine will perform
+message Policy {
+	int64 version = 1; // Currently 1
+	repeated Rule rules = 2;
+}
+
+// Match type is used to determine how a rule source is matched
+enum MatchType {
+	// WILDCARD is the default matching type.
+	// It may first attempt to due an exact match but will follow up with a wildcard match
+	// For something more powerful, use REGEX
+	WILDCARD = 0;
+	// EXACT treats the source identifier as a litteral string match
+	EXACT = 1;
+	// REGEX treats the source identifier as a regular expression
+	// With regex matching you can also use match groups to replace values in the destination identifier
+	REGEX = 2;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/sourcepolicy/policysession/policysession.proto

@@ -0,0 +1,36 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.sourcepolicy.policysession;
+
+option go_package = "github.com/moby/buildkit/sourcepolicy/policysession";
+
+import "github.com/moby/buildkit/frontend/gateway/pb/gateway.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+import "github.com/moby/buildkit/sourcepolicy/pb/policy.proto";
+
+service PolicyVerifier {
+	rpc CheckPolicy(CheckPolicyRequest) returns (CheckPolicyResponse);
+}
+
+message CheckPolicyRequest {
+	pb.Platform Platform = 1;
+	moby.buildkit.v1.frontend.ResolveSourceMetaResponse Source = 2;
+	map<string, bool> caps = 3;
+}
+
+message CheckPolicyResponse {
+	oneof result {
+		DecisionResponse decision = 1;
+		moby.buildkit.v1.frontend.ResolveSourceMetaRequest request = 2;
+	}
+}
+
+message DecisionResponse {
+	moby.buildkit.v1.sourcepolicy.PolicyAction action = 1;
+	repeated DenyMessage denyMessages = 2;
+	pb.SourceOp update = 3;
+}
+
+message DenyMessage {
+	string message = 1;
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/util/apicaps/pb/caps.proto

@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.apicaps;
+
+option go_package = "github.com/moby/buildkit/util/apicaps/pb;moby_buildkit_v1_apicaps";
+
+// APICap defines a capability supported by the service
+message APICap {
+	string ID = 1;
+	bool Enabled = 2;
+	bool Deprecated = 3; // Unused. May be used for warnings in the future
+	string DisabledReason = 4; // Reason key for detection code
+	string DisabledReasonMsg = 5; // Message to the user
+	string DisabledAlternative = 6; // Identifier that updated client could catch.
+}

wfe-buildkit-protos/proto/github.com/moby/buildkit/util/stack/stack.proto

@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package stack;
+
+option go_package = "github.com/moby/buildkit/util/stack";
+
+message Stack {
+	repeated Frame frames = 1;
+	repeated string cmdline = 2;
+	int32 pid = 3;
+	string version = 4;
+	string revision = 5;
+}
+
+message Frame {
+	string Name = 1;
+	string File = 2;
+	int32 Line = 3;
+}

wfe-buildkit-protos/proto/github.com/tonistiigi/fsutil

@@ -1 +0,0 @@
-/Users/sienna/Development/sunbeam/wfe/wfe-buildkit-protos/vendor/buildkit/vendor/github.com/tonistiigi/fsutil

wfe-buildkit-protos/proto/github.com/tonistiigi/fsutil/types/stat.proto

@@ -0,0 +1,21 @@
+syntax = "proto3";
+
+package fsutil.types;
+
+option go_package = "github.com/tonistiigi/fsutil/types";
+
+import "github.com/planetscale/vtprotobuf/vtproto/ext.proto";
+
+message Stat {
+  string path = 1;
+  uint32 mode = 2;
+  uint32 uid = 3;
+  uint32 gid = 4;
+  int64 size = 5;
+  int64 modTime = 6;
+  // int32 typeflag = 7;
+  string linkname = 7;
+  int64 devmajor = 8;
+  int64 devminor = 9;
+  map<string, bytes> xattrs = 10;
+}

wfe-buildkit-protos/proto/github.com/tonistiigi/fsutil/types/wire.proto

@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package fsutil.types;
+
+option go_package = "github.com/tonistiigi/fsutil/types";
+
+import "github.com/planetscale/vtprotobuf/vtproto/ext.proto";
+import "github.com/tonistiigi/fsutil/types/stat.proto";
+
+message Packet {
+  option (vtproto.mempool) = true;
+  enum PacketType {
+    PACKET_STAT = 0;
+    PACKET_REQ = 1;
+    PACKET_DATA = 2;
+    PACKET_FIN = 3;
+    PACKET_ERR = 4;
+  }
+  PacketType type = 1;
+  Stat stat = 2;
+  uint32 ID = 3;
+  bytes data = 4;
+}

wfe-buildkit/Cargo.toml

@@ -16,7 +16,7 @@ async-trait = { workspace = true }
 tracing = { workspace = true }
 thiserror = { workspace = true }
 regex = { workspace = true }
-wfe-buildkit-protos = { version = "1.6.1", path = "../wfe-buildkit-protos", registry = "sunbeam" }
+wfe-buildkit-protos = { version = "1.8.0", path = "../wfe-buildkit-protos", registry = "sunbeam" }
 tonic = "0.14"
 tower = { version = "0.4", features = ["util"] }
 hyper-util = { version = "0.1", features = ["tokio"] }

wfe-containerd-protos/build.rs

@@ -1,7 +1,7 @@
 use std::path::PathBuf;
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let api_dir = PathBuf::from("vendor/containerd/api");
+    let api_dir = PathBuf::from("proto/api");
 
     // Collect all .proto files, excluding internal runtime shim protos
     let proto_files: Vec<PathBuf> = walkdir(&api_dir)?

wfe-containerd-protos/proto/api/events/container.proto

@@ -0,0 +1,46 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "google/protobuf/any.proto";
+import "types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message ContainerCreate {
+  string id = 1;
+  string image = 2;
+  message Runtime {
+    string name = 1;
+    google.protobuf.Any options = 2;
+  }
+  Runtime runtime = 3;
+}
+
+message ContainerUpdate {
+  string id = 1;
+  string image = 2;
+  map<string, string> labels = 3;
+  string snapshot_key = 4;
+}
+
+message ContainerDelete {
+  string id = 1;
+}

wfe-containerd-protos/proto/api/events/content.proto

@@ -0,0 +1,33 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message ContentCreate {
+  string digest = 1;
+  int64 size = 2;
+}
+
+message ContentDelete {
+  string digest = 1;
+}

wfe-containerd-protos/proto/api/events/image.proto

@@ -0,0 +1,38 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.images.v1;
+
+import "types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message ImageCreate {
+  string name = 1;
+  map<string, string> labels = 2;
+}
+
+message ImageUpdate {
+  string name = 1;
+  map<string, string> labels = 2;
+}
+
+message ImageDelete {
+  string name = 1;
+}

wfe-containerd-protos/proto/api/events/namespace.proto

@@ -0,0 +1,38 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message NamespaceCreate {
+  string name = 1;
+  map<string, string> labels = 2;
+}
+
+message NamespaceUpdate {
+  string name = 1;
+  map<string, string> labels = 2;
+}
+
+message NamespaceDelete {
+  string name = 1;
+}

wfe-containerd-protos/proto/api/events/sandbox.proto

@@ -0,0 +1,37 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+
+message SandboxCreate {
+  string sandbox_id = 1;
+}
+
+message SandboxStart {
+  string sandbox_id = 1;
+}
+
+message SandboxExit {
+  string sandbox_id = 1;
+  uint32 exit_status = 2;
+  google.protobuf.Timestamp exited_at = 3;
+}

wfe-containerd-protos/proto/api/events/snapshot.proto

@@ -0,0 +1,41 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "types/fieldpath.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message SnapshotPrepare {
+  string key = 1;
+  string parent = 2;
+  string snapshotter = 5;
+}
+
+message SnapshotCommit {
+  string key = 1;
+  string name = 2;
+  string snapshotter = 5;
+}
+
+message SnapshotRemove {
+  string key = 1;
+  string snapshotter = 5;
+}

wfe-containerd-protos/proto/api/events/task.proto

@@ -0,0 +1,93 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.events;
+
+import "google/protobuf/timestamp.proto";
+import "types/fieldpath.proto";
+import "types/mount.proto";
+
+option go_package = "github.com/containerd/containerd/api/events;events";
+option (containerd.types.fieldpath_all) = true;
+
+message TaskCreate {
+  string container_id = 1;
+  string bundle = 2;
+  repeated containerd.types.Mount rootfs = 3;
+  TaskIO io = 4;
+  string checkpoint = 5;
+  uint32 pid = 6;
+}
+
+message TaskStart {
+  string container_id = 1;
+  uint32 pid = 2;
+}
+
+message TaskDelete {
+  string container_id = 1;
+  uint32 pid = 2;
+  uint32 exit_status = 3;
+  google.protobuf.Timestamp exited_at = 4;
+  // id is the specific exec. By default if omitted will be `""` thus matches
+  // the init exec of the task matching `container_id`.
+  string id = 5;
+}
+
+message TaskIO {
+  string stdin = 1;
+  string stdout = 2;
+  string stderr = 3;
+  bool terminal = 4;
+}
+
+message TaskExit {
+  string container_id = 1;
+  string id = 2;
+  uint32 pid = 3;
+  uint32 exit_status = 4;
+  google.protobuf.Timestamp exited_at = 5;
+}
+
+message TaskOOM {
+  string container_id = 1;
+}
+
+message TaskExecAdded {
+  string container_id = 1;
+  string exec_id = 2;
+}
+
+message TaskExecStarted {
+  string container_id = 1;
+  string exec_id = 2;
+  uint32 pid = 3;
+}
+
+message TaskPaused {
+  string container_id = 1;
+}
+
+message TaskResumed {
+  string container_id = 1;
+}
+
+message TaskCheckpointed {
+  string container_id = 1;
+  string checkpoint = 2;
+}

wfe-containerd-protos/proto/api/runtime/sandbox/v1/sandbox.proto

@@ -0,0 +1,149 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.runtime.sandbox.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+import "types/metrics.proto";
+import "types/mount.proto";
+import "types/platform.proto";
+
+option go_package = "github.com/containerd/containerd/api/runtime/sandbox/v1;sandbox";
+
+// Sandbox is an optional interface that shim may implement to support sandboxes environments.
+// A typical example of sandbox is microVM or pause container - an entity that groups containers and/or
+// holds resources relevant for this group.
+service Sandbox {
+  // CreateSandbox will be called right after sandbox shim instance launched.
+  // It is a good place to initialize sandbox environment.
+  rpc CreateSandbox(CreateSandboxRequest) returns (CreateSandboxResponse);
+
+  // StartSandbox will start a previously created sandbox.
+  rpc StartSandbox(StartSandboxRequest) returns (StartSandboxResponse);
+
+  // Platform queries the platform the sandbox is going to run containers on.
+  // containerd will use this to generate a proper OCI spec.
+  rpc Platform(PlatformRequest) returns (PlatformResponse);
+
+  // StopSandbox will stop existing sandbox instance
+  rpc StopSandbox(StopSandboxRequest) returns (StopSandboxResponse);
+
+  // WaitSandbox blocks until sandbox exits.
+  rpc WaitSandbox(WaitSandboxRequest) returns (WaitSandboxResponse);
+
+  // SandboxStatus will return current status of the running sandbox instance
+  rpc SandboxStatus(SandboxStatusRequest) returns (SandboxStatusResponse);
+
+  // PingSandbox is a lightweight API call to check whether sandbox alive.
+  rpc PingSandbox(PingRequest) returns (PingResponse);
+
+  // ShutdownSandbox must shutdown shim instance.
+  rpc ShutdownSandbox(ShutdownSandboxRequest) returns (ShutdownSandboxResponse);
+
+  // SandboxMetrics retrieves metrics about a sandbox instance.
+  rpc SandboxMetrics(SandboxMetricsRequest) returns (SandboxMetricsResponse);
+}
+
+message CreateSandboxRequest {
+  string sandbox_id = 1;
+  string bundle_path = 2;
+  repeated containerd.types.Mount rootfs = 3;
+  google.protobuf.Any options = 4;
+  string netns_path = 5;
+  map<string, string> annotations = 6;
+}
+
+message CreateSandboxResponse {}
+
+message StartSandboxRequest {
+  string sandbox_id = 1;
+}
+
+message StartSandboxResponse {
+  uint32 pid = 1;
+  google.protobuf.Timestamp created_at = 2;
+  google.protobuf.Any spec = 3;
+}
+
+message PlatformRequest {
+  string sandbox_id = 1;
+}
+
+message PlatformResponse {
+  containerd.types.Platform platform = 1;
+}
+
+message StopSandboxRequest {
+  string sandbox_id = 1;
+  uint32 timeout_secs = 2;
+}
+
+message StopSandboxResponse {}
+
+message UpdateSandboxRequest {
+  string sandbox_id = 1;
+  google.protobuf.Any resources = 2;
+  map<string, string> annotations = 3;
+}
+
+message WaitSandboxRequest {
+  string sandbox_id = 1;
+}
+
+message WaitSandboxResponse {
+  uint32 exit_status = 1;
+  google.protobuf.Timestamp exited_at = 2;
+}
+
+message UpdateSandboxResponse {}
+
+message SandboxStatusRequest {
+  string sandbox_id = 1;
+  bool verbose = 2;
+}
+
+message SandboxStatusResponse {
+  string sandbox_id = 1;
+  uint32 pid = 2;
+  string state = 3;
+  map<string, string> info = 4;
+  google.protobuf.Timestamp created_at = 5;
+  google.protobuf.Timestamp exited_at = 6;
+  google.protobuf.Any extra = 7;
+}
+
+message PingRequest {
+  string sandbox_id = 1;
+}
+
+message PingResponse {}
+
+message ShutdownSandboxRequest {
+  string sandbox_id = 1;
+}
+
+message ShutdownSandboxResponse {}
+
+message SandboxMetricsRequest {
+  string sandbox_id = 1;
+}
+
+message SandboxMetricsResponse {
+  containerd.types.Metric metrics = 1;
+}

wfe-containerd-protos/proto/api/runtime/task/v2/shim.proto

@@ -0,0 +1,200 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.task.v2;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "types/mount.proto";
+import "types/task/task.proto";
+
+option go_package = "github.com/containerd/containerd/api/runtime/task/v2;task";
+
+// Shim service is launched for each container and is responsible for owning the IO
+// for the container and its additional processes.  The shim is also the parent of
+// each container and allows reattaching to the IO and receiving the exit status
+// for the container processes.
+service Task {
+  rpc State(StateRequest) returns (StateResponse);
+  rpc Create(CreateTaskRequest) returns (CreateTaskResponse);
+  rpc Start(StartRequest) returns (StartResponse);
+  rpc Delete(DeleteRequest) returns (DeleteResponse);
+  rpc Pids(PidsRequest) returns (PidsResponse);
+  rpc Pause(PauseRequest) returns (google.protobuf.Empty);
+  rpc Resume(ResumeRequest) returns (google.protobuf.Empty);
+  rpc Checkpoint(CheckpointTaskRequest) returns (google.protobuf.Empty);
+  rpc Kill(KillRequest) returns (google.protobuf.Empty);
+  rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty);
+  rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty);
+  rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty);
+  rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty);
+  rpc Wait(WaitRequest) returns (WaitResponse);
+  rpc Stats(StatsRequest) returns (StatsResponse);
+  rpc Connect(ConnectRequest) returns (ConnectResponse);
+  rpc Shutdown(ShutdownRequest) returns (google.protobuf.Empty);
+}
+
+message CreateTaskRequest {
+  string id = 1;
+  string bundle = 2;
+  repeated containerd.types.Mount rootfs = 3;
+  bool terminal = 4;
+  string stdin = 5;
+  string stdout = 6;
+  string stderr = 7;
+  string checkpoint = 8;
+  string parent_checkpoint = 9;
+  google.protobuf.Any options = 10;
+}
+
+message CreateTaskResponse {
+  uint32 pid = 1;
+}
+
+message DeleteRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message DeleteResponse {
+  uint32 pid = 1;
+  uint32 exit_status = 2;
+  google.protobuf.Timestamp exited_at = 3;
+}
+
+message ExecProcessRequest {
+  string id = 1;
+  string exec_id = 2;
+  bool terminal = 3;
+  string stdin = 4;
+  string stdout = 5;
+  string stderr = 6;
+  google.protobuf.Any spec = 7;
+}
+
+message ExecProcessResponse {}
+
+message ResizePtyRequest {
+  string id = 1;
+  string exec_id = 2;
+  uint32 width = 3;
+  uint32 height = 4;
+}
+
+message StateRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message StateResponse {
+  string id = 1;
+  string bundle = 2;
+  uint32 pid = 3;
+  containerd.v1.types.Status status = 4;
+  string stdin = 5;
+  string stdout = 6;
+  string stderr = 7;
+  bool terminal = 8;
+  uint32 exit_status = 9;
+  google.protobuf.Timestamp exited_at = 10;
+  string exec_id = 11;
+}
+
+message KillRequest {
+  string id = 1;
+  string exec_id = 2;
+  uint32 signal = 3;
+  bool all = 4;
+}
+
+message CloseIORequest {
+  string id = 1;
+  string exec_id = 2;
+  bool stdin = 3;
+}
+
+message PidsRequest {
+  string id = 1;
+}
+
+message PidsResponse {
+  repeated containerd.v1.types.ProcessInfo processes = 1;
+}
+
+message CheckpointTaskRequest {
+  string id = 1;
+  string path = 2;
+  google.protobuf.Any options = 3;
+}
+
+message UpdateTaskRequest {
+  string id = 1;
+  google.protobuf.Any resources = 2;
+  map<string, string> annotations = 3;
+}
+
+message StartRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message StartResponse {
+  uint32 pid = 1;
+}
+
+message WaitRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message WaitResponse {
+  uint32 exit_status = 1;
+  google.protobuf.Timestamp exited_at = 2;
+}
+
+message StatsRequest {
+  string id = 1;
+}
+
+message StatsResponse {
+  google.protobuf.Any stats = 1;
+}
+
+message ConnectRequest {
+  string id = 1;
+}
+
+message ConnectResponse {
+  uint32 shim_pid = 1;
+  uint32 task_pid = 2;
+  string version = 3;
+}
+
+message ShutdownRequest {
+  string id = 1;
+  bool now = 2;
+}
+
+message PauseRequest {
+  string id = 1;
+}
+
+message ResumeRequest {
+  string id = 1;
+}

wfe-containerd-protos/proto/api/runtime/task/v3/shim.proto

@@ -0,0 +1,200 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.task.v3;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "types/mount.proto";
+import "types/task/task.proto";
+
+option go_package = "github.com/containerd/containerd/api/runtime/task/v3;task";
+
+// Shim service is launched for each container and is responsible for owning the IO
+// for the container and its additional processes.  The shim is also the parent of
+// each container and allows reattaching to the IO and receiving the exit status
+// for the container processes.
+service Task {
+  rpc State(StateRequest) returns (StateResponse);
+  rpc Create(CreateTaskRequest) returns (CreateTaskResponse);
+  rpc Start(StartRequest) returns (StartResponse);
+  rpc Delete(DeleteRequest) returns (DeleteResponse);
+  rpc Pids(PidsRequest) returns (PidsResponse);
+  rpc Pause(PauseRequest) returns (google.protobuf.Empty);
+  rpc Resume(ResumeRequest) returns (google.protobuf.Empty);
+  rpc Checkpoint(CheckpointTaskRequest) returns (google.protobuf.Empty);
+  rpc Kill(KillRequest) returns (google.protobuf.Empty);
+  rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty);
+  rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty);
+  rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty);
+  rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty);
+  rpc Wait(WaitRequest) returns (WaitResponse);
+  rpc Stats(StatsRequest) returns (StatsResponse);
+  rpc Connect(ConnectRequest) returns (ConnectResponse);
+  rpc Shutdown(ShutdownRequest) returns (google.protobuf.Empty);
+}
+
+message CreateTaskRequest {
+  string id = 1;
+  string bundle = 2;
+  repeated containerd.types.Mount rootfs = 3;
+  bool terminal = 4;
+  string stdin = 5;
+  string stdout = 6;
+  string stderr = 7;
+  string checkpoint = 8;
+  string parent_checkpoint = 9;
+  google.protobuf.Any options = 10;
+}
+
+message CreateTaskResponse {
+  uint32 pid = 1;
+}
+
+message DeleteRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message DeleteResponse {
+  uint32 pid = 1;
+  uint32 exit_status = 2;
+  google.protobuf.Timestamp exited_at = 3;
+}
+
+message ExecProcessRequest {
+  string id = 1;
+  string exec_id = 2;
+  bool terminal = 3;
+  string stdin = 4;
+  string stdout = 5;
+  string stderr = 6;
+  google.protobuf.Any spec = 7;
+}
+
+message ExecProcessResponse {}
+
+message ResizePtyRequest {
+  string id = 1;
+  string exec_id = 2;
+  uint32 width = 3;
+  uint32 height = 4;
+}
+
+message StateRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message StateResponse {
+  string id = 1;
+  string bundle = 2;
+  uint32 pid = 3;
+  containerd.v1.types.Status status = 4;
+  string stdin = 5;
+  string stdout = 6;
+  string stderr = 7;
+  bool terminal = 8;
+  uint32 exit_status = 9;
+  google.protobuf.Timestamp exited_at = 10;
+  string exec_id = 11;
+}
+
+message KillRequest {
+  string id = 1;
+  string exec_id = 2;
+  uint32 signal = 3;
+  bool all = 4;
+}
+
+message CloseIORequest {
+  string id = 1;
+  string exec_id = 2;
+  bool stdin = 3;
+}
+
+message PidsRequest {
+  string id = 1;
+}
+
+message PidsResponse {
+  repeated containerd.v1.types.ProcessInfo processes = 1;
+}
+
+message CheckpointTaskRequest {
+  string id = 1;
+  string path = 2;
+  google.protobuf.Any options = 3;
+}
+
+message UpdateTaskRequest {
+  string id = 1;
+  google.protobuf.Any resources = 2;
+  map<string, string> annotations = 3;
+}
+
+message StartRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message StartResponse {
+  uint32 pid = 1;
+}
+
+message WaitRequest {
+  string id = 1;
+  string exec_id = 2;
+}
+
+message WaitResponse {
+  uint32 exit_status = 1;
+  google.protobuf.Timestamp exited_at = 2;
+}
+
+message StatsRequest {
+  string id = 1;
+}
+
+message StatsResponse {
+  google.protobuf.Any stats = 1;
+}
+
+message ConnectRequest {
+  string id = 1;
+}
+
+message ConnectResponse {
+  uint32 shim_pid = 1;
+  uint32 task_pid = 2;
+  string version = 3;
+}
+
+message ShutdownRequest {
+  string id = 1;
+  bool now = 2;
+}
+
+message PauseRequest {
+  string id = 1;
+}
+
+message ResumeRequest {
+  string id = 1;
+}

wfe-containerd-protos/proto/api/services/containers/v1/containers.proto

@@ -0,0 +1,181 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.containers.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/containers/v1;containers";
+
+// Containers provides metadata storage for containers used in the execution
+// service.
+//
+// The objects here provide an state-independent view of containers for use in
+// management and resource pinning. From that perspective, containers do not
+// have a "state" but rather this is the set of resources that will be
+// considered in use by the container.
+//
+// From the perspective of the execution service, these objects represent the
+// base parameters for creating a container process.
+//
+// In general, when looking to add fields for this type, first ask yourself
+// whether or not the function of the field has to do with runtime execution or
+// is invariant of the runtime state of the container. If it has to do with
+// runtime, or changes as the "container" is started and stops, it probably
+// doesn't belong on this object.
+service Containers {
+  rpc Get(GetContainerRequest) returns (GetContainerResponse);
+  rpc List(ListContainersRequest) returns (ListContainersResponse);
+  rpc ListStream(ListContainersRequest) returns (stream ListContainerMessage);
+  rpc Create(CreateContainerRequest) returns (CreateContainerResponse);
+  rpc Update(UpdateContainerRequest) returns (UpdateContainerResponse);
+  rpc Delete(DeleteContainerRequest) returns (google.protobuf.Empty);
+}
+
+message Container {
+  // ID is the user-specified identifier.
+  //
+  // This field may not be updated.
+  string id = 1;
+
+  // Labels provides an area to include arbitrary data on containers.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  //
+  // Note that to add a new value to this field, read the existing set and
+  // include the entire result in the update call.
+  map<string, string> labels = 2;
+
+  // Image contains the reference of the image used to build the
+  // specification and snapshots for running this container.
+  //
+  // If this field is updated, the spec and rootfs needed to updated, as well.
+  string image = 3;
+
+  message Runtime {
+    // Name is the name of the runtime.
+    string name = 1;
+    // Options specify additional runtime initialization options.
+    google.protobuf.Any options = 2;
+  }
+  // Runtime specifies which runtime to use for executing this container.
+  Runtime runtime = 4;
+
+  // Spec to be used when creating the container. This is runtime specific.
+  google.protobuf.Any spec = 5;
+
+  // Snapshotter specifies the snapshotter name used for rootfs
+  string snapshotter = 6;
+
+  // SnapshotKey specifies the snapshot key to use for the container's root
+  // filesystem. When starting a task from this container, a caller should
+  // look up the mounts from the snapshot service and include those on the
+  // task create request.
+  //
+  // Snapshots referenced in this field will not be garbage collected.
+  //
+  // This field is set to empty when the rootfs is not a snapshot.
+  //
+  // This field may be updated.
+  string snapshot_key = 7;
+
+  // CreatedAt is the time the container was first created.
+  google.protobuf.Timestamp created_at = 8;
+
+  // UpdatedAt is the last time the container was mutated.
+  google.protobuf.Timestamp updated_at = 9;
+
+  // Extensions allow clients to provide zero or more blobs that are directly
+  // associated with the container. One may provide protobuf, json, or other
+  // encoding formats. The primary use of this is to further decorate the
+  // container object with fields that may be specific to a client integration.
+  //
+  // The key portion of this map should identify a "name" for the extension
+  // that should be unique against other extensions. When updating extension
+  // data, one should only update the specified extension using field paths
+  // to select a specific map key.
+  map<string, google.protobuf.Any> extensions = 10;
+
+  // Sandbox ID this container belongs to.
+  string sandbox = 11;
+}
+
+message GetContainerRequest {
+  string id = 1;
+}
+
+message GetContainerResponse {
+  Container container = 1;
+}
+
+message ListContainersRequest {
+  // Filters contains one or more filters using the syntax defined in the
+  // containerd filter package.
+  //
+  // The returned result will be those that match any of the provided
+  // filters. Expanded, containers that match the following will be
+  // returned:
+  //
+  //	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+  //
+  // If filters is zero-length or nil, all items will be returned.
+  repeated string filters = 1;
+}
+
+message ListContainersResponse {
+  repeated Container containers = 1;
+}
+
+message CreateContainerRequest {
+  Container container = 1;
+}
+
+message CreateContainerResponse {
+  Container container = 1;
+}
+
+// UpdateContainerRequest updates the metadata on one or more container.
+//
+// The operation should follow semantics described in
+// https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/field-mask,
+// unless otherwise qualified.
+message UpdateContainerRequest {
+  // Container provides the target values, as declared by the mask, for the update.
+  //
+  // The ID field must be set.
+  Container container = 1;
+
+  // UpdateMask specifies which fields to perform the update on. If empty,
+  // the operation applies to all fields.
+  google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateContainerResponse {
+  Container container = 1;
+}
+
+message DeleteContainerRequest {
+  string id = 1;
+}
+
+message ListContainerMessage {
+  Container container = 1;
+}

wfe-containerd-protos/proto/api/services/content/v1/content.proto

@@ -0,0 +1,329 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.content.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/content/v1;content";
+
+// Content provides access to a content addressable storage system.
+service Content {
+  // Info returns information about a committed object.
+  //
+  // This call can be used for getting the size of content and checking for
+  // existence.
+  rpc Info(InfoRequest) returns (InfoResponse);
+
+  // Update updates content metadata.
+  //
+  // This call can be used to manage the mutable content labels. The
+  // immutable metadata such as digest, size, and committed at cannot
+  // be updated.
+  rpc Update(UpdateRequest) returns (UpdateResponse);
+
+  // List streams the entire set of content as Info objects and closes the
+  // stream.
+  //
+  // Typically, this will yield a large response, chunked into messages.
+  // Clients should make provisions to ensure they can handle the entire data
+  // set.
+  rpc List(ListContentRequest) returns (stream ListContentResponse);
+
+  // Delete will delete the referenced object.
+  rpc Delete(DeleteContentRequest) returns (google.protobuf.Empty);
+
+  // Read allows one to read an object based on the offset into the content.
+  //
+  // The requested data may be returned in one or more messages.
+  rpc Read(ReadContentRequest) returns (stream ReadContentResponse);
+
+  // Status returns the status for a single reference.
+  rpc Status(StatusRequest) returns (StatusResponse);
+
+  // ListStatuses returns the status of ongoing object ingestions, started via
+  // Write.
+  //
+  // Only those matching the regular expression will be provided in the
+  // response. If the provided regular expression is empty, all ingestions
+  // will be provided.
+  rpc ListStatuses(ListStatusesRequest) returns (ListStatusesResponse);
+
+  // Write begins or resumes writes to a resource identified by a unique ref.
+  // Only one active stream may exist at a time for each ref.
+  //
+  // Once a write stream has started, it may only write to a single ref, thus
+  // once a stream is started, the ref may be omitted on subsequent writes.
+  //
+  // For any write transaction represented by a ref, only a single write may
+  // be made to a given offset. If overlapping writes occur, it is an error.
+  // Writes should be sequential and implementations may throw an error if
+  // this is required.
+  //
+  // If expected_digest is set and already part of the content store, the
+  // write will fail.
+  //
+  // When completed, the commit flag should be set to true. If expected size
+  // or digest is set, the content will be validated against those values.
+  rpc Write(stream WriteContentRequest) returns (stream WriteContentResponse);
+
+  // Abort cancels the ongoing write named in the request. Any resources
+  // associated with the write will be collected.
+  rpc Abort(AbortRequest) returns (google.protobuf.Empty);
+}
+
+message Info {
+  // Digest is the hash identity of the blob.
+  string digest = 1;
+
+  // Size is the total number of bytes in the blob.
+  int64 size = 2;
+
+  // CreatedAt provides the time at which the blob was committed.
+  google.protobuf.Timestamp created_at = 3;
+
+  // UpdatedAt provides the time the info was last updated.
+  google.protobuf.Timestamp updated_at = 4;
+
+  // Labels are arbitrary data on snapshots.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  map<string, string> labels = 5;
+}
+
+message InfoRequest {
+  string digest = 1;
+}
+
+message InfoResponse {
+  Info info = 1;
+}
+
+message UpdateRequest {
+  Info info = 1;
+
+  // UpdateMask specifies which fields to perform the update on. If empty,
+  // the operation applies to all fields.
+  //
+  // In info, Digest, Size, and CreatedAt are immutable,
+  // other field may be updated using this mask.
+  // If no mask is provided, all mutable field are updated.
+  google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateResponse {
+  Info info = 1;
+}
+
+message ListContentRequest {
+  // Filters contains one or more filters using the syntax defined in the
+  // containerd filter package.
+  //
+  // The returned result will be those that match any of the provided
+  // filters. Expanded, containers that match the following will be
+  // returned:
+  //
+  //	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+  //
+  // If filters is zero-length or nil, all items will be returned.
+  repeated string filters = 1;
+}
+
+message ListContentResponse {
+  repeated Info info = 1;
+}
+
+message DeleteContentRequest {
+  // Digest specifies which content to delete.
+  string digest = 1;
+}
+
+// ReadContentRequest defines the fields that make up a request to read a portion of
+// data from a stored object.
+message ReadContentRequest {
+  // Digest is the hash identity to read.
+  string digest = 1;
+
+  // Offset specifies the number of bytes from the start at which to begin
+  // the read. If zero or less, the read will be from the start. This uses
+  // standard zero-indexed semantics.
+  int64 offset = 2;
+
+  // size is the total size of the read. If zero, the entire blob will be
+  // returned by the service.
+  int64 size = 3;
+}
+
+// ReadContentResponse carries byte data for a read request.
+message ReadContentResponse {
+  int64 offset = 1; // offset of the returned data
+  bytes data = 2; // actual data
+}
+
+message Status {
+  google.protobuf.Timestamp started_at = 1;
+  google.protobuf.Timestamp updated_at = 2;
+  string ref = 3;
+  int64 offset = 4;
+  int64 total = 5;
+  string expected = 6;
+}
+
+message StatusRequest {
+  string ref = 1;
+}
+
+message StatusResponse {
+  Status status = 1;
+}
+
+message ListStatusesRequest {
+  repeated string filters = 1;
+}
+
+message ListStatusesResponse {
+  repeated Status statuses = 1;
+}
+
+// WriteAction defines the behavior of a WriteRequest.
+enum WriteAction {
+  // WriteActionStat instructs the writer to return the current status while
+  // holding the lock on the write.
+  STAT = 0;
+
+  // WriteActionWrite sets the action for the write request to write data.
+  //
+  // Any data included will be written at the provided offset. The
+  // transaction will be left open for further writes.
+  //
+  // This is the default.
+  WRITE = 1;
+
+  // WriteActionCommit will write any outstanding data in the message and
+  // commit the write, storing it under the digest.
+  //
+  // This can be used in a single message to send the data, verify it and
+  // commit it.
+  //
+  // This action will always terminate the write.
+  COMMIT = 2;
+}
+
+// WriteContentRequest writes data to the request ref at offset.
+message WriteContentRequest {
+  // Action sets the behavior of the write.
+  //
+  // When this is a write and the ref is not yet allocated, the ref will be
+  // allocated and the data will be written at offset.
+  //
+  // If the action is write and the ref is allocated, it will accept data to
+  // an offset that has not yet been written.
+  //
+  // If the action is write and there is no data, the current write status
+  // will be returned. This works differently from status because the stream
+  // holds a lock.
+  WriteAction action = 1;
+
+  // Ref identifies the pre-commit object to write to.
+  string ref = 2;
+
+  // Total can be set to have the service validate the total size of the
+  // committed content.
+  //
+  // The latest value before or with the commit action message will be use to
+  // validate the content. If the offset overflows total, the service may
+  // report an error. It is only required on one message for the write.
+  //
+  // If the value is zero or less, no validation of the final content will be
+  // performed.
+  int64 total = 3;
+
+  // Expected can be set to have the service validate the final content against
+  // the provided digest.
+  //
+  // If the digest is already present in the object store, an AlreadyExists
+  // error will be returned.
+  //
+  // Only the latest version will be used to check the content against the
+  // digest. It is only required to include it on a single message, before or
+  // with the commit action message.
+  string expected = 4;
+
+  // Offset specifies the number of bytes from the start at which to begin
+  // the write. For most implementations, this means from the start of the
+  // file. This uses standard, zero-indexed semantics.
+  //
+  // If the action is write, the remote may remove all previously written
+  // data after the offset. Implementations may support arbitrary offsets but
+  // MUST support reseting this value to zero with a write. If an
+  // implementation does not support a write at a particular offset, an
+  // OutOfRange error must be returned.
+  int64 offset = 5;
+
+  // Data is the actual bytes to be written.
+  //
+  // If this is empty and the message is not a commit, a response will be
+  // returned with the current write state.
+  bytes data = 6;
+
+  // Labels are arbitrary data on snapshots.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  map<string, string> labels = 7;
+}
+
+// WriteContentResponse is returned on the culmination of a write call.
+message WriteContentResponse {
+  // Action contains the action for the final message of the stream. A writer
+  // should confirm that they match the intended result.
+  WriteAction action = 1;
+
+  // StartedAt provides the time at which the write began.
+  //
+  // This must be set for stat and commit write actions. All other write
+  // actions may omit this.
+  google.protobuf.Timestamp started_at = 2;
+
+  // UpdatedAt provides the last time of a successful write.
+  //
+  // This must be set for stat and commit write actions. All other write
+  // actions may omit this.
+  google.protobuf.Timestamp updated_at = 3;
+
+  // Offset is the current committed size for the write.
+  int64 offset = 4;
+
+  // Total provides the current, expected total size of the write.
+  //
+  // We include this to provide consistency with the Status structure on the
+  // client writer.
+  //
+  // This is only valid on the Stat and Commit response.
+  int64 total = 5;
+
+  // Digest, if present, includes the digest up to the currently committed
+  // bytes. If action is commit, this field will be set. It is implementation
+  // defined if this is set for other actions.
+  string digest = 6;
+}
+
+message AbortRequest {
+  string ref = 1;
+}

wfe-containerd-protos/proto/api/services/diff/v1/diff.proto

@@ -0,0 +1,90 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.diff.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+import "types/descriptor.proto";
+import "types/mount.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/diff/v1;diff";
+
+// Diff service creates and applies diffs
+service Diff {
+  // Apply applies the content associated with the provided digests onto
+  // the provided mounts. Archive content will be extracted and
+  // decompressed if necessary.
+  rpc Apply(ApplyRequest) returns (ApplyResponse);
+
+  // Diff creates a diff between the given mounts and uploads the result
+  // to the content store.
+  rpc Diff(DiffRequest) returns (DiffResponse);
+}
+
+message ApplyRequest {
+  // Diff is the descriptor of the diff to be extracted
+  containerd.types.Descriptor diff = 1;
+
+  repeated containerd.types.Mount mounts = 2;
+
+  map<string, google.protobuf.Any> payloads = 3;
+  // SyncFs is to synchronize the underlying filesystem containing files.
+  bool sync_fs = 4;
+}
+
+message ApplyResponse {
+  // Applied is the descriptor for the object which was applied.
+  // If the input was a compressed blob then the result will be
+  // the descriptor for the uncompressed blob.
+  containerd.types.Descriptor applied = 1;
+}
+
+message DiffRequest {
+  // Left are the mounts which represent the older copy
+  // in which is the base of the computed changes.
+  repeated containerd.types.Mount left = 1;
+
+  // Right are the mounts which represents the newer copy
+  // in which changes from the left were made into.
+  repeated containerd.types.Mount right = 2;
+
+  // MediaType is the media type descriptor for the created diff
+  // object
+  string media_type = 3;
+
+  // Ref identifies the pre-commit content store object. This
+  // reference can be used to get the status from the content store.
+  string ref = 4;
+
+  // Labels are the labels to apply to the generated content
+  // on content store commit.
+  map<string, string> labels = 5;
+
+  // SourceDateEpoch specifies the timestamp used to provide control for reproducibility.
+  // See also https://reproducible-builds.org/docs/source-date-epoch/ .
+  //
+  // Since containerd v2.0, the whiteout timestamps are set to zero (1970-01-01),
+  // not to the source date epoch.
+  google.protobuf.Timestamp source_date_epoch = 6;
+}
+
+message DiffResponse {
+  // Diff is the descriptor of the diff which can be applied
+  containerd.types.Descriptor diff = 3;
+}

wfe-containerd-protos/proto/api/services/events/v1/events.proto

@@ -0,0 +1,62 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.events.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import "types/event.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/events/v1;events";
+
+service Events {
+  // Publish an event to a topic.
+  //
+  // The event will be packed into a timestamp envelope with the namespace
+  // introspected from the context. The envelope will then be dispatched.
+  rpc Publish(PublishRequest) returns (google.protobuf.Empty);
+
+  // Forward sends an event that has already been packaged into an envelope
+  // with a timestamp and namespace.
+  //
+  // This is useful if earlier timestamping is required or when forwarding on
+  // behalf of another component, namespace or publisher.
+  rpc Forward(ForwardRequest) returns (google.protobuf.Empty);
+
+  // Subscribe to a stream of events, possibly returning only that match any
+  // of the provided filters.
+  //
+  // Unlike many other methods in containerd, subscribers will get messages
+  // from all namespaces unless otherwise specified. If this is not desired,
+  // a filter can be provided in the format 'namespace==<namespace>' to
+  // restrict the received events.
+  rpc Subscribe(SubscribeRequest) returns (stream containerd.types.Envelope);
+}
+
+message PublishRequest {
+  string topic = 1;
+  google.protobuf.Any event = 2;
+}
+
+message ForwardRequest {
+  containerd.types.Envelope envelope = 1;
+}
+
+message SubscribeRequest {
+  repeated string filters = 1;
+}

wfe-containerd-protos/proto/api/services/images/v1/images.proto

@@ -0,0 +1,149 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.images.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "types/descriptor.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/images/v1;images";
+
+// Images is a service that allows one to register images with containerd.
+//
+// In containerd, an image is merely the mapping of a name to a content root,
+// described by a descriptor. The behavior and state of image is purely
+// dictated by the type of the descriptor.
+//
+// From the perspective of this service, these references are mostly shallow,
+// in that the existence of the required content won't be validated until
+// required by consuming services.
+//
+// As such, this can really be considered a "metadata service".
+service Images {
+  // Get returns an image by name.
+  rpc Get(GetImageRequest) returns (GetImageResponse);
+
+  // List returns a list of all images known to containerd.
+  rpc List(ListImagesRequest) returns (ListImagesResponse);
+
+  // Create an image record in the metadata store.
+  //
+  // The name of the image must be unique.
+  rpc Create(CreateImageRequest) returns (CreateImageResponse);
+
+  // Update assigns the name to a given target image based on the provided
+  // image.
+  rpc Update(UpdateImageRequest) returns (UpdateImageResponse);
+
+  // Delete deletes the image by name.
+  rpc Delete(DeleteImageRequest) returns (google.protobuf.Empty);
+}
+
+message Image {
+  // Name provides a unique name for the image.
+  //
+  // Containerd treats this as the primary identifier.
+  string name = 1;
+
+  // Labels provides free form labels for the image. These are runtime only
+  // and do not get inherited into the package image in any way.
+  //
+  // Labels may be updated using the field mask.
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  map<string, string> labels = 2;
+
+  // Target describes the content entry point of the image.
+  containerd.types.Descriptor target = 3;
+
+  // CreatedAt is the time the image was first created.
+  google.protobuf.Timestamp created_at = 7;
+
+  // UpdatedAt is the last time the image was mutated.
+  google.protobuf.Timestamp updated_at = 8;
+}
+
+message GetImageRequest {
+  string name = 1;
+}
+
+message GetImageResponse {
+  Image image = 1;
+}
+
+message CreateImageRequest {
+  Image image = 1;
+
+  google.protobuf.Timestamp source_date_epoch = 2;
+}
+
+message CreateImageResponse {
+  Image image = 1;
+}
+
+message UpdateImageRequest {
+  // Image provides a full or partial image for update.
+  //
+  // The name field must be set or an error will be returned.
+  Image image = 1;
+
+  // UpdateMask specifies which fields to perform the update on. If empty,
+  // the operation applies to all fields.
+  google.protobuf.FieldMask update_mask = 2;
+
+  google.protobuf.Timestamp source_date_epoch = 3;
+}
+
+message UpdateImageResponse {
+  Image image = 1;
+}
+
+message ListImagesRequest {
+  // Filters contains one or more filters using the syntax defined in the
+  // containerd filter package.
+  //
+  // The returned result will be those that match any of the provided
+  // filters. Expanded, images that match the following will be
+  // returned:
+  //
+  //	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+  //
+  // If filters is zero-length or nil, all items will be returned.
+  repeated string filters = 1;
+}
+
+message ListImagesResponse {
+  repeated Image images = 1;
+}
+
+message DeleteImageRequest {
+  string name = 1;
+
+  // Sync indicates that the delete and cleanup should be done
+  // synchronously before returning to the caller
+  //
+  // Default is false
+  bool sync = 2;
+
+  // Target value for image to be deleted
+  //
+  // If image descriptor does not match the same digest,
+  // the delete operation will return "not found" error.
+  optional containerd.types.Descriptor target = 3;
+}

wfe-containerd-protos/proto/api/services/introspection/v1/introspection.proto

@@ -0,0 +1,133 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.introspection.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "google/rpc/status.proto";
+import "types/introspection.proto";
+import "types/platform.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/introspection/v1;introspection";
+
+service Introspection {
+  // Plugins returns a list of plugins in containerd.
+  //
+  // Clients can use this to detect features and capabilities when using
+  // containerd.
+  rpc Plugins(PluginsRequest) returns (PluginsResponse);
+  // Server returns information about the containerd server
+  rpc Server(google.protobuf.Empty) returns (ServerResponse);
+  // PluginInfo returns information directly from a plugin if the plugin supports it
+  rpc PluginInfo(PluginInfoRequest) returns (PluginInfoResponse);
+}
+
+message Plugin {
+  // Type defines the type of plugin.
+  //
+  // See package plugin for a list of possible values. Non core plugins may
+  // define their own values during registration.
+  string type = 1;
+
+  // ID identifies the plugin uniquely in the system.
+  string id = 2;
+
+  // Requires lists the plugin types required by this plugin.
+  repeated string requires = 3;
+
+  // Platforms enumerates the platforms this plugin will support.
+  //
+  // If values are provided here, the plugin will only be operable under the
+  // provided platforms.
+  //
+  // If this is empty, the plugin will work across all platforms.
+  //
+  // If the plugin prefers certain platforms over others, they should be
+  // listed from most to least preferred.
+  repeated types.Platform platforms = 4;
+
+  // Exports allows plugins to provide values about state or configuration to
+  // interested parties.
+  //
+  // One example is exposing the configured path of a snapshotter plugin.
+  map<string, string> exports = 5;
+
+  // Capabilities allows plugins to communicate feature switches to allow
+  // clients to detect features that may not be on be default or may be
+  // different from version to version.
+  //
+  // Use this sparingly.
+  repeated string capabilities = 6;
+
+  // InitErr will be set if the plugin fails initialization.
+  //
+  // This means the plugin may have been registered but a non-terminal error
+  // was encountered during initialization.
+  //
+  // Plugins that have this value set cannot be used.
+  google.rpc.Status init_err = 7;
+}
+
+message PluginsRequest {
+  // Filters contains one or more filters using the syntax defined in the
+  // containerd filter package.
+  //
+  // The returned result will be those that match any of the provided
+  // filters. Expanded, plugins that match the following will be
+  // returned:
+  //
+  //	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+  //
+  // If filters is zero-length or nil, all items will be returned.
+  repeated string filters = 1;
+}
+
+message PluginsResponse {
+  repeated Plugin plugins = 1;
+}
+
+message ServerResponse {
+  string uuid = 1;
+  uint64 pid = 2;
+  uint64 pidns = 3; // PID namespace, such as 4026531836
+  repeated DeprecationWarning deprecations = 4;
+}
+
+message DeprecationWarning {
+  string id = 1;
+  string message = 2;
+  google.protobuf.Timestamp last_occurrence = 3;
+}
+
+message PluginInfoRequest {
+  string type = 1;
+  string id = 2;
+
+  // Options may be used to request extra dynamic information from
+  // a plugin.
+  // This object is determined by the plugin and the plugin may return
+  // NotImplemented or InvalidArgument if it is not supported
+  google.protobuf.Any options = 3;
+}
+
+message PluginInfoResponse {
+  Plugin plugin = 1;
+  google.protobuf.Any extra = 2;
+}

wfe-containerd-protos/proto/api/services/leases/v1/leases.proto

@@ -0,0 +1,116 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+syntax = "proto3";
+
+package containerd.services.leases.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/leases/v1;leases";
+
+// Leases service manages resources leases within the metadata store.
+service Leases {
+  // Create creates a new lease for managing changes to metadata. A lease
+  // can be used to protect objects from being removed.
+  rpc Create(CreateRequest) returns (CreateResponse);
+
+  // Delete deletes the lease and makes any unreferenced objects created
+  // during the lease eligible for garbage collection if not referenced
+  // or retained by other resources during the lease.
+  rpc Delete(DeleteRequest) returns (google.protobuf.Empty);
+
+  // List lists all active leases, returning the full list of
+  // leases and optionally including the referenced resources.
+  rpc List(ListRequest) returns (ListResponse);
+
+  // AddResource references the resource by the provided lease.
+  rpc AddResource(AddResourceRequest) returns (google.protobuf.Empty);
+
+  // DeleteResource dereferences the resource by the provided lease.
+  rpc DeleteResource(DeleteResourceRequest) returns (google.protobuf.Empty);
+
+  // ListResources lists all the resources referenced by the lease.
+  rpc ListResources(ListResourcesRequest) returns (ListResourcesResponse);
+}
+
+// Lease is an object which retains resources while it exists.
+message Lease {
+  string id = 1;
+
+  google.protobuf.Timestamp created_at = 2;
+
+  map<string, string> labels = 3;
+}
+
+message CreateRequest {
+  // ID is used to identity the lease, when the id is not set the service
+  // generates a random identifier for the lease.
+  string id = 1;
+
+  map<string, string> labels = 3;
+}
+
+message CreateResponse {
+  Lease lease = 1;
+}
+
+message DeleteRequest {
+  string id = 1;
+
+  // Sync indicates that the delete and cleanup should be done
+  // synchronously before returning to the caller
+  //
+  // Default is false
+  bool sync = 2;
+}
+
+message ListRequest {
+  repeated string filters = 1;
+}
+
+message ListResponse {
+  repeated Lease leases = 1;
+}
+
+message Resource {
+  string id = 1;
+
+  // For snapshotter resource, there are many snapshotter types here, like
+  // overlayfs, devmapper etc. The type will be formatted with type,
+  // like "snapshotter/overlayfs".
+  string type = 2;
+}
+
+message AddResourceRequest {
+  string id = 1;
+
+  Resource resource = 2;
+}
+
+message DeleteResourceRequest {
+  string id = 1;
+
+  Resource resource = 2;
+}
+
+message ListResourcesRequest {
+  string id = 1;
+}
+
+message ListResourcesResponse {
+  repeated Resource resources = 1;
+}

wfe-containerd-protos/proto/api/services/mounts/v1/mounts.proto

@@ -0,0 +1,77 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+syntax = "proto3";
+
+package containerd.services.mounts.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "types/mount.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/mounts/v1;mounts";
+
+// Mounts service manages mounts
+service Mounts {
+  rpc Activate(ActivateRequest) returns (ActivateResponse);
+  rpc Deactivate(DeactivateRequest) returns (google.protobuf.Empty);
+  rpc Info(InfoRequest) returns (InfoResponse);
+  rpc Update(UpdateRequest) returns (UpdateResponse);
+  rpc List(ListRequest) returns (stream ListMessage);
+}
+
+message ActivateRequest {
+  string name = 1;
+
+  repeated containerd.types.Mount mounts = 2;
+
+  map<string, string> labels = 3;
+
+  bool temporary = 4;
+}
+
+message ActivateResponse {
+  containerd.types.ActivationInfo info = 1;
+}
+
+message DeactivateRequest {
+  string name = 1;
+}
+
+message InfoRequest {
+  string name = 1;
+}
+
+message InfoResponse {
+  containerd.types.ActivationInfo info = 1;
+}
+
+message UpdateRequest {
+  containerd.types.ActivationInfo info = 1;
+
+  google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateResponse {
+  containerd.types.ActivationInfo info = 1;
+}
+
+message ListRequest {
+  repeated string filters = 1;
+}
+
+message ListMessage {
+  containerd.types.ActivationInfo info = 1;
+}

wfe-containerd-protos/proto/api/services/namespaces/v1/namespace.proto

@@ -0,0 +1,107 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.namespaces.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/namespaces/v1;namespaces";
+
+// Namespaces provides the ability to manipulate containerd namespaces.
+//
+// All objects in the system are required to be a member of a namespace. If a
+// namespace is deleted, all objects, including containers, images and
+// snapshots, will be deleted, as well.
+//
+// Unless otherwise noted, operations in containerd apply only to the namespace
+// supplied per request.
+//
+// I hope this goes without saying, but namespaces are themselves NOT
+// namespaced.
+service Namespaces {
+  rpc Get(GetNamespaceRequest) returns (GetNamespaceResponse);
+  rpc List(ListNamespacesRequest) returns (ListNamespacesResponse);
+  rpc Create(CreateNamespaceRequest) returns (CreateNamespaceResponse);
+  rpc Update(UpdateNamespaceRequest) returns (UpdateNamespaceResponse);
+  rpc Delete(DeleteNamespaceRequest) returns (google.protobuf.Empty);
+}
+
+message Namespace {
+  string name = 1;
+
+  // Labels provides an area to include arbitrary data on namespaces.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  //
+  // Note that to add a new value to this field, read the existing set and
+  // include the entire result in the update call.
+  map<string, string> labels = 2;
+}
+
+message GetNamespaceRequest {
+  string name = 1;
+}
+
+message GetNamespaceResponse {
+  Namespace namespace = 1;
+}
+
+message ListNamespacesRequest {
+  string filter = 1;
+}
+
+message ListNamespacesResponse {
+  repeated Namespace namespaces = 1;
+}
+
+message CreateNamespaceRequest {
+  Namespace namespace = 1;
+}
+
+message CreateNamespaceResponse {
+  Namespace namespace = 1;
+}
+
+// UpdateNamespaceRequest updates the metadata for a namespace.
+//
+// The operation should follow semantics described in
+// https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/field-mask,
+// unless otherwise qualified.
+message UpdateNamespaceRequest {
+  // Namespace provides the target value, as declared by the mask, for the update.
+  //
+  // The namespace field must be set.
+  Namespace namespace = 1;
+
+  // UpdateMask specifies which fields to perform the update on. If empty,
+  // the operation applies to all fields.
+  //
+  // For the most part, this applies only to selectively updating labels on
+  // the namespace. While field masks are typically limited to ascii alphas
+  // and digits, we just take everything after the "labels." as the map key.
+  google.protobuf.FieldMask update_mask = 2;
+}
+
+message UpdateNamespaceResponse {
+  Namespace namespace = 1;
+}
+
+message DeleteNamespaceRequest {
+  string name = 1;
+}

wfe-containerd-protos/proto/api/services/sandbox/v1/sandbox.proto

@@ -0,0 +1,203 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+// Sandbox is a v2 runtime extension that allows more complex execution environments for containers.
+// This adds a notion of groups of containers that share same lifecycle and/or resources.
+// A few good fits for sandbox can be:
+// - A "pause" container in k8s, that acts as a parent process for child containers to hold network namespace.
+// - (micro)VMs that launch a VM process and executes containers inside guest OS.
+// containerd in this case remains implementation agnostic and delegates sandbox handling to runtimes.
+// See proposal and discussion here: https://github.com/containerd/containerd/issues/4131
+package containerd.services.sandbox.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+import "types/metrics.proto";
+import "types/mount.proto";
+import "types/platform.proto";
+import "types/sandbox.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/sandbox/v1;sandbox";
+
+// Store provides a metadata storage interface for sandboxes. Similarly to `Containers`,
+// sandbox object includes info required to start a new instance, but no runtime state.
+// When running a new sandbox instance, store objects are used as base type to create from.
+service Store {
+  rpc Create(StoreCreateRequest) returns (StoreCreateResponse);
+  rpc Update(StoreUpdateRequest) returns (StoreUpdateResponse);
+  rpc Delete(StoreDeleteRequest) returns (StoreDeleteResponse);
+  rpc List(StoreListRequest) returns (StoreListResponse);
+  rpc Get(StoreGetRequest) returns (StoreGetResponse);
+}
+
+message StoreCreateRequest {
+  containerd.types.Sandbox sandbox = 1;
+}
+
+message StoreCreateResponse {
+  containerd.types.Sandbox sandbox = 1;
+}
+
+message StoreUpdateRequest {
+  containerd.types.Sandbox sandbox = 1;
+  repeated string fields = 2;
+}
+
+message StoreUpdateResponse {
+  containerd.types.Sandbox sandbox = 1;
+}
+
+message StoreDeleteRequest {
+  string sandbox_id = 1;
+}
+
+message StoreDeleteResponse {}
+
+message StoreListRequest {
+  repeated string filters = 1;
+}
+
+message StoreListResponse {
+  repeated containerd.types.Sandbox list = 1;
+}
+
+message StoreGetRequest {
+  string sandbox_id = 1;
+}
+
+message StoreGetResponse {
+  containerd.types.Sandbox sandbox = 1;
+}
+
+// Controller is an interface to manage runtime sandbox instances.
+service Controller {
+  rpc Create(ControllerCreateRequest) returns (ControllerCreateResponse);
+  rpc Start(ControllerStartRequest) returns (ControllerStartResponse);
+  rpc Platform(ControllerPlatformRequest) returns (ControllerPlatformResponse);
+  rpc Stop(ControllerStopRequest) returns (ControllerStopResponse);
+  rpc Wait(ControllerWaitRequest) returns (ControllerWaitResponse);
+  rpc Status(ControllerStatusRequest) returns (ControllerStatusResponse);
+  rpc Shutdown(ControllerShutdownRequest) returns (ControllerShutdownResponse);
+  rpc Metrics(ControllerMetricsRequest) returns (ControllerMetricsResponse);
+  rpc Update(ControllerUpdateRequest) returns (ControllerUpdateResponse);
+}
+
+message ControllerCreateRequest {
+  string sandbox_id = 1;
+  repeated containerd.types.Mount rootfs = 2;
+  google.protobuf.Any options = 3;
+  string netns_path = 4;
+  map<string, string> annotations = 5;
+  containerd.types.Sandbox sandbox = 6;
+  string sandboxer = 10;
+}
+
+message ControllerCreateResponse {
+  string sandbox_id = 1;
+}
+
+message ControllerStartRequest {
+  string sandbox_id = 1;
+  string sandboxer = 10;
+}
+
+message ControllerStartResponse {
+  string sandbox_id = 1;
+  uint32 pid = 2;
+  google.protobuf.Timestamp created_at = 3;
+  map<string, string> labels = 4;
+  // Address of the sandbox for containerd to connect,
+  // for calling Task or other APIs serving in the sandbox.
+  // it is in the form of ttrpc+unix://path/to/uds or grpc+vsock://<vsock cid>:<port>.
+  string address = 5;
+  uint32 version = 6;
+  google.protobuf.Any spec = 7;
+}
+
+message ControllerPlatformRequest {
+  string sandbox_id = 1;
+  string sandboxer = 10;
+}
+
+message ControllerPlatformResponse {
+  containerd.types.Platform platform = 1;
+}
+
+message ControllerStopRequest {
+  string sandbox_id = 1;
+  uint32 timeout_secs = 2;
+  string sandboxer = 10;
+}
+
+message ControllerStopResponse {}
+
+message ControllerWaitRequest {
+  string sandbox_id = 1;
+  string sandboxer = 10;
+}
+
+message ControllerWaitResponse {
+  uint32 exit_status = 1;
+  google.protobuf.Timestamp exited_at = 2;
+}
+
+message ControllerStatusRequest {
+  string sandbox_id = 1;
+  bool verbose = 2;
+  string sandboxer = 10;
+}
+
+message ControllerStatusResponse {
+  string sandbox_id = 1;
+  uint32 pid = 2;
+  string state = 3;
+  map<string, string> info = 4;
+  google.protobuf.Timestamp created_at = 5;
+  google.protobuf.Timestamp exited_at = 6;
+  google.protobuf.Any extra = 7;
+  // Address of the sandbox for containerd to connect,
+  // for calling Task or other APIs serving in the sandbox.
+  // it is in the form of ttrpc+unix://path/to/uds or grpc+vsock://<vsock cid>:<port>.
+  string address = 8;
+  uint32 version = 9;
+}
+
+message ControllerShutdownRequest {
+  string sandbox_id = 1;
+  string sandboxer = 10;
+}
+
+message ControllerShutdownResponse {}
+
+message ControllerMetricsRequest {
+  string sandbox_id = 1;
+  string sandboxer = 10;
+}
+
+message ControllerMetricsResponse {
+  types.Metric metrics = 1;
+}
+
+message ControllerUpdateRequest {
+  string sandbox_id = 1;
+  string sandboxer = 2;
+  containerd.types.Sandbox sandbox = 3;
+  repeated string fields = 4;
+}
+
+message ControllerUpdateResponse {}

wfe-containerd-protos/proto/api/services/snapshots/v1/snapshots.proto

@@ -0,0 +1,181 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.snapshots.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "types/mount.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/snapshots/v1;snapshots";
+
+// Snapshot service manages snapshots
+service Snapshots {
+  rpc Prepare(PrepareSnapshotRequest) returns (PrepareSnapshotResponse);
+  rpc View(ViewSnapshotRequest) returns (ViewSnapshotResponse);
+  rpc Mounts(MountsRequest) returns (MountsResponse);
+  rpc Commit(CommitSnapshotRequest) returns (google.protobuf.Empty);
+  rpc Remove(RemoveSnapshotRequest) returns (google.protobuf.Empty);
+  rpc Stat(StatSnapshotRequest) returns (StatSnapshotResponse);
+  rpc Update(UpdateSnapshotRequest) returns (UpdateSnapshotResponse);
+  rpc List(ListSnapshotsRequest) returns (stream ListSnapshotsResponse);
+  rpc Usage(UsageRequest) returns (UsageResponse);
+  rpc Cleanup(CleanupRequest) returns (google.protobuf.Empty);
+}
+
+message PrepareSnapshotRequest {
+  string snapshotter = 1;
+  string key = 2;
+  string parent = 3;
+
+  // Labels are arbitrary data on snapshots.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  map<string, string> labels = 4;
+}
+
+message PrepareSnapshotResponse {
+  repeated containerd.types.Mount mounts = 1;
+}
+
+message ViewSnapshotRequest {
+  string snapshotter = 1;
+  string key = 2;
+  string parent = 3;
+
+  // Labels are arbitrary data on snapshots.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  map<string, string> labels = 4;
+}
+
+message ViewSnapshotResponse {
+  repeated containerd.types.Mount mounts = 1;
+}
+
+message MountsRequest {
+  string snapshotter = 1;
+  string key = 2;
+}
+
+message MountsResponse {
+  repeated containerd.types.Mount mounts = 1;
+}
+
+message RemoveSnapshotRequest {
+  string snapshotter = 1;
+  string key = 2;
+}
+
+message CommitSnapshotRequest {
+  string snapshotter = 1;
+  string name = 2;
+  string key = 3;
+
+  // Labels are arbitrary data on snapshots.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  map<string, string> labels = 4;
+
+  string parent = 5;
+}
+
+message StatSnapshotRequest {
+  string snapshotter = 1;
+  string key = 2;
+}
+
+enum Kind {
+  UNKNOWN = 0;
+  VIEW = 1;
+  ACTIVE = 2;
+  COMMITTED = 3;
+}
+
+message Info {
+  string name = 1;
+  string parent = 2;
+  Kind kind = 3;
+
+  // CreatedAt provides the time at which the snapshot was created.
+  google.protobuf.Timestamp created_at = 4;
+
+  // UpdatedAt provides the time the info was last updated.
+  google.protobuf.Timestamp updated_at = 5;
+
+  // Labels are arbitrary data on snapshots.
+  //
+  // The combined size of a key/value pair cannot exceed 4096 bytes.
+  map<string, string> labels = 6;
+}
+
+message StatSnapshotResponse {
+  Info info = 1;
+}
+
+message UpdateSnapshotRequest {
+  string snapshotter = 1;
+  Info info = 2;
+
+  // UpdateMask specifies which fields to perform the update on. If empty,
+  // the operation applies to all fields.
+  //
+  // In info, Name, Parent, Kind, Created are immutable,
+  // other field may be updated using this mask.
+  // If no mask is provided, all mutable field are updated.
+  google.protobuf.FieldMask update_mask = 3;
+}
+
+message UpdateSnapshotResponse {
+  Info info = 1;
+}
+
+message ListSnapshotsRequest {
+  string snapshotter = 1;
+
+  // Filters contains one or more filters using the syntax defined in the
+  // containerd filter package.
+  //
+  // The returned result will be those that match any of the provided
+  // filters. Expanded, images that match the following will be
+  // returned:
+  //
+  //	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+  //
+  // If filters is zero-length or nil, all items will be returned.
+  repeated string filters = 2;
+}
+
+message ListSnapshotsResponse {
+  repeated Info info = 1;
+}
+
+message UsageRequest {
+  string snapshotter = 1;
+  string key = 2;
+}
+
+message UsageResponse {
+  int64 size = 1;
+  int64 inodes = 2;
+}
+
+message CleanupRequest {
+  string snapshotter = 1;
+}

wfe-containerd-protos/proto/api/services/streaming/v1/streaming.proto

@@ -0,0 +1,31 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.streaming.v1;
+
+import "google/protobuf/any.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/streaming/v1;streaming";
+
+service Streaming {
+  rpc Stream(stream google.protobuf.Any) returns (stream google.protobuf.Any);
+}
+
+message StreamInit {
+  string id = 1;
+}

wfe-containerd-protos/proto/api/services/tasks/v1/tasks.proto

@@ -0,0 +1,226 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.tasks.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "types/descriptor.proto";
+import "types/metrics.proto";
+import "types/mount.proto";
+import "types/task/task.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/tasks/v1;tasks";
+
+service Tasks {
+  // Create a task.
+  rpc Create(CreateTaskRequest) returns (CreateTaskResponse);
+
+  // Start a process.
+  rpc Start(StartRequest) returns (StartResponse);
+
+  // Delete a task and on disk state.
+  rpc Delete(DeleteTaskRequest) returns (DeleteResponse);
+
+  rpc DeleteProcess(DeleteProcessRequest) returns (DeleteResponse);
+
+  rpc Get(GetRequest) returns (GetResponse);
+
+  rpc List(ListTasksRequest) returns (ListTasksResponse);
+
+  // Kill a task or process.
+  rpc Kill(KillRequest) returns (google.protobuf.Empty);
+
+  rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty);
+
+  rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty);
+
+  rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty);
+
+  rpc Pause(PauseTaskRequest) returns (google.protobuf.Empty);
+
+  rpc Resume(ResumeTaskRequest) returns (google.protobuf.Empty);
+
+  rpc ListPids(ListPidsRequest) returns (ListPidsResponse);
+
+  rpc Checkpoint(CheckpointTaskRequest) returns (CheckpointTaskResponse);
+
+  rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty);
+
+  rpc Metrics(MetricsRequest) returns (MetricsResponse);
+
+  rpc Wait(WaitRequest) returns (WaitResponse);
+}
+
+message CreateTaskRequest {
+  string container_id = 1;
+
+  // RootFS provides the pre-chroot mounts to perform in the shim before
+  // executing the container task.
+  //
+  // These are for mounts that cannot be performed in the user namespace.
+  // Typically, these mounts should be resolved from snapshots specified on
+  // the container object.
+  repeated containerd.types.Mount rootfs = 3;
+
+  string stdin = 4;
+  string stdout = 5;
+  string stderr = 6;
+  bool terminal = 7;
+
+  containerd.types.Descriptor checkpoint = 8;
+
+  google.protobuf.Any options = 9;
+
+  string runtime_path = 10;
+}
+
+message CreateTaskResponse {
+  string container_id = 1;
+  uint32 pid = 2;
+}
+
+message StartRequest {
+  string container_id = 1;
+  string exec_id = 2;
+}
+
+message StartResponse {
+  uint32 pid = 1;
+}
+
+message DeleteTaskRequest {
+  string container_id = 1;
+}
+
+message DeleteResponse {
+  string id = 1;
+  uint32 pid = 2;
+  uint32 exit_status = 3;
+  google.protobuf.Timestamp exited_at = 4;
+}
+
+message DeleteProcessRequest {
+  string container_id = 1;
+  string exec_id = 2;
+}
+
+message GetRequest {
+  string container_id = 1;
+  string exec_id = 2;
+}
+
+message GetResponse {
+  containerd.v1.types.Process process = 1;
+}
+
+message ListTasksRequest {
+  string filter = 1;
+}
+
+message ListTasksResponse {
+  repeated containerd.v1.types.Process tasks = 1;
+}
+
+message KillRequest {
+  string container_id = 1;
+  string exec_id = 2;
+  uint32 signal = 3;
+  bool all = 4;
+}
+
+message ExecProcessRequest {
+  string container_id = 1;
+  string stdin = 2;
+  string stdout = 3;
+  string stderr = 4;
+  bool terminal = 5;
+  // Spec for starting a process in the target container.
+  //
+  // For runc, this is a process spec, for example.
+  google.protobuf.Any spec = 6;
+  // id of the exec process
+  string exec_id = 7;
+}
+
+message ExecProcessResponse {}
+
+message ResizePtyRequest {
+  string container_id = 1;
+  string exec_id = 2;
+  uint32 width = 3;
+  uint32 height = 4;
+}
+
+message CloseIORequest {
+  string container_id = 1;
+  string exec_id = 2;
+  bool stdin = 3;
+}
+
+message PauseTaskRequest {
+  string container_id = 1;
+}
+
+message ResumeTaskRequest {
+  string container_id = 1;
+}
+
+message ListPidsRequest {
+  string container_id = 1;
+}
+
+message ListPidsResponse {
+  // Processes includes the process ID and additional process information
+  repeated containerd.v1.types.ProcessInfo processes = 1;
+}
+
+message CheckpointTaskRequest {
+  string container_id = 1;
+  string parent_checkpoint = 2;
+  google.protobuf.Any options = 3;
+}
+
+message CheckpointTaskResponse {
+  repeated containerd.types.Descriptor descriptors = 1;
+}
+
+message UpdateTaskRequest {
+  string container_id = 1;
+  google.protobuf.Any resources = 2;
+  map<string, string> annotations = 3;
+}
+
+message MetricsRequest {
+  repeated string filters = 1;
+}
+
+message MetricsResponse {
+  repeated types.Metric metrics = 1;
+}
+
+message WaitRequest {
+  string container_id = 1;
+  string exec_id = 2;
+}
+
+message WaitResponse {
+  uint32 exit_status = 1;
+  google.protobuf.Timestamp exited_at = 2;
+}

wfe-containerd-protos/proto/api/services/transfer/v1/transfer.proto

@@ -0,0 +1,39 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.transfer.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/transfer/v1;transfer";
+
+service Transfer {
+  rpc Transfer(TransferRequest) returns (google.protobuf.Empty);
+}
+
+message TransferRequest {
+  google.protobuf.Any source = 1;
+  google.protobuf.Any destination = 2;
+  TransferOptions options = 3;
+}
+
+message TransferOptions {
+  string progress_stream = 1;
+  // Progress min interval
+}

wfe-containerd-protos/proto/api/services/ttrpc/events/v1/events.proto

@@ -0,0 +1,37 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+package containerd.services.events.ttrpc.v1;
+
+import "google/protobuf/empty.proto";
+import "types/event.proto";
+
+option go_package = "github.com/containerd/containerd/api/services/ttrpc/events/v1;events";
+
+service Events {
+  // Forward sends an event that has already been packaged into an envelope
+  // with a timestamp and namespace.
+  //
+  // This is useful if earlier timestamping is required or when forwarding on
+  // behalf of another component, namespace or publisher.
+  rpc Forward(ForwardRequest) returns (google.protobuf.Empty);
+}
+
+message ForwardRequest {
+  containerd.types.Envelope envelope = 1;
+}