Skip to content

Add opt-in decryption for CLI and web observability#1000

Closed
TooTallNate wants to merge 46 commits intonate/wire-encryptionfrom
nate/opt-in-decrypt
Closed

Add opt-in decryption for CLI and web observability#1000
TooTallNate wants to merge 46 commits intonate/wire-encryptionfrom
nate/opt-in-decrypt

Conversation

@TooTallNate
Copy link
Copy Markdown
Member

@TooTallNate TooTallNate commented Feb 11, 2026
edited
Loading

Summary

Adds encryption-aware observability so users can view encrypted workflow data in the CLI and web UI:

CLI

  • --decrypt flag for workflow inspect commands
  • EncryptedDataRef with util.inspect.custom for styled encrypted data display
  • Fetches WorkflowRun for key resolution, caches per runId

Web UI

  • getEncryptionKeyForRun RPC endpoint with client-side importKey() decryption
  • Decrypt button in title bar with hover tooltip explaining scope
  • Auto-decrypt expanded event data when encryption key becomes available
  • Encrypted marker objects with named constructors and Lucide Lock icon in DataInspector
  • Encryption key lifted to run-level state for consistent decrypt across all tabs

Shared

  • hydrateResourceIOWithKey() for browser-side decryption
  • Event data encryption support across step, hook, and sleep resource types

@TooTallNate TooTallNate mentioned this pull request Feb 11, 2026
Merged
@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented Feb 11, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
example-nextjs-workflow-turbopack Ready Ready Preview, Comment Feb 19, 2026 5:14pm
example-nextjs-workflow-webpack Ready Ready Preview, Comment Feb 19, 2026 5:14pm
example-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-astro-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-express-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-fastify-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-hono-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-nitro-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-nuxt-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-sveltekit-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workbench-vite-workflow Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workflow-docs Ready Ready Preview, Comment, Open in v0 Feb 19, 2026 5:14pm
workflow-nest Ready Ready Preview, Comment Feb 19, 2026 5:14pm
workflow-swc-playground Ready Ready Preview, Comment Feb 19, 2026 5:14pm

This was referenced Feb 11, 2026
Merged
Closed
Merged
Merged
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Feb 11, 2026
edited
Loading

🧪 E2E Test Results

Some tests failed

Summary

Passed Failed Skipped Total
✅ ▲ Vercel Production 534 0 38 572
✅ 💻 Local Development 556 0 68 624
✅ 📦 Local Production 556 0 68 624
✅ 🐘 Local Postgres 556 0 68 624
✅ 🪟 Windows 49 0 3 52
❌ 🌍 Community Worlds 110 46 9 165
✅ 📋 Other 135 0 21 156
Total 2496 46 275 2817

❌ Failed Tests

🌍 Community Worlds (46 failed)

mongodb (1 failed):

  • webhookWorkflow

turso (45 failed):

  • addTenWorkflow
  • addTenWorkflow
  • should work with react rendering in step
  • promiseAllWorkflow
  • promiseRaceWorkflow
  • promiseAnyWorkflow
  • hookWorkflow
  • webhookWorkflow
  • sleepingWorkflow
  • parallelSleepWorkflow
  • nullByteWorkflow
  • workflowAndStepMetadataWorkflow
  • fetchWorkflow
  • promiseRaceStressTestWorkflow
  • error handling error propagation workflow errors nested function calls preserve message and stack trace
  • error handling error propagation workflow errors cross-file imports preserve message and stack trace
  • error handling error propagation step errors basic step error preserves message and stack trace
  • error handling error propagation step errors cross-file step error preserves message and function names in stack
  • error handling retry behavior regular Error retries until success
  • error handling retry behavior FatalError fails immediately without retries
  • error handling retry behavior RetryableError respects custom retryAfter delay
  • error handling retry behavior maxRetries=0 disables retries
  • error handling retry behavior workflow completes despite transient 5xx on step_completed
  • error handling catchability FatalError can be caught and detected with FatalError.is()
  • hookCleanupTestWorkflow - hook token reuse after workflow completion
  • concurrent hook token conflict - two workflows cannot use the same hook token simultaneously
  • stepFunctionPassingWorkflow - step function references can be passed as arguments (without closure vars)
  • stepFunctionWithClosureWorkflow - step function with closure variables passed as argument
  • closureVariableWorkflow - nested step functions with closure variables
  • spawnWorkflowFromStepWorkflow - spawning a child workflow using start() inside a step
  • health check (queue-based) - workflow and step endpoints respond to health check messages
  • pathsAliasWorkflow - TypeScript path aliases resolve correctly
  • Calculator.calculate - static workflow method using static step methods from another class
  • AllInOneService.processNumber - static workflow method using sibling static step methods
  • ChainableService.processWithThis - static step methods using this to reference the class
  • thisSerializationWorkflow - step function invoked with .call() and .apply()
  • customSerializationWorkflow - custom class serialization with WORKFLOW_SERIALIZE/WORKFLOW_DESERIALIZE
  • instanceMethodStepWorkflow - instance methods with "use step" directive
  • crossContextSerdeWorkflow - classes defined in step code are deserializable in workflow context
  • stepFunctionAsStartArgWorkflow - step function reference passed as start() argument
  • cancelRun - cancelling a running workflow
  • cancelRun via CLI - cancelling a running workflow
  • pages router addTenWorkflow via pages router
  • pages router promiseAllWorkflow via pages router
  • pages router sleepingWorkflow via pages router

Details by Category

✅ ▲ Vercel Production
App Passed Failed Skipped
✅ astro 48 0 4
✅ example 48 0 4
✅ express 48 0 4
✅ fastify 48 0 4
✅ hono 48 0 4
✅ nextjs-turbopack 51 0 1
✅ nextjs-webpack 51 0 1
✅ nitro 48 0 4
✅ nuxt 48 0 4
✅ sveltekit 48 0 4
✅ vite 48 0 4
✅ 💻 Local Development
App Passed Failed Skipped
✅ astro-stable 45 0 7
✅ express-stable 45 0 7
✅ fastify-stable 45 0 7
✅ hono-stable 45 0 7
✅ nextjs-turbopack-canary 49 0 3
✅ nextjs-turbopack-stable 49 0 3
✅ nextjs-webpack-canary 49 0 3
✅ nextjs-webpack-stable 49 0 3
✅ nitro-stable 45 0 7
✅ nuxt-stable 45 0 7
✅ sveltekit-stable 45 0 7
✅ vite-stable 45 0 7
✅ 📦 Local Production
App Passed Failed Skipped
✅ astro-stable 45 0 7
✅ express-stable 45 0 7
✅ fastify-stable 45 0 7
✅ hono-stable 45 0 7
✅ nextjs-turbopack-canary 49 0 3
✅ nextjs-turbopack-stable 49 0 3
✅ nextjs-webpack-canary 49 0 3
✅ nextjs-webpack-stable 49 0 3
✅ nitro-stable 45 0 7
✅ nuxt-stable 45 0 7
✅ sveltekit-stable 45 0 7
✅ vite-stable 45 0 7
✅ 🐘 Local Postgres
App Passed Failed Skipped
✅ astro-stable 45 0 7
✅ express-stable 45 0 7
✅ fastify-stable 45 0 7
✅ hono-stable 45 0 7
✅ nextjs-turbopack-canary 49 0 3
✅ nextjs-turbopack-stable 49 0 3
✅ nextjs-webpack-canary 49 0 3
✅ nextjs-webpack-stable 49 0 3
✅ nitro-stable 45 0 7
✅ nuxt-stable 45 0 7
✅ sveltekit-stable 45 0 7
✅ vite-stable 45 0 7
✅ 🪟 Windows
App Passed Failed Skipped
✅ nextjs-turbopack 49 0 3
❌ 🌍 Community Worlds
App Passed Failed Skipped
✅ mongodb-dev 3 0 0
❌ mongodb 48 1 3
✅ redis-dev 3 0 0
✅ redis 49 0 3
✅ turso-dev 3 0 0
❌ turso 4 45 3
✅ 📋 Other
App Passed Failed Skipped
✅ e2e-local-dev-nest-stable 45 0 7
✅ e2e-local-postgres-nest-stable 45 0 7
✅ e2e-local-prod-nest-stable 45 0 7

📋 View full workflow run

@TooTallNate Graphite App
Copy link
Copy Markdown
Member Author

TooTallNate commented Feb 11, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Feb 11, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 9ef7740

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 15 packages
Name Type
@workflow/cli Patch
@workflow/core Patch
@workflow/web Patch
@workflow/web-shared Patch
workflow Patch
@workflow/world-testing Patch
@workflow/builders Patch
@workflow/next Patch
@workflow/nitro Patch
@workflow/astro Patch
@workflow/nest Patch
@workflow/rollup Patch
@workflow/sveltekit Patch
@workflow/vite Patch
@workflow/nuxt Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@TooTallNate
Fix review comments: cache stream encryption key, remove redundant ca…
65b06ba 
…sts, fix stale comments
@TooTallNate
Trying to clean up some type non-sense
7dfe3f5
@TooTallNate
Make EventsConsumer async-aware: remove all setTimeout(0) hacks from …
1ec73ba 
…step/hook/sleep callbacks
@TooTallNate
Revert "Make EventsConsumer async-aware: remove all setTimeout(0) hac…
1eff2d5 
…ks from step/hook/sleep callbacks"

This reverts commit 1ec73ba.
@TooTallNate
Add failing test: encrypted Promise.all replay triggers unconsumed ev…
0155949 
…ent race condition
@TooTallNate
Fix failing test
02bfd98
@TooTallNate
.
b8afbd7
@TooTallNate
Add full encryption test suite to workflow.test.ts and attempt fix fo…
c68e1d9 
…r storytime
@TooTallNate
.
d5e1039
@TooTallNate
Redesign EventsConsumer: scan-forward consume, watchdog timer, post-c…
9236bda 
…ompletion corruption check

- Scan-forward consume loop skips past out-of-order events to find ones
  current subscribers can match, fixing deadlocks from async DB writes
- Replace aggressive setTimeout(0) unconsumed check with 1s watchdog
  timer that only fires on true deadlock (no progress for 1 second)
- Add onEventConsumed callback for passive timestamp observation without
  participating in event matching (replaces timestamp subscriber)
- Add post-completion check in runWorkflow: if events remain unconsumed
  after workflow completes, throw WorkflowRuntimeError (catches
  duplicate/orphaned events that scan-forward skipped past)
- Update all tests for new mechanics (splice-based, watchdog timing,
  corruption detection via post-completion check)
@TooTallNate
Make decryption an explicit opt-in for o11y tooling
9ff06de
@TooTallNate
Restore encrypted data handling in o11y hydration layer
18e35f8
@TooTallNate
Use EncryptedDataRef with util.inspect.custom for CLI encrypted data …
9ad205c 
…display
@TooTallNate
Fix Decrypt button crash: use correct 'refresh' callback from useWork…
2b2d9b6 
…flowResourceData
@TooTallNate
Implement client-side decryption for web o11y with getEncryptionKeyFo…
4fb407d 
…rRun RPC
@TooTallNate
Fix CLI decrypt: fetch WorkflowRun for key resolution, cache per runId
3157a45
@TooTallNate
Use named constructor pattern for encrypted data display in web o11y
e6a7388
@TooTallNate
Decrypt event data when encryption key is available after Decrypt but…
6d8bc3e 
…ton click
@TooTallNate
Lift encryption key to run-level state, auto-decrypt on fetch, fix fi…
a07fc21 
…eld pollution
@TooTallNate
Re-load expanded event data when encryption key becomes available
f23c7cb
@TooTallNate
Consolidate Decrypt to title bar Button, remove sidebar decrypt card
7374cbd
@TooTallNate
Add hover tooltip to Decrypt button explaining scope and state
7120677
@TooTallNate
Show flat Encrypted label for encrypted fields, use Lucide Lock icon …
3bfe8ec 
…in DataInspector
@TooTallNate
Render eventData subfields individually to avoid encrypted markers in…
3f10420 
… collapsed preview
@TooTallNate
Revert: render eventData subfields individually
4a0c137
@TooTallNate
Fix Lock icon vertical alignment in DataInspector encrypted label
fbf470e
@TooTallNate
update changeset
288691d
@TooTallNate
Fix loading state never clearing for hook/sleep resource types
7018c6c
@TooTallNate
Update CLI, web, and stream callers for CryptoKey: importKey at resol…
6766332 
…ution sites
@TooTallNate
Pass teamId to the get-key endpoint
9ef7740
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pranaygp pranaygp pranaygp left review comments

@vercel vercel[bot] vercel[bot] left review comments

Copilot code review Copilot Copilot left review comments

@VaguelySerious VaguelySerious VaguelySerious approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@TooTallNate @pranaygp @VaguelySerious