Skip to content

Make decryption an explicit opt-in for o11y tooling#1000

Draft
TooTallNate wants to merge 6 commits intonate/wire-encryptionfrom
nate/opt-in-decrypt
Draft

Make decryption an explicit opt-in for o11y tooling#1000
TooTallNate wants to merge 6 commits intonate/wire-encryptionfrom
nate/opt-in-decrypt

Conversation

@TooTallNate
Copy link
Member

@TooTallNate TooTallNate commented Feb 11, 2026
edited
Loading

Make decryption of encrypted values an explicit opt-in for observability tooling to prevent unnecessary audit-logged key retrieval.

What changed?

  • Encrypted values in workflow data are now shown as "🔒 Encrypted" by default in CLI and web observability tools
  • CLI: Added a new --decrypt flag to workflow inspect commands to explicitly request decryption
  • Web: Encrypted values are shown with a placeholder (decrypt-on-demand coming in a follow-up)
  • Core: hydrateResourceIO now accepts null as the EncryptorResolver to skip decryption
  • Added ENCRYPTED_PLACEHOLDER constant to represent encrypted values when decryption is not requested
  • Modified encryptor resolution to be lazy (only when needed and explicitly requested)

How to test?

  1. Run a workflow that contains encrypted values
  2. Use workflow inspect to view the run - encrypted values should show as "🔒 Encrypted"
  3. Use workflow inspect --decrypt to verify decryption works properly
  4. Check the web interface to confirm encrypted values are shown with the placeholder

Why make this change?

Decryption of encrypted values triggers audit-logged key retrieval from the Vercel API. Making decryption an explicit opt-in ensures that these API calls only happen when the user specifically requests to see the decrypted values, improving security and reducing unnecessary API calls.

@TooTallNate TooTallNate mentioned this pull request Feb 11, 2026
Open
@vercel
Copy link
Contributor

vercel bot commented Feb 11, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
example-nextjs-workflow-turbopack Error Error Feb 14, 2026 7:22am
example-nextjs-workflow-webpack Error Error Feb 14, 2026 7:22am
example-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-astro-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-express-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-fastify-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-hono-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-nitro-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-nuxt-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-sveltekit-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workbench-vite-workflow Ready Ready Preview, Comment Feb 14, 2026 7:22am
workflow-docs Ready Ready Preview, Comment, Open in v0 Feb 14, 2026 7:22am
workflow-nest Ready Ready Preview, Comment Feb 14, 2026 7:22am
workflow-swc-playground Ready Ready Preview, Comment Feb 14, 2026 7:22am

This was referenced Feb 11, 2026
Open
Open
Open
Open
@github-actions
Copy link
Contributor

github-actions bot commented Feb 11, 2026
edited
Loading

🧪 E2E Test Results

Some tests failed

Summary

Passed Failed Skipped Total
✅ ▲ Vercel Production 405 0 36 441
✅ 💻 Local Development 520 0 68 588
✅ 📦 Local Production 336 0 56 392
✅ 🐘 Local Postgres 336 0 56 392
✅ 🪟 Windows 46 0 3 49
❌ 🌍 Community Worlds 104 43 9 156
✅ 📋 Other 126 0 21 147
Total 1873 43 249 2165

❌ Failed Tests

🌍 Community Worlds (43 failed)

mongodb (1 failed):

  • webhookWorkflow

turso (42 failed):

  • addTenWorkflow
  • addTenWorkflow
  • should work with react rendering in step
  • promiseAllWorkflow
  • promiseRaceWorkflow
  • promiseAnyWorkflow
  • hookWorkflow
  • webhookWorkflow
  • sleepingWorkflow
  • nullByteWorkflow
  • workflowAndStepMetadataWorkflow
  • fetchWorkflow
  • promiseRaceStressTestWorkflow
  • error handling error propagation workflow errors nested function calls preserve message and stack trace
  • error handling error propagation workflow errors cross-file imports preserve message and stack trace
  • error handling error propagation step errors basic step error preserves message and stack trace
  • error handling error propagation step errors cross-file step error preserves message and function names in stack
  • error handling retry behavior regular Error retries until success
  • error handling retry behavior FatalError fails immediately without retries
  • error handling retry behavior RetryableError respects custom retryAfter delay
  • error handling retry behavior maxRetries=0 disables retries
  • error handling retry behavior workflow completes despite transient 5xx on step_completed
  • error handling catchability FatalError can be caught and detected with FatalError.is()
  • hookCleanupTestWorkflow - hook token reuse after workflow completion
  • concurrent hook token conflict - two workflows cannot use the same hook token simultaneously
  • stepFunctionPassingWorkflow - step function references can be passed as arguments (without closure vars)
  • stepFunctionWithClosureWorkflow - step function with closure variables passed as argument
  • closureVariableWorkflow - nested step functions with closure variables
  • spawnWorkflowFromStepWorkflow - spawning a child workflow using start() inside a step
  • health check (queue-based) - workflow and step endpoints respond to health check messages
  • pathsAliasWorkflow - TypeScript path aliases resolve correctly
  • Calculator.calculate - static workflow method using static step methods from another class
  • AllInOneService.processNumber - static workflow method using sibling static step methods
  • ChainableService.processWithThis - static step methods using this to reference the class
  • thisSerializationWorkflow - step function invoked with .call() and .apply()
  • customSerializationWorkflow - custom class serialization with WORKFLOW_SERIALIZE/WORKFLOW_DESERIALIZE
  • instanceMethodStepWorkflow - instance methods with "use step" directive
  • crossContextSerdeWorkflow - classes defined in step code are deserializable in workflow context
  • stepFunctionAsStartArgWorkflow - step function reference passed as start() argument
  • pages router addTenWorkflow via pages router
  • pages router promiseAllWorkflow via pages router
  • pages router sleepingWorkflow via pages router

Details by Category

✅ ▲ Vercel Production
App Passed Failed Skipped
✅ astro 45 0 4
✅ example 45 0 4
✅ express 45 0 4
✅ fastify 45 0 4
✅ hono 45 0 4
✅ nitro 45 0 4
✅ nuxt 45 0 4
✅ sveltekit 45 0 4
✅ vite 45 0 4
✅ 💻 Local Development
App Passed Failed Skipped
✅ astro-stable 42 0 7
✅ express-stable 42 0 7
✅ fastify-stable 42 0 7
✅ hono-stable 42 0 7
✅ nextjs-turbopack-canary 46 0 3
✅ nextjs-turbopack-stable 46 0 3
✅ nextjs-webpack-canary 46 0 3
✅ nextjs-webpack-stable 46 0 3
✅ nitro-stable 42 0 7
✅ nuxt-stable 42 0 7
✅ sveltekit-stable 42 0 7
✅ vite-stable 42 0 7
✅ 📦 Local Production
App Passed Failed Skipped
✅ astro-stable 42 0 7
✅ express-stable 42 0 7
✅ fastify-stable 42 0 7
✅ hono-stable 42 0 7
✅ nitro-stable 42 0 7
✅ nuxt-stable 42 0 7
✅ sveltekit-stable 42 0 7
✅ vite-stable 42 0 7
✅ 🐘 Local Postgres
App Passed Failed Skipped
✅ astro-stable 42 0 7
✅ express-stable 42 0 7
✅ fastify-stable 42 0 7
✅ hono-stable 42 0 7
✅ nitro-stable 42 0 7
✅ nuxt-stable 42 0 7
✅ sveltekit-stable 42 0 7
✅ vite-stable 42 0 7
✅ 🪟 Windows
App Passed Failed Skipped
✅ nextjs-turbopack 46 0 3
❌ 🌍 Community Worlds
App Passed Failed Skipped
✅ mongodb-dev 3 0 0
❌ mongodb 45 1 3
✅ redis-dev 3 0 0
✅ redis 46 0 3
✅ turso-dev 3 0 0
❌ turso 4 42 3
✅ 📋 Other
App Passed Failed Skipped
✅ e2e-local-dev-nest-stable 42 0 7
✅ e2e-local-postgres-nest-stable 42 0 7
✅ e2e-local-prod-nest-stable 42 0 7

📋 View full workflow run

Some E2E test jobs failed:

  • Vercel Prod: failure
  • Local Dev: success
  • Local Prod: failure
  • Local Postgres: failure
  • Windows: success

Check the workflow run for details.

@TooTallNate Graphite App
Copy link
Member Author

TooTallNate commented Feb 11, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@changeset-bot
Copy link

changeset-bot bot commented Feb 11, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 1cf65e0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 15 packages
Name Type
@workflow/core Patch
@workflow/cli Patch
@workflow/web Patch
@workflow/builders Patch
@workflow/next Patch
@workflow/nitro Patch
@workflow/web-shared Patch
workflow Patch
@workflow/world-testing Patch
@workflow/astro Patch
@workflow/nest Patch
@workflow/rollup Patch
@workflow/sveltekit Patch
@workflow/vite Patch
@workflow/nuxt Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

vercel[bot]
vercel bot reviewed Feb 14, 2026
View reviewed changes
Copy link
Contributor

@vercel vercel bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional Suggestion:

useWorkflowResourceData never sets loading to false for 'hook' and 'sleep' resource types, causing a permanent loading state in the UI.

Fix on Vercel

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vercel vercel[bot] vercel[bot] left review comments

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TooTallNate