Skip to content

Wire encryption into serialization layer#957

Open
TooTallNate wants to merge 2 commits intonate/vercel-encryptionfrom
nate/wire-encryption
Open

Wire encryption into serialization layer#957
TooTallNate wants to merge 2 commits intonate/vercel-encryptionfrom
nate/wire-encryption

Conversation

@TooTallNate
Copy link
Member

@TooTallNate TooTallNate commented Feb 6, 2026

Summary

  • Adds maybeEncrypt() / maybeDecrypt() helpers that conditionally encrypt/decrypt based on whether an Encryptor is provided
  • Adds peekFormatPrefix(), isEncrypted() helper functions
  • Adds ENCRYPTED ('encr') format prefix to SerializationFormat
  • Adds getEncryptStream() / getDecryptStream() TransformStream factories for stream encryption
  • Wires encryption into all 8 dehydrate/hydrate functions — dehydrate calls maybeEncrypt after serialization, hydrate calls maybeDecrypt before deserialization
  • Adds stream encryption in WorkflowServerWritableStream (encrypts chunks before writing to storage)
  • Adds stream decryption in WorkflowServerReadableStream (decrypts chunks when reading from storage)
  • Passes runId to WorkflowServerReadableStream for decryption context
  • Adds 8 encryption integration tests using a mock XOR encryptor
  • Adds changeset

This is the "light the fuse" PR that actually enables encryption. When a World implementation provides encrypt/decrypt functions (e.g., via VERCEL_DEPLOYMENT_KEY env var), all workflow user data will be encrypted at rest.

Stack

Test plan

All 311 core tests pass (303 existing + 8 new encryption integration tests). Build succeeds.

Copilot AI review requested due to automatic review settings February 6, 2026 02:35
@vercel
Copy link
Contributor

vercel bot commented Feb 6, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
example-nextjs-workflow-turbopack Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
example-nextjs-workflow-webpack Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
example-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-astro-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-express-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-fastify-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-hono-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-nitro-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-nuxt-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-sveltekit-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workbench-vite-workflow Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workflow-docs Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workflow-nest Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am
workflow-swc-playground Ready Ready Preview, Comment, Open in v0 Feb 11, 2026 5:25am

@changeset-bot
Copy link

changeset-bot bot commented Feb 6, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 80714fd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages
Name Type
@workflow/cli Patch
@workflow/core Patch
@workflow/web-shared Patch
@workflow/world-vercel Patch
@workflow/world Patch
@workflow/world-testing Patch
workflow Patch
@workflow/builders Patch
@workflow/next Patch
@workflow/nitro Patch
@workflow/world-local Patch
@workflow/world-postgres Patch
@workflow/astro Patch
@workflow/nest Patch
@workflow/rollup Patch
@workflow/sveltekit Patch
@workflow/vite Patch
@workflow/nuxt Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions
Copy link
Contributor

github-actions bot commented Feb 6, 2026
edited
Loading

🧪 E2E Test Results

Some tests failed

Summary

Passed Failed Skipped Total
✅ ▲ Vercel Production 490 0 38 528
✅ 💻 Local Development 418 0 62 480
✅ 📦 Local Production 418 0 62 480
✅ 🐘 Local Postgres 418 0 62 480
✅ 🪟 Windows 45 0 3 48
❌ 🌍 Community Worlds 103 41 9 153
✅ 📋 Other 123 0 21 144
Total 2015 41 257 2313

❌ Failed Tests

🌍 Community Worlds (41 failed)

turso (41 failed):

  • addTenWorkflow
  • addTenWorkflow
  • should work with react rendering in step
  • promiseAllWorkflow
  • promiseRaceWorkflow
  • promiseAnyWorkflow
  • hookWorkflow
  • webhookWorkflow
  • sleepingWorkflow
  • nullByteWorkflow
  • workflowAndStepMetadataWorkflow
  • fetchWorkflow
  • promiseRaceStressTestWorkflow
  • error handling error propagation workflow errors nested function calls preserve message and stack trace
  • error handling error propagation workflow errors cross-file imports preserve message and stack trace
  • error handling error propagation step errors basic step error preserves message and stack trace
  • error handling error propagation step errors cross-file step error preserves message and function names in stack
  • error handling retry behavior regular Error retries until success
  • error handling retry behavior FatalError fails immediately without retries
  • error handling retry behavior RetryableError respects custom retryAfter delay
  • error handling retry behavior maxRetries=0 disables retries
  • error handling catchability FatalError can be caught and detected with FatalError.is()
  • hookCleanupTestWorkflow - hook token reuse after workflow completion
  • concurrent hook token conflict - two workflows cannot use the same hook token simultaneously
  • stepFunctionPassingWorkflow - step function references can be passed as arguments (without closure vars)
  • stepFunctionWithClosureWorkflow - step function with closure variables passed as argument
  • closureVariableWorkflow - nested step functions with closure variables
  • spawnWorkflowFromStepWorkflow - spawning a child workflow using start() inside a step
  • health check (queue-based) - workflow and step endpoints respond to health check messages
  • pathsAliasWorkflow - TypeScript path aliases resolve correctly
  • Calculator.calculate - static workflow method using static step methods from another class
  • AllInOneService.processNumber - static workflow method using sibling static step methods
  • ChainableService.processWithThis - static step methods using this to reference the class
  • thisSerializationWorkflow - step function invoked with .call() and .apply()
  • customSerializationWorkflow - custom class serialization with WORKFLOW_SERIALIZE/WORKFLOW_DESERIALIZE
  • instanceMethodStepWorkflow - instance methods with "use step" directive
  • crossContextSerdeWorkflow - classes defined in step code are deserializable in workflow context
  • stepFunctionAsStartArgWorkflow - step function reference passed as start() argument
  • pages router addTenWorkflow via pages router
  • pages router promiseAllWorkflow via pages router
  • pages router sleepingWorkflow via pages router

Details by Category

✅ ▲ Vercel Production
App Passed Failed Skipped
✅ astro 44 0 4
✅ example 44 0 4
✅ express 44 0 4
✅ fastify 44 0 4
✅ hono 44 0 4
✅ nextjs-turbopack 47 0 1
✅ nextjs-webpack 47 0 1
✅ nitro 44 0 4
✅ nuxt 44 0 4
✅ sveltekit 44 0 4
✅ vite 44 0 4
✅ 💻 Local Development
App Passed Failed Skipped
✅ astro-stable 41 0 7
✅ express-stable 41 0 7
✅ fastify-stable 41 0 7
✅ hono-stable 41 0 7
✅ nextjs-turbopack-stable 45 0 3
✅ nextjs-webpack-stable 45 0 3
✅ nitro-stable 41 0 7
✅ nuxt-stable 41 0 7
✅ sveltekit-stable 41 0 7
✅ vite-stable 41 0 7
✅ 📦 Local Production
App Passed Failed Skipped
✅ astro-stable 41 0 7
✅ express-stable 41 0 7
✅ fastify-stable 41 0 7
✅ hono-stable 41 0 7
✅ nextjs-turbopack-stable 45 0 3
✅ nextjs-webpack-stable 45 0 3
✅ nitro-stable 41 0 7
✅ nuxt-stable 41 0 7
✅ sveltekit-stable 41 0 7
✅ vite-stable 41 0 7
✅ 🐘 Local Postgres
App Passed Failed Skipped
✅ astro-stable 41 0 7
✅ express-stable 41 0 7
✅ fastify-stable 41 0 7
✅ hono-stable 41 0 7
✅ nextjs-turbopack-stable 45 0 3
✅ nextjs-webpack-stable 45 0 3
✅ nitro-stable 41 0 7
✅ nuxt-stable 41 0 7
✅ sveltekit-stable 41 0 7
✅ vite-stable 41 0 7
✅ 🪟 Windows
App Passed Failed Skipped
✅ nextjs-turbopack 45 0 3
❌ 🌍 Community Worlds
App Passed Failed Skipped
✅ mongodb-dev 3 0 0
✅ mongodb 45 0 3
✅ redis-dev 3 0 0
✅ redis 45 0 3
✅ turso-dev 3 0 0
❌ turso 4 41 3
✅ 📋 Other
App Passed Failed Skipped
✅ e2e-local-dev-nest-stable 41 0 7
✅ e2e-local-postgres-nest-stable 41 0 7
✅ e2e-local-prod-nest-stable 41 0 7

📋 View full workflow run

Copilot AI reviewed Feb 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements end-to-end encryption for workflow user data by wiring encryption functionality into the serialization layer. It builds on previous PRs that generated runId client-side (#954), made serialization functions async (#955), and added the Vercel encryption implementation (#956).

Changes:

  • Adds encryption/decryption helper functions (maybeEncrypt, maybeDecrypt, isEncrypted, peekFormatPrefix) and unused stream encryption utilities (getEncryptStream, getDecryptStream)
  • Adds ENCRYPTED ('encr') format prefix to SerializationFormat enum
  • Wires encryption into all 8 dehydrate/hydrate functions by calling maybeEncrypt after serialization and maybeDecrypt before deserialization
  • Implements inline stream encryption in WorkflowServerWritableStream and WorkflowServerReadableStream
  • Passes runId to WorkflowServerReadableStream for decryption context
  • Adds 8 comprehensive integration tests using a mock XOR encryptor
  • Removes unused _ prefixes from encryptor and runId parameters (now actively used)
  • Adds type casts (as any[], as any, as TResult) to hydration call sites to preserve type information

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
packages/core/src/serialization.ts Core encryption implementation: adds format prefix, helper functions, encryption wiring in dehydrate/hydrate functions, and inline stream encryption/decryption
packages/core/src/workflow.ts Adds type cast for hydrated workflow arguments
packages/core/src/runtime/step-handler.ts Adds type cast for hydrated step arguments
packages/core/src/runtime/run.ts Adds type cast for hydrated workflow return value
packages/core/src/serialization.test.ts Adds 8 encryption integration tests with mock XOR encryptor
.changeset/e2e-encryption.md Documents the end-to-end encryption feature addition

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

This was referenced Feb 6, 2026
Merged
Closed
@TooTallNate Graphite App
Copy link
Member Author

TooTallNate commented Feb 6, 2026
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@TooTallNate TooTallNate mentioned this pull request Feb 6, 2026
Open
@TooTallNate TooTallNate force-pushed the nate/vercel-encryption branch from efd031c to c1795c7 Compare February 7, 2026 10:01
@TooTallNate TooTallNate force-pushed the nate/vercel-encryption branch from c1795c7 to 60fac27 Compare February 7, 2026 10:03
@TooTallNate TooTallNate force-pushed the nate/vercel-encryption branch from 92cb3ef to edad633 Compare February 11, 2026 05:23
@TooTallNate TooTallNate mentioned this pull request Feb 11, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pranaygp pranaygp pranaygp left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TooTallNate @pranaygp