Make decryption an explicit opt-in for o11y tooling

[TooTallNate]

Make decryption of encrypted values an explicit opt-in for observability tooling to prevent unnecessary audit-logged key retrieval.

What changed?

• Encrypted values in workflow data are now shown as "🔒 Encrypted" by default in CLI and web observability tools
• CLI: Added a new --decrypt flag to workflow inspect commands to explicitly request decryption
• Web: Encrypted values are shown with a placeholder (decrypt-on-demand coming in a follow-up)
• Core: hydrateResourceIO now accepts null as the EncryptorResolver to skip decryption
• Added ENCRYPTED_PLACEHOLDER constant to represent encrypted values when decryption is not requested
• Modified encryptor resolution to be lazy (only when needed and explicitly requested)

How to test?

1. Run a workflow that contains encrypted values
2. Use workflow inspect to view the run - encrypted values should show as "🔒 Encrypted"
3. Use workflow inspect --decrypt to verify decryption works properly
4. Check the web interface to confirm encrypted values are shown with the placeholder

Why make this change?

Decryption of encrypted values triggers audit-logged key retrieval from the Vercel API. Making decryption an explicit opt-in ensures that these API calls only happen when the user specifically requests to see the decrypted values, improving security and reducing unnecessary API calls.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
example-nextjs-workflow-turbopack	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
example-nextjs-workflow-webpack	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
example-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-astro-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-express-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-fastify-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-hono-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-nitro-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-nuxt-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-sveltekit-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workbench-vite-workflow	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workflow-docs	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workflow-nest	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am
workflow-swc-playground	Ready	Preview, Comment, Open in v0	Feb 11, 2026 9:25am

[github-actions]

🧪 E2E Test Results

❌ Some tests failed

Summary

	Passed	Failed	Skipped	Total
❌ ▲ Vercel Production	489	1	38	528
✅ 💻 Local Development	418	0	62	480
✅ 📦 Local Production	418	0	62	480
✅ 🐘 Local Postgres	418	0	62	480
✅ 🪟 Windows	45	0	3	48
❌ 🌍 Community Worlds	102	42	9	153
✅ 📋 Other	123	0	21	144
Total	2013	43	257	2313

❌ Failed Tests

▲ Vercel Production (1 failed)

nextjs-turbopack (1 failed):

• crossContextSerdeWorkflow - classes defined in step code are deserializable in workflow context

🌍 Community Worlds (42 failed)

mongodb (1 failed):

• webhookWorkflow

turso (41 failed):

• addTenWorkflow
• addTenWorkflow
• should work with react rendering in step
• promiseAllWorkflow
• promiseRaceWorkflow
• promiseAnyWorkflow
• hookWorkflow
• webhookWorkflow
• sleepingWorkflow
• nullByteWorkflow
• workflowAndStepMetadataWorkflow
• fetchWorkflow
• promiseRaceStressTestWorkflow
• error handling error propagation workflow errors nested function calls preserve message and stack trace
• error handling error propagation workflow errors cross-file imports preserve message and stack trace
• error handling error propagation step errors basic step error preserves message and stack trace
• error handling error propagation step errors cross-file step error preserves message and function names in stack
• error handling retry behavior regular Error retries until success
• error handling retry behavior FatalError fails immediately without retries
• error handling retry behavior RetryableError respects custom retryAfter delay
• error handling retry behavior maxRetries=0 disables retries
• error handling catchability FatalError can be caught and detected with FatalError.is()
• hookCleanupTestWorkflow - hook token reuse after workflow completion
• concurrent hook token conflict - two workflows cannot use the same hook token simultaneously
• stepFunctionPassingWorkflow - step function references can be passed as arguments (without closure vars)
• stepFunctionWithClosureWorkflow - step function with closure variables passed as argument
• closureVariableWorkflow - nested step functions with closure variables
• spawnWorkflowFromStepWorkflow - spawning a child workflow using start() inside a step
• health check (queue-based) - workflow and step endpoints respond to health check messages
• pathsAliasWorkflow - TypeScript path aliases resolve correctly
• Calculator.calculate - static workflow method using static step methods from another class
• AllInOneService.processNumber - static workflow method using sibling static step methods
• ChainableService.processWithThis - static step methods using this to reference the class
• thisSerializationWorkflow - step function invoked with .call() and .apply()
• customSerializationWorkflow - custom class serialization with WORKFLOW_SERIALIZE/WORKFLOW_DESERIALIZE
• instanceMethodStepWorkflow - instance methods with "use step" directive
• crossContextSerdeWorkflow - classes defined in step code are deserializable in workflow context
• stepFunctionAsStartArgWorkflow - step function reference passed as start() argument
• pages router addTenWorkflow via pages router
• pages router promiseAllWorkflow via pages router
• pages router sleepingWorkflow via pages router

Details by Category

❌ ▲ Vercel Production

App	Passed	Failed	Skipped
✅ astro	44	0	4
✅ example	44	0	4
✅ express	44	0	4
✅ fastify	44	0	4
✅ hono	44	0	4
❌ nextjs-turbopack	46	1	1
✅ nextjs-webpack	47	0	1
✅ nitro	44	0	4
✅ nuxt	44	0	4
✅ sveltekit	44	0	4
✅ vite	44	0	4

✅ 💻 Local Development

App	Passed	Failed	Skipped
✅ astro-stable	41	0	7
✅ express-stable	41	0	7
✅ fastify-stable	41	0	7
✅ hono-stable	41	0	7
✅ nextjs-turbopack-stable	45	0	3
✅ nextjs-webpack-stable	45	0	3
✅ nitro-stable	41	0	7
✅ nuxt-stable	41	0	7
✅ sveltekit-stable	41	0	7
✅ vite-stable	41	0	7

✅ 📦 Local Production

App	Passed	Failed	Skipped
✅ astro-stable	41	0	7
✅ express-stable	41	0	7
✅ fastify-stable	41	0	7
✅ hono-stable	41	0	7
✅ nextjs-turbopack-stable	45	0	3
✅ nextjs-webpack-stable	45	0	3
✅ nitro-stable	41	0	7
✅ nuxt-stable	41	0	7
✅ sveltekit-stable	41	0	7
✅ vite-stable	41	0	7

✅ 🐘 Local Postgres

App	Passed	Failed	Skipped
✅ astro-stable	41	0	7
✅ express-stable	41	0	7
✅ fastify-stable	41	0	7
✅ hono-stable	41	0	7
✅ nextjs-turbopack-stable	45	0	3
✅ nextjs-webpack-stable	45	0	3
✅ nitro-stable	41	0	7
✅ nuxt-stable	41	0	7
✅ sveltekit-stable	41	0	7
✅ vite-stable	41	0	7

✅ 🪟 Windows

App	Passed	Failed	Skipped
✅ nextjs-turbopack	45	0	3

❌ 🌍 Community Worlds

App	Passed	Failed	Skipped
✅ mongodb-dev	3	0	0
❌ mongodb	44	1	3
✅ redis-dev	3	0	0
✅ redis	45	0	3
✅ turso-dev	3	0	0
❌ turso	4	41	3

✅ 📋 Other

App	Passed	Failed	Skipped
✅ e2e-local-dev-nest-stable	41	0	7
✅ e2e-local-postgres-nest-stable	41	0	7
✅ e2e-local-prod-nest-stable	41	0	7

---

📋 View full workflow run

---

❌ Some E2E test jobs failed:

• Vercel Prod: failure
• Local Dev: success
• Local Prod: success
• Local Postgres: success
• Windows: success

Check the workflow run for details.

[TooTallNate]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Make decryption an explicit opt-in for o11y tooling #1000 👈 (View in Graphite)
• Wire encryption into serialization layer #957
• Add Vercel encryption implementation (AES-256-GCM with HKDF) #956
• Fix projectConfig.projectId containing project name instead of ID #999
• Add Encryptor interface and thread through serialization layer #979
• Make serialization functions async #978
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[changeset-bot]

🦋 Changeset detected

Latest commit: cfa8bb9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 15 packages

Name	Type
@workflow/core	Patch
@workflow/cli	Patch
@workflow/web	Patch
@workflow/builders	Patch
@workflow/next	Patch
@workflow/nitro	Patch
@workflow/web-shared	Patch
workflow	Patch
@workflow/world-testing	Patch
@workflow/astro	Patch
@workflow/nest	Patch
@workflow/rollup	Patch
@workflow/sveltekit	Patch
@workflow/vite	Patch
@workflow/nuxt	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR