Skip to content

Backport #2145: fix(core,errors): classify SDK encryption failures as RUNTIME_ERROR#2165

Open
github-actions[bot] wants to merge 2 commits into
stablefrom
backport/pr-2145-to-stable
Open

Backport #2145: fix(core,errors): classify SDK encryption failures as RUNTIME_ERROR#2165
github-actions[bot] wants to merge 2 commits into
stablefrom
backport/pr-2145-to-stable

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented May 29, 2026

Automated backport of #2145 to stable (backport job run).

AI recommendation: This is a self-contained bug fix that corrects misclassification of SDK-level AES-GCM encryption failures from USER_ERROR to RUNTIME_ERROR. The change touches packages/core, packages/errors, and docs/content/ — all of which are maintained on stable. The fix addresses an existing issue in the classifier and encryption layers that almost certainly also exists on stable, making it a strong backport candidate.

Merge conflicts were resolved by AI (opencode with anthropic/claude-opus-4.7). Please review the conflict resolution carefully before merging.

@github-actions
fix(core,errors): classify SDK encryption failures as RUNTIME_ERROR (#…
c71db04 
…2145)

* fix(core,errors): classify SDK encryption failures as RUNTIME_ERROR

SDK-level AES-GCM encrypt/decrypt failures are never the user's fault,
but the run-failure classifier was tagging them as USER_ERROR because
the native Web Crypto OperationError (most commonly raised by
AESCipherJob.onDone on GCM auth-tag mismatch) does not match any
RUNTIME_ERROR_CHECKS entry.

Introduce a new RuntimeDecryptionError (subclass of WorkflowRuntimeError)
that the encryption module throws when subtle.encrypt/subtle.decrypt
fails, with the original DOMException as cause plus diagnostic context
(operation, byteLength, printable/hex format prefix of the input
header). classifyRunError now picks it up via RUNTIME_ERROR_CHECKS, so
these failures surface as RUNTIME_ERROR with a proper named class for
dashboards and triage.

* Trim changeset description to one sentence

* Trim historical-context comments

* docs: add runtime-decryption-failed troubleshooting page (v4 + v5)

* fix(core): round-trip RuntimeDecryptionError context, fix formatPrefix, propagate through serialization wrappers

Addresses review feedback on #2145:

- Add a RuntimeDecryptionError reducer/reviver (+ SerializableSpecial
  entry + globalThis registration) so its `context` (operation,
  byteLength, formatPrefix) survives the dehydrate/hydrate run-error
  round trip instead of being dropped by the generic Error reducer.

- Stop capturing `formatPrefix` in the low-level encryption layer, which
  only sees the stripped AES payload (nonce bytes), not the outer `encr`
  marker. The serialization layer now attaches the real envelope prefix.

- Rethrow RuntimeDecryptionError unchanged from the serialize/dehydrate
  catch blocks instead of reframing it as a SerializationError, so an
  encryption failure during dehydration stays a RUNTIME_ERROR rather than
  being misclassified as USER_ERROR.

* fix(core): enrich stream decrypt errors with envelope prefix + fix lint

- Mirror the catch/enrich/rethrow block from serialization/encryption.ts
  around the stream-path aesGcmDecrypt() call so auth-tag failures on
  encrypted stream frames also carry context.formatPrefix = 'encr'
  (addresses review feedback). Add a tampered-frame test.
- Fix all auto-fixable Biome lint findings in the touched files
  (template literals, useless try/catch wrappers, optional chaining,
  non-null assertions).

Signed-off-by: Nathan Rajlich <n@n8.io>
@github-actions github-actions Bot requested a review from a team as a code owner May 29, 2026 19:03
@github-actions github-actions Bot mentioned this pull request May 29, 2026
Merged
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 29, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 6d72e3b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages
Name Type
@workflow/errors Patch
@workflow/core Patch
@workflow/builders Patch
@workflow/cli Patch
@workflow/web Patch
workflow Patch
@workflow/world-local Patch
@workflow/world-postgres Patch
@workflow/world-vercel Patch
@workflow/next Patch
@workflow/nitro Patch
@workflow/vitest Patch
@workflow/web-shared Patch
@workflow/world-testing Patch
@workflow/astro Patch
@workflow/nest Patch
@workflow/rollup Patch
@workflow/sveltekit Patch
@workflow/vite Patch
@workflow/nuxt Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 29, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
example-nextjs-workflow-turbopack Ready Ready Preview, Comment May 29, 2026 8:07pm
example-nextjs-workflow-webpack Ready Ready Preview, Comment May 29, 2026 8:07pm
example-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-astro-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-express-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-fastify-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-hono-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-nitro-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-nuxt-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-sveltekit-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-tanstack-start-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workbench-vite-workflow Ready Ready Preview, Comment May 29, 2026 8:07pm
workflow-docs Ready Ready Preview, Comment, Open in v0 May 29, 2026 8:07pm
workflow-swc-playground Ready Ready Preview, Comment May 29, 2026 8:07pm
workflow-tarballs Ready Ready Preview, Comment May 29, 2026 8:07pm
workflow-web Ready Ready Preview, Comment May 29, 2026 8:07pm

vercel[bot]
vercel Bot reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@vercel vercel Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional Suggestion:

The importKey function only accepts one parameter (raw), but the test calls it with a second argument ['decrypt'] that is silently ignored, causing the test to not actually test what it claims to test.

Fix on Vercel

@github-actions
Copy link
Copy Markdown
Contributor Author

github-actions Bot commented May 29, 2026
edited
Loading

🧪 E2E Test Results

Some tests failed

Summary

Passed Failed Skipped Total
✅ ▲ Vercel Production 901 0 67 968
✅ 💻 Local Development 970 0 86 1056
✅ 📦 Local Production 970 0 86 1056
✅ 🐘 Local Postgres 970 0 86 1056
❌ 🌍 Community Worlds 15 69 0 84
✅ 📋 Other 492 0 36 528
Total 4318 69 361 4748

❌ Failed Tests

🌍 Community Worlds (69 failed)

mongodb-dev (1 failed):

  • dev e2e should rebuild on imported step dependency change

redis-dev (1 failed):

  • dev e2e should rebuild on imported step dependency change

turso-dev (1 failed):

  • dev e2e should rebuild on imported step dependency change

turso (66 failed):

  • addTenWorkflow | wrun_01KSTNG1F0PGBK20P1KZ0RMS81
  • addTenWorkflow | wrun_01KSTNG1F0PGBK20P1KZ0RMS81
  • wellKnownAgentWorkflow (.well-known/agent) | wrun_01KSTNGF546KNM2ZB0DA7QGPDT
  • should work with react rendering in step
  • promiseAllWorkflow | wrun_01KSTNG9JVQXWR2M261AK46W06
  • promiseRaceWorkflow | wrun_01KSTNGEWEFCDWYS29EF6CEBB3
  • promiseAnyWorkflow | wrun_01KSTNGH9H4ZN325PV4ADBP9CB
  • importedStepOnlyWorkflow | wrun_01KSTNGT3RJPRA080Y6AX41RSB
  • readableStreamWorkflow | wrun_01KSTNGNP0R2PZSM8S0GW49G6V
  • hookWorkflow | wrun_01KSTNH32QSZET1WPX0X8PCPMJ
  • hookWorkflow is not resumable via public webhook endpoint | wrun_01KSTNHC45054DASPQJZZSM7DJ
  • webhookWorkflow | wrun_01KSTNHHW6R6C5YH8WVKWD2QQ8
  • sleepingWorkflow | wrun_01KSTNHRMH01NBTQSE7R9MQKTR
  • parallelSleepWorkflow | wrun_01KSTNJ7RJV0QVVBKY5DZP4YJP
  • nullByteWorkflow | wrun_01KSTNJCQRNE44WP1DFEDJZVRV
  • workflowAndStepMetadataWorkflow | wrun_01KSTNJG3K2T0K8Y62J803D2QX
  • outputStreamWorkflow no startIndex (reads all chunks)
  • outputStreamWorkflow positive startIndex (skips first chunk)
  • outputStreamWorkflow negative startIndex (reads from end)
  • outputStreamWorkflow - getTailIndex and getStreamChunks getTailIndex returns correct index after stream completes
  • outputStreamWorkflow - getTailIndex and getStreamChunks getTailIndex returns -1 before any chunks are written
  • outputStreamWorkflow - getTailIndex and getStreamChunks getStreamChunks returns same content as reading the stream
  • outputStreamInsideStepWorkflow - getWritable() called inside step functions | wrun_01KSTNN2XSDHY1H4WATPD9NTGR
  • fetchWorkflow | wrun_01KSTNNHZZA37V36SWGHZ96B3C
  • promiseRaceStressTestWorkflow | wrun_01KSTNNNF882TWB4QT0F7195RF
  • error handling error propagation workflow errors nested function calls preserve message and stack trace
  • error handling error propagation workflow errors cross-file imports preserve message and stack trace
  • error handling error propagation step errors basic step error preserves message and stack trace
  • error handling error propagation step errors cross-file step error preserves message and function names in stack
  • error handling retry behavior regular Error retries until success
  • error handling retry behavior FatalError fails immediately without retries
  • error handling retry behavior RetryableError respects custom retryAfter delay
  • error handling retry behavior maxRetries=0 disables retries
  • error handling catchability FatalError can be caught and detected with FatalError.is()
  • error handling not registered WorkflowNotRegisteredError fails the run when workflow does not exist
  • error handling not registered StepNotRegisteredError fails the step but workflow can catch it
  • error handling not registered StepNotRegisteredError fails the run when not caught in workflow
  • hookCleanupTestWorkflow - hook token reuse after workflow completion | wrun_01KSTNS49SBZQ8SFZZ6BPTVAYR
  • concurrent hook token conflict - two workflows cannot use the same hook token simultaneously | wrun_01KSTNSH1AJSFEMTTE2Z637DF0
  • hookDisposeTestWorkflow - hook token reuse after explicit disposal while workflow still running | wrun_01KSTNT10VJDMGXGMCYV94M7W0
  • stepFunctionPassingWorkflow - step function references can be passed as arguments (without closure vars) | wrun_01KSTNTGZP686CPGFEFQ29QR7K
  • stepFunctionWithClosureWorkflow - step function with closure variables passed as argument | wrun_01KSTNTTAHQK99K6YENBFWYDNZ
  • closureVariableWorkflow - nested step functions with closure variables | wrun_01KSTNV03QK4APBMS6C4SZ524F
  • spawnWorkflowFromStepWorkflow - spawning a child workflow using start() inside a step | wrun_01KSTNV2A49Q56ETT04HTNDH99
  • health check (queue-based) - workflow and step endpoints respond to health check messages
  • health check (CLI) - workflow health command reports healthy endpoints
  • pathsAliasWorkflow - TypeScript path aliases resolve correctly | wrun_01KSTNVJH68M8Z8XG9B04KBME7
  • Calculator.calculate - static workflow method using static step methods from another class | wrun_01KSTNVR8T4Q9XWYR395QXKKFE
  • AllInOneService.processNumber - static workflow method using sibling static step methods | wrun_01KSTNVZ0MN2FV71V5DD91WA5K
  • ChainableService.processWithThis - static step methods using this to reference the class | wrun_01KSTNW64ZDB4R7JP6C49BZ6EZ
  • thisSerializationWorkflow - step function invoked with .call() and .apply() | wrun_01KSTNWCZ4K1VEGY5TSFD0HYKG
  • customSerializationWorkflow - custom class serialization with WORKFLOW_SERIALIZE/WORKFLOW_DESERIALIZE | wrun_01KSTNWMBT1GFANR78RADRYT10
  • instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KSTNWWNQA0P6206XKZEEE176
  • crossContextSerdeWorkflow - classes defined in step code are deserializable in workflow context | wrun_01KSTNX9B2CTQ6MMZ79MP8HJ2V
  • stepFunctionAsStartArgWorkflow - step function reference passed as start() argument | wrun_01KSTNXHDCCHVNX63KW9XFCQ4S
  • cancelRun - cancelling a running workflow | wrun_01KSTNXSDA5DV6FSEATZMRA80E
  • cancelRun via CLI - cancelling a running workflow | wrun_01KSTNY2S4EEYRAE5H6WPQPHV5
  • pages router addTenWorkflow via pages router
  • pages router promiseAllWorkflow via pages router
  • pages router sleepingWorkflow via pages router
  • hookWithSleepWorkflow - hook payloads delivered correctly with concurrent sleep | wrun_01KSTNYF1S3Q1DSB8A764ZM5PY
  • sleepInLoopWorkflow - sleep inside loop with steps actually delays each iteration | wrun_01KSTNYZT54ARVHD087C5JK213
  • sleepWithSequentialStepsWorkflow - sequential steps work with concurrent sleep (control) | wrun_01KSTNZA64KGK801VCFV4W2M4H
  • importMetaUrlWorkflow - import.meta.url is available in step bundles | wrun_01KSTNZK11P7QGAPNX14YKQHE0
  • metadataFromHelperWorkflow - getWorkflowMetadata/getStepMetadata work from module-level helper (#1577) | wrun_01KSTNZN5CESF6ZYJKT0X5TECS
  • resilient start: addTenWorkflow completes when run_created returns 500 | wrun_01KSTNZQD7Q477TKPJ95EG54YS

Details by Category

✅ ▲ Vercel Production
App Passed Failed Skipped
✅ astro 81 0 7
✅ example 81 0 7
✅ express 81 0 7
✅ fastify 81 0 7
✅ hono 81 0 7
✅ nextjs-turbopack 86 0 2
✅ nextjs-webpack 86 0 2
✅ nitro 81 0 7
✅ nuxt 81 0 7
✅ sveltekit 81 0 7
✅ vite 81 0 7
✅ 💻 Local Development
App Passed Failed Skipped
✅ astro-stable 82 0 6
✅ express-stable 82 0 6
✅ fastify-stable 82 0 6
✅ hono-stable 82 0 6
✅ nextjs-turbopack-canary 69 0 19
✅ nextjs-turbopack-stable 88 0 0
✅ nextjs-webpack-canary 69 0 19
✅ nextjs-webpack-stable 88 0 0
✅ nitro-stable 82 0 6
✅ nuxt-stable 82 0 6
✅ sveltekit-stable 82 0 6
✅ vite-stable 82 0 6
✅ 📦 Local Production
App Passed Failed Skipped
✅ astro-stable 82 0 6
✅ express-stable 82 0 6
✅ fastify-stable 82 0 6
✅ hono-stable 82 0 6
✅ nextjs-turbopack-canary 69 0 19
✅ nextjs-turbopack-stable 88 0 0
✅ nextjs-webpack-canary 69 0 19
✅ nextjs-webpack-stable 88 0 0
✅ nitro-stable 82 0 6
✅ nuxt-stable 82 0 6
✅ sveltekit-stable 82 0 6
✅ vite-stable 82 0 6
✅ 🐘 Local Postgres
App Passed Failed Skipped
✅ astro-stable 82 0 6
✅ express-stable 82 0 6
✅ fastify-stable 82 0 6
✅ hono-stable 82 0 6
✅ nextjs-turbopack-canary 69 0 19
✅ nextjs-turbopack-stable 88 0 0
✅ nextjs-webpack-canary 69 0 19
✅ nextjs-webpack-stable 88 0 0
✅ nitro-stable 82 0 6
✅ nuxt-stable 82 0 6
✅ sveltekit-stable 82 0 6
✅ vite-stable 82 0 6
❌ 🌍 Community Worlds
App Passed Failed Skipped
❌ mongodb-dev 4 1 0
❌ redis-dev 4 1 0
❌ turso-dev 4 1 0
❌ turso 3 66 0
✅ 📋 Other
App Passed Failed Skipped
✅ e2e-local-dev-nest-stable 82 0 6
✅ e2e-local-dev-tanstack-start-stable 82 0 6
✅ e2e-local-postgres-nest-stable 82 0 6
✅ e2e-local-postgres-tanstack-start-stable 82 0 6
✅ e2e-local-prod-nest-stable 82 0 6
✅ e2e-local-prod-tanstack-start-stable 82 0 6

📋 View full workflow run

Some E2E test jobs failed:

  • Vercel Prod: success
  • Local Dev: success
  • Local Prod: success
  • Local Postgres: success
  • Windows: failure

Check the workflow run for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vercel vercel[bot] vercel[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TooTallNate