Add AES-256-GCM encryption to core and HKDF key derivation to world-vercel#956
Add AES-256-GCM encryption to core and HKDF key derivation to world-vercel#956TooTallNate wants to merge 3 commits intonate/fix-project-configfrom
Conversation
🦋 Changeset detectedLatest commit: e38c65b The changes in this PR will be included in the next version bump. This PR includes changesets to release 15 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
🧪 E2E Test Results❌ Some tests failed Summary
❌ Failed Tests🌍 Community Worlds (42 failed)turso (42 failed):
Details by Category✅ ▲ Vercel Production
✅ 💻 Local Development
✅ 📦 Local Production
✅ 🐘 Local Postgres
✅ 🪟 Windows
❌ 🌍 Community Worlds
✅ 📋 Other
❌ Some E2E test jobs failed:
Check the workflow run for details. |
There was a problem hiding this comment.
Pull request overview
This PR adds AES-256-GCM encryption with HKDF-SHA256 key derivation to the @workflow/world-vercel package. The implementation provides per-run encryption isolation by deriving unique keys from a deployment key, project ID, and run ID. It integrates seamlessly with the async serialization infrastructure added in PR #955 and uses the client-generated run IDs from PR #954.
Changes:
- Implements
createEncryptor()andcreateEncryptorFromEnv()functions with full Encryptor interface support - Adds AES-256-GCM encryption with random nonces and 128-bit authentication tags
- Uses HKDF-SHA256 for per-run key derivation with projectId and runId as context
- Wires encryption into
createVercelWorld()via environment variables (VERCEL_DEPLOYMENT_KEY, VERCEL_PROJECT_ID) - Includes 18 comprehensive tests covering round-trip, format validation, isolation, and tamper detection
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| packages/world-vercel/src/encryption.ts | Core encryption implementation with key derivation, encrypt/decrypt, and key material access |
| packages/world-vercel/src/encryption.test.ts | Comprehensive test suite with 18 tests covering functionality and security properties |
| packages/world-vercel/src/index.ts | Integration into World creation and public API exports |
Comments suppressed due to low confidence (1)
packages/world-vercel/src/index.ts:12
- The VercelEncryptionConfig interface is exported from encryption.ts but not re-exported from index.ts. Users who want to use createEncryptor() directly would need to import from the internal encryption module, which is not a typical pattern.
Consider adding to index.ts:
export type { VercelEncryptionConfig } from './encryption.js';
This follows the pattern already established with APIConfig and makes the public API more discoverable.
export { createEncryptor, createEncryptorFromEnv } from './encryption.js';
export { createQueue } from './queue.js';
export { createStorage } from './storage.js';
export { createStreamer } from './streamer.js';
export type { APIConfig } from './utils.js';
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking. |
d880bc8 to
162847a
Compare
efd031c to
c1795c7
Compare
162847a to
ede75a0
Compare
c1795c7 to
60fac27
Compare
2bcab57 to
5c8e92f
Compare

Summary
encrypt()/decrypt()functions in@workflow/core/encryptionusing Web Crypto API (AES-256-GCM)deriveRunKey()andfetchDeploymentKey()to@workflow/world-vercelfor HKDF-SHA256 per-run key derivationgetEncryptionKeyForRunincreateVercelWorld()