14 changes: 14 additions & 0 deletions docs/encyclopedia/nexus/nexus-security.mdx
Expand Up @@ -89,6 +89,20 @@ See the [encryption sample](https://github.com/temporalio/samples-go/blob/main/e
Use wrapper types (for example, `EndpointValue`) so the Data Converter selects an Endpoint-specific encryption key.
This encrypts only Nexus traffic with a dedicated key, without sharing Namespace keys across teams.

:::warning Limited to string-based operation names

When calling `ExecuteOperation` with a non-string operation (for example, an operation definition or reference), the wrapper changes the input type and `ExecuteOperation` fails type-checking:

```
cannot assign argument of type "<WrapperType>" to type "<ActualInputType>"
```

This approach only works when the operation is passed as a string name.
For typed operations, pass the Nexus endpoint info through the workflow context instead of the wrapped input.
This requires a Nexus workflow outbound interceptor and a context-aware codec converter, and does not work with synchronous operations.
Contributor

> does not work with synchronous operations

Is this true? I don't have enough knowledge to know for sure; I will need to get someone from the Nexus team to confirm.

Contributor

I don't think we have a concept of a context-aware codec converter, so I don't think this section is correct? Where did this information come from?

Contributor

Ah, but that requires a whole custom DataConverter, not just a context-aware codec converter.


:::

See the [draft endpoint-based encryption sample](https://github.com/temporalio/samples-go/compare/main...bergundy:samples-go:nexus-encryption-by-endpoint).

### Choosing an approach
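Review bot: The closing sentence of the new `:::warning` admonition asserts two requirements that nothing in this change substantiates, namely a "context-aware codec converter" and that the approach "does not work with synchronous operations"; the review thread above could not confirm either, and one reviewer points out that the linked sample relies on a whole custom DataConverter rather than a codec converter. Rewrite that sentence to describe only what the sample actually does (an outbound interceptor plus a custom DataConverter, per the thread), or drop the unconfirmed claims until the Nexus team verifies them. The added "See the [draft endpoint-based encryption sample]" link also points at a compare view on a personal fork (`main...bergundy:samples-go:nexus-encryption-by-endpoint`); published docs should link to a sample merged into temporalio/samples-go main, otherwise the link dies when the branch is deleted. Minor: the error-message fence has no language tag; `text` would keep renderers from guessing.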