Skip to content

Commit 63c20ea

Browse files
committed
Merge main into Weaver AI branch
2 parents b73b9d4 + 5871907 commit 63c20ea

253 files changed

Lines changed: 18624 additions & 777 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

Directory.Packages.props

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@
3030
<PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="9.0.16"/>
3131
<PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.16"/>
3232
<PackageVersion Include="Microsoft.Extensions.DependencyModel" Version="9.0.16"/>
33+
<PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="9.0.16"/>
3334
<PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="9.0.16"/>
3435
<PackageVersion Include="Microsoft.Extensions.Http" Version="9.0.16"/>
3536
<PackageVersion Include="Microsoft.Extensions.Http.Polly" Version="9.0.16"/>
@@ -71,6 +72,7 @@
7172
<PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="10.0.8"/>
7273
<PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.8"/>
7374
<PackageVersion Include="Microsoft.Extensions.DependencyModel" Version="10.0.8"/>
75+
<PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="10.0.8"/>
7476
<PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="10.0.8"/>
7577
<PackageVersion Include="Microsoft.Extensions.Http" Version="10.0.8"/>
7678
<PackageVersion Include="Microsoft.Extensions.Http.Polly" Version="10.0.8"/>

Elsa.sln

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -211,6 +211,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.SasTokens", "src\modul
211211
EndProject
212212
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Http.UnitTests", "test\unit\Elsa.Http.UnitTests\Elsa.Http.UnitTests.csproj", "{66ACA2B3-DB48-4F68-B26D-62555F3CE69B}"
213213
EndProject
214+
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.SasTokens.UnitTests", "test\unit\Elsa.SasTokens.UnitTests\Elsa.SasTokens.UnitTests.csproj", "{F6A5C27A-D0B0-47A7-B027-BE718F84910A}"
215+
EndProject
214216
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "resilience", "resilience", "{E023660A-162E-498E-BA00-A941FBC82664}"
215217
EndProject
216218
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Resilience.Core", "src\modules\Elsa.Resilience.Core\Elsa.Resilience.Core.csproj", "{58064618-A7BD-4D3E-8D57-B15018110AB5}"
@@ -361,6 +363,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.AI.Persistence.EFCore.
361363
EndProject
362364
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.AI.IntegrationTests", "test\integration\Elsa.AI.IntegrationTests\Elsa.AI.IntegrationTests.csproj", "{871BE947-6EEA-4A13-8560-28058EF13247}"
363365
EndProject
366+
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Workflows.Api.UnitTests", "test\unit\Elsa.Workflows.Api.UnitTests\Elsa.Workflows.Api.UnitTests.csproj", "{81CFD2E0-2E5E-4810-ADB8-A08301199166}"
367+
EndProject
364368
Global
365369
GlobalSection(SolutionConfigurationPlatforms) = preSolution
366370
Debug|Any CPU = Debug|Any CPU
@@ -837,6 +841,18 @@ Global
837841
{66ACA2B3-DB48-4F68-B26D-62555F3CE69B}.Release|x64.Build.0 = Release|Any CPU
838842
{66ACA2B3-DB48-4F68-B26D-62555F3CE69B}.Release|x86.ActiveCfg = Release|Any CPU
839843
{66ACA2B3-DB48-4F68-B26D-62555F3CE69B}.Release|x86.Build.0 = Release|Any CPU
844+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
845+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Debug|Any CPU.Build.0 = Debug|Any CPU
846+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Debug|x64.ActiveCfg = Debug|Any CPU
847+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Debug|x64.Build.0 = Debug|Any CPU
848+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Debug|x86.ActiveCfg = Debug|Any CPU
849+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Debug|x86.Build.0 = Debug|Any CPU
850+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Release|Any CPU.ActiveCfg = Release|Any CPU
851+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Release|Any CPU.Build.0 = Release|Any CPU
852+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Release|x64.ActiveCfg = Release|Any CPU
853+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Release|x64.Build.0 = Release|Any CPU
854+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Release|x86.ActiveCfg = Release|Any CPU
855+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A}.Release|x86.Build.0 = Release|Any CPU
840856
{58064618-A7BD-4D3E-8D57-B15018110AB5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
841857
{58064618-A7BD-4D3E-8D57-B15018110AB5}.Debug|Any CPU.Build.0 = Debug|Any CPU
842858
{58064618-A7BD-4D3E-8D57-B15018110AB5}.Debug|x64.ActiveCfg = Debug|Any CPU
@@ -1485,6 +1501,18 @@ Global
14851501
{871BE947-6EEA-4A13-8560-28058EF13247}.Release|x64.Build.0 = Release|Any CPU
14861502
{871BE947-6EEA-4A13-8560-28058EF13247}.Release|x86.ActiveCfg = Release|Any CPU
14871503
{871BE947-6EEA-4A13-8560-28058EF13247}.Release|x86.Build.0 = Release|Any CPU
1504+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
1505+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Debug|Any CPU.Build.0 = Debug|Any CPU
1506+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Debug|x64.ActiveCfg = Debug|Any CPU
1507+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Debug|x64.Build.0 = Debug|Any CPU
1508+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Debug|x86.ActiveCfg = Debug|Any CPU
1509+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Debug|x86.Build.0 = Debug|Any CPU
1510+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Release|Any CPU.ActiveCfg = Release|Any CPU
1511+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Release|Any CPU.Build.0 = Release|Any CPU
1512+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Release|x64.ActiveCfg = Release|Any CPU
1513+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Release|x64.Build.0 = Release|Any CPU
1514+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Release|x86.ActiveCfg = Release|Any CPU
1515+
{81CFD2E0-2E5E-4810-ADB8-A08301199166}.Release|x86.Build.0 = Release|Any CPU
14881516
EndGlobalSection
14891517
GlobalSection(SolutionProperties) = preSolution
14901518
HideSolutionNode = FALSE
@@ -1551,6 +1579,7 @@ Global
15511579
{9D8FB664-88B4-10BE-58A2-D9A1644AD2E4} = {6EF07978-A6D2-40EB-891D-7D70C5F37E76}
15521580
{A7DE02E3-405B-B6BA-7E47-9E27D4BEFB24} = {5948B0A5-7873-4DBB-BA03-EB283D6EA91B}
15531581
{66ACA2B3-DB48-4F68-B26D-62555F3CE69B} = {18453B51-25EB-4317-A4B3-B10518252E92}
1582+
{F6A5C27A-D0B0-47A7-B027-BE718F84910A} = {18453B51-25EB-4317-A4B3-B10518252E92}
15541583
{E023660A-162E-498E-BA00-A941FBC82664} = {5BA4A8FA-F7F4-45B3-AEC8-8886D35AAC79}
15551584
{58064618-A7BD-4D3E-8D57-B15018110AB5} = {E023660A-162E-498E-BA00-A941FBC82664}
15561585
{467573C9-DDC7-4351-9EC8-22E23F554DA7} = {E023660A-162E-498E-BA00-A941FBC82664}
@@ -1615,6 +1644,7 @@ Global
16151644
{26101AE2-4001-4260-A04C-A80523261918} = {18453B51-25EB-4317-A4B3-B10518252E92}
16161645
{65C8428D-1B85-43B7-A2CC-63C2472DB1D9} = {18453B51-25EB-4317-A4B3-B10518252E92}
16171646
{871BE947-6EEA-4A13-8560-28058EF13247} = {1B8D5897-902E-4632-8698-E89CAF3DDF54}
1647+
{81CFD2E0-2E5E-4810-ADB8-A08301199166} = {18453B51-25EB-4317-A4B3-B10518252E92}
16181648
EndGlobalSection
16191649
GlobalSection(ExtensibilityGlobals) = postSolution
16201650
SolutionGuid = {D4B5CEAA-7D70-4FCB-A68E-B03FBE5E0E5E}

README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,8 @@ docker run -t -i -e ASPNETCORE_ENVIRONMENT='Development' -e HTTP_PORTS=8080 -e H
3434

3535
> This Docker image is based on a reference ASP.NET application that hosts both the workflow server and designer and is not intended for production use.
3636
37+
For any non-development deployment, inject a secure random JWT signing key through environment variables or a secrets manager instead of using committed appsettings values. For code-first hosts such as `Elsa.Server.Web`, set `Identity__Tokens__SigningKey`. For shell-based hosts, set the shell feature key, for example `CShells__Shells__Default__Features__Identity__SigningKey`.
38+
3739
By default, you can access http://localhost:13000 and log in with:
3840

3941
```

doc/changelogs/3.6.0.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,9 @@ Compare: [`3.5.3...3.6.0`](https://github.com/elsa-workflows/elsa-core/compare/3
66

77
## ⚠️ Breaking changes / upgrade notes
88

9+
- **Identity secret hashing hardened**: New user passwords, client secrets, and API keys are hashed with PBKDF2-SHA256 using 600,000 iterations, per-record salts, and version metadata instead of fast SHA-256 hashes. Existing legacy hashes still verify and are upgraded opportunistically after successful login/API-key validation. Generated identity secrets now use cryptographic randomness. New `DefaultUserCredentialsValidator` and `DefaultApplicationCredentialsValidator` constructor overloads accept `IUserStore` and `IApplicationStore` respectively to persist opportunistic hash upgrades; existing direct instantiations remain supported but do not persist rehashes unless the store dependency is supplied.
10+
- **JWT signing key validation**: Hosts using Elsa Identity now fail startup when the JWT signing key is missing, shorter than 32 ASCII characters, or set to a known public default outside the explicit `Development` or `Demo` environments. Replace committed/sample values with a secure random key from environment variables or a secrets manager, such as `Identity__Tokens__SigningKey` for code-first hosts or the equivalent shell feature configuration key. ([#7476](https://github.com/elsa-workflows/elsa-core/issues/7476))
11+
912
- **EF Core package names have changed**: EF Core persistence packages were renamed from `Elsa.EntityFrameworkCore.*` to `Elsa.Persistence.EFCore.*`. If your application references any of the old package names, you must update them to the new package names when upgrading to 3.6.0. Be sure to review your project files, internal package feeds, CI pipelines, and deployment manifests for old package references.
1013

1114
- **Database migrations required (EF Core — all providers)**: `ActivityNodeId` columns in `ActivityExecutionRecords` and `WorkflowExecutionLogRecords` have been widened to unlimited types (`nvarchar(max)` / `longtext` / `NCLOB`) to support deeply nested workflows. The corresponding B-tree indexes (`IX_ActivityExecutionRecord_ActivityNodeId`, `IX_WorkflowExecutionLogRecord_ActivityNodeId`) are dropped as part of the V3_6 migrations. Run EF Core migrations before upgrading any SQL Server, MySQL, or Oracle deployment to 3.6.0. ([71438596f3](https://github.com/elsa-workflows/elsa-core/commit/71438596f3)) ([#7338](https://github.com/elsa-workflows/elsa-core/pull/7338))
@@ -44,6 +47,10 @@ Compare: [`3.5.3...3.6.0`](https://github.com/elsa-workflows/elsa-core/compare/3
4447

4548
- **`WorkflowDefinitionsReloaded` notification**: `DefaultRegistriesPopulator` now dispatches a `WorkflowDefinitionsReloaded` notification after repopulating the workflow definition store, enabling subscriber nodes to synchronize their registries. ([f5505d66c9](https://github.com/elsa-workflows/elsa-core/commit/f5505d66c9)) ([#7293](https://github.com/elsa-workflows/elsa-core/pull/7293))
4649

50+
### OpenTelemetry workflow instrumentation
51+
52+
- **Workflow and activity telemetry**: Elsa now emits `Elsa.Workflows` `ActivitySource` spans for workflow execution cycles and activity execution, plus optional `Elsa.Workflows` meter instruments for workflow started/completed/faulted counts and activity duration. `SendHttpRequest` and `FlowSendHttpRequest` use the configured `HttpClient`, so standard .NET HTTP client instrumentation can create child HTTP spans and propagate W3C trace context when tracing is enabled. ([#7489](https://github.com/elsa-workflows/elsa-core/issues/7489))
53+
4754
### Consumers API & recursive export
4855

4956
- **`GET /workflow-definitions/{definitionId}/consumers`**: New endpoint returns all recursive consuming workflow definitions for a given definition. Built on a new `IWorkflowReferenceGraphBuilder` / `WorkflowReferenceGraph` model that replaces the previous ad-hoc recursive query approach. ([0a2e99ad42](https://github.com/elsa-workflows/elsa-core/commit/0a2e99ad42)) ([#7309](https://github.com/elsa-workflows/elsa-core/pull/7309))
@@ -62,6 +69,10 @@ Compare: [`3.5.3...3.6.0`](https://github.com/elsa-workflows/elsa-core/compare/3
6269

6370
- **Distributed locks for `Reload` / `Refresh`**: `IWorkflowDefinitionsReloader` and `IWorkflowDefinitionsRefresher` are now wrapped with distributed lock decorators to prevent multiple pods from concurrently executing reload or refresh operations. The refresher key incorporates definition IDs to allow concurrent refreshes of different definitions. ([689f19f2f2](https://github.com/elsa-workflows/elsa-core/commit/689f19f2f2)) ([#7311](https://github.com/elsa-workflows/elsa-core/pull/7311))
6471

72+
### Ingress rate limiting
73+
74+
- **Elsa API and HTTP workflow trigger rate limiting hooks**: Hosts can now apply named ASP.NET Core rate limiter policies to Elsa management API route prefixes and public HTTP workflow trigger base paths. The reference server includes disabled-by-default fixed-window policies under `IngressRateLimiting` with documented tuning and disable paths. ([#7488](https://github.com/elsa-workflows/elsa-core/issues/7488))
75+
6576
---
6677

6778
## 🔧 Improvements

doc/wiki/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,7 @@ flowchart LR
4848
| [Persistence](persistence.md) | In-memory stores, EF Core stores, provider packages, migrations, and multi-provider rules. |
4949
| [Diagnostics Structured Logs](diagnostics-structured-logs.md) | `ILogger` capture, live feed, REST/SignalR surface, redaction, and SQLite persistence. |
5050
| [Diagnostics Console Logs](diagnostics-console-logs.md) | Raw stdout/stderr capture, live feed, REST/SignalR surface, and redaction. |
51+
| [Health Checks](health-checks.md) | Elsa runtime readiness probes, liveness/readiness mapping, and Kubernetes probe guidance. |
5152
| [Identity, Tenancy, And Security](identity-tenancy-security.md) | Users, applications, roles, API keys, tenant resolution, and authorization touch points. |
5253
| [Testing Guide](testing-guide.md) | Test project layout, fixture choices, and targeted commands. |
5354
| [Extension Guide](extension-guide.md) | How to add features, activities, expression providers, stores, endpoints, and ingress sources. |

doc/wiki/architecture.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ The runtime can use in-memory stores by default or EF Core stores when persisten
102102

103103
## API Layer
104104

105-
[WorkflowsApiFeature](../../src/modules/Elsa.Workflows.Api/Features/WorkflowsApiFeature.cs) registers FastEndpoints from the module and depends on workflow management, workflow instances, workflow runtime, and SAS tokens. The default route prefix is `elsa/api`, defined in [ApiEndpointOptions](../../src/modules/Elsa.Workflows.Api/Options/ApiEndpointOptions.cs) and applied by [UseWorkflowsApi](../../src/common/Elsa.Api.Common/Extensions/WebApplicationExtensions.cs).
105+
[WorkflowsApiFeature](../../src/modules/Elsa.Workflows.Api/Features/WorkflowsApiFeature.cs) registers FastEndpoints from the module and depends on workflow management, workflow instances, workflow runtime, and SAS tokens. The default route prefix is `elsa/api`, defined in [ApiEndpointOptions](../../src/modules/Elsa.Workflows.Api/Options/ApiEndpointOptions.cs) and applied by [MapWorkflowsApi](../../src/common/Elsa.Api.Common/Extensions/WebApplicationExtensions.cs) in endpoint-routed ASP.NET hosts.
106106

107107
Real-time workflow updates are in [RealTimeWorkflowUpdatesFeature](../../src/modules/Elsa.Workflows.Api/Features/RealTimeWorkflowUpdatesFeature.cs) and [WorkflowInstanceHub](../../src/modules/Elsa.Workflows.Api/RealTime/Hubs/WorkflowInstanceHub.cs).
108108

doc/wiki/build-run-operate.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,6 +76,8 @@ Notable toggles in `Program.cs`:
7676

7777
The sample configures identity, default authentication, workflow management/runtime with SQLite, workflow API, fluent storage, ElsaScript blob storage, scheduling, C#, JavaScript, Python, Liquid, HTTP, and optional tenants/structured logs.
7878

79+
When running outside the explicit `Development` or `Demo` environments, configure a secure random JWT signing key with at least 32 ASCII characters. For the code-first reference server, prefer `Identity__Tokens__SigningKey` from an environment variable or secrets manager instead of committing the value to appsettings. Shell-based hosts use the shell feature path, for example `CShells__Shells__Default__Features__Identity__SigningKey`.
80+
7981
## Docker Quick Try
8082

8183
The root [README](../../README.md) documents the public Docker quick start:
@@ -85,6 +87,8 @@ docker pull elsaworkflows/elsa-server-and-studio-v3:latest
8587
docker run -t -i -e ASPNETCORE_ENVIRONMENT='Development' -e HTTP_PORTS=8080 -e HTTP__BASEURL=http://localhost:13000 -p 13000:8080 elsaworkflows/elsa-server-and-studio-v3:latest
8688
```
8789

90+
Production containers must inject a secure JWT signing key through environment variables or a secrets manager. The appsettings placeholder and known public sample keys are rejected during startup outside `Development` or `Demo`.
91+
8892
Default development login is available only when a development configuration explicitly provisions it:
8993

9094
```text
@@ -135,7 +139,7 @@ Console log diagnostics endpoints include (when `Elsa.Diagnostics.ConsoleLogs` i
135139
- `POST /elsa/api/diagnostics/console-logs/recent`
136140
- `GET /elsa/api/diagnostics/console-logs/sources`
137141

138-
Health checks are mapped to `/` in the reference server.
142+
Health checks are mapped to `/` and `/health/live` for process liveness and `/health/ready` for Elsa runtime readiness in the reference server. See [Health Checks](health-checks.md) for Kubernetes liveness/readiness recommendations and Elsa-specific runtime readiness probes.
139143

140144
## Runtime Knobs
141145

doc/wiki/expressions-and-scripting.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,11 +55,14 @@ Additional JavaScript libraries are in [Elsa.Expressions.JavaScript.Libraries](.
5555
```csharp
5656
elsa.UseCSharp(options =>
5757
{
58+
options.AllowHostCodeExecution = true;
5859
options.DisableWrappers = disableVariableWrappers;
5960
options.AppendScript("string Greet(string name) => $\"Hello {name}!\";");
6061
});
6162
```
6263

64+
Roslyn C# scripting is privileged host-code execution, not a sandbox. Hosts must explicitly set `CSharpOptions.AllowHostCodeExecution` to `true` before C# expressions or `RunCSharp` can be authored or executed. API callers that author, publish, dispatch, or directly execute workflows containing C# must have the `exec:csharp-expressions` permission.
65+
6366
## Python
6467

6568
[PythonFeature](../../src/modules/Elsa.Expressions.Python/Features/PythonFeature.cs) registers pythonnet-based evaluation and configures `PythonGlobalInterpreterManager` as a hosted service. Python.NET execution is privileged host-code execution, not a sandbox. Python code can access host process capabilities through pythonnet and must only be enabled for trusted workflow authors.

doc/wiki/extension-guide.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,7 @@ Compare existing language modules:
7272
6. Add endpoint tests or component coverage if behavior is important.
7373
7. Update client models if the endpoint is part of the public client surface.
7474

75-
Use route prefixing from `UseWorkflowsApi`; endpoint routes should usually be written without `/elsa/api`.
75+
Use route prefixing from `MapWorkflowsApi`; endpoint routes should usually be written without `/elsa/api`.
7676

7777
## Add A Store Or Persistence Provider
7878

0 commit comments

Comments
 (0)