Merge branch 'main' into gmt/java-standalone-activities-guide

Author: GregoryTravis

docs/cloud/capacity-modes.mdx

@@ -133,12 +133,6 @@ This means that your default limit would be 800 APS.
 
 ## Provisioned Capacity {#provisioned-capacity}
 
-:::tip Support, stability, and dependency info
-
-Provisioned Capacity is currently in [Public Preview](/evaluate/development-production-features/release-stages#public-preview).
-
-:::
-
 Provisioned Capacity provides an alternative to On-Demand Capacity by allowing you to control the limits on your Namespace based on your specific need.
 
 |               | Actions Per Second | Requests Per Second | Operations Per Second|

docs/develop/go/best-practices/data-handling/external-storage.mdx

@@ -41,58 +41,43 @@ The Go SDK includes an S3 storage driver. Follow these steps to set it up:
 1. Load your AWS configuration and create the S3 storage driver. The driver uses your standard [AWS credentials](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html) from the environment (environment variables, IAM role, or AWS config file):
 
    <!--SNIPSTART go-s3-driver-create-->
+[features/snippets/external_storage/s3_setup/s3_driver_create.go](https://github.com/temporalio/features/blob/main/features/snippets/external_storage/s3_setup/s3_driver_create.go)
+```go
+cfg, err := config.LoadDefaultConfig(context.Background(),
+	config.WithRegion("us-east-2"),
+)
+if err != nil {
+	log.Fatalf("load AWS config: %v", err)
+}
 
-   ```go
-   import (
-       "github.com/aws/aws-sdk-go-v2/config"
-       "github.com/aws/aws-sdk-go-v2/service/s3"
-       "go.temporal.io/sdk/contrib/aws/s3driver"
-       "go.temporal.io/sdk/contrib/aws/s3driver/awssdkv2"
-   )
-
-   cfg, err := config.LoadDefaultConfig(context.Background(),
-       config.WithRegion("us-east-2"),
-   )
-   if err != nil {
-       log.Fatalf("load AWS config: %v", err)
-   }
-
-   driver, err := s3driver.NewDriver(s3driver.Options{
-       Client: awssdkv2.NewClient(s3.NewFromConfig(cfg)),
-       Bucket: s3driver.StaticBucket("my-temporal-payloads"),
-   })
-   if err != nil {
-       log.Fatalf("create S3 driver: %v", err)
-   }
-   ```
-
+driver, err := s3driver.NewDriver(s3driver.Options{
+	Client: awssdkv2.NewClient(s3.NewFromConfig(cfg)),
+	Bucket: s3driver.StaticBucket("my-temporal-payloads"),
+})
+if err != nil {
+	log.Fatalf("create S3 driver: %v", err)
+}
+```
    <!--SNIPEND-->
 
 2. Configure the driver on `ExternalStorage` and pass it in your Client options:
 
    <!--SNIPSTART go-s3-external-storage-setup-->
+[features/snippets/external_storage/s3_setup/s3_external_storage_setup.go](https://github.com/temporalio/features/blob/main/features/snippets/external_storage/s3_setup/s3_external_storage_setup.go)
+```go
+c, err := client.Dial(client.Options{
+	HostPort: "localhost:7233",
+	ExternalStorage: converter.ExternalStorage{
+		Drivers: []converter.StorageDriver{driver},
+	},
+})
+if err != nil {
+	log.Fatalf("connect to Temporal: %v", err)
+}
+defer c.Close()
 
-   ```go
-   import (
-       "go.temporal.io/sdk/client"
-       "go.temporal.io/sdk/converter"
-       "go.temporal.io/sdk/worker"
-   )
-
-   c, err := client.Dial(client.Options{
-       HostPort: "localhost:7233",
-       ExternalStorage: converter.ExternalStorage{
-           Drivers: []converter.StorageDriver{driver},
-       },
-   })
-   if err != nil {
-       log.Fatalf("connect to Temporal: %v", err)
-   }
-   defer c.Close()
-
-   w := worker.New(c, "my-task-queue", worker.Options{})
-   ```
-
+w := worker.New(c, "my-task-queue", worker.Options{})
+```
    <!--SNIPEND-->
 
    By default, payloads larger than 256 KiB are offloaded to external storage. You can adjust this with the
@@ -112,21 +97,8 @@ The following example shows a custom driver that uses local disk as the backing
 development and testing only. In production, use a durable storage system that is accessible to all Workers:
 
 <!--SNIPSTART go-custom-storage-driver-->
-
+[features/snippets/external_storage/custom_driver/custom_storage_driver.go](https://github.com/temporalio/features/blob/main/features/snippets/external_storage/custom_driver/custom_storage_driver.go)
 ```go
-package main
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"github.com/google/uuid"
-	commonpb "go.temporal.io/api/common/v1"
-	"go.temporal.io/sdk/converter"
-	"google.golang.org/protobuf/proto"
-)
-
 type LocalDiskStorageDriver struct {
 	storeDir string
 }
@@ -204,7 +176,6 @@ func (d *LocalDiskStorageDriver) Retrieve(
 	return payloads, nil
 }
 ```
-
 <!--SNIPEND-->
 
 The following sections walk through the key parts of the driver implementation.
@@ -262,18 +233,15 @@ are offloaded to external storage. You can adjust this with the `PayloadSizeThre
 externalize all payloads regardless of size. A value of 0 is interpreted as the default (256 KiB).
 
 <!--SNIPSTART go-external-storage-threshold-->
-
+[features/snippets/external_storage/threshold/threshold_config.go](https://github.com/temporalio/features/blob/main/features/snippets/external_storage/threshold/threshold_config.go)
 ```go
-import "go.temporal.io/sdk/converter"
-
 c, err := client.Dial(client.Options{
-    ExternalStorage: converter.ExternalStorage{
-        Drivers:              []converter.StorageDriver{driver},
-        PayloadSizeThreshold: 1,
-    },
+	ExternalStorage: converter.ExternalStorage{
+		Drivers:              []converter.StorageDriver{driver},
+		PayloadSizeThreshold: 1,
+	},
 })
 ```
-
 <!--SNIPEND-->
 
 ## Use multiple storage drivers
@@ -296,29 +264,24 @@ The following example registers two drivers but always selects `preferredDriver`
 is only registered so the Worker can retrieve payloads that were previously stored with it:
 
 <!--SNIPSTART go-external-storage-multiple-drivers-->
-
+[features/snippets/external_storage/multiple_drivers/multiple_drivers.go](https://github.com/temporalio/features/blob/main/features/snippets/external_storage/multiple_drivers/multiple_drivers.go)
 ```go
-import (
-    commonpb "go.temporal.io/api/common/v1"
-    "go.temporal.io/sdk/converter"
-)
-
 type PreferredSelector struct {
-    preferred converter.StorageDriver
+	preferred converter.StorageDriver
 }
 
 func (s *PreferredSelector) SelectDriver(
-    ctx converter.StorageDriverStoreContext,
-    payload *commonpb.Payload,
+	ctx converter.StorageDriverStoreContext,
+	payload *commonpb.Payload,
 ) (converter.StorageDriver, error) {
-    return s.preferred, nil
+	return s.preferred, nil
 }
 
-// Usage:
-converter.ExternalStorage{
-    Drivers:        []converter.StorageDriver{preferredDriver, legacyDriver},
-    DriverSelector: &PreferredSelector{preferred: preferredDriver},
+func MultipleDriversSetup(preferredDriver, legacyDriver converter.StorageDriver) converter.ExternalStorage {
+	return converter.ExternalStorage{
+		Drivers:        []converter.StorageDriver{preferredDriver, legacyDriver},
+		DriverSelector: &PreferredSelector{preferred: preferredDriver},
+	}
 }
 ```
-
 <!--SNIPEND-->

docs/develop/python/nexus/feature-guide.mdx

@@ -245,7 +245,7 @@ class MyNexusServiceHandler:
                 input.name,  # First argument: name
                 input.language,  # Second argument: language
             ],
-            id=str(uuid.uuid4()),
+            id=f"hello-multi-args-{input.name}-{input.language}",
         )
 
 

docs/encyclopedia/workflow/workflow-execution/event.mdx

@@ -24,6 +24,7 @@ This page discusses the following:
 - [Time Constraints](#time-constraints)
 - [Reset](#reset)
 - [Side Effect](#side-effect)
+- [Principal Attribution](#principal-attribution)
 
 The Temporal Service tracks the progress of each Workflow Execution by appending information about Events, such as when the Workflow Execution began or ended, to the Event History associated with that execution.
 This information not only enables developers to know what took place, but is also essential for providing Durable Execution, since it enables the Workflow Execution to recover from a crash and continue making progress.
@@ -123,3 +124,57 @@ A Side Effect does not re-execute upon replay, but instead returns the recorded
 
 Do not ever have a Side Effect that could fail, because failure could result in the Side Effect function executing more than once.
 If there is any chance that the code provided to the Side Effect could fail, use an Activity.
+
+## What is a Principal Attribution? {#principal-attribution}
+
+:::tip SUPPORT, STABILITY, and DEPENDENCY INFO
+
+Principal Attribution is currently available in [Pre-release](/evaluate/development-production-features/release-stages#pre-release).
+
+Email addresses can be displayed, which may be considered Personally Identifiable information (PII data), and should be handled according to your organization’s privacy, access control, logging, and retention policies.
+
+:::
+
+Principal Attribution for Workflow Executions is a server-derived set of non-spoofable `Principal` fields for Workflow history events.
+
+The `Principal` fields represent the authenticated principal responsible for a [dataplane](/cloud/overview#data-plane-and-control-plane) execution action. 
+This allows for identification of the entity that took a given action. 
+
+This is especially valuable for:
+
+- compliance and audit use cases
+- incident investigation and root cause analysis
+- access governance and internal accountability
+
+### Temporal Cloud
+
+When enabled, Temporal Cloud populates the `Principal` value (with `Principal Type` and `Principal Name` fields).
+
+Possible values are as follows:
+
+| Type | Name |
+| ---- | ---- |
+| `users` | user email address |
+| `service-accounts` | service account name |
+| `mtls` | Common Name (CN) or Subject Domain Name (DN) if CN is not present |
+| `temporal` | Temporal internal services |
+
+Anyone who has permission to read Workflow history in the Namespace (ReadOnly access and above) can see the Principal (and the metadata such as email address).
+
+To enable Principal Attribution for a Namespace, contact [Temporal Cloud support](https://docs.temporal.io/cloud/support#support-ticket).
+
+### Self-hosted Temporal
+
+In self-hosted Temporal, you can control Principal Attribution with a dynamic config flag scoped to the Namespace. 
+When enabled, the Principal returned by the `Authorizer` is stamped on Workflow history events.
+To enable, set `frontend.enablePrincipalPropagation` to `true` for the appropriate Namespace.
+
+When using the default `Authorizer` with the default JWT `ClaimMapper`, the following values are populated:
+
+| Type | Name |
+| ---- | ---- |
+| `jwt ` | value of the JWT `sub` claim |
+| `temporal` | `internal` (for internal frontend requests) |
+
+A custom `Authorizer` must set the Principal field on `authorization.Result` for the request to be attributed.
+Custom `ClaimMapper` implementations control the `AuthType` and `Subject` values that the default `Authorizer` then copies into the `Principal`.

docs/encyclopedia/workflow/workflow-execution/workflowid-runid.mdx

@@ -143,3 +143,4 @@ The Workflow Id Conflict Policy can have one of the following values:
   **This is the default policy, if one isn't specified.**
 - **Use Existing:** Prevents the Workflow Execution from spawning and returns a successful response with the Open Workflow Execution's Run Id.
 - **Terminate Existing:** Terminates the Open Workflow Execution then spawns the new Workflow Execution with the same Workflow Id.
+

docs/evaluate/temporal-cloud/pricing.mdx

@@ -269,12 +269,6 @@ On-Demand capacity is automatically adjusted based on past usage.
 Provisioned Capacity modes lets you define the capacity that is needed by your Workflow and is useful to handle traffic outside of the standard on-demand limits.
 See details on how capacity is set and the associated limits at [Capacity Modes](/cloud/capacity-modes).
 
-:::tip Support, stability, and dependency info
-
-Provisioned Capacity is currently in [Public Preview](/evaluate/development-production-features/release-stages#public-preview).
-
-:::
-
 **How does pricing for Capacity Modes work?**
 
 The number of Actions accrued can be impacted by your capacity mode.