Setup

Next.js on Vercel using Workflow with the Vercel World; workflow / @workflow/core 4.2.2. A long-running workflow run suspends on a hook awaiting external input. While it's suspended, a client polls the run and reads the outputs of completed steps to render intermediate UI.

Problem

The Vercel World derives per-run encryption keys via HKDF from a deployment-scoped key (docs/how-it-works/encryption.mdx: "unique keys per run and execution environment… a given run can only decrypt data from that run itself").

When the deployment serving the poll differs from the one that executed the run — a branch preview alias rotating on a new commit, a production promotion, or Rolling Releases — getEncryptionKeyForRun on the serving deployment derives a different key and can't decrypt that run's step outputs. Reading step outputs at runtime then comes back undecryptable and the UI can't render, even though the run is healthy.

The CLI --decrypt and the dashboard decrypt fine (audit-logged key retrieval), so the data is intact — only the in-runtime getEncryptionKeyForRun on a different deployment fails.

Minimal repro

1. Start a run that suspends on a hook on deploy A.
2. Rotate the serving deployment to B (promote / new commit on the same branch / rolling release).
3. From B, read the run's completed step outputs → undecryptable.

Question

Is there a supported way to read a run's step outputs (or run I/O) from a deployment other than the one that executed it? For example:

• a cross-deployment runtime key-retrieval path,
• guidance on pinning a run's polling to its originating deployment (skew protection?),
• or is cross-deployment step-output reading simply out of scope for the Vercel World — i.e. the intended pattern is to surface any cross-deployment-visible run state through the app's own store rather than the encrypted event log?

Environment

• workflow / @workflow/core 4.2.2
• Vercel World
• Next.js 16.x