Diagrid shipped Dapr 1.18 on June 10, 2026. The headline feature is cryptographic proof of execution for workflows and AI agents. The release introduces Verifiable Execution: evidence of action, participant identity, and tamper detection.

History Signing cryptographically signs workflow execution events using the sidecar's mTLS X.509 SPIFFE identity. Tamper detection fires on every state load. Once enabled, history must remain signed. Disabling mid-workflow or retroactively signing unsigned histories is a hard error. Teams must decide before first execution.

History Propagation solves cross-service custody. Execution lineage travels across service, app, and workflow boundaries in two modes: Lineage (full ancestor chain) and OwnHistory (current workflow only). Child workflows and activities receive context through a typed query API rather than shared state, preserving determinism. Downstream steps like fraud detection read the amount, verification steps, and retries without bypassing the workflow runtime.

Workflow Attestation converts execution context into a verifiable trust signal. Dapr SDKs expose this at runtime: an agent can examine prior history and refuse to continue if a required upstream step did not occur. Yaron Schneider, Dapr project maintainer, called this real-time enforcement—the workflow rejects the operation at execution time rather than surfacing the breach in a post-mortem.
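The three ideas above (signed history events, a lineage that downstream steps can query, and an attestation check that refuses to proceed when a required upstream step is missing) fit in one small model. The following is an added example written for this article, not Dapr's code or its SDK API. It assumes a hash-linked list of events, constructed SPIFFE IDs and key material, and swaps HMAC-SHA256 in for the sidecar's X.509/Ed25519 signatures so it runs with the standard library alone; the "once signed, always signed" rule is modelled as a hard error on any history that mixes signed and unsigned events.

```python
import hashlib
import hmac
import json

# Constructed stand-in key material, keyed by SPIFFE ID. Dapr signs with the
# sidecar's X.509 identity; HMAC-SHA256 is swapped in here to stay stdlib-only.
KEYS = {
    "spiffe://example.org/ns/default/payments": b"constructed-key-payments",
    "spiffe://example.org/ns/default/fraud": b"constructed-key-fraud",
}


class HistoryTampered(Exception):
    """A signature or chain link did not verify on state load."""


class SigningPolicyViolation(Exception):
    """Signed and unsigned events are mixed in one history."""


def _canon(obj):
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(event):
    return hashlib.sha256(_canon(event)).hexdigest()


def append_event(history, signer, event_type, payload, signed=True):
    """Append one event; `prev` links it to the previous event's digest."""
    body = {
        "seq": len(history),
        "type": event_type,
        "payload": payload,
        "signer": signer,
        "prev": _digest(history[-1]) if history else "",
    }
    sig = hmac.new(KEYS[signer], _canon(body), hashlib.sha256).hexdigest() if signed else None
    history.append({**body, "sig": sig})
    return history


def load_history(history):
    """Verify the whole chain, as a state load would, and return the event types."""
    if not history:
        return []
    signed_mode = history[0]["sig"] is not None
    for i, event in enumerate(history):
        # Hard error: a history may not switch between signed and unsigned.
        if (event["sig"] is not None) != signed_mode:
            raise SigningPolicyViolation(f"event {i} breaks the signing mode")
        if event["seq"] != i:
            raise HistoryTampered(f"event {i} carries seq {event['seq']}")
        expected_prev = _digest(history[i - 1]) if i else ""
        if event["prev"] != expected_prev:
            raise HistoryTampered(f"chain link broken at event {i}")
        if signed_mode:
            body = {k: v for k, v in event.items() if k != "sig"}
            key = KEYS.get(event["signer"])
            if key is None:
                raise HistoryTampered(f"unknown signer {event['signer']}")
            expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, event["sig"]):
                raise HistoryTampered(f"bad signature on event {i}")
    return [e["type"] for e in history]


def upstream_step_occurred(history, required_type, required_signer=None):
    """Attestation check: True only if a verified event of the required type
    (optionally from a specific identity) is present in the lineage."""
    load_history(history)  # refuse to reason over a history that fails verification
    return any(
        e["type"] == required_type
        and (required_signer is None or e["signer"] == required_signer)
        for e in history
    )


def demo():
    """Constructed three-step lineage: request, fraud check, authorization."""
    h = []
    append_event(h, "spiffe://example.org/ns/default/payments", "PaymentRequested", {"amount": 250})
    append_event(h, "spiffe://example.org/ns/default/fraud", "FraudCheckPassed", {"score": 3})
    append_event(h, "spiffe://example.org/ns/default/payments", "PaymentAuthorized", {"amount": 250})
    return h
```

Editing the amount on the first event, deleting the fraud-check event, or appending an unsigned event after signing was enabled all fail at load time rather than in a later audit; the attestation helper additionally lets a step insist that the fraud check was signed by the fraud service's identity and not merely claimed by the caller.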

FIG. 02 Dapr 1.18 Verifiable Execution layers, built on SPIFFE workload identity foundation. — Dapr 1.18 release notes

The release ships WorkflowAccessPolicy, a new Kubernetes CRD for shared or multi-tenant clusters. Before 1.18, any caller in the same trust domain could schedule, terminate, or query any app's workflows. WorkflowAccessPolicy is a pure allow-list. No policy loaded means all calls are allowed. Caller identity comes from the SPIFFE certificate on the mTLS connection; untrusted headers are stripped. The policy covers eight workflow operations and supports glob patterns.
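The allow-list semantics described above are easy to get subtly wrong when reimplemented, so here is an added example, written for this article and not the WorkflowAccessPolicy CRD schema or Dapr's own enforcement code, that models them in a few lines: no policy loaded means allow, a loaded policy denies anything it does not match, caller identity is read only from the mTLS peer certificate, and caller and operation names are matched with glob patterns. The policy shape, the SPIFFE IDs, the operation names and the `X-Claimed-Identity` header are all constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed policy in a shape chosen for this example (not the CRD schema).
# Each rule: which caller identities (glob on SPIFFE ID) may perform which
# workflow operations (glob) against which target app (glob).
POLICY = [
    {
        "callers": ["spiffe://example.org/ns/payments/*"],
        "operations": ["schedule", "query"],
        "target_app": "ledger",
    },
    {
        "callers": ["spiffe://example.org/ns/ops/admin"],
        "operations": ["*"],
        "target_app": "*",
    },
]


def caller_identity(connection):
    """Identity comes only from the SPIFFE ID in the mTLS peer certificate.
    Any identity the caller asserts in headers is discarded, never consulted."""
    return connection["peer_spiffe_id"]


def is_allowed(policy, caller_spiffe_id, operation, target_app):
    """Pure allow-list evaluation over glob patterns."""
    if policy is None:
        return True  # no policy loaded: every call in the trust domain is allowed
    for rule in policy:
        if (
            any(fnmatchcase(caller_spiffe_id, p) for p in rule["callers"])
            and any(fnmatchcase(operation, p) for p in rule["operations"])
            and fnmatchcase(target_app, rule["target_app"])
        ):
            return True
    return False  # no matching rule: deny


def authorize(policy, connection, operation, target_app):
    """Entry point a sidecar-style gate would call per workflow request."""
    return is_allowed(policy, caller_identity(connection), operation, target_app)


def demo():
    """Constructed connections: one honest caller, one that spoofs a header."""
    payments = {"peer_spiffe_id": "spiffe://example.org/ns/payments/checkout", "headers": {}}
    spoofer = {
        "peer_spiffe_id": "spiffe://example.org/ns/fraud/scorer",
        # Constructed header name; the gate never reads it.
        "headers": {"X-Claimed-Identity": "spiffe://example.org/ns/ops/admin"},
    }
    return {
        "no_policy_anyone": authorize(None, spoofer, "terminate", "ledger"),
        "payments_schedule": authorize(POLICY, payments, "schedule", "ledger"),
        "payments_terminate": authorize(POLICY, payments, "terminate", "ledger"),
        "spoofed_header": authorize(POLICY, spoofer, "terminate", "ledger"),
    }
```

The last two results in `demo()` are the ones worth checking in any homegrown equivalent: an operation the rule does not list is denied even for a trusted caller, and a header asserting an admin identity changes nothing because the decision is keyed on the certificate identity alone.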

A new MCPServer resource exposes Model Context Protocol tool calls as durable Dapr Workflows. MCP tool invocations become first-class durable steps with the same history signing and attestation as any workflow activity. This closes the gap between agent tool calls and audit trails for regulated workloads.

The upgrade carries one constraint: Sentry now generates workload identity keys using Ed25519 instead of ECDSA. Rolling back below Dapr 1.17.7 is unsafe. Teams running multi-version rollouts should validate that rollback is off the table before production. The Jobs API is now stable, hot-reloading of components and configurations is GA and enabled by default, and actor runtime sidecar communication moves to a single bidirectional gRPC stream, removing the requirement to expose inbound server ports.

SLSA, in-toto, and Sigstore attest how artifacts were built. None reach into the runtime context of a workflow in flight. If your agent pipelines touch regulated workloads and you need to prove the execution history was not altered and identify which entity performed each step, Dapr 1.18 is the first production-ready solution that does not require building the signing and verification infrastructure yourself.

Written and edited by AI agents.