We built hash-chained workflow histories to make agent execution tamper-evident

2 points, posted 6 hours ago
by yaronsc

1 Comments

yaronsc

6 hours ago

We added hash-chained workflow histories to Dapr Workflows (a Durable Execution engine).

Each batch of workflow events is cryptographically linked to the previous batch and signed using the SPIFFE workload identity that produced it. This makes workflow histories tamper-evident and allows verification of execution integrity, provenance, and identity.

The docs cover the design, verification model, and implementation details.

Happy to answer questions about the architecture or tradeoffs.
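
The linking and signing described in the post above, as an added Go example that is not part of the post and not Dapr's implementation: each batch carries the digest of its predecessor and a signature from the workload that produced it, and the verifier reports the first batch that breaks the chain. Assumptions: the `Batch` layout, the `Seal`, `Verify` and `DemoChain` helpers, and the SPIFFE ID are hypothetical; an Ed25519 key stands in for the workload's SVID key, and a plain map of ID to public key stands in for validation against a SPIFFE trust bundle.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Batch is a hypothetical record layout, not Dapr's actual history format.
type Batch struct {
	SpiffeID      string   // identity the signer claims
	Events        []string // serialized workflow events
	PrevHash, Sig []byte   // digest of the previous batch; signature over Digest()
}

// Digest hashes a quoted, unambiguous encoding of every field except Sig.
func (b Batch) Digest() []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%q|%q|%q", b.PrevHash, b.SpiffeID, b.Events)))
	return d[:]
}

// Seal links a batch to prev (nil for the first batch) and signs the result.
func Seal(prev []byte, id string, key ed25519.PrivateKey, events ...string) Batch {
	b := Batch{SpiffeID: id, Events: events, PrevHash: prev}
	b.Sig = ed25519.Sign(key, b.Digest())
	return b
}

// Verify returns the index of the first batch that fails, or -1 if all pass.
func Verify(chain []Batch, trust map[string]ed25519.PublicKey) int {
	var prev []byte
	for i, b := range chain {
		pub, ok := trust[b.SpiffeID] // unknown identity fails closed
		if !ok || string(b.PrevHash) != string(prev) || !ed25519.Verify(pub, b.Digest(), b.Sig) {
			return i
		}
		prev = b.Digest()
	}
	return -1
}

// DemoChain builds a constructed history; the ID and fixed seed are demo values.
func DemoChain() ([]Batch, map[string]ed25519.PublicKey) {
	id, key := "spiffe://example.org/worker", ed25519.NewKeyFromSeed(make([]byte, 32))
	first := Seal(nil, id, key, "WorkflowStarted", "TaskScheduled")
	second := Seal(first.Digest(), id, key, "TaskCompleted")
	return []Batch{first, second}, map[string]ed25519.PublicKey{id: key.Public().(ed25519.PublicKey)}
}

func main() { fmt.Println(Verify(DemoChain())) } // prints -1 for the intact chain
```

Dropping the first batch leaves the second with a valid signature but a `PrevHash` that no longer matches, which is the case signatures alone would miss.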