Docs/Temporal Integration

Temporal Integration

Pre-execution security for Temporal.io AI agents using Predicate Authority.

Temporal.io is a popular workflow orchestration platform for building reliable, distributed applications. When building AI agents with Temporal, activities often perform sensitive operations—database mutations, API calls, file system access, or shell commands. The Predicate Temporal interceptors provide a zero-trust security gate that blocks unauthorized activities before they execute.

Why Secure Temporal Activities?

Temporal workflows orchestrate complex, long-running processes. Activities within these workflows can:

Execute arbitrary code from LLM-generated payloads
Access databases and mutate critical data
Make external API calls to third-party services
Run shell commands on your infrastructure

Without pre-execution authorization, a compromised or malicious activity payload could:

Delete production data (DELETE FROM orders WHERE 1=1)
Exfiltrate secrets via HTTP requests
Execute dangerous shell commands (rm -rf /)
Escalate privileges through admin operations

The Predicate Temporal interceptor sits in the activity execution pipeline and blocks unauthorized actions before any code runs.

How It Works

┌─────────────────────────────────────────────────────────────────┐
│                      Temporal Worker                            │
│  ┌─────────────┐    ┌─────────────────────┐    ┌─────────────┐ │
│  │   Workflow  │───▶│ Predicate Interceptor│───▶│  Activity   │ │
│  │             │    │                     │    │             │ │
│  │  dispatch   │    │  1. Extract action  │    │  execute    │ │
│  │  activity   │    │  2. Call sidecar    │    │  (if OK)    │ │
│  │             │    │  3. Allow or Deny   │    │             │ │
│  └─────────────┘    └─────────────────────┘    └─────────────┘ │
│                              │                                  │
│                              ▼                                  │
│                    ┌─────────────────────┐                     │
│                    │  Predicate Sidecar  │                     │
│                    │  - Policy eval      │                     │
│                    │  - Mandate signing  │                     │
│                    │  - Audit logging    │                     │
│                    └─────────────────────┘                     │
└─────────────────────────────────────────────────────────────────┘

Temporal dispatches an activity to your worker
Before execution, the interceptor extracts the activity name and arguments
Calls the sidecar at POST /v1/authorize with action = activity name
If denied: raises an error — activity never executes
If allowed: activity proceeds normally with an audit trail

Demo: Hack vs Fix

See Predicate Authority block dangerous Temporal activities in real-time:

Run it yourself:

git clone https://github.com/PredicateSystems/predicate-temporal-python
cd predicate-temporal-python/examples/demo
./start-demo-native.sh

Requirements: Python 3.11+, Temporal CLI

The demo shows 4 scenarios:

Scenario	Result	Policy Rule
Legitimate order processing	✅ ALLOWED	`allow-safe-activities`
Delete order attack	❌ BLOCKED	`deny-delete-operations`
Admin override attack	❌ BLOCKED	`deny-admin-operations`
Drop database attack	❌ BLOCKED	`deny-drop-operations`

Sidecar Prerequisite

The interceptor requires the Predicate Authority Sidecar daemon. The sidecar handles policy evaluation and mandate signing locally—no data leaves your infrastructure.

See the Sidecar and Operations guide for detailed setup instructions.

Quick start with Docker:

docker run -d -p 8787:8787 ghcr.io/predicatesystems/predicate-authorityd:latest

Or download the binary:

# macOS (Apple Silicon)
curl -fsSL https://github.com/PredicateSystems/predicate-authority-sidecar/releases/latest/download/predicate-authorityd-darwin-arm64.tar.gz | tar -xz
chmod +x predicate-authorityd
./predicate-authorityd --port 8787 --policy-file policy.json

Verify it's running:

curl http://localhost:8787/health
# {"status":"ok"}

SDK Installation

Language	Package	Install Command
Python	`predicate-temporal`	`pip install predicate-temporal`
TypeScript	`@predicatesystems/temporal`	`npm install @predicatesystems/temporal`

Quick Start

from temporalio.worker import Worker
from predicate_temporal import PredicateInterceptor
from predicate_authority import AuthorityClient

# Initialize the Predicate Authority client
ctx = AuthorityClient.from_env()

# Create the interceptor
interceptor = PredicateInterceptor(
    authority_client=

Policy Configuration

Create a policy file that defines allowed and denied activities:

{
  "rules": [
    {
      "name": "allow-safe-activities",
      "effect": "allow",
      "principals": ["temporal-worker"],
      "actions": ["process_order", "send_notification", "fetch_data"],
      "resources": ["*"]
    },
    {
      "name": "deny-dangerous-activities",
      "effect": "deny",
      "principals": ["*"],
      "actions": ["delete_*", "drop_*", "admin_*", "rm_*"],
      "resources": ["*"]
    }
  ]
}

Starter policy packs: The sidecar repository includes ready-to-use policy templates for common use cases.

Policy evaluation order:

Explicit deny rules are evaluated first
Then allow rules are checked
Default behavior is deny (fail-closed)

Next Steps

SDK Integration Guide — Complete Python and TypeScript reference
Sidecar and Operations — Running the sidecar daemon
Policy Configuration — Writing effective policies

Source Code

SDK	Repository	License
Python	temporal-predicate-py	MIT
TypeScript	temporal-predicate-typescript	MIT

SDK Integration