Make ObjectSerializer configuration user-controllable via serializerTypeFilter parameter

Co-authored-by: danielgerlag <2357007+danielgerlag@users.noreply.github.com>

Author: Copilot

src/providers/WorkflowCore.Persistence.MongoDB/README.md

@@ -18,6 +18,43 @@ Use the .UseMongoDB extension method when building your service provider.
 services.AddWorkflow(x => x.UseMongoDB(@"mongodb://localhost:27017", "workflow"));
 ```
 
+### Configuring the ObjectSerializer
+
+When using MongoDB persistence with user-defined data classes, you need to configure which types are allowed to be deserialized. This is done via the `serializerTypeFilter` parameter:
+
+```C#
+services.AddWorkflow(x => x.UseMongoDB(
+    @"mongodb://localhost:27017", 
+    "workflow",
+    serializerTypeFilter: type =>
+        MongoDB.Bson.Serialization.Serializers.ObjectSerializer.DefaultAllowedTypes(type) || 
+        type.FullName?.StartsWith("MyApp.") == true));
+```
+
+This configuration allows:
+- All default MongoDB allowed types (primitives, collections, etc.)
+- Types in your application namespace (e.g., `MyApp.*`)
+
+**Important:** You must configure the serializer to allow your workflow data types, otherwise you will encounter a `BsonSerializationException` when MongoDB tries to deserialize your data.
+
+Example for multiple namespaces:
+
+```C#
+services.AddWorkflow(x => x.UseMongoDB(
+    @"mongodb://localhost:27017", 
+    "workflow",
+    serializerTypeFilter: type =>
+    {
+        if (MongoDB.Bson.Serialization.Serializers.ObjectSerializer.DefaultAllowedTypes(type))
+            return true;
+            
+        var fullName = type.FullName ?? "";
+        return fullName.StartsWith("MyApp.") || 
+               fullName.StartsWith("MyCompany.Models.") ||
+               fullName.StartsWith("WorkflowCore.");
+    }));
+```
+
 ### State object serialization
 
 By default (to maintain backwards compatibility), the state object is serialized using a two step serialization process using object -> JSON -> BSON serialization.

src/providers/WorkflowCore.Persistence.MongoDB/ServiceCollectionExtensions.cs

@@ -12,8 +12,11 @@ public static WorkflowOptions UseMongoDB(
             this WorkflowOptions options, 
             string mongoUrl, 
             string databaseName, 
-            Action<MongoClientSettings> configureClient = default)
+            Action<MongoClientSettings> configureClient = default,
+            Func<Type, bool> serializerTypeFilter = null)
         {
+            RegisterObjectSerializer(serializerTypeFilter);
+            
             options.UsePersistence(sp =>
             {
                 var mongoClientSettings = MongoClientSettings.FromConnectionString(mongoUrl);
@@ -35,11 +38,14 @@ public static WorkflowOptions UseMongoDB(
 
         public static WorkflowOptions UseMongoDB(
             this WorkflowOptions options, 
-            Func<IServiceProvider, IMongoDatabase> createDatabase)
+            Func<IServiceProvider, IMongoDatabase> createDatabase,
+            Func<Type, bool> serializerTypeFilter = null)
         {
             if (options == null) throw new ArgumentNullException(nameof(options));
             if (createDatabase == null) throw new ArgumentNullException(nameof(createDatabase));
 
+            RegisterObjectSerializer(serializerTypeFilter);
+            
             options.UsePersistence(sp =>
             {
                 var db = createDatabase(sp);
@@ -53,5 +59,14 @@ public static WorkflowOptions UseMongoDB(
 
             return options;
         }
+        
+        private static void RegisterObjectSerializer(Func<Type, bool> serializerTypeFilter)
+        {
+            if (serializerTypeFilter != null)
+            {
+                MongoDB.Bson.Serialization.BsonSerializer.TryRegisterSerializer(
+                    new MongoDB.Bson.Serialization.Serializers.ObjectSerializer(serializerTypeFilter));
+            }
+        }
     }
 }

src/providers/WorkflowCore.Persistence.MongoDB/Services/MongoPersistenceProvider.cs

@@ -27,31 +27,6 @@ public MongoPersistenceProvider(IMongoDatabase database)
 
         static MongoPersistenceProvider()
         {
-            // Register ObjectSerializer to allow deserialization of user types while maintaining security
-            // Allows all default types plus user-defined types (excluding system/framework types)
-            BsonSerializer.TryRegisterSerializer(new ObjectSerializer(type =>
-            {
-                // Allow all default MongoDB allowed types (primitives, collections, etc.)
-                if (ObjectSerializer.DefaultAllowedTypes(type))
-                    return true;
-                    
-                // Allow WorkflowCore types (for backward compatibility)
-                if (type.FullName?.StartsWith("WorkflowCore") == true)
-                    return true;
-                    
-                // Allow user types by excluding system/framework types
-                // This prevents security issues while allowing user data classes
-                var fullName = type.FullName ?? "";
-                if (fullName.StartsWith("System.") ||
-                    fullName.StartsWith("Microsoft.") ||
-                    fullName.StartsWith("System,") ||
-                    fullName.StartsWith("Microsoft,"))
-                    return false;
-                    
-                // Allow all other types (user-defined types)
-                return true;
-            }));
-
             ConventionRegistry.Register(
                 "workflow.conventions",
                 new ConventionPack