chore(core): fix passing inspector token for serverless runners

[NathanFlurry]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-serverless	Ready	Preview	Comment	Oct 5, 2025 0:50am

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat: freestyle example #1317
• chore(core): fix passing inspector token for serverless runners #1348 👈 (View in Graphite)
• chore(core): add support for RIVET_ENDPOINT env var as alternative to RIVET_ENGINE #1347
• fix(core): strip basePath from routes for actor gateway on manager router #1346
• chore(core): enable overriding default server addr for logs & inspector #1345
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Claude finished @NathanFlurry's task —— View job

---

Code Review Complete

Reviewing PR #1348: "chore(core): fix passing inspector token for serverless runners"

Todo List:

• Read and analyze changed files
• Review code quality and best practices
• Check for potential bugs or issues
• Assess performance considerations
• Evaluate security concerns
• Check test coverage implications
• Provide comprehensive feedback

---

Review Summary

This PR addresses inspector token handling for serverless runners. The changes are focused and well-implemented with some minor areas for improvement.

Key Changes Analysis

1. Inspector Token Override (actor-driver.ts:83-88)

// HACK: Override inspector token (which are likely to be
// removed later on) with token from x-rivet-token header
const token = runConfig.token ?? config.token;
if (token && runConfig.inspector && runConfig.inspector.enabled) {
    runConfig.inspector.token = () => token;
}

2. Engine Runner Dependency Update (package.json:166)

• Updated @rivetkit/engine-runner from commit 16cf6cc to 76c2e031

3. Error Message Simplification (default.ts:19)

• Removed verbose explanation from serverless endpoint validation error

4. Async Stream Write Fix (actor-driver.ts:424)

• Added missing await for stream.writeSSE({ data: payload })

Code Quality Assessment

✅ Strengths:

• Clear separation of concerns with token precedence logic
• Proper error handling maintains existing patterns
• Self-documenting code with appropriate comments
• Follows RivetKit naming conventions and code style
• Bug fix for missing await demonstrates attention to detail

⚠️ Areas for Improvement:

1. Comment Clarity (actor-driver.ts:83)

   • The "HACK" comment suggests temporary code, but lacks context about future plans
   • Consider adding a TODO or issue reference for eventual removal

2. Token Validation (actor-driver.ts:87)

   • No validation that the token is non-empty before assignment
   • Could potentially override with empty string

Security Analysis

✅ Secure Practices:

• Token handling follows secure patterns
• No token logging or exposure in error messages
• Proper precedence: runConfig.token → config.token

⚠️ Security Considerations:

• The inspector token override relies on external configuration
• Consider validating token format/length before assignment

Performance & Architecture

✅ Performance:

• Changes are minimal and won't impact runtime performance
• Dependency update likely includes optimizations
• Async/await fix prevents potential blocking

Architecture:

• Changes maintain existing driver pattern
• Token precedence logic is straightforward
• No breaking changes to public APIs

Bug Fixes Identified

Fixed Issues:

1. Missing await (actor-driver.ts:424): Properly awaits SSE stream write
2. Inspector token not passed: Ensures serverless runners receive proper authentication

Test Coverage Implications

Missing Test Coverage:

• No tests for the new inspector token override logic
• Token precedence scenarios should be covered
• Consider adding tests for:
  • runConfig.token takes precedence over config.token
  • Inspector token function is properly set when conditions are met
  • Behavior when inspector is disabled

Recommendations

1. Add Tests: Cover the inspector token override logic
2. Improve Documentation: Replace "HACK" comment with clearer context
3. Token Validation: Add basic validation for token before assignment
4. Future Cleanup: Track removal of temporary token logic with proper issue reference

Potential Issues

Low Risk:

• Token override logic assumes inspector configuration exists
• No explicit validation of token format

Code Example for Improvement:

const token = runConfig.token ?? config.token;
if (token && token.trim() && runConfig.inspector?.enabled) {
    runConfig.inspector.token = () => token;
}

Overall Assessment

Rating: ✅ APPROVE

This is a solid fix that addresses serverless inspector token handling. The changes are focused, maintain backward compatibility, and fix real issues. While there are minor improvement opportunities, the code quality is good and follows project conventions.

The dependency update and bug fixes demonstrate good maintenance practices, and the implementation correctly handles token precedence for serverless environments.

---

[pkg-pr-new]

More templates

• example-ai-agent
• example-better-auth-external-db
• chat-room
• example-cloudflare-workers
• example-cloudflare-workers-hono
• example-counter
• example-crdt
• example-database
• example-deno
• example-sqlite
• example-elysia
• example-express
• example-game
• example-hono
• example-hono-react
• example-kitchen-sink
• example-next-js
• example-rate
• example-raw-fetch-handler
• example-raw-websocket-handler-proxy
• example-react
• starter
• example-stream
• example-sync
• example-tenant
• example-trpc

@rivetkit/actor

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/actor@1348

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/cloudflare-workers@1348

@rivetkit/core

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/core@1348

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/db@1348

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/framework-base@1348

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/next-js@1348

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/react@1348

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivetkit@1348

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/sql-loader@1348

commit: caede9d

[graphite-app]

Merge activity

• Oct 5, 12:50 AM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Oct 5, 12:51 AM UTC: CI is running for this pull request on a draft pull request (#1349) due to your merge queue CI optimization settings.
• Oct 5, 12:52 AM UTC: Merged by the Graphite merge queue via draft PR: #1349.