fix(rivetkit): properly apply clientEndpoint from metadata lookup

[NathanFlurry]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-serverless	Ready	Preview	Comment	Nov 13, 2025 2:48am

3 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-cloud	Ignored			Nov 13, 2025 2:48am
rivet-inspector	Ignored	Preview		Nov 13, 2025 2:48am
rivet-site	Ignored	Preview		Nov 13, 2025 2:48am

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(rivetkit): remove incorrect getEndpoint call in metadata handler #3433 : 2 dependent PRs (#3438 , #3451 )
• feat(rivetkit): add json protocol support #3432
• chore(rivetkit): add required zod validation for json encoding #3431
• chore(rivetkit): add listing actors by only name to manager api #3430
• refactor(rivetkit): extract WebSocket protocol parsing to shared utility #3429
• refactor(rivetkit): restructure connection lifecycle contexts #3428
• chore(rivetkit): add WebSocketContext and RequestContext #3427
• chore(rivetkit): add conn type #3426
• chore(rivetkit): add connection for raw http #3425
• chore(rivetkit): rename onFetch to onRequest #3424
• refactor(rivetkit): add state manager for conn with symbol-based access #3423
• fix(rivetkit): use loggerWithoutContext for websocket error when actor undefined #3412
• feat(rivetkit): add GET /actors/names #3411
• feat(api-public): expose actor kv api #3410
• chore(rivetkit): auto-generate inspector token for engine driver #3409
• chore(rivetkit): close websockets on out of sequence messages #3404
• fix(rivetkit): properly apply clientEndpoint from metadata lookup #3402 👈 (View in Graphite)
• fix(rivetkit): properly handle msgIndex for hibernatable websocket reconnection #3401
• chore(rivetkit): rename onstart/onstop to onwake/onsleep #3422
• chore(rivetkit): split ActorInstance logic in to multiple classes #3421
• chore(rivetkit): move conns to separate persisted kv keys #3420
• chore(rivetkit): remove deprecated conn tokens & sse support #3419
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[pkg-pr-new]

More templates

• example-ai-agent
• example-background-jobs
• example-better-auth-external-db
• example-bots
• chat-room
• example-cloudflare-workers
• example-cloudflare-workers-hono
• example-counter
• example-counter-serverless
• example-crdt
• example-cursors
• example-cursors-raw-websocket
• example-database
• example-deno
• example-sqlite
• example-elysia
• example-express
• example-freestyle
• example-game
• example-hono
• example-hono-bun
• example-hono-react
• example-kitchen-sink
• example-next-js
• example-rate
• example-raw-fetch-handler
• example-raw-websocket-handler
• example-raw-websocket-handler-proxy
• example-react
• starter
• example-stream
• example-sync
• example-tenant
• example-trpc
• example-workflows

@rivetkit/actor

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/actor@3402

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@3402

@rivetkit/core

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/core@3402

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/db@3402

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@3402

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@3402

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@3402

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@3402

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@3402

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@3402

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@3402

commit: 5270367

[claude]

Code Review - PR #3402

Summary

This PR fixes the proper application of clientEndpoint from metadata lookup by refactoring the metadata checking logic into a dedicated module and renaming disableHealthCheck to the more accurate disableMetadataLookup.

Strengths

1. Better Separation of Concerns: Extracting metadata lookup logic into metadata.ts improves code organization and makes the codebase more maintainable.

2. Improved Naming: Renaming disableHealthCheck to disableMetadataLookup is more accurate since this flag controls metadata fetching, not health checks.

3. Proper Endpoint Override: The fix correctly applies clientEndpoint from metadata to this.#config.endpoint before any API calls are made.

4. Cache Implementation: The global metadataLookupCache prevents duplicate metadata requests for the same endpoint, which is good for performance.

5. Retry Logic: Using p-retry with exponential backoff (500ms to 15s) provides resilience against transient failures.

Concerns and Issues

1. Critical: Config Mutation Issue

Line 76 in mod.ts mutates this.#config.endpoint after the cache key has been set. This could cause issues if multiple RemoteManagerDriver instances are created with the same initial endpoint but receive different clientEndpoint values. The cache uses the original endpoint as the key, but the config is modified afterward.

Recommendation: Consider using a separate field or documenting this behavior clearly. The current implementation appears correct but the mutation could be error-prone.

2. Infinite Retry Risk

metadata.ts:42 sets retries to Number.MAX_SAFE_INTEGER, which will retry forever if the metadata endpoint is permanently unavailable or misconfigured. While the exponential backoff caps at 15 seconds, this could still cause the application to hang indefinitely during startup.

Recommendation: Set a reasonable retry limit (e.g., 10-20 retries, which would span 2-5 minutes with the backoff strategy) or add a total timeout.

3. Error Handling in Metadata Promise

No .catch() handler on the promise at mod.ts:72-89. If lookupMetadataCached eventually fails, this promise will reject. When methods await this.#metadataPromise, they will throw, but there is no recovery mechanism or clear error message for users.

Recommendation: Consider adding error handling to log the failure clearly and provide guidance about checking endpoint configuration.

4. Cache Never Expires

The cache at metadata.ts:10 is never cleared. If metadata changes during the application lifecycle, the cached value will be stale.

Recommendation: Document that the cache is intentionally permanent for the lifetime of the process, or add a TTL mechanism if metadata might change.

5. Logging Inconsistency

mod.ts:63 still says disabling health check but should say disabling metadata lookup to match the renamed config field.

Test Coverage

No tests were added or modified in this PR.

Recommendations:

1. Add tests for the metadata caching behavior
2. Test the scenario where clientEndpoint is provided in metadata
3. Test the scenario where clientEndpoint is undefined
4. Test that multiple clients with the same endpoint share the cached metadata
5. Test the retry behavior with mocked failures

Specific Recommendations

1. Fix the log message on line 63 of mod.ts
2. Add a reasonable retry limit instead of Number.MAX_SAFE_INTEGER
3. Consider error handling for the metadata promise
4. Add tests for the new metadata caching behavior
5. Document the cache behavior in code comments

Overall Assessment

This is a solid refactoring that improves code organization and fixes a real bug with endpoint override. The main concerns are around error handling and the infinite retry behavior. With the recommended changes, this would be production-ready.

Recommendation: Approve with minor changes requested

[claude]

Code Review - PR #3402

Summary

This PR refactors the metadata lookup logic by extracting it into a separate module and fixes a critical bug where clientEndpoint from the metadata response wasn't being properly applied to the client configuration. The refactoring improves code organization and maintainability.

---

Positive Observations

✅ Good separation of concerns - Extracting metadata lookup into metadata.ts improves modularity and reusability

✅ Proper caching strategy - Using a global cache with endpoint as the key prevents duplicate requests

✅ Better error handling - The refactored code maintains retry logic with exponential backoff

✅ Correct bug fix - The clientEndpoint is now properly applied to this.#config.endpoint before being used in subsequent operations

✅ Consistent naming - Renaming from disableHealthCheck to disableMetadataLookup is more accurate

---

Issues & Concerns

🔴 Critical: Config Mutation Bug

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/mod.ts:76

this.#config.endpoint = metadataData.clientEndpoint;

Problem: This directly mutates the ClientConfig object that was passed to the constructor. If the same config object is reused to create multiple RemoteManagerDriver instances, the mutation will affect all instances unexpectedly.

Impact: Race conditions and unpredictable behavior when multiple clients share config objects.

Recommendation:

// Option 1: Clone the config
this.#config = { ...runConfig };

// Option 2: Use a separate field for the resolved endpoint
#resolvedEndpoint: string | undefined;

---

🟡 Medium: Infinite Retry Could Cause Resource Exhaustion

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/metadata.ts:42

retries: Number.MAX_SAFE_INTEGER,

Problem: Setting retries to Number.MAX_SAFE_INTEGER means the metadata lookup will retry essentially forever. If the endpoint is permanently unavailable (misconfigured URL, network isolation, etc.), this will:

• Keep promises pending indefinitely
• Accumulate in the cache map
• Block all operations that await this.#metadataPromise
• Consume memory and resources over time

Recommendation:

retries: 30, // Reasonable limit (e.g., ~5 minutes with exponential backoff)

Or add a timeout mechanism to fail fast after a certain duration.

---

🟡 Medium: Missing Error Handling in Constructor

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/mod.ts:72-90

Problem: The metadata lookup promise is created but error handling only logs. If metadata lookup fails, this.#metadataPromise will be a rejected promise, causing all subsequent operations to throw when they await it.

Current code:

this.#metadataPromise = lookupMetadataCached(this.#config).then(
    (metadataData) => {
        // ... success handling
    },
);

Issue: No .catch() handler, so unhandled rejections could occur.

Recommendation:

this.#metadataPromise = lookupMetadataCached(this.#config)
    .then((metadataData) => {
        // ... success handling
    })
    .catch((error) => {
        logger().error({
            msg: "metadata lookup failed permanently",
            error: stringifyError(error),
        });
        // Consider: should we continue without metadata or throw?
        // Current behavior will cause all operations to fail
    });

---

🟡 Medium: Cache Never Cleared

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/metadata.ts:10

const metadataLookupCache = new Map<string, Promise<MetadataResponse>>();

Problem: The cache is a module-level global that persists for the lifetime of the process. If:

• The endpoint configuration changes at runtime
• Metadata changes on the server side (version updates, endpoint changes)
• Long-running processes accumulate stale metadata

Recommendation: Consider adding:

• TTL-based cache expiration
• Cache invalidation mechanism
• Or document that the cache is intentionally permanent for the process lifetime

---

🟢 Minor: Logging Inconsistency

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/mod.ts:78

logger().info({
    msg: "overriding cached client endpoint",
    endpoint: metadataData.clientEndpoint,
});

Issue: The message says "overriding cached client endpoint" but this happens on first lookup too, not just when overriding. The word "cached" is misleading.

Recommendation:

msg: "applying client endpoint from metadata"

---

🟢 Minor: Type Safety

The code assumes metadataData.clientEndpoint is truthy before using it (line 75), which is correct. However, TypeScript would benefit from explicit typing.

---

Test Coverage Concerns

⚠️ No tests found for the new metadata.ts module or the endpoint override behavior.

Recommended test cases:

1. Test that clientEndpoint from metadata properly overrides the config endpoint
2. Test that cache prevents duplicate requests to same endpoint
3. Test that different endpoints get separate cache entries
4. Test retry behavior on transient failures
5. Test behavior when metadata lookup is disabled
6. Test that awaiting metadata promise works correctly in all driver methods

---

Performance Considerations

✅ Caching strategy is good for performance
✅ Retry with exponential backoff is appropriate
⚠️ Consider adding request deduplication if multiple driver instances are created simultaneously with same endpoint

---

Security Considerations

✅ No obvious security issues
✅ Endpoint validation happens in the API call layer
⚠️ Consider validating that clientEndpoint from metadata is a well-formed URL to prevent injection issues

---

Recommendations Summary

Must Fix:

1. Fix config mutation issue - clone config or use separate field for resolved endpoint

Should Fix:
2. Add reasonable retry limit instead of Number.MAX_SAFE_INTEGER
3. Add error handling for metadata lookup failures in constructor
4. Add test coverage for endpoint override behavior

Nice to Have:
5. Add cache invalidation/TTL mechanism
6. Fix logging message clarity
7. Add comprehensive test suite

---

Overall Assessment

This is a good refactoring that properly fixes the clientEndpoint application bug. The code is well-structured and follows TypeScript best practices. However, the config mutation issue should be addressed before merging, and the infinite retry behavior needs consideration for production environments.

Recommendation: Request changes for critical issues, approve after fixes.

[claude]

Review comments posted in thread

[claude]

Pull Request Review

Summary

This PR refactors the metadata lookup functionality in RivetKit's remote manager driver by extracting it into a dedicated module. The key change is ensuring that the clientEndpoint from the metadata response is properly applied to the client config before any API calls are made.

---

Code Quality & Best Practices ✅

Strengths:

• Good separation of concerns: Extracting metadata lookup into metadata.ts improves modularity and maintainability
• Consistent naming: The rename from disableHealthCheck to disableMetadataLookup is more accurate and self-documenting
• Proper caching strategy: The global cache prevents duplicate metadata lookups for the same endpoint
• Race condition handling: Storing the promise immediately prevents concurrent requests from creating multiple lookups

Minor concerns:

1. Module-level cache: The metadataLookupCache Map at line 10 of metadata.ts uses a global module-level variable. While this works, consider whether this cache should be:

   • Cleared/invalidated under certain conditions (endpoint changes, auth failures, etc.)
   • Have a TTL or max size limit to prevent memory leaks in long-running applications
   • Be scoped differently (e.g., per client instance rather than globally)

2. Retry configuration: The retry logic uses Number.MAX_SAFE_INTEGER retries (line 42), which means it will retry indefinitely. This could lead to:

   • Hanging applications if the endpoint is permanently unreachable
   • Resource exhaustion in edge cases
   • Consider adding a reasonable maximum (e.g., 10-20 retries) or a total timeout

[claude]

Potential Bugs & Issues ⚠️

Critical Issue - Config Mutation:
The most significant issue is on line 76 of mod.ts:

this.#config.endpoint = metadataData.clientEndpoint;

This mutates the config object that was passed into the constructor. This is problematic because:

• The original runConfig object is being modified, which could affect the caller
• If the same config object is reused for multiple driver instances, they would all unexpectedly share the same endpoint
• This violates the principle of least surprise

Recommendation: Create a copy of the config or store the override separately:

// Option 1: Store override separately
#endpointOverride: string | undefined;

if (metadataData.clientEndpoint) {
  this.#endpointOverride = metadataData.clientEndpoint;
}

// Then modify getEndpoint calls to check override first

// Option 2: Deep clone config in constructor
this.#config = structuredClone(runConfig);

Race Condition with Cache:
If two different ClientConfig objects point to the same endpoint but have different auth tokens or headers, they would share the cached metadata response. The cache key only uses the endpoint string (line 15 of metadata.ts), not the full config. This could lead to incorrect behavior if:

• Different namespaces use the same endpoint
• Different auth tokens are used for the same endpoint

Recommendation: Include relevant config properties in the cache key

[claude]

Performance Considerations ⚡

Good:

• Caching prevents redundant network calls ✅
• Promise reuse prevents thundering herd ✅
• Async/await pattern is clean and efficient ✅

Consideration:

• The metadata lookup blocks all operations via the await this.#metadataPromise pattern (lines 100-102, 137-139, etc.). While this ensures correctness, it could delay fast operations if the metadata lookup is slow
• Consider documenting the expected latency impact in comments

---

Security Concerns 🔒

Low Risk:

• No obvious security vulnerabilities detected
• The code properly forwards auth headers via the config
• Error messages appropriately use structured logging without leaking sensitive data

Consideration:

• The infinite retry with exponential backoff could be used for a DoS if an attacker can trigger many client creations with invalid endpoints
• Consider rate limiting client creation or capping total retry duration

[claude]

Test Coverage 🧪

Missing:

• No tests found for the metadata lookup functionality
• Critical scenarios to test:
  1. Successful metadata lookup with clientEndpoint override
  2. Successful metadata lookup without clientEndpoint
  3. Failed metadata lookup with retry behavior
  4. Concurrent requests to same endpoint (cache behavior)
  5. Config mutation concerns (original config should not be modified)
  6. Metadata lookup disabled via disableMetadataLookup

Recommendation: Add unit tests in metadata.test.ts and integration tests for the full driver flow.

---

Additional Observations

1. Documentation: The log message on line 63 says "disabling health check" but should say "disabling metadata lookup" to match the new naming

2. Type safety: The code correctly uses TypeScript types throughout ✅

3. Error handling: Errors are properly caught and logged with structured data ✅

4. Consistency: All await points for metadataPromise follow the same pattern ✅

[claude]

Recommendations Summary

Must Fix:

1. Address config mutation issue (create copy or use override pattern)
2. Improve cache key to include namespace/token

Should Fix:

1. Add reasonable retry limits instead of infinite retries
2. Update log message to say "metadata lookup" instead of "health check"
3. Add test coverage for metadata lookup functionality

Consider:

1. Cache invalidation strategy and memory management
2. Document performance implications of blocking on metadata lookup
3. Add cache size limits or TTL

---

Overall, this is a solid refactoring that improves code organization. The main concerns are around config mutation and cache key specificity, which should be addressed before merging.

[claude]

Pull Request Review

Summary

This PR refactors the metadata lookup mechanism in RivetKit to properly apply the clientEndpoint from metadata responses. The main change extracts metadata fetching logic into a dedicated module with proper caching and updates the config endpoint before any API calls are made.

---

✅ Positive Observations

1. Good Separation of Concerns

• Extracting metadata lookup into its own module (metadata.ts) improves code organization and testability
• The caching mechanism is properly isolated and reusable

2. Proper Cache Implementation

• Using a Map with endpoint as the key prevents duplicate metadata fetches for the same endpoint
• Promise caching prevents race conditions when multiple clients try to connect simultaneously

3. Improved Naming

• Renaming disableHealthCheck → disableMetadataLookup is more accurate since this is not just a health check

4. Consistent Retry Logic

• Using p-retry with exponential backoff (500ms-15s) shows good resilience patterns
• forever: true ensures the client keeps trying to connect, which is appropriate for critical metadata

---

🐛 Potential Issues

1. Critical: Config Mutation Bug
The metadata promise modifies this.#config.endpoint directly:

// Line 76 in mod.ts
this.#config.endpoint = metadataData.clientEndpoint;

Problem: If multiple RemoteManagerDriver instances share the same ClientConfig object reference, this mutation will affect all instances. This could cause unexpected behavior when:

• Multiple drivers are created from the same config object
• The config is reused elsewhere in the application

Recommendation: Either:

• Document that each driver should have its own config instance, OR
• Clone the config in the constructor: this.#config = { ...runConfig }

2. Error Handling Gap
The metadata promise in the constructor silently swallows errors (lines 72-90). While logging occurs in lookupMetadataCached, if the metadata fetch fails indefinitely:

• The #metadataPromise will never resolve
• All API methods will hang indefinitely on await this.#metadataPromise

Recommendation: Consider adding a circuit breaker or timeout

3. Cache Never Invalidates
The global metadataLookupCache never clears entries:

// Line 10 in metadata.ts
const metadataLookupCache = new Map<string, Promise<MetadataResponse>>();

Problem:

• In long-running processes, stale metadata could be returned
• If an endpoint clientEndpoint changes, clients will not pick up the new value
• Memory leak potential in edge cases with many different endpoints

Recommendation:

• Add a TTL-based cache invalidation mechanism
• Consider using a proper cache library with expiration
• Or document that cache is intentionally permanent for application lifetime

---

⚡ Performance Considerations

1. Sequential Blocking
Every API method waits for metadata. This is correct behavior, but worth noting that the first API call will have higher latency. The constructor fires the fetch immediately, which is good for minimizing this delay.

2. Retry Forever
forever: true means infinite retries. For some deployment scenarios (like serverless cold starts with timeouts), this could cause issues. Consider if a maximum retry count would be more appropriate.

---

🔒 Security Considerations

No significant security issues identified. The changes maintain existing security patterns:

• Token handling unchanged
• No new external inputs
• Endpoint validation still occurs in getEndpoint

---

🧪 Test Coverage

Missing Test Coverage:

• No tests for the new metadata.ts module
• No tests verifying clientEndpoint override behavior
• No tests for cache behavior (race conditions, multiple instances)
• No tests for error scenarios (metadata fetch failure)

Recommendation: Add tests covering:

1. Successful metadata lookup and endpoint override
2. Cache hit on second lookup for same endpoint
3. Multiple simultaneous lookups to same endpoint (race condition)
4. Behavior when metadata returns no clientEndpoint
5. Retry behavior on transient failures

---

📋 Minor Suggestions

1. Type Safety
Consider adding a more defensive check for empty strings

2. Logging Consistency
Line 78 logs "overriding cached client endpoint" but it is overriding the instance config, not the cache. Consider: "overriding client endpoint from metadata"

3. Comment Update
Line 58 comment mentions "health check" but should say "metadata lookup"

---

🎯 Overall Assessment

Code Quality: Good - Clean refactoring with improved separation of concerns

Correctness: Moderate concerns - Config mutation and error handling need attention

Risk Level: Medium - The config mutation bug could cause subtle issues in production

Recommendation: Request changes to address the config mutation and error handling issues before merging.

---

Action Items

Must Fix:

1. Address config mutation issue (clone config or document requirement)
2. Add timeout/circuit breaker for metadata fetch to prevent indefinite hangs

Should Fix:
3. Add test coverage for new metadata module
4. Consider cache invalidation strategy
5. Update outdated comments

Nice to Have:
6. Add defensive checks for empty clientEndpoint
7. Improve logging message accuracy

[claude]

Code Review

Summary

This PR fixes a race condition in the metadata lookup mechanism and properly applies the clientEndpoint from the metadata response. The refactoring extracts metadata lookup logic into a dedicated module with proper caching.

---

Strengths

1. Proper Race Condition Fix: The extraction of metadata lookup into a separate module (metadata.ts) with a shared cache prevents multiple concurrent metadata requests to the same endpoint.

2. Clear Separation of Concerns: Moving metadata lookup logic out of RemoteManagerDriver into its own module improves code organization and maintainability.

3. Correct Endpoint Override Timing: The fix properly applies clientEndpoint from metadata before logging the connection message, ensuring all subsequent API calls use the correct endpoint.

4. Better Naming: Renaming disableHealthCheck to disableMetadataLookup more accurately describes what the flag does.

5. Retry Logic with Backoff: The use of p-retry with exponential backoff (500ms to 15s) and proper error logging is robust.

---

Observations and Suggestions

1. Potential Memory Leak in Cache
The metadataLookupCache Map never clears entries. If the application connects to many different endpoints over time, this could accumulate indefinitely. Consider implementing cache expiration or a maximum cache size.

2. Error Handling in Constructor
The metadata promise is created but the explicit error handling from the old code was removed. If metadata lookup fails, the error might be unhandled unless something awaits the metadata promise. Consider re-adding explicit error handling in the constructor.

3. Race Condition with Endpoint Override
While the cache prevents duplicate requests, there is still a subtle timing issue: If RemoteManagerDriver is instantiated and API calls happen before the metadata promise resolves, those calls will use the original endpoint, not the overridden one. Consider awaiting the metadata promise before allowing API operations, or document this behavior.

4. Config Mutation
The PR mutates this.config.endpoint in the metadata promise handler. While functional, mutating config objects can lead to surprising behavior. Consider documenting this or using an immutable approach.

---

Test Coverage Concerns

Missing Test Coverage: There are no test files for the metadata lookup functionality. This is a critical path that handles race conditions, retry logic, cache behavior, and endpoint override logic.

Recommendations:

1. Add unit tests for lookupMetadataCached to verify duplicate requests return the same promise, failed requests trigger retries, and cache is properly shared
2. Add integration tests to verify endpoint override is applied correctly

---

Performance Considerations

Positive Impact: Prevents duplicate metadata requests through caching, retry logic ensures eventual consistency

Potential Issue: The forever: true retry option means failed metadata lookups will retry indefinitely. In production, this could mask configuration issues. Consider adding a maximum retry count or a circuit breaker pattern.

---

Verdict

Approve with minor suggestions. The core fix is sound and addresses the race condition properly. The refactoring improves code organization.

Priority Recommendations:

1. Add test coverage for metadata lookup logic (high priority)
2. Consider adding explicit error handling for the metadata promise (medium priority)
3. Document or address the endpoint override timing issue (medium priority)
4. Consider cache memory management (low priority)

Great work on identifying and fixing the race condition! The separation into a dedicated module makes the code much cleaner.

[claude]

PR Review: fix(rivetkit): properly apply clientEndpoint from metadata lookup

Summary

This PR refactors metadata lookup logic in RivetKit by extracting it into a separate module (metadata.ts) and fixing a critical bug where the clientEndpoint from metadata was not being properly applied to subsequent requests.

Code Quality: ✅ Good

Strengths

1. Clean separation of concerns - Extracting metadata lookup into its own module (metadata.ts) improves code organization and testability
2. Improved naming - Renaming disableHealthCheck to disableMetadataLookup better reflects the actual purpose
3. Better error handling - The refactor makes the control flow clearer with explicit promise handling
4. Proper shallow clone - The code correctly clones the config object and documents the limitation with a clear comment (lines 68-70 in mod.ts)

Areas for Improvement

1. Stale comment - Line 63 in mod.ts still says "disabling health check" but should say "disabling metadata lookup" to match the renamed field
2. Magic number - maxTimeout: 15_000 (15 seconds) could be extracted as a named constant for better maintainability

Bug Fix: ✅ Critical Fix Applied

The core issue is fixed on lines 79-86 of mod.ts:

if (metadataData.clientEndpoint) {
    this.#config.endpoint = metadataData.clientEndpoint;
    logger().info({
        msg: "overriding cached client endpoint",
        endpoint: metadataData.clientEndpoint,
    });
}

Before: The metadata was fetched but clientEndpoint was never applied to this.#config
After: The endpoint is properly overridden after metadata lookup completes

This is crucial for serverless runners where the initial endpoint needs to be redirected to the actual manager endpoint.

Performance Considerations: ✅ Good

1. Global caching - metadataLookupCache prevents redundant metadata fetches for the same endpoint
2. Race condition prevention - Promise is stored immediately upon first request to prevent concurrent fetches
3. Async initialization - Metadata lookup runs in background without blocking constructor

Suggestion: Consider adding cache TTL or invalidation mechanism. The current implementation caches metadata forever, which could be problematic if the clientEndpoint changes during long-running processes.

Security Concerns: ⚠️ Minor

1. Infinite retry with exponential backoff - forever: true on line 42 means failed metadata lookups will retry indefinitely. While the backoff helps (500ms-15s), consider:

   • Adding a maximum attempt count for cleaner failure modes
   • Or documenting that this is intentional for resilience

2. Endpoint override - The code allows metadata response to completely override the configured endpoint. While documented as intentional (lines 101-109 in router.ts), ensure:

   • The metadata endpoint is served over HTTPS in production
   • The token auth prevents unauthorized endpoint hijacking

Missing Test Coverage: ⚠️ Important

No test files found for this functionality. Consider adding tests for:

1. Metadata caching - Verify the same endpoint doesn't trigger multiple fetches
2. Endpoint override - Verify clientEndpoint is properly applied
3. Race conditions - Verify concurrent requests don't cause issues
4. Retry behavior - Verify retry logic works correctly
5. Shallow clone behavior - Verify config mutations don't affect caller

Example test structure:

describe('lookupMetadataCached', () => {
  it('should cache metadata by endpoint', async () => { /* ... */ });
  it('should override endpoint when clientEndpoint provided', async () => { /* ... */ });
  it('should handle concurrent requests', async () => { /* ... */ });
  it('should retry on failure', async () => { /* ... */ });
});

Recommendations

Must Fix

1. Update comment on line 63 of mod.ts to say "disabling metadata lookup"

Should Consider

1. Add test coverage for metadata lookup functionality
2. Extract MAX_METADATA_RETRY_TIMEOUT constant
3. Consider adding cache TTL or manual invalidation API
4. Document or add maximum retry attempts for metadata lookup

Nice to Have

1. Add TypeScript JSDoc comments to exported lookupMetadataCached function
2. Consider emitting events/metrics for metadata lookup success/failure for observability

Verdict: ✅ Approve with Minor Suggestions

This is a solid refactor that fixes a critical bug. The code quality is good, and the separation of concerns improves maintainability. The main gaps are test coverage and a stale comment. The PR is safe to merge after addressing the comment update.

[claude]

Code Review for PR #3402

Summary

This PR refactors the metadata lookup mechanism in the remote manager driver to properly apply the clientEndpoint from metadata responses. The changes introduce a new dedicated metadata module, fix config mutation issues, and rename disableHealthCheck to the more accurate disableMetadataLookup.

---

✅ Strengths

1. Better Separation of Concerns: Extracting metadata lookup logic into a dedicated metadata.ts module improves code organization and reusability.

2. Fixed Config Mutation Bug: The shallow clone of runConfig prevents the original config object from being mutated, which is a good defensive programming practice:

   this.#config = { ...runConfig };

3. Improved Naming: Renaming disableHealthCheck to disableMetadataLookup is more semantically accurate since this operation does more than just health checking.

4. Proper Caching: The global cache using Map<string, Promise<MetadataResponse>> prevents duplicate concurrent requests to the same endpoint.

5. Reliable Retry Logic: Using p-retry with forever: true ensures metadata lookup will eventually succeed even with transient network issues.

---

🔍 Issues & Concerns

1. Critical: Race Condition with Config Mutation (High Priority)

The current implementation has a race condition. The config endpoint is mutated after the metadata promise is created and stored:

// In constructor - config cloned here
this.#config = { ...runConfig };

// Metadata promise created with original endpoint
this.#metadataPromise = lookupMetadataCached(this.#config).then(
    (metadataData) => {
        // Endpoint mutated HERE - but only affects THIS instance
        if (metadataData.clientEndpoint) {
            this.#config.endpoint = metadataData.clientEndpoint;
        }
    }
);

Problem: If two RemoteManagerDriver instances are created for the same endpoint, they will share the cached metadata promise (via metadataLookupCache), but each instance mutates its own this.#config. This means:

• The first instance's config gets updated correctly
• The second instance gets the cached promise but its config is never updated
• Subsequent API calls from the second instance use the wrong endpoint

Recommended Fix: Either:

• Return the updated config from the cache and use it directly, OR
• Move the endpoint override logic outside the constructor into a method called before each API request, OR
• Store the resolved clientEndpoint in the cache alongside the metadata response

2. Shallow Clone Limitation (Medium Priority)

The comment in mod.ts:70 notes:

// NOTE: This is a shallow clone, so mutating nested properties will not do anything
this.#config = { ...runConfig };

This is problematic because:

• config.headers is an object that could be mutated
• Future developers might not notice this limitation
• The comment acknowledges the issue but doesn't prevent it

Recommendation: Use a deep clone library or freeze the original config to prevent accidental mutations.

3. Error Handling Inconsistency (Medium Priority)

The metadata lookup uses p-retry with forever: true, which means it will retry indefinitely. While there's logging on retry attempts, there's no timeout or circuit breaker:

{
    forever: true,  // ⚠️ Will retry indefinitely
    minTimeout: 500,
    maxTimeout: 15_000,
    // No maximum attempt count or overall timeout
}

Concerns:

• If the endpoint is permanently unavailable, the promise never resolves
• Application startup could hang indefinitely
• No way for developers to detect or handle this scenario

Recommendation: Add a reasonable timeout (e.g., 5 minutes) or max retry count, and handle the rejection gracefully.

4. Memory Leak Potential (Low Priority)

The metadataLookupCache Map grows unbounded:

const metadataLookupCache = new Map<string, Promise<MetadataResponse>>();

If the application creates clients for many different endpoints (e.g., multi-tenant scenario), this cache will grow indefinitely.

Recommendation: Implement cache eviction (LRU) or expose a method to clear the cache for specific endpoints.

5. Type Safety (Low Priority)

In metadata.ts:14, the return type could be more specific:

export async function lookupMetadataCached(
    config: ClientConfig,
): Promise<MetadataResponse> {

Consider using Readonly<MetadataResponse> to prevent accidental mutations of cached data.

---

🔒 Security Considerations

1. Endpoint Override Security: The clientEndpoint from the metadata response completely overrides the user-configured endpoint. This could be a security concern if:

   • The initial endpoint is compromised
   • An attacker can control the metadata response
   • There's no validation of the clientEndpoint URL

   Recommendation: Add validation to ensure clientEndpoint is a valid URL and optionally restrict to expected domains.

2. No TLS/Certificate Validation Mentioned: Ensure that HTTP requests to fetch metadata enforce proper TLS validation.

---

🧪 Test Coverage

Concern: No tests were added or modified in this PR. Given the complexity of the changes, especially around caching and config mutation, tests would be valuable.

Recommended Test Cases:

1. Multiple instances sharing the same endpoint should both get the correct clientEndpoint
2. Metadata lookup should be called only once per unique endpoint
3. Config mutation should not affect other instances
4. Retry logic should work correctly on transient failures
5. Cache should properly handle concurrent requests to the same endpoint

---

📊 Performance Considerations

Positive:

• Caching prevents redundant network requests ✓
• Async initialization doesn't block the constructor ✓

Consideration:

• The metadata lookup happens in the constructor but isn't awaited. If methods are called before metadata resolves, they might use the wrong endpoint. Review the call sites to ensure this.#metadataPromise is properly awaited where needed.

---

📝 Recommendations Summary

Must Fix (P0):

1. Fix the race condition with config mutation and caching

Should Fix (P1):
2. Add timeout/max retries to prevent infinite retry loops
3. Validate clientEndpoint URLs for security
4. Add test coverage

Nice to Have (P2):
5. Implement cache eviction strategy
6. Use deep cloning or immutable patterns for config
7. Add type safety with readonly types

---

Conclusion

The PR makes good improvements to code organization and fixes a config mutation issue. However, there's a critical race condition that needs to be addressed before merging. The metadata caching mechanism, while well-intentioned, needs refinement to work correctly with multiple instances.

Overall assessment: Needs work before merge.

🤖 Generated with Claude Code

[claude]

Code Review

I've reviewed PR #3402 and here's my feedback:

Overview

This PR refactors the metadata lookup logic in RivetKit by extracting it into a dedicated module with caching and proper endpoint override handling. The key fix is ensuring that clientEndpoint from the metadata response properly overrides the config endpoint for all subsequent requests.

✅ Strengths

1. Better Separation of Concerns: Extracting metadata lookup logic into metadata.ts improves code organization and maintainability.

2. Correct Endpoint Override: The PR fixes a critical bug where the shallow clone of config (this.#config = { ...runConfig }) now properly allows mutating the endpoint property without affecting the original config. This ensures clientEndpoint is respected for all subsequent API calls.

3. Improved Caching Strategy: Moving the cache to a dedicated module makes it more reusable and clearer that the cache is keyed by endpoint.

4. Better Naming: Renaming disableHealthCheck to disableMetadataLookup is more accurate since this isn't strictly a health check but a metadata lookup that can override the endpoint.

5. Consistent Error Handling: The pRetry configuration with exponential backoff and logging is well-structured.

🔍 Potential Issues

1. Cache Invalidation Strategy: The metadataLookupCache is a module-level Map that never gets cleared. In long-running processes, this could lead to:

   • Stale metadata if the server configuration changes
   • Memory leaks if connecting to many different endpoints
   • No way to force a refresh if metadata becomes outdated

   Recommendation: Consider adding:

   • A TTL (time-to-live) mechanism for cache entries
   • A way to manually invalidate the cache
   • Or document that this is intentional for the lifetime of the process

2. Shallow Clone Limitation: The comment on line 69 of mod.ts correctly notes the shallow clone limitation:

   // NOTE: This is a shallow clone, so mutating nested properties will not do anything
   this.#config = { ...runConfig };

   While this works for endpoint (a primitive), it could cause confusion if someone tries to mutate nested properties like headers. Consider using a deep clone or being more explicit about which properties can be safely mutated.

3. Race Condition in Constructor: The metadata promise is created in the constructor but there's a subtle timing issue:

   this.#metadataPromise = lookupMetadataCached(this.#config).then(...)

   If the metadata lookup completes and overrides this.#config.endpoint while the constructor is still running, subsequent instantiations with the same runConfig object could see the mutated endpoint. However, since you're doing a shallow clone first, this should be fine. Consider adding a comment to clarify this is intentional.

4. Retry Strategy - forever: true: The pRetry configuration uses forever: true which means it will retry indefinitely. While this might be desired behavior:

   • If the endpoint is permanently unavailable, this will retry forever
   • Consider if there should be a maximum retry limit or timeout
   • Document this behavior clearly

5. Error Handling Gap: In mod.ts:74-76, the comment says:

   // This should never error, since it uses pRetry. If it does for
   // any reason, we'll surface the error anywhere #metadataPromise is
   // awaited.

   However, if pRetry with forever: true blocks indefinitely, methods like getForId will hang forever waiting for this.#metadataPromise. Consider adding a timeout or making this configurable.

6. Missing Type Safety: The getEndpoint function in api-utils.ts:18-20 uses a fallback:

   return config.endpoint ?? "http://127.0.0.1:6420";

   After the metadata override, config.endpoint should always be set, but there's no type guarantee. Consider making endpoint required after metadata lookup completes.

🛡️ Security Considerations

1. Endpoint Override Security: The clientEndpoint from the server can redirect the client to any URL. Ensure:

   • The initial endpoint is trusted (which should be the case since it's user-configured)
   • Consider validating that clientEndpoint is a reasonable URL (not file://, javascript:, etc.)
   • Add a warning log if the endpoint changes to an unexpected domain

2. Token Reuse: When the endpoint is overridden, the same config.token is used. Ensure this is the intended behavior and that the token is valid for both the original and redirected endpoints.

🎯 Testing Recommendations

1. Test Cases Needed:

   • Test that clientEndpoint properly overrides the initial endpoint
   • Test behavior when metadata lookup is disabled
   • Test multiple clients connecting to the same endpoint (cache reuse)
   • Test endpoint override with different token/namespace combinations
   • Test behavior when server returns different clientEndpoint values on retries
   • Test timeout behavior for unreachable endpoints

2. Edge Cases:

   • What happens if clientEndpoint is an empty string?
   • What happens if clientEndpoint is the same as the original endpoint?
   • What happens if the metadata lookup succeeds but returns malformed data?

📝 Minor Nitpicks

1. Logging Consistency: In metadata.ts:82-85, the log says "overriding cached client endpoint" but it's actually overriding the instance's endpoint, not the cache. Consider renaming to "overriding client endpoint" or "applying client endpoint override".

2. Documentation: The comment on disableMetadataLookup (line 40-41 of config.ts) still says "Whether to automatically perform health checks" but should be updated to reflect it's about metadata lookup.

3. Code Comment Clarity: The comment "We don't need health check for this operation" on line 292 of registry/mod.ts should be updated to say "We don't need metadata lookup for this operation".

Performance

No significant performance concerns. The caching strategy should reduce redundant network calls effectively.

Overall Assessment

This is a solid refactoring that fixes a real bug with endpoint override handling. The main concerns are around cache invalidation strategy and the retry-forever behavior. These might be acceptable depending on the intended use case, but should be documented and potentially made configurable.

Recommendation: Approve with minor changes suggested around cache invalidation and documentation.