fix(rivetkit): fix zod not validating body if content-type header not provided

[NathanFlurry]

No description provided.

[vercel]

Deployment failed with the following error:

Too many requests - try again in 3 minutes (more than 120, code: "api-deployments-flood-pro").

Learn More: https://vercel.com/docs/limits#rate-limits

[NathanFlurry]

• feat(rivetkit): add ability to destroy actors #3458 : 2 dependent PRs (#3459 , #3462 )
• feat(rivet-engine): udb key parser #3457
• fix(rivetkit): fix zod not validating body if content-type header not provided #3456 👈 (View in Graphite)
• fix(rivetkit): fix onError handler not working #3455
• chore(rivetkit): switch dynamic node imports to use require #3461 : 1 other dependent PR (#3280 )
• chore(rivetkit-typescript): remove dependency on node modules #3460
• feat(site): add typedoc docs #3446
• chore(rivetkit): remove deprecated packages #3447
• chore(rivetkit): add support for conn params on onRequest and onWebSocket #3445
• feat(rivetkit): add asyncapi spec #3442
• chore(rivetkit): add actor router to the openapi spec #3441
• fix(rivetkit): skip sending RivetKit messages to conns that do not support it #3440
• fix(rivetkit): fix race condition with websocket open events #3439
• fix(rivetkit): standardize error metadata return type #3438
• fix(rivetkit): remove incorrect getEndpoint call in metadata handler #3433 : 1 other dependent PR (#3451 )
• feat(rivetkit): add json protocol support #3432
• chore(rivetkit): add required zod validation for json encoding #3431
• chore(rivetkit): add listing actors by only name to manager api #3430
• refactor(rivetkit): extract WebSocket protocol parsing to shared utility #3429
• refactor(rivetkit): restructure connection lifecycle contexts #3428
• chore(rivetkit): add WebSocketContext and RequestContext #3427
• chore(rivetkit): add conn type #3426
• chore(rivetkit): add connection for raw http #3425
• chore(rivetkit): rename onFetch to onRequest #3424
• refactor(rivetkit): add state manager for conn with symbol-based access #3423
• fix(rivetkit): use loggerWithoutContext for websocket error when actor undefined #3412
• feat(rivetkit): add GET /actors/names #3411
• feat(api-public): expose actor kv api #3410
• chore(rivetkit): auto-generate inspector token for engine driver #3409
• chore(rivetkit): close websockets on out of sequence messages #3404
• fix(rivetkit): properly apply clientEndpoint from metadata lookup #3402
• fix(rivetkit): properly handle msgIndex for hibernatable websocket reconnection #3401
• chore(rivetkit): rename onstart/onstop to onwake/onsleep #3422
• chore(rivetkit): split ActorInstance logic in to multiple classes #3421
• chore(rivetkit): move conns to separate persisted kv keys #3420
• chore(rivetkit): remove deprecated conn tokens & sse support #3419
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Code Review

Summary

This PR introduces a buildOpenApiRequestBody helper function to standardize request body definitions in OpenAPI route configurations. The refactoring improves code maintainability by eliminating duplication.

Positive Aspects ✅

1. DRY Principle: Excellent refactoring that eliminates code duplication by extracting a common pattern into a reusable helper function.

2. Consistency: The new buildOpenApiRequestBody helper mirrors the existing buildOpenApiResponses pattern (lines 63-80), creating a consistent API design.

3. Correct Implementation: The helper properly sets required: true for request bodies, which is appropriate for POST/PUT endpoints.

4. Clean Refactoring: The change is minimal, focused, and reduces lines of code while maintaining functionality.

Regarding the PR Title

The PR title mentions "fix zod not validating body if content-type header not provided", but I do not see evidence in the diff that this change directly addresses that issue. The refactoring extracts inline code into a helper function but does not appear to change validation behavior.

Questions:

• Was there a validation issue before this change?
• Does @hono/zod-openapi require the required: true field to be present at a specific nesting level for validation to work?
• If this is truly a bug fix, it would be helpful to:
  1. Add a test case demonstrating the issue
  2. Update the PR description to explain the root cause

Minor Suggestions 💡

1. Type Safety: Consider adding a generic type parameter for better type safety:

   function buildOpenApiRequestBody<T extends z.ZodType>(schema: T) {
       return {
           required: true,
           content: {
               "application/json": {
                   schema,
               },
           },
       };
   }

2. Test Coverage: Since this changes how request bodies are validated, consider adding tests to verify:

   • Requests with valid Content-Type: application/json header
   • Requests without Content-Type header (if this was the bug)
   • Requests with invalid content types
   • Schema validation errors

3. Documentation: If this fixes a specific validation issue, adding a code comment above the helper would be valuable:

   // Ensures Zod validation is triggered even when Content-Type header is missing
   function buildOpenApiRequestBody<T>(schema: T) {

Files Changed

• rivetkit-typescript/packages/rivetkit/src/manager/router.ts (+13/-14 lines)

Overall Assessment

This is a solid refactoring that improves code quality. However, clarification is needed on whether this actually fixes a validation bug or is purely a refactoring. If it is a bug fix, additional context and tests would strengthen the PR.

Status: Approve pending clarification on the bug fix claim in the title.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-serverless	Error			Nov 13, 2025 10:28pm

3 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-cloud	Ignored			Nov 13, 2025 10:28pm
rivet-inspector	Ignored	Preview		Nov 13, 2025 10:28pm
rivet-site	Ignored	Preview		Nov 13, 2025 10:28pm

[claude]

Code Review

Summary

This PR fixes a bug where Zod validation wasn't working when the content-type header was not provided. The fix extracts the inline request body definition into a reusable buildOpenApiRequestBody helper function, ensuring consistency across all POST/PUT endpoints.

Positive Feedback ✅

Code Quality

• Good abstraction: Creating the buildOpenApiRequestBody helper follows the DRY principle and matches the existing pattern established by buildOpenApiResponses (lines 63-80)
• Consistent placement: The new helper is placed right after buildOpenApiResponses, maintaining logical code organization
• Proper typing: Uses generic type parameter <T> for schema flexibility, consistent with buildOpenApiResponses

Bug Fix

• Addresses a real issue where request body validation could be silently skipped when the content-type header is missing
• By setting required: true in the OpenAPI spec, this likely helps the framework enforce content-type validation

Code Reduction

• Removes 14 lines of duplicate code and adds 13 lines (net -1, but with improved maintainability)
• Makes future additions of POST/PUT endpoints simpler and less error-prone

Suggestions for Improvement 💡

1. Test Coverage
The PR doesn't include tests to verify the fix. Consider adding a test case that:

• Makes a request without the content-type header
• Verifies that Zod validation still runs correctly
• Ensures the request is rejected if the body doesn't match the schema

Example test location: rivetkit-typescript/packages/rivetkit/tests/ or src/driver-test-suite/tests/

2. Documentation
Consider adding a JSDoc comment to the helper explaining why required: true is important

3. Completeness Check
The PR updates 2 endpoints (PUT and POST /actors). Are there any other endpoints in the codebase that might have the same issue? A quick search might reveal if other routers need similar fixes.

4. Commit Message
The commit message is truncated in the PR view. The full message would be helpful for understanding the exact issue.

Security Considerations 🔒

No security concerns identified. The change actually improves security by ensuring validation runs consistently.

Performance Considerations ⚡

No performance impact - this is purely a refactoring that maintains the same OpenAPI spec structure.

Final Verdict

Approve with minor suggestions ✅

This is a solid bug fix with good code quality. The only missing piece is test coverage to prevent regression. The refactoring improves maintainability and follows established patterns in the codebase.

Action Items:

• Add test coverage for validation without content-type header (recommended)
• Consider adding JSDoc comment explaining the importance of required: true (optional)
• Search for similar patterns in other routers that might need the same fix (optional)

Great work on identifying and fixing this validation issue!

[claude]

Code Review

Summary

This PR extracts the request body definition into a reusable helper function buildOpenApiRequestBody and adds the required: true property, which should fix the issue where Zod validation wasn't occurring when the Content-Type header wasn't provided.

Positive Aspects

1. Good refactoring: The extraction of the request body definition into a helper function (buildOpenApiRequestBody) follows the DRY principle and matches the pattern already used for responses (buildOpenApiResponses)

2. Consistency: The change applies uniformly to both POST and PUT endpoints for actors, ensuring consistent behavior

3. Clean implementation: The helper function is simple, focused, and placed logically next to the buildOpenApiResponses function

4. Follows OpenAPI spec: The required: true field in the request body is a valid OpenAPI 3.0 property that indicates the request body must be present

Potential Issues & Questions

1. Missing test coverage: There's no test included to verify that the validation now works correctly when Content-Type header is missing, still works when present, and returns appropriate error messages when body is missing

2. Root cause unclear: While adding required: true is correct, the PR description is empty. It would help to document what the exact failure mode was before this fix

3. Documentation: Consider adding a comment explaining why required: true is needed to prevent future regressions

Recommendations

1. Add tests to verify the fix works correctly
2. Add PR description explaining the bug, how to reproduce it, and how this change fixes it
3. Check for similar issues in other createRoute calls with request bodies
4. Verify this doesn't break existing functionality

Code Quality: 8/10

The refactoring itself is clean and well-structured. The main concerns are around testing and documentation rather than the implementation itself.

Verdict: Approve pending tests and documentation improvements. The code change is correct, but needs test coverage to prevent regressions.

[vercel]

Deployment failed with the following error:

Too many requests - try again in 1 minute (more than 120, code: "api-deployments-flood-pro").

Learn More: https://vercel.com/docs/limits#rate-limits

[claude]

Pull Request Review

Summary

This PR refactors inline OpenAPI request body definitions into a reusable buildOpenApiRequestBody helper function. The change improves code maintainability and consistency.

Code Quality ✅

Strengths:

• Good DRY principle: The refactor eliminates duplicate code by extracting the common pattern into a reusable helper function
• Consistent pattern: Follows the same approach as the existing buildOpenApiResponses helper (lines 63-80)
• Type-safe: Uses TypeScript generics to maintain type safety across schema validation
• Minimal impact: Only touches the specific areas that need changes without over-refactoring

Architecture & Design ✅

The new buildOpenApiRequestBody function:

• Sets required: true on the body, which ensures proper validation
• Explicitly defines application/json content type in the OpenAPI spec
• This is key to the fix: By marking the body as required: true in the OpenAPI spec, the Hono/zod-openapi middleware will enforce validation even when the Content-Type header is missing or incorrect

Potential Issues & Considerations

1. PR Title vs. Implementation ⚠️

   • The PR title mentions "fix zod not validating body if content-type header not provided"
   • However, the actual fix is setting required: true in the request body definition
   • The refactoring itself doesn't change the validation behavior unless the previous inline definitions were missing the required field
   • Question: Were the original inline definitions missing required: true? If so, this is a bug fix. If not, this is purely a refactor.

2. Missing Test Coverage ⚠️

   • No tests are included to verify the fix works
   • Recommendation: Add a test case that sends a request without a Content-Type header to ensure Zod validation still occurs
   • Example test scenario:

     // Should validate body even without Content-Type header
     const response = await fetch('/actors', {
       method: 'POST',
       body: JSON.stringify({ invalid: 'data' })
       // Note: no Content-Type header
     });
     expect(response.status).toBe(400); // Should fail validation

3. Consistency Check ℹ️

   • The change only updates the PUT /actors and POST /actors endpoints
   • Should verify if any other endpoints in the codebase need the same treatment
   • grep search shows these are the only two places with inline body definitions in this file ✅

Security ✅

No security concerns identified. The change maintains the same validation behavior (or improves it if required was previously missing).

Performance ✅

No performance impact. The helper function is called at route definition time, not at request time.

Best Practices

Suggestions for improvement:

1. Consider adding JSDoc comments to explain why required: true is important:

   /**
    * Builds OpenAPI request body definition with required validation.
    * Setting required: true ensures Zod validation runs even when 
    * Content-Type header is missing or incorrect.
    */
   function buildOpenApiRequestBody<T>(schema: T) {
     // ...
   }

2. Add a test case to prevent regression of this issue

Verdict: ✅ Approve with minor suggestions

This is a clean refactor that improves code maintainability. The main concern is ensuring there's test coverage for the specific bug mentioned in the PR title. Otherwise, the code looks good and follows TypeScript and project conventions well.

---

🤖 Generated with Claude Code

[graphite-app]

Merge activity

• Nov 13, 9:34 PM UTC: The Graphite merge queue removed this pull request due to downstack failures on PR #3441.
• Nov 13, 9:34 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Nov 13, 9:37 PM UTC: The Graphite merge queue removed this pull request due to downstack failures on PR #3441.
• Nov 13, 9:38 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Nov 13, 9:43 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Nov 13, 9:43 PM UTC: The Graphite merge queue removed this pull request due to downstack failures on PR #3441.
• Nov 13, 10:05 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Nov 13, 10:05 PM UTC: The Graphite merge queue removed this pull request due to downstack failures on PR #3441.
• Nov 13, 10:11 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Nov 13, 10:12 PM UTC: The Graphite merge queue removed this pull request due to downstack failures on PR #3442.

[claude]

Code Review - PR #3456

Summary: This PR refactors request body definitions by extracting inline OpenAPI request body configuration into a reusable buildOpenApiRequestBody helper function to fix Zod validation when Content-Type header is not provided.

Positive Aspects:

1. Code Quality - Excellent DRY refactoring that eliminates duplication by extracting a repeated pattern into a reusable helper (router.ts:82-91). Mirrors the existing buildOpenApiResponses pattern creating a cohesive API design.

2. Proper OpenAPI Specification - Correctly sets required: true for request bodies, which is appropriate for POST/PUT endpoints.

Key Finding:

The required: true field was ADDED in this PR and was not present before. This is the actual bug fix! The previous inline definitions were missing this field, which likely caused @hono/zod-openapi to skip validation when Content-Type header was absent.

Before:
body: { content: { "application/json": { schema: ActorsGetOrCreateRequestSchema } } }

After:
body: buildOpenApiRequestBody(ActorsGetOrCreateRequestSchema)
// returns: { required: true, content: { "application/json": { schema } } }

Suggestions for Improvement:

1. Test Coverage (High Priority) - Add tests to verify requests with/without Content-Type header are validated, invalid content types are rejected, and schema validation errors are properly triggered. Suggested location: rivetkit-typescript/packages/rivetkit/src/driver-test-suite/tests/

2. Documentation (Medium Priority) - Add JSDoc comment explaining why required: true is critical for preventing future regressions.

3. Audit Other Endpoints (Medium Priority) - Check if there are other createRoute calls in the codebase that might have the same missing required: true issue.

4. PR Description (Low Priority) - Add details about the bug, how to reproduce it, and how this fixes it.

Security: No concerns. This actually improves security by ensuring validation runs consistently.

Performance: No impact. Same OpenAPI specification structure.

Files Changed:

• rivetkit-typescript/packages/rivetkit/src/manager/router.ts (+13/-14)

Overall Assessment:

Code Quality: 9/10

This is a solid bug fix disguised as a refactoring. The actual fix is adding required: true to the request body definition, which ensures Zod validation runs even without Content-Type headers.

Verdict: Approve with Suggestions

The code change is correct and improves the codebase. Primary recommendation is to add test coverage to verify the fix and prevent future regressions.

Action Items:

1. Add test coverage for validation without Content-Type header (recommended)
2. Add JSDoc comment explaining why required: true is needed (recommended)
3. Audit other endpoints for similar missing required: true issues (optional)
4. Update PR description with bug details (optional)

Great catch on this validation issue! The fix is clean and well-implemented.

[claude]

PR Review: Fix Zod validation for request body without content-type header

Summary

This PR addresses a bug where Zod schemas were not validating request bodies when the Content-Type header was not provided. The fix extracts the repeated OpenAPI request body configuration into a reusable helper function buildOpenApiRequestBody.

---

✅ Positive Observations

1. Good DRY (Don't Repeat Yourself) principle

• Extracting the repeated pattern into buildOpenApiRequestBody mirrors the existing buildOpenApiResponses helper
• Reduces code duplication from ~7 lines to 1 line per endpoint
• Makes the codebase more maintainable

2. Consistent with existing patterns

• Follows the same pattern as buildOpenApiResponses (lines 63-80)
• Both helpers now provide consistent API contract definitions

3. Correct fix for the validation issue

• Adding required: true ensures the body is mandatory, which helps OpenAPI middleware properly validate requests
• The content-type declaration properly signals to Hono/zod-openapi that this is a JSON endpoint

---

🔍 Observations & Suggestions

1. Missing documentation on the actual bug
The PR description is empty. Consider adding:

• What symptoms did this bug cause? (e.g., requests without Content-Type header bypassing validation?)
• How to reproduce the issue
• Test coverage for this fix

2. Incomplete refactoring
The helper function is only applied to 2 endpoints (PUT and POST /actors). However, I noticed there might be other endpoints in the codebase that could benefit from this pattern. Consider checking:

• Other files that might have similar inline request body definitions
• Whether this pattern should be applied workspace-wide

3. Consider adding explicit content-type validation
While the OpenAPI schema now correctly declares application/json, you might want to add explicit middleware to validate/enforce the Content-Type header for better error messages:

// Example middleware (if not already present)
router.use('/actors', async (c, next) => {
  const contentType = c.req.header('content-type');
  if (c.req.method \!== 'GET' && (\!contentType || \!contentType.includes('application/json'))) {
    return c.json({ error: 'Content-Type must be application/json' }, 415);
  }
  await next();
});

4. Test coverage
I don't see any test changes in this PR. Consider adding:

• A test that sends a request without Content-Type header to verify validation works
• A test that sends a request with invalid JSON to verify schema validation
• Integration tests for both PUT and POST /actors endpoints

5. Type safety for the helper
The current implementation uses a generic <T> but doesn't constrain it. Consider being more explicit about what schemas are acceptable:

function buildOpenApiRequestBody<T extends z.ZodType>(schema: T) {
  // ... 
}

---

🔐 Security Considerations

✅ No security concerns identified. The fix actually improves security by ensuring request validation happens consistently.

---

⚡ Performance Considerations

✅ No performance impact. This is a build-time schema definition, not a runtime change.

---

📝 Code Style

✅ Follows TypeScript/RivetKit conventions
✅ Consistent with existing helper pattern
✅ Clean, readable implementation

---

🎯 Recommendation

Approve with suggestions

This is a solid bug fix that improves code quality through better abstraction. The main improvements would be:

1. Add test coverage for the bug fix
2. Document the issue in the PR description
3. Consider applying the pattern consistently across other endpoints
4. Add type constraints to the helper function

---

Overall: Good work on identifying and fixing this validation issue! The refactoring makes the code cleaner and more maintainable. 🚀

[claude]

Final Code Review Summary

This PR introduces a buildOpenApiRequestBody helper function to standardize request body definitions in OpenAPI routes. The refactoring improves code maintainability and consistency while ensuring proper Zod validation.

Strengths

1. Excellent DRY Refactoring: Eliminates code duplication by extracting a common pattern into a reusable helper (lines 82-91)
2. Consistent Pattern: Mirrors the existing buildOpenApiResponses helper (lines 63-80), creating a cohesive API design
3. Clean Implementation: Simple, focused helper function placed logically adjacent to similar helpers
4. Proper OpenAPI Spec: Sets required: true for request bodies, which is correct for POST/PUT endpoints

Code Quality Assessment

Score: 9/10

The refactoring itself is solid and follows established patterns in the codebase. The implementation is clean, reduces code duplication (net -1 line while improving maintainability), and makes future endpoint additions simpler and less error-prone.

Suggestions for Improvement

1. Clarify the Bug Fix (Medium Priority)

The PR title mentions "fix zod not validating body if content-type header not provided", but:

• The PR description is empty
• The diff shows primarily refactoring (extracting duplicate code)
• The inline definitions didn't have required: true before

Questions:

• Was there an actual validation bug where Zod skipped validation when Content-Type was missing?
• Does @hono/zod-openapi require the required: true field to trigger validation?
• Can you provide a reproduction case demonstrating the bug?

Recommendation: Add a PR description explaining:

1. The root cause of the validation issue
2. How required: true fixes it
3. Steps to reproduce the bug

2. Test Coverage (Medium Priority)

No tests are included to verify the fix. Consider adding test cases for:

• Requests with valid Content-Type: application/json header
• Requests without Content-Type header (the reported bug scenario)
• Requests with invalid content types
• Schema validation errors are properly triggered with invalid bodies

Suggested location: rivetkit-typescript/packages/rivetkit/src/driver-test-suite/tests/

3. Type Safety Enhancement (Low Priority - Nice to Have)

Consider adding a type constraint for better type safety:

import type { z } from 'zod';

function buildOpenApiRequestBody<T extends z.ZodType>(schema: T) {
    return {
        required: true,
        content: {
            "application/json": {
                schema,
            },
        },
    };
}

4. Documentation (Low Priority - Nice to Have)

If this fixes a validation bug, add a comment to prevent future regressions:

/**
 * Creates an OpenAPI request body definition with JSON content type.
 * Marks the body as required to ensure Zod validation runs even when
 * the Content-Type header is not provided by the client.
 */
function buildOpenApiRequestBody<T>(schema: T) {
    // ...
}

Files Changed

• rivetkit-typescript/packages/rivetkit/src/manager/router.ts (+13/-14 lines)

Security & Performance

• Security: No concerns. The change improves security by ensuring validation runs consistently
• Performance: No impact. Same runtime behavior, same OpenAPI spec structure

Action Items

Before merge:

• Add PR description explaining the bug and fix
• Consider adding test coverage for validation without Content-Type header

After merge:

• Run existing tests to verify the fix works
• Consider searching for similar patterns in other routers that might need the same fix

---

Verdict: LGTM with suggestions

This is a solid refactoring that improves code quality and maintainability. If it also fixes a validation bug (as the title suggests), adding a clear explanation and test coverage would make this PR excellent. The code change itself is correct and ready to merge.

Great work on maintaining consistency in the codebase!