fix: inspector dev env

[jog1t]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[railway-app]

🚅 Deployed to the rivet-pr-4297 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
frontend-inspector	😴 Sleeping (View Logs)	Web	Feb 24, 2026 at 7:36 pm
website	😴 Sleeping (View Logs)	Web	Feb 24, 2026 at 7:35 pm
frontend-cloud	❌ Build Failed (View Logs)	Web	Feb 24, 2026 at 7:28 pm
mcp-hub	✅ Success (View Logs)	Web	Feb 24, 2026 at 7:25 pm
ladle	❌ Build Failed (View Logs)	Web	Feb 24, 2026 at 7:25 pm

[jog1t]

• feat: refetch actor details every 5s #4306
• fix: missing context switcher for engine #4305
• feat: allow ips in runner configs #4304
• fix: workflow statuses #4303
• refactor: tabs visibility #4302
• fix: workflow visualizer styles #4301
• fix: disable selection on drag #4300
• fix: pkg pr new config #4299
• fix: invalid changelog ping position #4298
• fix: inspector dev env #4297 👈 (View in Graphite)
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: fix: inspector dev env

Summary

This PR refactors two files to use the isDev() helper instead of direct getNodeEnv() === "development" comparisons, and includes minor code formatting improvements. The intent is clearly to consolidate environment detection logic, which is a good goal. However, there is a security-relevant semantic change that needs attention before merging.

---

Security Concern: Behavior Change with Unset NODE_ENV

The core issue is that isDev() and getNodeEnv() === "development" are not equivalent:

// env-vars.ts
export const isDev = (): boolean => getNodeEnv() \!== "production";

NODE_ENV value	Old: getNodeEnv() === "development"	New: isDev()
"development"	true	true
"production"	false	false
undefined (unset)	false	true - changed

In manager/router.ts, the affected guard is:

if (\!isDev()) {
    if (\!config.token) {
        throw new RestrictedFeature("KV store access");
    }
    // token verification ...
}

Before this PR: if NODE_ENV was not set, getNodeEnv() !== "development" was true, so the KV store access token check was enforced.

After this PR: if NODE_ENV is not set, !isDev() is false, so the KV store access token check is skipped.

A deployment that does not explicitly set NODE_ENV=production would silently skip auth enforcement on the KV store endpoints. The same semantic shift applies to the inspector auth bypass in actor/router.ts, though that one is lower risk since it only skips a warning log and auth when the token is also absent.

Recommendation: Either update the security gates to use a stricter check, or introduce a dedicated isProd() helper:

// Option: introduce isProd() to be explicit in security gates
export const isProd = (): boolean => getNodeEnv() === "production";

// Then use:
if (\!isProd()) { /* warn in dev */ }
if (isProd()) { /* enforce auth */ }

---

Non-Security Observations

Import reorganization - Moving RegistryConfig between import blocks and replacing getNodeEnv with isDev is clean and consistent with the rest of the codebase where isDev is already the standard helper.

Code formatting - The ternary and method-chain reformatting improves readability with no functional change.

---

PR Description

The PR checklist is entirely unchecked, with no description of what was changed, why, or how it was tested. Given the subtle behavioral difference above, a brief explanation of intent would help reviewers assess whether the semantic shift is intentional.

---

Verdict

The formatting and import changes are fine. The security gate change in manager/router.ts needs a decision: is the new "unset = dev" behavior intentional? If so, document it and confirm it will not affect real deployments. If not, revert those two specific guard conditions to the stricter form.