fix(core): fix inspector cors conflicting with main cors

[NathanFlurry]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-serverless	Ready	Preview	Comment	Oct 1, 2025 5:54pm

[claude]

Claude finished @NathanFlurry's task —— View job

---

Pull Request Review

Reviewing CORS conflict fix changes across 3 files...

Todo List

• Read repository guidelines from CLAUDE.md
• Analyze vitest.config.ts changes
• Analyze router.ts changes
• Analyze mod.ts changes
• Provide comprehensive code review feedback

---

Code Review Summary

This PR fixes a CORS configuration conflict between the inspector and main application routes. The changes address proper CORS middleware ordering and configuration isolation.

File Analysis

✅ examples/chat-room/vitest.config.ts

Change: Added server configuration with port 5173

• Quality: Good - follows standard Vitest configuration patterns
• Purpose: Prevents port conflicts during testing
• No issues identified

⚠️ packages/rivetkit/src/manager/router.ts (Main Changes)

Key Changes: Reordered CORS middleware application to fix conflicts

Positive Aspects:

• ✅ Correct Fix: Moving inspector routes before main CORS middleware prevents conflicts
• ✅ Good Documentation: Comment at lines 148-149 clearly explains the reasoning
• ✅ Isolation: Inspector routes now have their own CORS configuration scope
• ✅ Backward Compatibility: No breaking changes to existing API

Areas of Concern:

1. Code Duplication (Lines 112, 168):

   if (runConfig.cors) router.use("*", corsMiddleware(runConfig.cors));

   This pattern appears twice. Consider extracting to a helper function:

   const applyCorsIfConfigured = (router: OpenAPIHono, cors: any) => {
     if (cors) router.use("*", corsMiddleware(cors));
   };

2. Type Safety (Line 156):

   new Hono<{ Variables: { inspector: any } }>()

   Using any type reduces type safety. Should define proper inspector type.

3. Error Handling: No validation that runConfig.inspector.cors exists before use at line 157.

✅ packages/rivetkit/src/registry/mod.ts

Change: Updated inspector enabled check from object to boolean

• Quality: Good - simplifies boolean logic
• Consistency: Aligns with updated configuration pattern
• No issues identified

Security Assessment

• ✅ No Security Issues: CORS changes are defensive and properly scoped
• ✅ Inspector Security: Continues to use secureInspector() middleware

Performance Considerations

• ✅ Minimal Impact: Changes only affect route initialization, not runtime performance
• ✅ Efficient Routing: Proper route ordering prevents unnecessary middleware execution

Test Coverage Gaps

• ⚠️ Missing Tests: No tests verify the CORS conflict resolution
• ⚠️ Integration Testing: Should test inspector and main routes with different CORS configs

Recommendations

1. Add Type Safety: Replace any types with proper interfaces
2. Extract Helper: Create reusable CORS application function
3. Add Tests: Include integration tests for CORS configuration scenarios
4. Documentation: Add JSDoc comments explaining the CORS ordering requirement

Overall Assessment

✅ APPROVE - This is a solid fix that addresses the reported CORS conflict. The solution is correct and well-documented. While there are minor improvement opportunities around type safety and code organization, the core fix is sound and ready for merge.

[NathanFlurry]

• fix(core): fix inspector cors conflicting with main cors #1325 👈 (View in Graphite)
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[pkg-pr-new]

More templates

• example-ai-agent
• example-better-auth-external-db
• chat-room
• example-cloudflare-workers
• example-cloudflare-workers-hono
• counter
• example-crdt
• example-database
• example-sqlite
• example-elysia
• example-express
• example-game
• example-hono
• example-hono-react
• example-next-js
• example-rate
• example-raw-fetch-handler
• example-raw-websocket-handler-proxy
• example-react
• starter
• example-stream
• example-sync
• example-tenant
• example-trpc

@rivetkit/actor

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/actor@1325

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/cloudflare-workers@1325

@rivetkit/core

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/core@1325

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/db@1325

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/framework-base@1325

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/next-js@1325

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/react@1325

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivetkit@1325

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/sql-loader@1325

commit: ce68b82

[graphite-app]

Merge activity

• Oct 1, 5:55 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Oct 1, 5:56 PM UTC: CI is running for this pull request on a draft pull request (#1327) due to your merge queue CI optimization settings.
• Oct 1, 5:57 PM UTC: Merged by the Graphite merge queue via draft PR: #1327.