
feat: inspector http api #4144

Draft
NathanFlurry wants to merge 1 commit into main from 02-05-feat_inspector_api

@NathanFlurry
Member

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@railway-app

railway-app bot commented Feb 6, 2026

🚅 Deployed to the rivet-pr-4144 environment in rivet-frontend

Service Status Web Updated (UTC)
frontend-inspector 😴 Sleeping (View Logs) Web Feb 6, 2026 at 8:09 am
frontend-cloud 😴 Sleeping (View Logs) Web Feb 6, 2026 at 8:08 am
website ❌ Build Failed (View Logs) Web Feb 6, 2026 at 8:02 am
mcp-hub ✅ Success (View Logs) Web Feb 6, 2026 at 8:00 am

Member Author

NathanFlurry commented Feb 6, 2026


How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@pkg-pr-new

pkg-pr-new bot commented Feb 6, 2026

More templates

@rivetkit/virtual-websocket

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/virtual-websocket@4144

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@4144

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/db@4144

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@4144

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@4144

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@4144

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@4144

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@4144

@rivetkit/traces

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/traces@4144

@rivetkit/workflow-engine

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/workflow-engine@4144

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@4144

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@4144

commit: d748bef

@claude

claude bot commented Feb 6, 2026

Pull Request Review: Inspector HTTP API

This PR adds HTTP endpoints for the Rivet Actor inspector, enabling agent-based debugging and tooling. The implementation mirrors the existing WebSocket inspector functionality.

✅ Strengths

  1. Excellent Documentation: The debugging.mdx file is comprehensive and well-structured with clear examples for all endpoints
  2. Comprehensive Test Coverage: All inspector endpoints have corresponding tests in actor-inspector.ts
  3. Proper Authentication: Uses timing-safe comparison for token validation
  4. OpenAPI Spec: Automated generation ensures API documentation stays in sync
  5. CLAUDE.md Updated: Project instructions properly updated per the pattern requirements
  6. Consistent API Design: JSON-based methods follow REST conventions
  7. Error Handling: Proper 401 responses for authentication failures

🔍 Issues Found

1. Security: Auth bypass in development mode (router.ts:170-175)

The authentication middleware logs a warning but allows unauthenticated access when RIVET_INSPECTOR_TOKEN is not set in development mode. This could lead to accidental exposure if environment detection fails or is misconfigured.

Recommendation: Consider requiring explicit opt-in for auth bypass (e.g., RIVET_INSPECTOR_DISABLE_AUTH=true) rather than implicit behavior based on missing token.

2. Inconsistent OpenAPI Schema (manager-openapi-gen.ts:309)

Line 309 defines rpcs as type: "object" but the actual implementation returns an array of strings.

Fix: Change line 309 rpcs to type: "array" with items: { type: "string" }

3. Missing Type Safety in Inspector Auth (router.ts:169)

The inspectorAuth function parameter uses any type, bypassing TypeScript type safety.

Fix: Use proper Hono context type instead of any.

4. Integer Type Mismatch in Queue Response (manager-openapi-gen.ts:403)

The OpenAPI spec defines id as type: "string" but the implementation returns numbers (actor-inspector.ts:274).

Fix: Change line 403 to id: { type: "integer" }

5. Unused Import Removal (inspector/utils.ts)

The PR removes 24 lines from utils.ts including the secureInspector middleware, but this middleware is not used in router.ts. The inline inspectorAuth function duplicates this logic.

Recommendation: Either use the existing secureInspector middleware from utils.ts (DRY principle) or document why inline implementation is preferred.

6. BigInt Serialization Pattern Duplication (actor-inspector.ts:251-256, router.ts:304-308)

The BigInt-to-Number conversion logic is duplicated in two places.

Recommendation: Extract to a shared utility function to avoid duplication.

🤔 Questions/Considerations

  1. Queue Message ID Type: Is the queue message ID actually a string or number? There is inconsistency between the OpenAPI spec and implementation.

  2. Inspector Token Storage: Should there be guidance in docs about secure token generation and storage for production deployments?

  3. Rate Limiting: Should inspector endpoints have rate limiting to prevent abuse, especially for expensive operations like trace queries?

  4. Connection State Size: The /inspector/connections endpoint returns full connection state. Could this be large for actors with many connections? Consider pagination.

📋 Minor Suggestions

  1. router.ts:159: Comment says "TODO: This may cause issues" - this should be resolved or elaborated before merge
  2. Type annotations: Consider adding explicit return types to all inspector methods for better IntelliSense
  3. Documentation: Add examples showing how to use these endpoints with common tools (curl, httpie, Bruno, etc.)

🎯 Verdict

Approval Status: ✅ Approve with minor fixes

The implementation is solid and well-tested. The issues found are mostly minor (type mismatches in OpenAPI spec) with one moderate security consideration (dev mode auth bypass). The core functionality is sound and follows project patterns well.

Priority Fixes Before Merge:

  1. Fix OpenAPI schema for rpcs (should be array, not object)
  2. Fix OpenAPI schema for queue message id type
  3. Replace any type in inspectorAuth function
  4. Review dev mode auth bypass behavior

Nice to Have:

  • Extract BigInt serialization to shared utility
  • Consider using existing secureInspector middleware
  • Add production security guidance to docs

Great work on the comprehensive testing and documentation! 🚀
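
Added example (not code from this PR or from RivetKit): one way to implement the explicit opt-in recommended in issue 1 of the review above, combined with a constant-time token check. The function names, the `Bearer` header format and the 503 status for an unconfigured token are assumptions of this sketch; `RIVET_INSPECTOR_TOKEN` and `RIVET_INSPECTOR_DISABLE_AUTH` are the names used in the review.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical decision type for this sketch; not a RivetKit type.
type AuthDecision =
  | { allow: true; reason: "token" | "explicit-bypass" }
  | { allow: false; status: 401 | 503; reason: string };

// Hash both sides to a fixed length so timingSafeEqual never throws on a
// length mismatch and the comparison does not reveal the token length.
function tokensMatch(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// env is passed in rather than read from process.env so the policy can be
// unit-tested without touching the real environment.
function decideInspectorAuth(
  authorization: string | undefined,
  env: Record<string, string | undefined>,
): AuthDecision {
  const expected = env.RIVET_INSPECTOR_TOKEN;
  if (!expected) {
    // Fail closed: a missing token opens the API only when the operator
    // asked for it explicitly, never as a side effect of environment
    // detection (NODE_ENV is deliberately not consulted).
    if (env.RIVET_INSPECTOR_DISABLE_AUTH === "true") {
      return { allow: true, reason: "explicit-bypass" };
    }
    // 503 is a choice of this sketch to separate misconfiguration from bad credentials.
    return { allow: false, status: 503, reason: "inspector token not configured" };
  }
  // When a token is configured it is always enforced, even if the bypass flag is set.
  const match = /^Bearer (.+)$/.exec(authorization ?? "");
  if (!match || !tokensMatch(match[1], expected)) {
    return { allow: false, status: 401, reason: "invalid or missing token" };
  }
  return { allow: true, reason: "token" };
}
```
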

NathanFlurry force-pushed the 02-05-feat_inspector_api branch from d748bef to 2664cb4 on February 6, 2026 21:17