fix(rivetkit): properly apply clientEndpoint from metadata lookup

[NathanFlurry]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-serverless	Ready	Preview	Comment	Nov 9, 2025 5:46am

3 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-cloud	Ignored			Nov 9, 2025 5:46am
rivet-inspector	Ignored	Preview		Nov 9, 2025 5:46am
rivet-site	Ignored	Preview		Nov 9, 2025 5:46am

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat(rivetkit): add asyncapi spec #3442
• chore(rivetkit): add actor router to the openapi spec #3441
• fix(rivetkit): skip sending RivetKit messages to conns that do not support it #3440
• fix(rivetkit): fix race condition with websocket open events #3439
• fix(rivetkit): standardize error metadata return type #3438
• fix(rivetkit): remove incorrect getEndpoint call in metadata handler #3433
• feat(rivetkit): add json protocol support #3432
• chore(rivetkit): add required zod validation for json encoding #3431
• chore(rivetkit): add listing actors by only name to manager api #3430
• refactor(rivetkit): extract WebSocket protocol parsing to shared utility #3429
• refactor(rivetkit): restructure connection lifecycle contexts #3428
• chore(rivetkit): add WebSocketContext and RequestContext #3427
• chore(rivetkit): add conn type #3426
• chore(rivetkit): add connection for raw http #3425
• chore(rivetkit): rename onFetch to onRequest #3424
• refactor(rivetkit): add state manager for conn with symbol-based access #3423
• fix(rivetkit): use loggerWithoutContext for websocket error when actor undefined #3412
• feat(rivetkit): add GET /actors/names #3411
• feat(api-public): expose actor kv api #3410
• chore(rivetkit): auto-generate inspector token for engine driver #3409
• chore(rivetkit): close websockets on out of sequence messages #3404
• fix(rivetkit): properly apply clientEndpoint from metadata lookup #3402 👈 (View in Graphite)
• fix(rivetkit): properly handle msgIndex for hibernatable websocket reconnection #3401
• chore(rivetkit): rename onstart/onstop to onwake/onsleep #3422
• chore(rivetkit): split ActorInstance logic in to multiple classes #3421
• chore(rivetkit): move conns to separate persisted kv keys #3420
• chore(rivetkit): remove deprecated conn tokens & sse support #3419
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[pkg-pr-new]

More templates

• example-ai-agent
• example-background-jobs
• example-better-auth-external-db
• example-bots
• chat-room
• example-cloudflare-workers
• example-cloudflare-workers-hono
• example-counter
• example-counter-serverless
• example-crdt
• example-cursors
• example-cursors-raw-websocket
• example-database
• example-deno
• example-sqlite
• example-elysia
• example-express
• example-freestyle
• example-game
• example-hono
• example-hono-bun
• example-hono-react
• example-kitchen-sink
• example-next-js
• example-rate
• example-raw-fetch-handler
• example-raw-websocket-handler
• example-raw-websocket-handler-proxy
• example-react
• starter
• example-stream
• example-sync
• example-tenant
• example-trpc
• example-workflows

@rivetkit/actor

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/actor@3402

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@3402

@rivetkit/core

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/core@3402

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/db@3402

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@3402

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@3402

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@3402

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@3402

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@3402

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@3402

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@3402

commit: 406bd5a

[claude]

Code Review - PR #3402

Summary

This PR fixes the proper application of clientEndpoint from metadata lookup by refactoring the metadata checking logic into a dedicated module and renaming disableHealthCheck to the more accurate disableMetadataLookup.

Strengths

1. Better Separation of Concerns: Extracting metadata lookup logic into metadata.ts improves code organization and makes the codebase more maintainable.

2. Improved Naming: Renaming disableHealthCheck to disableMetadataLookup is more accurate since this flag controls metadata fetching, not health checks.

3. Proper Endpoint Override: The fix correctly applies clientEndpoint from metadata to this.#config.endpoint before any API calls are made.

4. Cache Implementation: The global metadataLookupCache prevents duplicate metadata requests for the same endpoint, which is good for performance.

5. Retry Logic: Using p-retry with exponential backoff (500ms to 15s) provides resilience against transient failures.

Concerns and Issues

1. Critical: Config Mutation Issue

Line 76 in mod.ts mutates this.#config.endpoint after the cache key has been set. This could cause issues if multiple RemoteManagerDriver instances are created with the same initial endpoint but receive different clientEndpoint values. The cache uses the original endpoint as the key, but the config is modified afterward.

Recommendation: Consider using a separate field or documenting this behavior clearly. The current implementation appears correct but the mutation could be error-prone.

2. Infinite Retry Risk

metadata.ts:42 sets retries to Number.MAX_SAFE_INTEGER, which will retry forever if the metadata endpoint is permanently unavailable or misconfigured. While the exponential backoff caps at 15 seconds, this could still cause the application to hang indefinitely during startup.

Recommendation: Set a reasonable retry limit (e.g., 10-20 retries, which would span 2-5 minutes with the backoff strategy) or add a total timeout.

3. Error Handling in Metadata Promise

No .catch() handler on the promise at mod.ts:72-89. If lookupMetadataCached eventually fails, this promise will reject. When methods await this.#metadataPromise, they will throw, but there is no recovery mechanism or clear error message for users.

Recommendation: Consider adding error handling to log the failure clearly and provide guidance about checking endpoint configuration.

4. Cache Never Expires

The cache at metadata.ts:10 is never cleared. If metadata changes during the application lifecycle, the cached value will be stale.

Recommendation: Document that the cache is intentionally permanent for the lifetime of the process, or add a TTL mechanism if metadata might change.

5. Logging Inconsistency

mod.ts:63 still says disabling health check but should say disabling metadata lookup to match the renamed config field.

Test Coverage

No tests were added or modified in this PR.

Recommendations:

1. Add tests for the metadata caching behavior
2. Test the scenario where clientEndpoint is provided in metadata
3. Test the scenario where clientEndpoint is undefined
4. Test that multiple clients with the same endpoint share the cached metadata
5. Test the retry behavior with mocked failures

Specific Recommendations

1. Fix the log message on line 63 of mod.ts
2. Add a reasonable retry limit instead of Number.MAX_SAFE_INTEGER
3. Consider error handling for the metadata promise
4. Add tests for the new metadata caching behavior
5. Document the cache behavior in code comments

Overall Assessment

This is a solid refactoring that improves code organization and fixes a real bug with endpoint override. The main concerns are around error handling and the infinite retry behavior. With the recommended changes, this would be production-ready.

Recommendation: Approve with minor changes requested

[claude]

Code Review - PR #3402

Summary

This PR refactors the metadata lookup logic by extracting it into a separate module and fixes a critical bug where clientEndpoint from the metadata response wasn't being properly applied to the client configuration. The refactoring improves code organization and maintainability.

---

Positive Observations

✅ Good separation of concerns - Extracting metadata lookup into metadata.ts improves modularity and reusability

✅ Proper caching strategy - Using a global cache with endpoint as the key prevents duplicate requests

✅ Better error handling - The refactored code maintains retry logic with exponential backoff

✅ Correct bug fix - The clientEndpoint is now properly applied to this.#config.endpoint before being used in subsequent operations

✅ Consistent naming - Renaming from disableHealthCheck to disableMetadataLookup is more accurate

---

Issues & Concerns

🔴 Critical: Config Mutation Bug

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/mod.ts:76

this.#config.endpoint = metadataData.clientEndpoint;

Problem: This directly mutates the ClientConfig object that was passed to the constructor. If the same config object is reused to create multiple RemoteManagerDriver instances, the mutation will affect all instances unexpectedly.

Impact: Race conditions and unpredictable behavior when multiple clients share config objects.

Recommendation:

// Option 1: Clone the config
this.#config = { ...runConfig };

// Option 2: Use a separate field for the resolved endpoint
#resolvedEndpoint: string | undefined;

---

🟡 Medium: Infinite Retry Could Cause Resource Exhaustion

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/metadata.ts:42

retries: Number.MAX_SAFE_INTEGER,

Problem: Setting retries to Number.MAX_SAFE_INTEGER means the metadata lookup will retry essentially forever. If the endpoint is permanently unavailable (misconfigured URL, network isolation, etc.), this will:

• Keep promises pending indefinitely
• Accumulate in the cache map
• Block all operations that await this.#metadataPromise
• Consume memory and resources over time

Recommendation:

retries: 30, // Reasonable limit (e.g., ~5 minutes with exponential backoff)

Or add a timeout mechanism to fail fast after a certain duration.

---

🟡 Medium: Missing Error Handling in Constructor

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/mod.ts:72-90

Problem: The metadata lookup promise is created but error handling only logs. If metadata lookup fails, this.#metadataPromise will be a rejected promise, causing all subsequent operations to throw when they await it.

Current code:

this.#metadataPromise = lookupMetadataCached(this.#config).then(
    (metadataData) => {
        // ... success handling
    },
);

Issue: No .catch() handler, so unhandled rejections could occur.

Recommendation:

this.#metadataPromise = lookupMetadataCached(this.#config)
    .then((metadataData) => {
        // ... success handling
    })
    .catch((error) => {
        logger().error({
            msg: "metadata lookup failed permanently",
            error: stringifyError(error),
        });
        // Consider: should we continue without metadata or throw?
        // Current behavior will cause all operations to fail
    });

---

🟡 Medium: Cache Never Cleared

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/metadata.ts:10

const metadataLookupCache = new Map<string, Promise<MetadataResponse>>();

Problem: The cache is a module-level global that persists for the lifetime of the process. If:

• The endpoint configuration changes at runtime
• Metadata changes on the server side (version updates, endpoint changes)
• Long-running processes accumulate stale metadata

Recommendation: Consider adding:

• TTL-based cache expiration
• Cache invalidation mechanism
• Or document that the cache is intentionally permanent for the process lifetime

---

🟢 Minor: Logging Inconsistency

Location: rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/mod.ts:78

logger().info({
    msg: "overriding cached client endpoint",
    endpoint: metadataData.clientEndpoint,
});

Issue: The message says "overriding cached client endpoint" but this happens on first lookup too, not just when overriding. The word "cached" is misleading.

Recommendation:

msg: "applying client endpoint from metadata"

---

🟢 Minor: Type Safety

The code assumes metadataData.clientEndpoint is truthy before using it (line 75), which is correct. However, TypeScript would benefit from explicit typing.

---

Test Coverage Concerns

⚠️ No tests found for the new metadata.ts module or the endpoint override behavior.

Recommended test cases:

1. Test that clientEndpoint from metadata properly overrides the config endpoint
2. Test that cache prevents duplicate requests to same endpoint
3. Test that different endpoints get separate cache entries
4. Test retry behavior on transient failures
5. Test behavior when metadata lookup is disabled
6. Test that awaiting metadata promise works correctly in all driver methods

---

Performance Considerations

✅ Caching strategy is good for performance
✅ Retry with exponential backoff is appropriate
⚠️ Consider adding request deduplication if multiple driver instances are created simultaneously with same endpoint

---

Security Considerations

✅ No obvious security issues
✅ Endpoint validation happens in the API call layer
⚠️ Consider validating that clientEndpoint from metadata is a well-formed URL to prevent injection issues

---

Recommendations Summary

Must Fix:

1. Fix config mutation issue - clone config or use separate field for resolved endpoint

Should Fix:
2. Add reasonable retry limit instead of Number.MAX_SAFE_INTEGER
3. Add error handling for metadata lookup failures in constructor
4. Add test coverage for endpoint override behavior

Nice to Have:
5. Add cache invalidation/TTL mechanism
6. Fix logging message clarity
7. Add comprehensive test suite

---

Overall Assessment

This is a good refactoring that properly fixes the clientEndpoint application bug. The code is well-structured and follows TypeScript best practices. However, the config mutation issue should be addressed before merging, and the infinite retry behavior needs consideration for production environments.

Recommendation: Request changes for critical issues, approve after fixes.

[claude]

Review comments posted in thread

[claude]

Pull Request Review

Summary

This PR refactors the metadata lookup functionality in RivetKit's remote manager driver by extracting it into a dedicated module. The key change is ensuring that the clientEndpoint from the metadata response is properly applied to the client config before any API calls are made.

---

Code Quality & Best Practices ✅

Strengths:

• Good separation of concerns: Extracting metadata lookup into metadata.ts improves modularity and maintainability
• Consistent naming: The rename from disableHealthCheck to disableMetadataLookup is more accurate and self-documenting
• Proper caching strategy: The global cache prevents duplicate metadata lookups for the same endpoint
• Race condition handling: Storing the promise immediately prevents concurrent requests from creating multiple lookups

Minor concerns:

1. Module-level cache: The metadataLookupCache Map at line 10 of metadata.ts uses a global module-level variable. While this works, consider whether this cache should be:

   • Cleared/invalidated under certain conditions (endpoint changes, auth failures, etc.)
   • Have a TTL or max size limit to prevent memory leaks in long-running applications
   • Be scoped differently (e.g., per client instance rather than globally)

2. Retry configuration: The retry logic uses Number.MAX_SAFE_INTEGER retries (line 42), which means it will retry indefinitely. This could lead to:

   • Hanging applications if the endpoint is permanently unreachable
   • Resource exhaustion in edge cases
   • Consider adding a reasonable maximum (e.g., 10-20 retries) or a total timeout

[claude]

Potential Bugs & Issues ⚠️

Critical Issue - Config Mutation:
The most significant issue is on line 76 of mod.ts:

this.#config.endpoint = metadataData.clientEndpoint;

This mutates the config object that was passed into the constructor. This is problematic because:

• The original runConfig object is being modified, which could affect the caller
• If the same config object is reused for multiple driver instances, they would all unexpectedly share the same endpoint
• This violates the principle of least surprise

Recommendation: Create a copy of the config or store the override separately:

// Option 1: Store override separately
#endpointOverride: string | undefined;

if (metadataData.clientEndpoint) {
  this.#endpointOverride = metadataData.clientEndpoint;
}

// Then modify getEndpoint calls to check override first

// Option 2: Deep clone config in constructor
this.#config = structuredClone(runConfig);

Race Condition with Cache:
If two different ClientConfig objects point to the same endpoint but have different auth tokens or headers, they would share the cached metadata response. The cache key only uses the endpoint string (line 15 of metadata.ts), not the full config. This could lead to incorrect behavior if:

• Different namespaces use the same endpoint
• Different auth tokens are used for the same endpoint

Recommendation: Include relevant config properties in the cache key

[claude]

Performance Considerations ⚡

Good:

• Caching prevents redundant network calls ✅
• Promise reuse prevents thundering herd ✅
• Async/await pattern is clean and efficient ✅

Consideration:

• The metadata lookup blocks all operations via the await this.#metadataPromise pattern (lines 100-102, 137-139, etc.). While this ensures correctness, it could delay fast operations if the metadata lookup is slow
• Consider documenting the expected latency impact in comments

---

Security Concerns 🔒

Low Risk:

• No obvious security vulnerabilities detected
• The code properly forwards auth headers via the config
• Error messages appropriately use structured logging without leaking sensitive data

Consideration:

• The infinite retry with exponential backoff could be used for a DoS if an attacker can trigger many client creations with invalid endpoints
• Consider rate limiting client creation or capping total retry duration

[claude]

Test Coverage 🧪

Missing:

• No tests found for the metadata lookup functionality
• Critical scenarios to test:
  1. Successful metadata lookup with clientEndpoint override
  2. Successful metadata lookup without clientEndpoint
  3. Failed metadata lookup with retry behavior
  4. Concurrent requests to same endpoint (cache behavior)
  5. Config mutation concerns (original config should not be modified)
  6. Metadata lookup disabled via disableMetadataLookup

Recommendation: Add unit tests in metadata.test.ts and integration tests for the full driver flow.

---

Additional Observations

1. Documentation: The log message on line 63 says "disabling health check" but should say "disabling metadata lookup" to match the new naming

2. Type safety: The code correctly uses TypeScript types throughout ✅

3. Error handling: Errors are properly caught and logged with structured data ✅

4. Consistency: All await points for metadataPromise follow the same pattern ✅

[claude]

Recommendations Summary

Must Fix:

1. Address config mutation issue (create copy or use override pattern)
2. Improve cache key to include namespace/token

Should Fix:

1. Add reasonable retry limits instead of infinite retries
2. Update log message to say "metadata lookup" instead of "health check"
3. Add test coverage for metadata lookup functionality

Consider:

1. Cache invalidation strategy and memory management
2. Document performance implications of blocking on metadata lookup
3. Add cache size limits or TTL

---

Overall, this is a solid refactoring that improves code organization. The main concerns are around config mutation and cache key specificity, which should be addressed before merging.

[claude]

Pull Request Review

Summary

This PR refactors the metadata lookup mechanism in RivetKit to properly apply the clientEndpoint from metadata responses. The main change extracts metadata fetching logic into a dedicated module with proper caching and updates the config endpoint before any API calls are made.

---

✅ Positive Observations

1. Good Separation of Concerns

• Extracting metadata lookup into its own module (metadata.ts) improves code organization and testability
• The caching mechanism is properly isolated and reusable

2. Proper Cache Implementation

• Using a Map with endpoint as the key prevents duplicate metadata fetches for the same endpoint
• Promise caching prevents race conditions when multiple clients try to connect simultaneously

3. Improved Naming

• Renaming disableHealthCheck → disableMetadataLookup is more accurate since this is not just a health check

4. Consistent Retry Logic

• Using p-retry with exponential backoff (500ms-15s) shows good resilience patterns
• forever: true ensures the client keeps trying to connect, which is appropriate for critical metadata

---

🐛 Potential Issues

1. Critical: Config Mutation Bug
The metadata promise modifies this.#config.endpoint directly:

// Line 76 in mod.ts
this.#config.endpoint = metadataData.clientEndpoint;

Problem: If multiple RemoteManagerDriver instances share the same ClientConfig object reference, this mutation will affect all instances. This could cause unexpected behavior when:

• Multiple drivers are created from the same config object
• The config is reused elsewhere in the application

Recommendation: Either:

• Document that each driver should have its own config instance, OR
• Clone the config in the constructor: this.#config = { ...runConfig }

2. Error Handling Gap
The metadata promise in the constructor silently swallows errors (lines 72-90). While logging occurs in lookupMetadataCached, if the metadata fetch fails indefinitely:

• The #metadataPromise will never resolve
• All API methods will hang indefinitely on await this.#metadataPromise

Recommendation: Consider adding a circuit breaker or timeout

3. Cache Never Invalidates
The global metadataLookupCache never clears entries:

// Line 10 in metadata.ts
const metadataLookupCache = new Map<string, Promise<MetadataResponse>>();

Problem:

• In long-running processes, stale metadata could be returned
• If an endpoint clientEndpoint changes, clients will not pick up the new value
• Memory leak potential in edge cases with many different endpoints

Recommendation:

• Add a TTL-based cache invalidation mechanism
• Consider using a proper cache library with expiration
• Or document that cache is intentionally permanent for application lifetime

---

⚡ Performance Considerations

1. Sequential Blocking
Every API method waits for metadata. This is correct behavior, but worth noting that the first API call will have higher latency. The constructor fires the fetch immediately, which is good for minimizing this delay.

2. Retry Forever
forever: true means infinite retries. For some deployment scenarios (like serverless cold starts with timeouts), this could cause issues. Consider if a maximum retry count would be more appropriate.

---

🔒 Security Considerations

No significant security issues identified. The changes maintain existing security patterns:

• Token handling unchanged
• No new external inputs
• Endpoint validation still occurs in getEndpoint

---

🧪 Test Coverage

Missing Test Coverage:

• No tests for the new metadata.ts module
• No tests verifying clientEndpoint override behavior
• No tests for cache behavior (race conditions, multiple instances)
• No tests for error scenarios (metadata fetch failure)

Recommendation: Add tests covering:

1. Successful metadata lookup and endpoint override
2. Cache hit on second lookup for same endpoint
3. Multiple simultaneous lookups to same endpoint (race condition)
4. Behavior when metadata returns no clientEndpoint
5. Retry behavior on transient failures

---

📋 Minor Suggestions

1. Type Safety
Consider adding a more defensive check for empty strings

2. Logging Consistency
Line 78 logs "overriding cached client endpoint" but it is overriding the instance config, not the cache. Consider: "overriding client endpoint from metadata"

3. Comment Update
Line 58 comment mentions "health check" but should say "metadata lookup"

---

🎯 Overall Assessment

Code Quality: Good - Clean refactoring with improved separation of concerns

Correctness: Moderate concerns - Config mutation and error handling need attention

Risk Level: Medium - The config mutation bug could cause subtle issues in production

Recommendation: Request changes to address the config mutation and error handling issues before merging.

---

Action Items

Must Fix:

1. Address config mutation issue (clone config or document requirement)
2. Add timeout/circuit breaker for metadata fetch to prevent indefinite hangs

Should Fix:
3. Add test coverage for new metadata module
4. Consider cache invalidation strategy
5. Update outdated comments

Nice to Have:
6. Add defensive checks for empty clientEndpoint
7. Improve logging message accuracy

[claude]

Code Review

Summary

This PR fixes a race condition in the metadata lookup mechanism and properly applies the clientEndpoint from the metadata response. The refactoring extracts metadata lookup logic into a dedicated module with proper caching.

---

Strengths

1. Proper Race Condition Fix: The extraction of metadata lookup into a separate module (metadata.ts) with a shared cache prevents multiple concurrent metadata requests to the same endpoint.

2. Clear Separation of Concerns: Moving metadata lookup logic out of RemoteManagerDriver into its own module improves code organization and maintainability.

3. Correct Endpoint Override Timing: The fix properly applies clientEndpoint from metadata before logging the connection message, ensuring all subsequent API calls use the correct endpoint.

4. Better Naming: Renaming disableHealthCheck to disableMetadataLookup more accurately describes what the flag does.

5. Retry Logic with Backoff: The use of p-retry with exponential backoff (500ms to 15s) and proper error logging is robust.

---

Observations and Suggestions

1. Potential Memory Leak in Cache
The metadataLookupCache Map never clears entries. If the application connects to many different endpoints over time, this could accumulate indefinitely. Consider implementing cache expiration or a maximum cache size.

2. Error Handling in Constructor
The metadata promise is created but the explicit error handling from the old code was removed. If metadata lookup fails, the error might be unhandled unless something awaits the metadata promise. Consider re-adding explicit error handling in the constructor.

3. Race Condition with Endpoint Override
While the cache prevents duplicate requests, there is still a subtle timing issue: If RemoteManagerDriver is instantiated and API calls happen before the metadata promise resolves, those calls will use the original endpoint, not the overridden one. Consider awaiting the metadata promise before allowing API operations, or document this behavior.

4. Config Mutation
The PR mutates this.config.endpoint in the metadata promise handler. While functional, mutating config objects can lead to surprising behavior. Consider documenting this or using an immutable approach.

---

Test Coverage Concerns

Missing Test Coverage: There are no test files for the metadata lookup functionality. This is a critical path that handles race conditions, retry logic, cache behavior, and endpoint override logic.

Recommendations:

1. Add unit tests for lookupMetadataCached to verify duplicate requests return the same promise, failed requests trigger retries, and cache is properly shared
2. Add integration tests to verify endpoint override is applied correctly

---

Performance Considerations

Positive Impact: Prevents duplicate metadata requests through caching, retry logic ensures eventual consistency

Potential Issue: The forever: true retry option means failed metadata lookups will retry indefinitely. In production, this could mask configuration issues. Consider adding a maximum retry count or a circuit breaker pattern.

---

Verdict

Approve with minor suggestions. The core fix is sound and addresses the race condition properly. The refactoring improves code organization.

Priority Recommendations:

1. Add test coverage for metadata lookup logic (high priority)
2. Consider adding explicit error handling for the metadata promise (medium priority)
3. Document or address the endpoint override timing issue (medium priority)
4. Consider cache memory management (low priority)

Great work on identifying and fixing the race condition! The separation into a dedicated module makes the code much cleaner.

[claude]

PR Review: fix(rivetkit): properly apply clientEndpoint from metadata lookup

Summary

This PR refactors metadata lookup logic in RivetKit by extracting it into a separate module (metadata.ts) and fixing a critical bug where the clientEndpoint from metadata was not being properly applied to subsequent requests.

Code Quality: ✅ Good

Strengths

1. Clean separation of concerns - Extracting metadata lookup into its own module (metadata.ts) improves code organization and testability
2. Improved naming - Renaming disableHealthCheck to disableMetadataLookup better reflects the actual purpose
3. Better error handling - The refactor makes the control flow clearer with explicit promise handling
4. Proper shallow clone - The code correctly clones the config object and documents the limitation with a clear comment (lines 68-70 in mod.ts)

Areas for Improvement

1. Stale comment - Line 63 in mod.ts still says "disabling health check" but should say "disabling metadata lookup" to match the renamed field
2. Magic number - maxTimeout: 15_000 (15 seconds) could be extracted as a named constant for better maintainability

Bug Fix: ✅ Critical Fix Applied

The core issue is fixed on lines 79-86 of mod.ts:

if (metadataData.clientEndpoint) {
    this.#config.endpoint = metadataData.clientEndpoint;
    logger().info({
        msg: "overriding cached client endpoint",
        endpoint: metadataData.clientEndpoint,
    });
}

Before: The metadata was fetched but clientEndpoint was never applied to this.#config
After: The endpoint is properly overridden after metadata lookup completes

This is crucial for serverless runners where the initial endpoint needs to be redirected to the actual manager endpoint.

Performance Considerations: ✅ Good

1. Global caching - metadataLookupCache prevents redundant metadata fetches for the same endpoint
2. Race condition prevention - Promise is stored immediately upon first request to prevent concurrent fetches
3. Async initialization - Metadata lookup runs in background without blocking constructor

Suggestion: Consider adding cache TTL or invalidation mechanism. The current implementation caches metadata forever, which could be problematic if the clientEndpoint changes during long-running processes.

Security Concerns: ⚠️ Minor

1. Infinite retry with exponential backoff - forever: true on line 42 means failed metadata lookups will retry indefinitely. While the backoff helps (500ms-15s), consider:

   • Adding a maximum attempt count for cleaner failure modes
   • Or documenting that this is intentional for resilience

2. Endpoint override - The code allows metadata response to completely override the configured endpoint. While documented as intentional (lines 101-109 in router.ts), ensure:

   • The metadata endpoint is served over HTTPS in production
   • The token auth prevents unauthorized endpoint hijacking

Missing Test Coverage: ⚠️ Important

No test files found for this functionality. Consider adding tests for:

1. Metadata caching - Verify the same endpoint doesn't trigger multiple fetches
2. Endpoint override - Verify clientEndpoint is properly applied
3. Race conditions - Verify concurrent requests don't cause issues
4. Retry behavior - Verify retry logic works correctly
5. Shallow clone behavior - Verify config mutations don't affect caller

Example test structure:

describe('lookupMetadataCached', () => {
  it('should cache metadata by endpoint', async () => { /* ... */ });
  it('should override endpoint when clientEndpoint provided', async () => { /* ... */ });
  it('should handle concurrent requests', async () => { /* ... */ });
  it('should retry on failure', async () => { /* ... */ });
});

Recommendations

Must Fix

1. Update comment on line 63 of mod.ts to say "disabling metadata lookup"

Should Consider

1. Add test coverage for metadata lookup functionality
2. Extract MAX_METADATA_RETRY_TIMEOUT constant
3. Consider adding cache TTL or manual invalidation API
4. Document or add maximum retry attempts for metadata lookup

Nice to Have

1. Add TypeScript JSDoc comments to exported lookupMetadataCached function
2. Consider emitting events/metrics for metadata lookup success/failure for observability

Verdict: ✅ Approve with Minor Suggestions

This is a solid refactor that fixes a critical bug. The code quality is good, and the separation of concerns improves maintainability. The main gaps are test coverage and a stale comment. The PR is safe to merge after addressing the comment update.

[claude]

Code Review for PR #3402

Summary

This PR refactors the metadata lookup mechanism in the remote manager driver to properly apply the clientEndpoint from metadata responses. The changes extract metadata lookup logic into a dedicated module and fix the config endpoint override behavior.

---

✅ Positive Changes

1. Better Separation of Concerns: Extracting metadata lookup into metadata.ts improves code organization and reusability.

2. Improved Caching Strategy: The cache now stores the full MetadataResponse promise instead of just void, which is more useful and allows the data to be reused.

3. Proper Config Cloning: Using a shallow clone of the config ({ ...runConfig }) allows safe mutation of the endpoint property without affecting the original config passed by the user.

4. Clearer Naming: Renaming disableHealthCheck to disableMetadataLookup better reflects what the flag actually does.

5. Better Retry Strategy: The pRetry configuration with forever: true ensures resilience when connecting to the metadata endpoint.

---

🔍 Issues & Concerns

1. Critical: Shallow Clone Issue ⚠️

Location: remote-manager-driver/mod.ts:70

// Clone config so we can mutate the endpoint in #metadataPromise
// NOTE: This is a shallow clone, so mutating nested properties will not do anything
this.#config = { ...runConfig };

Issue: The comment correctly notes this is a shallow clone, but if ClientConfig contains nested objects (like headers), they will still be shared references. Mutating nested properties could still affect the original config.

Recommendation: Consider using structuredClone() for a deep clone if nested properties might be mutated, or document which properties are safe to mutate.

2. Potential Race Condition ⚠️

Location: remote-manager-driver/mod.ts:77-86

this.#metadataPromise = lookupMetadataCached(this.#config).then(
    (metadataData) => {
        // Override endpoint for all future requests
        if (metadataData.clientEndpoint) {
            this.#config.endpoint = metadataData.clientEndpoint;
            // ...
        }
    }
);

Issue: The .then() callback mutates this.#config.endpoint, but this mutation happens asynchronously. If multiple RemoteManagerDriver instances are created rapidly with the same endpoint, they might all have different timing for when their config gets updated.

Additionally, since lookupMetadataCached uses a global cache keyed by endpoint, but the mutation happens in the instance-level .then() callback, each instance will independently mutate its own config. This is probably fine, but worth noting.

Consideration: This appears to be intentional behavior, but document if this is expected.

3. Forever Retry May Hang Application ⚠️

Location: metadata.ts:42

{
    forever: true,
    minTimeout: 500,
    maxTimeout: 15_000,
    // ...
}

Issue: With forever: true, the metadata lookup will retry indefinitely if the endpoint is unreachable. This could cause the application to hang during startup or when creating a client.

Recommendation: Consider one of the following:

• Add a maximum retry count (e.g., retries: 10)
• Add an overall timeout
• Document this behavior clearly for users
• Provide a way to cancel the retry loop

4. Missing Error Handling for Metadata Promise ⚠️

Location: remote-manager-driver/mod.ts:77-95

The comment says "This should never error, since it uses pRetry", but pRetry with forever: true can still throw errors if:

• The retry function is aborted
• The process runs out of memory
• Other unexpected runtime errors occur

While unlikely, if this.#metadataPromise does reject, all subsequent method calls will fail when they await this.#metadataPromise. Consider adding a .catch() handler to log the error and potentially disable the metadata promise to allow degraded operation.

5. Cache Invalidation 💭

Location: metadata.ts:10

const metadataLookupCache = new Map<string, Promise<MetadataResponse>>();

Consideration: The global cache has no TTL or invalidation mechanism. If the metadata changes (e.g., after a deployment), the application would need to restart to pick up the new values.

Recommendation: Consider:

• Adding cache expiration (TTL)
• Providing a cache clear method for testing
• Documenting that the cache is permanent for the application lifetime

6. Inconsistent Logging Level 💭

Location: remote-manager-driver/mod.ts:82-85

logger().info({
    msg: "overriding cached client endpoint",
    endpoint: metadataData.clientEndpoint,
});

This logs at info level, but it happens every time a RemoteManagerDriver is constructed (even though the actual metadata lookup is cached). Consider:

• Logging at debug level instead
• Only logging when the cache is populated (first time)

---

🔒 Security Considerations

1. No Security Issues Identified: The code doesn't introduce any obvious security vulnerabilities.

2. Endpoint Override: The clientEndpoint override could theoretically be used for redirect attacks if the metadata endpoint is compromised, but this is an inherent feature, not a bug. Ensure the initial endpoint is from a trusted source.

---

🎯 Performance Considerations

1. ✅ Good: Global caching prevents redundant metadata lookups for the same endpoint.

2. ✅ Good: Promises are cached immediately, preventing duplicate concurrent requests.

3. ⚠️ Consideration: Every method in RemoteManagerDriver awaits this.#metadataPromise. If metadata lookup is slow, all operations will be delayed. This seems intentional but worth documenting.

---

🧪 Test Coverage

No tests detected for the new metadata.ts module or the refactored behavior.

Recommendations:

• Add unit tests for lookupMetadataCached:
  • Test caching behavior (multiple calls return same promise)
  • Test retry behavior
  • Test with and without clientEndpoint in response
• Add integration tests for RemoteManagerDriver:
  • Test that config endpoint is properly overridden
  • Test behavior when metadata lookup is disabled
  • Test concurrent client creation with same endpoint

---

📝 Code Style & Best Practices

1. ✅ Good: Follows TypeScript best practices
2. ✅ Good: Proper use of structured logging (following CLAUDE.md guidelines)
3. ✅ Good: Clear comments explaining behavior
4. ✅ Good: Proper error stringification using stringifyError()

---

💡 Recommendations Summary

High Priority:

1. Add a maximum retry count or timeout to pRetry to prevent infinite hanging
2. Consider adding error handling/recovery for metadata promise failures
3. Add test coverage for the new functionality

Medium Priority:
4. Consider cache invalidation strategy or document permanent caching
5. Document the shallow clone behavior and limitations
6. Consider logging at debug level for endpoint override

Low Priority:
7. Add JSDoc comments to lookupMetadataCached explaining the caching behavior

---

✅ Approval Status

The changes are well-structured and improve the codebase. The main concerns are around:

• Infinite retry behavior (potential hang)
• Lack of test coverage

These should be addressed before merging to production.

---

Overall Assessment: Good refactoring with improved separation of concerns, but needs attention to retry configuration and test coverage.

[claude]

Code Review

This PR fixes an important bug where the clientEndpoint from metadata lookup was not being properly applied. The refactoring improves code organization and makes the metadata lookup behavior more explicit. Overall, the changes are well-structured, but I have some observations and suggestions.

Strengths

1. Better naming: Renaming disableHealthCheck to disableMetadataLookup is more accurate since the functionality does more than health checking—it also retrieves the client endpoint and runtime information.

2. Improved separation of concerns: Extracting metadata lookup logic into a dedicated metadata.ts file improves code organization.

3. Bug fix: The core issue is properly addressed. The config is now shallow-cloned (line 70 in mod.ts), and clientEndpoint is applied to the cloned config, ensuring all future API calls use the correct endpoint.

4. Proper caching: The global cache prevents duplicate metadata lookups for the same endpoint, which is good for performance.

[claude]

Observations and Potential Issues

1. Shallow clone limitation (line 70 in remote-manager-driver/mod.ts): The comment correctly notes this is a shallow clone. If config.headers is mutated elsewhere, it could cause unexpected behavior since nested objects are still shared. Consider if a deep clone would be more appropriate.

2. Race condition during initialization (lines 73-93): There is a subtle timing issue - API calls made before metadataPromise resolves will use the old endpoint. Consider awaiting metadataPromise in all API methods to ensure metadata is loaded before making requests.

3. Error handling in metadata lookup (lines 24-53 in metadata.ts): The lookupMetadataCached function uses pRetry with forever: true, which means it will retry indefinitely on failure. What happens if the endpoint is permanently unreachable? The promise hangs forever. Consider adding a reasonable maximum timeout or retry limit for production scenarios.

4. Log message accuracy (line 82): The term cached in overriding cached client endpoint is misleading. Consider: applying client endpoint from metadata or updating endpoint from server metadata.

5. Global cache never evicted (metadata.ts:9): The cache is never cleared. In long-running processes, this could potentially accumulate entries if different endpoints are used over time.

[claude]

Test Coverage

I noticed there are no tests added for this change. Consider adding tests for:

• Metadata lookup caching: Verify that multiple calls to the same endpoint only trigger one metadata request
• Endpoint override behavior: Verify that clientEndpoint from metadata properly overrides the config endpoint
• Error retry behavior: Verify the retry logic works as expected
• Cache keying: Verify that different endpoints get separate cache entries

Summary

The core bug fix is solid, and the refactoring improves code organization. The main concerns are:

1. Race condition risk: API calls before metadata loads may use wrong endpoint
2. Infinite retry: The forever: true option could cause hangs in error scenarios
3. Test coverage: No tests added for this critical functionality

Recommendation: Consider addressing items 1 and 2 before merging, as they could cause production issues. Adding tests would also significantly improve confidence in this change.

Great work on identifying and fixing the endpoint override bug!