chore(site): fix generating examples

[NathanFlurry]

No description provided.

[vercel]

Deployment failed with the following error:

Too many requests - try again in 3 minutes (more than 120, code: "api-deployments-flood-pro").

Learn More: https://vercel.com/docs/limits#rate-limits

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore(site): tweak wording #3454
• chore(site): fix generating examples #3453 👈 (View in Graphite)
• chore: create branch for v3 website changes on v2 #3304
• chore(website): flatten actors docs structure #3280
• chore(rivetkit): switch dynamic node imports to use require #3461 : 1 other dependent PR (#3455 )
• chore(rivetkit-typescript): remove dependency on node modules #3460
• feat(site): add typedoc docs #3446
• chore(rivetkit): remove deprecated packages #3447
• chore(rivetkit): add support for conn params on onRequest and onWebSocket #3445
• feat(rivetkit): add asyncapi spec #3442
• chore(rivetkit): add actor router to the openapi spec #3441
• fix(rivetkit): skip sending RivetKit messages to conns that do not support it #3440
• fix(rivetkit): fix race condition with websocket open events #3439
• fix(rivetkit): standardize error metadata return type #3438
• fix(rivetkit): remove incorrect getEndpoint call in metadata handler #3433 : 1 other dependent PR (#3451 )
• feat(rivetkit): add json protocol support #3432
• chore(rivetkit): add required zod validation for json encoding #3431
• chore(rivetkit): add listing actors by only name to manager api #3430
• refactor(rivetkit): extract WebSocket protocol parsing to shared utility #3429
• refactor(rivetkit): restructure connection lifecycle contexts #3428
• chore(rivetkit): add WebSocketContext and RequestContext #3427
• chore(rivetkit): add conn type #3426
• chore(rivetkit): add connection for raw http #3425
• chore(rivetkit): rename onFetch to onRequest #3424
• refactor(rivetkit): add state manager for conn with symbol-based access #3423
• fix(rivetkit): use loggerWithoutContext for websocket error when actor undefined #3412
• feat(rivetkit): add GET /actors/names #3411
• feat(api-public): expose actor kv api #3410
• chore(rivetkit): auto-generate inspector token for engine driver #3409
• chore(rivetkit): close websockets on out of sequence messages #3404
• fix(rivetkit): properly apply clientEndpoint from metadata lookup #3402
• fix(rivetkit): properly handle msgIndex for hibernatable websocket reconnection #3401
• chore(rivetkit): rename onstart/onstop to onwake/onsleep #3422
• chore(rivetkit): split ActorInstance logic in to multiple classes #3421
• chore(rivetkit): move conns to separate persisted kv keys #3420
• chore(rivetkit): remove deprecated conn tokens & sse support #3419
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: Fix generating examples

Summary

This PR refactors the example generation script to use local examples instead of cloning from a remote repository, and removes the unused README generation script. Overall this is a good improvement that simplifies the build process.

✅ Positive Changes

1. Simplified Architecture

• Removing the git clone dependency makes the build process more reliable and faster
• Using local examples from ../../examples is a cleaner approach for a monorepo
• Good use of fileURLToPath and dirname for proper ESM path resolution

2. Improved Version Management

The new getLatestVersion() function with caching is excellent:

• Fetches real npm versions instead of hardcoding
• Caches versions to avoid repeated lookups
• Has proper error handling with fallback

3. Better Dependency Handling

The refactored replaceWorkspaceDependencies() is more robust:

• Processes both dependencies and devDependencies
• Uses proper JSON parsing/stringification instead of regex
• Maintains proper formatting with tabs

4. Documentation Cleanup

• Removed unused generateReadme.mjs (169 lines)
• Consolidated quickstart navigation in the docs

⚠️ Issues & Recommendations

1. Security: Command Injection Risk (High Priority)

Location: website/scripts/generateExamples.mjs:31

const result = execSync(`npm view ${packageName} version`, { encoding: 'utf-8' });

Issue: If a package.json contains a malicious package name with shell metacharacters, this could execute arbitrary commands.

Recommendation:

function getLatestVersion(packageName) {
  try {
    // Validate package name format
    if (!/^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/.test(packageName)) {
      console.warn(`Warning: Invalid package name "${packageName}", using ^0.9.1`);
      return '0.9.1';
    }
    const result = execSync('npm view ' + JSON.stringify(packageName) + ' version', { 
      encoding: 'utf-8',
      shell: '/bin/sh'
    });
    return result.trim();
  } catch (error) {
    console.warn(`Warning: Could not fetch version for ${packageName}, using ^0.9.1`);
    return '0.9.1';
  }
}

2. Error Handling: Silent Failures

Location: website/scripts/generateExamples.mjs:163-166

The catch block silently skips files but throws an error that interrupts processing:

} catch (readError) {
  // Skip binary files or files that can't be read as text
  throw new Error(`Failed to read file ${relativePath}: ${readError.message}`);
}

Issue: The comment says "skip" but it actually throws. This could fail the entire build for a single unreadable file.

Recommendation:

} catch (readError) {
  // Skip binary files or files that can't be read as text
  console.warn(`Skipping file ${relativePath}: ${readError.message}`);
  continue;
}

3. Platform Compatibility Issue

Location: website/scripts/generateExamples.mjs:138

const allFiles = execSync('find . -type f -not -path "*/.git/*"', {

Issue: The find command is Unix-specific and will fail on Windows.

Recommendation: Use Node.js built-in functions for cross-platform compatibility:

import { readdirSync, statSync } from 'node:fs';

function getAllFilesRecursive(dir, baseDir = dir) {
  const files = [];
  for (const file of readdirSync(dir)) {
    const fullPath = join(dir, file);
    const stat = statSync(fullPath);
    if (stat.isDirectory() && file !== '.git') {
      files.push(...getAllFilesRecursive(fullPath, baseDir));
    } else if (stat.isFile()) {
      files.push(relative(baseDir, fullPath));
    }
  }
  return files;
}

4. Performance: Network Calls

Issue: The script makes an npm registry call for every unique package, which could be slow if there are many packages.

Recommendation: Consider batching or adding a timeout:

execSync('npm view ' + JSON.stringify(packageName) + ' version', { 
  encoding: 'utf-8',
  timeout: 5000  // 5 second timeout
});

5. Minor: Inconsistent Error Messages

Location: Multiple locations

Some errors use template literals, others use concatenation. Choose one style for consistency:

// Line 23
throw new Error(`Examples directory not found at ${EXAMPLES_DIR}`);
// Line 80
throw new Error(`Example defined in metadata but not found in repo: ${exampleName}`);

This is good and consistent.

6. Testing Gap

The PR doesn't include tests for the refactored script. Consider adding:

• Unit tests for getLatestVersion()
• Tests for replaceWorkspaceDependencies()
• Integration test that runs the script on a test example

7. Documentation

The comment on line 1 of examplesData.mjs was updated but could be more descriptive:

// Shared example metadata used by generateExamples.mjs to build the examples gallery

🔍 Code Quality

Good Practices Observed:

• ✅ Proper cleanup with try/finally blocks
• ✅ Clear function names and separation of concerns
• ✅ Good error messages with context
• ✅ Consistent code style

Adherence to CLAUDE.md:

• ✅ Uses pnpm workspace correctly
• ✅ Follows conventional commit format: chore(site): fix generating examples
• ⚠️ The commit message could be more descriptive about what was actually fixed

📊 Impact Assessment

Risk Level: Low-Medium

• The changes are isolated to build scripts
• Removing remote dependency is a positive change
• Security issue should be addressed but impact is limited to development

Breaking Changes: None

• Output format remains the same
• No API changes

Performance Impact: Positive

• No more git cloning during builds
• Faster local file access

🎯 Recommendations Priority

1. High Priority: Fix command injection vulnerability (Security)
2. Medium Priority: Fix platform compatibility (find command)
3. Medium Priority: Fix error handling to not throw on binary files
4. Low Priority: Add timeout to npm calls
5. Low Priority: Add tests for the refactored code

✅ Approval Status

Conditional Approve - The changes are good overall, but the security issue should be addressed before merging. The platform compatibility issue should also be fixed for Windows developers.

Great work simplifying the build process! 🎉

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-site	Error			Nov 13, 2025 3:24am
rivetkit-serverless	Error			Nov 13, 2025 3:24am

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-cloud	Ignored			Nov 13, 2025 3:24am
rivet-inspector	Ignored	Preview		Nov 13, 2025 3:24am

[claude]

PR Review: chore(site): fix generating examples

Summary

This PR refactors the examples generation script to use local examples instead of cloning from a remote repository, removes the unused generateReadme.mjs script, and reorganizes the documentation structure by moving quickstart content to the main docs index.

Code Quality & Best Practices

Positive Changes:

1. Simplified Architecture: Removing the git clone approach in favor of local examples is cleaner and more maintainable
2. Better Dependency Version Resolution: The new getLatestVersion() function dynamically fetches package versions from npm
3. Improved Caching: Added versionCache to avoid redundant npm lookups (line 40)
4. Proper JSON Manipulation: Using JSON.parse() and JSON.stringify() instead of regex replacement is more robust
5. Good Error Handling: Added proper validation and error messages throughout
6. Cleanup Logic: Using try...finally blocks to ensure temp directories are cleaned up

Code Style:

• Consistent with existing patterns
• Good use of early returns and guard clauses
• Clear function naming and separation of concerns

[claude]

Potential Issues & Concerns

1. Error Handling in getLatestVersion() (Line 29-36)

Issue: Silent fallback to hardcoded version 0.9.1 has a version string mismatch

The function returns '0.9.1' but the warning message and later usage (line 56) expect '^0.9.1'

Recommendation:

• Fix: Change line 36 from return '0.9.1' to return '^0.9.1'
• Consider logging the actual error for debugging
• Consider making this a build failure if critical packages cannot be resolved

2. Potential Race Condition with Temp Directories

Issue: Using a shared TEMP_EXAMPLE_DIR could cause issues if multiple instances run concurrently

Recommendation: Use a unique temp directory per invocation (though this may be acceptable for a build script that typically runs sequentially)

3. Binary File Handling (Line 163-166)

Issue: The comment says Skip binary files but the code actually throws an error

Recommendation: Either skip binary files gracefully or update the comment to reflect the actual behavior

4. Documentation Navigation Change

The quickstart section was moved from /docs/quickstart to /docs/index.mdx. This is a breaking change for users with bookmarked links.

Recommendation: Consider adding a redirect from /docs/quickstart to /docs to avoid 404s

[claude]

Performance & Security

Performance - Positive:

1. Version Caching: The versionCache prevents redundant npm calls (good optimization!)
2. No Network Cloning: Using local examples is much faster than cloning

Performance - Potential Improvement:

Running npm install for each example could be slow. Consider parallel processing or caching node_modules between runs

Security Concerns:

Command Injection Risk (Line 138): Using find via shell execution could be vulnerable if directory paths contain special characters

Severity: Low (controlled environment)
Recommendation: Use Node.js native fs.readdirSync with recursive option instead of shell commands

Test Coverage

Missing: No tests were added or modified for this script

Recommendation: Consider adding:

1. Unit tests for replaceWorkspaceDependencies() function
2. Integration test that verifies examples can be generated successfully
3. Test that validates all examples in EXAMPLE_METADATA exist in the examples directory

[claude]

Summary & Recommendations

Overall Assessment: This is a good refactoring that simplifies the build process

Priority Fixes:

1. Fix the version string mismatch in line 36 of website/scripts/generateExamples.mjs (return '0.9.1' should be return '^0.9.1' to match the warning message and usage in line 56)
2. Decide whether binary files should throw or be skipped (line 163-166) - update either code or comment
3. Add a redirect for the removed /docs/quickstart route to avoid broken bookmarks

Nice to Have:

1. Use unique temp directories to avoid race conditions
2. Replace find command with Node.js native file operations
3. Add test coverage for the generation script
4. Consider parallel example processing for performance

Additional Observations:

• generateReadme.mjs removal is justified
• The quickstart page consolidation makes sense for better UX
• Sitemap changes improve navigation by promoting quickstart to main docs level
• Commented-out Use Cases section suggests ongoing restructuring - ensure this is intentional
• Added @vbare/compiler and @biomejs/biome dependencies appear appropriate

Approval: Safe to merge after addressing the version string mismatch in priority fix #1

---

Review conducted following CLAUDE.md conventions

[claude]

PR Review: chore(site): fix generating examples

Thanks for this PR! I've reviewed the changes and here's my feedback:

✅ Positive Changes

1. Simplified Architecture: Removing the git clone step and using local examples directly is much cleaner and faster. This eliminates network dependencies and reduces complexity.

2. Smart Version Resolution: The new getLatestVersion() function with caching is a nice improvement over hardcoded version strings. This ensures examples always use the latest published versions.

3. Better Error Handling: The error messages are more descriptive (e.g., Example directory not found at ${EXAMPLES_DIR}).

4. Cleanup Logic: Good use of try/finally blocks to ensure temp directories are cleaned up even on errors.

5. Documentation Consolidation: Merging the quickstart into the main docs page makes sense for discoverability.

🔍 Issues & Concerns

1. Command Injection Vulnerability (Medium Severity)

Location: website/scripts/generateExamples.mjs:31

const result = execSync(`npm view ${packageName} version`, { encoding: 'utf-8' });

Issue: Direct string interpolation into execSync without sanitization is a command injection risk. If a malicious package name with shell metacharacters is in a package.json, it could execute arbitrary commands.

Recommendation: Use safer alternatives or validate package names:

if (!/^[@a-z0-9-~][a-z0-9-._~]*\/[a-z0-9-._~]*$/.test(packageName)) {
  throw new Error(`Invalid package name: ${packageName}`);
}

2. Hardcoded Fallback Version

Location: website/scripts/generateExamples.mjs:35

The fallback to 0.9.1 when npm view fails could cause issues if:

• The actual version is much newer (breaking changes)
• The package doesn't exist at that version

Recommendation: Consider failing fast instead of silently falling back, or document why 0.9.1 is chosen.

3. Platform Compatibility Issue

Location: website/scripts/generateExamples.mjs:138

const allFiles = execSync('find . -type f -not -path "*/.git/*"', {

Issue: Using the find command won't work on Windows. Since this is a Node.js script, consider using Node's built-in fs APIs for cross-platform compatibility.

Recommendation: Use a recursive directory walker:

import { readdirSync, statSync } from 'node:fs';

function getAllFiles(dir, fileList = []) {
  const files = readdirSync(dir);
  files.forEach(file => {
    const filePath = join(dir, file);
    if (statSync(filePath).isDirectory()) {
      if (file !== '.git' && file !== 'node_modules') {
        getAllFiles(filePath, fileList);
      }
    } else {
      fileList.push(filePath);
    }
  });
  return fileList;
}

Or use a library like glob or fast-glob.

4. Missing Error Context

Location: website/scripts/generateExamples.mjs:165

When file reading fails, the error message doesn't include the example name, making debugging harder.

Current:

throw new Error(`Failed to read file ${relativePath}: ${readError.message}`);

Better:

throw new Error(`Failed to read file ${relativePath} in example ${exampleName}: ${readError.message}`);

5. Potential Memory Issues

Location: website/scripts/generateExamples.mjs:134-169

Reading all files into memory at once could cause issues if examples are large. Consider:

• Adding size limits
• Streaming large files
• Warning if total size exceeds a threshold

6. No Validation of Generated Content

The script doesn't validate that:

• Required files exist in each example
• Package.json files are valid JSON after transformation
• The generated TypeScript file is syntactically valid

Recommendation: Add basic validation before writing the output file.

📝 Minor Suggestions

1. Consistent Quotes: Mix of single and double quotes in the file. Consider using a formatter (Prettier) for consistency.

2. Magic Numbers: Consider extracting hardcoded paths to constants at the top:

   const DEFAULT_FALLBACK_VERSION = '0.9.1';
   const EXCLUDED_FILES = ['turbo.json', 'rivet.json'];

3. Console Output: Consider using a logging library for better control over verbosity levels.

4. Type Safety: Since this generates TypeScript, consider writing the script in TypeScript itself for better type checking.

🎯 Testing Recommendations

1. Test with a package.json that has:

   • Missing workspace dependencies
   • Invalid workspace dependencies
   • Network failures when fetching versions

2. Test on Windows to verify cross-platform compatibility

3. Test with examples containing:

   • Binary files
   • Very large files
   • Deeply nested directories
   • Special characters in filenames

📊 Summary

Overall Assessment: Good refactoring that simplifies the examples generation process. The main concerns are:

• Security: Command injection vulnerability should be addressed
• Portability: Unix-specific find command won't work on Windows
• Robustness: Need better error handling and validation

Recommendation: Address the security and portability issues before merging. The other suggestions can be follow-up improvements.

---

Review generated with assistance from Claude Code