donotmerge: dummy inspector api

[abcxff]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[railway-app]

🚅 Deployed to the rivet-pr-5085 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
frontend-cloud	😴 Sleeping (View Logs)	Web	May 21, 2026 at 3:13 am
frontend-inspector	❌ Build Failed (View Logs)	Web	May 21, 2026 at 3:01 am
kitchen-sink	❌ Build Failed (View Logs)	Web	May 21, 2026 at 3:00 am
website	😴 Sleeping (View Logs)	Web	May 21, 2026 at 12:48 am
ladle	✅ Success (View Logs)	Web	May 21, 2026 at 12:39 am
mcp-hub	✅ Success (View Logs)	Web	May 21, 2026 at 12:35 am

[abcxff]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• donotmerge: dummy inspector api #5085 👈 (View in Graphite)
• feat(inspector): insert and clear actor queue #5065
• fix(rivetkit): wire CancellationToken through waitForNamesAvailable to eliminate KV busy-polling #5063 : 1 other dependent PR (#5050 )
• fix(rivetkit): fix BigInt serialization in inspector workflow history and state deserialization #5058
• fix(workflow-engine): only commit step state after success #5010 : 1 other dependent PR (#5052 )
• fix(rivetkit): bind methods through createWriteThroughProxy #4987
• fix(rivetkit): remove client-side connection request size check #5057
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: donotmerge — dummy inspector eval API

Note: This PR is explicitly marked donotmerge and stacks on 05-19-feat_inspector_insert_and_clear_actor_queue. The review below evaluates it as a preview of the planned feature, not as merge-ready code.

Overview

Adds a POST /inspector/eval endpoint that executes arbitrary JavaScript inside a running actor's context. The code exposes ctx, kv, rawKv, sql, db, state, queue, schedule, conns, and a log collector to the user-supplied snippet and returns the result plus any captured log lines.

---

Auth coverage ✅

The new endpoint falls inside the existing inspector auth guard (actorVerifyInspectorAuth) that runs before the entire inspector route block, so it inherits the same token-based protection as all other /inspector/* routes. Good.

---

Issues and suggestions

1. Overly broad catch on actorCtx.db access

The getter throws exactly two errors: DatabaseNotEnabled and ActorStopping. A bare empty catch swallows both, masking the ActorStopping case that the caller should propagate. Narrow it:

let db: unknown;
try {
    db = actorCtx.db;
} catch (e) {
    if (!(e instanceof errors.DatabaseNotEnabled)) throw e;
    db = undefined;
}

2. Inconsistent 400 error shape

The input-validation error returns { error: "..." } while every other inspector failure routes through errorResponse() and emits the canonical { group, code, message, metadata } shape. Use errorResponse here too for a consistent client contract.

3. Stack traces exposed on eval errors

Returning error.stack is fine for a local-dev inspector behind auth, but if the auth layer is ever weakened or the endpoint surfaces in a non-dev context, internal frames leak. Consider gating stack on a dev-mode flag before this graduates from donotmerge.

4. No size or timeout guard on the eval snippet

There is no cap on body.code length and no timeout on the eval. An infinite-looping snippet will tie up the actor indefinitely. A hard body-size limit and a Promise.race timeout would make this safe to expose more broadly.

5. AsyncFunction parameter list is invisible to callers

The nine positional bindings (ctx, kv, rawKv, sql, db, state, queue, schedule, conns, log) are only discoverable by reading the source. Surfacing them in the 400-error message ("Available bindings: ctx, kv, rawKv, ...") costs nothing and improves DX significantly.

6. Missing tests

No coverage for the new endpoint. At minimum: a happy-path test (snippet runs, result + logs returned) and an error-path test (bad code throws, 500 response).

---

Style nits

• The rawKv object inlined in the handler is verbose. If actorCtx.kv covers the needed surface, drop rawKv and simplify.
• Per CLAUDE.md, inspector error responses should use the RivetError group/code format, not ad-hoc { error: "..." } objects.

---

Summary

The feature direction is sound — an admin eval endpoint behind inspector auth is a useful debugging primitive. Key things to address before merging: narrow the db catch to DatabaseNotEnabled only, unify the 400 error shape with errorResponse, add tests, and settle on a stack-trace/timeout policy.