fix(inspector): allow connection to inspector when using engine driver (#1269)

jog1t · jog1t · commit d30dcda2e9d5 · 2025-09-25T23:36:33.000Z
### TL;DR

Added granular control over inspector enablement for actors and managers, and improved inspector access token configuration.

### What changed?

- Enhanced the inspector configuration to allow enabling/disabling the inspector separately for actors and managers
- Added a `configureInspectorAccessToken` utility function to centralize token management
- Modified the `isInspectorEnabled` function to check if the inspector is enabled for a specific context (actor or manager)
- Updated the `ManagerDriver` interface to include a `getOrCreateInspectorAccessToken` method
- Implemented the new method in various driver implementations
- Added skeleton implementation for `configureInspectorAccessToken` in Cloudflare Workers
- Updated router implementations to use the new context-specific inspector enablement checks
- Set default inspector configurations for engine and Cloudflare Workers drivers

### How to test?

1. Configure a registry with different inspector settings for actors and managers:
   ```typescript
   const registry = new Registry({
     inspector: {
       enabled: {
         actor: true,
         manager: false
       }
     }
   });
   ```

2. Verify that the inspector endpoints are accessible for actors but not for managers
3. Test that inspector access tokens are properly generated and configured

### Why make this change?

This change provides more flexibility in how the inspector is configured, allowing users to enable inspection capabilities selectively for actors or managers based on their needs. It also centralizes and standardizes the inspector access token management, making the codebase more maintainable and consistent across different driver implementations.
diff --git a/packages/cloudflare-workers/src/actor-handler-do.ts b/packages/cloudflare-workers/src/actor-handler-do.ts
@@ -3,7 +3,7 @@ import type { ExecutionContext } from "hono";
 import invariant from "invariant";
 import type { ActorKey, ActorRouter, Registry, RunConfig } from "rivetkit";
 import { createActorRouter, createClientWithDriver } from "rivetkit";
-import type { ActorDriver } from "rivetkit/driver-helpers";
+import type { ActorDriver, ManagerDriver } from "rivetkit/driver-helpers";
 import { serializeEmptyPersistData } from "rivetkit/driver-helpers";
 import { promiseWithResolvers } from "rivetkit/utils";
 import {
@@ -121,6 +121,8 @@ export function createActorDurableObject(
 				runConfig,
 			);
 
+			configureInspectorAccessToken(registry.config, managerDriver);
+
 			// Create inline client
 			const inlineClient = createClientWithDriver(managerDriver);
 
@@ -187,3 +189,9 @@ export function createActorDurableObject(
 		}
 	};
 }
+function configureInspectorAccessToken(
+	config: any,
+	managerDriver: ManagerDriver,
+) {
+	throw new Error("Function not implemented.");
+}
diff --git a/packages/rivetkit/src/actor/router.ts b/packages/rivetkit/src/actor/router.ts
@@ -34,7 +34,7 @@ import {
 	type ActorInspectorRouterEnv,
 	createActorInspectorRouter,
 } from "@/inspector/actor";
-import { secureInspector } from "@/inspector/utils";
+import { isInspectorEnabled, secureInspector } from "@/inspector/utils";
 import type { RunConfig } from "@/registry/run-config";
 import type { ActorDriver } from "./driver";
 import { InternalError } from "./errors";
@@ -206,7 +206,7 @@ export function createActorRouter(
 		}
 	});
 
-	if (runConfig.inspector.enabled) {
+	if (isInspectorEnabled(runConfig, "actor")) {
 		router.route(
 			"/inspect",
 			new Hono<ActorInspectorRouterEnv & { Bindings: ActorRouterBindings }>()
diff --git a/packages/rivetkit/src/driver-test-suite/mod.ts b/packages/rivetkit/src/driver-test-suite/mod.ts
@@ -4,6 +4,7 @@ import { bundleRequire } from "bundle-require";
 import invariant from "invariant";
 import { describe } from "vitest";
 import type { Transport } from "@/client/mod";
+import { configureInspectorAccessToken } from "@/inspector/utils";
 import { createManagerRouter } from "@/manager/router";
 import type { DriverConfig, Registry, RunConfig } from "@/mod";
 import { RunConfigSchema } from "@/registry/run-config";
@@ -193,6 +194,7 @@ export async function createTestRuntime(
 
 		// Create router
 		const managerDriver = driver.manager(registry.config, config);
+		configureInspectorAccessToken(config, managerDriver);
 		const { router } = createManagerRouter(
 			registry.config,
 			config,
diff --git a/packages/rivetkit/src/drivers/file-system/manager.ts b/packages/rivetkit/src/drivers/file-system/manager.ts
@@ -57,10 +57,6 @@ export class FileSystemManagerDriver implements ManagerDriver {
 		this.#driverConfig = driverConfig;
 
 		if (runConfig.inspector.enabled) {
-			if (!this.#runConfig.inspector.token()) {
-				this.#runConfig.inspector.token = () =>
-					this.#state.getOrCreateInspectorAccessToken();
-			}
 			const startedAt = new Date().toISOString();
 			function transformActor(actorState: schema.ActorState): Actor {
 				return {
@@ -317,4 +313,8 @@ export class FileSystemManagerDriver implements ManagerDriver {
 			data: this.#state.storagePath,
 		};
 	}
+
+	getOrCreateInspectorAccessToken() {
+		return this.#state.getOrCreateInspectorAccessToken();
+	}
 }
diff --git a/packages/rivetkit/src/inspector/config.ts b/packages/rivetkit/src/inspector/config.ts
@@ -56,7 +56,16 @@ const defaultCors: CorsOptions = {
 
 export const InspectorConfigSchema = z
 	.object({
-		enabled: z.boolean().optional().default(defaultEnabled),
+		enabled: z
+			.boolean()
+			.or(
+				z.object({
+					actor: z.boolean().optional().default(true),
+					manager: z.boolean().optional().default(true),
+				}),
+			)
+			.optional()
+			.default(defaultEnabled),
 		/** CORS configuration for the router. Uses Hono's CORS middleware options. */
 		cors: z
 			.custom<CorsOptions>()
diff --git a/packages/rivetkit/src/inspector/mod.ts b/packages/rivetkit/src/inspector/mod.ts
@@ -1,2 +1,3 @@
 export * from "./protocol/common";
 export * from "./protocol/mod";
+export * from "./utils";
diff --git a/packages/rivetkit/src/inspector/utils.ts b/packages/rivetkit/src/inspector/utils.ts
@@ -1,5 +1,6 @@
 import crypto from "node:crypto";
 import { createMiddleware } from "hono/factory";
+import type { ManagerDriver } from "@/driver-helpers/mod";
 import type { RunConfig } from "@/mod";
 import type { RunConfigInput } from "@/registry/run-config";
 import { inspectorLogger } from "./log";
@@ -28,10 +29,6 @@ export function compareSecrets(providedSecret: string, validSecret: string) {
 
 export const secureInspector = (runConfig: RunConfig) =>
 	createMiddleware(async (c, next) => {
-		if (!runConfig.inspector.enabled) {
-			return c.text("Inspector is not enabled", 503);
-		}
-
 		const userToken = c.req.header("Authorization")?.replace("Bearer ", "");
 		if (!userToken) {
 			return c.text("Unauthorized", 401);
@@ -74,3 +71,25 @@ export function getInspectorUrl(runConfig: RunConfigInput | undefined) {
 
 	return url.href;
 }
+
+export const isInspectorEnabled = (
+	runConfig: RunConfig,
+	context: "actor" | "manager",
+) => {
+	if (typeof runConfig.inspector?.enabled === "boolean") {
+		return runConfig.inspector.enabled;
+	} else if (typeof runConfig.inspector?.enabled === "object") {
+		return runConfig.inspector.enabled[context];
+	}
+	return false;
+};
+
+export const configureInspectorAccessToken = (
+	runConfig: RunConfig,
+	managerDriver: ManagerDriver,
+) => {
+	if (!runConfig.inspector?.token()) {
+		const token = managerDriver.getOrCreateInspectorAccessToken();
+		runConfig.inspector.token = () => token;
+	}
+};
diff --git a/packages/rivetkit/src/manager/driver.ts b/packages/rivetkit/src/manager/driver.ts
@@ -45,6 +45,13 @@ export interface ManagerDriver {
 	 * @internal
 	 */
 	readonly inspector?: ManagerInspector;
+
+	/**
+	 * Get or create the inspector access token.
+	 * @internal
+	 * @returns creates or returns existing inspector access token
+	 */
+	getOrCreateInspectorAccessToken: () => string;
 }
 
 export interface ManagerDisplayInformation {
diff --git a/packages/rivetkit/src/manager/router.ts b/packages/rivetkit/src/manager/router.ts
@@ -27,7 +27,7 @@ import type {
 	TestInlineDriverCallResponse,
 } from "@/driver-test-suite/test-inline-client-driver";
 import { createManagerInspectorRouter } from "@/inspector/manager";
-import { secureInspector } from "@/inspector/utils";
+import { isInspectorEnabled, secureInspector } from "@/inspector/utils";
 import {
 	type ActorsCreateRequest,
 	ActorsCreateRequestSchema,
@@ -436,7 +436,7 @@ export function createManagerRouter(
 		router as unknown as Hono,
 	);
 
-	if (runConfig.inspector?.enabled) {
+	if (isInspectorEnabled(runConfig, "manager")) {
 		if (!managerDriver.inspector) {
 			throw new Unsupported("inspector");
 		}
diff --git a/packages/rivetkit/src/registry/mod.ts b/packages/rivetkit/src/registry/mod.ts
@@ -1,7 +1,11 @@
 import { type Client, createClientWithDriver } from "@/client/client";
 import { configureBaseLogger, configureDefaultLogger } from "@/common/log";
 import { chooseDefaultDriver } from "@/drivers/default";
-import { getInspectorUrl } from "@/inspector/utils";
+import {
+	configureInspectorAccessToken,
+	getInspectorUrl,
+	isInspectorEnabled,
+} from "@/inspector/utils";
 import { createManagerRouter } from "@/manager/router";
 import pkg from "../../package.json" with { type: "json" };
 import {
@@ -58,11 +62,11 @@ export class Registry<A extends RegistryActors> {
 
 		// TODO: Find cleaner way of disabling by default
 		if (driver.name === "engine") {
-			config.inspector.enabled = false;
+			config.inspector.enabled = { manager: false, actor: true };
 			config.disableServer = true;
 		}
 		if (driver.name === "cloudflare-workers") {
-			config.inspector.enabled = false;
+			config.inspector.enabled = { manager: false, actor: true };
 			config.disableServer = true;
 			config.disableActorDriver = true;
 			config.noWelcome = true;
@@ -76,6 +80,7 @@ export class Registry<A extends RegistryActors> {
 
 		// Create router
 		const managerDriver = driver.manager(this.#config, config);
+		configureInspectorAccessToken(config, managerDriver);
 		const { router: hono } = createManagerRouter(
 			this.#config,
 			config,
@@ -92,7 +97,7 @@ export class Registry<A extends RegistryActors> {
 			definitions: Object.keys(this.#config.use).length,
 			...driverLog,
 		});
-		if (config.inspector?.enabled && managerDriver.inspector) {
+		if (isInspectorEnabled(config, "manager") && managerDriver.inspector) {
 			logger().info({ msg: "inspector ready", url: getInspectorUrl(config) });
 		}
 
@@ -106,8 +111,8 @@ export class Registry<A extends RegistryActors> {
 				const padding = " ".repeat(Math.max(0, 13 - k.length));
 				console.log(`  - ${k}:${padding}${v}`);
 			}
-			if (config.inspector?.enabled && managerDriver.inspector) {
-				console.log(`  - Inspector:    ${getInspectorUrl(config)}`);
+			if (isInspectorEnabled(config, "manager") && managerDriver.inspector) {
+				console.log(`  - Inspector:     ${getInspectorUrl(config)}`);
 			}
 			console.log();
 		}
diff --git a/packages/rivetkit/src/remote-manager-driver/mod.ts b/packages/rivetkit/src/remote-manager-driver/mod.ts
@@ -2,6 +2,7 @@ import * as cbor from "cbor-x";
 import type { Context as HonoContext } from "hono";
 import invariant from "invariant";
 import { deserializeActorKey, serializeActorKey } from "@/actor/keys";
+import { generateRandomString } from "@/actor/utils";
 import type { ClientConfig } from "@/client/client";
 import { noopNext } from "@/common/utils";
 import type {
@@ -252,4 +253,8 @@ export class RemoteManagerDriver implements ManagerDriver {
 	displayInformation(): ManagerDisplayInformation {
 		return { name: "Remote", properties: {} };
 	}
+
+	getOrCreateInspectorAccessToken() {
+		return generateRandomString();
+	}
 }
diff --git a/packages/rivetkit/src/test/mod.ts b/packages/rivetkit/src/test/mod.ts
@@ -5,7 +5,10 @@ import { type TestContext, vi } from "vitest";
 import { type Client, createClient } from "@/client/mod";
 import { chooseDefaultDriver } from "@/drivers/default";
 import { createFileSystemOrMemoryDriver } from "@/drivers/file-system/mod";
-import { getInspectorUrl } from "@/inspector/utils";
+import {
+	configureInspectorAccessToken,
+	getInspectorUrl,
+} from "@/inspector/utils";
 import { createManagerRouter } from "@/manager/router";
 import type { Registry } from "@/registry/mod";
 import { RunConfigSchema } from "@/registry/run-config";
@@ -27,6 +30,7 @@ function serve(registry: Registry<any>, inputConfig?: InputConfig): ServerType {
 	const runConfig = RunConfigSchema.parse(inputConfig);
 	const driver = inputConfig.driver ?? createFileSystemOrMemoryDriver(false);
 	const managerDriver = driver.manager(registry.config, config);
+	configureInspectorAccessToken(config, managerDriver);
 	const { router } = createManagerRouter(
 		registry.config,
 		runConfig,

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`export * from "./protocol/common";`
`2`	`2`	`export * from "./protocol/mod";`
	`3`	`+export * from "./utils";`