fix(core): not applying cors to POST /actors

[NathanFlurry]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-serverless	Error			Sep 26, 2025 0:17am

[claude]

Claude finished @NathanFlurry's task —— View job

---

PR Review: Fix CORS for POST /actors

I've thoroughly reviewed this pull request. Here's my analysis:

Todo List

• Read and analyze the changed file
• Understand the CORS fix implementation
• Check for potential bugs or issues
• Evaluate performance implications
• Assess security considerations
• Review test coverage needs
• Provide comprehensive feedback

Code Quality and Best Practices ✅

Positive aspects:

• The fix correctly changes cors: [cors] to middleware: [cors] which aligns with the proper @hono/zod-openapi API
• The change is consistent with the pattern used in GET and POST routes (lines 99, 225)
• Clean, minimal fix that addresses the root cause

Note on PR title: The PR title mentions "POST /actors" but the actual change is for the PUT /actors route (line 172). This appears to be a minor discrepancy in the title.

Potential Bugs or Issues ✅

No bugs identified:

• The change is semantically correct - cors was not a valid field name in the createRoute configuration object
• The fix properly applies CORS middleware to the PUT /actors route
• The middleware array pattern [cors] is correct and consistent with other routes

Performance Considerations ✅

Minimal performance impact:

• The change doesn't affect performance - it's purely a configuration fix
• CORS middleware was already being applied at the router level (line 87), so this ensures consistent application
• No additional overhead introduced

Security Concerns ✅

Security improvement:

• Important: This fix actually improves security posture by ensuring CORS policies are properly applied to the PUT /actors endpoint
• Without proper CORS configuration, browsers might not enforce CORS restrictions correctly, potentially allowing unauthorized cross-origin requests
• The fix ensures consistent CORS behavior across all actor management endpoints (GET, PUT, POST)

Test Coverage 📝

Considerations for testing:

• Consider adding integration tests to verify CORS headers are properly set on PUT /actors requests
• Test that preflight OPTIONS requests are handled correctly for PUT /actors
• Verify that the fix doesn't break existing functionality

Additional Observations

1. Consistency: All three actor routes (GET, PUT, POST) now use the same middleware: [cors] pattern
2. Documentation: The code is well-structured with clear route comments
3. Error handling: Proper error handling is maintained throughout the router

Recommendation: ✅ APPROVE

This is a clean, necessary fix that resolves a CORS configuration issue for the PUT /actors endpoint. The change is minimal, correct, and improves the security posture of the application by ensuring CORS policies are properly applied.

Minor suggestion: Consider updating the PR title to reflect that this fixes the PUT /actors route rather than POST /actors.

---

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix: fix connection dead #1306
• fix(core): fix raw websocket nonexistent #1304
• chore(core): upgrade hono #1303
• fix(core): not applying cors to POST /actors #1302 👈 (View in Graphite)
• chore(example): update chat example #1301 : 1 other dependent PR (#1299 )
• fix(core): fix passing incorrect actor input to create #1300
• fix(inspector): allow connection to inspector when using engine driver #1269
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[pkg-pr-new]

More templates

• example-ai-agent
• example-better-auth-external-db
• chat-room
• example-cloudflare-workers
• example-cloudflare-workers-hono
• counter
• example-crdt
• example-database
• example-sqlite
• example-elysia
• example-express
• example-game
• example-hono
• example-hono-react
• example-next-js
• example-rate
• example-raw-fetch-handler
• example-raw-websocket-handler-proxy
• example-react
• starter
• example-stream
• example-sync
• example-tenant
• example-trpc

@rivetkit/actor

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/actor@1302

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/cloudflare-workers@1302

@rivetkit/core

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/core@1302

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/db@1302

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/framework-base@1302

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/next-js@1302

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/react@1302

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivetkit@1302

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/sql-loader@1302

commit: 2cab026

[claude]

Claude finished @NathanFlurry's task —— View job

---

PR Review: Fix CORS for PUT /actors

Todo List

• Read and analyze the changed file
• Understand the CORS fix implementation
• Check for potential bugs or issues
• Evaluate performance implications
• Assess security considerations
• Review test coverage needs
• Provide comprehensive feedback

Code Quality and Best Practices ✅

Positive aspects:

• The fix correctly changes cors: [cors] to middleware: [cors] on line 172 which aligns with the proper @hono/zod-openapi API
• The change is consistent with the pattern used in GET and POST routes (lines 99, 225)
• Clean, minimal fix that addresses the root cause
• Code follows the repository's TypeScript and formatting standards

Note on PR title: The PR title mentions "POST /actors" but the actual change is for the PUT /actors route (line 172). This appears to be a minor discrepancy in the title.

Potential Bugs or Issues ✅

No bugs identified:

• The change is semantically correct - cors was not a valid field name in the createRoute configuration object
• The fix properly applies CORS middleware to the PUT /actors route
• The middleware array pattern [cors] is correct and consistent with other routes
• All three actor management routes (GET line 99, PUT line 172, POST line 225) now use identical middleware: [cors] configuration

Performance Considerations ✅

Minimal performance impact:

• The change doesn't affect performance - it's purely a configuration fix
• CORS middleware was already being applied at the router level (line 87), so this ensures consistent application
• No additional overhead introduced - just proper middleware configuration

Security Concerns ✅

Security improvement:

• Important: This fix actually improves security posture by ensuring CORS policies are properly applied to the PUT /actors endpoint
• Without proper CORS configuration, browsers might not enforce CORS restrictions correctly, potentially allowing unauthorized cross-origin requests
• The fix ensures consistent CORS behavior across all actor management endpoints (GET, PUT, POST)
• CORS middleware is properly configured with runConfig.cors settings (lines 82-84)

Test Coverage 📝

Considerations for testing:

• Consider adding integration tests to verify CORS headers are properly set on PUT /actors requests
• Test that preflight OPTIONS requests are handled correctly for PUT /actors
• Verify that the fix doesn't break existing functionality
• Test CORS behavior with various origins and request methods

Additional Observations

1. Consistency: All three actor routes (GET, PUT, POST) now use the same middleware: [cors] pattern
2. Code structure: The router is well-organized with clear route definitions and proper error handling
3. Configuration: CORS middleware is properly configured based on runConfig.cors settings
4. API patterns: The code follows OpenAPI patterns correctly with proper request/response schemas

Recommendation: ✅ APPROVE

This is a clean, necessary fix that resolves a CORS configuration issue for the PUT /actors endpoint. The change is minimal, correct, and improves the security posture of the application by ensuring CORS policies are properly applied.

Minor suggestion: Consider updating the PR title to reflect that this fixes the PUT /actors route rather than POST /actors for accuracy.

---

[claude]

Claude finished @NathanFlurry's task —— View job

---

PR Review: Fix CORS for POST /actors

Todo List

• Read and analyze the changed file
• Understand the CORS fix implementation
• Check for potential bugs or issues
• Evaluate performance implications
• Assess security considerations
• Review test coverage needs
• Provide comprehensive feedback

Code Quality and Best Practices ✅

Positive aspects:

• The fix correctly changes cors: [cors] to middleware: [cors] which aligns with the proper @hono/zod-openapi API
• The change is consistent with the pattern used in GET and POST routes (packages/rivetkit/src/manager/router.ts:99, packages/rivetkit/src/manager/router.ts:225)
• Clean, minimal fix that addresses the root cause

Note on PR title: The PR title mentions "POST /actors" but the actual change is for the PUT /actors route (packages/rivetkit/src/manager/router.ts:172). This appears to be a minor discrepancy in the title.

Potential Bugs or Issues ✅

No bugs identified:

• The change is semantically correct - cors was not a valid field name in the createRoute configuration object
• The fix properly applies CORS middleware to the PUT /actors route
• The middleware array pattern [cors] is correct and consistent with other routes

Performance Considerations ✅

Minimal performance impact:

• The change doesn't affect performance - it's purely a configuration fix
• CORS middleware was already being applied at the router level (packages/rivetkit/src/manager/router.ts:87), so this ensures consistent application
• No additional overhead introduced

Security Concerns ✅

Security improvement:

• Important: This fix actually improves security posture by ensuring CORS policies are properly applied to the PUT /actors endpoint
• Without proper CORS configuration, browsers might not enforce CORS restrictions correctly, potentially allowing unauthorized cross-origin requests
• The fix ensures consistent CORS behavior across all actor management endpoints (GET, PUT, POST)

Test Coverage 📝

Considerations for testing:

• Consider adding integration tests to verify CORS headers are properly set on PUT /actors requests
• Test that preflight OPTIONS requests are handled correctly for PUT /actors
• Verify that the fix doesn't break existing functionality

Additional Observations

1. Consistency: All three actor routes (GET, PUT, POST) now use the same middleware: [cors] pattern
2. Documentation: The code is well-structured with clear route comments
3. Error handling: Proper error handling is maintained throughout the router

Recommendation: ✅ APPROVE

This is a clean, necessary fix that resolves a CORS configuration issue for the PUT /actors endpoint. The change is minimal, correct, and improves the security posture of the application by ensuring CORS policies are properly applied.

Minor suggestion: Consider updating the PR title to reflect that this fixes the PUT /actors route rather than POST /actors.

---

[claude]

Claude finished @NathanFlurry's task —— View job

---

PR Review: Fix CORS for PUT /actors

Todo List

• Read and analyze the changed file
• Understand the CORS fix implementation
• Check for potential bugs or issues
• Evaluate performance implications
• Assess security considerations
• Review test coverage needs
• Provide comprehensive feedback

Code Quality and Best Practices ✅

Positive aspects:

• The fix correctly changes cors: [cors] to middleware: [cors] on line 172 which aligns with the proper @hono/zod-openapi API
• The change is consistent with the pattern used in GET and POST routes (lines 99, 225)
• Clean, minimal fix that addresses the root cause
• Code follows the repository's TypeScript and formatting standards

Note on PR title: The PR title mentions "POST /actors" but the actual change is for the PUT /actors route (line 172). This appears to be a minor discrepancy in the title.

Potential Bugs or Issues ✅

No bugs identified:

• The change is semantically correct - cors was not a valid field name in the createRoute configuration object
• The fix properly applies CORS middleware to the PUT /actors route
• The middleware array pattern [cors] is correct and consistent with other routes
• All three actor management routes (GET line 99, PUT line 172, POST line 225) now use identical middleware: [cors] configuration

Performance Considerations ✅

Minimal performance impact:

• The change doesn't affect performance - it's purely a configuration fix
• CORS middleware was already being applied at the router level (line 87), so this ensures consistent application
• No additional overhead introduced - just proper middleware configuration

Security Concerns ✅

Security improvement:

• Important: This fix actually improves security posture by ensuring CORS policies are properly applied to the PUT /actors endpoint
• Without proper CORS configuration, browsers might not enforce CORS restrictions correctly, potentially allowing unauthorized cross-origin requests
• The fix ensures consistent CORS behavior across all actor management endpoints (GET, PUT, POST)
• CORS middleware is properly configured with runConfig.cors settings (lines 82-84)

Test Coverage 📝

Considerations for testing:

• Consider adding integration tests to verify CORS headers are properly set on PUT /actors requests
• Test that preflight OPTIONS requests are handled correctly for PUT /actors
• Verify that the fix doesn't break existing functionality
• Test CORS behavior with various origins and request methods

Additional Observations

1. Consistency: All three actor routes (GET, PUT, POST) now use the same middleware: [cors] pattern
2. Code structure: The router is well-organized with clear route definitions and proper error handling
3. Configuration: CORS middleware is properly configured based on runConfig.cors settings
4. API patterns: The code follows OpenAPI patterns correctly with proper request/response schemas

Recommendation: ✅ APPROVE

This is a clean, necessary fix that resolves a CORS configuration issue for the PUT /actors endpoint. The change is minimal, correct, and improves the security posture of the application by ensuring CORS policies are properly applied.

Minor suggestion: Consider updating the PR title to reflect that this fixes the PUT /actors route rather than POST /actors for accuracy.

---

[claude]

Claude finished @NathanFlurry's task —— View job

---

PR Review: Fix CORS for PUT /actors

Todo List

• Read and analyze the changed file
• Understand the CORS fix implementation
• Check for potential bugs or issues
• Evaluate performance implications
• Assess security considerations
• Review test coverage needs
• Provide comprehensive feedback

Code Quality and Best Practices ✅

Positive aspects:

• The fix correctly changes cors: [cors] to middleware: [cors] which aligns with the proper @hono/zod-openapi API
• The change is consistent with the pattern used in GET and POST routes (packages/rivetkit/src/manager/router.ts:99, packages/rivetkit/src/manager/router.ts:225)
• Clean, minimal fix that addresses the root cause
• Code follows the repository's TypeScript and formatting standards

Note on PR title: The PR title mentions "POST /actors" but the actual change is for the PUT /actors route (packages/rivetkit/src/manager/router.ts:172). This appears to be a minor discrepancy in the title.

Potential Bugs or Issues ✅

No bugs identified:

• The change is semantically correct - cors was not a valid field name in the createRoute configuration object
• The fix properly applies CORS middleware to the PUT /actors route
• The middleware array pattern [cors] is correct and consistent with other routes
• All three actor management routes (GET line 99, PUT line 172, POST line 225) now use identical middleware: [cors] configuration

Performance Considerations ✅

Minimal performance impact:

• The change doesn't affect performance - it's purely a configuration fix
• CORS middleware was already being applied at the router level (packages/rivetkit/src/manager/router.ts:87), so this ensures consistent application
• No additional overhead introduced - just proper middleware configuration

Security Concerns ✅

Security improvement:

• Important: This fix actually improves security posture by ensuring CORS policies are properly applied to the PUT /actors endpoint
• Without proper CORS configuration, browsers might not enforce CORS restrictions correctly, potentially allowing unauthorized cross-origin requests
• The fix ensures consistent CORS behavior across all actor management endpoints (GET, PUT, POST)
• CORS middleware is properly configured with runConfig.cors settings (lines 82-84)

Test Coverage 📝

Considerations for testing:

• Consider adding integration tests to verify CORS headers are properly set on PUT /actors requests
• Test that preflight OPTIONS requests are handled correctly for PUT /actors
• Verify that the fix doesn't break existing functionality
• Test CORS behavior with various origins and request methods

Additional Observations

1. Consistency: All three actor routes (GET, PUT, POST) now use the same middleware: [cors] pattern
2. Code structure: The router is well-organized with clear route definitions and proper error handling
3. Configuration: CORS middleware is properly configured based on runConfig.cors settings
4. API patterns: The code follows OpenAPI patterns correctly with proper request/response schemas

Recommendation: ✅ APPROVE

This is a clean, necessary fix that resolves a CORS configuration issue for the PUT /actors endpoint. The change is minimal, correct, and improves the security posture of the application by ensuring CORS policies are properly applied.

Minor suggestion: Consider updating the PR title to reflect that this fixes the PUT /actors route rather than POST /actors for accuracy.

---

[claude]

Claude finished @NathanFlurry's task —— View job

---

PR Review: Fix CORS for PUT /actors

Todo List

• Read and analyze the changed file
• Understand the CORS fix implementation
• Check for potential bugs or issues
• Evaluate performance implications
• Assess security considerations
• Review test coverage needs
• Provide comprehensive feedback

Code Quality and Best Practices ✅

Positive aspects:

• The fix correctly changes cors: [cors] to middleware: [cors] on line 172 which aligns with the proper @hono/zod-openapi API
• The change is consistent with the pattern used in GET and POST routes (lines 99, 225)
• Clean, minimal fix that addresses the root cause
• Code follows the repository's TypeScript and formatting standards

Note on PR title: The PR title mentions "POST /actors" but the actual change is for the PUT /actors route (line 172). This appears to be a minor discrepancy in the title.

Potential Bugs or Issues ✅

No bugs identified:

• The change is semantically correct - cors was not a valid field name in the createRoute configuration object
• The fix properly applies CORS middleware to the PUT /actors route
• The middleware array pattern [cors] is correct and consistent with other routes
• All three actor management routes (GET line 99, PUT line 172, POST line 225) now use identical middleware: [cors] configuration

Performance Considerations ✅

Minimal performance impact:

• The change doesn't affect performance - it's purely a configuration fix
• CORS middleware was already being applied at the router level (line 87), so this ensures consistent application
• No additional overhead introduced - just proper middleware configuration

Security Concerns ✅

Security improvement:

• Important: This fix actually improves security posture by ensuring CORS policies are properly applied to the PUT /actors endpoint
• Without proper CORS configuration, browsers might not enforce CORS restrictions correctly, potentially allowing unauthorized cross-origin requests
• The fix ensures consistent CORS behavior across all actor management endpoints (GET, PUT, POST)
• CORS middleware is properly configured with runConfig.cors settings (lines 82-84)

Test Coverage 📝

Considerations for testing:

• Consider adding integration tests to verify CORS headers are properly set on PUT /actors requests
• Test that preflight OPTIONS requests are handled correctly for PUT /actors
• Verify that the fix doesn't break existing functionality
• Test CORS behavior with various origins and request methods

Additional Observations

1. Consistency: All three actor routes (GET, PUT, POST) now use the same middleware: [cors] pattern
2. Code structure: The router is well-organized with clear route definitions and proper error handling
3. Configuration: CORS middleware is properly configured based on runConfig.cors settings
4. API patterns: The code follows OpenAPI patterns correctly with proper request/response schemas

Recommendation: ✅ APPROVE

This is a clean, necessary fix that resolves a CORS configuration issue for the PUT /actors endpoint. The change is minimal, correct, and improves the security posture of the application by ensuring CORS policies are properly applied.

Minor suggestion: Consider updating the PR title to reflect that this fixes the PUT /actors route rather than POST /actors for accuracy.

---

[claude]

Claude finished @NathanFlurry's task —— View job

---

PR Review: Fix CORS for PUT /actors

Todo List

• Read and analyze the changed file
• Understand the CORS fix implementation
• Check for potential bugs or issues
• Evaluate performance implications
• Assess security considerations
• Review test coverage needs
• Provide comprehensive feedback

Code Quality and Best Practices ✅

Positive aspects:

• The fix correctly changes cors: [cors] to middleware: [cors] on line 172, which aligns with the proper @hono/zod-openapi API
• The change is consistent with the pattern used in GET and POST routes (packages/rivetkit/src/manager/router.ts:99, packages/rivetkit/src/manager/router.ts:225)
• Clean, minimal fix that addresses the root cause
• Code follows the repository's TypeScript and formatting standards

Note on PR title: The PR title mentions "POST /actors" but the actual change is for the PUT /actors route (line 172). This appears to be a minor discrepancy in the title.

Potential Bugs or Issues ✅

No bugs identified:

• The change is semantically correct - cors was not a valid field name in the createRoute configuration object
• The fix properly applies CORS middleware to the PUT /actors route
• The middleware array pattern [cors] is correct and consistent with other routes
• All three actor management routes (GET line 99, PUT line 172, POST line 225) now use identical middleware: [cors] configuration

Performance Considerations ✅

Minimal performance impact:

• The change doesn't affect performance - it's purely a configuration fix
• CORS middleware was already being applied at the router level (packages/rivetkit/src/manager/router.ts:87), so this ensures consistent application
• No additional overhead introduced - just proper middleware configuration

Security Concerns ✅

Security improvement:

• Important: This fix actually improves security posture by ensuring CORS policies are properly applied to the PUT /actors endpoint
• Without proper CORS configuration, browsers might not enforce CORS restrictions correctly, potentially allowing unauthorized cross-origin requests
• The fix ensures consistent CORS behavior across all actor management endpoints (GET, PUT, POST)
• CORS middleware is properly configured with runConfig.cors settings (lines 82-84)

Test Coverage 📝

Considerations for testing:

• Consider adding integration tests to verify CORS headers are properly set on PUT /actors requests
• Test that preflight OPTIONS requests are handled correctly for PUT /actors
• Verify that the fix doesn't break existing functionality
• Test CORS behavior with various origins and request methods

Additional Observations

1. Consistency: All three actor routes (GET, PUT, POST) now use the same middleware: [cors] pattern
2. Code structure: The router is well-organized with clear route definitions and proper error handling
3. Configuration: CORS middleware is properly configured based on runConfig.cors settings
4. API patterns: The code follows OpenAPI patterns correctly with proper request/response schemas

Recommendation: ✅ APPROVE

This is a clean, necessary fix that resolves a CORS configuration issue for the PUT /actors endpoint. The change is minimal, correct, and improves the security posture of the application by ensuring CORS policies are properly applied.

Minor suggestion: Consider updating the PR title to reflect that this fixes the PUT /actors route rather than POST /actors for accuracy.

---

[graphite-app]

Merge activity

• Sep 25, 11:36 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Sep 25, 11:36 PM UTC: CI is running for this pull request on a draft pull request (#1307) due to your merge queue CI optimization settings.
• Sep 25, 11:37 PM UTC: Merged by the Graphite merge queue via draft PR: #1307.