fix(guard): handle bypass preflight before query parse

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

• fix(pegboard): align drain grace defaults with stop threshold #4958 : 2 dependent PRs (#4960 , #4966 )
• fix(rivetkit): preserve bridge error messages #4959
• fix(rivetkit): fire abort signal on shutdown finalize #4957
• fix(rivetkit): use startup kv preload #4956
• fix(client): flatten skipReadyWait option #4955
• ci(publish): add manual preview publish flow #4954
• fix(depot): add ltx decode diagnostics #4953
• fix(universaldb): preserve plain set values #4952
• fix(universaldb): align versionstamp operand encoding #4951
• fix(rivetkit): export database provider types #4950
• wip: kitchen sink agentic loop finish #4949
• chore(rivetkit): note duplicate admission logic #4948
• test(rivetkit): cover bypass fetch header forwarding #4947
• feat(kitchen-sink): add actor probe controls #4946
• fix(gateway): split actor response wait errors #4945
• fix(guard): handle bypass preflight before query parse #4944 👈 (View in Graphite)
• feat(kitchen-sink): add mock agent event log copy #4943
• fix(kitchen-sink): default mock agent to local endpoint #4942
• test(rivetkit): enable driver lifecycle regressions #4941
• test(rivetkit): verify cached websocket db refs exceed grace #4940
• fix(rivetkit-core): keep sleeping actors reachable during grace #4939
• test(rivetkit): cover async websocket close db access #4938
• fix(rivetkit): keep actors awake until keepAwake work finishes #4937
• fix(rivetkit): persist native onSleep state on errors #4936
• fix(rivetkit-core): allow dispatch during sleep grace #4935
• fix(rivetkit): make duplicate sleep requests idempotent #4934
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Preview packages published to npm

Install with:

npm install rivetkit@pr-4944

All packages published as 0.0.0-pr.4944.cbab65f with tag pr-4944.

Engine binary is shipped via @rivetkit/engine-cli on linux-x64-musl, linux-arm64-musl, darwin-x64, and darwin-arm64. Windows users should use the release installer or set RIVET_ENGINE_BINARY.

Docker images:

docker pull rivetdev/engine:slim-cbab65f
docker pull rivetdev/engine:full-cbab65f

Individual packages

npm install rivetkit@pr-4944
npm install @rivetkit/react@pr-4944
npm install @rivetkit/rivetkit-napi@pr-4944
npm install @rivetkit/workflow-engine@pr-4944

[claude]

PR Review: fix(guard): handle bypass preflight before query parse

Overview

This PR fixes a bug where CORS preflight (OPTIONS) requests to the actor gateway would fail if query parameters were invalid — because parse_actor_path was called before the OPTIONS method check. The fix adds a lightweight is_actor_gateway_path function that checks only the path prefix (no query parsing) and gates the OPTIONS shortcut on it. The PR also renames runner_name → pool_name in QueryActorQuery::GetOrCreate and adds a bypass_connectable field to both query variants.

---

What's Good

• The fix is well-targeted: moving the OPTIONS check before parse_actor_path eliminates the class of preflight failures caused by malformed query params.
• is_actor_gateway_path is intentionally cheap — no serde, no alloc beyond a split iterator. The // double-slash guard mirrors the same guard in parse_actor_path, keeping the two in sync.
• The rvt-runner → rvt-pool rename uses a graceful fallback (rvt.pool.or(rvt.runner)) so existing clients aren't broken.
• New tests for is_actor_gateway_path and bypass_connectable bool parsing are correct and cover the key cases.

---

Issues

Bug: rvt-pool is not rejected for method=get

In build_actor_query, the get branch validates that disallowed params are absent, but only checks the old runner field — not the new pool field:

// engine/packages/guard/src/routing/actor_path.rs
"get" => {
    if rvt.input.is_some()
        || rvt.region.is_some()
        || rvt.crash_policy.is_some()
        || rvt.runner.is_some()   // pool not checked
    {
        return Err(errors::QueryGetDisallowedParams.build());
    }
    ...
}

A request like /gateway/lobby?rvt-namespace=ns&rvt-method=get&rvt-pool=default silently ignores pool, which should be an error. Fix: add || rvt.pool.is_some() to the condition. A corresponding test covering rvt-pool rejection for get is also missing (the existing rejects_runner_for_get_queries only exercises the legacy name).

Clippy lint: filter().next() in is_actor_gateway_path

base_path
    .split('/')
    .filter(|segment| !segment.is_empty())
    .next()
    == Some("gateway")

This triggers the clippy::filter_next lint. Use .find() instead:

base_path
    .split('/')
    .find(|segment| !segment.is_empty())
    == Some(&"gateway")

TODO left in production path

// engine/packages/guard/src/routing/pegboard_gateway/mod.rs
ParsedActorPath::Direct(path) => (
    ...
    // TODO:
    false,
),

bypass_connectable for direct actor paths is hardcoded to false with an unexplained // TODO:. Either wire it up (the token is already available from path.token) or document what is deferred and add a tracking entry in .agent/todo/ per repo convention.

---

Minor

• parses_bypass_connectable_query_bool_strings sends rvt-runner=default (the deprecated name). Adding a parallel case with rvt-pool=default would confirm both spellings work end-to-end.
• The error message check in rejects_runner_for_get_queries updated to say rvt-pool — the test name should also be updated to rejects_pool_for_get_queries (or a separate test added) to avoid confusion.

---

Summary

The preflight fix is correct and important. The two items that need attention before merging are the missing rvt.pool.is_some() check in the get validation branch (silent no-op today) and the Clippy lint in is_actor_gateway_path. The unresolved TODO should be either wired up or tracked.