fix(rivetkit): skip User-Agent header on browser fetches

[abcxff]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[railway-app]

🚅 Deployed to the rivet-pr-4980 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
frontend-inspector	😴 Sleeping (View Logs)	Web	May 6, 2026 at 1:12 am
website	😴 Sleeping (View Logs)	Web	May 6, 2026 at 1:11 am
frontend-cloud	😴 Sleeping (View Logs)	Web	May 6, 2026 at 1:09 am
mcp-hub	✅ Success (View Logs)	Web	May 6, 2026 at 1:00 am
kitchen-sink	❌ Build Failed (View Logs)	Web	May 6, 2026 at 1:00 am
ladle	❌ Build Failed (View Logs)	Web	May 6, 2026 at 1:00 am

[abcxff]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(rivetkit): skip User-Agent header on browser fetches #4980 👈 (View in Graphite)
• fix(cors): use explicit header allowlist fallback instead of wildcard #4965
• DO NOT MERGE: fix(engine-runner): send StopCode.Ok for engine-initiated stops #4861
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR #4980 Code Review

Overview

This PR bundles three distinct fixes into a release-candidate bump from 2.2.1 to 2.2.2-rc.1:

1. fix(rivetkit): skip User-Agent header on browser fetches — primary bug fix
2. fix(frontend): replace zod/v4 import with standard domain regex — removes a build-breaking import
3. fix(frontend): downgrade zod to 3.24.x to fix vite build — pins zod to 3.24.4 for the frontend

The bulk of the diff (190+ lines) is version bumps across package manifests.

---

Fix 1: User-Agent header skipped in browser environments

Files: rivetkit-typescript/packages/rivetkit/src/utils.ts, src/client/utils.ts

What changed:

• httpUserAgent() return type widened from string to string | undefined
• When in a browser context (typeof document !== 'undefined'), _userAgent is cached as null and the function returns undefined
• At the call site, the header is conditionally spread only when a user agent is available

Browser detection heuristic: typeof document !== 'undefined' is a reasonable and widely-used check.

• Service Workers / Web Workers both run in a browser origin but have no document. The check would set a User-Agent header in those environments, which is correct behavior.
• SSR / Next.js: server-side render runs in a Node.js context where document is undefined; the custom user agent will be set there, which is the intended behavior.

Cache pattern concern: The three-state sentinel (undefined = unchecked, null = browser, string = computed) followed by _userAgent ?? undefined to convert null back to undefined works correctly but is slightly convoluted. An explicit if (_userAgent === null) return undefined branch would be clearer.

No tests added. A unit test mocking document existence would be straightforward and would prevent regressions.

---

Fix 2: Replace zod/v4 import with a hand-rolled domain regex

File: frontend/src/app/serverless-connection-check.tsx

The replacement regex matches standard domain names per RFC 952/1123 label rules with a TLD of at least 2 alpha characters. Minor note: a bare single-label hostname like myhost (no dots) passes because the repeating group can match zero times. This is acceptable because localhost is already short-circuited separately, and bare internal hostnames are unlikely to be valid connection endpoints in this context.

The change correctly eliminates the build-breaking zod/v4 import.

---

Fix 3: Zod downgrade in frontend

Files: frontend/package.json, frontend/packages/components/package.json

The version is now pinned to 3.24.4 (no ^ or ~). This avoids accidentally picking up a breaking 3.x version, but also means security patches and non-breaking fixes in the 3.24.x line won't be pulled in automatically. Explicit pinning is defensible for a release-candidate, but should be un-pinned once the underlying Vite/Zod compatibility is resolved.

Note: some example package.json files still specify "zod": "^4.1.0" while the frontend is pinned to 3.24.4. This is intentional (separate packages), but is worth flagging for contributors.

---

Summary

Area	Severity	Finding
httpUserAgent() browser detection	Low	typeof document heuristic is correct; edge cases (Workers) behave as intended
Three-state cache pattern	Low	Works correctly but slightly indirect; explicit null branch would be clearer
No test for browser UA suppression	Medium	A unit test mocking document would prevent regressions
DOMAIN_REGEX single-label match	Low	Bare hostnames pass; acceptable given localhost is already short-circuited
Zod pinned to exact 3.24.4	Low	Intentional workaround; should be un-pinned once Vite compat is resolved
PR description is empty template	Info	The body is the default PR template with no description of what was fixed or why

The core logic changes are correct and address real browser-compatibility and build-breaking bugs. Main actionable gaps: (1) add a unit test for httpUserAgent() browser suppression to prevent regressions, and (2) fill out the PR description to explain the three distinct fixes and their root causes.

[pkg-pr-new]

More templates

• actor-actions
• actor-actions-vercel
• example-agent-os
• example-agent-os-e2e
• ai-agent
• ai-agent-vercel
• example-ai-and-user-generated-actors-freestyle
• chat-room
• chat-room-vercel
• example-cloudflare-workers
• example-cloudflare-workers-hono
• collaborative-document
• collaborative-document-vercel
• cross-actor-actions
• cross-actor-actions-vercel
• example-cursors
• example-cursors-raw-websocket
• example-cursors-raw-websocket-vercel
• example-cursors-vercel
• custom-serverless
• example-elysia
• example-experimental-durable-streams-ai-agent
• example-experimental-durable-streams-ai-agent-vercel
• geo-distributed-database
• geo-distributed-database-vercel
• hello-world
• hello-world-vercel
• example-hono
• hono-react
• hono-react-vercel
• example-kitchen-sink
• example-kitchen-sink-vercel
• multi-region-vercel
• multiplayer-game
• example-multiplayer-game-patterns
• example-multiplayer-game-patterns-vercel
• multiplayer-game-vercel
• native-websockets
• native-websockets-vercel
• next-js
• per-tenant-database
• per-tenant-database-vercel
• example-raw-fetch-handler
• example-raw-fetch-handler-vercel
• example-raw-websocket-handler
• example-raw-websocket-handler-proxy
• example-raw-websocket-handler-proxy-vercel
• example-raw-websocket-handler-vercel
• example-react
• example-react-vercel
• sandbox
• sandbox-coding-agent
• sandbox-coding-agent-vercel
• sandbox-vercel
• scheduling
• scheduling-vercel
• example-sqlite-drizzle
• example-sqlite-raw
• state
• state-vercel
• example-stream
• example-stream-vercel
• example-trpc

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@4980

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@4980

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@4980

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@4980

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@4980

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@4980

@rivetkit/sqlite-vfs

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sqlite-vfs@4980

@rivetkit/traces

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/traces@4980

@rivetkit/workflow-engine

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/workflow-engine@4980

@rivetkit/virtual-websocket

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/virtual-websocket@4980

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@4980

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@4980

commit: 05112c0