feat: sqlite

[NathanFlurry]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
rivetkit-serverless	Error		Jan 2, 2026 8:02pm

3 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
rivet-cloud	Ignored		Jan 2, 2026 8:02pm
rivet-inspector	Ignored	Preview	Jan 2, 2026 8:02pm
rivet-site	Ignored	Preview	Jan 2, 2026 8:02pm

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat: implement actor sandbox example #4140
• chore: migrate sqlite vfs to native rust #4143
• chore: move sqlite-vfs to separate package #4142
• feat: sqlite #3666 👈 (View in Graphite)
• feat: use cases #4100 : 1 other dependent PR (#4124 )
• feat(dashboard): traces timeline ui #4056 : 1 other dependent PR (#4081 )
• fix(traces): separate entrypoints #4119 : 1 other dependent PR (#4126 )
• refactor(rivetkit): migrate granularly to zod v4 #4121
• fix(rivekit): stub traces in browser #4120
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Pull Request Review: SQLite Support

This PR adds SQLite database support to RivetKit with a custom KV-backed VFS implementation.

✅ Strengths

1. Solid Architecture - Clean separation between VFS layer and database providers with well-designed DatabaseProvider abstraction
2. Good Test Coverage - Comprehensive VFS tests and driver integration tests
3. Documentation - Examples follow template with clear READMEs

⚠️ Critical Issues

1. SQL Injection Vulnerability (rivetkit-typescript/packages/db/src/raw/mod.ts:36-38, 64-65)

The raw database wrapper accepts parameterized queries but doesn't bind them. The exec method only takes a callback, so parameters are ignored. This is misleading and potentially unsafe.

Fix: Either implement proper parameter binding or remove the args parameter.

2. Missing Error Handling in AsyncMutex (rivetkit-typescript/packages/sqlite-vfs/src/mod.ts:105-123)

If an error occurs between acquire and release, the mutex stays locked forever.

Fix: Add timeout support or document that callers MUST use try/finally.

High Priority Issues

3. Query Type Detection (rivetkit-typescript/packages/db/src/raw/mod.ts:45-63)

String-based query type detection is fragile and doesn't handle comments or CTEs.

4. Parameter Validation - getChunkKey and getMetaKey should validate inputs

5. Performance - Array operations could be optimized for large reads

Medium Priority

6. Incomplete Cleanup - Database cleanup might not handle all edge cases (failed close, journal files, KV cleanup)

7. Magic Numbers - CHUNK_SIZE and prefix bytes should be named constants

8. Code Duplication - Similar execute wrappers in multiple files

Security Concerns

1. Parameter binding doesn't work (SQL injection risk)
2. File paths should be validated (directory traversal)
3. Error messages might expose schema info

Test Coverage

Good: CRUD, persistence, transactions, large data, multiple databases, actor isolation

Missing: Error conditions, concurrent access, migration failures, cleanup, parameter binding, SQL injection tests

Action Items

Must Fix:

1. Fix or document parameter binding issue
2. Add error handling docs for AsyncMutex
3. Validate file paths

Should Fix:
4. Improve query type detection
5. Add error case tests
6. Document cleanup behavior

Summary

Well-architected implementation with good test coverage for happy paths. Main concerns are parameter binding (appears broken) and missing error handling.

Overall: ⚠️ Needs Revisions

The code is high quality but has a critical parameter binding issue that must be addressed.

Great work on the architecture! 🎉

[claude]

Pull Request Review: SQLite Support

This PR introduces SQLite support to RivetKit with a custom KV-backed VFS implementation.

🎯 Overall Assessment

Quality: High - Well-structured with good separation of concerns
Architecture: Strong - Clean abstraction layers
Risk Level: Medium - Complex VFS implementation

✅ Strengths

1. Clean architecture: VFS layer isolated from database provider logic
2. Per-instance isolation: Each SqliteVfs gets its own WASM module
3. Flexible providers: Both raw SQL and Drizzle ORM support
4. Schema versioning: BARE schema with embedded versioning
5. Efficient chunking: 4KB chunks with batch operations
6. Proper async mutex: Serializes open_v2 calls
7. Good test coverage: Driver test suite included

🔴 Critical Issues

1. SQL Injection Vulnerabilities (HIGH SEVERITY) ⚠️

Location: rivetkit-typescript/packages/rivetkit/fixtures/driver-test-suite/actor-db-raw.ts

Multiple actions use string interpolation instead of parameterized queries. Lines 18-20, 47-49, 58, 64-65, 73-75 are vulnerable.

Fix: Use parameterized queries as shown in examples/sqlite-raw/src/registry.ts

⚠️ Major Concerns

2. Memory Management - Native Database Cleanup

drivers/file-system/actor.ts:37 - Native SQLite databases are cached but never closed when actors are destroyed. This causes resource leaks.

3. Inconsistent Parameter Binding

The execute() method accepts variadic args but doesn't use them. The args are captured but never passed to wa-sqlite.

4. Query Return Type Ambiguity

execute() returns unknown[] but actually returns Record<string, unknown>[]. Update types for better type safety.

💡 Suggestions

5. Make CHUNK_SIZE configurable
6. Add tests for concurrent operations, large files, edge cases
7. Document VFS limitations and migration guide
8. List better-sqlite3 as optional peer dependency
9. Run and share benchmark results
10. Improve error handling consistency

🎯 Priority Action Items

Must Fix:

1. Fix SQL injection vulnerabilities (Critical)
2. Add database cleanup logic
3. Clarify parameter binding behavior

Should Fix:
4. Document migration path
5. Add comprehensive tests
6. Run benchmarks

🏁 Conclusion

Solid implementation with clever VFS design. SQL injection vulnerabilities must be fixed before merging.

Recommendation: Request changes for critical security issues.

---

Generated by Claude Code

[graphite-app]

Parameterized queries silently ignored: The execute method accepts ...args parameters but never uses them. The wa-sqlite exec method only takes a query string and callback, so any arguments passed are silently dropped. This could lead to SQL injection vulnerabilities if developers expect parameterized query support.

execute: async (query, ...args) => {
    // wa-sqlite doesn't support parameterized queries via exec()
    // Either document this limitation or use prepare/bind pattern
    if (args.length > 0) {
        throw new Error('Parameterized queries not supported. Use string interpolation carefully to avoid SQL injection.');
    }
    // ... rest of implementation
}

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Merge activity

• Feb 6, 8:22 AM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Feb 6, 8:23 AM UTC: CI is running for this pull request on a draft pull request (#4146) due to your merge queue CI optimization settings.
• Feb 6, 8:24 AM UTC: Merged by the Graphite merge queue via draft PR: #4146.