
fix: runner alloc idx logic, api auth for actor get #4443

Open
MasterPtato wants to merge 1 commit into main from 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get

@MasterPtato

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@railway-app

railway-app bot commented Mar 17, 2026

🚅 Deployed to the rivet-pr-4443 environment in rivet-frontend

Service Status Web Updated (UTC)
frontend-cloud 😴 Sleeping (View Logs) Web Mar 25, 2026 at 5:34 am
frontend-inspector 😴 Sleeping (View Logs) Web Mar 19, 2026 at 3:17 pm
website ❌ Build Failed (View Logs) Web Mar 17, 2026 at 7:41 pm
mcp-hub ✅ Success (View Logs) Web Mar 17, 2026 at 7:39 pm
ladle ❌ Build Failed (View Logs) Web Mar 17, 2026 at 7:38 pm

@pkg-pr-new

pkg-pr-new bot commented Mar 17, 2026

More templates

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@4443

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@4443

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@4443

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@4443

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@4443

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@4443

@rivetkit/sqlite-vfs

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sqlite-vfs@4443

@rivetkit/traces

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/traces@4443

@rivetkit/workflow-engine

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/workflow-engine@4443

@rivetkit/virtual-websocket

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/virtual-websocket@4443

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@4443

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@4443

commit: 84dbf32

@claude

claude bot commented Mar 17, 2026

PR Review: fix: runner alloc idx logic, api auth for actor get

Summary

This PR fixes two related issues: (1) runner allocation index logic during drain/eviction, and (2) API auth being required for actor lookups by specific IDs/keys. Overall the approach is correct, but I have some concerns worth discussing.


Concerns

1. Auth bypass logic may need clarification (security)

File: engine/packages/api-public/src/actors/list.rs

The comment says “Reading is allowed, list requires auth” — but this allows unauthenticated access to any actor when the caller knows its ID or key. Since ctx.auth() validates an admin token, this means admin auth is only needed to list all actors, but any caller who knows an actor ID can fetch it without credentials.

This may be intentional (e.g., actors have public-readable state by design), but the comment should clarify why unauthenticated reads are safe here — specifically, whether actor IDs/keys are considered non-secret or whether there is another access control layer downstream.

2. Incomplete eviction handling in tunnel_to_ws_task.rs

The PR changes the eviction_sub.next() path to return Ok(Err(LifecycleResult::Evicted)), which correctly skips clearing the alloc idx. However, other eviction paths in the same file still return Err(errors::WsError::Eviction.build()):

  • protocol::mk2::ToRunner::ToRunnerClose
  • protocol::ToRunner::ToClientClose

If ToRunnerClose / ToClientClose are sent as part of a drain/eviction flow, those paths would still incorrectly clear the alloc idx. It may be that these have distinct semantics (protocol-level close vs. eviction subscription signal), but if they can fire during an eviction it would undermine this fix.


Positives

  • Draining vs expired distinction — removing the redundant ExpiredTsKey write when setting Draining state (in both runner.rs and runner2.rs) and instead checking DrainTsKey explicitly in update_alloc_idx is a clean fix. Draining and expired are distinct states and conflating them was the root cause.

  • LifecycleResult::Evicted variant — threading the eviction signal back through the result type rather than using an error is a good use of the type system. It allows the eviction path to skip the alloc idx clear while still surfacing an error to the caller.

  • Path display fix — db_path=%db_path.display() over ?db_path is correct; % (Display) is more appropriate for user-visible paths than ? (Debug).

  • Removed “critical:” prefix from the error log — consistent with log style guidelines.

  • Warning log for non-empty notifications — useful diagnostic for catching unexpected update_alloc_idx responses during drain.

  • OpenAPI description for input — small but helpful documentation improvement.


Minor

The else block in lib.rs has else on its own line after }. Idiomatic Rust (and rustfmt) places it on the same line as }. Not blocking, but cargo fmt would change this.
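
The second concern in the review above (one eviction path signalling through the result type while the close-message paths still return an error) can be modelled in a few lines. This is an added example, not code from the PR or from Rivet: the `Event` enum, the `TaskResult` shape and both cleanup functions are hypothetical stand-ins built from the identifiers the review quotes.

```rust
// Added illustration. All names are hypothetical stand-ins modelled on the
// identifiers quoted in the review; this is not code from the PR.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum LifecycleResult {
    Evicted,
}

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum WsError {
    Eviction,
}

/// Constructed events the tunnel-to-WebSocket task can end on.
#[derive(Debug, Clone, Copy)]
pub enum Event {
    EvictionSub,   // eviction subscription fired
    ToRunnerClose, // protocol-level close message
    SocketClosed,  // ordinary shutdown
}

/// Assumed shape: outer Err is a hard error, inner Err a lifecycle signal.
pub type TaskResult = Result<Result<(), LifecycleResult>, WsError>;

pub fn tunnel_task(ev: Event) -> TaskResult {
    match ev {
        Event::EvictionSub => Ok(Err(LifecycleResult::Evicted)),
        Event::ToRunnerClose => Err(WsError::Eviction),
        Event::SocketClosed => Ok(Ok(())),
    }
}

/// Cleanup keyed only on the new variant: error-form evictions still clear.
pub fn clears_alloc_idx(res: &TaskResult) -> bool {
    !matches!(res, Ok(Err(LifecycleResult::Evicted)))
}

/// Cleanup that treats both eviction encodings alike (one possible follow-up).
pub fn clears_alloc_idx_all_paths(res: &TaskResult) -> bool {
    !matches!(res, Ok(Err(LifecycleResult::Evicted)) | Err(WsError::Eviction))
}

fn main() {
    for ev in [Event::EvictionSub, Event::ToRunnerClose, Event::SocketClosed] {
        let res = tunnel_task(ev);
        println!("{:?}: clear={} clear_all_paths={}", ev, clears_alloc_idx(&res), clears_alloc_idx_all_paths(&res));
    }
}
```

Whether the second cleanup function is the right behaviour depends on whether the close messages can arrive during a drain, which the page leaves open.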

@MasterPtato MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 5b2bead to cfc4fad Compare March 17, 2026 20:38
@MasterPtato MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from cfc4fad to 65280b5 Compare March 18, 2026 22:12
@MasterPtato MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 65280b5 to 84dbf32 Compare March 21, 2026 01:55
@MasterPtato MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 84dbf32 to 90c2e97 Compare March 24, 2026 00:30
@MasterPtato MasterPtato mentioned this pull request Mar 24, 2026
11 tasks
@MasterPtato MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 90c2e97 to ebdaa13 Compare March 24, 2026 00:36
@MasterPtato MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from ebdaa13 to 63b3a1f Compare March 25, 2026 00:05