
fix: runner alloc idx logic, api auth for actor get #4443

Open
MasterPtato wants to merge 1 commit into main from 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get

Conversation

@MasterPtato
Contributor

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@railway-app

railway-app bot commented Mar 17, 2026

🚅 Deployed to the rivet-pr-4443 environment in rivet-frontend

Service | Status | Updated (UTC)
frontend-cloud | 😴 Sleeping | Apr 4, 2026 at 12:50 pm
frontend-inspector | 😴 Sleeping | Mar 19, 2026 at 3:17 pm
website | ❌ Build Failed | Mar 17, 2026 at 7:41 pm
mcp-hub | ✅ Success | Mar 17, 2026 at 7:39 pm
ladle | ❌ Build Failed | Mar 17, 2026 at 7:38 pm

@pkg-pr-new

pkg-pr-new bot commented Mar 17, 2026


@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@4443

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@4443

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@4443

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@4443

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@4443

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@4443

@rivetkit/sqlite-vfs

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sqlite-vfs@4443

@rivetkit/traces

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/traces@4443

@rivetkit/workflow-engine

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/workflow-engine@4443

@rivetkit/virtual-websocket

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/virtual-websocket@4443

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@4443

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@4443

commit: 0277ea1

@claude

claude bot commented Mar 17, 2026

PR Review: fix runner alloc idx logic, api auth for actor get

Summary

This PR bundles two independent bug fixes:

  1. Runner alloc idx / eviction logic — Distinguishes eviction from a normal disconnect so that a draining runner's alloc index entry is not cleared on eviction (only on genuine disconnect). Also fixes update_alloc_idx to check DrainTsKey existence instead of the old alloc key existence when deciding whether to refresh the UpdatePing alloc entry.
  2. API auth bypass for actor get-by-id/key — Allows unauthenticated callers to fetch actors by actor_id / actor_ids / key in actors/list, matching the existing behavior of get_or_create and create.

Issues and Concerns

1. Security: auth bypass condition is too broad (significant)

The new condition:

if query.actor_ids.is_none() && query.actor_id.is_empty() && query.key.is_none() {
    ctx.auth().await?;
} else {
    ctx.skip_auth();
}

The key field alone is sufficient to skip auth, even without an actor_id. A caller who passes only key (but no actor IDs) and a valid name will hit the fanout path that returns potentially many actors across all datacenters. This may allow unauthenticated actor enumeration with just a key filter.

Consider restricting the bypass to only when direct actor IDs are provided (actor_ids or actor_id), and keeping auth required when only key is provided.

2. ToRunnerClose / ToClientClose still use the old error path (minor)

In tunnel_to_ws_task.rs, ToRunnerClose and ToClientClose still return Err(errors::WsError::Eviction.build()) rather than Ok(LifecycleResult::Evicted). This means a runner receiving an explicit close command via protocol message (rather than via the pubsub eviction topic) will still trigger ClearIdx on disconnect, since the eviction guard in lib.rs only catches Ok(LifecycleResult::Evicted). This seems like a pre-existing gap, but the new Evicted variant creates a subtle split in eviction handling that should be documented or unified.

3. LifecycleResult::Evicted result precedence is implicit (minor)

The result-reduction match in lib.rs does not have explicit arms for Evicted vs Closed. If both tasks complete as non-Aborted, the (res, _, _) fallthrough picks up the first result, making the precedence of Evicted over Closed implicit. Adding an explicit arm for Evicted would make the intent clearer.

4. Log field abbreviation (style)

In mark_eligible, the field notifs=?res.notifications uses an abbreviation. Per codebase conventions, use the full name: notifications=?res.notifications. The log message "non-empty update alloc idx response" is also vague — consider something like "unexpected notifications from update_alloc_idx during mark_eligible" to convey that this state is unexpected.


Positive Notes

  • The DrainTsKey / ExpiredTsKey separation fix is correct and symmetric across both runner.rs and runner2.rs. The root bug (writing ExpiredTsKey at drain time causing immediate expiry) is cleanly addressed.
  • The change from ?db_path to %db_path.display() in rocksdb/database.rs is a good improvement — Display via .display() gives a clean path string vs the quoted/escaped Debug output.
  • The LifecycleResult::Evicted variant is a clean way to distinguish eviction from normal close at the type level.

Missing Test Coverage

The PR checklist marks "I have added tests" as unchecked. The runner alloc idx state machine (drain vs. expired vs. eviction) is complex enough that a targeted integration test covering:

  • A draining runner being evicted not losing its alloc entry
  • A runner being evicted vs. disconnecting triggering the correct ClearIdx behavior

...would prevent regression. Given the existing test infrastructure, this should be achievable.
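The auth-gate issue raised in the review above, as an added example that is not code from the rivet repository: a Rust model of the PR's condition next to the narrower gate the review suggests (skip auth only when direct actor ids are given). The ListQuery field shapes and the sample queries are assumptions, not the project's types.

```rust
// Added example, not code from the rivet repository. It models the two
// variants of the actors/list auth gate discussed in the review. The field
// shapes (Option<Vec<String>> / Vec<String> / Option<String>) are assumptions
// inferred from the review's snippet; the sample queries are constructed.
#[derive(Debug, Default, Clone)]
pub struct ListQuery {
    pub name: Option<String>,
    pub actor_ids: Option<Vec<String>>,
    pub actor_id: Vec<String>,
    pub key: Option<String>,
}

/// Gate as quoted in the review: any of actor_ids, actor_id or key being
/// present skips auth, so a key-only filter reaches the fanout path
/// without authentication.
pub fn requires_auth_pr(q: &ListQuery) -> bool {
    q.actor_ids.is_none() && q.actor_id.is_empty() && q.key.is_none()
}

/// Gate the review suggests: auth is skipped only when the caller names
/// specific actors by id. A key filter alone still requires auth, and an
/// empty actor_ids list (assumed possible from the deserializer) does not
/// count as naming an actor.
pub fn requires_auth_suggested(q: &ListQuery) -> bool {
    let has_direct_ids = q.actor_ids.as_ref().map_or(false, |ids| !ids.is_empty())
        || !q.actor_id.is_empty();
    !has_direct_ids
}

/// Labels of the constructed queries that a gate lets through without auth,
/// so the difference between the two gates is visible on one run.
pub fn unauthenticated_cases(gate: fn(&ListQuery) -> bool) -> Vec<&'static str> {
    let cases: Vec<(&'static str, ListQuery)> = vec![
        ("bare list", ListQuery::default()),
        ("by id", ListQuery { actor_id: vec!["actor-123".into()], ..Default::default() }),
        ("by ids", ListQuery { actor_ids: Some(vec!["a".into(), "b".into()]), ..Default::default() }),
        ("empty ids", ListQuery { actor_ids: Some(vec![]), ..Default::default() }),
        ("key only", ListQuery { name: Some("chat".into()), key: Some("room-1".into()), ..Default::default() }),
    ];
    cases.into_iter().filter(|(_, q)| !gate(q)).map(|(label, _)| label).collect()
}

fn main() {
    println!("PR gate skips auth for: {:?}", unauthenticated_cases(requires_auth_pr));
    println!("suggested gate skips auth for: {:?}", unauthenticated_cases(requires_auth_suggested));
}
```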

MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 5b2bead to cfc4fad on March 17, 2026 20:38
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from cfc4fad to 65280b5 on March 18, 2026 22:12
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 65280b5 to 84dbf32 on March 21, 2026 01:55
MasterPtato mentioned this pull request on Mar 21, 2026
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 84dbf32 to 90c2e97 on March 24, 2026 00:30
MasterPtato mentioned this pull request on Mar 24, 2026
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch 5 times, most recently from b2f4422 to 7baeb4c on March 28, 2026 00:20
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch 2 times, most recently from 791a38d to d5c2eee on March 31, 2026 01:40
MasterPtato mentioned this pull request on Mar 31, 2026
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from d5c2eee to 5572d7e on March 31, 2026 22:24
MasterPtato mentioned this pull request on Mar 31, 2026
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 5572d7e to 98fbf07 on April 1, 2026 02:11
MasterPtato force-pushed the 03-17-fix_runner_alloc_idx_logic_api_auth_for_actor_get branch from 98fbf07 to fecf384 on April 2, 2026 02:47