rivet-dev
diff --git a/‎CLAUDE.md‎
Lines changed: 7 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎Cargo.lock‎
Lines changed: 42 additions & 27 deletions b/‎Cargo.lock‎
Lines changed: 42 additions & 27 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 2 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎engine/packages/pools/Cargo.toml‎
Lines changed: 0 additions & 1 deletion b/‎engine/packages/pools/Cargo.toml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎examples/sandbox/package.json‎
Lines changed: 1 addition & 0 deletions b/‎examples/sandbox/package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/sandbox/vite.config.ts‎
Lines changed: 1 addition & 0 deletions b/‎examples/sandbox/vite.config.ts‎
Lines changed: 1 addition & 0 deletions
@@ -350,6 +350,13 @@ let error_with_meta = ApiRateLimited { limit: 100, reset_at: 1234567890 }.build(
 
 - Never build a new reqwest client from scratch. Use `rivet_pools::reqwest::client().await?` to access an existing reqwest client instance.
 
+## TLS Trust Roots
+
+- For rustls-based outbound TLS clients (`tokio-tungstenite`, `reqwest`), always enable BOTH `rustls-tls-native-roots` and `rustls-tls-webpki-roots` together so the crates build a union root store — operator-installed corporate CAs work via native, and empty native stores (Distroless / Cloud Run / Alpine without `ca-certificates`) fall through to the bundled Mozilla list.
+- Pinned in workspace `Cargo.toml` (`tokio-tungstenite`) and in `rivetkit-rust/packages/client/Cargo.toml` (`reqwest` + `tokio-tungstenite`). Never enable only one: native-only breaks on Distroless, webpki-only silently breaks corporate CAs.
+- Engine-internal HTTPS clients on `hyper-tls` / `native-tls` (workspace `reqwest`, ClickHouse pool, guard HTTP proxy) intentionally stay on OpenSSL — they run in operator-controlled containers and already honor the system trust store.
+- Bump `webpki-roots` periodically so the bundled Mozilla CA list does not go stale.
+
 ## Documentation
 
 - When talking about "Rivet Actors" make sure to capitalize "Rivet Actor" as a proper noun and lowercase "actor" as a generic noun
 
@@ -134,7 +134,6 @@ members = [
   testcontainers = "0.24"
   thiserror = "1.0.64"
   tokio-cron-scheduler = "0.13.0"
-  tokio-native-tls = "0.3.1"
   tokio-stream = "0.1.15"
   tokio-util = "0.7"
   tower = "0.5"
@@ -147,7 +146,7 @@ members = [
 
     [workspace.dependencies.tokio-tungstenite]
     version = "0.26.0"
-    features = [ "rustls-tls-native-roots" ]
+    features = [ "rustls-tls-native-roots", "rustls-tls-webpki-roots" ]
 
     [workspace.dependencies.vergen]
     version = "9.0.4"
 
@@ -21,7 +21,6 @@ rivet-util.workspace = true
 serde.workspace = true
 tempfile.workspace = true
 thiserror.workspace = true
-tokio-native-tls.workspace = true
 tokio-util.workspace = true
 tokio.workspace = true
 tracing-logfmt.workspace = true