chore: tunnel auth

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

• DO NOT MERGE: sandbox benches #4597 : 2 dependent PRs (#4599 , #4600 )
• fix(envoy-client): add tls #4595
• chore: fix driver test suite #4591
• chore: tunnel auth #4588 👈 (View in Graphite)
• chore: remove udb as a dependency of envoy-client #4587
• chore: revert actor v2 hack #4586
• fix: fix pool metadata protocol version refresh, rivetkit native ws #4585
• feat: US-001 - Define SqliteKv trait in rivetkit-sqlite-native #4584
• feat(rust/engine-runner): minimal rust engine runner #4289
• chore: delete kv channel #4583
• feat(engine): rust runner #4582
• chore: remove non-engine drivers #4574 : 1 other dependent PR (#4581 )
• feat: dynamic actors #4397
• fix: driver test suite & sqlite reliability #4559
• fix: remove serverless token #4572
• fix: misc token fixes #4569
• fix(pb): clean up actor stop decision handling #4566
• fix(envoy): use global instance, add signal handlers #4565
• chore: misc fixes, add pb snapshot test #4561
• fix(cache): make in memory cache global #4560
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: Tunnel Authorization

This PR implements tunnel authorization for pegboard-envoy and pegboard-runner by tracking authorized tunnel routes and validating incoming messages against the authorized set. It also adds trust boundary documentation to CLAUDE.md and cleans up unused dependencies.

Strengths:

• Authorization enforced at tunnel message boundary before publishing to UPS
• Lock-free scc::HashMap prevents race conditions (follows CLAUDE.md pattern for concurrent containers)
• Trust boundaries clearly documented in CLAUDE.md
• insert_async and contains_async do not hold locks across await points
• Authorization logic mirrored in both mk1 and mk2 handlers in both packages

Issues (Should Fix):

1. Disabled tests in pegboard-envoy. engine/packages/pegboard-envoy/tests/support/ws_to_tunnel_task.rs is entirely commented out with TODO: Use TestCtx. pegboard-runner has 4 comprehensive tests for mk1/mk2 auth but the envoy has none enabled. This gap should be resolved or tracked with a .agent/todo/ entry.

2. Missing design comment on authorization key. The key uses (gateway_id, request_id) but not message_index. This appears intentional but a short comment in handle_tunnel_message_mk2 / handle_tunnel_message_mk1 would clarify the intent for future maintainers.

Minor:
3. let _ = insert_async() in tunnel_to_ws_task.rs (both packages) discards the result without a comment explaining why (duplicate inserts for the same key are benign but this is not obvious).
4. Test helpers use magic byte arrays like [1, 2, 3, 4] for IDs. Named constants would improve readability.
5. pegboard-runner refactored handlers to accept max_payload_size as an explicit parameter; pegboard-envoy still reads it from config directly inside the function. Minor inconsistency that could confuse future maintenance.

Security Assessment:

• Authorization check correctly placed before UPS publish
• No bypass vector identified: authorized_tunnel_routes is only populated via the trusted tunnel_to_ws path
• Error messages intentionally generic to avoid leaking routing details

Overall: Core security logic is well-implemented and follows existing conventions. Main gap is the disabled envoy tests. Good to merge once that is tracked or resolved.

[MasterPtato]

Merge activity

• Apr 8, 8:52 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 8, 9:33 PM UTC: Graphite rebased this pull request as part of a merge.
• Apr 8, 9:34 PM UTC: @MasterPtato merged this pull request with Graphite.