🚅 Deployed to the rivet-pr-4680 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
kitchen-sink	❌ Build Failed (View Logs)	Web	Apr 24, 2026 at 12:32 pm
website	😴 Sleeping (View Logs)	Web	Apr 22, 2026 at 8:58 am
frontend-cloud	❌ Build Failed (View Logs)	Web	Apr 22, 2026 at 8:46 am
frontend-inspector	❌ Build Failed (View Logs)	Web	Apr 22, 2026 at 8:46 am
mcp-hub	✅ Success (View Logs)	Web	Apr 22, 2026 at 8:45 am
ladle	❌ Build Failed (View Logs)	Web	Apr 20, 2026 at 12:09 am

• chore: sqlite v1 to v2 data migration #4692 : 2 dependent PRs (#4640 , #4701 )
• chore: move rivetkit to task model #4680 👈 (View in Graphite)
• chore: rivetkit to rust #4679
• feat(rivetkit): sqlite vfs v2 #4673
• chore: rename sandbox -> kitchen sink #4671 : 1 other dependent PR (#4672 )
• chore: configure TLS trust roots for rustls clients #4667
• fix(rivetkit): update config to match envoys & remove manager references #4663
• chore(publish): pin docker base image refs #4652
• chore(engine): publish engine bases in ci #4649 : 2 other dependent PRs (#4650 , #4666 )
• chore: lockfile lefthook #4647
• fix(rivetkit): surface native sqlite kv errors to callers #4645
• fix(rivetkit): prevent sleep races during disconnect and db work #4644
• fix(rivetkit): isolate engine envoys and propagate startup failures #4643
• test(rivetkit): remove wasm sqlite-only fixtures and coverage #4642
• chore(sqlite-vfs): remove wasm sqlite packages and workspace wiring #4641
• chore(rivetkit): remove wasm sqlite runtime #4614
• fix(sqlite-native): restore native startup kv preload #4639
• fix(sqlite-native): delete metadata before chunk range #4638
• fix(sqlite-native): keep truncate cache coherent #4637
• fix(sqlite-vfs): use delete range for truncate cleanup #4636
• fix(sqlite-native): restore kv error hook #4635
• perf(sqlite-native): avoid cloning cached read chunks #4634
• perf(sqlite-native): gate kv operation labels #4633
• perf(sqlite-native): reuse read cache for partial writes #4632
• perf(sqlite-native): remove delete file existence probe #4631
• fix(sqlite-native): gate native read cache behind env var #4630
• fix(pegboard): isolate runner config dc lookup failures #4625 : 1 other dependent PR (#4626 )
• docs(pegboard): note runner config upsert split write risk #4624
• fix(pegboard): unpack global runner config keys correctly #4623
• fix(pegboard-gateway): enforce tunnel message state #4622
• fix(pegboard-runner): clear terminal tunnel routes #4621
• fix(pegboard): skip protocol version keys in runner pool backfill #4620
• fix(pegboard): create missing normal runner configs #4619
• fix(epoxy): reuse cached optimistic value #4618
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Code Review: PR #4680 - chore: move rivetkit to task model

Overview

This is a substantial refactor (~33k lines changed across 218 files) that replaces the old implicit event-loop/lifecycle model in rivetkit-core with an explicit task-based model. The core change is a new ActorTask struct in task.rs (1,646 lines) with a tokio::select! event loop, replacing the deleted lifecycle.rs. Key supporting additions: task_types.rs, work_registry.rs, and the new async_counter.rs utility primitive.

Positive Aspects

• Clean state machine: ShutdownPhase enum and install_shutdown_step drive a well-structured, sequential shutdown with RAII and panic catching via AssertUnwindSafe.
• Event-driven drains: The old 10ms poll loops in sleep.rs are replaced with AsyncCounter::wait_zero(deadline) and Notify, significantly more efficient and correct.
• WorkRegistry/RegionGuard: Clean RAII-based work tracking with atomic counters. The panic-unwind test is a nice safety net.
• async_counter.rs: Well-designed lock-free primitive with correct Relaxed increment / AcqRel decrement / Acquire load ordering. The enable-before-check pattern for notified() correctly avoids the TOCTOU race.
• Buffered actor messages: New buffered_actor_messages in EnvoyContext fixes the race where WebSocket messages arrive before actor registration.
• Hibernation restore as shared map: Moving HWS restore from ToActor::HwsRestore channel message to pending_hibernation_restores removes an ordering dependency between the envoy loop and actor init.
• Test coverage: 2,932-line tests/modules/task.rs with good breadth including shutdown hooks, lifecycle events, and time-controlled tests.

Issues

Issue 1 - Convention Violation: Mutex<HashMap> in envoy-client/src/context.rs

pub actors: Arc<StdMutex<HashMap<String, HashMap<u32, SharedActorEntry>>>>,
pub live_tunnel_requests: Arc<StdMutex<HashMap<[u8; 8], String>>>,
pub pending_hibernation_restores: Arc<StdMutex<HashMap<String, Vec<HibernatingWebSocketMetadata>>>>,

CLAUDE.md explicitly prohibits this: "Never use Mutex<HashMap<...>> or RwLock<HashMap<...>>. Use scc::HashMap (preferred)." These three fields should be scc::HashMap.

Issue 2 - Tracing Style Violations in task.rs

Two tracing::warn! calls embed reason_label directly in the message string, violating the structured logging convention:

tracing::warn!("{reason_label} shutdown timed out waiting for shutdown tasks");
tracing::warn!("{reason_label} shutdown timed out after disconnect callbacks");

Should use structured fields:

tracing::warn!(reason = reason_label, "shutdown timed out waiting for shutdown tasks");

All other warn/error calls in the same function correctly use reason = reason_label as a structured field.

Issue 3 - Double can_sleep().await in on_sleep_tick

on_sleep_tick checks can_sleep(), and if it returns No, calls reset_sleep_deadline() which calls can_sleep() again. The state could change between the two awaits. Consider capturing the result of the first can_sleep() call and threading it into reset_sleep_deadline.

Issue 4 - #[allow(dead_code)] on WorkRegistry and impl WorkRegistry

Both the struct and its impl block carry #[allow(dead_code)]. If fields are truly unused they should be removed; if they are used transitively through SleepController, the attribute should be dropped.

Issue 5 - Unnecessary Re-acquire After teardown() in SleepController

Once teardown_started is set, track_shutdown_task rejects all new tasks. The final re-lock to write the drained JoinSet back is unnecessary; it can simply be dropped after shutdown().await.

Minor Observations

• CountGuard type alias: pub(crate) type CountGuard = RegionGuard; - these represent different concepts (active regions vs task counts). A brief doc comment would help prevent future confusion.
• Test hooks use global OnceLock state: SHUTDOWN_CLEANUP_HOOK, LIFECYCLE_EVENT_HOOK, SHUTDOWN_REPLY_HOOK are process-global statics. Tests using these hooks need to run sequentially. Document this constraint.
• Draft status / checklist: All boxes are unchecked. website/src/content/docs/actors/lifecycle.mdx was touched - verify it is consistent with the new task model before marking ready.

Summary

The architectural direction is sound. The explicit task model with event-driven drains is a meaningful improvement over the previous polling-based lifecycle. Items to address before merge:

1. Replace StdMutex<HashMap> with scc::HashMap in envoy-client/src/context.rs (three fields)
2. Fix the two tracing format string style violations in task.rs
3. Remove the unnecessary re-lock after teardown() in SleepController::teardown