fix(envoy-client): complete command and request lifecycles

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(pegboard): stabilize actor2 validation and lifecycle #4804 : 2 dependent PRs (#4805 , #4808 )
• fix(pegboard): decode envoy actor eviction keys #4803
• fix(pegboard-envoy): subscribe before registering envoy #4802
• fix(envoy-client): clear processed_command_idx after ack send #4812
• fix(envoy-client): dedupe replayed commands by index #4811
• fix(envoy-client): complete command and request lifecycles #4801 👈 (View in Graphite)
• fix(envoy-protocol): advertise current protocol version #4800
• fix(guard): serialize gateway actor keys correctly #4655
• fix(rivetkit-native): expose full hibernation metadata to JS #4657
• chore(rivetkit): remove inline tests #4668
• fix(api): subscribe before namespace workflow dispatch #4654
• fix(rivetkit): restore hibernatable sockets and hydrate serverless starts #4658
• fix(pegboard): persist and replay hibernating requests #4656
• fix(rivetkit): keep internal error exposure behavior consistent #4661
• test(rivetkit): stabilize actor db driver tests #4664
• fix(test): stabilize lifecycle, sleep, queue, and run edge cases #4660 : 1 other dependent PR (#4665 )
• test(rivetkit): re-enable gateway URL and direct-registry coverage #4659
• fix(rivetkit): add lifecycle error retry and gateway HTTP routing #4666
• fix(rivetkit-core): remove legacy timeouts #4799
• docs: add replay guidance notes #4796
• fix(inspector): stream patched state updates #4795
• fix(rivetkit): refresh stale actor handles #4794
• test(rivetkit-napi): move private tests to crate root #4793
• test(rivetkit-core): move private tests to crate root #4792
• test(runner-configs): assert envoy protocol version #4791
• fix(serverless): split metadata protocol errors #4789 : 1 other dependent PR (#4790 )
• chore(sqlite): add open close lifecycle for envoy actors #4788
• fix(rivetkit): share lifecycle shutdown grace #4810
• fix(pegboard): move sqlite v1 migration into actor workflow #4787 : 1 other dependent PR (#4797 )
• test(rivetkit): cover c.db access from onWake/onSleep/onDestroy #4786
• fix(rivetkit-napi): run onMigrate before createState/onCreate/createVars #4785
• refactor(rivetkit-core): merge ready+started into lifecycle_started, drop redundant napi calls #4784
• fix(rivetkit): drain native sleep side tasks reliably #4782 : 1 other dependent PR (#4783 )
• fix(rivetkit): route raw request fetches to actors #4781
• fix(pegboard): refresh runner config after envoy connect #4778 : 2 other dependent PRs (#4779 , #4798 )
• chore(kitchen-sink): configurable endpoint #4766 : 2 other dependent PRs (#4754 , #4777 )
• refactor(rivetkit-core): rename StopReason to ShutdownKind and kill enum fallthroughs #4765
• chore(envoy-client): log command and event payloads #4751
• fix(rivetkit): minor sleep-cleanup follow-ups #4761
• docs(rivetkit): clean up stale setPreventSleep references in docs and JSDoc #4760
• docs(rivetkit): document keepAwake/waitUntil counter-arm race and surface bridge errors #4759
• test(engine): force overdue branch in alarm-during-sleep test with negative offset #4758
• fix(rivetkit-core): return stopping not starting when sleep/destroy called mid-shutdown #4757
• test(rivetkit): remove sleepWithPreventSleep fixture and tests #4756
• test(engine): add regression test for alarm-during-sleep-transition race #4755
• test(rivetkit-core): cover sleep/destroy guards and prevent_sleep no-op #4750
• docs: add keepAwake vs waitUntil table and internal sleep-sequence invariants #4749
• feat(rivetkit): expose c.keepAwake(promise) through native path #4748
• refactor(rivetkit): deprecate setPreventSleep to no-op in TypeScript #4747
• fix(rivetkit-core): enumerate non-drained counters in grace deadline warn log #4746
• fix(rivetkit-core): abort graceful cleanup task when grace deadline elapses #4745
• fix(rivetkit-core): error on sleep/destroy before startup or already-requested #4743
• fix(rivetkit-core): cap SerializeState shutdown timeout at 15s #4742
• refactor(rivetkit-core): remove prevent_sleep field and deprecate set_prevent_sleep to no-op #4741
• fix(api-public): remove orphan import_export actors module #4764
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Code Review: fix(envoy-client): complete command and request lifecycles

Three targeted fixes across the envoy-client. Overall the changes are correct and close real protocol holes. A few minor issues worth addressing are noted below.

---

engine/sdks/rust/envoy-client/src/actor.rs — send_fetch_error_response

Good fix. Before this PR, when the actor's fetch callback returned an error the code logged the error and returned without sending anything back over the tunnel, leaving the gateway request open indefinitely. The new send_fetch_error_response helper closes that lifecycle correctly.

Minor observations:

1. Hard-coded error body. The JSON body {"code":"envoy_fetch_failed","message":"actor fetch failed"} drops the actual error details. For internal/trusted paths (envoy → engine) this is fine from a security perspective, but the original error value is already logged and never surfaced. Consider adding a content-type: application/json header so downstream consumers do not have to guess at the body format. (The existing send_response path does not set this header either, so this is a pre-existing omission rather than a regression.)

2. message_index: 0 with stream: false. This correctly mirrors how send_response handles a non-streaming, single-shot response. Looks intentional and correct.

---

engine/sdks/rust/envoy-client/src/envoy.rs — send_command_ack after handle_commands

Good fix. Previously, command acknowledgements were only sent on the periodic ACK_COMMANDS_INTERVAL_MS timer (every 5 minutes). This meant the engine could wait up to 5 minutes before knowing the envoy had processed a CommandStartActor or CommandStopActor. The PR now sends an ack immediately after each batch of commands is processed, which is the correct behaviour.

No issues with this change.

---

engine/sdks/rust/envoy-client/src/events.rs — remove received_stop guard

Good fix. The old code only removed an actor entry from the local registry when a stopped event arrived and received_stop was true (i.e. a CommandStopActor had already been received). The deleted TODO comment explicitly acknowledged the gap: if the envoy disconnected after the actor stopped but before the stop command arrived, the actor entry would leak. Removing the actor unconditionally on a stopped-state event is correct because an actor cannot un-stop.

One minor follow-up item:

1. Dead parameter in test helper. The insert_actor helper in the #[cfg(test)] block still accepts a received_stop: bool argument and sets the field on the inserted entry. Since received_stop no longer affects actor removal, the parameter is now unused logic. Both call sites happen to pass true, but the stop_event_only_removes_the_stopped_generation test passes received_stop: false for the live actor — previously this was load-bearing; now it is dead. Consider removing the received_stop parameter from the test helper to avoid misleading future readers. The field on ActorEntry can likely be removed entirely in a follow-up since it is only set in commands.rs and its only consumer (the event guard) has been removed.

---

General observations

• Logging follows project conventions (tracing::error!(?error, ...)). No issues.
• No new std::sync::Mutex, no Mutex<HashMap>. No issues.
• No new _ => fall-through arms on enums. No issues.
• The PR is small, focused, and does not touch unrelated code.

---

Summary

All three fixes address real correctness gaps: stuck tunnel requests, delayed command acks, and actor entry leaks on reconnect. The changes are safe to merge. The only actionable item before merging is the stale received_stop parameter in the test helper, which is low-risk but should be cleaned up to avoid confusion. If the received_stop field on ActorEntry is now truly dead code, removing it in a follow-up would complete the simplification.