fix(envoy-client): clear processed_command_idx after ack send

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(pegboard): stabilize actor2 validation and lifecycle #4804 : 2 dependent PRs (#4805 , #4808 )
• fix(pegboard): decode envoy actor eviction keys #4803
• fix(pegboard-envoy): subscribe before registering envoy #4802
• fix(envoy-client): clear processed_command_idx after ack send #4812 👈 (View in Graphite)
• fix(envoy-client): dedupe replayed commands by index #4811
• fix(envoy-client): complete command and request lifecycles #4801
• fix(envoy-protocol): advertise current protocol version #4800
• fix(guard): serialize gateway actor keys correctly #4655
• fix(rivetkit-native): expose full hibernation metadata to JS #4657
• chore(rivetkit): remove inline tests #4668
• fix(api): subscribe before namespace workflow dispatch #4654
• fix(rivetkit): restore hibernatable sockets and hydrate serverless starts #4658
• fix(pegboard): persist and replay hibernating requests #4656
• fix(rivetkit): keep internal error exposure behavior consistent #4661
• test(rivetkit): stabilize actor db driver tests #4664
• fix(test): stabilize lifecycle, sleep, queue, and run edge cases #4660 : 1 other dependent PR (#4665 )
• test(rivetkit): re-enable gateway URL and direct-registry coverage #4659
• fix(rivetkit): add lifecycle error retry and gateway HTTP routing #4666
• fix(rivetkit-core): remove legacy timeouts #4799
• docs: add replay guidance notes #4796
• fix(inspector): stream patched state updates #4795
• fix(rivetkit): refresh stale actor handles #4794
• test(rivetkit-napi): move private tests to crate root #4793
• test(rivetkit-core): move private tests to crate root #4792
• test(runner-configs): assert envoy protocol version #4791
• fix(serverless): split metadata protocol errors #4789 : 1 other dependent PR (#4790 )
• chore(sqlite): add open close lifecycle for envoy actors #4788
• fix(rivetkit): share lifecycle shutdown grace #4810
• fix(pegboard): move sqlite v1 migration into actor workflow #4787 : 1 other dependent PR (#4797 )
• test(rivetkit): cover c.db access from onWake/onSleep/onDestroy #4786
• fix(rivetkit-napi): run onMigrate before createState/onCreate/createVars #4785
• refactor(rivetkit-core): merge ready+started into lifecycle_started, drop redundant napi calls #4784
• fix(rivetkit): drain native sleep side tasks reliably #4782 : 1 other dependent PR (#4783 )
• fix(rivetkit): route raw request fetches to actors #4781
• fix(pegboard): refresh runner config after envoy connect #4778 : 2 other dependent PRs (#4779 , #4798 )
• chore(kitchen-sink): configurable endpoint #4766 : 2 other dependent PRs (#4754 , #4777 )
• refactor(rivetkit-core): rename StopReason to ShutdownKind and kill enum fallthroughs #4765
• chore(envoy-client): log command and event payloads #4751
• fix(rivetkit): minor sleep-cleanup follow-ups #4761
• docs(rivetkit): clean up stale setPreventSleep references in docs and JSDoc #4760
• docs(rivetkit): document keepAwake/waitUntil counter-arm race and surface bridge errors #4759
• test(engine): force overdue branch in alarm-during-sleep test with negative offset #4758
• fix(rivetkit-core): return stopping not starting when sleep/destroy called mid-shutdown #4757
• test(rivetkit): remove sleepWithPreventSleep fixture and tests #4756
• test(engine): add regression test for alarm-during-sleep-transition race #4755
• test(rivetkit-core): cover sleep/destroy guards and prevent_sleep no-op #4750
• docs: add keepAwake vs waitUntil table and internal sleep-sequence invariants #4749
• feat(rivetkit): expose c.keepAwake(promise) through native path #4748
• refactor(rivetkit): deprecate setPreventSleep to no-op in TypeScript #4747
• fix(rivetkit-core): enumerate non-drained counters in grace deadline warn log #4746
• fix(rivetkit-core): abort graceful cleanup task when grace deadline elapses #4745
• fix(rivetkit-core): error on sleep/destroy before startup or already-requested #4743
• fix(rivetkit-core): cap SerializeState shutdown timeout at 15s #4742
• refactor(rivetkit-core): remove prevent_sleep field and deprecate set_prevent_sleep to no-op #4741
• fix(api-public): remove orphan import_export actors module #4764
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Code Review

Overview

This PR fixes a memory management issue in envoy-client by clearing processed_command_idx entries after the command ack is sent to pegboard-envoy. The two-line change to call signature + the cleanup loop together address a scenario where the dedup map grows unboundedly for long-lived processes with many actor lifecycles.

---

Correctness: Scope of the Clear is Right

The cleanup loop iterates last_command_checkpoints, which is built from ctx.actors — meaning only currently active actors get their entries cleared. Entries for already-stopped actors (the ones that survive remove_actor intentionally) are untouched. This is correct per the field's doc comment:

Persists across remove_actor so a replayed CommandStartActor for an already-stopped actor cannot resurrect it.

---

Race Condition (Acknowledged TODO)

The TODO comment is accurate and well-written. The specific scenario:

1. ws_send returns (bytes accepted by OS)
2. processed_command_idx entries cleared ← this PR
3. WS drops / pegboard-envoy crashes before committing the FDB clear_range
4. Reconnect → pegboard-envoy replays the commands
5. No dedup entry → CommandStartActor re-executes → live actor gets replaced

The window is narrow (bytes in flight vs. FDB commit), but it exists. A proper fix would require an explicit ack-of-ack from pegboard-envoy before clearing. Leaving this as a TODO is acceptable, but consider filing it in .agent/todo/ so it doesn't get lost.

---

Minor Issues

Unnecessary full-Vec clone (commands.rs:108)

last_command_checkpoints: last_command_checkpoints.clone(),

The clone is needed because last_command_checkpoints is later iterated to build the removal keys. But cloning the whole Vec<ActorCheckpoint> (each entry contains a heap-allocated String UUID) is avoidable. Prefer extracting keys before the send to keep the original ownership clear:

// Extract keys before consuming last_command_checkpoints
let keys_to_remove: Vec<(String, u32)> = last_command_checkpoints
    .iter()
    .map(|cp| (cp.actor_id.clone(), cp.generation))
    .collect();

ws_send(
    &ctx.shared,
    protocol::ToRivet::ToRivetAckCommands(protocol::ToRivetAckCommands {
        last_command_checkpoints,  // moved, no clone
    }),
)
.await;

for key in keys_to_remove {
    ctx.processed_command_idx.remove(&key);
}

This is semantically clearer (the original goes into the wire message) and avoids allocating a second copy of the index: i64 fields.

Inner clone in the removal loop (commands.rs:124)

ctx.processed_command_idx.remove(&(cp.actor_id.clone(), cp.generation));

HashMap::remove requires an owned key here because the key type is (String, u32). If this ever becomes a hot path, HashMap<(Arc<str>, u32), i64> would allow remove with a borrow. Not a blocker for this change.

---

What's NOT Addressed (pre-existing)

• Stopped-actor entries accumulate forever. After remove_actor, entries stay in processed_command_idx indefinitely. This is intentional to block resurrection, but there's no pruning once pegboard-envoy has confirmed it deleted those commands from FDB. This PR doesn't make it worse, but the map will keep growing for processes that run many actor lifecycles.

---

Checklist

• Signature change &EnvoyContext → &mut EnvoyContext is minimal and correct
• Only active actors (in ctx.actors) are cleared; stopped-actor dedup protection preserved
• Race condition is documented with an actionable TODO
• PR description not filled out (template only) — please describe the motivation
• Consider tracking the ack-of-ack TODO in .agent/todo/
• Minor: restructure to avoid the full-Vec clone