test(engine): cover envoy Sleep crash policy wake and recovery paths

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• test(engine): cover envoy Sleep crash policy wake and recovery paths #4816 👈 (View in Graphite)
• refactor(sqlite-storage): extract DBHead to vbare-versioned protocol crate #4815
• refactor(sqlite-storage): rename SqliteOrigin variants for clarity #4814
• fix(sqlite-storage): allow invalidate_v1_migration on non-migrating META #4813
• test(engine): stabilize runner and envoy suites #4809
• fix(pegboard): reject empty actor kv values #4808
• fix(pegboard): stabilize actor2 validation and lifecycle #4804 : 1 other dependent PR (#4805 )
• fix(pegboard): decode envoy actor eviction keys #4803
• fix(pegboard-envoy): subscribe before registering envoy #4802
• fix(envoy-client): clear processed_command_idx after ack send #4812
• fix(envoy-client): dedupe replayed commands by index #4811
• fix(envoy-client): complete command and request lifecycles #4801
• fix(envoy-protocol): advertise current protocol version #4800
• fix(guard): serialize gateway actor keys correctly #4655
• fix(rivetkit-native): expose full hibernation metadata to JS #4657
• chore(rivetkit): remove inline tests #4668
• fix(api): subscribe before namespace workflow dispatch #4654
• fix(rivetkit): restore hibernatable sockets and hydrate serverless starts #4658
• fix(pegboard): persist and replay hibernating requests #4656
• fix(rivetkit): keep internal error exposure behavior consistent #4661
• test(rivetkit): stabilize actor db driver tests #4664
• fix(test): stabilize lifecycle, sleep, queue, and run edge cases #4660 : 1 other dependent PR (#4665 )
• test(rivetkit): re-enable gateway URL and direct-registry coverage #4659
• fix(rivetkit): add lifecycle error retry and gateway HTTP routing #4666
• fix(rivetkit-core): remove legacy timeouts #4799
• docs: add replay guidance notes #4796
• fix(inspector): stream patched state updates #4795
• fix(rivetkit): refresh stale actor handles #4794
• test(rivetkit-napi): move private tests to crate root #4793
• test(rivetkit-core): move private tests to crate root #4792
• test(runner-configs): assert envoy protocol version #4791
• fix(serverless): split metadata protocol errors #4789 : 1 other dependent PR (#4790 )
• chore(sqlite): add open close lifecycle for envoy actors #4788
• fix(rivetkit): share lifecycle shutdown grace #4810
• fix(pegboard): move sqlite v1 migration into actor workflow #4787 : 1 other dependent PR (#4797 )
• test(rivetkit): cover c.db access from onWake/onSleep/onDestroy #4786
• fix(rivetkit-napi): run onMigrate before createState/onCreate/createVars #4785
• refactor(rivetkit-core): merge ready+started into lifecycle_started, drop redundant napi calls #4784
• fix(rivetkit): drain native sleep side tasks reliably #4782 : 1 other dependent PR (#4783 )
• fix(rivetkit): route raw request fetches to actors #4781
• fix(pegboard): refresh runner config after envoy connect #4778 : 2 other dependent PRs (#4779 , #4798 )
• chore(kitchen-sink): configurable endpoint #4766 : 2 other dependent PRs (#4754 , #4777 )
• refactor(rivetkit-core): rename StopReason to ShutdownKind and kill enum fallthroughs #4765
• chore(envoy-client): log command and event payloads #4751
• fix(rivetkit): minor sleep-cleanup follow-ups #4761
• docs(rivetkit): clean up stale setPreventSleep references in docs and JSDoc #4760
• docs(rivetkit): document keepAwake/waitUntil counter-arm race and surface bridge errors #4759
• test(engine): force overdue branch in alarm-during-sleep test with negative offset #4758
• fix(rivetkit-core): return stopping not starting when sleep/destroy called mid-shutdown #4757
• test(rivetkit): remove sleepWithPreventSleep fixture and tests #4756
• test(engine): add regression test for alarm-during-sleep-transition race #4755
• test(rivetkit-core): cover sleep/destroy guards and prevent_sleep no-op #4750
• docs: add keepAwake vs waitUntil table and internal sleep-sequence invariants #4749
• feat(rivetkit): expose c.keepAwake(promise) through native path #4748
• refactor(rivetkit): deprecate setPreventSleep to no-op in TypeScript #4747
• fix(rivetkit-core): enumerate non-drained counters in grace deadline warn log #4746
• fix(rivetkit-core): abort graceful cleanup task when grace deadline elapses #4745
• fix(rivetkit-core): error on sleep/destroy before startup or already-requested #4743
• fix(rivetkit-core): cap SerializeState shutdown timeout at 15s #4742
• refactor(rivetkit-core): remove prevent_sleep field and deprecate set_prevent_sleep to no-op #4741
• fix(api-public): remove orphan import_export actors module #4764
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review

PR: test(engine): cover envoy Sleep crash policy wake and recovery paths

This is a clean, additive test-only PR that covers three previously untested crash/sleep/wake scenarios. The tests are well-structured and consistent with the surrounding file conventions. A few observations below.

---

Issues

1. No timeout guard on initial sleep-wait polling loops (moderate)

In both envoy_crash_policy_sleep_wakes_on_request and envoy_crash_policy_sleep_recovers_after_wake_crash, the loop waiting for sleep_ts.is_some() && connectable_ts.is_none() has no inner timeout. If that transition never happens, the test will hang silently until the outer common::run budget expires (75s and 90s), making failures hard to diagnose. A tokio::time::timeout wrapping the loop with a descriptive panic message would make failures actionable without changing behavior:

tokio::time::timeout(Duration::from_secs(30), async {
    loop {
        // ... poll sleep_ts ...
    }
})
.await
.expect("actor did not enter crash-induced sleep within 30s");

This is consistent with the 30s inner guard already used for the connectable-wait loop in those same tests.

2. Exact crash count assertion may be brittle (low)

In envoy_crash_policy_sleep_recovers_after_wake_crash, assert_eq!(*crash_count.lock(), 2) assumes the engine will call the actor handler exactly twice. If the workflow internally retries within a single pegboard generation before surfacing a sleep state, the count could exceed 2 without the test's logic being wrong. Either document why exactly 2 is guaranteed by CrashNTimesThenSucceedActor::new(2, ...), or use assert!(*crash_count.lock() >= 2) to be defensive.

3. Discarded JoinHandle in spawn_wake_ping (cosmetic)

The spawned task's handle is silently dropped. If the test runtime exits before the task fires, the wake ping is cancelled without any diagnostic. This is fine in practice given the test structure, but a short comment explaining the fire-and-forget intent (similar to the existing comment) keeps it clear for readers.

---

Test Coverage

The three new tests cover:

• Wake from crash-induced sleep via incoming request (happy path).
• Multi-crash recovery (crash → sleep → wake → crash → sleep → wake → connectable).
• crash_policy field persistence at actor creation time.

One gap worth noting (out of scope for this PR): there is no test for timeout-based wake, where the actor wakes from sleep after the sleep deadline expires with no incoming request.

---

Summary

No blocking issues. The main actionable items before leaving DRAFT are the missing inner timeout guard on the sleep-wait loops (for diagnosability) and clarifying or softening the exact crash-count assertion. Otherwise this is ready to review.