fix: runner alloc idx logic, api auth for actor get

[MasterPtato]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[railway-app]

🚅 Deployed to the rivet-pr-4443 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
frontend-cloud	😴 Sleeping (View Logs)	Web	Mar 24, 2026 at 9:45 am
frontend-inspector	😴 Sleeping (View Logs)	Web	Mar 19, 2026 at 3:17 pm
website	❌ Build Failed (View Logs)	Web	Mar 17, 2026 at 7:41 pm
mcp-hub	✅ Success (View Logs)	Web	Mar 17, 2026 at 7:39 pm
ladle	❌ Build Failed (View Logs)	Web	Mar 17, 2026 at 7:38 pm

[MasterPtato]

• feat(pb): actors v3 #4463
• feat(ups): implement queue subs #4486
• feat(cache): add in flight deduping #4459
• fix(cache): clean up lib #4457
• fix(config): allow configuring topo dcs via map, fix pg ssl mode config #4456
• fix(api): dont 500 on cross dc response #4449
• chore: update byte units on frontend #4444
• fix: runner alloc idx logic, api auth for actor get #4443 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[pkg-pr-new]

More templates

• actor-actions
• actor-actions-vercel
• ai-agent
• ai-agent-vercel
• example-ai-and-user-generated-actors-freestyle
• chat-room
• chat-room-vercel
• example-cloudflare-workers
• example-cloudflare-workers-hono
• collaborative-document
• collaborative-document-vercel
• cross-actor-actions
• cross-actor-actions-vercel
• example-cursors
• example-cursors-raw-websocket
• example-cursors-raw-websocket-vercel
• example-cursors-vercel
• custom-serverless
• example-elysia
• example-experimental-durable-streams-ai-agent
• example-experimental-durable-streams-ai-agent-vercel
• geo-distributed-database
• geo-distributed-database-vercel
• hello-world
• hello-world-vercel
• example-hono
• hono-react
• hono-react-vercel
• example-kitchen-sink
• example-kitchen-sink-vercel
• multi-region-vercel
• multiplayer-game
• example-multiplayer-game-patterns
• example-multiplayer-game-patterns-vercel
• multiplayer-game-vercel
• native-websockets
• native-websockets-vercel
• next-js
• per-tenant-database
• per-tenant-database-vercel
• example-raw-fetch-handler
• example-raw-fetch-handler-vercel
• example-raw-websocket-handler
• example-raw-websocket-handler-proxy
• example-raw-websocket-handler-proxy-vercel
• example-raw-websocket-handler-vercel
• example-react
• example-react-vercel
• sandbox
• sandbox-coding-agent
• sandbox-coding-agent-vercel
• sandbox-vercel
• scheduling
• scheduling-vercel
• example-sqlite-drizzle
• example-sqlite-raw
• state
• state-vercel
• example-stream
• example-stream-vercel
• example-trpc

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@4443

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@4443

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@4443

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@4443

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@4443

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@4443

@rivetkit/sqlite-vfs

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sqlite-vfs@4443

@rivetkit/traces

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/traces@4443

@rivetkit/workflow-engine

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/workflow-engine@4443

@rivetkit/virtual-websocket

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/virtual-websocket@4443

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@4443

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@4443

commit: 84dbf32

[claude]

PR Review\n\nThis PR fixes two distinct issues: runner alloc idx logic during draining and API auth for actor list by ID.\n\n---\n\n### Auth change in list.rs\n\nThe new logic skips auth when actor_ids, actor_id, or key are provided. A few edge cases worth considering:\n\n- actor_ids is Option, so a caller sending actor_ids= (present but empty string) causes actor_ids.is_none() to be false, bypassing auth. The subsequent empty-string parse will fail with a 400 so there is no data leak, but this is a latent inconsistency worth closing.\n- key= (present but empty string) also skips auth and proceeds with an empty-key lookup. Worth verifying that downstream key resolution handles an empty string safely.\n- A short inline comment explaining why unauthenticated read-by-ID is safe would help future readers understand the intent.\n\n---\n\n### Runner eviction and alloc idx fix\n\nThe refactor from returning Err(WsError::Eviction) in tasks to Ok(Err(LifecycleResult::Evicted)) is cleaner and correct. The previous path short-circuited the ClearIdx operation in lib.rs because the error was indistinguishable from a normal connection failure. The new path correctly skips ClearIdx only on eviction, preserving the alloc idx entry for draining runners.\n\nThe cascading fix in update_alloc_idx.rs checking DrainTsKey instead of the presence of the old alloc key is the right abstraction. Checking drain state explicitly is more reliable and self-documenting than inferring intent from key existence.\n\n---\n\n### Removing ExpiredTsKey write on drain\n\nDraining and expiry are now correctly decoupled. Draining inhibits new allocation without marking the runner as fully unavailable. This is a meaningful semantic fix.\n\nRemoving the critical: prefix from the error log is appropriate now that the failure path is non-critical.\n\n---\n\n### Minor notes\n\n- Comment placement in lib.rs: the make-runner-immediately-ineligible comment sits between the closing brace of the if block and the else block. Moving it inside the else block would improve readability.\n- notifs logging in mark_eligible: good defensive logging. Consider whether non-empty notifications here represent a bug that should propagate as an error rather than just a warning, since mark_eligible is called during runner startup.\n- db_path display in rocksdb/database.rs: correct fix. PathBuf with debug format emits extra quotes and OS-specific escaping; Display is cleaner.