fix(envoy-client): add tls

[MasterPtato]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[MasterPtato]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• DO NOT MERGE: sandbox benches #4597
• fix(envoy-client): add tls #4595 👈 (View in Graphite)
• chore: fix driver test suite #4591
• chore: tunnel auth #4588
• chore: remove udb as a dependency of envoy-client #4587
• chore: revert actor v2 hack #4586
• fix: fix pool metadata protocol version refresh, rivetkit native ws #4585
• feat: US-001 - Define SqliteKv trait in rivetkit-sqlite-native #4584
• feat(rust/engine-runner): minimal rust engine runner #4289
• chore: delete kv channel #4583
• feat(engine): rust runner #4582
• chore: remove non-engine drivers #4574 : 1 other dependent PR (#4581 )
• feat: dynamic actors #4397
• fix: driver test suite & sqlite reliability #4559
• fix: remove serverless token #4572
• fix: misc token fixes #4569
• fix(pb): clean up actor stop decision handling #4566
• fix(envoy): use global instance, add signal handlers #4565
• chore: misc fixes, add pb snapshot test #4561
• fix(cache): make in memory cache global #4560
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: fix(envoy-client): add tls

The PRs main goal is clear and necessary — adding TLS to the envoy-client WebSocket connection. It also bundles two related bug fixes for the ProtocolVersionKey key layout and namespace subspace. Overall the changes look correct but I have a few concerns worth addressing.

---

TLS / crypto provider initialization

engine/sdks/rust/envoy-client/src/connection.rs

install_default() is a process-global, one-time operation. Calling it inside single_connection() means it runs on every reconnect in the retry loop. While it is safe (idempotent, error silently ignored), it creates and discards a CryptoProvider on every call after the first.

This should be initialized once before the retry loop — either in start_connection() or at the top of connection_loop(), or guarded by a std::sync::OnceLock.

---

Breaking key layout change in ProtocolVersionKey

engine/packages/pegboard/src/keys/runner_config.rs

The reordering moves PROTOCOL_VERSION from position 4 to the end of the tuple:

• Old: (RUNNER, CONFIG, DATA, PROTOCOL_VERSION, namespace_id, name)
• New: (RUNNER, CONFIG, DATA, namespace_id, name, PROTOCOL_VERSION)

The new layout is semantically correct — it matches the pattern of other keys in this file (DataKey, ByVariantKey) where namespace_id and name come before any trailing field identifier, enabling prefix/range scans by (namespace_id, name).

However, this is a breaking schema change — entries stored under the old key will be orphaned. The conn.rs fix (adding the namespace subspace) similarly changes where new entries are written vs. where old entries exist. If serverful pools are not yet in production this is fine as-is, but a note in the PR description clarifying intent would help.

---

Cosmetic change in resolve_actor_query.rs

The change collapses a chained method call to one line — purely cosmetic and unrelated to the PRs purpose. Harmless, but worth keeping separate in the future for focused diffs.

---

rivet-util-serde workspace declaration removed

The [workspace.dependencies.rivet-util-serde] section is removed from Cargo.toml, but engine/sdks/rust/envoy-client/Cargo.toml still has rivet-util-serde.workspace = true. The Cargo.lock still shows it as a resolved dependency so it compiles, but please confirm this removal was intentional and not accidental.

---

Summary

Area	Status
TLS feature (tokio-tungstenite + native certs)	Correct
Crypto provider init placement	Move out of reconnect loop
Key layout reordering (runner_config.rs)	Correct fix, schema-breaking — note intent
Namespace subspace in conn.rs write	Correct fix, same caveat
rivet-util-serde workspace removal	Verify intentional
Cosmetic cleanup in resolve_actor_query.rs	Fine