fix(pegboard): validate drain_grace_period < request_lifespan

[abcxff]

when drain_grace_period >= request_life_span, we get undefined behaviour. This enforces this on the server side befoe pool config is upserted

[abcxff]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• DO NOT MERGE: queue diagnose #5050
• fix(rivetkit): keep actor alive while workflow waits for queue messages #5052
• [slop]fix(workflow-engine): only commit step state after success #5010
• temp: fix wasm-pack #5048
• fix(rivetkit): bind methods through createWriteThroughProxy #4987
• feat(rivetkit): add ConnectionMap readonly Map wrapper for actor connections #5047
• fix(rivetkit-core): chunk apply_batch puts/deletes at 128 #5046
• fix(pegboard): validate drain_grace_period < request_lifespan #4998 👈 (View in Graphite)
• chore(rivetkit): log inspector errors + standardize pino errorKey error #4986
• fix(rivetkit): remove async drizzle db proxy #4984 : 2 other dependent PRs (#4985 , #4991 )
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[railway-app]

🚅 Deployed to the rivet-pr-4998 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
kitchen-sink	❌ Build Failed (View Logs)	Web	May 12, 2026 at 1:21 pm
website	😴 Sleeping (View Logs)	Web	May 9, 2026 at 2:23 am
mcp-hub	✅ Success (View Logs)	Web	May 7, 2026 at 8:18 pm
frontend-cloud	❌ Build Failed (View Logs)	Web	May 7, 2026 at 8:18 pm
frontend-inspector	❌ Build Failed (View Logs)	Web	May 7, 2026 at 8:18 pm
ladle	❌ Build Failed (View Logs)	Web	May 7, 2026 at 8:15 pm

[claude]

PR Review: fix(pegboard): validate drain_grace_period < request_lifespan

Overview

This PR adds a server-side validation in pegboard_runner_config_upsert that enforces drain_grace_period < request_lifespan for serverless runner configs. The root cause of the undefined behavior is in pegboard-outbound/src/lib.rs:450 where saturating_sub silently returns 0 when drain_grace_period >= request_lifespan, causing the drain to start immediately. The fix is correct and follows existing error-handling patterns.

---

Issues

Missing test coverage

A test for the new validation is absent. The existing upsert_runner_config_serverless_drain_grace_period_exceeds_actor_stop_threshold test in engine/packages/engine/tests/runner/api_runner_configs_upsert.rs shows exactly what a new test should look like. A symmetric test should be added covering the equal case (drain_grace_period == request_lifespan) and the strictly-greater case to verify the boundary.

Default value trap — error message should mention the 1800s default

drain_grace_period is optional in the API and defaults to 1800 s (30 min) when omitted (api-types/src/namespaces/runner_configs.rs:71). A user who only sets request_lifespan: 60 without providing drain_grace_period will see:

`drain_grace_period` must be less than `request_lifespan` (1800s >= 60s)

The 1800 s value will look surprising since the user never set it. The existing actor_stop_threshold error already handles this by appending "If drain_grace_period was omitted, the default is 1800s." The new error message should do the same.

---

Observations (not blocking)

Two code paths for drain timing

pegboard-outbound/src/lib.rs:450 uses the per-runner drain_grace_period field (validated here). pegboard/src/workflows/serverless/conn.rs:443-444 uses the system-level ctx.config().pegboard().serverless_drain_grace_period() and is unaffected by this validation. Both share the same saturating_sub structure, so if the system-level value can exceed request_lifespan the same silent early-drain behavior is possible there. Pre-existing, out of scope, but worth a follow-up.

Validation ordering is correct

Placing the new check before the actor_stop_threshold check is the right order.

---

Summary

The core logic is correct and the change is small and well-targeted. Two actionable items before merging: (1) add a test mirroring the existing drain_grace_period_exceeds_actor_stop_threshold pattern, and (2) append the default-value hint to the new error message to avoid surprising users who omit drain_grace_period.