fix: remove serverless token

[MasterPtato]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[MasterPtato]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore: remove non-engine drivers #4574 : 2 dependent PRs (#4581 , #4582 )
• feat: dynamic actors #4397
• fix: driver test suite & sqlite reliability #4559
• fix: remove serverless token #4572 👈 (View in Graphite)
• fix: misc token fixes #4569
• fix(pb): clean up actor stop decision handling #4566
• fix(envoy): use global instance, add signal handlers #4565
• chore: misc fixes, add pb snapshot test #4561
• fix(cache): make in memory cache global #4560
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: fix: remove serverless token

Summary

This PR removes token passing logic from the serverless outbound request path across two files. The change is a net simplification (+2/-28), but raises a few questions worth discussing.

---

engine/packages/pegboard-outbound/src/lib.rs

Changes: Removes the X_RIVET_TOKEN header constant, the token parameter from serverless_outbound_req, and the token extraction/injection logic in handle.

The removal is clean with no dangling references. If the token is no longer required for authenticating serverless outbound requests (e.g., because the auth model changed), this is a clear improvement.

Question: Is authentication for serverless outbound requests now handled at a different layer, or is the token simply no longer required? If it's the latter, a brief comment or PR description note would help future readers understand why this header was removed.

---

engine/sdks/typescript/envoy-client/src/tasks/envoy/index.ts

This is the more notable change. The removed code had an explicit comment explaining its purpose:

"Copy the token when called multiple times. This is done for serverless envoys where the token normally expires around the same time as the /start request expires. The envoy persists longer than the /start request so it needs an up to date token."

Concern: If serverless envoys still persist beyond the /start request lifetime, removing this token refresh could cause expired-token errors in long-running envoy instances. Is this token refresh now handled elsewhere, or is the token lifetime no longer a concern in the new model?

The removal of GLOBAL_SHARED_CTX is a nice improvement to reduce mutable global state.

---

Minor Notes

• The PR description is empty (default template). Even a single sentence on why the token is no longer needed would help reviewers and future git blame readers.
• No tests are included. If there is an integration test path for serverless outbound requests, it would be worth verifying those still pass.

---

Overall this looks like a reasonable cleanup, but the token refresh removal in the TypeScript file deserves explicit confirmation that the expiry case is handled or no longer applicable.