fix(engine): install rustls provider with pools

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

• refactor(depot-client): split embedded depot transport #4970 : 2 dependent PRs (#4971 , #4972 )
• fix(rivetkit): decode legacy v4 actor schedule args #4976
• fix(engine): install rustls provider with pools #4975 👈 (View in Graphite)
• fix(rivetkit): defer initialized persist until state exists #4974
• test(rivetkit): cover failed preflight disconnect handling #4973
• fix(rivetkit): hide pending connections during preflight #4969
• WIP: more fuzz tests #4962
• fix(rivetkit): wrap onMigrate in savepoints #4960 : 1 other dependent PR (#4963 )
• fix(pegboard): align drain grace defaults with stop threshold #4958 : 1 other dependent PR (#4966 )
• fix(rivetkit): preserve bridge error messages #4959
• fix(rivetkit): fire abort signal on shutdown finalize #4957
• fix(rivetkit): use startup kv preload #4956
• fix(client): flatten skipReadyWait option #4955
• ci(publish): add manual preview publish flow #4954
• fix(depot): add ltx decode diagnostics #4953
• fix(universaldb): preserve plain set values #4952
• fix(universaldb): align versionstamp operand encoding #4951
• fix(rivetkit): export database provider types #4950
• wip: kitchen sink agentic loop finish #4949
• chore(rivetkit): note duplicate admission logic #4948
• test(rivetkit): cover bypass fetch header forwarding #4947
• feat(kitchen-sink): add actor probe controls #4946
• fix(gateway): split actor response wait errors #4945
• fix(guard): handle bypass preflight before query parse #4944
• feat(kitchen-sink): add mock agent event log copy #4943
• fix(kitchen-sink): default mock agent to local endpoint #4942
• test(rivetkit): enable driver lifecycle regressions #4941
• test(rivetkit): verify cached websocket db refs exceed grace #4940
• fix(rivetkit-core): keep sleeping actors reachable during grace #4939
• test(rivetkit): cover async websocket close db access #4938
• fix(rivetkit): keep actors awake until keepAwake work finishes #4937
• fix(rivetkit): persist native onSleep state on errors #4936
• fix(rivetkit-core): allow dispatch during sleep grace #4935
• fix(rivetkit): make duplicate sleep requests idempotent #4934
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: fix(engine): install rustls provider with pools

Overview

This PR moves the rustls CryptoProvider installation into rivet-pools, so any service using Pools::new or Pools::test automatically initializes the provider. This prevents panics in packages that set up TLS connections via pooled clients (reqwest, postgres-rustls, etc.) without going through the guard startup path.

---

Code Quality

Positive:

• The install_rustls_provider helper is a clean extraction that avoids copy-paste between Pools::new and Pools::test.
• The .is_err() pattern with tracing::debug log follows the existing convention in guard/src/lib.rs and envoy-client.
• The updated comment in guard/src/lib.rs now follows project convention: complete sentence, no trailing dash construction.

Concerns:

1. Cargo.lock version drift - The workspace Cargo.toml pins rustls to 0.23.25, but Cargo.lock now resolves to 0.23.29. This is an implicit patch bump from adding the dependency to pools. Semantically fine, but worth noting so reviewers do not mistake the lock file change for noise.

2. Duplicate provider installation - After this change, the engine startup path calls install_rustls_provider twice when guard is also running: once inside Pools::new and once inside guard::start. The second call silently no-ops (by design), but the guard-level call in engine/packages/guard/src/lib.rs is now strictly redundant. Consider removing it to keep a single canonical installation site in pools.

3. envoy-client still has its own copy - engine/sdks/rust/envoy-client/src/connection/native.rs has a third inline install not deduplicated by this change (it does not depend on rivet-pools). Structurally fine since envoy-client is standalone, but worth a follow-up if more callers appear.

---

Correctness

The fix is sound. install_default() is idempotent (second call returns Err which is swallowed), and placing it at the top of Pools::new / Pools::test before tokio::try_join! ensures the provider is ready before any DB connections (which may use TLS) are established.

---

Suggestions

• Remove the now-redundant call in guard/src/lib.rs now that pools always installs it first.
• Optional: Use a std::sync::OnceLock so repeated calls avoid constructing a CryptoProvider struct. Not a real concern at this call frequency, but slightly cleaner.

---

Verdict

Small, low-risk fix. The core change is correct. The main follow-up worth considering is removing the now-redundant guard-level install to avoid confusion about where initialization happens.