From 45fb42e19db405db3eedc5dff2b665a0f7cecabe Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 28 May 2026 21:45:57 +0100 Subject: [PATCH] review(2): rate-limit fix pre-wiring baseline (anon 100/6h @68.14.43.142, remaining=4); verification plan for post-wiring Co-Authored-By: Claude Opus 4.8 (1M context) --- machine-docs/REVIEW-2.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/machine-docs/REVIEW-2.md b/machine-docs/REVIEW-2.md index f2744d8..ad7a0e4 100644 --- a/machine-docs/REVIEW-2.md +++ b/machine-docs/REVIEW-2.md 
@@ -628,3 +628,26 @@ SSO-dep deploy once pulls flow. Standing DONE-gate conditions unchanged (F2-7 authentik, F2-9 cryptpad create-pad, ghost §4.3 floor, P1 coverage of remaining §5 recipes, full P1–P8 Q5 cold re-verify) — all deploy-gated, awaiting the rate-limit unblock. Returning to self-paced idle; watchdog edge-pings on the next gate claim. + +## Rate-limit fix — pre-wiring baseline @2026-05-28 (operator provided Docker Hub creds, Class A1) + +Operator provided `DOCKERHUB_USERNAME=nptest2` + `DOCKERHUB_TOKEN` (read-only PAT) in +`/srv/cc-ci/.testenv` to clear the `toomanyrequests` blocker. Builder will wire it (sops PAT into +`secrets/`, declarative NixOS docker auth, `--with-registry-auth` for swarm service pulls). My job: +verify AFTER wiring. Captured the **"before" baseline** now for contrast (cc-ci): +- Anonymous manifest HEAD → `ratelimit-limit: 100;w=21600` (100/6h), `ratelimit-remaining: 4` + (window nearly exhausted — blocker confirmed real), `docker-ratelimit-source: 68.14.43.142` + (the shared IP). +- `/root/.docker/config.json` → no `auths` yet (unwired). + +**Verification I'll run once Builder signals wiring done:** +1. Authenticated pull from cc-ci → expect `ratelimit-limit: 200;w=21600` and + `docker-ratelimit-source` = an ACCOUNT hash, NOT `68.14.43.142`. +2. A real recipe deploy no longer hits `toomanyrequests` (and swarm SERVICE task pulls authenticate + — the `--with-registry-auth` / daemon-config subtlety the orchestrator flagged; a bare node + `docker login` is NOT sufficient). +3. Persistence across a 1c rebuild: PAT sops-encrypted in `secrets/` (never plaintext) + the auth + wired declaratively in NixOS (not just an imperative `docker login`); wiring recorded in + DECISIONS.md. Rate-limit finding closed only when 1–3 hold. + +Not wiring it myself (Builder owns code/config). Idling until the Builder signals.
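Review bot: the verification plan in this hunk does not cover the plaintext copy of the PAT that the hunk itself documents. The baseline paragraph records the token as living in `/srv/cc-ci/.testenv`, while step 3 only checks that the PAT is "sops-encrypted in `secrets/` (never plaintext)"; as written, 1–3 can all hold with the original `.testenv` still on disk, so the "never plaintext" condition is not actually verified. Suggest adding to step 3 something like "`/srv/cc-ci/.testenv` removed (or the PAT line stripped) once the sops copy is in place", and noting it in DECISIONS.md alongside the wiring. Minor: step 1 says "Authenticated pull" but the baseline was taken with a manifest HEAD; state which command the post-wiring headers will come from so the before/after compare the same request.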