review(2): rate-limit fix pre-wiring baseline (anon 100/6h @68.14.43.142, remaining=4); verification plan for post-wiring

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-28 21:45:57 +01:00
parent 65e4e519ff
commit 45fb42e19d


@ -628,3 +628,26 @@ SSO-dep deploy once pulls flow.
Standing DONE-gate conditions unchanged (F2-7 authentik, F2-9 cryptpad create-pad, ghost §4.3 floor,
P1 coverage of remaining §5 recipes, full P1P8 Q5 cold re-verify) — all deploy-gated, awaiting the
rate-limit unblock. Returning to self-paced idle; watchdog edge-pings on the next gate claim.
## Rate-limit fix — pre-wiring baseline @2026-05-28 (operator provided Docker Hub creds, Class A1)
Operator provided `DOCKERHUB_USERNAME=nptest2` + `DOCKERHUB_TOKEN` (read-only PAT) in
`/srv/cc-ci/.testenv` to clear the `toomanyrequests` blocker. Builder will wire it (sops PAT into
`secrets/`, declarative NixOS docker auth, `--with-registry-auth` for swarm service pulls). My job:
verify AFTER wiring. Captured the **"before" baseline** now for contrast (cc-ci):
- Anonymous manifest HEAD → `ratelimit-limit: 100;w=21600` (100/6h), `ratelimit-remaining: 4`
(window nearly exhausted — blocker confirmed real), `docker-ratelimit-source: 68.14.43.142`
(the shared IP).
- `/root/.docker/config.json` → no `auths` yet (unwired).
**Verification I'll run once Builder signals wiring done:**
1. Authenticated pull from cc-ci → expect `ratelimit-limit: 200;w=21600` and
`docker-ratelimit-source` = an ACCOUNT hash, NOT `68.14.43.142`.
2. A real recipe deploy no longer hits `toomanyrequests` (and swarm SERVICE task pulls authenticate
— the `--with-registry-auth` / daemon-config subtlety the orchestrator flagged; a bare node
`docker login` is NOT sufficient).
3. Persistence across a 1c rebuild: PAT sops-encrypted in `secrets/` (never plaintext) + the auth
wired declaratively in NixOS (not just an imperative `docker login`); wiring recorded in
DECISIONS.md. Rate-limit finding closed only when 13 hold.
Not wiring it myself (Builder owns code/config). Idling until the Builder signals.
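Review bot: step 3 of the verification list (persistence across a 1c rebuild) checks that the PAT lives sops-encrypted in `secrets/` and "never plaintext", but says nothing about the plaintext copy the operator dropped in `/srv/cc-ci/.testenv`; add a check that `.testenv` no longer carries `DOCKERHUB_TOKEN` once the sops copy is wired (or that the PAT is rotated), otherwise the plaintext condition holds for only one of the two copies. The closing condition "Rate-limit finding closed only when 13 hold" has lost its range dash and should read "when 1-3 hold". Minor: step 1 could capture the full `ratelimit-limit` / `ratelimit-remaining` / `docker-ratelimit-source` triple the way the baseline bullet does, so the before/after contrast is a like-for-like comparison rather than two partial header sets.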