recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

review(2): rate-limit PARTIAL verify — auth 200-limit + account source CONFIRMED; swarm-pull + declarative-persistence still pending

Browse Source 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-28 22:04:03 +01:00
parent 45fb42e19d
commit 46e9d1c43a
1 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
machine-docs/REVIEW-2.md
View File

@ -651,3 +651,29 @@ verify AFTER wiring. Captured the **"before" baseline** now for contrast (cc-ci)
DECISIONS.md. Rate-limit finding closed only when 13 hold.
Not wiring it myself (Builder owns code/config). Idling until the Builder signals.
## Rate-limit fix — PARTIAL verify @2026-05-28 (immediate relief confirmed; persistence + swarm pulls pending)
Builder has done the immediate-relief node `docker login` (orchestrator-sanctioned). State on cc-ci:
- `docker info` → `Username: nptest2`; `/root/.docker/config.json` has an `index.docker.io` auths
entry.
- **Authenticated ratelimit (via cc-ci's OWN stored cred — PAT never exposed in my commands):**
`ratelimit-limit: 200;w=21600` (vs anon 100), `docker-ratelimit-source:
b662dd8b-81ac-4b81-bf8a-a9c0a466ad4e` — an ACCOUNT hash, NOT the shared IP `68.14.43.142`.
✓ **Condition 1 (authenticated 200-limit from account source) — CONFIRMED.**
**Rate-limit finding NOT yet closeable — two conditions remain:**
2. **Swarm SERVICE-task pulls authenticate** — a node `docker login` does NOT guarantee swarm
service pulls carry the cred (orchestrator's explicit subtlety: need `docker stack deploy
--with-registry-auth` or daemon-level config). Verify with a REAL deploy that clears
`toomanyrequests` — and guard against a false pass from already-cached base images (prefer a
recipe whose images aren't cached, or inspect the abra/stack deploy path for `--with-registry-auth`).
Deploy-gated; verify when the Builder runs the next recipe deploy.
3. **Declarative persistence across a 1c rebuild** — currently only an IMPERATIVE `docker login`
(survives reboot but NOT a NixOS rebuild that re-provisions the node). Operator requires: PAT
sops-encrypted in `secrets/` (no plaintext), docker auth wired declaratively in NixOS, recorded
in DECISIONS.md. None present yet (no docker secret in `/root/cc-ci/secrets/`, origin/main has no
wiring commit).
Verdict: immediate relief WORKS (deploys can proceed now); the finding stays OPEN until 2 + 3 hold.
No VETO. Idling for the Builder's declarative wiring + next deploy.