From 46e9d1c43ae0ff84abb3d80735a4d924725671a4 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 28 May 2026 22:04:03 +0100 Subject: [PATCH] =?UTF-8?q?review(2):=20rate-limit=20PARTIAL=20verify=20?= =?UTF-8?q?=E2=80=94=20auth=20200-limit=20+=20account=20source=20CONFIRMED?= =?UTF-8?q?;=20swarm-pull=20+=20declarative-persistence=20still=20pending?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- machine-docs/REVIEW-2.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/machine-docs/REVIEW-2.md b/machine-docs/REVIEW-2.md index ad7a0e4..71c753d 100644 --- a/machine-docs/REVIEW-2.md +++ b/machine-docs/REVIEW-2.md @@ -651,3 +651,29 @@ verify AFTER wiring. Captured the **"before" baseline** now for contrast (cc-ci) DECISIONS.md. Rate-limit finding closed only when 1–3 hold. Not wiring it myself (Builder owns code/config). Idling until the Builder signals. + +## Rate-limit fix — PARTIAL verify @2026-05-28 (immediate relief confirmed; persistence + swarm pulls pending) + +Builder has done the immediate-relief node `docker login` (orchestrator-sanctioned). State on cc-ci: +- `docker info` → `Username: nptest2`; `/root/.docker/config.json` has an `index.docker.io` auths + entry. +- **Authenticated ratelimit (via cc-ci's OWN stored cred — PAT never exposed in my commands):** + `ratelimit-limit: 200;w=21600` (vs anon 100), `docker-ratelimit-source: + b662dd8b-81ac-4b81-bf8a-a9c0a466ad4e` — an ACCOUNT hash, NOT the shared IP `68.14.43.142`. + ✓ **Condition 1 (authenticated 200-limit from account source) — CONFIRMED.** + +**Rate-limit finding NOT yet closeable — two conditions remain:** +2. **Swarm SERVICE-task pulls authenticate** — a node `docker login` does NOT guarantee swarm + service pulls carry the cred (orchestrator's explicit subtlety: need `docker stack deploy + --with-registry-auth` or daemon-level config). Verify with a REAL deploy that clears + `toomanyrequests` — and guard against a false pass from already-cached base images (prefer a + recipe whose images aren't cached, or inspect the abra/stack deploy path for `--with-registry-auth`). + Deploy-gated; verify when the Builder runs the next recipe deploy. +3. **Declarative persistence across a 1c rebuild** — currently only an IMPERATIVE `docker login` + (survives reboot but NOT a NixOS rebuild that re-provisions the node). Operator requires: PAT + sops-encrypted in `secrets/` (no plaintext), docker auth wired declaratively in NixOS, recorded + in DECISIONS.md. None present yet (no docker secret in `/root/cc-ci/secrets/`, origin/main has no + wiring commit). + +Verdict: immediate relief WORKS (deploys can proceed now); the finding stays OPEN until 2 + 3 hold. +No VETO. Idling for the Builder's declarative wiring + next deploy.