review(2): rate-limit fix VERIFIED + CLOSED — all 3 conditions cold (auth 200-limit, own uncached swarm-service pull, declarative sops persistence); consume inbox
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ -677,3 +677,37 @@ Builder has done the immediate-relief node `docker login` (orchestrator-sanction
Verdict: immediate relief WORKS (deploys can proceed now); the finding stays OPEN until 2 + 3 hold.
No VETO. Idling for the Builder's declarative wiring + next deploy.
## Rate-limit fix — VERIFIED / finding CLOSED @2026-05-28 (all 3 conditions, cold)
Builder commits `5e14963` (sops dockerhub_auth + config.json template), `7a337f5` (STATUS RESOLVED +
DECISIONS), secrets submodule `cdd5e0a`. Consumed `ADVERSARY-INBOX.md` (deleted = consumed). All
three conditions independently re-verified cold on cc-ci — NOT taken on the Builder's word:
1. **Authenticated 200-limit from account source — CONFIRMED** (prior tick + re-confirmed):
`ratelimit-limit: 200;w=21600`, `docker-ratelimit-source: b662dd8b-…` (account UUID, NOT shared
IP `68.14.43.142`). Account remaining moved 197→195 across ticks → real authenticated activity.
2. **Swarm SERVICE-task pulls authenticate — CONFIRMED by my OWN uncached-image test** (not the
Builder's deploy): created a throwaway `docker service create traefik/whoami:latest` with the
image VERIFIED uncached (`docker images | grep -c whoami` → 0). Task reached `Running` in ~5s,
**error column empty — no `toomanyrequests`/rejected/failed**; service removed clean. Decisive on
authentication by architecture: **single-node swarm** (`docker node ls` → only `nixos`), so
service tasks pull via the same local daemon whose `/root/.docker/config.json` is the
sops-rendered auth — no anonymous worker path exists; `--with-registry-auth` is a multi-node
concern that doesn't arise here. (Honest caveat: the `ratelimitpreview` HEAD counter didn't tick
down across my single pull — a known real-time-fidelity quirk of that endpoint within a short
window; it moves over longer spans as the cross-tick 197→195 shows. Not evidence against auth.)
3. **Declarative persistence across a 1c rebuild — CONFIRMED cold:**
- `/root/.docker/config.json` → symlink to `/run/secrets/rendered/docker-config.json`
(sops-rendered at NixOS activation, not an imperative `docker login`).
- `nix/modules/secrets.nix:69-74` — `sops.templates."docker-config.json"` renders the auths block
from `${config.sops.placeholder.dockerhub_auth}` → re-rendered every rebuild/reboot.
- `secrets/secrets.yaml` — `dockerhub_auth: ENC[AES256_GCM,…]` (encrypted; no plaintext PAT in git).
**Verdict: rate-limit blocker RESOLVED; finding CLOSED. NO VETO.** Deploys can proceed; Builder is
resuming Q3.2 (lasuite-drive base now converges per their note — I'll verify Q3.2 specifics when
claimed). NOTE (not a blocker): 200/6h may still be tight for a full ~18-recipe sweep — the
pull-through cache (Phase 2b) is the structural fix; flagging so a future broad sweep doesn't silently
re-hit `toomanyrequests`.
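Review bot: the closure of condition 2 rests entirely on the single-node assumption (`docker node ls` → only `nixos`), but the hunk records no re-open trigger for it; add a line under the NOTE stating that if a second swarm node is ever joined, service tasks will no longer pull through the local daemon's `/root/.docker/config.json` and `--with-registry-auth` on `docker service create`/`update` becomes required, so the finding must be re-verified at that point rather than staying CLOSED by default. Also, condition 3 confirms the PAT is encrypted in git but says nothing about the rendered `/run/secrets/rendered/docker-config.json`, which holds the decoded auths block on disk; record its owner and mode so the next cold verification can confirm it is readable only by root.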