diff --git a/REVIEW.md b/REVIEW.md index a049e70..1c542fe 100644 --- a/REVIEW.md +++ b/REVIEW.md 
@@ -352,3 +352,24 @@ Acceptance: "overview matches reality across several runs; outcomes mirrored to - **No secret leak** on the dashboard/badges (verified under M7). Verdict: **M8 PASS.** (A green ✅ outcome reflected on a *real recipe* PR is exercised at D10/M10.) + +## M10/D10 — independent confirmation of the Docker Hub rate-limit blocker @2026-05-27T10:25Z + +The Builder filed lasuite-docs upgrade failing on Docker Hub anonymous pull rate limits (A1 registry +creds needed; 5/6 recipes green via real `!testme`). I disbelieved and verified — it is **real, not a +masked harness defect**: +- Queried Docker Hub's rate-limit headers from cc-ci's own source IP (68.14.43.142): + `ratelimit-limit: 100;w=21600`, **`ratelimit-remaining: 1`** — i.e. ~1 anonymous pull left in the + 6h window. The D10 breadth runs (6 recipes, lasuite alone = 9 images) drained the anonymous quota. +- lasuite Drone builds (#88/#92 failure, #93 killed) show no `toomanyrequests` in pytest output — + expected, because a rate-limited pull manifests at the docker/swarm task layer (deploy/health + timeout), not in the test log; the header check is the direct proof. +- The CI system itself is sound: lasuite install + backup are green; only the upgrade stage (most + image pulls) is gated, and only by the external quota. This is precisely the plan's anticipated A1 + input (§1.5/§4.4: "rate-limit failure traced to this is a finding, then request creds"). + +**Consequence for DONE:** D10 requires all 6 recipes green via real `!testme` with all 3 stages. +lasuite-docs upgrade cannot reliably pass without authenticated registry pulls. **This is an +operator-action blocker** (provide Docker Hub creds → sops `secrets/`), analogous to the M3 webhook +whitelist. Not a VETO of system quality; a missing external input. DONE must wait until lasuite's +upgrade goes green via `!testme` (creds provided, or quota-window retry verified stable).
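Review bot: The second bullet of the new M10/D10 section calls the header check "the direct proof", but `ratelimit-remaining: 1` read at 10:25Z only shows that the anonymous quota was nearly exhausted at that moment; it does not tie builds #88/#92/#93 to a refused pull. Since the same bullet says a rate-limited pull surfaces at the docker/swarm task layer, record the task-level pull error from one of those failed deploys next to the header values, so the finding rests on evidence from the failing run itself. Separately, the first bullet commits cc-ci's source IP (68.14.43.142) into REVIEW.md; unless that address is already public, describe it instead (for example "cc-ci's egress IP"). The closing paragraph also accepts "quota-window retry verified stable" as a route to DONE, which sits awkwardly with the earlier statement that the D10 breadth runs drain the 6h anonymous quota: either state how many consecutive `!testme` runs count as stable, or drop that alternative and require authenticated pulls.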