Skip to content

fix(github): defer maintenance when rate-limit resetAt is unparseable#1908

Closed
galuis116 wants to merge 3 commits into
JSONbored:mainfrom
galuis116:fix/rate-limit-unparseable-reset-yield
Closed

fix(github): defer maintenance when rate-limit resetAt is unparseable#1908
galuis116 wants to merge 3 commits into
JSONbored:mainfrom
galuis116:fix/rate-limit-unparseable-reset-yield

Conversation

@galuis116

Copy link
Copy Markdown
Contributor

Summary

  • shouldWaitForGitHubRateLimit now returns a present-but-unparseable resetAt when REST budget is at/below the headroom floor, so callers defer via delayUntil's conservative 60s path instead of proceeding immediately.
  • Adds a regression test covering malformed resetAt with low remaining budget.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked an issue, or this is small enough that the summary explains why an issue is not needed.

No upstream issue was opened: neither contributor token has CreateIssue permission on JSONbored/gittensory. This is a narrow fail-closed guard matching the existing delayUntil behavior.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage locally; codecov/patch requires ≥97% coverage of the lines AND branches you changed (aim for 98%+ on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

  • N/A

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
  • API/OpenAPI/MCP behavior is updated and tested where needed.
  • UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
  • Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

N/A — backend-only change.

Notes

Mirrors the fail-closed timestamp parsing pattern used in src/auth/security.ts and src/upstream/ruleset.ts.

Made with Cursor

When REST budget is exhausted but resetAt is malformed, return the raw
timestamp so delayUntil applies its conservative 60s deferral instead of
proceeding immediately.
@galuis116 galuis116 requested a review from JSONbored as a code owner June 30, 2026 20:46
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 30, 2026
@gittensory-orb

gittensory-orb Bot commented Jun 30, 2026

Copy link
Copy Markdown

Caution

🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥

🛑 Gittensory review result - reject/close recommended

Review updated: 2026-06-30 22:38:11 UTC

2 files · 1 AI reviewer · 1 blocker · readiness 57/100 · CI failing · blocked

🛑 Suggested Action - Reject/Close

  • AI reviewers agree on a likely critical defect: src/github/rate-limit.ts:31 returns undefined for a latest REST observation whose remaining budget is still at/below the floor and whose resetAt is unparseable once observedAt + 60s is in the past, so maintenance proceeds even though no fresh usable reset time has replaced the low-budget observation
  • change this path to keep returning the malformed resetAt for delayUntil(resetAt) to apply its 60s conservative fallback, or otherwise continue deferring until a newer observation supersedes it. — Resolve the flagged defect, or override if the AI reviewers are mistaken, then re-run the gate.

Review summary
The change correctly identifies malformed REST reset timestamps as a low-budget condition, but it only defers for one minute from the original observation time and then reopens maintenance without any newer usable reset information. That makes the fix fail open on the exact persisted-observation path this helper protects, and the added regression test bakes in the unsafe behavior after advancing the clock.

Blockers

  • src/github/rate-limit.ts:31 returns undefined for a latest REST observation whose remaining budget is still at/below the floor and whose resetAt is unparseable once observedAt + 60s is in the past, so maintenance proceeds even though no fresh usable reset time has replaced the low-budget observation; change this path to keep returning the malformed resetAt for delayUntil(resetAt) to apply its 60s conservative fallback, or otherwise continue deferring until a newer observation supersedes it.
  • test/unit/rate-limit.test.ts:68 asserts that shouldWaitForGitHubRateLimit stops deferring after 60s for the same malformed low-budget observation, which is a fabricated expectation for the unsafe fail-open behavior rather than coverage of the real desired guard.
Nits — 4 non-blocking
  • src/github/rate-limit.ts:28 can be simpler and closer to the existing contract by returning rest.resetAt for the unparseable branch and letting delayUntil handle the conservative 60s fallback already documented there.
  • test/unit/rate-limit.test.ts:58 should assert repeated calls with the same malformed low-budget persisted observation continue to produce a value that makes delayUntil return 60, then add a separate case showing a newer valid or above-floor observation clears the wait.
  • Pull request duplicates other open work — Check for an existing pull request or issue covering this change and coordinate or consolidate before continuing.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.

Why this is blocked

  • src/github/rate-limit.ts:31 returns undefined for a latest REST observation whose remaining budget is still at/below the floor and whose resetAt is unparseable once observedAt + 60s is in the past, so maintenance proceeds even though no fresh usable reset time has replaced the low-budget observation; change this path to keep returning the malformed resetAt for delayUntil(resetAt) to apply its 60s conservative fallback, or otherwise continue deferring until a newer observation supersedes it.

CI checks failing

  • validate
  • validate-code
Signal Result Evidence
Code review ❌ 1 blocker 1 reviewer
Linked issue ✅ No-issue rationale PR body explains why no issue is linked.
Related work ⚠️ 1 scoped overlap Top overlaps are listed below; lower-confidence bulk is hidden.
Change scope ❌ 8/20 High review scope from cached public metadata (size label size:S; no linked issue context).
Validation posture ❌ 5/25 Preflight is holding this PR; address the blocker before review.
Contributor workload ✅ 10/10 Author activity: 1704 registered-repo PR(s), 1128 merged, 156 issue(s).
Contributor context ✅ Confirmed Gittensor contributor galuis116; Gittensor profile; 1704 PR(s), 156 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Review context
  • Author: galuis116
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 1704 PR(s), 156 issue(s).
  • Related work: Titles/paths share 8 meaningful terms. (PR #1910)
Contributor next steps
  • Review top overlaps.
  • Add a concise scope and risk note.
  • Fix the blocker.
  • Triage stale or unlinked PRs.
  • Refresh registry data or choose a registered active repo.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. labels Jun 30, 2026
When REST budget is exhausted but resetAt is malformed, defer until one
conservative minute after the observation timestamp, then proceed so work
can refresh the stored rate-limit state.
@galuis116 galuis116 force-pushed the fix/rate-limit-unparseable-reset-yield branch from 05717b5 to 4d94fe5 Compare June 30, 2026 21:27
@dosubot dosubot Bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Jun 30, 2026

@JSONbored JSONbored left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See review for blockers, as well as failed CI.

@JSONbored JSONbored closed this Jun 30, 2026
@github-project-automation github-project-automation Bot moved this from Todo to Done in gittensory - v1 roadmap Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. gittensor Gittensor contributor context size:S This PR changes 10-29 lines, ignoring generated files.

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants