fix(selfhost): defer queue admission when rate-limit resetAt is unparseable

[galuis116]

Summary

• githubObservedRateLimitDelayMs now returns a conservative 60s admission delay when REST budget is at/below the floor but resetAt is malformed, matching delayUntil's fail-closed behavior.
• Adds regression tests for webhook and background admission paths.

Scope

• The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
• This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
• This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
• I linked an issue, or this is small enough that the summary explains why an issue is not needed.

No upstream issue was opened: neither contributor token has CreateIssue permission on JSONbored/gittensory. This is a narrow fail-closed guard for self-host queue admission.

Validation

• git diff --check
• npm run actionlint
• npm run typecheck
• npm run test:coverage locally; codecov/patch requires ≥97% coverage of the lines AND branches you changed (aim for 98%+ on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
• npm run test:workers
• npm run build:mcp
• npm run test:mcp-pack
• npm run ui:openapi:check
• npm run ui:lint
• npm run ui:typecheck
• npm run ui:build
• npm audit --audit-level=moderate
• New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

• N/A

Safety

• No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
• Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
• Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
• API/OpenAPI/MCP behavior is updated and tested where needed.
• UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
• Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
• Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

N/A — backend-only change.

Notes

Pairs with the Cloudflare-worker shouldWaitForGitHubRateLimit guard; both defer conservatively when resetAt cannot be parsed.

Made with Cursor

[gittensory-orb]

Caution

🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥

🛑 Gittensory review result - reject/close recommended

_{Review updated: 2026-06-30 22:39:09 UTC}

2 files · 1 AI reviewer · 1 blocker · readiness 50/100 · CI failing · blocked

🛑 Suggested Action - Reject/Close

• AI reviewers agree on a likely critical defect: src/selfhost/queue-common.ts:127 makes malformed exhausted observations without observed_at/observedAt/observedAtMs defer forever because `deferUntilMs` is recalculated as `nowMs + 60_000` on every admission check
• change this to a bounded one-shot policy tied to a real observation time, or ignore malformed reset values when no observation timestamp exists. — Resolve the flagged defect, or override if the AI reviewers are mistaken, then re-run the gate.

Review summary
The change adds fail-closed admission delay for exhausted malformed REST reset timestamps and threads persisted observation timestamps into that calculation. The observed timestamp path is coherent, but the fallback for observations without any observed time is a real liveness bug: every evaluation recomputes the deadline from the current clock, so a malformed exhausted latest observation can park matching work indefinitely until a newer observation replaces it. The regression test covers the timestamped case but misses that reachable persisted/unkeyed legacy shape.

Blockers

• src/selfhost/queue-common.ts:127 makes malformed exhausted observations without observed_at/observedAt/observedAtMs defer forever because `deferUntilMs` is recalculated as `nowMs + 60_000` on every admission check; change this to a bounded one-shot policy tied to a real observation time, or ignore malformed reset values when no observation timestamp exists.

Nits — 6 non-blocking

• nit: src/selfhost/queue-common.ts:264 and src/selfhost/queue-common.ts:275 still expose wrapper parameter types without observed_at/observedAt/observedAtMs even though the new behavior depends on those fields, so the public helper signatures should match the accepted observation shape.
• nit: test/unit/selfhost-queue-common.test.ts should add a regression for the no-observed-time malformed reset case through `githubRateLimitAdmissionDelayMs`, since that is the persisted admission path where this bug is reachable.
• In src/selfhost/queue-common.ts:126, avoid `nowMs + 60_000` for missing observation timestamps; either return `null` for malformed un-timestamped observations or require callers to supply an observation timestamp before applying the 60s fail-closed delay.
• In test/unit/selfhost-queue-common.test.ts, add a case that calls `githubRateLimitAdmissionDelayMs("webhook", null, { remaining: 50, reset_at: "not-a-date" }, now)` and then again at `now + 60_000` to prove the admission path does not keep extending itself.
• In src/selfhost/queue-common.ts:264 and src/selfhost/queue-common.ts:275, reuse `AdmissionObservation` or a shared narrower rate-limit observation type for the wrapper parameters so tests and callers can pass timestamp fields without relying on excess structural compatibility.
• Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.

Why this is blocked

• src/selfhost/queue-common.ts:127 makes malformed exhausted observations without observed_at/observedAt/observedAtMs defer forever because `deferUntilMs` is recalculated as `nowMs + 60_000` on every admission check; change this to a bounded one-shot policy tied to a real observation time, or ignore malformed reset values when no observation timestamp exists.

CI checks failing

• validate
• validate-code

Signal	Result	Evidence
Code review	❌ 1 blocker	1 reviewer
Linked issue	⚠️ Missing	No linked issue or no-issue rationale found.
Related work	⚠️ 3 scoped overlaps	Top overlaps are listed below; lower-confidence bulk is hidden.
Change scope	❌ 8/20	High review scope from cached public metadata (size label size:S; no linked issue context).
Validation posture	❌ 5/25	Preflight is holding this PR; address the blocker before review.
Contributor workload	✅ 10/10	Author activity: 1704 registered-repo PR(s), 1128 merged, 156 issue(s).
Contributor context	✅ Confirmed Gittensor contributor	galuis116; Gittensor profile; 1704 PR(s), 156 issue(s).
Gate result	❌ Blocking	Repo-configured hard blocker found.

Review context

• Author: galuis116
• Role context: outside_contributor
• Public audience mode: oss maintainer
• Lane context: Repository registration is not available in the local Gittensory cache.
• Public profile languages: not available
• Official Gittensor activity: 1704 PR(s), 156 issue(s).
• Related work: Open PR work references issue perf(selfhost): profile stack resources and tune defaults #1828. (issue #1828, PR #1869, PR #1873)
• Related work: Items reference the same linked issue perf(selfhost): profile stack resources and tune defaults #1828. (issue #1828, PR #1869)
• Related work: Items reference the same linked issue perf(selfhost): profile stack resources and tune defaults #1828. (PR #1869, PR #1873)

Contributor next steps

• Explain no-issue PR.
• Review top overlaps.
• Add a concise scope and risk note.
• Fix the blocker.
• Triage stale or unlinked PRs.
• Refresh registry data or choose a registered active repo.
• Link the issue being solved, or explicitly explain why this is a no-issue PR.
• Check active issues and PRs before submitting.

Signal definitions

• Related work = same linked issue, overlapping active PRs, or title/path similarity.
• Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
• Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
• Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
• Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

_{🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed}

---

💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

• Re-run Gittensory review

[JSONbored]

See review for blockers, as well as failed CI.