fix: add global process-level rate limit bucket above per-connection checks (PILOT-317)#30

Open
matthew-pilot wants to merge 1 commit into main from openclaw/pilot-317-20260531-001118
Conversation

@matthew-pilot
Collaborator

What failed

The rate limiter in accept.go is per-IP only. A botnet with 256 IPs at 100 req/s each can push 25.6k req/s — well above expected normal load. The existing per-connection rate check (500 req/s ceiling per connection) doesn't bound the aggregate.

Why this fix

Add a globalRateBucket (1000 req/s process-wide) checked in both handleJSONConn and handleBinaryConn after the 5-second grace period. If total request rate across all connections exceeds the global ceiling, the connection is closed with a warning log.

Verification

  • go build ./...
  • go vet ./...
  • go test ./... ✅ (18/18 packages)
  • 1 file, +44/−0

Closes PILOT-317

…nection checks (PILOT-317)

The rate limiter in accept.go is per-IP only. A botnet with 256 IPs at
100 req/s each can push 25.6k req/s — well above expected normal load.
The existing per-connection rate check (500 req/s ceiling per connection)
doesn't bound the aggregate.

Add a globalRateBucket (1000 req/s process-wide) checked in both
handleJSONConn and handleBinaryConn after the 5-second grace period.
If total request rate across all connections exceeds the global ceiling,
the connection is closed with a warning log.

Closes PILOT-317
@codecov

codecov Bot commented May 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@matthew-pilot
Collaborator Author

📊 PR Status — #30 PILOT-317

Field | Value
State | OPEN
Mergeable | ✅ MERGEABLE (CLEAN)
Draft | No
Branch | openclaw/pilot-317-20260531-001118 → main
Files | 1 file, +44/−0 (accept/accept.go)
Labels | (none)

CI Checks (2/2 passing)

Check | Result
test | ✅ pass
codecov/patch | ✅ pass

Author

matthew-pilot (bot)

Created: 2026-05-31 00:11 UTC
Updated: 2026-05-31 00:15 UTC

@matthew-pilot
Collaborator Author

🔍 Canary & Ticket Status Update

Canary: 🟡 queued — Run #26698606660 (dispatched 00:11 UTC, awaiting runner)

Jira PILOT-317: QA/IN-REVIEW rendezvous: rate limiter is per-IP only — no global aggregate cap

  • Priority: Medium | Assignee: Teodor Calin
  • Last updated: 2026-05-31 03:11 EEST

@matthew-pilot
Collaborator Author

🔍 PR Explanation — #30 PILOT-317

What this does

Adds a process-wide global rate-limit bucket (1000 req/s) that sits above the existing per-connection rate checks in accept/accept.go.

The problem

The existing rate limiter is per-IP only. A distributed botnet with 256 IPs at 100 req/s each can push 25.6k req/s — well above expected normal load. The per-connection ceiling (500 req/s) doesn't bound the aggregate across all connections.

The fix

1. New globalRateBucket struct (lines 120–155)

  • Token-bucket algorithm with configurable rate
  • allow(now) returns false when tokens are exhausted
  • Tokens refill at the configured rate (1000/s)

2. newGlobalRateBucket(1000) constructor (line 544)

  • Initialized in NewAcceptor alongside the existing per-IP rate limiter

3. Global check in handleJSONConn (lines 836–842)

  • After the 5-second per-connection grace period, checks globalBucket.allow() before processing the request
  • If global cap is exceeded → closes connection with a warning log

4. Global check in handleBinaryConn (lines 924–930)

  • Same pattern for binary connections

Scope

  • 1 file changed (accept/accept.go), +44/−0
  • No new dependencies
  • No API or config changes
  • Backward compatible — normal traffic below 1k req/s is unaffected
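
As an added illustration, not code from this PR or the project: a minimal Go sketch of a process-wide token bucket of the kind described above, replayed against the 256-IP, 100 req/s scenario on a synthetic clock. The names globalRateBucket, newGlobalRateBucket and allow(now) follow the PR text; the struct fields, the burst size (equal to the rate), the mutex and the simulate harness are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

// globalRateBucket is one token bucket shared by every connection (fields assumed).
type globalRateBucket struct {
	mu           sync.Mutex
	rate, tokens float64 // refill per second; current balance (starts full)
	last         time.Time
}

func newGlobalRateBucket(perSec float64) *globalRateBucket {
	return &globalRateBucket{rate: perSec, tokens: perSec}
}

// allow refills for the time since the previous call, then spends one token.
func (b *globalRateBucket) allow(now time.Time) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	if dt := now.Sub(b.last).Seconds(); dt > 0 { // skip refill if the clock went backwards
		b.tokens = math.Min(b.rate, b.tokens+dt*b.rate) // burst capped at one second of rate
		b.last = now
	}
	if b.tokens < 1 {
		return false // caller would log a warning and close the connection
	}
	b.tokens--
	return true
}

// simulate (hypothetical harness): ips clients, perIP req/s each, all within per-IP limits.
func simulate(ips, perIP, secs int, globalRate float64) (admitted, rejected int) {
	b := newGlobalRateBucket(globalRate)
	start, step := time.Unix(0, 0), time.Second/time.Duration(perIP) // constructed clock
	for i := 0; i < ips*perIP*secs; i++ {
		if b.allow(start.Add(time.Duration(i/ips) * step)) {
			admitted++
		}
	}
	return admitted, ips*perIP*secs - admitted
}

func main() {
	fmt.Println(simulate(256, 100, 1, 1000)) // the PR's 256-IP scenario
}
```

With a full bucket at start, the first second admits 1990 of 25,600 requests (1000 of burst plus 990 refilled); after that the aggregate holds at 1000 req/s regardless of how many source IPs take part.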

@matthew-pilot
Collaborator Author

📊 PR Status Update — #30 PILOT-317

Field | Value
State | OPEN
Mergeable | ✅ MERGEABLE
CI | 2/2 pass (test ✅, codecov/patch ✅)
Canary | 🟡 Running — Run #26698606660 (queued)
Jira | IN WORK (claimed, decision posted)
Last updated | 2026-05-31T00:37Z
