fix(sdk): ban rate-limited node for Envoy-advertised reset window

[Claudius-Maginificent]

Why this PR exists

• Problem: rs-dapi-client treats a gRPC ResourceExhausted (per-IP rate-limit / backpressure) the same as a node-down failure — it applies the 60s × e^ban_count health ban to the address. Banning a healthy-but-throttled node doesn't shed load, it relocates it onto the remaining nodes.
• What breaks without it: Under a sustained per-IP rate limit, one high-concurrency client cascades to total failure: node A returns ResourceExhausted → banned 60s → its traffic shifts to B/C → they cross the limit → banned → … → NoAvailableAddressesToRetry, with zero server faults.
• Blocking relationship: none. Independent fix off v3.1-dev.

Redesign note: an earlier revision of this PR rotated to a different node on ResourceExhausted (plus exclusion/backoff bookkeeping). Review feedback flagged that as over-engineered. This revision replaces it with a single, server-driven ban whose duration is dictated by the rate limiter itself. The intermediate commit history reflects that evolution; the net diff is the redesign only.

What was done?

A single rate-limit ban mechanism, driven by the duration Envoy already advertises:

• CanRetry::rate_limit_ban_duration(&self) -> Option<Duration> (default None), implemented for tonic::Status (packages/rs-dapi-client/src/transport/grpc.rs): returns None unless the code is ResourceExhausted; otherwise parses the ratelimit-reset response-metadata header (whole seconds), filters out 0/non-numeric, and clamps to [1s, 600s]. Delegated unchanged through TransportError → DapiClientError / ExecutionError.
• update_address_ban_status dispatch (dapi_client.rs): Some(period) → AddressList::ban_for(address, period); None → the existing ban_with_reason exponential health-ban ladder (the fallback is the normal ladder, not a hardcoded default).
• AddressList::ban_for / AddressStatus::ban_for (address_list.rs): sets banned_until = now + period and raises ban_count to a floor of 1 (so is_banned() stays consistent with banned_until). The rate-limit path is flat — it never inflates the exponential ladder. Reinstatement is the existing banned_until-expiry path.
• dashmate (packages/dashmate/docker-compose.rate_limiter.yml): LIMIT_RESPONSE_HEADERS_ENABLED=true on the Lyft RLS container, so Envoy emits RateLimit-Reset (surfaced to the client as ratelimit-reset gRPC metadata). This is the operator-tunable knob requested in review.

Net effect: a throttled node is banned for exactly the window the server says it needs — no more, no less — instead of a fixed exponential health ban; genuine node ill-health still bans exactly as before.

How Has This Been Tested?

• cargo test -p rs-dapi-client: 119 pass (106 unit + 5 rate_limit_ban integration + 3 failover + 5 doc-tests), 0 failures. cargo clippy -p rs-dapi-client -p dash-sdk -- -D warnings clean; cargo fmt clean.
• Coverage: header → ban_for; clamp edges 1→1s / 600→600s / 601→600s; 0 / garbage / empty / missing header → ladder fallback (assertions bound banned_until to the ≈60s first ladder rung, so they fail if a bad header is wrongly routed to ban_for); full delegation chain; the ban_for ladder-floor side-effect (fresh node ban_count 0→1); and a banned address re-entering rotation after its window expires.
• Operational dependency: the per-duration ban only engages where the rate limiter advertises RateLimit-Reset; the dashmate change above enables it. Where the header is absent, behaviour falls back to the unchanged exponential ban ladder.

Breaking Changes

None. Adds a CanRetry method with a default implementation; the genuine-failure ban path is unchanged.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes (n/a — no breaking changes)
• I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

Attribution

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new is_rate_limited() method to the CanRetry trait and implements it from gRPC tonic::Status up through TransportError, DapiClientError, and ExecutionError. The update_address_ban_status function skips banning nodes on rate-limit signals, and the DapiClient retry loop tracks tried addresses using a new get_live_address_excluding API to rotate across distinct nodes. Rate-limited retries use capped exponential backoff with full jitter, while genuine failures maintain flat delays.

Changes

Rate-limit-aware retry rotation

Layer / File(s)	Summary
CanRetry trait extension and gRPC classification src/lib.rs, src/transport/grpc.rs, src/transport.rs, src/executor.rs	Adds is_rate_limited() -> bool default method to CanRetry; implements it for tonic::Status (ResourceExhausted only), TransportError (delegates to gRPC status), and ExecutionError (delegates to inner error); includes transport-layer unit tests validating the classification.
Exclusion-aware live address selection src/address_list.rs	Adds get_live_address_excluding(&[Address]) filtering both ban-expired and explicitly excluded addresses; refactors get_live_address() to delegate to it; adds tests covering exclusion, ban interaction, and fallback rotation pattern across multiple attempts.
Rate-limit aware retry delay and execution loop src/dapi_client.rs	Introduces rate-limit specific retry timing with capped exponential backoff and full jitter for rate-limited errors vs. flat delay for genuine failures; DapiClientError::is_rate_limited() delegates to TransportError; update_address_ban_status skips banning for rate-limited errors; DapiClient::execute tracks tried addresses and rotates using get_live_address_excluding with fallback, recording each tried address after transport-client creation failures and after transport execution failures.
Unit test invariants src/dapi_client.rs	Tests verify is_rate_limited() delegation, that genuine failures still increment ban_count exponentially, and that repeated ResourceExhausted errors never set banned_until or reduce the live pool.
Integration tests: rotation and sustained congestion tests/rate_limit_rotation.rs	Fake transport returns RESOURCE_EXHAUSTED for configurable attempts; asserts rotation to a different healthy node and that system-wide congestion surfaces a retryable error without banning any address.
SDK error layer rate-limit detection src/error.rs	SDK Error::is_rate_limited() delegates to wrapped DapiClientError when applicable, enabling upper-layer retry logic to recognize rate-limited responses.

Sequence Diagram(s)

sequenceDiagram
  participant App
  participant DapiClient
  participant AddressList
  participant TransportClient
  participant Node

  App->>DapiClient: execute(request)
  DapiClient->>AddressList: get_live_address_excluding(tried)
  AddressList-->>DapiClient: address_A
  DapiClient->>TransportClient: create(address_A)
  TransportClient->>Node: send request
  Node-->>TransportClient: ResourceExhausted
  TransportClient-->>DapiClient: TransportError::Grpc(ResourceExhausted)
  DapiClient->>DapiClient: is_rate_limited() == true → skip ban, push address_A to tried
  DapiClient->>DapiClient: compute delay with jitter, sleep
  DapiClient->>AddressList: get_live_address_excluding([address_A])
  AddressList-->>DapiClient: address_B
  DapiClient->>TransportClient: create(address_B)
  TransportClient->>Node: send request
  Node-->>TransportClient: Ok(response)
  TransportClient-->>DapiClient: Ok(response)
  DapiClient-->>App: ExecutionResponse { inner, retries: 1 }

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related issues

• rs-dapi-client: per-error-class ban policy — don't ban on rate-limit or client-side decode errors #3695: This PR directly implements the fix for the rate-limit banning cascading-failure scenario described in that issue by adding is_rate_limited() classification and skipping address banning for ResourceExhausted errors.

Possibly related PRs

• dashpay/platform#3890: Both PRs modify update_address_ban_status in dapi_client.rs and the address banning logic in address_list.rs; one adds ban-reason threading while this one adds rate-limit bypass in the same function.

Suggested reviewers

• shumkov
• lklimek
• llbartekll
• ZocoLini

Poem

🐇 Hop, hop, skip the ban!
When throttled nodes cry "ResourceExhausted," friend,
I twirl my ears and rotate 'round the plan —
No banning healthy bunnies 'til the end.
The tried list grows, the pool stays full and grand,
Congestion fades — more carrots close at hand! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title claims to 'ban rate-limited nodes,' but the PR objectives explicitly state rate-limited errors should NOT be banned; they should trigger rotation/retry instead. The title describes the opposite of what the PR implements.	Revise the title to accurately reflect the fix: e.g., 'fix(sdk): rotate to different node on rate-limit instead of banning' or 'fix(sdk): distinguish rate-limited errors from node failures to prevent cascading bans.'

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/rs-dapi-client-rate-limit-rotate

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[thepastaclaw]

✅ Review complete (commit dade457)

[Copilot]

Pull request overview

This PR adjusts rs-dapi-client retry/failover behavior so gRPC ResourceExhausted (rate-limiting / backpressure) no longer triggers the exponential “health ban” logic, preventing ban-cascades under sustained rate-limits while keeping genuine node-failure banning unchanged.

Changes:

• Introduces a new CanRetry::is_rate_limited() classification (default false), implemented for gRPC Status::ResourceExhausted and delegated through TransportError, DapiClientError, and ExecutionError.
• Updates update_address_ban_status to not ban rate-limited addresses (log + rotate instead), preserving the existing ban ladder for genuine failures.
• Adds address-rotation across retries via AddressList::get_live_address_excluding(&[Address]), plus new unit/integration tests to assert both invariants and rotation behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
packages/rs-dapi-client/tests/rate_limit_rotation.rs	New integration tests driving the real executor retry loop with a fake transport to validate “rotate, don’t ban” for ResourceExhausted.
packages/rs-dapi-client/src/transport/grpc.rs	Implements CanRetry::is_rate_limited() for gRPC Status (ResourceExhausted only).
packages/rs-dapi-client/src/transport.rs	Delegates is_rate_limited() for TransportError and adds unit tests pinning the “ResourceExhausted only” classification.
packages/rs-dapi-client/src/lib.rs	Extends the public CanRetry trait with is_rate_limited() (default false) and documents intended semantics.
packages/rs-dapi-client/src/executor.rs	Delegates is_rate_limited() through ExecutionError<E>.
packages/rs-dapi-client/src/dapi_client.rs	Skips banning for rate-limited errors and rotates retries away from already-tried addresses. Adds invariants-focused tests for ban ladder vs rate-limit behavior.
packages/rs-dapi-client/src/address_list.rs	Adds get_live_address_excluding and tests ensuring exclusion/rotation semantics and graceful fallback.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Claudius-Maginificent]

Same brittle test-lookup as the parallel thread — acknowledged, left as-is in this pass (test-only, no production impact). Leaving open.

[thepastaclaw]

Code Review

Narrow, well-tested fix that adds an is_rate_limited axis to CanRetry, suppresses banning for gRPC ResourceExhausted, and rotates the next retry off the throttled node via get_live_address_excluding plus a per-execution tried set. The default trait impl preserves prior behavior and the genuine-failure ban ladder is pinned by tests. Only minor docs/test-robustness nits — nothing blocking.

🟡 1 suggestion(s) | 💬 4 nitpick(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-dapi-client/src/lib.rs`:
- [SUGGESTION] packages/rs-dapi-client/src/lib.rs:107-109: Pin `is_rate_limited ⇒ can_retry` with a test or debug_assert
  The fix is load-bearing on the implicit contract that any rate-limited error is also retryable: `update_address_ban_status` only consults `is_rate_limited()` from inside the `if error.can_retry()` branch. If a future change ever marks `ResourceExhausted` non-retryable (e.g. a tweak to `Status::can_retry`), rate-limit handling silently stops firing and the error falls through to the no-op tail — neither ban nor rotation happens. Lock the invariant with either a unit test asserting `is_rate_limited() ⇒ can_retry()` across the gRPC code matrix, or a `debug_assert!(!self.is_rate_limited() || self.can_retry())` on the hot path, so the two predicates can't drift unnoticed.

[thepastaclaw]

💬 Nitpick: Doc overstates the rotation guarantee

The doc states the retry "should rotate to a different node and leave the throttled one in the pool." The executor's documented fallback in dapi_client.rs:761 explicitly re-selects the throttled node when get_live_address_excluding(&tried) returns None (single-node pool, or every live node already in tried). Rotation is best-effort, not guaranteed. A one-line caveat keeps the trait contract honest, e.g. "... and prefer rotating to a different node when one is available."

_{source: ['claude']}

[Claudius-Maginificent]

Partially addressed: M2 makes the retry genuinely rotate to a different live node when one exists (396865f). The doc wording at this site still does not spell out the single-node-pool fallback (where the sole live address is reused with backoff) — that doc caveat was intentionally not added in this pass. Flagging as a known doc nit; leaving open.

[thepastaclaw]

Resolved in this update — Doc overstates the rotation guarantee no longer present.

_{Auto-resolved by the review system based on the latest commit diff. If you believe this was closed in error, reopen the thread.}

[thepastaclaw]

💬 Nitpick: Match the ban-info test entry by exact URI

The invariant test locates the address under test with i.uri.contains("3000"). The current fixture only inserts one address, so this is correct today, but it ties the assertion to a magic substring inside mock_address(). A future fixture adding another URI containing 3000, or a rename of mock_address, would silently match the wrong entry. Match the exact URI from addr so the test is tied to the value it actually inserted.

Suggested change

	let entry = info
	.iter()
	.find(|i| i.uri.contains("3000"))
	.expect("address present in ban info");
	let info = address_list.ban_info();
	let addr_uri = addr.to_string();
	let entry = info
	.iter()
	.find(|i| i.uri == addr_uri)
	.expect("address present in ban info");

_{source: ['codex']}

[Claudius-Maginificent]

Acknowledged — the i.uri.contains("3000") lookup is brittle. It is test-only and unaffected by the production rate-limit changes, so it was left as-is in this pass. Leaving open.

[thepastaclaw]

Resolved in 396865f — Match the ban-info test entry by exact URI no longer present.

_{Auto-resolved by the review system based on the latest commit diff. If you believe this was closed in error, reopen the thread.}

[thepastaclaw]

💬 Nitpick: Fallback re-picks the throttled node when exclusion empties the live pool

When get_live_address_excluding(&tried) returns None, the or_else(|| self.address_list.get_live_address()) fallback can hand back an address already present in tried — i.e. the just-rate-limited node — and tried.push(address.clone()) then appends a duplicate. With a fixed 10ms retry_delay, the remaining retry budget collapses onto the throttled node within tens of ms, which adds no value against a per-minute Envoy rate-limit. The behavior is intentionally documented and bounded by max_retries, so it is non-blocking. Two cheap improvements worth considering: (a) when the exclusion empties the pool, surface the raw ResourceExhausted immediately rather than spinning on the same node; or (b) switch tried to a HashSet<Address> so the contract "already attempted" stays exact (also makes the intent self-documenting).

_{source: ['claude']}

[Claudius-Maginificent]

Addressed in 396865f/b8a8c329: the rate-limit retry path now uses a 3-tier selection that rotates off the just-throttled node whenever any alternative live address exists, plus capped exponential backoff (10 ms → 500 ms) with full jitter. tried is intentionally kept as a Vec — it is bounded by max_retries and the adversarial review agreed a HashSet is not warranted here. Leaving this thread open for maintainer confirmation.

[thepastaclaw]

Resolved in 396865f — Fallback re-picks the throttled node when exclusion empties the live pool no longer present.

_{Auto-resolved by the review system based on the latest commit diff. If you believe this was closed in error, reopen the thread.}

[thepastaclaw]

💬 Nitpick: Wall-clock tolerance on ban-window assertion is thin for CI

The invariant test snapshots chrono::Utc::now() before/after update_address_ban_status and asserts the ban window is within ±50 ms of base × e^(n-1). On a loaded shared CI runner a 50 ms scheduling stall between the before snapshot and the ban write is plausible and would flip the lower-bound check. The assertion itself is exact, but the wall-clock dependence is what flakes. Consider widening the tolerance (e.g. to a few hundred ms) or recomputing the period from a directly observable banned_at field if one is exposed. Not blocking — current headroom is empirically fine — but worth a follow-up if these ever flake.

_{source: ['claude']}

[Claudius-Maginificent]

Left unchanged in this pass — the ±50 ms wall-clock tolerance is a known timing tradeoff in this test. Not modified by the rate-limit fix; leaving open for the maintainer's call.

[thepastaclaw]

Resolved in 396865f — Wall-clock tolerance on ban-window assertion is thin for CI no longer present.

_{Auto-resolved by the review system based on the latest commit diff. If you believe this was closed in error, reopen the thread.}

[Claudius-Maginificent]

Review fixes (adversarial review pass)

Addressed reviewer findings (CodeRabbit / thepastaclaw / internal review). All MEDIUM; two LOW left open by design.

M1 — is_rate_limited ⇒ can_retry invariant locked (thepastaclaw)

• Exhaustive property test over 17 gRPC codes × 4 CanRetry impls (non-vacuous) + debug_assert at the rotation decision in the typed execute() loop.

M2 — rate-limit retry hardening

• Retry now rotates to a different node (3-tier selection; never re-picks the just-throttled node while any alternative exists) — closes a gap where small/single-node pools re-hit the throttled node.
• Flat 10 ms retry replaced with capped exponential backoff (10 ms → 500 ms) + full jitter on the rate-limit path only; genuine-failure path unchanged. Shift amount clamped to avoid pathological window collapse. Server RetryInfo honoring left as a documented TODO (needs grpc-status-details decoding).

M3 — rs-sdk rate-limit classification propagated

• Error::is_rate_limited() now delegates to the inner DapiClientError, future-proofing against a latent SDK-layer ban regression. Zero behavior change today (no consumer reads it outside if can_retry()).

Left open (LOW, by design): ban-evasion blind spot for a node that always returns ResourceExhausted; .read().unwrap() panic on a poisoned routing lock (TODO breadcrumb added).

Commits: 396865fc, b8a8c329. Tests: clippy -D warnings clean; 110 lib + 7 integration + 5 doc-tests pass.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[thepastaclaw]

Code Review

Cumulative review at b8a8c32. The latest delta hardens the rate-limit handling: capped exponential backoff with full jitter, three-tier address selection (excluding tried → just-tried → fallback), debug_assert! invariants on both retry arms, and a property test pinning is_rate_limited() ⇒ can_retry() across all CanRetry implementors. Prior findings #1 and #4 are resolved; #2, #3, #5 are still valid nitpicks. One new latest-delta finding: the new AddressStatus ban-ladder test inherits the same thin 50ms wall-clock tolerance. No blocking issues.

💬 3 nitpick(s)

1 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

[thepastaclaw]

💬 Nitpick: CanRetry::is_rate_limited doc asserts unconditional rotation

The doc says Instead the retry should rotate to a *different* node and leave the throttled one in the pool. The executor at dapi_client.rs:980-990 has a three-tier fallback whose final tier (get_live_address()) intentionally returns the just-tried address when no alternative is live (single-node pool, or every live node already in tried). Rotation is best-effort, not guaranteed. Soften the contract so future maintainers don't read it as a hard invariant.

Suggested change

	/// Rate-limit errors are retryable (see [`CanRetry::can_retry`]) but,
	/// unlike genuine node ill-health, the node must NOT be banned: it is
	/// healthy, just throttled. Banning it would shift its load onto the
	/// remaining nodes and cascade into `NoAvailableAddressesToRetry`.
	/// Instead the retry should rotate to a *different* node and leave the
	/// throttled one in the pool. See `update_address_ban_status`.
	/// Rate-limit errors are retryable (see [`CanRetry::can_retry`]) but,
	/// unlike genuine node ill-health, the node must NOT be banned: it is
	/// healthy, just throttled. Banning it would shift its load onto the
	/// remaining nodes and cascade into `NoAvailableAddressesToRetry`.
	/// Instead the retry path should prefer a different live node while leaving
	/// the throttled one in the pool; if no alternative exists, bounded retries
	/// may reuse it after backoff. See `update_address_ban_status`.

_{source: ['claude', 'codex']}

[thepastaclaw]

💬 Nitpick: Ban-info invariant test matches by URI substring instead of the inserted address

info.iter().find(|i| i.uri.contains("3000")).expect("address present in ban info") ties the assertion to a magic substring inside mock_address(). The test owns the addr it inserted; matching by exact URI is both safer and self-documenting. A future fixture adding another URI that happens to contain 3000, or a rename of mock_address, would silently match the wrong entry.

Suggested change

	let entry = info
	.iter()
	.find(|i| i.uri.contains("3000"))
	.expect("address present in ban info");
	let entry = info
	.iter()
	.find(|i| i.uri == addr.to_string())
	.expect("address present in ban info");

_{source: ['claude', 'codex']}

[thepastaclaw]

💬 Nitpick: debug_assert! placement is inconsistent between the two retry arms

The transport-create-error arm (line 1049) places the debug_assert!(!cloned_error.is_rate_limited() || cloned_error.can_retry(), ...) before update_address_ban_status, while the transport-call-error arm (line 1133) places the equivalent assert after update_address_ban_status. Functionally equivalent (the assert reads nothing the ban-status update mutates), but the two arms otherwise mirror each other. Aligning placement removes a small future-maintainer puzzle about whether the ordering was intentional.

_{source: ['claude']}

[thepastaclaw]

Opened #3956 against this branch to address the Copilot note by matching the ban-info entry on the exact URI instead of a substring search.

[lklimek]

@thepastaclaw review most recent commit,

[thepastaclaw]

Code Review

New latest-delta verification found one in-scope blocking state-management bug: the new exact-window rate-limit ban can overwrite a longer active ban. Two non-blocking latest-delta issues remain around WASM/browser header visibility and misleading logging, and the carried-forward wall-clock tolerance test flake is still present. No CodeRabbit inline findings or comment IDs were supplied.

🔴 1 blocking | 🟡 2 suggestion(s)

1 additional finding(s) omitted (not in diff).

1 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-dapi-client/src/address_list.rs`:
- [BLOCKING] packages/rs-dapi-client/src/address_list.rs:116-119: Rate-limit ban can shorten an active longer ban
  `ban_for` always replaces `banned_until` with `now + period`. Because request completions can arrive out of order for the same shared `AddressList`, a later `ResourceExhausted` response with a short `ratelimit-reset` value can shorten a longer health-ban or longer prior rate-limit ban that was already applied. That reintroduces the address before the existing ban window expires, so genuine failure bans are no longer preserved under overlapping requests.

In `packages/dashmate/templates/platform/gateway/envoy.yaml.dot`:
- [SUGGESTION] packages/dashmate/templates/platform/gateway/envoy.yaml.dot:201: Expose rate-limit reset headers to browser clients
  The PR enables the rate limiter to emit `RateLimit-Reset`, and the Rust client parses it from tonic metadata, but browser/WASM clients go through fetch/CORS. Since Envoy's CORS `expose_headers` list does not include `ratelimit-reset` or the other `ratelimit-*` headers, browser clients cannot read the advertised reset window and will fall back to the exponential health-ban path even when Envoy sent the exact duration.

In `packages/rs-dapi-client/src/dapi_client.rs`:
- [SUGGESTION] packages/rs-dapi-client/src/dapi_client.rs:213-221: Rate-limit ban log is emitted before the ban succeeds
  The `Some(period)` branch logs that it is banning the address before calling `address_list.ban_for`. If the address was removed by an SML update, `ban_for` returns `false` and the code then logs that it was unable to ban the same address. Move the rate-limit-specific debug log behind the `banned` check so logs describe the state transition that actually happened.

[thepastaclaw]

🔴 Blocking: Rate-limit ban can shorten an active longer ban

ban_for always replaces banned_until with now + period. Because request completions can arrive out of order for the same shared AddressList, a later ResourceExhausted response with a short ratelimit-reset value can shorten a longer health-ban or longer prior rate-limit ban that was already applied. That reintroduces the address before the existing ban window expires, so genuine failure bans are no longer preserved under overlapping requests.

Suggested change

	pub fn ban_for(&mut self, period: Duration, reason: Option<String>) {
	self.banned_until = Some(chrono::Utc::now() + period);
	self.ban_count = self.ban_count.max(1);
	self.ban_reason = reason;
	pub fn ban_for(&mut self, period: Duration, reason: Option<String>) {
	let advertised_until = chrono::Utc::now() + period;
	if self
	.banned_until
	.map(|current_until| current_until < advertised_until)
	.unwrap_or(true)
	{
	self.banned_until = Some(advertised_until);
	self.ban_reason = reason;
	}
	self.ban_count = self.ban_count.max(1);
	}

_{source: ['codex']}

[thepastaclaw]

🟡 Suggestion: Rate-limit ban log is emitted before the ban succeeds

The Some(period) branch logs that it is banning the address before calling address_list.ban_for. If the address was removed by an SML update, ban_for returns false and the code then logs that it was unable to ban the same address. Move the rate-limit-specific debug log behind the banned check so logs describe the state transition that actually happened.

_{source: ['claude']}

[shumkov]

I feel like I suggested the wrong direction. I mean, the ban system is correct, but exposing headers that are disabled by default and enabling them via env is risky. Could you please investigate what consequences and why it's disabled by default?