
fix(auth): ignore spoofable proxy IP headers#613

Open

JSONbored wants to merge 1 commit into main from codex/fix-spoofable-proxy-headers-vulnerability

Conversation

@JSONbored

Owner

Motivation

  • The prior change accepted x-real-ip/x-forwarded-for as fallbacks when cf-connecting-ip was missing, which let unauthenticated clients spoof rate-limit identities by supplying attacker-controlled XFF entries.
  • The goal is to prevent unauthenticated clients from creating arbitrary pre-auth rate-limit buckets by trusting only unspoofable peer signals.

Description

  • Removed the trusted-proxy fallback logic from clientIp() in src/auth/rate-limit.ts so the function now only trusts cf-connecting-ip and otherwise returns "unknown-ip".
  • Deleted helper logic that parsed and validated X-Forwarded-For chains and trusted-proxy configuration so header-controlled values are no longer used for rate-limit identities.
  • Updated test/unit/auth.test.ts to assert that proxy headers and configured trusted-proxy values do not produce distinct pre-auth rate-limit keys when cf-connecting-ip is absent.
  • Left token-based identity behavior unchanged so authenticated requests continue to prefer token keys where applicable.

Testing

  • Ran type checking with tsc --noEmit via npm run typecheck, which completed successfully.
  • Ran the focused unit tests with vitest via npm test -- --run test/unit/auth.test.ts --reporter=verbose, and all tests in that file passed (18 tests passed).
  • The full npm test run was attempted in this environment but did not complete within the session (environmental/time constraints), so only the targeted unit tests and typecheck were verified.

Codex Task
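The hardening laid out in the description above, as an added example that is not code from the PR or from src/auth/rate-limit.ts: the spoofable fallback chain the PR removes beside a clientIp() that trusts only cf-connecting-ip, both wired into a small fixed-window limiter so the effect on pre-auth buckets is measurable. The HeaderBag type, the rateLimitKey() helper, the limiter and the constructed request traffic are assumptions for illustration; the project's real signatures are not on the page.

```typescript
// Added example, not code from the PR or from src/auth/rate-limit.ts.
// A plain record stands in for the runtime Headers object (assumption);
// lookups are case-insensitive like real header access.
type HeaderBag = Record<string, string>;

function header(h: HeaderBag, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const k of Object.keys(h)) {
    if (k.toLowerCase() === want) return h[k];
  }
  return undefined;
}

// BEFORE: the fallback chain the PR removes. The original code is not on the
// page; this is the shape the description implies (cf-connecting-ip, then
// x-real-ip, then the leftmost x-forwarded-for hop). Every fallback is a
// value the client itself can write when the edge header is absent.
function clientIpSpoofable(h: HeaderBag): string {
  const cf = header(h, "cf-connecting-ip");
  if (cf) return cf.trim();
  const real = header(h, "x-real-ip");
  if (real) return real.trim();
  const xff = header(h, "x-forwarded-for");
  if (xff) return xff.split(",")[0].trim();
  return "unknown-ip";
}

// AFTER: what the PR describes. Only the edge-set header counts; anything
// else collapses into one shared "unknown-ip" bucket instead of a
// client-chosen one.
function clientIp(h: HeaderBag): string {
  const cf = header(h, "cf-connecting-ip");
  return cf ? cf.trim() : "unknown-ip";
}

// Pre-auth key derivation (assumed shape): a token identity, when present,
// is preferred over the peer address, matching the PR's note that token
// keys are unchanged.
function rateLimitKey(
  h: HeaderBag,
  ipFn: (h: HeaderBag) => string,
  tokenId?: string,
): string {
  return tokenId ? `token:${tokenId}` : `ip:${ipFn(h)}`;
}

// Minimal fixed-window counter, enough to show bucket multiplication.
class FixedWindowLimiter {
  private readonly counts = new Map<string, number>();
  private readonly limit: number;
  constructor(limit: number) {
    this.limit = limit;
  }
  allow(key: string): boolean {
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// One unauthenticated peer sends `attempts` requests with no cf-connecting-ip,
// forging a fresh x-forwarded-for / x-real-ip on each (constructed traffic,
// documentation address ranges). Returns how many requests the limiter lets
// through under the given clientIp strategy.
function allowedRequests(
  ipFn: (h: HeaderBag) => string,
  attempts: number,
  limit: number,
): number {
  const limiter = new FixedWindowLimiter(limit);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const forged = `198.51.100.${i % 250}`;
    const headers: HeaderBag = {
      "X-Forwarded-For": `${forged}, 203.0.113.9`,
      "X-Real-IP": forged,
    };
    if (limiter.allow(rateLimitKey(headers, ipFn))) allowed++;
  }
  return allowed;
}

// Number of distinct pre-auth buckets the same forged traffic produces.
function distinctBuckets(ipFn: (h: HeaderBag) => string, attempts: number): number {
  const keys = new Set<string>();
  for (let i = 0; i < attempts; i++) {
    keys.add(rateLimitKey({ "x-forwarded-for": `10.0.0.${i % 250}` }, ipFn));
  }
  return keys.size;
}

// Usage: 100 forged requests against a limit of 5 per key.
console.log("spoofable:", allowedRequests(clientIpSpoofable, 100, 5)); // 100
console.log("hardened: ", allowedRequests(clientIp, 100, 5));          // 5
```

Two caveats a reviewer would want noted. First, cf-connecting-ip is only unspoofable when the request really traversed Cloudflare; on a Worker that holds by construction, but an origin that is also reachable directly needs authenticated origin pulls or an IP allowlist, or a client can set that header too. Second, the hardened function deliberately puts every request without the edge header into a single "unknown-ip" bucket, so a misconfigured edge shows up as everyone sharing one limit (fail closed) rather than as attackers minting unlimited buckets.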

@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Jun 12, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 12, 2026

Deploying with Cloudflare Workers

Status: ✅ Deployment successful!
Name: gittensory-ui
Latest Commit: 96e8936
Updated (UTC): Jun 12 2026, 07:30 AM

@gittensory

gittensory Bot commented Jun 12, 2026


Important

Gittensory found maintainer review notes

Public GitHub metadata was checked for review readiness. Gittensor-specific context appears only when confirmed.

Readiness score: 91/100

Signal | Result | Evidence | Action
Linked issue | ⚠️ Missing | No linked issue or no-issue rationale found. | Explain no-issue PR.
Related work | ✅ No active overlap found | No same-issue or scoped active PR overlap found. | No action.
Review load | ✅ 20/20 | Readiness component derived from cached public PR metadata and labels. | No action.
Validation evidence | ✅ 25/25 | PR body includes validation/test evidence. | No action.
Open PR queue | ⚠️ 8/10 | 5 open PR(s), 3 likely reviewable, 2 unlinked. | No action.
Contributor context | ✅ Confirmed | Gittensor contributor JSONbored; Gittensor profile; 63 PR(s), 348 issue(s). | No action.
Gate result | ✅ Passing | No configured blocker found. | No action.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, JavaScript, Ruby, Go, Kotlin, MDX, Shell
  • Official Gittensor activity: 63 PR(s), 348 issue(s).
  • PR-specific overlap: none found.
Maintainer notes
  • No linked issue detected: The planned PR does not reference a closing issue or explicit linked issue number.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Re-run Gittensory review

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers. Learn more about Gittensor contribution workflows.

@gittensory gittensory Bot added the gittensory:reviewed Gittensor contributor context label Jun 12, 2026
@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jun 12, 2026

Labels

aardvark codex gittensory:reviewed Gittensor contributor context size:M This PR changes 30-99 lines, ignoring generated files.

Projects

Status: Todo


1 participant