fix: reduce session key burst pressure

[olamide226]

Summary

• coalesce concurrent getSecure() calls in the SDK so one page only issues one /rep/session-key fetch during startup
• raise the default gateway session key rate limit from 10 to 15 requests/min/IP for short tab-open bursts
• ignore .worktrees/ so local worktree directories do not pollute repo status

Problem

Opening multiple browser tabs at once could trigger multiple concurrent getSecure() calls per page before the SDK had populated its in-memory sensitive cache. That produced an avoidable burst of /rep/session-key requests and could push clients into 429 Too Many Requests responses even under fairly normal usage.

Changes

SDK

• add a shared in-flight promise for sensitive payload loading
• make concurrent getSecure() callers await the same fetch/decrypt cycle
• clear the in-flight promise after completion so failed requests can be retried cleanly
• add regression tests for coalesced concurrent calls and retry-after-failure behavior

Gateway

• increase the default session-key-max-rate from 10 to 15
• keep the config default, manifest default, and README documentation aligned

Repo hygiene

• add .worktrees/ to .gitignore

Testing

pnpm -r test
env GOCACHE=/Users/olamide/Documents/ruach-projects/rep/.worktrees/session-key-dedupe/.gocache go test ./...

Notes

• The SDK change preserves the synchronous get() contract and only affects async sensitive-variable loading.
• The gateway rate-limit bump is intentionally small; the main mitigation is request coalescing in the client, with the higher default providing a little more room for sudden tab bursts.

[Copilot]

Pull request overview

This PR reduces burst pressure on the /rep/session-key endpoint by deduplicating concurrent getSecure() calls in the SDK, and slightly increases the gateway’s default session key rate limit to better tolerate short tab-open bursts. It also adds a small repo-hygiene ignore for local worktrees.

Changes:

• SDK: coalesce concurrent sensitive-variable loads behind a shared in-flight promise, with retry-after-failure behavior.
• SDK: add regression tests validating request coalescing and retry behavior.
• Gateway/docs: raise default session-key-max-rate from 10 → 15 and keep defaults aligned across config, manifest, and README.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
sdk/src/index.ts	Introduces shared in-flight sensitive load promise and factors sensitive loading into a helper.
sdk/src/tests/index.test.ts	Adds tests for coalesced concurrent calls and retry-after-failure.
gateway/internal/manifest/manifest.go	Bumps manifest default session-key max rate to 15.
gateway/internal/config/config.go	Bumps config default session-key max rate to 15.
gateway/internal/config/config_test.go	Updates default parsing test to expect 15.
gateway/README.md	Updates documented default to 15.
.gitignore	Ignores .worktrees/ directories.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.