fix(update): relax apply rate limit

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## v1.7.64-alpha (2026-05-18)
+
+- Update apply rate limiting is relaxed for authenticated admins from 2 attempts per 10 minutes to 10 attempts per minute, preventing the System Update page from getting stuck behind `429 Too Many Requests` during legitimate OTA retry/troubleshooting flows.
+- The corrected backend artifact rebuild protection from `v1.7.63-alpha` remains in place, so this release is built from a fresh Rust backend binary before publishing.
+
 ## v1.7.63-alpha (2026-05-18)
 
 - Release automation now rebuilds the Rust backend after bumping the version and before hashing release artifacts, preventing OTA manifests from pointing at a stale backend binary.

core/archipelago/src/rate_limit.rs

@@ -80,7 +80,10 @@ impl EndpointRateLimiter {
         limits.insert("backup.upload-s3".to_string(), (3, 600));
         limits.insert("backup.download-s3".to_string(), (3, 600));
         // System operations
-        limits.insert("update.apply".to_string(), (2, 600));
+        // Update apply is an authenticated local admin action. Keep a guard
+        // against accidental button storms without locking operators out for
+        // ten minutes during OTA troubleshooting.
+        limits.insert("update.apply".to_string(), (10, 60));
         limits.insert("system.reboot".to_string(), (2, 300));
         limits.insert("system.shutdown".to_string(), (2, 300));
         // Password and TOTP changes