af_unix_mediation: pathname rate-limits all connect() including allowed AF_INET proxy connects

[mNantern]

Hello 👋

It looks like enabling linux.af_unix_mediation: "pathname" (the documented mitigation for CVE-2026-47128) routes every connect()/bind() through the seccomp-notify supervisor, which applies a small shared token-bucket rate limiter (burst 5, 10/s) to each one, before it distinguishes AF_UNIX from AF_INET.

I'm running the last version of nono inside a Lima VM and with af_unix_mediation on, requests through the injected proxy fail intermittently:

• Serial requests (spaced ≥ ~150 ms): ~100% success.
• Concurrent / bursty connects: most fail instantly with connect(): Operation not permitted (curl exit 7, time_connect=0). git fetch across several repos in parallel, or the agent's own API calls coinciding with a tool's connect, routinely trip it.

Any idea on how to improve this setup without disabling af_unix_mediation?

Thank you!