ao-core 0.1.0

Core traits and types for the ao-rs agent orchestrator framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

//! Shared GitHub API rate-limit state.
//!
//! Both `scm-github` and `tracker-github` plugins invoke `gh` subprocesses.
//! When either plugin observes a rate-limit error, all `gh` calls across
//! the process should back off — otherwise the other plugin keeps firing
//! requests into a 403 response, risking secondary-rate-limit penalties.
//!
//! This module owns the single cooldown instant used by both plugins.

use std::sync::{Mutex, OnceLock};
use std::time::{Duration, Instant};

/// Default cooldown window when a plugin detects a rate-limit error.
///
/// Kept at 120s to match the previous per-plugin behavior. Callers that
/// know the precise reset time (e.g. via `gh api rate_limit`) can pass a
/// custom `Duration` to [`enter_cooldown_for`].
pub const DEFAULT_COOLDOWN: Duration = Duration::from_secs(120);

/// Returns true if the error message looks like a GitHub rate-limit
/// response (REST or GraphQL, primary or secondary).
pub fn is_rate_limited_error(msg: &str) -> bool {
    let m = msg.to_lowercase();
    m.contains("api rate limit")
        || m.contains("secondary rate limit")
        || m.contains("rate limit exceeded")
        || m.contains("graphql: api rate limit")
}

fn cooldown_until() -> &'static Mutex<Option<Instant>> {
    static COOLDOWN: OnceLock<Mutex<Option<Instant>>> = OnceLock::new();
    COOLDOWN.get_or_init(|| Mutex::new(None))
}

/// Returns true if we are currently in a rate-limit cooldown window.
///
/// Clears the stored instant once it has elapsed so subsequent checks
/// are cheap and logs accurately reflect recovery.
pub fn in_cooldown_now() -> bool {
    let Ok(mut guard) = cooldown_until().lock() else {
        return false;
    };
    if let Some(until) = *guard {
        if Instant::now() < until {
            return true;
        }
        *guard = None;
    }
    false
}

/// Enter cooldown for the default 120s window.
pub fn enter_cooldown() {
    enter_cooldown_for(DEFAULT_COOLDOWN);
}

/// Enter cooldown for a specific duration.
///
/// If a cooldown is already active with a later expiry, this call is a
/// no-op — we never shorten an existing cooldown. If `duration` is too
/// large to represent as a future `Instant` (e.g. malformed upstream
/// timestamps), we silently skip instead of panicking.
pub fn enter_cooldown_for(duration: Duration) {
    let Ok(mut guard) = cooldown_until().lock() else {
        return;
    };
    let Some(new_until) = Instant::now().checked_add(duration) else {
        return;
    };
    match *guard {
        Some(existing) if existing >= new_until => {}
        _ => *guard = Some(new_until),
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::thread::sleep;

    #[test]
    fn detects_rate_limit_messages() {
        assert!(is_rate_limited_error("API rate limit exceeded"));
        assert!(is_rate_limited_error(
            "You have exceeded a secondary rate limit"
        ));
        assert!(is_rate_limited_error("GraphQL: API rate limit exceeded"));
        assert!(is_rate_limited_error("rate limit exceeded for app"));
        assert!(!is_rate_limited_error("404 not found"));
        assert!(!is_rate_limited_error(""));
    }

    // The cooldown state is process-global, so these scenarios share one
    // test to keep them sequential. Running them as separate #[test]
    // functions would race against each other under `cargo test`'s
    // default parallel execution.
    #[test]
    fn cooldown_lifecycle() {
        // Reset.
        if let Ok(mut g) = cooldown_until().lock() {
            *g = None;
        }

        // Short cooldown becomes active then expires.
        enter_cooldown_for(Duration::from_millis(30));
        assert!(in_cooldown_now());
        sleep(Duration::from_millis(60));
        assert!(!in_cooldown_now());

        // A long cooldown is not shortened by a subsequent short one.
        enter_cooldown_for(Duration::from_secs(60));
        let first = *cooldown_until().lock().unwrap();
        enter_cooldown_for(Duration::from_millis(10));
        let after_short = *cooldown_until().lock().unwrap();
        assert_eq!(
            first, after_short,
            "short cooldown must not shorten longer one"
        );

        // Clean up so other tests in the process start from a fresh slate.
        if let Ok(mut g) = cooldown_until().lock() {
            *g = None;
        }
    }

    #[test]
    fn enter_cooldown_for_ignores_overflowing_duration() {
        // An absurdly large duration (e.g. from a spoofed reset timestamp)
        // used to panic via `Instant::now() + duration`. After the fix it
        // silently skips.
        if let Ok(mut g) = cooldown_until().lock() {
            *g = None;
        }
        enter_cooldown_for(Duration::MAX);
        // No panic. Cooldown should NOT be set because the `Instant::now()
        // + Duration::MAX` overflows.
        assert!(
            !in_cooldown_now(),
            "overflowing duration must not activate cooldown"
        );
    }
}