systemprompt-database 0.10.2

PostgreSQL infrastructure for systemprompt.io AI governance. SQLx-backed pool, generic repository traits, and compile-time query verification. Part of the systemprompt.io AI governance pipeline.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

//! [`ResilienceGuard`] — composes bulkhead, breaker, retry and timeout.

use std::fmt;
use std::future::Future;

use tokio::sync::OwnedSemaphorePermit;

use super::breaker::CircuitBreaker;
use super::bulkhead::Bulkhead;
use super::classify::Outcome;
use super::config::ResilienceConfig;
use super::error::ResilienceError;
use super::retry::retry_async;

/// Wraps a caller error so a per-attempt timeout can flow through the retry
/// loop as a transient failure without the caller's `E` needing a timeout
/// variant.
enum AttemptError<E> {
    Inner(E),
    Timeout(std::time::Duration),
}

impl<E: fmt::Display> fmt::Display for AttemptError<E> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Inner(err) => write!(f, "{err}"),
            Self::Timeout(after) => write!(f, "attempt timed out after {after:?}"),
        }
    }
}

/// The resilience policy applied to one logical dependency.
///
/// One guard instance is shared across all calls to that dependency (an AI
/// provider, an MCP server) so its breaker and bulkhead state accumulate across
/// calls.
#[derive(Debug)]
pub struct ResilienceGuard {
    key: String,
    cfg: ResilienceConfig,
    breaker: CircuitBreaker,
    bulkhead: Bulkhead,
}

impl ResilienceGuard {
    /// Build a guard for the dependency identified by `key`.
    pub fn new(key: impl Into<String>, cfg: ResilienceConfig) -> Self {
        let key = key.into();
        let breaker = CircuitBreaker::new(key.clone(), cfg.breaker);
        let bulkhead = Bulkhead::new(key.clone(), cfg.bulkhead.max_concurrent);
        Self {
            key,
            cfg,
            breaker,
            bulkhead,
        }
    }

    /// The dependency key this guard protects.
    #[must_use]
    pub fn key(&self) -> &str {
        &self.key
    }

    /// The policy this guard applies.
    #[must_use]
    pub const fn config(&self) -> &ResilienceConfig {
        &self.cfg
    }

    /// The circuit breaker, exposed so out-of-band signals (a health monitor)
    /// can report failures and successes directly.
    #[must_use]
    pub const fn breaker(&self) -> &CircuitBreaker {
        &self.breaker
    }

    /// Run `op` under the full policy: bulkhead admission → breaker admission →
    /// retry loop, each attempt bounded by `request_timeout`.
    pub async fn execute<T, E, F, Fut>(
        &self,
        classify: impl Fn(&E) -> Outcome + Send + Sync,
        op: F,
    ) -> Result<T, ResilienceError<E>>
    where
        T: Send,
        E: std::error::Error + Send,
        F: Fn() -> Fut + Send + Sync,
        Fut: Future<Output = Result<T, E>> + Send,
    {
        let _permit = self.acquire_permit::<E>()?;
        let timeout = self.cfg.request_timeout;

        let classify_attempt = |err: &AttemptError<E>| match err {
            AttemptError::Timeout(_) => Outcome::Transient { retry_after: None },
            AttemptError::Inner(inner) => classify(inner),
        };
        let attempt = || async {
            match tokio::time::timeout(timeout, op()).await {
                Ok(Ok(value)) => Ok(value),
                Ok(Err(err)) => Err(AttemptError::Inner(err)),
                Err(_) => Err(AttemptError::Timeout(timeout)),
            }
        };

        match retry_async(&self.cfg.retry, &self.key, classify_attempt, attempt).await {
            Ok(value) => {
                self.breaker.record_success();
                Ok(value)
            },
            Err(AttemptError::Inner(err)) => {
                self.breaker.record_failure();
                Err(ResilienceError::Inner(err))
            },
            Err(AttemptError::Timeout(after)) => {
                self.breaker.record_failure();
                Err(ResilienceError::Timeout { after })
            },
        }
    }

    /// Admit one call: a bulkhead permit plus breaker admission.
    ///
    /// Used directly by streaming callers, which hold the returned permit for
    /// the stream's lifetime and report the outcome via [`Self::breaker`].
    /// Non-streaming callers should use [`Self::execute`] instead.
    pub fn acquire_permit<E>(&self) -> Result<OwnedSemaphorePermit, ResilienceError<E>>
    where
        E: std::error::Error,
    {
        let permit = self
            .bulkhead
            .try_acquire()
            .map_err(|_| ResilienceError::BulkheadFull {
                key: self.key.clone(),
                limit: self.bulkhead.limit(),
            })?;
        self.breaker
            .acquire()
            .map_err(|_| ResilienceError::CircuitOpen {
                key: self.key.clone(),
            })?;
        Ok(permit)
    }
}