1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
//! Composable resilience primitives for outbound calls.
//!
//! This module wraps fallible async operations (HTTP calls to AI providers,
//! RPCs to MCP servers, the crate's own connection and transaction retries) so
//! a slow or failing dependency cannot pin workers or cascade into a
//! platform-wide outage. It is deliberately domain-agnostic: every primitive is
//! generic over a caller-supplied error type and an error [`classify`]r, so it
//! can be reused by `systemprompt-ai`, `systemprompt-mcp`, or any other caller
//! without depending on their error enums.
//!
//! # Primitives
//!
//! - [`retry::retry_async`] — bounded exponential backoff with full jitter;
//! honors a `Retry-After` hint and never retries [`Outcome::Permanent`]
//! failures.
//! - [`breaker::CircuitBreaker`] — `Closed` → `Open` → `HalfOpen` state machine
//! that fast-fails while a dependency is unhealthy.
//! - [`bulkhead::Bulkhead`] — a non-blocking concurrency cap; a saturated
//! dependency rejects callers instead of queueing them.
//! - [`guard::ResilienceGuard`] — composes bulkhead → breaker → retry →
//! per-attempt timeout into a single `execute` call.
//! - [`stream::guarded_stream`] — bounds each poll of a streaming response with
//! an idle timeout and holds a bulkhead permit for the stream's lifetime.
//!
//! # Error model
//!
//! Callers classify their own errors via a `Fn(&E) -> Outcome` closure.
//! Failures the guard itself produces (circuit open, bulkhead full, timeout)
//! surface as [`error::ResilienceError`], which the caller maps back into its
//! domain error.
pub use CircuitBreaker;
pub use Bulkhead;
pub use Outcome;
pub use ;
pub use ResilienceError;
pub use ResilienceGuard;
pub use retry_async;
pub use guarded_stream;