feat: add circuit breaker for upstream provider overload protection (#75)

* feat: add circuit breaker for upstream provider overload protection

Implement per-provider circuit breakers that detect upstream rate limiting
(429/503/529 status codes) and temporarily stop sending requests when
providers are overloaded.

Key features:
- Per-provider circuit breakers (Anthropic, OpenAI)
- Configurable failure threshold, time window, and cooldown period
- Half-open state allows gradual recovery testing
- Prometheus metrics for monitoring (state gauge, trips counter, rejects counter)
- Thread-safe implementation with proper state machine transitions
- Disabled by default for backward compatibility

Circuit breaker states:
- Closed: normal operation, tracking failures within sliding window
- Open: all requests rejected with 503, waiting for cooldown
- Half-Open: limited requests allowed to test if upstream recovered

Status codes that trigger circuit breaker:
- 429 Too Many Requests
- 503 Service Unavailable
- 529 Anthropic Overloaded

Relates to: coder/internal#1153

* chore: apply make fmt

* refactor: use sony/gobreaker for circuit breakers with per-endpoint isolation

- Replace custom circuit breaker implementation with sony/gobreaker
- Change from per-provider to per-endpoint circuit breakers
  (e.g., OpenAI chat completions failing won't block responses API)
- Simplify API: CircuitBreakers manages all breakers internally
- Update metrics to include endpoint label
- Simplify tests to focus on key behaviors

Based on PR review feedback suggesting use of established library
and per-endpoint granularity for better fault isolation.

* refactor: align CircuitBreakerConfig fields with gobreaker.Settings

Rename fields to match gobreaker naming convention:
- Window -> Interval
- Cooldown -> Timeout
- HalfOpenMaxRequests -> MaxRequests
- FailureThreshold type int64 -> uint32

* refactor: remove CircuitState, use gobreaker.State directly

* refactor: implement circuit breaker as middleware with per-provider configs

Address PR review feedback:

1. Middleware pattern - Circuit breaker is now HTTP middleware that wraps
   handlers, capturing response status codes directly instead of extracting
   from provider-specific error types.

2. Per-provider configs - NewCircuitBreakers takes map[string]CircuitBreakerConfig
   keyed by provider name. Providers not in the map have no circuit breaker.

3. Remove provider overfitting - Deleted extractStatusCodeFromError() which
   hardcoded AnthropicErrorResponse and OpenAIErrorResponse types. Middleware
   now uses statusCapturingWriter to inspect actual HTTP response codes.

4. Configurable failure detection - IsFailure func in config allows providers
   to define custom status codes as failures. Defaults to 429/503/529.

5. Fix gauge values - State gauge now uses 0 (closed), 0.5 (half-open), 1 (open)

6. Integration tests - Replaced unit tests with httptest-based integration tests
   that verify actual behavior: upstream errors trip circuit, requests get
   blocked, recovery after timeout, per-endpoint isolation.

7. Error message - Changed from 'upstream rate limiting' to 'circuit breaker is open'

* docs: clarify noop behavior when provider not configured

* Update go.mod

* fix: update metrics help text to reflect 0/0.5/1 gauge values

* refactor: add CircuitBreaker interface with NoopCircuitBreaker

- Add CircuitBreaker interface with Allow(), RecordSuccess(), RecordFailure()
- Add NoopCircuitBreaker struct for providers without circuit breaker config
- Add gobreakerCircuitBreaker wrapping sony/gobreaker implementation
- CircuitBreakers.Get() returns NoopCircuitBreaker when provider not configured
- Add http.Flusher support to statusCapturingWriter for SSE streaming
- Add Unwrap() for ResponseWriter interface detection

* refactor: use gobreaker Execute for proper half-open rejection handling

- Changed CircuitBreaker interface to Execute(fn func() int) (statusCode, rejected)
- Use gobreaker.Execute() to properly handle both ErrOpenState and ErrTooManyRequests
- NoopCircuitBreaker.Execute simply runs the function and returns not rejected
- Simplified middleware by removing separate Allow/Record pattern

* refactor: remove unused circuitBreakers field and getter from RequestBridge

* use per-provider maps for endpoints

* make fmt

* use mux.Handle for cb middleware

* Move CircuitBreakerConfig to the Provider struct

* Update tests

* default noop func for onChange

* create CircuitBreakers per Provider instead of a global one and remove gobreakerCircuitBraker along with the interface and noop struct

* Update bridge.go

Co-authored-by: Paweł Banaszewski <pawel@coder.com>

* fix format

* Apply review suggestions

* Apply review suggestions and add proper integration tests

* Add test to check circuit breaker config

* Remove test

* Remove TestCircuitBreaker_HalfOpenAndRecovery

* Apply review suggestions

* Apply review suggestions

* Fix test

* Add TestCircuitBreaker_HalfOpenMaxRequests test and add Retry-After header

* Apply review suggestions

* Apply review suggestions

* Update provider/anthropic.go

Co-authored-by: Danny Kopping <danny@coder.com>

* Fix tests

* Fix fmt

---------

Co-authored-by: Paweł Banaszewski <pawel@coder.com>
Co-authored-by: Danny Kopping <danny@coder.com>

Author: 3 people

bridge.go

@@ -10,16 +10,17 @@ import (
 	"time"
 
 	"cdr.dev/slog/v3"
+	"github.com/coder/aibridge/circuitbreaker"
 	aibcontext "github.com/coder/aibridge/context"
 	"github.com/coder/aibridge/mcp"
 	"github.com/coder/aibridge/metrics"
 	"github.com/coder/aibridge/provider"
 	"github.com/coder/aibridge/recorder"
 	"github.com/coder/aibridge/tracing"
+	"github.com/hashicorp/go-multierror"
+	"github.com/sony/gobreaker/v2"
 	"go.opentelemetry.io/otel/codes"
 	"go.opentelemetry.io/otel/trace"
-
-	"github.com/hashicorp/go-multierror"
 )
 
 // RequestBridge is an [http.Handler] which is capable of masquerading as AI providers' APIs;
@@ -59,22 +60,53 @@ const recordingTimeout = time.Second * 5
 // A [intercept.Recorder] is also required to record prompt, tool, and token use.
 //
 // mcpProxy will be closed when the [RequestBridge] is closed.
+//
+// Circuit breaker configuration is obtained from each provider's CircuitBreakerConfig() method.
+// Providers returning nil will not have circuit breaker protection.
 func NewRequestBridge(ctx context.Context, providers []provider.Provider, rec recorder.Recorder, mcpProxy mcp.ServerProxier, logger slog.Logger, m *metrics.Metrics, tracer trace.Tracer) (*RequestBridge, error) {
 	mux := http.NewServeMux()
 
-	for _, provider := range providers {
+	for _, prov := range providers {
+		// Create per-provider circuit breaker if configured
+		cfg := prov.CircuitBreakerConfig()
+		providerName := prov.Name()
+		onChange := func(endpoint string, from, to gobreaker.State) {
+			logger.Info(context.Background(), "circuit breaker state change",
+				slog.F("provider", providerName),
+				slog.F("endpoint", endpoint),
+				slog.F("from", from.String()),
+				slog.F("to", to.String()),
+			)
+			if m != nil {
+				m.CircuitBreakerState.WithLabelValues(providerName, endpoint).Set(circuitbreaker.StateToGaugeValue(to))
+				if to == gobreaker.StateOpen {
+					m.CircuitBreakerTrips.WithLabelValues(providerName, endpoint).Inc()
+				}
+			}
+		}
+		cbs := circuitbreaker.NewProviderCircuitBreakers(providerName, cfg, onChange)
+
 		// Add the known provider-specific routes which are bridged (i.e. intercepted and augmented).
-		for _, path := range provider.BridgedRoutes() {
-			mux.HandleFunc(path, newInterceptionProcessor(provider, rec, mcpProxy, logger, m, tracer))
+		for _, path := range prov.BridgedRoutes() {
+			// Initialize circuit breaker state metric to closed (0) for known routes
+			if m != nil && cbs != nil {
+				endpoint := strings.TrimPrefix(path, "/"+providerName)
+				m.CircuitBreakerState.WithLabelValues(providerName, endpoint).Set(0)
+			}
+
+			handler := newInterceptionProcessor(prov, rec, mcpProxy, logger, m, tracer)
+			// Wrap with circuit breaker middleware (nil cbs passes through)
+			wrapped := circuitbreaker.Middleware(cbs, m, logger)(handler)
+			mux.Handle(path, wrapped)
 		}
 
 		// Any requests which passthrough to this will be reverse-proxied to the upstream.
 		//
 		// We have to whitelist the known-safe routes because an API key with elevated privileges (i.e. admin) might be
 		// configured, so we should just reverse-proxy known-safe routes.
-		ftr := newPassthroughRouter(provider, logger.Named(fmt.Sprintf("passthrough.%s", provider.Name())), m, tracer)
-		for _, path := range provider.PassthroughRoutes() {
-			prefix := fmt.Sprintf("/%s", provider.Name())
+		ftr := newPassthroughRouter(prov, logger.Named(fmt.Sprintf("passthrough.%s", prov.Name())), m, tracer)
+		for _, path := range prov.PassthroughRoutes() {
+			prefix := fmt.Sprintf("/%s", prov.Name())
 			route := fmt.Sprintf("%s%s", prefix, path)
 			mux.HandleFunc(route, http.StripPrefix(prefix, ftr).ServeHTTP)
 		}
@@ -100,7 +132,7 @@ func NewRequestBridge(ctx context.Context, providers []provider.Provider, rec re
 
 // newInterceptionProcessor returns an [http.HandlerFunc] which is capable of creating a new interceptor and processing a given request
 // using [Provider] p, recording all usage events using [Recorder] rec.
-func newInterceptionProcessor(p Provider, rec recorder.Recorder, mcpProxy mcp.ServerProxier, logger slog.Logger, m *metrics.Metrics, tracer trace.Tracer) http.HandlerFunc {
+func newInterceptionProcessor(p provider.Provider, rec recorder.Recorder, mcpProxy mcp.ServerProxier, logger slog.Logger, m *metrics.Metrics, tracer trace.Tracer) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx, span := tracer.Start(r.Context(), "Intercept")
 		defer span.End()