Files
2026-07-13 13:39:12 +08:00

1864 lines
70 KiB
TypeScript

import {
BACKOFF_STEPS_MS,
PROVIDER_PROFILES,
RateLimitReason,
HTTP_STATUS,
} from "../config/constants.ts";
import {
BACKOFF_CONFIG,
COOLDOWN_MS,
calculateBackoffCooldown,
findMatchingErrorRule,
matchErrorRuleByText,
matchErrorRuleByStatus,
} from "../config/errorConfig.ts";
import { getProviderErrorRuleMatch } from "../config/providerErrorRules.ts";
import { getPassthroughProviders, getProviderCategory } from "../config/providerRegistry.ts";
import {
DEFAULT_RESILIENCE_SETTINGS,
resolveResilienceSettings,
} from "../../src/lib/resilience/settings";
import { resolveModelLockoutSettings } from "../../src/lib/resilience/modelLockoutSettings";
import {
getAllCircuitBreakerStatuses,
getCircuitBreaker,
} from "../../src/shared/utils/circuitBreaker";
import {
classify429FromError,
looksLikeQuotaExhausted,
type FailureKind,
} from "../../src/shared/utils/classify429";
import { resolveProviderId } from "../../src/shared/constants/providers";
import { resolveUseUpstream429BreakerHints } from "../../src/shared/utils/providerHints";
import { getCodexModelScope } from "../config/codexQuotaScopes.ts";
import { getQuotaScopedModelForProvider } from "./antigravityQuotaFamily.ts";
import { isRpdExhausted, isRpmExhausted } from "./geminiRateLimitTracker.ts";
import { setConnectionRateLimitUntil } from "@/lib/db/providers";
import { parseRetryHintFromJsonBody } from "./retryAfterJson.ts";
export type ProviderProfile = {
baseCooldownMs: number;
useUpstreamRetryHints: boolean;
useUpstream429BreakerHints?: boolean;
maxCooldownMs: number;
maxBackoffSteps: number;
failureThreshold: number;
resetTimeoutMs: number;
transientCooldown: number;
rateLimitCooldown: number;
maxBackoffLevel: number;
circuitBreakerThreshold: number;
circuitBreakerReset: number;
// Adaptive circuit breaker fields
degradationThreshold?: number;
// Provider-level cooldown fields
providerFailureThreshold: number;
providerFailureWindowMs: number;
providerCooldownMs: number;
maxBackoffMultiplier?: number;
backoffEscalationCount?: number;
};
type JsonRecord = Record<string, unknown>;
type RateLimitReasonValue = (typeof RateLimitReason)[keyof typeof RateLimitReason];
type ModelLockoutEntry = {
reason: string;
until: number;
lockedAt: number;
failureCount: number;
lastFailureAt: number;
resetAfterMs: number;
};
type ModelFailureState = {
failureCount: number;
lastFailureAt: number;
resetAfterMs: number;
/** Cooldown applied on the last failure — extends the escalation window so a
* model that fails again right after its lockout expires keeps escalating. */
lastCooldownMs?: number;
};
type AccountState = JsonRecord & {
id?: string | null;
rateLimitedUntil?: string | null;
backoffLevel?: number | null;
lastError?: unknown;
status?: string;
};
function toJsonRecord(value: unknown): JsonRecord {
return value && typeof value === "object" && !Array.isArray(value) ? (value as JsonRecord) : {};
}
// Provider-level failure tracking for circuit breaker behavior
// Error codes that count toward provider-level failure threshold.
// 429 is included: per-error-type cooldowns (rate_limit: 60s, quota_exhausted: 1h)
// prevent cascading provider trips at scale (Issue #1846 concern addressed),
// while still allowing the circuit breaker to open on sustained 429s and
// prevent infinite combo retries (Issue #3200).
const PROVIDER_FAILURE_ERROR_CODES = new Set([408, 429, 500, 502, 503, 504]);
// Per-connection failure deduplication: prevents rapid-fire failures from the
// same connection from counting multiple times toward the provider breaker.
const CONNECTION_FAILURE_DEDUP_MS = 5000;
const MAX_CONNECTION_FAILURE_DEDUP_ENTRIES = 10_000;
const lastConnectionFailure = new Map<string, number>();
function pruneConnectionFailureDedupeEntries(): void {
while (lastConnectionFailure.size > MAX_CONNECTION_FAILURE_DEDUP_ENTRIES) {
const oldestKey = lastConnectionFailure.keys().next().value;
if (typeof oldestKey !== "string") return;
lastConnectionFailure.delete(oldestKey);
}
}
const _connectionFailureSweep = setInterval(() => {
const now = Date.now();
for (const [key, ts] of lastConnectionFailure) {
if (now - ts > CONNECTION_FAILURE_DEDUP_MS) lastConnectionFailure.delete(key);
}
}, 60_000);
if (typeof _connectionFailureSweep === "object" && "unref" in _connectionFailureSweep) {
(_connectionFailureSweep as { unref?: () => void }).unref?.();
}
// T06 (sub2api PR #1037): Signals that indicate permanent account deactivation.
// When a 401 body contains these strings, the account is permanently dead
// and should NOT be retried after token refresh.
export const ACCOUNT_DEACTIVATED_SIGNALS = [
"account_deactivated",
"account has been deactivated",
"account has been disabled",
"your account has been suspended",
"this account is deactivated",
// AG (Antigravity/Google Cloud Code) permanent ban signals
"verify your account to continue",
"this service has been disabled in this account for violation",
"this service has been disabled in this account",
];
// Custom banned signals — loaded from DB settings at runtime.
// Combined with ACCOUNT_DEACTIVATED_SIGNALS in isAccountDeactivated().
let _customBannedSignals: string[] = [];
export function setCustomBannedSignals(signals: string[]): void {
_customBannedSignals = signals;
}
export function getMergedBannedSignals(): string[] {
if (_customBannedSignals.length === 0) return ACCOUNT_DEACTIVATED_SIGNALS;
return [...ACCOUNT_DEACTIVATED_SIGNALS, ..._customBannedSignals];
}
// T10 (sub2api PR #1169): Signals that indicate billing credits are exhausted.
// Distinct from rate-limit 429 — the account won't recover until credits are added.
export const CREDITS_EXHAUSTED_SIGNALS = [
"insufficient_quota",
"billing_hard_limit_reached",
"exceeded your current quota",
"exceeded your current usage quota",
"credit_balance_too_low",
"your credit balance is too low",
"credits exhausted",
"out of credits",
"payment required",
"free tier of the model has been exhausted",
// #5239: providers (e.g. DeepSeek/GLM-style) return "Insufficient account balance"
// on a depleted key. 402 is already terminalized by status, but catch non-402
// out-of-credit bodies here too.
"insufficient balance",
"insufficient_balance",
"insufficient account balance",
];
// T11: Signals that indicate OAuth token is invalid/expired (not permanent deactivation)
export const OAUTH_INVALID_TOKEN_SIGNALS = [
"invalid authentication credentials",
"oauth 2",
"login cookie",
"valid authentication credential",
"invalid credentials",
];
// Context overflow patterns — the prompt exceeds the model's maximum context length.
// Different providers phrase this differently. Used to decide whether a 400 error
// should trigger combo fallback (a different model may have a larger context window).
const CONTEXT_OVERFLOW_PATTERNS = [
/\binput is too long\b/i,
/\binput too long\b/i,
/\bcontext.*(too long|exceeded|overflow|limit)/i,
/\btoo many tokens\b/i,
/\bprompt is too long\b/i,
/\bcontext window/i,
/\bmaximum context/i,
/\bmax.*token/i,
/\btoken limit/i,
/\brequest too large\b/i,
];
// Structured error codes that reliably indicate model access denied
// (more reliable than regex on human-readable messages).
// OpenAI: { error: { code: "model_not_found", ... } }
// Anthropic: { error: { type: "not_found_error", ... } }
const MODEL_ACCESS_DENIED_CODES = new Set([
"model_not_found", // OpenAI, OpenAI-compatible (Kiro, Together, Fireworks, etc.)
"deployment_not_found", // Azure OpenAI
]);
const MODEL_ACCESS_DENIED_TYPES = new Set([
"not_found_error", // Anthropic: model doesn't exist — reliably model-scoped
]);
// Anthropic's permission_error is NOT exclusively model-access related: it also
// covers API-key scope, organization restrictions and feature gating. Treating it
// as model-access-denied unconditionally would make a genuinely auth-restricted key
// silently exhaust every combo target and hide the real error from the caller.
// So it only counts when the message text confirms it refers to the model.
const MODEL_ACCESS_AMBIGUOUS_TYPES = new Set([
"permission_error", // Anthropic: could be model access OR key/org/feature scope
]);
// Model access patterns — the account does not have access to the requested model
// but a different account (e.g. PRO vs free tier) may support it.
const MODEL_ACCESS_DENIED_PATTERNS = [
/\binvalid model\b/i,
/\bmodel.*not.*(?:available|found|supported|accessible)\b/i,
/\bmodel.*(?:does not exist|doesn't exist)\b/i,
/\baccess.*denied.*model\b/i,
/\bmodel.*access.*denied\b/i,
/\bplease select a different model\b/i,
// "...access to the requested model" / "model ... access" — bounded lookahead
// (no nested quantifiers) so it stays ReDoS-safe while requiring BOTH an
// access/permission word and "model" so a pure auth error never matches.
/\b(?:access|permission)[\s\S]{0,60}?\bmodel\b/i,
/\bmodel[\s\S]{0,60}?\b(?:access|permission)\b/i,
];
// Pure credential/authentication failures — the key or token itself is bad, which
// is NOT a model-availability problem. Some providers phrase these as a 400 that
// also mentions the model (e.g. "invalid api key for model X"), which would
// otherwise trip MODEL_ACCESS_DENIED_PATTERNS above and trigger combo fallback
// across every target, masking the real "fix your credential" error. When the
// text clearly indicates a bad credential, the regex-based model-access detection
// is suppressed (structured codes/types like model_not_found are unaffected).
const AUTH_CREDENTIAL_ERROR_PATTERNS = [
/\b(?:invalid|incorrect|expired|missing|revoked)\s+api[\s_-]?key\b/i,
/\bapi[\s_-]?key\s+(?:is\s+)?(?:invalid|incorrect|expired|missing|revoked|not\s+valid)\b/i,
/\bauthentication\s+(?:failed|error|required)\b/i,
/\b(?:invalid|expired|missing|revoked)\s+(?:token|credentials?|bearer)\b/i,
/\bunauthorized\b/i,
/\bnot\s+authenticated\b/i,
];
// Malformed request patterns — the model rejected the message format but a different
// provider/model in the combo may accept it.
const MALFORMED_REQUEST_PATTERNS = [
/\bimproperly formed request\b/i,
/\binvalid.*message.*format/i,
/\bmessages must alternate\b/i,
/\bempty (message|content)\b/i,
// Tool call function name errors
/\bfunction'?s? name (?:can't|can not|is|has) (?:blank|empty|missing)/i,
/function.*name.*(?:blank|empty|missing)/i,
/tool_call.*name.*(?:blank|empty|missing)/i,
];
// Rate-limit text on a 400 — some providers (e.g. MiMoCode) signal throttling with a
// non-standard 400 status whose body carries rate-limit semantics instead of a 429
// (#4976). When detected, the request is fallback-worthy at connection-cooldown scope
// (NOT a whole-provider breaker) so combo routing can fail over to another free target.
// Bounded, non-overlapping patterns only (ReDoS-safe — no nested quantifiers).
const RATE_LIMIT_TEXT_PATTERNS = [
/high.?frequency/i,
/non-compliant/i,
/too many requests/i,
/rate.?limit/i,
/频繁/, // "frequent" (zh) — high-frequency request throttling
/频率/, // "frequency" (zh) — request-frequency throttling
];
// Parameter validation errors — model-specific constraints (different models = different limits)
const PARAM_VALIDATION_PATTERNS = [
/max_tokens.*illegal/i,
/max_tokens.*must be/i,
/max_tokens.*range/i,
/parameter is illegal/i,
/is illegal.*range/i,
];
/**
* T06: Returns true if response body indicates the account is permanently deactivated.
*/
export function isAccountDeactivated(errorText: string): boolean {
const lower = String(errorText || "").toLowerCase();
return getMergedBannedSignals().some((sig) => lower.includes(sig));
}
/**
* T10: Returns true if response body indicates credits/quota are permanently exhausted.
*/
export function isCreditsExhausted(errorText: string): boolean {
const lower = String(errorText || "").toLowerCase();
return CREDITS_EXHAUSTED_SIGNALS.some((sig) => lower.includes(sig));
}
/**
* T11: Returns true if response body indicates OAuth token is invalid/expired.
* This is different from permanent account deactivation - token refresh can recover.
*/
export function isOAuthInvalidToken(errorText: string): boolean {
const lower = String(errorText || "").toLowerCase();
return OAUTH_INVALID_TOKEN_SIGNALS.some((sig) => lower.includes(sig));
}
// ─── Resilience Profile Helper ──────────────────────────────────────────────
function asRecord(value: unknown): JsonRecord {
return value && typeof value === "object" && !Array.isArray(value) ? (value as JsonRecord) : {};
}
function isCompatibleProvider(provider: string | null | undefined): boolean {
return (
typeof provider === "string" &&
(provider.startsWith("openai-compatible-") || provider.startsWith("anthropic-compatible-"))
);
}
function buildProviderProfile(
category: "oauth" | "apikey",
settings?: Record<string, unknown> | null
) {
const resilience = settings ? resolveResilienceSettings(settings) : DEFAULT_RESILIENCE_SETTINGS;
const connectionCooldown = resilience.connectionCooldown[category];
const providerBreaker = resilience.providerBreaker[category];
return {
baseCooldownMs: connectionCooldown.baseCooldownMs,
useUpstreamRetryHints: connectionCooldown.useUpstreamRetryHints,
useUpstream429BreakerHints: connectionCooldown.useUpstream429BreakerHints,
maxCooldownMs: resolveModelLockoutSettings(settings).maxCooldownMs,
maxBackoffSteps: connectionCooldown.maxBackoffSteps,
failureThreshold: providerBreaker.failureThreshold,
resetTimeoutMs: providerBreaker.resetTimeoutMs,
transientCooldown: connectionCooldown.baseCooldownMs,
rateLimitCooldown: connectionCooldown.useUpstreamRetryHints
? 0
: connectionCooldown.baseCooldownMs,
maxBackoffLevel: connectionCooldown.maxBackoffSteps,
circuitBreakerThreshold: providerBreaker.failureThreshold,
circuitBreakerReset: providerBreaker.resetTimeoutMs,
degradationThreshold: providerBreaker.degradationThreshold,
// Provider-level cooldown fields are not exposed in resilience settings yet.
providerFailureThreshold: PROVIDER_PROFILES[category].providerFailureThreshold,
providerFailureWindowMs: PROVIDER_PROFILES[category].providerFailureWindowMs,
maxBackoffMultiplier: PROVIDER_PROFILES[category].maxBackoffMultiplier,
backoffEscalationCount: PROVIDER_PROFILES[category].backoffEscalationCount,
providerCooldownMs: PROVIDER_PROFILES[category].providerCooldownMs,
} satisfies ProviderProfile;
}
/**
* Get the resilience profile for a provider (oauth or apikey).
* @param {string} provider - Provider ID or alias
*/
export function getProviderProfile(provider: string): ProviderProfile {
const category = getProviderCategory(provider);
return buildProviderProfile(category);
}
function shouldPreserveQuotaSignalsFor429(provider: string | null | undefined): boolean {
if (!provider) return true;
return getProviderCategory(provider) === "oauth";
}
export async function getRuntimeProviderProfile(provider: string | null | undefined) {
try {
const { getCachedSettings } = await import("@/lib/db/readCache");
const settings = await getCachedSettings();
const category = getProviderCategory(provider || "");
return buildProviderProfile(category, settings);
} catch {
return getProviderProfile(provider || "");
}
}
// ─── Per-Model Lockout Tracking ─────────────────────────────────────────────
// In-memory map: "provider:connectionId:model" → { reason, until, lockedAt }
const modelLockouts = new Map<string, ModelLockoutEntry>();
const modelFailureState = new Map<string, ModelFailureState>();
// Aliases (e.g. "cx" → "codex") must share lockout state with their canonical
// provider, otherwise a model locked via one spelling stays routable via the other.
const canonicalProviderCache = new Map<string, string>();
function getCanonicalLockProvider(provider: string): string {
let canonical = canonicalProviderCache.get(provider);
if (!canonical) {
canonical = resolveProviderId(provider);
canonicalProviderCache.set(provider, canonical);
}
return canonical;
}
function getModelLockKey(provider: string, connectionId: string, model: string) {
const canonicalProvider = getCanonicalLockProvider(provider);
const lockModel =
canonicalProvider === "codex"
? getCodexModelScope(model)
: getQuotaScopedModelForProvider(canonicalProvider, model) || model;
return `${canonicalProvider}:${connectionId}:${lockModel}`;
}
function getFailureWindowMs(profile: ProviderProfile | null = null, fallbackMs = 30 * 60 * 1000) {
const configured = profile?.resetTimeoutMs;
return typeof configured === "number" && configured > 0 ? configured : fallbackMs;
}
function cleanupModelLockKey(key: string, now = Date.now()) {
const entry = modelLockouts.get(key);
if (entry && now > entry.until) {
modelLockouts.delete(key);
}
const failure = modelFailureState.get(key);
if (!failure) return;
// The escalation window extends past the applied cooldown: a model that fails
// again right after its lockout expires must keep escalating, not reset to 1.
if (now - failure.lastFailureAt <= failure.resetAfterMs + (failure.lastCooldownMs ?? 0)) return;
if (modelLockouts.has(key)) return;
modelFailureState.delete(key);
}
function getModelLockBaseCooldown(
status: number,
fallbackCooldownMs: number,
profile: ProviderProfile | null = null
) {
if (Number.isFinite(fallbackCooldownMs) && fallbackCooldownMs > 0) {
return fallbackCooldownMs;
}
if (typeof profile?.baseCooldownMs === "number" && profile.baseCooldownMs >= 0) {
return profile.baseCooldownMs;
}
return status === HTTP_STATUS.RATE_LIMITED ? getQuotaCooldown(0) : COOLDOWN_MS.transientInitial;
}
function getScaledCooldown(
baseCooldownMs: number,
failureCount: number,
maxBackoffLevel = BACKOFF_CONFIG.maxLevel
) {
const safeBase = Number.isFinite(baseCooldownMs) && baseCooldownMs > 0 ? baseCooldownMs : 1000;
const exponent = Math.min(Math.max(0, failureCount - 1), Math.max(0, maxBackoffLevel));
return safeBase * Math.pow(2, exponent);
}
// Auto-cleanup expired lockouts every 15 seconds (lazy init for Cloudflare Workers compatibility)
let _cleanupTimer: ReturnType<typeof setInterval> | null = null;
function ensureCleanupTimer() {
if (_cleanupTimer) return;
try {
_cleanupTimer = setInterval(() => {
const now = Date.now();
for (const key of modelLockouts.keys()) cleanupModelLockKey(key, now);
for (const key of modelFailureState.keys()) cleanupModelLockKey(key, now);
}, 15_000);
if (typeof _cleanupTimer === "object" && "unref" in _cleanupTimer) {
(_cleanupTimer as { unref?: () => void }).unref?.(); // Don't prevent process exit (Node.js only)
}
} catch {
// Cloudflare Workers may not support setInterval outside handlers — skip cleanup timer
}
}
/**
* Lock a specific model on a specific account
* @param {string} provider
* @param {string} connectionId
* @param {string} model
* @param {string} reason - from RateLimitReason
* @param {number} cooldownMs
*/
export function lockModel(
provider: string,
connectionId: string,
model: string | null | undefined,
reason: string,
cooldownMs: number,
metadata: Partial<ModelLockoutEntry> = {}
): void {
if (!model) return; // No model → skip model-level locking
ensureCleanupTimer();
const key = getModelLockKey(provider, connectionId, model);
cleanupModelLockKey(key);
const newUntil = Date.now() + cooldownMs;
// Preserve the longer cooldown if an existing lock has more time remaining.
// Safe without a mutex: no await between get/set, so this runs atomically
// within Node.js's single-threaded event loop.
const existing = modelLockouts.get(key);
if (existing && existing.until > newUntil) {
if (metadata.failureCount && metadata.failureCount > existing.failureCount) {
existing.failureCount = metadata.failureCount;
existing.lastFailureAt = metadata.lastFailureAt ?? existing.lastFailureAt;
existing.resetAfterMs = metadata.resetAfterMs ?? existing.resetAfterMs;
modelLockouts.set(key, existing);
}
return;
}
const now = Date.now();
modelLockouts.set(key, {
reason,
until: newUntil,
lockedAt: now,
failureCount: metadata.failureCount ?? existing?.failureCount ?? 1,
lastFailureAt: metadata.lastFailureAt ?? now,
resetAfterMs: metadata.resetAfterMs ?? existing?.resetAfterMs ?? 0,
});
}
/**
* Pick the `exactCooldownMs` to apply to a model lockout (#1308).
*
* When the upstream response carried an explicit reset longer than the base
* cooldown — e.g. Antigravity "Resets in 160h", a `Retry-After` header, or a
* parseable reset text already extracted by `checkFallbackError`/`parseRetryFromErrorText`
* into `parsedCooldownMs` — honor it exactly so an exhausted model is not retried
* again within minutes. Otherwise preserve the previous behavior: return `0` to let
* `recordModelLockoutFailure` apply its exponential backoff, or the base cooldown when
* backoff is disabled.
*/
export function selectLockoutCooldownMs(
parsedCooldownMs: number,
settings: { baseCooldownMs: number; useExponentialBackoff: boolean }
): number {
if (typeof parsedCooldownMs === "number" && parsedCooldownMs > settings.baseCooldownMs) {
return parsedCooldownMs;
}
return settings.useExponentialBackoff ? 0 : settings.baseCooldownMs;
}
export function recordModelLockoutFailure(
provider: string,
connectionId: string,
model: string,
reason: string,
status: number,
fallbackCooldownMs: number,
profile: ProviderProfile | null = null,
options: { exactCooldownMs?: number | null; maxCooldownMs?: number } = {}
) {
ensureCleanupTimer();
const key = getModelLockKey(provider, connectionId, model);
const now = Date.now();
cleanupModelLockKey(key, now);
// For daily quota exhaustion (quota_exhausted), set cooldown until tomorrow 00:00
// Use exactCooldownMs to bypass exponential backoff, ensuring precise lock until midnight
if (reason === "quota_exhausted" && typeof options.exactCooldownMs !== "number") {
options = { ...options, exactCooldownMs: getMsUntilTomorrow() };
}
const resetAfterMs = getFailureWindowMs(profile);
const previous = modelFailureState.get(key);
// Escalation window extends past the previously applied cooldown so a model
// that fails again right after its lockout expires keeps escalating.
const withinWindow =
previous &&
now - previous.lastFailureAt <= previous.resetAfterMs + (previous.lastCooldownMs ?? 0);
const failureCount = withinWindow ? previous.failureCount + 1 : 1;
const baseCooldownMs = getModelLockBaseCooldown(status, fallbackCooldownMs, profile);
// Cap exponential backoff so repeated failures cannot produce absurdly long
// lockouts; exact cooldowns (e.g. daily-quota until-midnight) are not capped.
const maxCooldownMs =
typeof options.maxCooldownMs === "number" && options.maxCooldownMs > 0
? options.maxCooldownMs
: BACKOFF_CONFIG.max;
const cooldownMs =
typeof options.exactCooldownMs === "number" && options.exactCooldownMs > 0
? options.exactCooldownMs
: Math.min(
getScaledCooldown(
baseCooldownMs,
failureCount,
profile?.maxBackoffSteps ?? BACKOFF_CONFIG.maxLevel
),
maxCooldownMs
);
modelFailureState.set(key, {
failureCount,
lastFailureAt: now,
resetAfterMs,
lastCooldownMs: cooldownMs,
});
lockModel(provider, connectionId, model, reason, cooldownMs, {
failureCount,
lastFailureAt: now,
resetAfterMs,
});
return {
cooldownMs,
failureCount,
resetAfterMs,
};
}
export function clearModelLock(
provider: string,
connectionId: string,
model: string | null | undefined
): boolean {
if (!model) return false;
const key = getModelLockKey(provider, connectionId, model);
const hadLock = modelLockouts.delete(key);
const hadFailureState = modelFailureState.delete(key);
return hadLock || hadFailureState;
}
/**
* Whether a provider should use per-model lockouts instead of connection-wide cooldowns.
* Compatible and passthrough providers multiplex multiple upstream models behind one
* connection, so transient 404/429 responses should stay model-scoped instead of
* poisoning the whole connection.
*
* @param provider - Provider ID
* @param _model - Model ID (reserved for future use)
* @param connectionPassthroughModels - Optional per-connection override from providerSpecificData.
* When provided, takes precedence over registry/provider-level logic.
*/
export function hasPerModelQuota(
provider: string | null | undefined,
_model: string | null | undefined = null,
connectionPassthroughModels?: boolean
): boolean {
// Connection-level override takes precedence (e.g., user-configured ModelScope)
if (typeof connectionPassthroughModels === "boolean") {
return connectionPassthroughModels;
}
if (!provider) return false;
if (getCanonicalLockProvider(provider) === "codex") return true;
if (provider === "gemini" || provider === "github") return true;
if (getPassthroughProviders().has(provider)) return true;
if (isCompatibleProvider(provider)) return true;
return false;
}
/**
* Lock a model (not connection) for a provider with per-model quotas.
* No-ops for providers that don't use per-model lockouts.
*/
export function lockModelIfPerModelQuota(
provider: string,
connectionId: string,
model: string | null,
reason: string,
cooldownMs: number,
connectionPassthroughModels?: boolean
): boolean {
if (!hasPerModelQuota(provider, model, connectionPassthroughModels) || !model) return false;
// Skip model-level lock if the entire provider is in circuit-breaker cooldown.
// The provider cooldown already prevents all requests, so a model lock is redundant.
if (isProviderInCooldown(provider)) return false;
lockModel(provider, connectionId, model, reason, cooldownMs);
return true;
}
export function shouldMarkAccountExhaustedFrom429(
provider: string | null | undefined,
model: string | null | undefined = null,
connectionPassthroughModels?: boolean,
failureKind?: FailureKind
): boolean {
// A plain 429 means transient rate limiting / high traffic for many OAuth providers.
// Only connection-poison the quota cache when the upstream body explicitly says
// the long-window quota is exhausted; otherwise fallback should try another account
// without making this one look quota-depleted for 5 minutes.
if (failureKind === "rate_limit" || failureKind === "transient") return false;
return (
shouldPreserveQuotaSignalsFor429(provider) &&
!hasPerModelQuota(provider, model, connectionPassthroughModels)
);
}
export function classifyLockoutReason(status: number): string {
if (status === 429) return "rate_limit";
if (status === 403) return "quota_exhausted";
return "unknown";
}
export type DecayResult = { cleared: boolean; newFailureCount: number };
export function decayModelFailureCount(
provider: string,
connectionId: string,
model: string
): DecayResult {
const key = getModelLockKey(provider, connectionId, model);
const failure = modelFailureState.get(key);
if (!failure) return { cleared: false, newFailureCount: 0 };
const newFailureCount = Math.floor(failure.failureCount / 2);
if (newFailureCount === 0) {
modelFailureState.delete(key);
return { cleared: true, newFailureCount: 0 };
} else {
modelFailureState.set(key, {
...failure,
failureCount: newFailureCount,
});
return { cleared: false, newFailureCount };
}
}
/**
* Clear all in-memory model lockouts and failure state (for tests / full reset).
*/
export function clearAllModelLockouts(): void {
modelLockouts.clear();
modelFailureState.clear();
}
/**
* Check if a specific model on a specific account is locked
* @returns {boolean}
*/
export function isModelLocked(
provider: string,
connectionId: string,
model: string | null | undefined
): boolean {
if (!model) return false;
const key = getModelLockKey(provider, connectionId, model);
cleanupModelLockKey(key);
const entry = modelLockouts.get(key);
return Boolean(entry);
}
/**
* Get model lockout info (for debugging/dashboard)
*/
export function getModelLockoutInfo(
provider: string,
connectionId: string,
model: string | null | undefined
) {
if (!model) return null;
const key = getModelLockKey(provider, connectionId, model);
cleanupModelLockKey(key);
const entry = modelLockouts.get(key);
if (!entry) return null;
return {
reason: entry.reason,
remainingMs: entry.until - Date.now(),
lockedAt: new Date(entry.lockedAt).toISOString(),
failureCount: entry.failureCount,
};
}
export type ModelLockoutInfo = {
provider: string;
connectionId: string;
model: string;
reason: string;
remainingMs: number;
failureCount: number;
lockedAt: string;
until: number;
};
/**
* Get all active model lockouts (for dashboard)
*/
export function getAllModelLockouts(): ModelLockoutInfo[] {
const now = Date.now();
const active: ModelLockoutInfo[] = [];
for (const key of modelLockouts.keys()) {
cleanupModelLockKey(key, now);
}
for (const [key, entry] of modelLockouts) {
const [provider, connectionId, ...modelParts] = key.split(":");
const model = modelParts.join(":");
active.push({
provider,
connectionId,
model,
reason: entry.reason,
remainingMs: entry.until - now,
failureCount: entry.failureCount,
lockedAt: new Date(entry.lockedAt).toISOString(),
until: entry.until,
});
}
return active;
}
// ─── Provider Breaker Compatibility Wrappers ────────────────────────────────
// Legacy helpers now delegate to the shared provider circuit breaker.
type ProviderBreakerProfile = {
failureThreshold?: number;
degradationThreshold?: number;
resetTimeoutMs?: number;
circuitBreakerThreshold?: number;
circuitBreakerReset?: number;
};
function getProviderBreaker(provider: string | null | undefined) {
return provider ? getCircuitBreaker(provider) : null;
}
function configureProviderBreaker(
provider: string | null | undefined,
profile?: ProviderBreakerProfile | null
) {
if (!provider) return null;
const resolvedProfile = { ...getProviderProfile(provider), ...profile };
// Issue #2100 follow-up: resolve useUpstream429BreakerHints from the
// provider profile (stored override) or fall back to per-provider default.
// Stored value type is `boolean | undefined` — never `null` after PATCH.
const userValue = resolvedProfile.useUpstream429BreakerHints;
const useHints = resolveUseUpstream429BreakerHints(provider, userValue);
return getCircuitBreaker(provider, {
failureThreshold: resolvedProfile.failureThreshold ?? resolvedProfile.circuitBreakerThreshold,
resetTimeout: resolvedProfile.resetTimeoutMs ?? resolvedProfile.circuitBreakerReset,
...(useHints
? {
cooldownByKind: {
rate_limit: 60_000,
quota_exhausted: 3_600_000,
} satisfies Partial<Record<FailureKind, number>>,
classifyError: classify429FromError,
}
: {}),
degradationThreshold: resolvedProfile.degradationThreshold,
maxBackoffMultiplier: resolvedProfile.maxBackoffMultiplier,
backoffEscalationCount: resolvedProfile.backoffEscalationCount,
});
}
/**
* Check if a provider is currently blocked by the shared circuit breaker.
*/
export function isProviderInCooldown(provider: string | null | undefined): boolean {
const breaker = getProviderBreaker(provider);
return breaker ? !breaker.canExecute() : false;
}
/**
* Get remaining retry-after time for a provider breaker.
*/
export function getProviderCooldownRemainingMs(provider: string | null | undefined): number | null {
const breaker = getProviderBreaker(provider);
if (!breaker || breaker.canExecute()) return null;
const remaining = breaker.getRetryAfterMs();
return remaining > 0 ? remaining : null;
}
export function getProviderBreakerState(provider: string | null | undefined) {
const breaker = getProviderBreaker(provider);
return breaker?.getStatus?.() ?? null;
}
/**
* Record a provider failure against the shared circuit breaker.
* Delegates to the existing CircuitBreaker utility which handles
* failure counting, threshold detection, and state transitions.
*
* IMPORTANT: If the breaker is already OPEN (in cooldown), we skip
* recording the failure to prevent resetting the cooldown timer.
* This matches the original behavior where failures during cooldown
* were ignored to avoid indefinite lockout.
*/
export function recordProviderFailure(
provider: string | null | undefined,
log?: { warn?: (...args: unknown[]) => void },
connectionId?: string | null,
profile?: ProviderBreakerProfile | null
): void {
if (!provider) return;
// Deduplicate rapid-fire failures from the same connection
if (connectionId) {
const dedupKey = `${provider}:${connectionId}`;
const now = Date.now();
const lastFailure = lastConnectionFailure.get(dedupKey);
if (lastFailure && now - lastFailure < CONNECTION_FAILURE_DEDUP_MS) {
return;
}
lastConnectionFailure.delete(dedupKey);
lastConnectionFailure.set(dedupKey, now);
pruneConnectionFailureDedupeEntries();
}
const breaker = configureProviderBreaker(provider, profile);
if (!breaker) return;
if (!breaker.canExecute()) return;
breaker._onFailure();
if (!breaker.canExecute()) {
log?.warn?.(`[ProviderFailure] ${provider}: circuit breaker opened after repeated failures`);
}
}
/**
* Reset the shared provider breaker.
*/
export function clearProviderFailure(provider: string | null | undefined): void {
const breaker = getProviderBreaker(provider);
breaker?.reset();
}
/**
* Get all providers currently blocked by the shared breaker.
*/
export function getProvidersInCooldown(): Array<{
provider: string;
failureCount: number;
cooldownRemainingMs: number | null;
lastFailureAt: number | null;
}> {
return getAllCircuitBreakerStatuses()
.filter((status) => {
const breaker = getProviderBreaker(status.name);
return Boolean(breaker && !breaker.canExecute());
})
.map((status) => ({
provider: status.name,
failureCount: status.failureCount,
cooldownRemainingMs: status.retryAfterMs || null,
lastFailureAt: status.lastFailureTime,
}));
}
/**
* Check if a status code should be counted toward provider failure threshold
*/
export function isProviderFailureCode(status: number): boolean {
return PROVIDER_FAILURE_ERROR_CODES.has(status);
}
/**
* Returns true when a checkFallbackError result signals that the entire provider
* quota is exhausted for this request, so the combo router can skip remaining
* targets from the same provider (#1731).
*
* Covers:
* - reason === "quota_exhausted" (subscription, daily, credits)
* - creditsExhausted flag
* - dailyQuotaExhausted flag
*/
export function isProviderExhaustedReason(result: {
reason?: string;
creditsExhausted?: boolean;
dailyQuotaExhausted?: boolean;
}): boolean {
if (result.creditsExhausted || result.dailyQuotaExhausted) return true;
return result.reason === RateLimitReason.QUOTA_EXHAUSTED;
}
// ─── Retry-After Parsing ────────────────────────────────────────────────────
/**
* Parse retry-after information from JSON error response bodies.
* Providers embed retry info in different formats.
*
* @param {string|object} responseBody - Raw response body or parsed JSON
* @returns {{ retryAfterMs: number|null, reason: string }}
*/
export function parseRetryAfterFromBody(responseBody: unknown): {
retryAfterMs: number | null;
reason: RateLimitReasonValue;
} {
let body: JsonRecord;
try {
body = toJsonRecord(typeof responseBody === "string" ? JSON.parse(responseBody) : responseBody);
} catch {
return { retryAfterMs: null, reason: RateLimitReason.UNKNOWN };
}
if (Object.keys(body).length === 0) {
return { retryAfterMs: null, reason: RateLimitReason.UNKNOWN };
}
// Gemini: { error: { details: [{ retryDelay: "33s" }] } }
const error = toJsonRecord(body.error);
const details = error.details || body.details || [];
for (const detail of Array.isArray(details) ? details : []) {
const detailRecord = toJsonRecord(detail);
if (detailRecord.retryDelay) {
return {
retryAfterMs: parseDelayString(detailRecord.retryDelay),
reason: RateLimitReason.RATE_LIMIT_EXCEEDED,
};
}
}
// OpenAI: "Please retry after 20s" in message
const msg = String(error.message || body.message || "");
const retryMatch = /retry\s+after\s+(\d+)\s*s/i.exec(msg);
if (retryMatch) {
return {
retryAfterMs: Number.parseInt(retryMatch[1], 10) * 1000,
reason: RateLimitReason.RATE_LIMIT_EXCEEDED,
};
}
// Anthropic: error type classification
const errorType = String(error.type || body.type || "");
if (errorType === "rate_limit_error") {
return { retryAfterMs: null, reason: RateLimitReason.RATE_LIMIT_EXCEEDED };
}
// Classify by error message keywords
const reason = classifyErrorText(msg || errorType);
return { retryAfterMs: null, reason };
}
/**
* Parse delay strings like "33s", "2m", "1h", "1500ms"
*/
function parseDelayString(value: unknown): number | null {
if (!value) return null;
const str = String(value).trim();
const msMatch = /^(\d+)\s*ms$/i.exec(str);
if (msMatch) return Number.parseInt(msMatch[1], 10);
const secMatch = /^(\d+)\s*s$/i.exec(str);
if (secMatch) return Number.parseInt(secMatch[1], 10) * 1000;
const minMatch = /^(\d+)\s*m$/i.exec(str);
if (minMatch) return Number.parseInt(minMatch[1], 10) * 60 * 1000;
const hrMatch = /^(\d+)\s*h$/i.exec(str);
if (hrMatch) return Number.parseInt(hrMatch[1], 10) * 3600 * 1000;
// Bare number → seconds
const num = Number.parseInt(str, 10);
return Number.isNaN(num) ? null : num * 1000;
}
// T07: parse retry time from error text body with combined "XhYmZs" format.
export function parseRetryFromErrorText(errorText: unknown): number | null {
if (!errorText || typeof errorText !== "string") return null;
const msg: string = String(errorText);
const bodyHintMs = parseRetryHintFromJsonBody(msg, MAX_PROVIDER_COOLDOWN_MS);
if (bodyHintMs !== null) return bodyHintMs;
// Issue #2321: parse embedded absolute ISO retry timestamps.
const isoMatch =
/\b(?:try again at|wait until|reset(?:s)? at|available at|retry after)\s+(\d{4}-\d{2}-\d{2}[Tt ]\d{2}:\d{2}(?::\d{2})?(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)/i.exec(
msg
);
if (isoMatch) {
const parsedTs = Date.parse(isoMatch[1]);
if (Number.isFinite(parsedTs)) {
const waitMs = parsedTs - Date.now();
if (waitMs > 0) return waitMs;
}
}
const match = /reset after (\d+h)?(\d+m)?(\d+s)?/i.exec(msg);
if (match?.[1] || match?.[2] || match?.[3]) return computeDurationMs(match);
// Variant without "reset after": "will reset after XhYmZs"
const altMatch = /will reset after (\d+h)?(\d+m)?(\d+s)?/i.exec(msg);
if (altMatch?.[1] || altMatch?.[2] || altMatch?.[3]) return computeDurationMs(altMatch);
// Antigravity / Cloud Code phrasing: "Resets in 164h27m24s".
const resetsInMatch = /resets? in (\d+h)?(\d+m)?(\d+s)?/i.exec(msg);
if (resetsInMatch?.[1] || resetsInMatch?.[2] || resetsInMatch?.[3]) {
return computeDurationMs(resetsInMatch);
}
return null;
}
/**
* Compute total milliseconds from regex match groups (Xh)(Ym)(Zs)
* Capped at 30 days to prevent adversarial/buggy upstream from locking indefinitely.
*/
const MAX_PROVIDER_COOLDOWN_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
function computeDurationMs(match: RegExpMatchArray): number | null {
let totalMs = 0;
if (match[1]) totalMs += Number.parseInt(match[1], 10) * 3600 * 1000; // hours
if (match[2]) totalMs += Number.parseInt(match[2], 10) * 60 * 1000; // minutes
if (match[3]) totalMs += Number.parseInt(match[3], 10) * 1000; // seconds
return totalMs > 0 ? Math.min(totalMs, MAX_PROVIDER_COOLDOWN_MS) : null;
}
function isSubscriptionQuotaText(lower: string): boolean {
return (
lower.includes("usage limit reached") ||
lower.includes("usage limit has been") ||
lower.includes("claude pro usage limit") ||
lower.includes("you've reached your usage limit") ||
lower.includes("you have reached your usage limit")
);
}
// ─── Error Classification ───────────────────────────────────────────────────
/**
* Classify error text into RateLimitReason
*/
export function classifyErrorText(errorText: unknown): RateLimitReasonValue {
if (!errorText) return RateLimitReason.UNKNOWN;
const lower = String(errorText).toLowerCase();
if (
lower.includes("quota exceeded") ||
lower.includes("quota depleted") ||
lower.includes("quota will reset") ||
lower.includes("your quota will reset") ||
lower.includes("quota has been exceeded") ||
lower.includes("hour quota") ||
lower.includes("billing") ||
looksLikeQuotaExhausted(lower) ||
// Issue #2321: Anthropic OAuth (Claude Code Pro/Team) 429 bodies surface
// the subscription quota with phrases that contain neither "quota" nor
// "billing". Without these patterns the error was classified as a
// transient RATE_LIMIT_EXCEEDED (~5s base cooldown), which cascades all
// Pro accounts into a tight retry loop until the 5h window resets.
isSubscriptionQuotaText(lower)
) {
return RateLimitReason.QUOTA_EXHAUSTED;
}
// T10: credits_exhausted signals
if (isCreditsExhausted(lower)) {
return RateLimitReason.QUOTA_EXHAUSTED;
}
// T06: account_deactivated signals
if (isAccountDeactivated(lower)) {
return RateLimitReason.AUTH_ERROR;
}
const configuredRule = matchErrorRuleByText(errorText);
if (configuredRule?.reason) return configuredRule.reason;
if (lower.includes("rate_limit")) return RateLimitReason.RATE_LIMIT_EXCEEDED;
if (lower.includes("resource exhausted") || lower.includes("high demand"))
return RateLimitReason.MODEL_CAPACITY;
if (
lower.includes("unauthorized") ||
lower.includes("invalid api key") ||
lower.includes("authentication")
) {
return RateLimitReason.AUTH_ERROR;
}
if (lower.includes("server error") || lower.includes("internal error")) {
return RateLimitReason.SERVER_ERROR;
}
return RateLimitReason.UNKNOWN;
}
/**
* Classify HTTP status + error text into RateLimitReason
*
* If context (provider, headers, body) is supplied, provider-specific rules
* are evaluated FIRST. A provider like Opencode can signal account-wide quota
* exhaustion via `x-ratelimit-remaining-requests: 0` even when the body says
* "rate limit" — without context, classifyError falls through to the global
* text rules and misclassifies as RATE_LIMIT_EXCEEDED. With context, the
* provider rule takes precedence.
*/
export function classifyError(
status: number,
errorText: unknown,
context?: { provider?: string | null; headers?: Record<string, string> | null; body?: unknown }
): RateLimitReasonValue {
// Provider-specific rules take priority — they have the most accurate signal
// (e.g. `x-ratelimit-remaining-requests: 0` is irrefutable account exhaustion).
if (context?.provider) {
const match = getProviderErrorRuleMatch(
context.provider,
status,
context.headers ?? null,
context.body
);
if (match) return match.reason;
}
// Text classification takes priority (more specific)
const textReason = classifyErrorText(errorText);
if (textReason !== RateLimitReason.UNKNOWN) return textReason;
// Fall back to status code
if (status === HTTP_STATUS.UNAUTHORIZED || status === HTTP_STATUS.FORBIDDEN) {
return RateLimitReason.AUTH_ERROR;
}
if (status === HTTP_STATUS.PAYMENT_REQUIRED) {
return RateLimitReason.QUOTA_EXHAUSTED;
}
if (status === HTTP_STATUS.RATE_LIMITED) {
return RateLimitReason.RATE_LIMIT_EXCEEDED;
}
if (status === HTTP_STATUS.SERVICE_UNAVAILABLE || status === 529) {
return RateLimitReason.MODEL_CAPACITY;
}
if (status >= 500) {
return RateLimitReason.SERVER_ERROR;
}
return RateLimitReason.UNKNOWN;
}
// ─── Daily Quota Helpers ────────────────────────────────────────────────────
/**
* Calculate milliseconds from now until tomorrow at midnight (00:00:00).
* Used to lock a model until the next day when daily quota is exhausted.
* @returns {number} Milliseconds until tomorrow
*/
export function getMsUntilTomorrow(): number {
const nowMs = Date.now();
const tomorrow = new Date(nowMs);
tomorrow.setDate(tomorrow.getDate() + 1);
tomorrow.setHours(0, 0, 0, 0);
const ms = tomorrow.getTime() - nowMs;
// Guard against DST edge cases: if ms is negative (shouldn't happen) or
// unreasonably large (>25h due to spring-forward), cap at 24 hours.
return ms > 0 && ms <= 25 * 60 * 60 * 1000 ? ms : 24 * 60 * 60 * 1000;
}
/**
* Check if error text indicates daily quota exhaustion (as opposed to rate limiting).
* Daily quota errors typically mention "today's quota" or "try again tomorrow".
* @param {string} errorText - Error message text
* @returns {boolean} True if daily quota is exhausted
*/
export function isDailyQuotaExhausted(errorText: string): boolean {
if (!errorText) return false;
const lower = errorText.toLowerCase();
return (
lower.includes("today's quota") ||
lower.includes("daily quota") ||
lower.includes("try again tomorrow")
);
}
// ─── Configurable Backoff ───────────────────────────────────────────────────
/**
* Get backoff duration from configurable steps.
* @param {number} failureCount - Number of consecutive failures
* @returns {number} Duration in ms
*/
export function getBackoffDuration(failureCount: number): number {
const idx = Math.min(failureCount, BACKOFF_STEPS_MS.length - 1);
return BACKOFF_STEPS_MS[idx];
}
// ─── Original API (Backward Compatible) ────────────────────────────────────
/**
* Calculate exponential backoff cooldown for rate limits (429)
* Level 0: 1s, Level 1: 2s, Level 2: 4s... → max 2 min
* @param {number} backoffLevel - Current backoff level
* @returns {number} Cooldown in milliseconds
*/
export function getQuotaCooldown(backoffLevel = 0) {
return calculateBackoffCooldown(backoffLevel);
}
/**
* Check if error should trigger account fallback (switch to next account)
* @param {number} status - HTTP status code
* @param {string} errorText - Error message text
* @param {number} backoffLevel - Current backoff level for exponential backoff
* @param {string} [model] - Optional model name for model-level lockout
* @param {string} [provider] - Provider ID for profile-aware cooldowns
* @returns {{ shouldFallback: boolean, cooldownMs: number, newBackoffLevel?: number, reason?: string }}
*/
export function checkFallbackError(
status: number,
errorText: string | null,
backoffLevel: number = 0,
_model: string | null = null,
provider: string | null = null,
headers: Headers | Record<string, string> | null = null,
profileOverride: ProviderProfile | null = null,
structuredError?: { code?: string | null; type?: string | null } | null
): {
shouldFallback: boolean;
cooldownMs: number;
baseCooldownMs?: number;
newBackoffLevel?: number;
usedUpstreamRetryHint?: boolean;
reason?: string;
permanent?: boolean;
creditsExhausted?: boolean;
dailyQuotaExhausted?: boolean;
/** G-02: true when the error originates from an embedded service supervisor (not the upstream AI
* provider itself). Callers should apply connection cooldown only — do NOT record a provider
* circuit-breaker failure when this flag is set. */
skipProviderBreaker?: boolean;
quotaResetHintMs?: number;
/** #6061: the provider-configured cooldown (ms) before backoff scaling, surfaced so the
* caller can persist an explicit reset window instead of the engine's scaled cooldown. */
configuredCooldownMs?: number;
} {
// G-02: detect embedded service supervisor failures (X-Omni-Fallback-Hint: connection_cooldown).
// These are NOT upstream AI provider failures — they are local supervisor state changes.
// Apply a short 5s connection cooldown without tripping the provider circuit breaker.
if (status === 503 && headers) {
const hintValue =
typeof (headers as Headers).get === "function"
? (headers as Headers).get("x-omni-fallback-hint")
: (headers as Record<string, string>)["x-omni-fallback-hint"] ||
(headers as Record<string, string>)["X-Omni-Fallback-Hint"];
if (typeof hintValue === "string" && hintValue.toLowerCase() === "connection_cooldown") {
return {
shouldFallback: true,
cooldownMs: 5_000,
baseCooldownMs: 5_000,
newBackoffLevel: 0,
reason: "service_not_running",
skipProviderBreaker: true,
};
}
}
const errorStr = (errorText || "").toString();
const profile = profileOverride ?? (provider ? getProviderProfile(provider) : null);
const maxBackoffSteps = profile?.maxBackoffSteps ?? BACKOFF_CONFIG.maxLevel;
const retryableStatuses = new Set([
HTTP_STATUS.REQUEST_TIMEOUT,
HTTP_STATUS.RATE_LIMITED,
HTTP_STATUS.SERVER_ERROR,
HTTP_STATUS.BAD_GATEWAY,
HTTP_STATUS.SERVICE_UNAVAILABLE,
HTTP_STATUS.GATEWAY_TIMEOUT,
]);
function parseResetFromHeaders(headers: Headers | Record<string, string> | null): number | null {
if (!headers) return null;
const recordHeaders = headers as Record<string, string>;
// Retry-After header
const retryAfter =
typeof (headers as Headers).get === "function"
? (headers as Headers).get("retry-after")
: recordHeaders["retry-after"] || recordHeaders["Retry-After"];
if (retryAfter) {
const seconds = Number.parseInt(retryAfter, 10);
if (!Number.isNaN(seconds) && String(seconds) === String(retryAfter).trim()) {
return Date.now() + seconds * 1000;
}
const date = new Date(retryAfter);
if (!Number.isNaN(date.getTime())) return date.getTime();
}
// X-RateLimit-Reset
const rlReset =
typeof (headers as Headers).get === "function"
? (headers as Headers).get("x-ratelimit-reset")
: recordHeaders["x-ratelimit-reset"] || recordHeaders["X-RateLimit-Reset"];
if (rlReset) {
const ts = Number.parseInt(rlReset, 10);
if (!Number.isNaN(ts)) {
return ts > 10000000000 ? ts : ts * 1000;
}
}
return null;
}
function getUpstreamRetryHintMs() {
if (!profile?.useUpstreamRetryHints) return null;
const resetTime = parseResetFromHeaders(headers);
if (resetTime) {
const waitMs = Math.max(resetTime - Date.now(), 0);
if (waitMs > 0) return waitMs;
}
const retryFromErrorText = parseRetryFromErrorText(errorStr);
if (retryFromErrorText && retryFromErrorText > 0) {
return retryFromErrorText;
}
return null;
}
function getScaledBaseCooldown(reason: RateLimitReasonValue, level = backoffLevel) {
void reason;
const baseCooldownMs =
typeof profile?.baseCooldownMs === "number" && profile.baseCooldownMs >= 0
? profile.baseCooldownMs
: COOLDOWN_MS.transientInitial;
return {
baseCooldownMs,
cooldownMs: getScaledCooldown(baseCooldownMs, level + 1, maxBackoffSteps),
newBackoffLevel: Math.min(level + 1, maxBackoffSteps),
};
}
function buildRetryableFallback(reason: RateLimitReasonValue) {
const upstreamRetryHintMs = getUpstreamRetryHintMs();
if (typeof upstreamRetryHintMs === "number" && upstreamRetryHintMs > 0) {
return {
shouldFallback: true,
cooldownMs: upstreamRetryHintMs,
baseCooldownMs: upstreamRetryHintMs,
newBackoffLevel: 0,
usedUpstreamRetryHint: true,
reason,
};
}
const scaled = getScaledBaseCooldown(reason, backoffLevel);
return {
shouldFallback: true,
cooldownMs: scaled.cooldownMs,
baseCooldownMs: scaled.baseCooldownMs,
newBackoffLevel: scaled.newBackoffLevel,
usedUpstreamRetryHint: false,
reason,
};
}
const isRateLimitStatus = status === HTTP_STATUS.RATE_LIMITED;
const preserveQuota429 = shouldPreserveQuotaSignalsFor429(provider);
const shouldUseQuotaSignal = !isRateLimitStatus || preserveQuota429;
// Check error message FIRST - specific patterns take priority over status codes
if (errorText) {
// T06 (sub2api #1037): Permanent account deactivation — do NOT retry, mark as permanent failure
if (isAccountDeactivated(errorStr)) {
return {
shouldFallback: true,
cooldownMs: 365 * 24 * 60 * 60 * 1000, // 1 year = effectively permanent
reason: RateLimitReason.AUTH_ERROR,
permanent: true,
};
}
// T10 (sub2api #1169): Credits/quota exhausted — long cooldown, distinct from rate limit
if (shouldUseQuotaSignal && isCreditsExhausted(errorStr)) {
return {
shouldFallback: true,
cooldownMs: COOLDOWN_MS.paymentRequired ?? 3600 * 1000, // 1h cooldown
reason: RateLimitReason.QUOTA_EXHAUSTED,
creditsExhausted: true,
};
}
// Daily quota exhausted — lock model until tomorrow
if (shouldUseQuotaSignal && isDailyQuotaExhausted(errorStr)) {
const msUntilTomorrow = getMsUntilTomorrow();
// Cap at 24 hours to handle timezone edge cases
const cooldownMs = Math.min(msUntilTomorrow, 24 * 60 * 60 * 1000);
return {
shouldFallback: true,
cooldownMs,
reason: RateLimitReason.QUOTA_EXHAUSTED,
dailyQuotaExhausted: true,
};
}
// Issue #2321: Anthropic OAuth (Claude Pro/Team) returns 429 with
// "Usage Limit Reached" for the 5-hour subscription quota. The
// pattern-based classifier now flags these as QUOTA_EXHAUSTED, but
// without a dedicated branch the request would still fall through to
// the generic 429 retry path (~5s base cooldown). Honor upstream
// Retry-After / reset hints only when the profile enables them;
// otherwise apply a local 1h cooldown so all Pro accounts on the same
// subscription tier stop cycling through tight retries without letting
// upstream-provided windows bypass the operator setting. (We
// deliberately do not use COOLDOWN_MS.paymentRequired here — that
// constant is 2 minutes, which is shorter than the recovery time of a
// subscription quota.)
if (
shouldUseQuotaSignal &&
!isCreditsExhausted(errorStr) &&
!isDailyQuotaExhausted(errorStr) &&
isSubscriptionQuotaText(errorStr.toLowerCase())
) {
// getUpstreamRetryHintMs() gates both headers and body reset text on
// profile.useUpstreamRetryHints.
const hintMs = getUpstreamRetryHintMs();
const SUBSCRIPTION_QUOTA_COOLDOWN_MS = 60 * 60 * 1000; // 1 hour
const bodyHint = parseRetryFromErrorText(errorStr);
return {
shouldFallback: true,
cooldownMs: hintMs ?? SUBSCRIPTION_QUOTA_COOLDOWN_MS,
reason: RateLimitReason.QUOTA_EXHAUSTED,
usedUpstreamRetryHint: Boolean(hintMs),
quotaResetHintMs: bodyHint ?? undefined,
};
}
const quotaResetHintMs = parseRetryFromErrorText(errorStr);
if (
shouldUseQuotaSignal &&
quotaResetHintMs &&
classifyErrorText(errorStr) === RateLimitReason.QUOTA_EXHAUSTED
) {
const fallbackResult = buildRetryableFallback(RateLimitReason.QUOTA_EXHAUSTED);
return {
...fallbackResult,
quotaResetHintMs,
};
}
// #2929: A route-restriction 403 (e.g. Fireworks Fire Pass keys returning
// "Fire Pass API keys are not authorized for this route." on the /models
// endpoint) means the key is valid but lacks access to THIS route — it still
// serves chat. It must NOT cool down the connection or be classified as an
// auth error, otherwise a single model-listing 403 marks the key unavailable.
if (
status === HTTP_STATUS.FORBIDDEN &&
errorStr.toLowerCase().includes("not authorized for this route")
) {
return { shouldFallback: false, cooldownMs: 0, reason: RateLimitReason.UNKNOWN };
}
if (
status === HTTP_STATUS.FORBIDDEN &&
provider &&
getProviderCategory(provider) === "apikey" &&
!errorStr.toLowerCase().includes("has not been used in project") &&
!errorStr.toLowerCase().includes("hour quota") &&
!errorStr.toLowerCase().includes("quota has been exceeded")
) {
return buildRetryableFallback(RateLimitReason.AUTH_ERROR);
}
}
// Gemini-specific: use known published RPM/RPD limits to distinguish 429 types.
// Gemini returns the same error body for both, so we use per-model request
// counters to decide: if daily count >= RPD → quota_exhausted (midnight lockout);
// if minute count >= RPM → rate_limit_exceeded (exponential backoff).
if (provider === "gemini" && status === HTTP_STATUS.RATE_LIMITED && _model) {
if (isRpdExhausted(_model)) {
return buildRetryableFallback(RateLimitReason.QUOTA_EXHAUSTED);
}
if (isRpmExhausted(_model)) {
return buildRetryableFallback(RateLimitReason.RATE_LIMIT_EXCEEDED);
}
}
const configuredRule =
isRateLimitStatus && !preserveQuota429
? matchErrorRuleByStatus(status)
: findMatchingErrorRule(status, errorStr);
if (configuredRule) {
if (configuredRule.backoff) {
// Provider-specific rules in `providerRuleRegistry` are MORE SPECIFIC
// than the configured (global) rule, so we check them first. If a
// provider rule matches, it overrides the configured rule's reason
// (e.g. Opencode's `x-ratelimit-remaining-requests: 0` overrides
// 429 → RATE_LIMIT_EXCEEDED). We do NOT call the full `classifyError`
// here because its global status fallback would otherwise override
// specific configured reasons (e.g. 503 → SERVER_ERROR would be
// shadowed by 503 → MODEL_CAPACITY).
const providerMatch = provider
? getProviderErrorRuleMatch(provider, status, headers, structuredError ?? null)
: null;
const reason = providerMatch
? providerMatch.reason
: (configuredRule.reason ?? RateLimitReason.UNKNOWN);
// Fix C: thread `providerMatch.cooldownMs` through so a configured rule
// like the "Monthly usage limit reached. Resets in N days." matcher can
// declare an explicit cooldown (e.g. 13 days) and have it win over the
// scaled backoff default returned by `buildRetryableFallback`. Without
// this, the rule's reason is used but its cooldownMs is silently
// dropped — which is exactly the user-visible bug where a 13-day
// upstream quota reset was being treated as ~60s.
const providerCooldownMs =
providerMatch?.cooldownMs !== undefined && providerMatch.cooldownMs > 0
? providerMatch.cooldownMs
: undefined;
const fallback = buildRetryableFallback(reason);
if (providerCooldownMs !== undefined) {
return {
...fallback,
cooldownMs: providerCooldownMs,
baseCooldownMs: providerCooldownMs,
configuredCooldownMs: providerCooldownMs,
};
}
return fallback;
}
const cooldownMs = configuredRule.cooldownMs ?? 0;
return {
shouldFallback: true,
cooldownMs,
baseCooldownMs: cooldownMs,
configuredCooldownMs: cooldownMs,
reason: configuredRule.reason ?? RateLimitReason.UNKNOWN,
};
}
if (status === HTTP_STATUS.NOT_ACCEPTABLE || retryableStatuses.has(status)) {
return buildRetryableFallback(RateLimitReason.SERVER_ERROR);
}
// 400 — context overflow / malformed request / model access denied
if (status === HTTP_STATUS.BAD_REQUEST) {
// Check structured error codes first (more reliable, no false positives)
// OpenAI: error.code === "model_not_found"
// Anthropic: error.type === "not_found_error" / "permission_error"
const structuredCode =
typeof structuredError?.code === "string" ? structuredError.code.toLowerCase() : "";
const structuredType =
typeof structuredError?.type === "string" ? structuredError.type.toLowerCase() : "";
// A clear bad-credential error must never be reclassified as model-access
// (which would silently exhaust every combo target). Structured detection
// below still catches genuine model_not_found / not_found_error codes.
const looksLikeAuthCredentialError = AUTH_CREDENTIAL_ERROR_PATTERNS.some((p) =>
p.test(errorStr)
);
const matchesModelAccessPattern =
!looksLikeAuthCredentialError && MODEL_ACCESS_DENIED_PATTERNS.some((p) => p.test(errorStr));
const isModelAccessDeniedStructured =
!!structuredError &&
(MODEL_ACCESS_DENIED_CODES.has(structuredCode) ||
MODEL_ACCESS_DENIED_TYPES.has(structuredType) ||
// Ambiguous types (e.g. Anthropic permission_error) only count as a model
// access denial when the message text confirms it is about the model.
(MODEL_ACCESS_AMBIGUOUS_TYPES.has(structuredType) && matchesModelAccessPattern));
const isOverflow = CONTEXT_OVERFLOW_PATTERNS.some((p) => p.test(errorStr));
const isMalformed = MALFORMED_REQUEST_PATTERNS.some((p) => p.test(errorStr));
const isParamValidation = PARAM_VALIDATION_PATTERNS.some((p) => p.test(errorStr));
const isModelAccessDenied = isModelAccessDeniedStructured || matchesModelAccessPattern;
if (isOverflow || isMalformed || isParamValidation || isModelAccessDenied) {
return {
shouldFallback: true,
cooldownMs: 0,
reason: RateLimitReason.MODEL_CAPACITY,
};
}
// Some providers (e.g. MiMoCode) signal throttling with a non-standard 400 whose
// body carries rate-limit semantics ("Detected high-frequency non-compliant
// requests from you.") instead of a 429. Detected here (AFTER malformed/overflow
// detection above, so a genuinely malformed 400 still wins and keeps its #2101
// zero-cooldown MODEL_CAPACITY classification), it is fallback-worthy at
// connection-cooldown scope so combo can fail over to another target (#4976).
if (RATE_LIMIT_TEXT_PATTERNS.some((p) => p.test(errorStr))) {
return buildRetryableFallback(RateLimitReason.RATE_LIMIT_EXCEEDED);
}
// Generic 400 is not account-fallback-worthy. Combo routing may still try a
// different provider/model because combo fallback is target-level orchestration.
return { shouldFallback: false, cooldownMs: 0, reason: RateLimitReason.UNKNOWN };
}
// All other errors - fallback with transient cooldown
return {
shouldFallback: true,
cooldownMs: profile?.baseCooldownMs ?? COOLDOWN_MS.transient,
baseCooldownMs: profile?.baseCooldownMs ?? COOLDOWN_MS.transient,
reason: RateLimitReason.UNKNOWN,
};
}
// ─── Account State Management ───────────────────────────────────────────────
/**
* Normalize a stored cooldown timestamp to epoch milliseconds.
*
* `rate_limited_until` is a TEXT column, but some write paths persist a raw
* epoch NUMBER (e.g. `setConnectionRateLimitUntil` on the Antigravity full-quota
* path). SQLite TEXT affinity coerces it to a numeric string like
* "1781696905131.0", which `new Date(...)` cannot parse (→ NaN). Accept numeric
* epoch strings/numbers as well as ISO strings and Date objects (#3954).
*/
export function cooldownUntilMs(value: string | number | Date | null | undefined): number {
if (value === null || value === undefined || value === "") return NaN;
if (value instanceof Date) return value.getTime();
if (typeof value === "number") return value;
const raw = value.trim();
if (/^\d+(\.\d+)?$/.test(raw)) return Number(raw);
return new Date(raw).getTime();
}
/**
* Check if account is currently unavailable (cooldown not expired)
*/
export function isAccountUnavailable(unavailableUntil: string | Date | null | undefined): boolean {
if (!unavailableUntil) return false;
const ms = cooldownUntilMs(unavailableUntil);
return Number.isFinite(ms) && ms > Date.now();
}
/**
* Calculate unavailable until timestamp
*/
export function getUnavailableUntil(cooldownMs: number): string {
return new Date(Date.now() + cooldownMs).toISOString();
}
/**
* Get the earliest rateLimitedUntil from a list of accounts
*/
export function getEarliestRateLimitedUntil(
accounts: Array<{ rateLimitedUntil?: string | null }>
): string | null {
let earliest: number | null = null;
const now = Date.now();
for (const acc of accounts) {
if (!acc.rateLimitedUntil) continue;
const until = cooldownUntilMs(acc.rateLimitedUntil);
if (!Number.isFinite(until) || until <= now) continue;
if (!earliest || until < earliest) earliest = until;
}
if (!earliest) return null;
return new Date(earliest).toISOString();
}
/**
* Format rateLimitedUntil to human-readable "reset after Xm Ys"
*/
export function formatRetryAfter(
rateLimitedUntil: string | number | Date | null | undefined
): string {
if (!rateLimitedUntil) return "";
const diffMs = new Date(rateLimitedUntil).getTime() - Date.now();
if (diffMs <= 0) return "reset after 0s";
const totalSec = Math.ceil(diffMs / 1000);
const h = Math.floor(totalSec / 3600);
const m = Math.floor((totalSec % 3600) / 60);
const s = totalSec % 60;
const parts: string[] = [];
if (h > 0) parts.push(`${h}h`);
if (m > 0) parts.push(`${m}m`);
if (s > 0 || parts.length === 0) parts.push(`${s}s`);
return `reset after ${parts.join(" ")}`;
}
/**
* Filter available accounts (not in cooldown)
*/
export function filterAvailableAccounts<T extends AccountState>(
accounts: T[],
excludeId: string | null = null
): T[] {
const now = Date.now();
return accounts.filter((acc) => {
if (excludeId && acc.id === excludeId) return false;
if (acc.rateLimitedUntil) {
const until = cooldownUntilMs(acc.rateLimitedUntil);
if (Number.isFinite(until) && until > now) return false;
}
return true;
});
}
/**
* Reset account state when request succeeds
*/
export function resetAccountState<T extends AccountState | null | undefined>(
account: T
): T | AccountState {
if (!account) return account;
// Persist the cooldown clear so a successfully-retried connection is no longer
// marked as rate-limited in `provider_connections.rate_limited_until`. Mirrors
// Fix A: the in-memory AccountState and the DB row must agree so the cascade
// survives the request boundary and `clearStaleCrashCooldowns` doesn't have
// to rediscover what we already know is healthy.
// Best-effort: a DB write failure must not crash the request path.
const connId = (account as AccountState | null | undefined)?.id;
if (typeof connId === "string" && connId.length > 0) {
try {
setConnectionRateLimitUntil(connId, null);
} catch {
// ignore — best effort
}
}
return {
...account,
rateLimitedUntil: null,
backoffLevel: 0,
lastError: null,
status: "active",
};
}
/**
* Apply error state to account
*/
export function applyErrorState<T extends AccountState | null | undefined>(
account: T,
status: number,
errorText: string | null,
provider: string | null = null
): T | AccountState {
if (!account) return account;
const backoffLevel = account.backoffLevel || 0;
const fallbackDecision = checkFallbackError(status, errorText, backoffLevel, null, provider);
const { cooldownMs, reason } = fallbackDecision;
const newBackoffLevel =
"newBackoffLevel" in fallbackDecision ? fallbackDecision.newBackoffLevel : undefined;
// Cooldown may be overridden by a configured provider rule (see
// `accountFallback.ts:1511-1540` provider-match branch + the
// `providerMatch.cooldownMs` thread-through added by Fix C). When the
// configured rule sets an explicit cooldownMs, it wins over the scaled
// backoff default that `checkFallbackError` returned.
const configuredCooldownMs =
"configuredCooldownMs" in fallbackDecision
? (fallbackDecision as { configuredCooldownMs?: number }).configuredCooldownMs
: undefined;
const effectiveCooldownMs =
typeof configuredCooldownMs === "number" && configuredCooldownMs > 0
? configuredCooldownMs
: cooldownMs;
const nextState: T | AccountState = {
...account,
rateLimitedUntil: effectiveCooldownMs > 0 ? getUnavailableUntil(effectiveCooldownMs) : null,
backoffLevel: newBackoffLevel ?? backoffLevel,
lastError: { status, message: errorText, timestamp: new Date().toISOString(), reason },
status: "error",
};
// Persist the cooldown to `provider_connections.rate_limited_until` so the
// cascade survives the request boundary. Before Fix A the cooldown only
// lived in the in-memory AccountState object returned here, which was
// discarded the moment the request ended — the same exhausted key was
// re-picked on the very next request.
// Best-effort try/catch mirrors `open-sse/executors/antigravity.ts:343`
// (`markConnectionQuotaExhausted`) so a DB failure can never crash the
// chat path. See issue #1 (per-account 429 cascade not persisting).
const connId = (account as AccountState | null | undefined)?.id;
if (
typeof connId === "string" &&
connId.length > 0 &&
effectiveCooldownMs > 0 &&
nextState.rateLimitedUntil
) {
try {
const untilMs = cooldownUntilMs(nextState.rateLimitedUntil);
if (Number.isFinite(untilMs) && untilMs > Date.now()) {
setConnectionRateLimitUntil(connId, untilMs);
}
} catch {
// ignore — best effort
}
}
return nextState;
}
/**
* Get account health score (0-100) for P2C selection (Phase 9)
* @param {object} account
* @returns {number} score 0 = unhealthy, 100 = perfectly healthy
*/
export function getAccountHealth(
account: AccountState | null | undefined,
model?: unknown
): number {
if (!account) return 0;
let score = 100;
score -= (account.backoffLevel || 0) * 10;
if (account.lastError) score -= 20;
if (account.rateLimitedUntil && isAccountUnavailable(account.rateLimitedUntil)) score -= 30;
return Math.max(0, score);
}