feat(circuit-breaker): add auto-recovery from OPEN state

[frankbria]

Summary

• Adds cooldown timer (default 30 min): OPEN → HALF_OPEN after CB_COOLDOWN_MINUTES, then existing HALF_OPEN logic handles recovery (progress → CLOSED) or re-trip (no progress → OPEN)
• Adds auto-reset option: CB_AUTO_RESET=true or --auto-reset-circuit flag bypasses cooldown, resets to CLOSED on startup for fully unattended operation
• Adds parse_iso_to_epoch() cross-platform ISO-to-epoch converter in lib/date_utils.sh
• Adds opened_at field to circuit breaker state file for cooldown tracking (backward compatible with old state files)
• 19 new tests, 484/484 total tests passing (zero regressions)

Closes #160

Changes

File	Description
lib/date_utils.sh	New parse_iso_to_epoch() function (GNU → BSD → manual fallback)
lib/circuit_breaker.sh	Cooldown + auto-reset in init_circuit_breaker(), opened_at in state file
ralph_loop.sh	--auto-reset-circuit CLI flag, env var capture/restore for new config
templates/ralphrc.template	CB_COOLDOWN_MINUTES and CB_AUTO_RESET config options
tests/unit/test_circuit_breaker_recovery.bats	19 tests: cooldown, auto-reset, parse_iso_to_epoch, CLI
CLAUDE.md	Auto-recovery docs, updated test table (484 tests)
README.md	Circuit breaker docs, CLI reference, test counts

Test plan

• All 484 tests pass (npm test)
• New test file passes: bats tests/unit/test_circuit_breaker_recovery.bats
• Manual: Force OPEN state, wait 30 min, restart ralph → enters HALF_OPEN
• Manual: CB_AUTO_RESET=true in .ralphrc, force OPEN → resets to CLOSED
• Manual: ralph --auto-reset-circuit with OPEN state → resets and runs

Summary by CodeRabbit

• New Features

  • Circuit breaker auto-recovery with configurable cooldown (default 30 minutes) and an option to auto-reset on startup.
  • New CLI flag to enable startup auto-reset and corresponding runtime option.

• Documentation

  • README and templates updated with auto-recovery options, sample configuration, and CLI help text.
  • Improved time-parsing behavior for cooldown comparisons.

• Tests

  • Test suite expanded to 484 tests with comprehensive auto-recovery scenarios.

[coderabbitai]

Walkthrough

This PR adds automatic circuit-breaker recovery (cooldown-based OPEN→HALF_OPEN and optional startup auto-reset to CLOSED), persists an opened_at timestamp for recovery decisions, introduces CB_COOLDOWN_MINUTES and CB_AUTO_RESET (plus --auto-reset-circuit flag), and exposes parse_iso_to_epoch() for ISO→epoch conversions.

Changes

Cohort / File(s)	Summary
Circuit Breaker Core lib/circuit_breaker.sh	Track and persist opened_at, compute elapsed cooldown, implement OPEN→HALF_OPEN cooldown transition, and support startup auto-reset when CB_AUTO_RESET=true.
Date Utility lib/date_utils.sh	Added public parse_iso_to_epoch() with multiple parsing fallbacks and exported it for external use.
CLI & Runtime Wiring ralph_loop.sh, templates/ralphrc.template	Load CB_COOLDOWN_MINUTES and CB_AUTO_RESET from env/template; add --auto-reset-circuit flag and propagate setting into session startup.
Docs & README CLAUDE.md, README.md	Documented auto-recovery behavior, new config flags, CLI usage, and updated test counts/status to 484 tests.
Tests tests/unit/test_circuit_breaker_recovery.bats	New comprehensive Bats suite covering cooldown logic, auto-reset behavior, opened_at handling, compatibility with older state formats, and ISO timestamp parsing.
Template templates/ralphrc.template	Added CB_COOLDOWN_MINUTES and CB_AUTO_RESET entries with descriptions and warnings about auto-reset safety.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI/ralph_loop.sh
    participant CBInit as CircuitBreaker (lib/circuit_breaker.sh)
    participant StateFile as State File
    participant DateUtil as Date Utils (parse_iso_to_epoch)

    CLI->>CBInit: init_circuit_breaker()
    CBInit->>StateFile: read persisted state JSON
    StateFile-->>CBInit: { state: OPEN, opened_at: "ISO_ts" }

    alt CB_AUTO_RESET = true
        CBInit->>CBInit: set state = CLOSED
        CBInit->>StateFile: persist CLOSED state
    else CB_AUTO_RESET = false
        CBInit->>DateUtil: parse_iso_to_epoch("ISO_ts")
        DateUtil-->>CBInit: opened_at_epoch
        CBInit->>CBInit: compute elapsed_minutes
        alt elapsed_minutes >= CB_COOLDOWN_MINUTES
            CBInit->>CBInit: transition OPEN → HALF_OPEN
            CBInit->>StateFile: persist HALF_OPEN (with opened_at)
        else
            CBInit->>StateFile: retain OPEN (with opened_at)
        end
    end

    CBInit-->>CLI: initialization complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• fix: progress detection improvements (#141, #144) #158: Modifies circuit-breaker and loop progress handling in ralph_loop.sh, overlapping startup and recovery logic.
• feat(session): add session lifecycle management with auto-reset triggers #66: Related changes to startup circuit-breaker behavior and wiring between ralph_loop.sh and date utilities.
• test(cli): add comprehensive CLI argument parsing tests #52: Adds CLI argument parsing tests that intersect with the new --auto-reset-circuit flag handling.

Poem

🐇 I burrowed through logs and time,
Saved opened_at in careful rhyme,
A cooldown nap, or jump to new—
Auto-reset wakes circuits true.
Hoppity-hop, the loop runs fine!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(circuit-breaker): add auto-recovery from OPEN state' directly and clearly summarizes the main change: adding auto-recovery capability to the circuit breaker.
Linked Issues check	✅ Passed	The PR addresses core requirements from #160: implements configurable cooldown-based auto-recovery (CB_COOLDOWN_MINUTES), auto-reset option (CB_AUTO_RESET/--auto-reset-circuit), state persistence with opened_at tracking, and comprehensive tests. However, it partially addresses streaming robustness and token limit handling aspects of #160.
Out of Scope Changes check	✅ Passed	All changes directly support the circuit breaker auto-recovery objective: configuration variables, CLI flags, state persistence, utility functions (parse_iso_to_epoch), test suite, and documentation updates are all in scope.
Docstring Coverage	✅ Passed	Docstring coverage is 84.62% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/circuit-breaker-auto-recovery

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Add auto-recovery for the circuit breaker by updating lib/circuit_breaker.sh::init_circuit_breaker to reset OPEN to CLOSED with CB_AUTO_RESET=true or move to HALF_OPEN after CB_COOLDOWN_MINUTES

Implement OPEN state recovery logic and opened_at tracking in lib/circuit_breaker.sh, add cross-platform parse_iso_to_epoch in lib/date_utils.sh, introduce --auto-reset-circuit and env precedence in ralph_loop.sh, update configs and docs, and add tests for recovery flows.

📍Where to Start

Start with recovery logic in init_circuit_breaker and record_loop_result in lib/circuit_breaker.sh.

---

Macroscope summarized c10efb9.

[github-actions]

Code Review: feat(circuit-breaker): add auto-recovery from OPEN state

Summary

This is a well-implemented feature that adds two complementary auto-recovery mechanisms to the circuit breaker system. The code is clean, well-tested (19 new tests, 484/484 passing), and maintains backward compatibility.

Code Quality & Best Practices ✅

Strengths:

• Excellent fallback chain in parse_iso_to_epoch() (GNU → BSD → manual → current epoch)
• Backward compatibility with old state files (falls back to last_change when opened_at missing)
• Clock skew handling (negative elapsed_time stays OPEN safely)
• Consistent use of jq for JSON operations (no string manipulation)
• Good separation of concerns (date_utils.sh for cross-platform compatibility)

Minor observations:

• The CB_AUTO_RESET=true behavior is well-implemented but could benefit from additional documentation about its interaction with cooldown logic

Potential Bugs or Issues ✅

No bugs found. The implementation handles edge cases well:

• Empty/null opened_at values checked before processing (line 87, 89)
• Clock skew detection prevents negative elapsed_time from causing issues (line 95)
• Old state files without opened_at fall back gracefully (line 87)
• CB_COOLDOWN_MINUTES=0 is intentional and handled correctly

Performance Considerations ✅

No concerns:

• Timestamp parsing is lightweight (simple date commands)
• Circuit breaker state checks only run at loop startup
• No new dependencies added

Security Considerations ✅

No security concerns:

• All JSON operations use jq (no eval or injection risks)
• Environment variables are validated/sanitized via jq
• ISO timestamp parsing is safe with proper validation

Test Coverage ✅

Excellent test coverage (19 tests):

• ✅ Cooldown timer behavior (elapsed/not elapsed cases)
• ✅ Auto-reset functionality (preserves total_opens, logs transitions)
• ✅ parse_iso_to_epoch() (valid/empty/null inputs)
• ✅ Backward compatibility (old state files without opened_at)
• ✅ Edge cases (clock skew, CB_COOLDOWN_MINUTES=0)
• ✅ CLI flag integration

Recommendations (Non-Blocking)

1. Documentation: Consider adding a note in CLAUDE.md or README.md explaining that CB_AUTO_RESET=true completely bypasses the cooldown mechanism, which may not be obvious to users reading both settings together.

2. Minor formatting: Line 309 in circuit_breaker.sh has a slightly unusual EOF pattern with embedded condition, but it's functionally correct and follows bash best practices.

Conclusion

LGTM with 1 minor documentation suggestion.

The implementation is production-ready with excellent test coverage. The dual mechanism (cooldown + auto-reset) provides flexibility for both attended and unattended workflows. All 484 tests pass with zero regressions.

[github-actions]

Review posted to #165 (comment)

opencode session  |  github run

[github-actions]

Code Review - PR 165: Circuit Breaker Auto-Recovery

This is an excellent implementation of auto-recovery from the OPEN state. The code is well-structured, thoroughly tested, and maintains backward compatibility.

---

✅ Strengths

1. Robust Cross-Platform Date Parsing
The parse_iso_to_epoch() function is exemplary with three-tier fallback strategy, validates numeric output, safe defaults, and handles edge cases.

2. Excellent Backward Compatibility

• Old state files without opened_at gracefully fall back to last_change
• Preserves total_opens count across auto-reset operations
• Conditional JSON field generation prevents breaking existing parsers

3. Comprehensive Test Coverage
19 new tests covering cooldown timer edge cases, auto-reset behavior, state file migrations, cross-platform behavior, and CLI flag integration. All 484 tests passing demonstrates zero regressions.

4. Clock Skew Safety
Protection against negative elapsed time prevents premature recovery on clock adjustments.

---

🔍 Code Quality Observations

1. JSON Generation (lib/circuit_breaker.sh:309-310)
The inline conditional for opened_at field works correctly but slightly reduces readability. Consider using jq for JSON construction in future refactors. Not a blocker - current implementation is correct and tested.

2. Variable Shadowing in Tests
Multiple test functions declare local state variables. While valid, consider unique names like cb_state for clarity. Minor - doesn't affect correctness.

3. Error Handling
The parse_iso_to_epoch() fallback chain is excellent. One theoretical edge case: if date +%s itself fails. Very minor - edge case is theoretical.

---

🎯 Security and Performance

Security: No concerns. All inputs validated, no command injection risks.

Performance: parse_iso_to_epoch() uses early returns, negligible overhead added.

---

📚 Documentation Quality

Excellent coverage in CLAUDE.md and README.md with clear explanations, configuration examples, and CLI reference. Optional: add troubleshooting section in future.

---

✨ Test Quality

Exceptional test design with helpers, edge case coverage, and isolated CLI flag testing.

---

🚀 Recommendation

APPROVE with confidence.

This PR:

• ✅ Solves Issue 160 completely
• ✅ Maintains 100% test pass rate (484/484)
• ✅ Preserves backward compatibility
• ✅ Follows repository conventions
• ✅ Includes comprehensive documentation
• ✅ Has zero security concerns

Minor observations are stylistic suggestions, not blockers. Ready to merge. 🎉

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In `@CLAUDE.md`:
- Around line 447-452: The README/CLAUDE.md test count is inconsistent: update
the earlier summary line that currently reads "Run all tests (420 tests)" to
match the new total "Run all tests (484 tests)" so the doc is consistent with
the updated table under the "Test Files (484 tests)" heading; locate and replace
the exact phrase "Run all tests (420 tests)" in CLAUDE.md with "Run all tests
(484 tests)" and verify no other stray 420 references remain.

In `@lib/circuit_breaker.sh`:
- Around line 60-113: The transition logging is called before the history file
is guaranteed to exist which can create/overwrite an invalid history and break
callers; fix by ensuring the history file is validated/created before any call
to log_circuit_transition (or add defensive validation inside
log_circuit_transition itself). Concretely, add a preflight that
creates/initializes CB_HISTORY_FILE (or call an existing
init_history/ensure_history function) before the two shown calls to
log_circuit_transition in the Auto-reset and Cooldown branches (and the similar
calls around lines 115-125), or modify log_circuit_transition to first
validate/create CB_HISTORY_FILE and return early on I/O errors.

In `@lib/date_utils.sh`:
- Around line 68-75: The BSD branch currently strips timezone info (variable
stripped) and parses with date -j -f which treats the timestamp as local time;
instead preserve/normalize the timezone and parse it so UTC is respected: modify
the logic that sets stripped to convert a trailing "Z" to "+0000" (or leave
existing +HH:MM/+-HH:MM as-is) and call date -j -f with a format that includes
the zone, e.g. "%Y-%m-%dT%H:%M:%S%z" when invoking date -j -f (the code path
using date -j -f in this file), so the parsed epoch uses the correct UTC offset
rather than local time.

In `@README.md`:
- Around line 652-654: Update the inconsistent test count references in README:
find the "Test Coverage" header and any test-count badge or occurrences showing
"465" (and the related badge text/alt/title) and change them to "484" so they
match the updated footer lines that show "484 tests" and "100% pass rate"; also
update the other occurrence noted (around line 855) to the same "484" and ensure
the badge markdown (alt/title/text) and any accompanying header text reflect
"484 tests" and "100% pass rate".

[github-actions]

Code Review

This is a well-implemented feature with excellent test coverage. The dual recovery mechanism (cooldown + auto-reset) provides flexibility for different use cases.

Code Quality

Strengths:

• Clean, well-documented implementation following repository conventions
• Comprehensive test suite (19 new tests, 484/484 passing)
• Backward compatibility with old state files (graceful fallback to last_change)
• Clock skew handling prevents premature recovery
• Cross-platform date parsing with robust fallback chain

Issues Assessment

I've reviewed the CodeRabbit comments and found:

1. History file initialization (claimed as "Major"): The history file is correctly initialized on lines 60-70 before the log_circuit_transition calls at lines 82 and 110. This is not a bug.

2. BSD date timezone parsing (claimed as "Major"): The code uses date -u (UTC) consistently throughout. The BSD date branch on lines 70-75 normalizes timezone format (Z → +0000, +HH:MM → +HHMM) before parsing. This is correct and UTC is properly handled.

3. Documentation test counts: Both CLAUDE.md and README.md already show "484 tests" consistently. No updates needed.

Security & Performance

• No security concerns: All JSON operations use jq, no command injection risks
• No performance concerns: Timestamp parsing is lightweight, only runs at startup

Minor Observations

• The inline JSON generation at circuit_breaker.sh:309-310 works correctly but could be refactored to use jq for consistency in future maintenance
• Consider adding a troubleshooting section to README.md for circuit breaker scenarios (future enhancement, not blocking)

Conclusion

LGTM - Approve for merge.

The implementation is production-ready with comprehensive testing. All 484 tests pass with zero regressions. The CodeRabbit "major" issues appear to be false positives based on incorrect analysis of the code flow.

Great work on Issue 160!

[github-actions]

Code review comment posted to #165 (comment)

opencode session  |  github run

[github-actions]

Code Review - PR 165: Circuit Breaker Auto-Recovery

This is an exceptionally well-implemented feature that adds auto-recovery mechanisms to the circuit breaker. The implementation is thorough, well-tested, and maintains backward compatibility. All 484 tests passing with zero regressions demonstrates excellent quality control.

---

✅ Strengths

1. Robust Cross-Platform Date Parsing
The parse_iso_to_epoch() function in lib/date_utils.sh:68-97 is exemplary:

• Three-tier fallback strategy (GNU date → BSD date → manual parsing → current epoch)
• Validates numeric output at each stage
• Safe defaults prevent edge case failures
• Handles timezone normalization for BSD systems

2. Excellent Backward Compatibility

• Old state files without opened_at gracefully fall back to last_change (circuit_breaker.sh:99)
• Preserves total_opens count across auto-reset operations (circuit_breaker.sh:92)
• Conditional JSON field generation (circuit_breaker.sh:280-281) prevents breaking existing parsers

3. Comprehensive Test Coverage
19 new tests covering:

• Cooldown timer edge cases (not elapsed, elapsed, CB_COOLDOWN_MINUTES=0)
• Auto-reset behavior (preserves total_opens, logs transitions)
• State file migrations (old format compatibility)
• Cross-platform behavior (parse_iso_to_epoch fallbacks)
• Clock skew safety (negative elapsed time)
• CLI flag integration

4. Clock Skew Safety
Lines 95-96 in circuit_breaker.sh protect against negative elapsed time (when system clock jumps backward), preventing premature recovery.

5. Clear Documentation
CLAUDE.md and README.md updates are thorough with configuration examples, CLI reference, and clear explanations of the dual recovery mechanisms.

[github-actions]

🔍 Minor Observations (Non-Blocking)

1. JSON Generation Pattern
lib/circuit_breaker.sh:280-281 uses inline conditional for the opened_at field. This works correctly but slightly reduces readability. Consider using jq for JSON construction in future refactors (not a blocker - current implementation is tested and correct).

2. Documentation Enhancement
The interaction between CB_AUTO_RESET=true and CB_COOLDOWN_MINUTES could be more explicit. When CB_AUTO_RESET is enabled, it completely bypasses the cooldown mechanism. A note in the "Circuit Breaker Auto-Recovery" section of CLAUDE.md explaining this would help users understand that setting both is unnecessary.

Suggested addition after line 50 in CLAUDE.md:

Note: When CB_AUTO_RESET=true, the cooldown timer is bypassed entirely. The CB_COOLDOWN_MINUTES setting has no effect in this mode.

3. Theoretical Edge Case
Lines 56-59 in date_utils.sh handle empty/null input, but if date +%s itself fails (theoretical edge case on exotic systems), there's no fallback. This is a very minor concern since date +%s is universally supported.

---

🎯 Security, Performance & Architecture

Security: ✅ No concerns

• All JSON operations use jq (no eval or injection risks)
• Environment variables validated via jq
• ISO timestamp parsing is safe with proper validation

Performance: ✅ No concerns

• Timestamp parsing is lightweight
• Circuit breaker checks only run at loop startup
• No new dependencies

Architecture: ✅ Excellent

• Clear separation of concerns (date_utils.sh for cross-platform compatibility)
• Dual mechanism design provides flexibility (cooldown vs auto-reset)
• State persistence is robust with corruption detection

---

📚 Test Quality

Exceptional test design:

• Helper functions (create_open_state, get_past_timestamp) promote DRY principles
• Edge cases well-covered (clock skew, old state files, CB_COOLDOWN_MINUTES=0)
• Integration tests verify HALF_OPEN recovery paths
• CLI flag testing ensures end-to-end functionality

[github-actions]

🚀 Recommendation

APPROVE with minor documentation suggestion

This PR:

• ✅ Solves Issue Number 160 completely
• ✅ Maintains 100% test pass rate (484/484)
• ✅ Preserves backward compatibility
• ✅ Follows repository conventions from CLAUDE.md
• ✅ Includes comprehensive documentation
• ✅ Has zero security concerns
• ✅ Adds valuable functionality for both attended and unattended workflows

The minor observations above are stylistic suggestions for future consideration, not blockers. This is production-ready code. Excellent work! 🎉

---

Reviewed by: Claude Sonnet 4.5 (AI Code Review)
Review Date: 2026-02-07