Chio/Docs

Failure & Recovery

Chio is fail-closed by default. A panic in a guard, a poisoned mutex, an exhausted WASM fuel budget, an unreachable provider: each of these produces Verdict::Deny with a structured reason, and each leaves an evidence trail. This page is the contract for which condition produces which verdict, what the circuit breaker does about it, how retries are bounded, and the recovery levers operators reach for.

Source

Verified against crates/chio-guards/src/external/circuit_breaker.rs, crates/chio-guards/src/external/retry.rs, and crates/chio-guards/src/external/mod.rs.

Failure-Mode Matrix

FailureVerdictReason classSide effects
Caught panic in guardDenytraptracing::error! with backtrace
Poisoned mutexDenypolicyMay invalidate session for session-aware guards
WASM fuel exhaustedDenyfuelGuard quarantined until reset
WASM trapDenytrapGuard module marked unhealthy
Circuit open (default)DenypolicyNo provider call attempted
Circuit open (advisory)AllowpolicyOpt-in via CircuitOpenVerdict::Allow
Parse error (request payload)DenypolicyEvidence carries the parse failure
Regex compile failure (config)guard skippedn/atracing::warn!; pipeline may be permissive
Network timeout (transient)retries; Deny on exhaustpolicyCounts as failure for the breaker
Permanent error (4xx, malformed)DenypolicyNo retry; not configurable
Session journal unavailableDenypolicyAffects only session-aware guards
Receipt store write failureDenypolicyKernel cannot record evidence

Regex compile failure is the one footgun

The other rows fail closed. A regex that fails to compile at config-load time disables the pattern entirely, which can produce a permissive guard. Validate policies through chio check before deployment so this turns into a load-time error rather than a runtime hole.

Circuit Breaker

External-guard adapters wrap their inner provider call in a three-state breaker (crates/chio-guards/src/external/circuit_breaker.rs):

crates/chio-guards/src/external/circuit_breaker.rs
pub enum CircuitState {
    Closed,    // Normal operation. Failures count toward a sliding window.
    Open,      // Fail-fast. Calls short-circuit until reset_timeout elapses.
    HalfOpen,  // Probing. A bounded number of trial calls test recovery.
}

The transitions:

  • Closed to Open. When the number of failures inside the rolling failure_window reaches failure_threshold.
  • Open to HalfOpen. When reset_timeout has elapsed since the breaker opened. The next call admitted moves to HalfOpen.
  • HalfOpen to Closed. After success_threshold consecutive successes.
  • HalfOpen to Open. Any single failure during probing reopens the breaker.
crates/chio-guards/src/external/circuit_breaker.rs
pub struct CircuitBreakerConfig {
    pub failure_threshold: u32,    // default 5
    pub failure_window: Duration,  // default 60s
    pub success_threshold: u32,    // default 2
    pub reset_timeout: Duration,   // default 30s
}

CircuitOpenVerdict

When the breaker is Open, the adapter does not call the provider. Instead it returns a configurable verdict:

crates/chio-guards/src/external/circuit_breaker.rs
pub enum CircuitOpenVerdict {
    Deny,   // Fail-closed. Default.
    Allow,  // Fail-open. Advisory only.
}

Pick Allow only when unavailability is preferable to a denied request. The two legitimate cases:

  • The guard's output feeds a human-review queue rather than gating an action. A missed signal is recoverable.
  • The guard is one of several independent layers and the others are still in the synchronous chain. Losing one advisory layer is not a security regression.

Never fail-open a last-line-of-defense guard

If a guard is the only thing standing between an agent and a privileged action, leave the default. An open-circuit Allow turns the breaker into a single-point-of-failure exfil channel.

RateLimitedVerdict

Same shape, different trigger. When the adapter's token bucket is empty:

crates/chio-guards/src/external/mod.rs
pub enum RateLimitedVerdict {
    Deny,   // Default. The QPS budget is exhausted; deny the request.
    Allow,  // Advisory: allow the request even though the budget is exhausted.
}

Retry Strategies

Adapters retry transient and timeout errors only. 4xx and malformed-request errors are permanent; they short-circuit the retry loop and become Verdict::Deny.

crates/chio-guards/src/external/retry.rs
pub enum BackoffStrategy {
    Exponential,  // base_delay * 2^(attempt - 1)
    Constant,     // base_delay
    Linear,       // base_delay * attempt
}

pub struct RetryConfig {
    pub max_retries: u32,         // default 3 (so 4 total attempts)
    pub base_delay: Duration,     // default 100ms
    pub max_delay: Duration,      // default 5s
    pub jitter_fraction: f64,     // default 0.25 (clamped to [0.0, 1.0])
    pub strategy: BackoffStrategy,// default Exponential
}

Three things to know:

  • Total attempts is max_retries + 1. A value of 0 means "run exactly once, no retries".
  • Jitter is bounded multiplicative. The configured delay is multiplied by 1 + uniform(-jitter_fraction, +jitter_fraction). Defaults give a ±25% spread, which is enough to avoid thundering herd while keeping the worst-case bounded.
  • Jitter is deterministic by default. The retry RNG is seeded from max_retries so tests reproduce. Production callers wanting non-deterministic jitter can use retry_with_jitter_rng.

Backoff selection

Exponential is right for most providers: a temporarily-degraded service recovers faster when retries thin out. Linear suits providers that throttle on a fixed window, where doubling delay overshoots the throttle. Constant is for tests and rare deterministic-cadence health checks.

Composed Adapter Flow

Inside AsyncGuardAdapter, the failure-handling pieces compose in a fixed order:

text
evaluate(ctx):
    1. CircuitBreaker.allow_call()          -> CircuitOpenVerdict on deny
    2. TtlCache.get(cache_key)              -> cached verdict on hit
    3. TokenBucket.try_acquire()            -> RateLimitedVerdict on empty
    4. retry_with_jitter(inner.eval)        -> Verdict::Deny on permanent failure
                                             -> Verdict on success (also cached)
AsyncGuardAdapter layered compositionCircuit breaker: tracks recent failures; opens on threshold; short-circuits while open; probes on reset_timeout.Circuit breakerClosed · Open · HalfOpenTTL cache keyed by ExternalGuard::cache_key(ctx). Hit returns the cached verdict and skips rate limit + retry.CacheTTL ~30 minToken bucket. On empty, returns the configured rate-limited verdict (Deny by default) without contacting the provider.Rate limittoken bucketretry_with_jitter: up to max_retries+1 attempts. Exponential, Constant, or Linear backoff with jitter_fraction=0.25 by default.Retryjittered backoffThe concrete provider's single attempt: one outbound call, one Verdict or ExternalGuardError.ExternalGuard::eval()one HTTP call · one verdictVerdict on Open is Deny by default; reconfigurable via circuit_open_verdict.open ⇒ Denythreshold 5 / window 60s · reset 30sCache check sits before the token bucket so steady-state hits do not spend rate-limit budget.hit ⇒ return cachedTTL ~30 min · skips rate limit + retryRate-limited calls return rate_limited_verdict (Deny by default) and never reach the provider, so they do not count against the breaker's failure window.empty ⇒ Denytoken bucket · does not feed breakerOnly Timeout and Transient errors retry. Permanent (4xx, malformed) errors short-circuit immediately.permanent ⇒ Deny · transient + timeout retrymax 3 retries · base 100ms · cap 5s · jitter 0.25request flows inbreaker → cache → rate limit→ retry → core evalresponse unwinds outverdict bubbles back througheach layer in reverse orderAsyncGuardAdapter<E>: outer layers add resilience around inner corefailure modes short-circuit at the layer that detects them · final fallback is Deny
AsyncGuardAdapter composition. Each outer layer adds a resilience concern. The core eval is wrapped innermost; failure modes short-circuit at the layer that detects them.

Two invariants matter:

  • Cache hits do not spend rate-limit budget. The cache check precedes the token bucket on purpose: a steady-state hot cache is free.
  • Rate-limited calls do not count as breaker failures. Only real attempts at the external service feed the failure window. A bursty client cannot trip the breaker by exceeding the rate limit.

Recovery Patterns

Hot-Reload a WASM Guard

A WASM guard that hits its fuel ceiling or traps repeatedly is quarantined: the bundle store marks it unhealthy and pipeline evaluations short-circuit to Verdict::Deny. To recover, push a corrected bundle through the hot-reload path. The reload metric chio_guard_reload_total labels by outcome: applied, canary_failed, rolled_back. A canary-failed reload leaves the prior epoch in place; the new bundle is rejected without disturbing in-flight requests.

Manual Circuit-Breaker Reset

The breaker normally drives itself: Open to HalfOpen on reset_timeout elapsing, HalfOpen to Closed on success_threshold consecutive successes. Operators can short-circuit this via the admin API when they have out-of-band confirmation that the provider has recovered. Use sparingly: forcing Closed during a real outage just trips the breaker again on the next request.

Session Journal Repair

Session journals reload from the receipt log on kernel restart. Replay the receipts for an active session and the journal rebuilds. A poisoned-mutex panic that survived restart points at an underlying invariant break; the repair-on-restart path is the recovery hatch but the underlying bug deserves a kernel issue.

Worked Example: Tuned for a Flaky Provider

adapter.yaml
adapter:
  # Cache aggressively because the provider is unreliable.
  cache_ttl_seconds: 120
  cache_capacity: 4096

  # Provider QPS is 50; leave 20% headroom.
  rate_per_second: 40
  rate_burst: 40

  # Rolling window for failure counting. 60s default is fine for a steady
  # 5K req/s replica.
  circuit_failure_window_secs: 60
  circuit_failure_threshold: 5
  circuit_success_threshold: 2
  circuit_reset_timeout_secs: 30

  # Retry transient failures up to twice (3 total attempts), exponential
  # backoff with deterministic jitter.
  retry_max_retries: 2
  retry_base_delay_ms: 100
  retry_max_delay_ms: 5000
  retry_jitter_fraction: 0.25
  retry_strategy: exponential

  # Default behavior: deny when the breaker is open.
  circuit_open_verdict: deny
  rate_limited_verdict: deny

The two changed-from-default knobs are cache_ttl_seconds (raised from 60 to 120) and retry_max_retries (lowered from 3 to 2). A flakier provider deserves a longer cache TTL (more hits, lower call volume) and fewer retries (don't amplify the load on a degraded service).

Next Steps

PreviousPerformance & TuningNextDeployment Topologies
Failure & Recovery · Chio Docs