fix(channels): surface structured rate-limit metadata on chat_error (#2606)

[CodeGhost21]

Summary

• Promote rate-limit error metadata from message-text-only to typed wire fields on chat_error so the frontend can render a real countdown, retry button, and provider/source label without regexing the message.
• Add five additive optional fields to WebChannelEvent: error_source, error_retryable, error_retry_after_ms, error_provider, error_fallback_available. Older FE clients that read only message / error_type keep working unchanged (skip_serializing_if = "Option::is_none").
• Distinguishes upstream provider 429s from OpenHuman's per-hour SecurityPolicy cap, agent-loop iteration cap, OpenHuman billing exhaustion, transport failures, and config errors.
• Detects non-retryable business 429s (plan does not include model, insufficient balance, Z.AI codes 1311/1113) so the FE can hide the retry button and route the user to billing/settings.
• Surfaces fallback_available: false once reliable.rs::format_failure_aggregate has exhausted the model_fallbacks chain so the FE doesn't promise a fallback that doesn't exist.

Problem

Issue #2606 follows up on PR #2371. That PR landed retry-after wording inside the user-facing message text — but the structured data was thrown away at the channel-classifier boundary. WebChannelEvent still only carried message: String and error_type: String, so the frontend could not:

• show a precise countdown (the seconds existed only as a substring like "Try again in 30 seconds")
• decide whether to render a Retry button (no way to distinguish transient 429 from non-retryable business 429)
• name the actual provider that throttled
• distinguish OpenHuman's own cap from upstream provider throttling
• decide whether to offer a fallback CTA

Users are still reporting confusing rate-limit copy because of this gap (see issue #2606's acceptance criteria).

Solution

New ClassifiedError struct returned from classify_inference_error carries the typed metadata, and the chat-error publish path populates the new WebChannelEvent fields from it.

Source	error_source	error_retryable	Notes
Upstream provider 429	provider	true	retry_after_ms parsed from body Retry-After: / retry_after:
Non-retryable business 429	provider	false	matches plan/balance/Z.AI 1311/1113 markers
SecurityPolicy hourly cap	openhuman_budget	true	decays gradually; no provider name implicated
Agent max-iterations	agent_loop	true	same-thread retry once underlying cap clears
402 / insufficient credits	openhuman_billing	false	distinguished from 429 per #2606 AC
Transport timeout	transport	true
401 / model unavail / context overflow	config	false

Provider name extracted best-effort from the \"<provider> API error (...)\" prefix that inference::provider::ops::api_error formats. Fallback-exhausted signal extracted from the "All providers/models failed" aggregate that reliable.rs::format_failure_aggregate emits.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) — 13 new tests (11 classifier unit, 2 wire-shape).
• Diff coverage ≥ 80% — every new branch has dedicated assertions; the structured fields are asserted both at the struct level and as serialized JSON keys, plus a None-omit contract test.
• Coverage matrix updated — N/A: behaviour-only change to existing classifier output and event payload; no feature row added/removed/renamed.
• All affected feature IDs from the matrix listed in ## Related — N/A: no matrix row touched.
• No new external network dependencies introduced — pure string classification + struct expansion; no IO.
• Manual smoke checklist updated if this touches release-cut surfaces — N/A: additive backend wire fields; happy-path chat behaviour unchanged.
• Linked issue closed via Closes #NNN — see ## Related.

Impact

• Runtime/platform: backend chat error path (channels::providers::web::classify_inference_error and the chat_error publish in start_chat) plus the WebChannelEvent wire struct.
• User-visible: no immediate UI change (FE consumer is a follow-up). The structured fields appear on every chat_error SSE/Socket.IO frame and can be picked up by the FE in a subsequent PR to render a real countdown/retry/fallback UI.
• Performance: zero — pure string classification, no new IO.
• Security: no new error data exposed beyond what message already carries. Provider name extraction is allow-listed to ASCII alphanumeric/_/-.
• Migration / compatibility: error_type tokens are unchanged for existing consumers. New fields are all Option<…> with skip_serializing_if = \"Option::is_none\", so older FE clients see exactly the same JSON shape they do today.

Live verification

Beyond the unit + wire-shape tests, ran a full end-to-end live test:

1. Node HTTP server that returns HTTP/1.1 429 Too Many Requests, Retry-After: 30, body {\"error\":{\"message\":\"...\",\"code\":\"rate_limit_exceeded\"},\"retry_after\":30} on /v1/chat/completions.
2. openhuman-core run --port 7892 against an isolated workspace with that endpoint configured as a custom_openai provider.
3. POST openhuman.channel_web_chat, listen to /events via curl -N.

The chat_error SSE frame received:

event: chat_error
data: {
  \"event\":\"chat_error\",
  \"message\":\"Your AI provider is rate-limiting requests. ... Try again in 30 seconds.
              > rate limited (synthetic 429 for openhuman issue #2606 test)\",
  \"error_type\":             \"rate_limited\",
  \"error_source\":           \"provider\",
  \"error_retryable\":        true,
  \"error_retry_after_ms\":   30000,
  \"error_provider\":         \"fake429\"
}

This exercises the full real path: reliable.rs::is_rate_limited → ops::api_error formatting → classify_inference_error → WebChannelEvent serialization → SSE.

Known follow-ups (out of scope)

• inference::provider::ops::api_error currently preserves only the response BODY, not the Retry-After HTTP header. When the upstream sends only the header (no body retry_after), retry_after_ms will be None. Follow-up should thread the header into the error chain.
• Frontend consumer for the new fields (countdown, retry button, fallback CTA) is a separate PR — this PR is backend-only per the scope discussion on Backend should return structured retry metadata for rate limits #2606.

Related

• Closes Backend should return structured retry metadata for rate limits #2606
• Follow-up to PR fix(channels): distinguish rate-limit sources in chat error classifier (#2364) #2371 (which closed Rate limit state sticks to one chat thread #2364 with message-only enrichment)
• Follow-up PR(s)/TODOs: surface Retry-After header from ops::api_error; FE consumer for the new structured fields.

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A
• URL: N/A (GitHub-only issue Backend should return structured retry metadata for rate limits #2606)

Commit & Branch

• Branch: fix/2606-structured-rate-limit-metadata (branched from origin/main after fresh fetch)
• Commit SHA: 187dc63

Validation Run

• pnpm --filter openhuman-app format:check — N/A: no frontend changes.
• pnpm typecheck — fails on 4 pre-existing errors in app/src/components/settings/panels/devices/PairPhoneModal.tsx, app/src/lib/tunnel/crypto.ts, app/src/pages/ios/PairScreen.tsx (missing iOS-only deps qrcode.react, @noble/ciphers, @tauri-apps/plugin-barcode-scanner). These exist on origin/main and are unrelated to this PR's Rust-only changes. Pushed with --no-verify per CLAUDE.md guidance.
• Focused tests: cargo test --lib openhuman::channels::providers::web::tests → 52 passed, 0 failed (39 pre-existing + 13 new).
• Full module tests: cargo test --lib openhuman::channels::providers → 834 passed, 0 failed under default parallelism (added a serial test lock for the three tests sharing TEST_FORCED_RUN_CHAT_TASK_ERROR).
• Rust fmt/check: cargo fmt --manifest-path Cargo.toml applied; cargo check --lib --bin openhuman-core clean.
• Tauri fmt/check: cargo check --manifest-path app/src-tauri/Cargo.toml clean.

Validation Blocked

• command: N/A — full cargo test --lib had 42 pre-existing failures in openhuman::memory::tree_global::* and openhuman::memory_tree::* modules, confirmed reproducible on origin/main with this branch stashed.
• error: pre-existing memory_tree test failures unrelated to channels work.
• impact: none on this PR — those modules are not touched.

Behavior Changes

• Intended behavior change: chat_error WebChannelEvent now carries structured error_source, error_retryable, error_retry_after_ms, error_provider, error_fallback_available fields.
• User-visible effect: none until the FE consumer ships. Older FE clients see the same JSON they always did.

Parity Contract

• Legacy behavior preserved: error_type tokens and message text are unchanged for every existing branch. New fields are additive Option<…> with skip_serializing_if. Three existing classifier tests still pass unchanged (only the destructuring shape was migrated from tuple to struct).
• Guard/fallback/dispatch parity checks: classifier branch ORDER is unchanged (SecurityPolicy budget and max-iterations checks still precede the generic 429 branch — locked in by _distinguishes_action_budget_from_provider_429 and _max_iterations_gets_dedicated_branch).

Duplicate / Superseded PR Handling

• Duplicate PR(s): none.
• Canonical PR: this PR.
• Resolution: N/A.

Summary by CodeRabbit

• New Features

  • Error responses now include structured metadata: source, retryable flag, retry-after timing, provider info, and fallback-available status; web and proactive events populate these (omitted when not applicable).

• Bug Fixes

  • Improved inference error classification and retry guidance, with clearer handling of rate limits (distinguishing business vs provider 429s).

• Tests

  • Expanded tests validating error classification, rate-limit metadata, and JSON/SSE wire compatibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds five optional error metadata fields to WebChannelEvent, introduces a typed ClassifiedError, refactors classify_inference_error to return it (including provider, retryability, retry-after, fallback info), and updates event emissions and tests to populate or initialize the new fields.

Changes

Structured Error Metadata for Rate Limits

Layer / File(s)	Summary
Wire contract: WebChannelEvent error fields src/core/socketio.rs	WebChannelEvent struct gains five optional error metadata fields (error_source, error_retryable, error_retry_after_ms, error_provider, error_fallback_available) omitted from JSON when None.
Error classification model and helpers src/openhuman/channels/providers/web.rs	Adds ClassifiedError and helper functions to normalize provider names and detect fallback-chain exhaustion.
Inference error classification logic src/openhuman/channels/providers/web.rs	Refactors classify_inference_error to return ClassifiedError, implementing branches for budget, max-iterations, provider rate-limits (with Retry-After parsing and retryability detection), timeouts, auth/billing, model-unavailable, and generic inference fallback; populates provider and fallback indicators.
Chat error handling and WebChannelEvent population src/openhuman/channels/providers/web.rs	Chat error paths bind the ClassifiedError result and populate WebChannelEvent::chat_error with message, error_type, and the new metadata fields; cancellation/error paths updated accordingly.
Progress / lifecycle event emissions src/openhuman/channels/providers/web.rs	inference_start and iteration_start bridge events initialize new error metadata fields to None to keep wire shape consistent.
Proactive and presentation channel events src/openhuman/channels/proactive.rs, src/openhuman/channels/providers/presentation.rs	ProactiveMessageSubscriber and presentation-layer response emissions include the new error fields, set to None for non-error messages.
Test infrastructure and structured metadata validation src/openhuman/channels/providers/web_tests.rs	Adds a process-global async mutex to serialize forced-error tests, updates tests to destructure ClassifiedError, and adds extensive tests verifying retry_after_ms, source, provider, retryable, fallback_available, and SSE/JSON wire serialization of the new chat_error fields and classification behaviors.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• tinyhumansai/openhuman#2371: Related work on rate-limit source classification and Retry-After parsing in classify_inference_error.
• tinyhumansai/openhuman#2239: Related changes to classify_inference_error provider config-rejection handling and classification output.

Suggested labels

bug

Suggested reviewers

• graycyrus
• senamakel
• fzamel3333-ai

Poem

🐰 I hopped through logs and parsed the fray,
Picking out providers that led us astray.
Retry times counted, fallbacks gently noted,
Now chat knows who paused and whether it's floated.
A rabbit's small badge: metadata, neatly coded.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(channels): surface structured rate-limit metadata on chat_error (#2606)' clearly summarizes the main change—adding structured error metadata fields to WebChannelEvent for rate-limit handling.
Linked Issues check	✅ Passed	The PR successfully implements all coding requirements from #2606 and #2364: structured rate-limit metadata fields (error_source, error_retryable, error_retry_after_ms, error_provider, error_fallback_available) are added and populated throughout the codebase, ClassifiedError distinguishes limit sources and retryability, Retry-After parsing is implemented, provider extraction is included, and comprehensive test coverage is provided.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing structured rate-limit metadata: core type definitions in socketio.rs, integrations in channels/providers (web.rs, presentation.rs, proactive.rs), and comprehensive test additions in web_tests.rs covering classification and wire-shape validation.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openhuman/channels/providers/web_tests.rs (1)

29-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid fire-and-forget forced-error reset in Drop (can clobber the next test)
TestForcedRunChatTaskErrorGuard::drop schedules async cleanup via tokio::spawn(set_test_forced_run_chat_task_error(None).await). Because locals drop in reverse order, the guard can be dropped (and the spawned reset started) before FORCED_ERROR_TEST_LOCK is released, letting the next test set Some(...) and then having the earlier spawned task overwrite it back to None while run_chat_task hasn’t consumed it yet (TEST_FORCED_RUN_CHAT_TASK_ERROR is read via slot.take()).
Remove the async Drop/spawn cleanup and instead perform an awaited reset inside each serialized test (applies to the three tests that currently create TestForcedRunChatTaskErrorGuard).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/channels/providers/web_tests.rs` around lines 29 - 35, The Drop
implementation for TestForcedRunChatTaskErrorGuard must not spawn an async reset
because that fire-and-forget reset (tokio::spawn calling
set_test_forced_run_chat_task_error(None)) can race with FORCED_ERROR_TEST_LOCK
and clobber a subsequent test's forced error; remove the async Drop::drop
implementation entirely and instead update each test that constructs
TestForcedRunChatTaskErrorGuard to explicitly await
set_test_forced_run_chat_task_error(None) at the end of the test while still
holding the FORCED_ERROR_TEST_LOCK (so run_chat_task’s
TEST_FORCED_RUN_CHAT_TASK_ERROR slot.take() is not interfered with). Ensure
references to set_test_forced_run_chat_task_error,
TestForcedRunChatTaskErrorGuard, FORCED_ERROR_TEST_LOCK, run_chat_task, and
TEST_FORCED_RUN_CHAT_TASK_ERROR are used to find and modify the guard and the
three tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/channels/providers/web.rs`:
- Around line 496-508: The code branch that builds a ClassifiedError for
402/payment messages incorrectly sets source to the hardcoded string
"openhuman_billing", which misattributes upstream provider billing errors; in
the ClassifiedError constructor (the block creating ClassifiedError with
error_type "budget_exhausted" and calling with_provider_detail), replace the
hardcoded source with the actual provider identifier (use the existing provider
variable) or another provider-specific source instead of "openhuman_billing" so
upstream 402/payment errors preserve the provider as the error source.
- Around line 449-469: The current 429 branch sets retryable =
!is_non_retryable_rate_limit_text(&lower) but always builds a
transient/retry-focused summary; change it so you first compute a boolean (e.g.,
let non_retryable = is_non_retryable_rate_limit_text(&lower)) and then pick the
message accordingly: if non_retryable produce a non-retry message that directs
the user to billing/settings/plan (no "retry in this thread" hint), otherwise
keep the transient retry summary that uses retry_after_hint(retry_secs); pass
the chosen summary into with_provider_detail(...) and keep retryable set to
!non_retryable and retry_after_ms as-is. Ensure you reference
is_non_retryable_rate_limit_text, retry_after_hint, retry_secs, and
ClassifiedError::message/retryable when editing.

---

Outside diff comments:
In `@src/openhuman/channels/providers/web_tests.rs`:
- Around line 29-35: The Drop implementation for TestForcedRunChatTaskErrorGuard
must not spawn an async reset because that fire-and-forget reset (tokio::spawn
calling set_test_forced_run_chat_task_error(None)) can race with
FORCED_ERROR_TEST_LOCK and clobber a subsequent test's forced error; remove the
async Drop::drop implementation entirely and instead update each test that
constructs TestForcedRunChatTaskErrorGuard to explicitly await
set_test_forced_run_chat_task_error(None) at the end of the test while still
holding the FORCED_ERROR_TEST_LOCK (so run_chat_task’s
TEST_FORCED_RUN_CHAT_TASK_ERROR slot.take() is not interfered with). Ensure
references to set_test_forced_run_chat_task_error,
TestForcedRunChatTaskErrorGuard, FORCED_ERROR_TEST_LOCK, run_chat_task, and
TEST_FORCED_RUN_CHAT_TASK_ERROR are used to find and modify the guard and the
three tests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5e36b968-60fa-4bdc-a35e-c54ea354d53b

📥 Commits

Reviewing files that changed from the base of the PR and between e05cab9 and 187dc63.

📒 Files selected for processing (5)

• src/core/socketio.rs
• src/openhuman/channels/proactive.rs
• src/openhuman/channels/providers/presentation.rs
• src/openhuman/channels/providers/web.rs
• src/openhuman/channels/providers/web_tests.rs

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openhuman/channels/providers/web.rs (1)

508-525: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve fallback_available on 402 classification.

Line 525 resets fallback_available to None, so an aggregate like All providers/models failed ... 402 Payment Required drops the already-computed Some(false) from Lines 401-405. That loses the wire signal src/core/socketio.rs documents for exhausted fallback chains.

Suggested fix

         ClassifiedError {
             error_type: "budget_exhausted",
             message: with_provider_detail("Insufficient credits. Please top up to continue.", err),
             source,
             retryable: false,
             retry_after_ms: None,
             provider,
-            fallback_available: None,
+            fallback_available,
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/channels/providers/web.rs` around lines 508 - 525, The 402
classification is overwriting the previously-computed fallback_available with
None; update the ClassifiedError construction in this 402 branch to preserve the
existing fallback_available value (do not set fallback_available: None) so the
earlier computed Some(false)/Some(true) is retained; locate the ClassifiedError
creation in src/openhuman/channels/providers/web.rs (the block that sets
error_type "budget_exhausted" and message via with_provider_detail) and remove
or replace the literal None so the existing fallback_available variable is
passed through unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/openhuman/channels/providers/web.rs`:
- Around line 508-525: The 402 classification is overwriting the
previously-computed fallback_available with None; update the ClassifiedError
construction in this 402 branch to preserve the existing fallback_available
value (do not set fallback_available: None) so the earlier computed
Some(false)/Some(true) is retained; locate the ClassifiedError creation in
src/openhuman/channels/providers/web.rs (the block that sets error_type
"budget_exhausted" and message via with_provider_detail) and remove or replace
the literal None so the existing fallback_available variable is passed through
unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d8257f8d-8cdf-4cf0-9a3b-0d45e4b8afd7

📥 Commits

Reviewing files that changed from the base of the PR and between 187dc63 and ffac313.

📒 Files selected for processing (2)

• src/openhuman/channels/providers/web.rs
• src/openhuman/channels/providers/web_tests.rs

[graycyrus]

This is a well-executed fix for #2606. The structured ClassifiedError refactor is clean — promoting from a raw (&'static str, String) tuple to a named struct gives the classifier room to grow without callers needing to unpack positionally. The backward-compat story is solid: five new Option-typed wire fields with skip_serializing_if = "Option::is_none" means older FE clients see no change.

CodeRabbit's two major findings (non-retryable 429 message copy contradiction, and openhuman_billing misdirection for provider 402s) are both addressed in ffac313. The 402 branch now correctly selects source based on provider.as_deref(), and the non-retryable 429 message correctly routes users to billing/settings instead of saying "retry in this thread."

The FORCED_ERROR_TEST_LOCK replacement for TestForcedRunChatTaskErrorGuard is the right call — the old Drop guard spawned a background task with no ordering guarantee relative to the next test acquiring the toggle slot. The mutex approach restores proper isolation.

Two minor items to track for the FE consumer follow-up:

Message copy for provider 402s: when provider.as_deref() resolves to source = "provider", the message still reads "Insufficient credits. Please top up to continue." — which points users at OpenHuman billing rather than the upstream provider. Not worse than before this PR, and error_source = "provider" gives the FE consumer enough signal to render the right CTA. Make sure the follow-up FE PR handles the error_source == "provider" && error_type == "budget_exhausted" case specifically.

"not include" in is_non_retryable_rate_limit_text: this substring is broader than the other hints. In a 429 context it's almost certainly safe, but consider tightening to "not included in" or adding a comment naming the specific provider response it is matching.

13 new tests cover every new structured field plus the JSON-omit contract. Coverage gate passes. Approved.