Add CircuitBreaker + AsyncTimeout (0.10.0)

[lesnik512]

Summary

Completes the Polly-shape resilience suite by adding the two missing strategies, both pure-stdlib and additive (no new optional extra):

• CircuitBreaker / AsyncCircuitBreaker — classic consecutive-failure circuit breaker (Polly pre-v8 default). Opens after failure_threshold consecutive counted failures, probes after reset_timeout, closes after success_threshold consecutive half-open successes. A counted failure = NetworkError, httpware TimeoutError, or a StatusError whose status is in failure_status_codes (default: all 5xx). 4xx including 429 count as successes (429 = healthy-but-throttling). The transition logic lives once in a lock-free _CircuitBreakerState; the async wrapper relies on asyncio atomicity + a single-event-loop guard (carried from AsyncBulkhead), the sync wrapper serializes with a threading.Lock.
• AsyncTimeout — async-only overall wall-clock deadline across the whole inner pipeline (most importantly across an AsyncRetry loop, which httpx2 can't bound). Uses asyncio.timeout(...).expired() to re-wrap only its own deadline as httpware.TimeoutError, leaving inner timeouts untouched. No sync Timeout (sync Python can't cancel a blocking call mid-flight; httpx2 covers sync per-call timeouts).
• CircuitOpenError — ClientError subclass with retry_after: float | None, raised when the breaker refuses a request.

New observability events (stable surface): circuit.opened, circuit.rejected, circuit.half_open, circuit.closed (logger httpware.circuit_breaker), timeout.exceeded (logger httpware.timeout).

Docs (resilience.md, errors.md, README) document the recommended (not enforced) chain order: AsyncTimeout → AsyncCircuitBreaker → AsyncBulkhead → AsyncRetry → terminal — AsyncBulkhead stays outside AsyncRetry (one slot per logical call), consistent with the existing tested guidance.

Spec: planning/specs/2026-06-13-circuit-breaker-and-timeout-design.md · Plan: planning/plans/2026-06-13-circuit-breaker-and-timeout.md · Release notes: planning/releases/0.10.0.md.

Test Plan

• just lint-ci clean (ruff format/check, ty)
• just test — 555 passed, 100% coverage (verified stable across 10 runs; property-test coverage made deterministic)
• Full state machine covered (CLOSED→OPEN→HALF_OPEN→CLOSED, probe re-open, concurrent-probe rejection) in both sync and async
• Hypothesis property test: while OPEN and pre-reset_timeout, next is never forwarded
• CircuitOpenError pickle round-trip; cross-event-loop guard; 429/4xx-as-success; custom failure_status_codes
• No production code paths exercise networking beyond httpx2.MockTransport

🤖 Generated with Claude Code

[lesnik512]

Addressed in c52d343.

1. failure_status_codes ergonomics — fixed. Relaxed the param from frozenset[int] to Collection[int] on both wrappers and _CircuitBreakerState, freezing internally (frozenset(failure_status_codes)). Confirmed the prior friction was real: AsyncCircuitBreaker(failure_status_codes={500, 503}) (a plain set literal) was a ty diagnostic before and type-checks clean now. Membership semantics unchanged. The custom-status tests now pass a plain set (async/sync trips_on_member) and a list (excludes_other_5xx) to lock in the generality.

2. _now test seam docstring — leaving as-is. The existing precedent is AsyncRetry._sleep: a leading-underscore seam with no docstring mention (the underscore is the signal). AsyncCircuitBreaker/CircuitBreaker already match that. Adding a note here would diverge from the convention you asked me to mirror, so I'd rather keep it consistent across the resilience modules.

3. Logging under the lock (sync) — leaving as-is, per your note. It matches the Bulkhead approach, and moving the _emit calls outside the critical section would risk reordering events relative to the state transition they describe. Not worth the trade for a handler-latency edge case.

Re-verified: just lint-ci clean, full suite 555 passed at 100% coverage.