Circuit breakers: contain a cascading failure

Build a service that calls three downstreams from a shared worker pool, drive it into a cascading failure by slowing the least-critical one, then add a timeout, circuit breaker, bulkhead, and fallback until that slow dependency can no longer starve the critical routes — proving each step with measurements, not assertions.

• Build a small HTTP service (Go, JVM, or Node) with three downstream calls — e.g. payments (critical), search (important), recommendations (non-critical) — all served from one shared worker/connection pool. Add a fake recommendations dependency whose latency you can inject (a configurable sleep).
• Wire observability before you break anything: per-route p99 latency and error rate, worker-pool / in-flight-call saturation, and the breaker's state and trip count. Four panels or the equivalent structured logs.
• Reproduce the cascade: inject 5 s latency into recommendations under sustained load and capture the baseline — show that payments and search p99 and error rate degrade even though only recommendations is sick, because the shared pool is starved.
• Add a per-call timeout (≤ the dependency's normal p99 plus headroom) so a hang becomes a countable failure, and show the timeout alone bounds each call but does not yet stop the starvation.
• Add a circuit breaker on the recommendations call: configure failure-rate threshold, a sliding window, a minimum-volume floor, and a cooldown that tracks the dependency's recovery time. Demonstrate the closed-to-open-to-half-open-to-closed cycle in the logs as you inject and then remove the fault.
• Add a bulkhead so recommendations cannot consume more than its share of the pool (thread-pool or semaphore isolation — justify the choice for a network call). Show that with the slow dependency injected, payments and search now keep their threads and stay healthy.
• Add a fallback for recommendations (drop the carousel / serve a static default) so an open breaker returns a degraded-but-correct response instead of an error, and confirm the page still renders with payments and search intact.
• Re-run the identical load test with all four defences on and record after numbers next to before; payments and search p99 and error rate should be essentially unchanged while recommendations is sick.

• A before/after table: per-route p99 latency and error rate, plus pool saturation, measured under the same injected-fault load — not estimated.
• Logs or a state trace showing the breaker moving closed to open on the injected fault, waiting the cooldown, probing in half-open with a limited number of trial calls, and returning to closed once the fault is removed.
• With all defences on, the critical routes (payments, search) stay within SLO while recommendations is slowed for the entire test — the cascade is contained to the one compartment.
• A one-paragraph write-up naming which defence stopped which failure: timeout converts the hang to a countable failure, breaker fast-fails it, bulkhead isolates the budget, fallback decides what to return.