Retry amplification: break a metastable storm

Build a 3-to-4-layer service chain that collapses into a metastable retry storm under a brief dependency outage, then add jitter, a retry budget, and a circuit breaker so the same outage stays a blip — proving each step with measurements, not assertions.

• Build a service chain at least 3 layers deep (e.g. gateway, service, data layer) calling a stub dependency you can fail on demand. Each layer starts with naive retries: 3 attempts, fixed interval, retrying every error.
• Wire observability: requests/s reaching the deepest dependency, retry-to-original ratio, timeout rate, and p99 latency — four panels, or the equivalent logged with timestamps.
• Reproduce the storm: inject an 8-second total outage of the stub dependency under steady load, then clear it. Show the dependency call rate spikes to roughly retries^depth (e.g. 3³ = 27x or 3⁴ = 81x) and, critically, that the system stays down after the 8 seconds end — the metastable signature.
• Add exponential backoff with full jitter at the retrying layer and show the synchronized retry spikes flatten into a spread distribution; record total calls and time-to-recovery before and after.
• Add a retry budget that caps retries at ~10% of request volume (token bucket: +0.1 per request, -1 per retry) and show the dependency call rate during a full outage now stays within ~10% above baseline instead of 27x-81x.
• Add a circuit breaker that opens on the failure threshold, fails fast while open, and admits a single half-open probe; show the breaker opens during the outage and the backend gets a window of zero retry traffic.
• Enforce the two rules: retry only retryable errors (stop retrying an injected 400) and propagate a deadline so no layer retries a request whose caller already timed out. Show wasted (already-dead) retries drop to zero.
• Re-run the identical 8-second outage with all defenses on and show the system recovers on its own within seconds of the trigger clearing — no manual load-shed or restart needed.

• A before/after table: peak dependency call rate (as a multiple of baseline), retry-to-original ratio, time-to-recovery after the trigger clears, and p99 latency — all measured under the identical injected outage, not estimated.
• The baseline run demonstrably shows metastability: the dependency call rate stays elevated and requests keep failing after the 8-second outage ends, until you force load down.
• With all defenses on, peak dependency load during a full outage stays within ~10% above baseline (the retry budget holds), and the breaker is observed opening and then half-open-probing back to closed.
• A one-paragraph write-up explaining which defense bounded which property (jitter -> timing, budget -> volume, breaker -> recovery window, idempotency/deadline -> wasted work) and why backoff alone was not enough.