SLO and error budgets: instrument a journey end to end

Instrument a small multi-service user journey (your own, or a 3-4 service starter such as gateway, order, payment, db) with a journey-level SLO, MWMBR burn-rate alerts generated by a platform, and a signed error budget policy — then prove the alerts fire fast and reset within 5 minutes with a deliberate fire drill.

• Pick one user journey and define its SLI from bad user outcomes, not HTTP status alone: an availability SLI (successful journeys / attempts at the gateway), a latency SLI with a histogram bucket boundary exactly at the SLO threshold (e.g. le=0.2 for a 200ms target), and at least one correctness or uniqueness SLI if the journey has side effects (e.g. distinct charge IDs / charges attempted). Join them worst-of.
• Set a conservative initial SLO target (start at 99% or 99.5%, not 99.9%) over a 28-day rolling window, and compute the error budget in concrete numbers for your traffic volume: budget = (1 − SLO) × total_events.
• Compute the composite ceiling for the journey: multiply the per-service SLOs (0.999^N for N services at 99.9%) and document why the journey-level SLI, not the per-service dashboards, is the authoritative measurement.
• Generate the alerting stack with Sloth or Pyrra from a single SLI declaration: the six ratio_rate recording rules plus the three MWMBR alerts (14.4x page on 1h AND 5m, 6x page on 6h AND 30m, 1x ticket on 3d AND 6h) — and verify the generated PromQL rebases the budget rate to your target (e.g. 0.005 for a 99.5% SLO).
• Run a fire drill: break the journey for ~5 minutes under load, confirm the 14.4x page fires within a few minutes, and confirm it clears within ~5 minutes of the fix because the 5m short window drops below threshold.
• Add a no-traffic / NaN guard: alert separately when the SLI denominator hits zero (sum(rate(... total ...)) == 0), and if the journey is low-traffic, add synthetic probes or a longer evaluation window so a single failure does not dominate.
• Write and (notionally) sign an error budget policy: freeze trigger at zero budget, postmortem trigger at a single incident burning ≥20%, freeze-exit above ~50% remaining, escalation path, and explicit out-of-scope exclusions (load tests, bots, maintenance, rate-limited edge requests).

• A documented SLI spec showing each indicator, its query, the bucket boundary at the latency threshold, and the worst-of join — with a one-line bad-user-outcome each indicator catches.
• The generated recording rules and MWMBR alerts checked into the repo, with the budget rate visibly rebased to the chosen SLO target (not a hard-coded 0.001).
• A fire-drill timeline (timestamps) proving the page fired within minutes and cleared within ~5 minutes of fix — measured from Prometheus/Alertmanager, not estimated.
• The composite-ceiling calculation for the journey and a one-paragraph argument for which layer is the authoritative SLO.
• The signed error budget policy document with all five mandatory sections and the exclusion list.