Trip the Breaker

The principle

A downstream model or tool that's timing out doesn't get healthier by being called more. It gets worse, while your agents pile up holding open connections and burning their latency budget. A circuit breaker wraps the call so that once failures cross a threshold it trips, and further calls fail fast instead of hanging, which gives the dependency room to recover.

Why it happens

A failing dependency does not heal because agents keep calling it. More calls add load, tie up connections, and push the failure outward. A circuit breaker counts failures and opens after a threshold, so later calls fail fast instead of hanging. After a cooldown, a small probe checks whether the dependency has recovered. The point is not elegance; it is containment. A predictable fast failure can be handled. A thousand slow hangs become an outage. Pair the breaker with retry shedding so recovery is not drowned by traffic.

Watch for

• When a downstream model or tool slows down, your agents respond by retrying harder and connections pile up.
• A single failing dependency drags whole-run latency toward your timeout ceiling instead of failing fast.
• There is no fast-fail path: calls to a known-sick dependency hang until they time out individually.

Apply it

1. Wrap every external model and tool dependency in a breaker that opens after a failure threshold and fails fast.
2. After a cooldown, let a single probe test recovery before resuming full traffic.
3. Shed retries and traffic upstream when load exceeds capacity so retries do not amplify the cascade.

Sources and further reading

• CircuitBreaker · Martin Fowler (after Nygard, 'Release It!')
• Site Reliability Engineering, Ch. 22: Addressing Cascading Failures · Google SRE