A/B test lab
Design retries, degradation, and recovery
Build a Python support-answer service comparing retriever_v1 with a reranking retriever_v2 as an operable release, not a slide-deck example.
1Try it yourself
Playground
A/B test lab
Split traffic and measure quality — not every change needs an experiment, but behavior shifts do.
New system prompt — 50/50 traffic
Before you start
Why this matters
Before changing code, write the single production outcome this chapter must prove and the signal that would stop you. For this lab, the service boundary is ExperimentAssignment(user_id, experiment, variant, exposure_id) and Outcome(exposure_id, grounded, latency_ms, helpful). Record one request identifier you can follow from ingress through the final decision. If you cannot name the owner of the stop decision, the rollout is not yet controlled.
The source lesson says an A/B test decides which version wins; it also warns that under-powered tests lie. This chapter turns that compact lesson into implementation evidence. The running scenario is a Python support-answer service comparing retriever_v1 with a reranking retriever_v2. You will keep the same scenario across all eight chapters so setup decisions, tests, telemetry, and rollback controls accumulate into one coherent system rather than eight disconnected exercises.
2Learn the idea
Read
Classify before retrying
Map failures into invalid input, unauthorized action, transient dependency failure, permanent dependency rejection, internal defect, and ambiguous outcome. Retry only transient failures, with exponential backoff, jitter, a strict attempt cap, and an overall deadline shorter than the caller’s timeout. Invalid signatures, authorization failures, and schema errors are not retryable. An ambiguous side effect requires an idempotency lookup before another attempt.
The known hazards are sample-ratio mismatch, cross-variant contamination, novelty effects, and repeated peeking. Pick three and inject them locally. For each, record expected HTTP behavior, durable state, user-facing response, alert, and operator action. A handled failure is not merely caught; it leaves the system in a state an operator can explain and recover.
Read
Add bounded degradation
Define a degraded mode that removes risky capability while preserving honest service. Never convert unavailable evidence into a confident answer. Return a typed temporarily_unavailable, serve a known-safe control, accept to a durable inbox, or create a human handoff as appropriate. Include a retry-after hint only when the service can support it.
Use a circuit breaker around a failing dependency to prevent retry storms. The breaker should open on a rolling failure threshold, permit a small number of probes after a cool-down, and emit state transitions. Bulkhead concurrency so one slow provider cannot consume every worker. Queue consumers need maximum attempts and a dead-letter destination with a replay procedure.
Read
Practice recovery
Execute the operational rollback: set allocation to 100% control while retaining exposure and outcome records for diagnosis. Measure time from the first injected breach to restored safe behavior. Confirm new requests use the safe path, in-flight requests are drained or completed according to contract, and no durable work is lost. Preserve the failed revision’s logs, configuration, and fixtures for diagnosis.
After rollback, reconcile ambiguous records. Compare ingress IDs with completion or outcome IDs, identify duplicates and gaps, and repair using an idempotent replay command. The replay command must support dry-run, bounded batches, and an operator-supplied reason. Never repair production by manually editing rows without an audit record.
Read
Exit criteria
This chapter passes when every classified failure has a deterministic disposition, retries are bounded, degradation is truthful, and rollback is rehearsed rather than merely documented. Save timestamps and commands from the drill. If recovery requires the original author’s memory, the system is not operable.
Read
Implement the safe failure branch
Make the disposition executable. This handler converts sample_ratio_mismatch into a bounded response and never retries a policy or contract failure. The reason is safe for logs; detailed dependency text stays in a protected trace.
from dataclasses import dataclass
@dataclass(frozen=True)
class Recovery:
action: str
retryable: bool
retry_after_seconds: int | None
def recover(kind: str, attempts: int) -> Recovery:
if kind == "sample_ratio_mismatch":
return Recovery("allocation.control=100 allocation.treatment=0", False, None)
if kind == "transient_dependency" and attempts < 3:
return Recovery("retry_with_jitter", True, 2 ** attempts)
return Recovery("hold_and_escalate", False, None)
Exercise the branch against the local service and capture both the control action and request identity. The expected result proves safe behavior without erasing evidence.
$ curl -sS -H 'X-Debug-Failure: sample_ratio_mismatch' http://localhost:8000/answer
{"status":"degraded","action":"allocation.control=100 allocation.treatment=0","retryable":false}
$ curl -sS http://localhost:8000/answer
{"status":"ok","exposure_id":"fixture-001","revision":"stable"}
A generic 500 means classification is incomplete; do not add broad retries. If recovery says success but the second response still names the failed revision, routing or cache invalidation is incomplete. Preserve the identity, old configuration digest, and rollback timestamp before replaying ambiguous work.