Fail-Open Design
The SDK never takes your app down
If anything goes wrong with the SDK or the Openfuse API, your application keeps running normally. Breakers default to closed, calls execute, and the SDK recovers silently in the background.
Behavior when the API is unreachable
| Scenario | SDK behavior |
|---|---|
| init() fails | Logs a warning, retries with exponential backoff. All SDK methods work immediately with breakers defaulting to closed. |
| API unreachable during protect() | Uses cached breaker state. If no cache exists, treats the breaker as closed and executes your function. |
| API unreachable during isOpen() / isClosed() | Returns safe defaults (false / true). Never throws. |
| API unreachable during status() | Returns null. Never throws. |
| Token refresh fails | Retries automatically. Cached state continues to be used. |
API health tracking
The SDK tracks consecutive API failures internally:
- After 3 consecutive failures, the SDK enters degraded mode for 30 seconds.
- In degraded mode, API calls are skipped. Cached state is used instead.
- When the API returns to normal, degraded mode clears automatically.
A flaky Openfuse API never translates into latency spikes for your users.
Stale-while-revalidate caching
Breaker state is cached at multiple levels:
- Bootstrap cache (30s TTL): fresh state from init().
- API fetch cache (3s TTL): state from runtime checks.
- Last-known state: in-memory fallback when both caches expire and the API is unreachable.
The SDK always returns the best available state, even if it's stale.
Init never throws
```js
const openfuse = new OpenfuseCloud({
  system: 'payments',
  clientId: 'YOUR_CLIENT_ID',
  clientSecret: 'YOUR_CLIENT_SECRET',
})
openfuse.init() // Never throws, even with invalid credentials
```

If credentials are wrong, the SDK logs an error and stops retrying. Your application starts normally and protect() calls execute your functions as if no breaker existed.
State check budget
State checks (isOpen, isClosed, status) have a 500ms budget. If the API doesn't respond in time, the SDK returns the safe default and lets the fetch continue in the background to update the cache.
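The health tracking, last-known fallback and 500ms budget described above can be combined as in the following sketch, which is an added example and not the Openfuse SDK's own code. The class name `FailOpenBreakerCache`, the `fetchState` callback and the `'open'` / `'closed'` strings are hypothetical, and probing the API again once the 30-second window ends is an assumption about how degraded mode clears.

```javascript
// Hypothetical sketch of fail-open state checks; not the Openfuse SDK's code.
// Defaults are the figures the page states: 3 failures, 30 s degraded, 500 ms budget.
class FailOpenBreakerCache {
  constructor(fetchState, { budgetMs = 500, maxFailures = 3, degradedMs = 30000, now = Date.now } = {}) {
    Object.assign(this, { fetchState, budgetMs, maxFailures, degradedMs, now });
    this.lastKnown = null;   // last state the API reported: 'open' | 'closed'
    this.failures = 0;       // consecutive API failures
    this.degradedUntil = 0;  // timestamp until which API calls are skipped
  }

  // Best available answer: last-known state, else the safe default (closed).
  fallback() {
    return this.lastKnown === 'open';
  }

  // Fetch that never rejects; it records API health and refreshes the cache.
  refresh() {
    return Promise.resolve()
      .then(() => this.fetchState())
      .then((state) => {
        this.lastKnown = state;
        this.failures = 0;
        return state === 'open';
      })
      .catch(() => {
        if (++this.failures >= this.maxFailures) {
          this.degradedUntil = this.now() + this.degradedMs;
          this.failures = 0;
        }
        return this.fallback();
      });
  }

  // Never throws. Resolves within budgetMs; a slow fetch keeps running in the
  // background and updates lastKnown when it eventually settles.
  async isOpen() {
    if (this.now() < this.degradedUntil) return this.fallback(); // degraded: skip the API
    let timer;
    const budget = new Promise((resolve) => {
      timer = setTimeout(() => resolve(this.fallback()), this.budgetMs);
    });
    try {
      return await Promise.race([this.refresh(), budget]);
    } finally {
      clearTimeout(timer);
    }
  }
}
```

Every failure path here resolves to "closed", so a breaker built this way behaves as an availability control. Anything that must stay blocked while the API is unreachable needs its own enforcement in the application.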
Zero dependencies, no hidden surprises
The SDK has zero runtime dependencies. It's built entirely on native Node.js APIs for HTTP, crypto, and timers. No third-party code runs in your process, no transitive dependency trees to audit, and no supply chain risk beyond the SDK itself.