PK
Back to archive

Agentic Systems

Deadlines Beat Timeouts

Timeouts protect individual calls; deadlines protect the whole promise the system made.

Deadlines Beat Timeouts

Timeouts are local. Deadlines are contractual. That difference matters when a request crosses several services, queues, workers, tools, and retries before anyone can answer the user.

A timeout says, "I am not waiting longer than this." A deadline says, "This work is no longer valuable after this point unless we change the contract." Distributed systems need the second idea more often than they admit.

The thesis

Deadlines beat timeouts because they preserve the user's remaining budget across the whole path.

Local timeouts can protect each component while the overall request keeps wasting time. A service waits, retries, calls another service, waits again, and enqueues a job after the user has already left. Each piece obeyed its own timeout. The system still violated the product promise.

A deadline travels with the work. It lets every component ask whether starting, continuing, retrying, or committing still makes sense.

The production pattern

A request arrives with an interactive expectation. It needs data from a few services and one external dependency. Each service has a default timeout. When the dependency slows down, the first service spends its full timeout, retries, then calls another service that spends its full timeout. A background fallback starts after the user response is already impossible.

The same shape appears in job systems. A queued job starts with no memory of when the user requested it. It runs hours later, sends a notification that is no longer useful, or overwrites a newer result. The job succeeded according to its local code. It failed the real contract.

Agent systems add another version. A planner calls tools until some local stop condition fires. Without a deadline, the agent can spend the user's budget on low-value exploration and reach the risky write path too late.

The model

I treat a deadline as part of the work context:

  • Created at admission, based on the product promise.
  • Propagated across service calls, messages, and tool invocations.
  • Checked before expensive work, retries, and side effects.
  • Recorded with the operation so delayed workers know the original contract.
  • Converted into a new state when the system cannot finish in time.

The last point is important. A missed deadline is not always a failure. It may become an accepted asynchronous operation, a cancelled request, a partial answer, or a product-visible delay. What matters is that the system changes the contract explicitly instead of pretending it is still inside the old one.

Deadlines also force prioritization. Work with little remaining time may be skipped, narrowed, or answered from a cheaper source. Work with a longer product promise may move to a background path. The deadline makes that decision visible.

Where this goes wrong

The first mistake is setting independent timeouts everywhere and calling that resilience. Independent timeouts can stack into a user-visible delay no one intended.

The second mistake is retrying without budget accounting. A retry that starts after most of the deadline is gone may have little chance of helping and a high chance of adding load.

The third mistake is allowing background work to escape the deadline accidentally. If a request creates a job, that job should know whether it inherited the original deadline or accepted a new asynchronous contract.

The fourth mistake is checking deadlines only before reads. Writes are where late work can cause the most damage. Before sending a message, changing access, publishing a result, or invoking a tool with side effects, the system should know whether that action is still wanted.

There is a counterpoint. Some workflows are intentionally long-running: imports, migrations, approvals, investigations, and large report generation. Those still need deadlines, but the deadlines describe stages and commitments rather than a single interactive response. "We will accept this and finish later" is a different contract from "wait here."

What I do now

I ask what promise starts the deadline. Is this an interactive request, a background job, a user-visible import, a compliance-sensitive action, or a maintenance task? The answer should shape the budget and the fallback behavior.

I prefer absolute deadlines over passing remaining timeout values. An absolute timestamp is easier to compare, record, and propagate through queues. A worker that starts late can immediately see whether it is still inside the contract.

I make retry policies budget-aware. The question is not only whether an error is retryable. It is whether a retry has enough remaining budget to be useful and whether it risks duplicating an uncertain side effect.

I record deadline outcomes. Timed out locally, expired before start, cancelled after deadline, completed after accepted delay, and skipped as stale are different facts. They deserve different metrics and different product states.

For agents, I put deadlines outside the model. The model can reason about urgency, but it should not own the budget. The runtime should decide whether another read, another tool call, or a write action is still allowed.

Closing takeaway

Timeouts protect components from waiting forever. Deadlines protect the system from doing work after the promise has expired.