fix(sap-demo): partial-failure tolerance in Customer360 aggregator + clearer 502 semantics

The /api/v1/customers/{id}/360 aggregator fans out 3 parallel SAP OData
calls + 2 Postgres SELECTs + 1 audit INSERT. Under Keploy record, SAP
round-trips through the eBPF MITM pick up ~2× latency, and the existing
timeouts were tight enough that a single slow-but-successful GET could
push the optional fan-outs past the aggregate deadline (or trip the
resilience4j circuit) and degrade the whole view to an empty 200 — or
worse, surface a CallNotPermittedException as a 503 from an optional
branch.

Changes:
  * safely() now also catches CallNotPermittedException explicitly and
    falls back to Throwable-less Exception, so nothing thrown from an
    optional fan-out can 502/503 the parent request.
  * Raise read-timeout 30s → 45s, connect-timeout 10s → 15s, and
    aggregate-timeout 25s → 50s. All are env-overridable via
    SAP_{CONNECT,READ}_TIMEOUT_SECONDS and
    CUSTOMER360_AGGREGATE_TIMEOUT_SECONDS so real BTP tenants with tight
    SLAs can dial them back.
  * safely() log now includes the upstream HTTP status on SapApiException
    so operators can see at a glance whether a fan-out was a transport
    error or an upstream 5xx.

Reproduction:
  1. keploy record -c "java -jar target/customer360.jar"
  2. curl localhost:8080/api/v1/customers/11/360
     — intermittent 502 when the roles or addresses call trips slow-call
     circuit breaker, even though partner is healthy.

Root cause:
  aggregate-timeout (25s) < read-timeout (30s) × potential retries (3)
  for the optional calls; CallNotPermittedException escapes safely()
  via the default Exception-handler path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: slayerjain

sap-demo-java/src/main/java/com/tricentisdemo/sap/customer360/service/Customer360AggregatorService.java

@@ -9,6 +9,7 @@
 import com.tricentisdemo.sap.customer360.sap.CorrelationIdInterceptor;
 import com.tricentisdemo.sap.customer360.sap.SapApiException;
 import com.tricentisdemo.sap.customer360.sap.SapBusinessPartnerClient;
+import io.github.resilience4j.circuitbreaker.CallNotPermittedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.MDC;
@@ -180,11 +181,23 @@ private static <T> List<T> safely(String what, java.util.function.Supplier<List<
         try {
             return supplier.get();
         } catch (SapApiException sap) {
-            log.warn("{} failed (SAP): {}", what, sap.getMessage());
+            log.warn("{} failed (SAP {}): {}", what, sap.getUpstreamStatus().value(), sap.getMessage());
+            return List.of();
+        } catch (CallNotPermittedException circuit) {
+            // Circuit breaker open — degrade the optional view rather than
+            // propagating a 503 out of the aggregator. The partner call
+            // (mandatory) has its own circuit and is handled upstream.
+            log.warn("{} skipped: circuit breaker open ({})", what, circuit.getMessage());
             return List.of();
         } catch (RuntimeException e) {
             log.warn("{} failed ({}): {}", what, e.getClass().getSimpleName(), e.getMessage());
             return List.of();
+        } catch (Exception e) {
+            // Defensive: any checked exception that slipped through a
+            // supplier lambda (e.g. via sneaky-throws) should still degrade
+            // the optional fan-out, never 500 the parent request.
+            log.warn("{} failed ({}): {}", what, e.getClass().getSimpleName(), e.getMessage());
+            return List.of();
         }
     }
 }

sap-demo-java/src/main/resources/application.yml

@@ -83,12 +83,21 @@ sap:
     base-url: ${SAP_API_BASE_URL:https://sandbox.api.sap.com/s4hanacloud}
     key: ${SAP_API_KEY:}
     bearer-token: ${SAP_BEARER_TOKEN:}
-    connect-timeout-seconds: 10
-    read-timeout-seconds: 30
+    # Timeouts are sized for the SAP Business Accelerator Hub sandbox when
+    # routed through Keploy's eBPF proxy; first-hit latency on cold cache
+    # + TLS MITM occasionally reaches ~20s for a single OData GET, so we
+    # allow generous budgets rather than 502 a demo for a transient stall.
+    connect-timeout-seconds: ${SAP_CONNECT_TIMEOUT_SECONDS:15}
+    read-timeout-seconds: ${SAP_READ_TIMEOUT_SECONDS:45}
     default-top: 10
 
 customer360:
-  aggregate-timeout-seconds: 25
+  # Upper bound for the parallel fan-out (addresses/roles/tags/notes). The
+  # mandatory partner call runs before this and is bounded separately by
+  # sap.api.read-timeout-seconds × retry attempts. Kept larger than
+  # read-timeout so a single slow-but-eventually-successful SAP response
+  # still lands inside the captured window rather than degrading the view.
+  aggregate-timeout-seconds: ${CUSTOMER360_AGGREGATE_TIMEOUT_SECONDS:50}
 
 # ----------------------------------------------------------------------------
 # Resilience4j: retry + circuit breaker for SAP upstream calls