Cache stampede: build and tame the herd

Build a cache-aside HTTP service backed by Redis and a deliberately slow origin, reproduce a cache stampede on a hot key, then layer the unit's mitigations until a TTL-boundary burst reaches the origin as a single rebuild — proving every step with before/after measurements, not estimates.

• Build a small HTTP service with a GET /item/:id endpoint that reads from Redis cache-aside; on a miss, rebuild from an origin that sleeps ~300-500 ms (simulate an expensive query). Cache with a 60 s TTL.
• Instrument the stampede fingerprint: origin (DB) query rate, cache miss rate, rebuild duration p50/p99, and request p99 latency. Four panels or the equivalent logged time series.
• Reproduce the baseline stampede: drive one hot key at several thousand RPS through the TTL boundary and capture the per-boundary origin-query spike (should be hundreds-to-thousands of concurrent rebuilds) and the p99 latency spike.
• Add in-process single-flight so concurrent misses on the same key in one process collapse to one rebuild; show the per-node origin spike drop to ~1 per node under the same load.
• Add a Redis SETNX lock (SET lock:key uuid EX N NX) with N greater than rebuild p99, an explicit Del on completion, and lock-losers that wait, re-check the cache, and return a stale fallback rather than rebuilding; show multi-instance origin queries collapse toward 1.
• Add stale-while-revalidate: serve the expired value immediately to all callers at the boundary while exactly one background refresh runs; show p99 latency at the boundary drop to near the cache-hit latency.
• Add TTL jitter (plus/minus 15-25%) across many keys and negative caching (short-TTL sentinel for non-existent IDs); show that synchronized multi-key expiry is spread out and that a flood of random non-existent IDs no longer reaches the origin.

• A before/after table per mitigation: origin queries per TTL boundary, request p99 latency, and cache miss rate — all measured under the identical load test, not estimated.
• With the full stack enabled, a TTL boundary under sustained hot-key load produces at most a single origin rebuild, and the sawtooth origin-query fingerprint is gone from the metrics.
• A demonstration that single-flight alone leaves one rebuild per instance, and only adding the cross-node lock (or SWR background refresh) collapses it to one fleet-wide — proving you understand the scope of each layer.
• A short write-up naming, for each layer, exactly which herd it bounded (per-process, per-fleet, wait-time, multi-key, negative) and why that layer was needed on top of the previous one.