Sharding: provoke and tame a hot shard

Stand up a multi-worker Citus cluster with a co-located tenant_id-sharded schema, deliberately create a hot shard with a power-law tenant load, then detect and isolate the outlier tenant online — proving the skew and latency improvement with measurements, not estimates.

• Run a Citus cluster (Docker Compose: one coordinator + at least 3 workers) with a tenant-scoped schema — e.g. tenants, orders, order_items — distributed by tenant_id and co-located via create_distributed_table(..., colocate_with => 'orders'). Add at least one reference table (plans or countries).
• Verify the co-location contract: run a per-tenant join (orders JOIN order_items WHERE tenant_id = X) and confirm via EXPLAIN it executes on a single worker; then deliberately add one table distributed by a non-tenant key and show the same-shape join fans out to all workers.
• Seed a power-law tenant distribution: a few hundred small tenants plus one or two whale tenants holding 50–60% of all rows and driving most of the query load, so one shard becomes hot.
• Wire shard-skew and per-tenant observability: shard size skew from citus_shards (max/median ratio), per-worker CPU, and per-tenant query share from pg_stat_statements aggregated by tenant_id — capture the baseline showing one shard near saturation while others idle.
• Drive load (pgbench or a custom loop) weighted toward the whale tenants until one worker sustains >70% CPU; capture the baseline max/median skew ratio, the hot worker's CPU, and P99 latency for both whale and small-tenant requests.
• Isolate the whale online with SELECT isolate_tenant_to_new_shard('orders', <tenant_id>, 'CASCADE'); record the per-shard write-pause duration and confirm it is sub-second, and that the rest of the cluster keeps serving during the move.
• Re-run the identical load and record after numbers next to before: the hot worker's CPU should drop toward cluster median, max/median skew should shrink, and small-tenant P99 should recover.

• A before/after table: max/median shard-size skew ratio, hot-worker CPU %, whale P99, and small-tenant P99 — all measured under the same load, not estimated.
• EXPLAIN output (or query plans) proving the co-located join is single-worker and the non-co-located join fans out to all workers.
• Evidence the isolation was online: the measured write-pause is sub-second and the cluster served traffic throughout (no maintenance window).
• A one-paragraph write-up naming why isolate_tenant_to_new_shard fixed the skew where citus_rebalance_start() would not have, and the leading indicators (skew ratio, per-tenant share) you would alert on to pre-empt the next incident.