Leader election: build a fenced single-writer

Build a small leader-elected job that writes to a shared resource, reproduce a split-brain stale write by injecting a pause longer than the lease, then add a resource-enforced fencing token and prove the same stale write is now rejected — all backed by logs.

• Stand up a real lock/lease service — etcd (lease + keep-alive), ZooKeeper (ephemeral sequential znode), or Redis Redlock — and run at least two worker instances that compete to become the single leader for one job key.
• Implement the leader path: acquire leadership with a short lease (e.g. 5s), renew it with keep-alive, and on acquisition write a record to a shared resource (a file, an object-store key, or a row) that you can inspect for corruption.
• Add a fault-injection hook that pauses the current leader's process longer than the lease TTL (a sleep that holds the in-flight write, or SIGSTOP/SIGCONT) to simulate a GC pause or paused VM.
• Reproduce split-brain WITHOUT fencing: trigger the pause on leader A, let the coordinator expire its lease and elect leader B, let B write, then let A wake and complete its write. Capture the log showing both writes landing and the resulting corruption or out-of-order state.
• Add a monotonic fencing token: have the lock service return a strictly increasing token on each grant, stamp it on every write, and make the RESOURCE persist the highest token seen and reject any write with a lower token.
• Re-run the identical pause attack with fencing on: show leader A's stale write rejected at the resource because B already advanced the highest token, while the system stays available.
• Measure failover: record the time from leader A's pause start to leader B accepting its first write, and explain how the lease TTL trades failover speed against false-positive evictions.

• A before/after log pair: the unfenced run shows two writers and a corrupted or stale final state; the fenced run shows leader A's stale write rejected with its lower token while leader B's write stands.
• The fencing check lives at the resource (highest-token-wins), not only in the lock service — demonstrated by showing that a write bypassing the lock service but carrying a stale token is still rejected.
• A measured failover number (pause-start to new-leader-first-write) plus one sentence on why shortening the lease TTL speeds failover but increases false evictions of healthy-but-slow leaders.
• A short write-up stating which two clocks the lease spans, why a self-check or keep-alive callback could not have prevented the stale write, and why the resource-side token check could.