Change data capture: ship CDC and survive a stalled slot

Stand up log-based CDC from a Postgres orders table to a downstream consumer that maintains a derived view, then run a stalled-slot incident drill and prove your monitoring + max_slot_wal_keep_size cap protect the primary — with evidence at every step.

• Run Postgres (wal_level=logical) and a Debezium connector (Kafka Connect, or Debezium Server) capturing a public.orders table via a pgoutput logical replication slot and a publication.
• Bootstrap with snapshot-then-stream: load the table with seed rows before the connector starts, confirm the initial snapshot reproduces them downstream, then show new live INSERT/UPDATE/DELETE events arriving within seconds of commit.
• Build an idempotent consumer that maintains a derived view (e.g. an orders_summary table or a search index). It must converge correctly when the same event is delivered twice — upsert by primary key, dedupe on LSN/position, or a naturally idempotent operation.
• Capture full DELETE before images: set REPLICA IDENTITY FULL on the table, show a delete event now carries the whole old row, and handle the tombstone so a compacted topic can drop the key.
• Wire slot-lag monitoring: query pg_replication_slots for the byte distance between confirmed_flush_lsn and pg_current_wal_lsn, and alert above a threshold well below the disk limit.
• Set max_slot_wal_keep_size to a sensible bound so Postgres will invalidate a runaway slot rather than fill the disk.
• Run the incident drill: stop the consumer (or open a long-running transaction) under write load, watch retained WAL climb and the alert fire, then confirm the cap invalidates the slot before disk-full — and document the recovery (re-snapshot).

• A before/after demo: a row inserted, updated, and deleted on the primary appears correctly in the downstream view within seconds, including the full pre-delete row.
• Replaying the same change event twice leaves the downstream view identical — proving the consumer is idempotent, not just lucky.
• A monitoring panel or log showing retained-WAL bytes climbing during the stall and the alert firing before disk pressure — measured, not assumed.
• Evidence that max_slot_wal_keep_size invalidated the stalled slot before disk-full, plus a short write-up of how you recovered (re-snapshot) and why the cap was worth the re-snapshot cost.