Startup probe. Call store.probe() (or probeIdempotencyStore(store))
before serving traffic to catch a bad REDIS_URL or unreachable
instance at boot rather than on the first mutating request. Wire it via:
Client error handling. node-redis emits errors on the client itself
for transient connection drops. Without a listener, Node's
EventEmitter default-throws and crashes the process. Add one in your
bootstrap:
Redis memory policy — set this on the deployment. A buyer with a
valid principal can mint unbounded distinct idempotency_key values
and hit any mutating tool; each write adds a key to Redis with the
configured ttlSeconds (default 24h). A sufficient rate can pressure
Redis memory before TTLs evict naturally. Configure your Redis with:
maxmemory-policy volatile-lru (recommended) — evicts only
TTL'd keys, containing blast radius to AdCP's keyspace if the
instance is shared with other apps. All keys this backend writes
carry TTL, so this is safe.
maxmemory-policy allkeys-lru — only on a Redis db dedicated
to AdCP. Will evict your other keys if shared.
maxmemory-policy noeviction (Redis default) — fail-closed:
the backend's writes will start erroring once memory fills, and
mutating requests will fail. Operationally noisy but never serves
stale data; choose this only if you'd rather page than evict.
Pair with alerting on a per-principal VALIDATION_ERROR rate — a
drifted handler hit by a retrying buyer writes 10s-TTL entries on
every fresh key, amplifying the rate of cache fill. Steady-state
VALIDATION_ERROR should be zero.
Create a Redis-backed idempotency cache.
Startup probe. Call
store.probe()(orprobeIdempotencyStore(store)) before serving traffic to catch a badREDIS_URLor unreachable instance at boot rather than on the first mutating request. Wire it via:Client error handling. node-redis emits errors on the client itself for transient connection drops. Without a listener, Node's
EventEmitterdefault-throws and crashes the process. Add one in your bootstrap:Redis memory policy — set this on the deployment. A buyer with a valid principal can mint unbounded distinct
idempotency_keyvalues and hit any mutating tool; each write adds a key to Redis with the configuredttlSeconds(default 24h). A sufficient rate can pressure Redis memory before TTLs evict naturally. Configure your Redis with:maxmemory-policy volatile-lru(recommended) — evicts only TTL'd keys, containing blast radius to AdCP's keyspace if the instance is shared with other apps. All keys this backend writes carry TTL, so this is safe.maxmemory-policy allkeys-lru— only on a Redis db dedicated to AdCP. Will evict your other keys if shared.maxmemory-policy noeviction(Redis default) — fail-closed: the backend's writes will start erroring once memory fills, and mutating requests will fail. Operationally noisy but never serves stale data; choose this only if you'd rather page than evict.Pair with alerting on a per-principal
VALIDATION_ERRORrate — a drifted handler hit by a retrying buyer writes 10s-TTL entries on every fresh key, amplifying the rate of cache fill. Steady-stateVALIDATION_ERRORshould be zero.