Idempotency and retries: build an effectively-once payment path

Build a POST /charge service plus a downstream inventory/ledger consumer that together deliver effectively-once behaviour, then prove — under injected duplicate requests, concurrency, a lost response, and a relay crash — that the money-moving side effect fires exactly once per logical operation.

• Implement an Idempotency-Key state machine in Postgres: an idempotency_keys table with a body fingerprint (SHA-256), and atomic key creation via INSERT ... ON CONFLICT (key) DO NOTHING RETURNING. Resolve every request to one of four outcomes: new (process + store), in-flight (409), replay (return cached response), mismatch (422 when the fingerprint differs).
• Write a client that retries failed POSTs with full jitter — random(0, min(cap, base × 2^attempt)) — reusing the SAME key per logical operation, honouring Retry-After on 429/503, retrying only 5xx/timeouts (never 4xx), and capped at a small attempt count.
• Close the dual-write: in the same transaction as the charge, INSERT an outbox row. A separate relay polls (or tails the WAL) and publishes unpublished rows at-least-once to a broker (Kafka/Redis Streams/SQS or an in-process queue), marking them on ACK.
• Implement the consumer with the inbox pattern: INSERT the event_id into processed_events ON CONFLICT DO NOTHING inside the same transaction as its business write, and gate the business write on the insert actually happening so a duplicate delivery is a no-op.
• Instrument the core metrics: idempotency_key_total sliced by outcome (new/replay/409/422), retry_attempt_total by attempt number, outbox_lag, and a count of the actual side effects applied — enough to prove the side-effect count equals the logical-operation count.
• Build a chaos harness that injects four failures: duplicate concurrent requests with the same key, a dropped response (client must retry), a relay crash after publish but before marking the row, and a key reused with a changed body. Capture what the system does in each case.

• Under 1000 logical charge operations with duplicates and concurrency injected, the applied-side-effect count equals exactly 1000 — no double charge, no lost charge — shown from the metrics, not asserted.
• A concurrency test fires two simultaneous requests with the same key and shows exactly one processes (200) and the other gets 409 or a replay, never two charges.
• A relay-crash test (kill after publish, before marking published) shows the event re-published on restart and the consumer's inbox dedup keeping the business effect at one application.
• A key-reuse-with-changed-body test returns 422, and a transcript shows the retrying client honoured Retry-After and used full jitter (delays are spread, not synchronised).