Sagas: build a fault-tolerant order saga

Implement an orchestrated order saga across three services (order, payment, inventory) with durable step state, real compensations, idempotent handlers, and one isolation countermeasure — then demonstrate it reaches a consistent end state under every injected failure.

• Stand up three services, each owning its own database: order (creates the order, holds saga status), payment (charges and refunds), inventory (reserves and releases stock). No shared database and no two-phase commit.
• Implement an orchestrator that drives the forward path — reserve stock (T1), charge card (T2), confirm order (T3) — and on any step failure runs the compensations in reverse: refund (C2), release stock (C1). Order the irreversible step (charge) after the reservable one.
• Persist saga progress durably (a saga-state table or a durable-execution engine). After each step transition, the orchestrator must be able to crash and resume exactly where it stopped rather than losing the in-flight workflow.
• Make every step and compensation idempotent under at-least-once delivery: derive an idempotency key from the saga + step id, and dedupe charges/refunds and reservations/releases so a redelivered message is a no-op. A double-delivered charge must move money exactly once.
• Add one isolation countermeasure for a concurrent-saga anomaly: a semantic lock (order status PENDING_PAYMENT that other sagas honour), a commutative stock update (qty -= n, never qty = x), or an optimistic version check. Document which anomaly it prevents.
• Build a fault-injection harness: force T2 to fail, force a compensation to fail and be retried, redeliver a step message twice, and kill the orchestrator process between two steps. Drive each scenario from a test or script, not by hand.
• After each injected fault, assert the end state is consistent across all three databases — no money charged without confirmed stock, no stock held for a failed order, exactly one refund per failed charge.

• A scenario table: for each injected fault (step failure, compensation retry, duplicate delivery, mid-saga crash) the recorded end state of all three services and a pass/fail on the consistency invariant.
• Logs or a trace showing a redelivered charge message is detected and skipped — the payment service records exactly one charge for the saga.
• Evidence the orchestrator resumes after a kill: the saga that crashed mid-flow either completes or fully compensates on restart, with no orphaned reservation or charge.
• A short write-up naming, for each step, its compensation and whether that compensation is a true undo or an approximation, plus the one isolation anomaly your countermeasure prevents and why.