Distributed capstone: design a fault-tolerant pipeline

Design and build a small but realistic order/payment pipeline spanning at least three services (Order, Payment, plus Inventory or Shipping) coordinated by a saga, and demonstrate — with injected failures — that it survives a paused stale leader, a lost response, and a retry storm without producing a double effect or a lost effect.

• Write a one-page design that names your consistency model per piece of state: which writes are linearizable (e.g. via the leader/consensus path) and which are eventually consistent (saga-coordinated), and why each choice fits its data.
• Make order state durable with quorum replication: configure N, W, R so that R + W > N (e.g. N=3, W=2, R=2), and show a write survives the loss of one replica while reads still see it.
• Run the saga orchestrator as a single elected leader (real consensus library or a simulated lease), and protect every downstream write with a monotonic fencing token that the resource validates before applying — rejecting any token lower than the highest it has seen.
• Order saga steps causally, not by wall-clock: use a logical clock (Lamport or per-saga sequence) or a bounded-uncertainty scheme so 'Payment before Shipping' is a recorded causal fact.
• Implement at least one forward step with a compensation (e.g. charge → refund, reserve stock → restock), and thread a business-derived idempotency key (refund:{order_id}) from the saga through the retry layer into the receiver, which dedups on it.
• Add retry discipline on every cross-service call: exponential backoff with jitter, a circuit breaker, and a retry budget capped at roughly 10% over normal request rate.
• Build a failure-injection harness that can (a) pause the leader past its lease while a new one is elected, (b) drop or delay a response after the effect succeeded, and (c) fire a synchronized retry storm — and run each scenario.

• Under the paused-leader scenario, the stale leader's write is rejected by the fencing check and the state the new leader advanced is intact — shown by a log of the rejected token.
• Under the lost-response scenario, the retried compensation produces exactly one effect: the receiver returns the first result on the duplicate key, proven by a single refund record despite two physical calls.
• Under the retry storm, the retry budget sheds excess retries and the downstream service recovers — shown by a load graph where retry traffic stays bounded instead of amplifying.
• A seam-signal dashboard (or logged equivalent) covering consumer lag, quorum write/read p99, leader churn, and retry-budget consumption, with a short note on which signal would have caught each injected failure first.