Delivery guarantees: build a crash-proof payment consumer

Build a payment-processing consumer on an at-least-once queue (SQS, RabbitMQ, or Kafka) that achieves effectively-once: zero double-charges and zero lost events under injected consumer crashes, visibility-timeout expiry, and producer-side failures — proven with measured duplicate and loss counts, not assertions.

• Stand up an at-least-once queue (SQS standard, RabbitMQ with ack, or Kafka with defaults) plus a Postgres DB. Implement a consumer that processes a 'charge order' message: it must call a mock or sandbox payment API (a local stub that counts charges per order is enough) and update an orders row.
• First, reproduce the bug: implement the naive SELECT-then-act dedup, then drive two concurrent consumers (or kill-and-redeliver) and capture a non-zero double-charge count. This is your baseline.
• Fix Leg 3 with an INSERT-first transactional dedup: one DB transaction that INSERTs a UNIQUE msg_id row, performs the side effect, and COMMITs; on UNIQUE violation, roll back and ack. Confirm the side effect runs at most once.
• Make the external payment call safe with an Idempotency-Key derived from the stable message ID, so a crash between the API call and the local commit does not double-charge on redelivery.
• Tune the timeout leg: set the queue visibility timeout (or Kafka max.poll.interval) to ~6x average processing time, OR implement a heartbeat that extends visibility every timeout/3; show that a slow consumer no longer triggers concurrent redelivery.
• Close the producer-side dual-write with the outbox pattern: the upstream service INSERTs the event into an outbox table in the SAME transaction as the business write, and a separate sender publishes pending rows. Show that a publish failure does not lose the event.
• Add a DLQ (or equivalent) with maxReceiveCount 5-10 and a poison-pill message; show it lands in the DLQ rather than blocking the queue, and write a rate-limited (1-10 msg/s) redrive step.
• Wire observability: a dedup_check_hit_rate metric, a charges-per-order counter, consumer lag, and DLQ depth. These are how you will read the chaos run.

• A before/after table: double-charge count and lost-event count, measured under an identical chaos run (kill consumer mid-processing, expire the timeout, drop a publish) — naive version vs hardened version. Hardened must show zero of both.
• A demonstration that killing the consumer AFTER the DB commit but BEFORE the ack causes a redelivery that is silently deduplicated (UNIQUE violation -> rollback -> ack), with the dedup_hit_rate metric registering the catch.
• A demonstration that a dropped/failed publish on the producer side does NOT lose the event, because the outbox row stays pending and the sender republishes it.
• A short write-up mapping each fix to the failure leg it closes (Leg 1 / Leg 3 / dual-write / timeout) and naming why consumer idempotency — not a broker setting — is the load-bearing guarantee.