Queues capstone: build an order-processing pipeline

Design and build an end-to-end order-processing pipeline that places an order, fans it out to payment / inventory / notification consumers, survives a crash at every hop without double-charging or losing a write, quarantines poison messages, and shows the customer an honest pending-then-confirmed UI — proving each guarantee with a deliberate failure drill, not just a happy-path demo.

• Order service with a transactional outbox: in one local DB transaction, INSERT the order row AND an outbox row describing order.placed. Show that the event exists if and only if the order does.
• A relay that ships outbox rows to Kafka at-least-once — start with a polling publisher (SELECT ... FOR UPDATE SKIP LOCKED so replicas don't double-publish), then swap in CDC (Debezium tailing the WAL, or the outbox event router). Document why CDC is the upgrade and what it costs operationally.
• Topics keyed by order_id so each order's events keep per-order ordering on one partition; over-provision the partition count and write down why you would migrate to a new topic rather than resize in place.
• At least two consumer groups (payment, inventory) that commit offsets only AFTER the handler succeeds, and are idempotent: a dedup key (event id) under a unique constraint inside the side-effect transaction, plus an Idempotency-Key propagated to a simulated payment gateway.
• A retry-with-backoff budget for transient failures and a dead-letter queue for poison messages on exhaustion; show that a malformed event lands in the DLQ instead of blocking the partition, and that the DLQ is drainable.
• An eventually-consistent UI: the checkout returns 202, the UI echoes the order as pending, and reconciles to confirmed or failed from a real event — never a fake success toast, with a timeout path for a never-arriving confirmation.
• Observability at the seams: a correlation id stamped at the order write and carried through every async hop, plus gauges for consumer lag, DLQ depth, end-to-end latency, and CDC replication-slot lag — with an alarm on each.
• A failure drill: kill the payment consumer after the side effect but before the offset commit and show no double charge; stall the CDC consumer and show slot-lag alerting fires before disk pressure; feed a poison message and show it reaches the DLQ; replay from the DLQ and show idempotency makes it safe.

• A diagram of the six hops (write, publish, route, process, quarantine, display) labelling the guarantee and the defence at each, matching what your code actually does.
• A crash-before-commit drill on the payment consumer produces exactly one charge for one order — demonstrated with the gateway's request log, not asserted.
• A poison message exhausts its retry budget and appears in the DLQ while the rest of the partition keeps flowing; the live consumer lag does not grow unbounded.
• Stalling the CDC consumer triggers the slot-lag alarm before the primary's disk is endangered, and max_slot_wal_keep_size is set so a runaway slot is invalidated rather than fatal.
• The UI shows an order as pending immediately, never a premature success, and reconciles to the real state; a refetch during the consistency window does not erase the user's own order.
• A one-page write-up: where each delivery guarantee lives, why idempotency is the load-bearing invariant, and which failures your observability would catch in production.