Question
Design the charge-then-fulfill flow for a digital-goods store where, on a single purchase, you must (1) charge the customer via an external PSP, (2) grant the entitlement in your own DB, and (3) emit a 'purchase.completed' event consumed by downstream services. The PSP call can succeed while your process crashes before granting the entitlement, so the customer is charged but gets nothing. ~6,000 purchases/sec. No two-phase commit is available across the PSP boundary. How do you guarantee the customer is never charged without getting the goods, and never gets the goods without being charged?
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
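One reference shape for such a flow, as an added illustration rather than part of the original question or any specific answer: record the purchase intent durably before touching the PSP, reuse the purchase id as the PSP idempotency key, commit the entitlement grant and the outbound event in one local transaction (transactional outbox), and run a reconciler that resolves PENDING purchases by asking the PSP whether a charge exists. The PSP, the sqlite schema, `Store`, `FakePSP` and all identifiers below are assumptions for the example; no real PSP API is modelled.

```python
"""Charge-then-fulfill: idempotent PSP call + local state machine + outbox + reconciler.
Added example; FakePSP, Store and the schema are assumptions, not a real API.
Uses in-memory sqlite3 so it runs offline."""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE purchase(id TEXT PRIMARY KEY, customer TEXT, sku TEXT, cents INT,
                      state TEXT);            -- PENDING | FULFILLED | FAILED
CREATE TABLE entitlement(purchase_id TEXT PRIMARY KEY, customer TEXT, sku TEXT);
CREATE TABLE outbox(event_id TEXT PRIMARY KEY, purchase_id TEXT, kind TEXT,
                    published INT DEFAULT 0);
"""

class FakePSP:
    """Constructed stand-in for the payment provider: charges are keyed on a
    caller-supplied idempotency key, so a retry with the same key returns the
    original charge instead of charging twice."""
    def __init__(self):
        self.charges = {}                       # idempotency_key -> charge
    def charge(self, key, cents):
        if key not in self.charges:
            self.charges[key] = {"id": "ch_" + uuid.uuid4().hex[:8], "cents": cents}
        return self.charges[key]
    def lookup(self, key):
        return self.charges.get(key)

class Store:
    def __init__(self, psp):
        self.db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
        self.db.executescript(SCHEMA)
        self.psp = psp

    def _fulfil(self, pid):
        """State change, entitlement and outbox row commit atomically: downstream
        either sees the event and the grant or neither. Idempotent on retry."""
        self.db.execute("BEGIN IMMEDIATE")
        row = self.db.execute("SELECT customer, sku FROM purchase WHERE id=? AND state='PENDING'",
                              (pid,)).fetchone()
        if row is None:                          # already fulfilled or failed: no-op
            self.db.execute("ROLLBACK")
            return False
        self.db.execute("UPDATE purchase SET state='FULFILLED' WHERE id=?", (pid,))
        self.db.execute("INSERT INTO entitlement VALUES(?,?,?)", (pid, row[0], row[1]))
        self.db.execute("INSERT INTO outbox(event_id, purchase_id, kind) VALUES(?,?,?)",
                        (pid, pid, "purchase.completed"))
        self.db.execute("COMMIT")
        return True

    def purchase(self, pid, customer, sku, cents, crash_at=None):
        """crash_at in {None, 'before_charge', 'after_charge'} injects a process crash."""
        # 1. Durable intent BEFORE the PSP call; pid doubles as the PSP idempotency key.
        self.db.execute("INSERT OR IGNORE INTO purchase VALUES(?,?,?,?,'PENDING')",
                        (pid, customer, sku, cents))
        (state,) = self.db.execute("SELECT state FROM purchase WHERE id=?", (pid,)).fetchone()
        if state != "PENDING":
            return state                         # client retry after completion/cancel
        if crash_at == "before_charge":
            raise RuntimeError("simulated crash before PSP charge")
        self.psp.charge(pid, cents)              # 2. safe to repeat: same key, same charge
        if crash_at == "after_charge":
            raise RuntimeError("simulated crash after charge, before grant")
        self._fulfil(pid)                        # 3. grant + event, one transaction
        return "FULFILLED"

    def reconcile(self):
        """Recovers PENDING purchases: charged at the PSP -> finish fulfilment;
        no charge -> FAILED, so it can never be fulfilled unpaid. In production
        only rows older than the PSP's worst-case latency are eligible, or the
        reconciler races an in-flight charge (a late charge then needs a refund)."""
        fixed = {"fulfilled": 0, "failed": 0}
        for (pid,) in self.db.execute("SELECT id FROM purchase WHERE state='PENDING'").fetchall():
            if self.psp.lookup(pid):
                fixed["fulfilled"] += int(self._fulfil(pid))
            else:
                self.db.execute("UPDATE purchase SET state='FAILED' WHERE id=? AND state='PENDING'", (pid,))
                fixed["failed"] += 1
        return fixed

    def relay_outbox(self, publish):
        """At-least-once: publish, then mark. A crash in between republishes,
        so consumers must dedupe on event_id."""
        rows = self.db.execute("SELECT event_id, purchase_id, kind FROM outbox WHERE published=0").fetchall()
        for eid, pid, kind in rows:
            publish({"event_id": eid, "purchase_id": pid, "kind": kind})
            self.db.execute("UPDATE outbox SET published=1 WHERE event_id=?", (eid,))
        return len(rows)

    def entitled(self, customer, sku):
        return self.db.execute("SELECT 1 FROM entitlement WHERE customer=? AND sku=?",
                               (customer, sku)).fetchone() is not None

def demo():
    """Constructed scenario: one clean purchase, two crashes, one client retry."""
    psp, events = FakePSP(), []
    store = Store(psp)
    store.purchase("p1", "alice", "ebook-42", 999)
    for pid, who, crash in (("p2", "bob", "after_charge"), ("p3", "carol", "before_charge")):
        try:
            store.purchase(pid, who, "ebook-42", 999, crash_at=crash)
        except RuntimeError:
            pass
    p1_retry = store.purchase("p1", "alice", "ebook-42", 999)   # must not re-charge
    fixed = store.reconcile()
    store.relay_outbox(events.append)
    return {"psp_charges": len(psp.charges), "p1_retry": p1_retry, "reconciled": fixed,
            "entitled": {w: store.entitled(w, "ebook-42") for w in ("alice", "bob", "carol")},
            "event_ids": sorted(e["event_id"] for e in events)}

if __name__ == "__main__":
    print(demo())
```

The invariant the example enforces is that money and goods are only ever reconciled through one durable key: the purchase row exists before any charge, the PSP is never called for a row that has left PENDING, and the reconciler is the single path that turns "charged, not granted" into "granted" or "never charged" into FAILED. At 6,000/sec the write path is one insert, one PSP call and one short local transaction; the reconciler and outbox relay run off the hot path and scale by partitioning on purchase id.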