Build a payment / wallet system that accepts charges, moves money across accounts, and never loses or double-applies a transaction — even when the network drops, the database fails over, or a third-party acquirer returns 503 mid-charge. The architectural pressure here isn't QPS (Stripe-scale is ~10K charges/sec sustained, well within reach of a sharded Postgres) — it's **correctness under retry**, **invariant preservation across services**, and **survivable failure modes**. Three load-bearing concepts: 1. **Idempotency** — every mutating call is keyed and replayable, with state-machine semantics so a crashed-and-retried client gets the same answer (Stripe / Brandur / Airbnb Orpheus). 2. **Double-entry, immutable journal + projected balances** — the ledger is append-only; balances are derived (Square Books, Monzo, Uber Gulfstream). 3. **Saga (not 2PC) for cross-service money movement** — durable workflow engine drives multi-step charges with explicit compensations (Uber Cadence / Temporal, Airbnb Skipper).