Related decision: #76
Related work: #49
type = improvement
status = proposed
Context/problem
Transactional outbox delivery is at-least-once. A relay can deliver a message and then fail before marking it processed, so duplicate delivery is normal and must be safe.
Rondel already has partial business idempotency for invoice payment events with no matching pending movement. Stateful Accounting will need explicit idempotency so duplicate charge messages cannot debit the same nation twice.
Proposed change
Add inbox or processed-message tracking for inbound durable messages, and align Accounting charge handling with BillingId-based idempotency.
The design should cover:
- Stable inbound message IDs.
- Consumer identity, for example RondelHost and AccountingHost.
- tryStart/markProcessed semantics, including concurrent duplicate delivery.
- Atomicity between handler state changes and processed-message recording.
- Business-level idempotency for Accounting charge and void commands using BillingId where appropriate.
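The following is an added example, not code from this project: a minimal inbox plus BillingId idempotency sketch in Python on SQLite, showing tryStart/markProcessed semantics, the atomicity requirement, and the charge/void behaviour the criteria below ask for. The schema, the table and column names, the single-nation fixture, and the rule that a failed BillingId is terminal are all assumptions made for this illustration.

```python
import sqlite3

# Assumed schema for this example (not the project's own). The inbox primary key
# is what makes a repeated or concurrent duplicate fail in try_start.
SCHEMA = """
CREATE TABLE inbox (
    consumer   TEXT NOT NULL,                 -- e.g. 'RondelHost', 'AccountingHost'
    message_id TEXT NOT NULL,                 -- stable inbound message id
    status     TEXT NOT NULL CHECK (status IN ('started', 'processed')),
    PRIMARY KEY (consumer, message_id)
);
CREATE TABLE nations (nation_id TEXT PRIMARY KEY, balance INTEGER NOT NULL);
CREATE TABLE charges (
    billing_id TEXT PRIMARY KEY,              -- business-level idempotency key
    nation_id  TEXT NOT NULL,
    amount     INTEGER NOT NULL,
    status     TEXT NOT NULL CHECK (status IN ('charged', 'failed', 'voided'))
);
"""

def new_db(balance=100):
    """Fresh in-memory database with one constructed nation; transactions are manual."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO nations VALUES ('nation-a', ?)", (balance,))
    return conn

def try_start(conn, consumer, message_id):
    """Claim (consumer, message_id) inside the caller's open transaction.
    Returns False when this consumer already started or processed the message."""
    try:
        conn.execute("INSERT INTO inbox VALUES (?, ?, 'started')", (consumer, message_id))
        return True
    except sqlite3.IntegrityError:
        return False

def mark_processed(conn, consumer, message_id):
    conn.execute("UPDATE inbox SET status = 'processed' WHERE consumer = ? AND message_id = ?",
                 (consumer, message_id))

def handle_charge(conn, message_id, billing_id, nation_id, amount, crash_before_mark=False):
    """Returns 'charged', 'failed' or 'duplicate'. Inbox row, charge row and balance
    change commit together: a crash after the debit but before mark_processed rolls
    all three back, so the redelivered message starts from a clean state."""
    conn.execute("BEGIN IMMEDIATE")  # takes the write lock; concurrent duplicates serialise here
    try:
        if not try_start(conn, "AccountingHost", message_id):
            conn.execute("ROLLBACK")
            return "duplicate"
        existing = conn.execute("SELECT status FROM charges WHERE billing_id = ?",
                                (billing_id,)).fetchone()
        if existing is not None:
            # Same BillingId under a new message id: never debit twice. Under the assumed
            # rule a failed BillingId is terminal, so a retry after failure lands here too.
            mark_processed(conn, "AccountingHost", message_id)
            conn.execute("COMMIT")
            return "duplicate"
        balance = conn.execute("SELECT balance FROM nations WHERE nation_id = ?",
                               (nation_id,)).fetchone()[0]
        if balance >= amount:
            conn.execute("UPDATE nations SET balance = balance - ? WHERE nation_id = ?",
                         (amount, nation_id))
            status = "charged"
        else:
            status = "failed"
        if crash_before_mark:
            raise RuntimeError("simulated crash between debit and mark_processed")
        conn.execute("INSERT INTO charges VALUES (?, ?, ?, ?)",
                     (billing_id, nation_id, amount, status))
        mark_processed(conn, "AccountingHost", message_id)
        conn.execute("COMMIT")
        return status
    except Exception:
        conn.execute("ROLLBACK")
        raise

def handle_void(conn, message_id, billing_id):
    """Returns 'voided', 'no-op' (nothing charged to reverse) or 'duplicate'."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        if not try_start(conn, "AccountingHost", message_id):
            conn.execute("ROLLBACK")
            return "duplicate"
        row = conn.execute("SELECT nation_id, amount, status FROM charges WHERE billing_id = ?",
                           (billing_id,)).fetchone()
        result = "no-op"
        if row is not None and row[2] == "charged":
            conn.execute("UPDATE nations SET balance = balance + ? WHERE nation_id = ?",
                         (row[1], row[0]))
            conn.execute("UPDATE charges SET status = 'voided' WHERE billing_id = ?", (billing_id,))
            result = "voided"
        mark_processed(conn, "AccountingHost", message_id)
        conn.execute("COMMIT")
        return result
    except Exception:
        conn.execute("ROLLBACK")
        raise

def balance_of(conn, nation_id):
    return conn.execute("SELECT balance FROM nations WHERE nation_id = ?",
                        (nation_id,)).fetchone()[0]
```

Two points worth noting. First, the inbox row is keyed by consumer as well as message id, so RondelHost and AccountingHost can each process the same message id independently. Second, the concurrent-duplicate case relies on the database, not the application: the second delivery blocks on the write lock (or, in a row-locking database, on the unique index) until the first commits, then sees the existing inbox row and returns "duplicate". The inbox status itself is never set to 'started' in a committed row in this sketch; it exists so a design that commits the claim before running a long handler can tell an in-flight message from a finished one.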
Acceptance criteria
- Duplicate RondelInvoicePaid delivery is safe and does not emit duplicate completed-move effects.
- Duplicate RondelInvoicePaymentFailed delivery is safe and does not emit duplicate rejection effects.
- Duplicate Accounting charge delivery for the same BillingId does not debit twice.
- Duplicate Accounting void delivery is safe.
- Failed-charge retry behavior is explicitly specified: either a billing ID is terminal after failure, or retry may later succeed under clearly defined rules.
- Processed-message or business-idempotency state is saved atomically with the consumer state change it protects.
- Tests cover duplicate delivery for Rondel inbound events and Accounting charge/void commands.
Consequences
This completes the consumer side of the durable delivery strategy. Without this work, the outbox relay can improve durability but cannot make duplicate delivery safe.