Ref T2787. This doesn't get all the edge cases quite correct, but is generally a safe, complete payment workflow:

• Shares the actual charging state logic.
• Makes it appropriately stateful with locking and transactions.
• Gets the main flow correct.
• Detects failure cases, just tends to blow up rather than help the user resolve them.

• Charged with WePay.
• Charged with Infinite Free Money.
• Resumed an abandoned cart.
• Hit all failure states where we just dead-end the cart. Not ideal, but (seemingly) complete/safe/correct.