<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Erislandys Igarza</title>
    <description>The latest articles on DEV Community by Erislandys Igarza (@erislandys).</description>
    <link>https://dev.to/erislandys</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4018869%2Fd2fb7d8c-0629-4aea-9965-1e989c341be4.png</url>
      <title>DEV Community: Erislandys Igarza</title>
      <link>https://dev.to/erislandys</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/erislandys"/>
    <language>en</language>
    <item>
      <title>The budget that actually blocks: the concurrency bug an AI agent's spend guardrail can't afford</title>
      <dc:creator>Erislandys Igarza</dc:creator>
      <pubDate>Tue, 07 Jul 2026 15:21:19 +0000</pubDate>
      <link>https://dev.to/erislandys/the-budget-that-actually-blocks-the-concurrency-bug-an-ai-agents-spend-guardrail-cant-afford-29gj</link>
      <guid>https://dev.to/erislandys/the-budget-that-actually-blocks-the-concurrency-bug-an-ai-agents-spend-guardrail-cant-afford-29gj</guid>
      <description>&lt;p&gt;An AI agent with a wallet is a loop that spends money. Give it a budget — "$50/day, max&lt;br&gt;
$5 per call" — and you'd think the hard part is done. It isn't. The hard part is making the&lt;br&gt;
budget &lt;em&gt;hold&lt;/em&gt; when the agent fires ten calls at once. That's where most spend guardrails&lt;br&gt;
quietly fail, and the failure is the worst kind: it looks like it's working.&lt;/p&gt;

&lt;p&gt;This is the story of the bug that shaped Bridle, an open-source spend guardrail for agentic&lt;br&gt;
payments — and why we now don't trust a single line of money code that hasn't been run&lt;br&gt;
against a real database under concurrency.&lt;/p&gt;
&lt;h2&gt;
  
  
  The setup: a budget that "works"
&lt;/h2&gt;

&lt;p&gt;The naive design is obvious and wrong. You keep a ledger of what an agent has spent in a&lt;br&gt;
rolling window. Before a payment, you check: &lt;em&gt;does &lt;code&gt;spent + amount&lt;/code&gt; exceed the limit?&lt;/em&gt; If&lt;br&gt;
not, you insert the reservation and let the payment through.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;check&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;   &lt;span class="k"&gt;SELECT&lt;/span&gt; &lt;span class="k"&gt;sum&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;amount&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;FROM&lt;/span&gt; &lt;span class="n"&gt;ledger&lt;/span&gt; &lt;span class="k"&gt;WHERE&lt;/span&gt; &lt;span class="n"&gt;agent&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt; &lt;span class="k"&gt;AND&lt;/span&gt; &lt;span class="n"&gt;window_active&lt;/span&gt;
&lt;span class="n"&gt;decide&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;  &lt;span class="n"&gt;if&lt;/span&gt; &lt;span class="k"&gt;sum&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="n"&gt;amount&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="k"&gt;limit&lt;/span&gt;  &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt;  &lt;span class="k"&gt;INSERT&lt;/span&gt; &lt;span class="n"&gt;reservation&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="n"&gt;ALLOW&lt;/span&gt;
                                   &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt;  &lt;span class="n"&gt;DENY&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Write a unit test with a mocked store. Agent has spent $45 of $50, tries to spend $10 → deny.&lt;br&gt;
Tries $4 → allow. Green. Ship it.&lt;/p&gt;

&lt;p&gt;Now the agent — because it's an agent, not a human clicking one button — fires &lt;strong&gt;twenty&lt;br&gt;
concurrent requests&lt;/strong&gt; for $4 each. Every one of them runs the &lt;code&gt;SELECT&lt;/code&gt;. Every one of them&lt;br&gt;
reads &lt;code&gt;spent = $45&lt;/code&gt;. Every one of them computes &lt;code&gt;$45 + $4 = $49 &amp;lt;= $50&lt;/code&gt; and says &lt;strong&gt;ALLOW&lt;/strong&gt;.&lt;br&gt;
Twenty payments go out. The agent just spent $80 against a $50 limit, and your guardrail&lt;br&gt;
reported success twenty times.&lt;/p&gt;

&lt;p&gt;The unit tests are still green. They will &lt;em&gt;always&lt;/em&gt; be green, because a mock has no notion of&lt;br&gt;
two things happening at once.&lt;/p&gt;
&lt;h2&gt;
  
  
  The two traps
&lt;/h2&gt;

&lt;p&gt;The first instinct is "just add a lock." &lt;code&gt;SELECT ... FOR UPDATE&lt;/code&gt;. But there are two traps&lt;br&gt;
waiting, and we hit both.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Trap 1: you can't &lt;code&gt;FOR UPDATE&lt;/code&gt; an aggregate.&lt;/strong&gt; &lt;code&gt;SELECT sum(amount) ... FOR UPDATE&lt;/code&gt; is not&lt;br&gt;
valid — Postgres rejects locking with aggregate functions. So people lock the &lt;em&gt;rows&lt;/em&gt; they're&lt;br&gt;
summing. Which leads straight to:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Trap 2: locking rows doesn't protect the case with no rows.&lt;/strong&gt; The dangerous scenario is a&lt;br&gt;
&lt;em&gt;new&lt;/em&gt; agent, or an agent on a default budget, with &lt;strong&gt;zero ledger rows yet&lt;/strong&gt;. There's nothing&lt;br&gt;
to lock. Twenty concurrent "first payments" all see an empty ledger, all pass, and you've&lt;br&gt;
overcommitted before the agent has any history at all. Row locks protect existing rows; they&lt;br&gt;
do nothing about the rows that are all about to be inserted simultaneously.&lt;/p&gt;

&lt;p&gt;This is the trap that's invisible in a demo (you test with an agent that already has a&lt;br&gt;
budget row) and lethal in production (every agent starts with none).&lt;/p&gt;
&lt;h2&gt;
  
  
  The fix: lock the decision, not the data
&lt;/h2&gt;

&lt;p&gt;The guarantee we actually need is: &lt;strong&gt;for a given &lt;code&gt;(agent, currency)&lt;/code&gt;, the check-and-reserve&lt;br&gt;
runs serially — even when no row exists.&lt;/strong&gt; That's not a lock on data; it's a lock on the&lt;br&gt;
&lt;em&gt;logical entity&lt;/em&gt;. Postgres has exactly the right tool:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt; &lt;span class="n"&gt;pg_advisory_xact_lock&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hashtext&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'bridle:'&lt;/span&gt; &lt;span class="o"&gt;||&lt;/span&gt; &lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;agent&lt;/span&gt; &lt;span class="o"&gt;||&lt;/span&gt; &lt;span class="s1"&gt;':'&lt;/span&gt; &lt;span class="o"&gt;||&lt;/span&gt; &lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;currency&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;
&lt;span class="c1"&gt;-- ...now do the SELECT sum, the decision, and the INSERT...&lt;/span&gt;
&lt;span class="c1"&gt;-- lock releases automatically on COMMIT / ROLLBACK&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;An advisory lock keyed on the agent serializes the critical section regardless of whether any&lt;br&gt;
row exists. Two concurrent reservations for the same agent take turns; the second one sees the&lt;br&gt;
first one's insert. The budget holds. And critically, the &lt;em&gt;same&lt;/em&gt; connection that takes the&lt;br&gt;
lock must run the queries — a lock on one connection and a &lt;code&gt;SELECT&lt;/code&gt; on another serializes&lt;br&gt;
nothing (a subtlety that bites again when you wire this into a framework's transaction).&lt;/p&gt;

&lt;p&gt;In Bridle this lives behind a single non-negotiable primitive on the storage interface:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight typescript"&gt;&lt;code&gt;&lt;span class="nf"&gt;withAgentLock&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;agentAddress&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;currency&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;fn&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt; &lt;span class="nb"&gt;Promise&lt;/span&gt;&lt;span class="o"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;T&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The core &lt;em&gt;only&lt;/em&gt; enters check-and-reserve inside &lt;code&gt;withAgentLock&lt;/code&gt;. You can't forget to hold the&lt;br&gt;
lock from a call site, because there is no other door.&lt;/p&gt;
&lt;h2&gt;
  
  
  The test that has to travel with the code
&lt;/h2&gt;

&lt;p&gt;Here's the lesson that changed how we work: &lt;strong&gt;the bug is invisible to unit tests, so the test&lt;br&gt;
that proves the fix must run against real Postgres, and it must ship with the adapter.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Bridle's concurrency test fires ≥20 concurrent reservations for one agent whose budget only&lt;br&gt;
allows a single one, against a real Postgres, and asserts &lt;strong&gt;exactly one wins&lt;/strong&gt; and the total&lt;br&gt;
reserved equals the budget — &lt;em&gt;including the no-row default case that caused the original bug&lt;/em&gt;.&lt;br&gt;
It's gated so that in CI it &lt;strong&gt;fails&lt;/strong&gt; (not skips) if there's no database: a green pipeline&lt;br&gt;
means the guarantee was actually validated, not quietly skipped.&lt;/p&gt;

&lt;p&gt;A mocked unit test that "covers" concurrency is worse than no test — it's a green light on the&lt;br&gt;
one thing you most need to be red when it's broken.&lt;/p&gt;
&lt;h2&gt;
  
  
  The sequel: when the guardrail broke itself
&lt;/h2&gt;

&lt;p&gt;There's a second story, because money code finds new ways to betray you. We added an audit&lt;br&gt;
sink — a hook that records every allow/deny decision for the compliance trail. Best-effort,&lt;br&gt;
fire-and-forget. Except the emit happened &lt;em&gt;inside&lt;/em&gt; the locked transaction, right before the&lt;br&gt;
reservation insert, and it wasn't wrapped in a &lt;code&gt;try/catch&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;So: a perfectly valid, in-budget payment comes in. The guard decides ALLOW. It calls the audit&lt;br&gt;
sink. The host's sink throws (a transient logging error, say). The exception escapes the&lt;br&gt;
transaction, Postgres rolls back — and a payment that was &lt;strong&gt;inside budget gets rejected&lt;/strong&gt;. The&lt;br&gt;
observability hook, the thing that was supposed to just &lt;em&gt;watch&lt;/em&gt;, had become able to kill a&lt;br&gt;
legitimate payment.&lt;/p&gt;

&lt;p&gt;A review pass caught it because we now read money paths adversarially, asking "what breaks if&lt;br&gt;
this dependency misbehaves?" — not because a test was red. The fix is boring (isolate the sink;&lt;br&gt;
a best-effort hook can never break the flow) and it now has a test with a sink that always&lt;br&gt;
throws. But the pattern is the point: &lt;strong&gt;on a spend path, every side effect is guilty until&lt;br&gt;
proven harmless.&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  What we believe now
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Mocks lie about concurrency.&lt;/strong&gt; For money code, a test that doesn't hit real infrastructure
under real parallelism is decoration.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The guarantee travels with the implementation.&lt;/strong&gt; Bridle's storage contract ships its own
concurrency test; any new adapter has to pass it. The promise isn't in a doc, it's in CI.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Fail closed, always.&lt;/strong&gt; No policy, missing context, a misbehaving hook — the answer is deny,
never a silent allow. A guardrail that fails open is not a guardrail.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That's what Bridle is: pre-execution budget reservation with a concurrency guarantee you can&lt;br&gt;
actually verify, a declarative policy engine, and an audit trail — framework-agnostic,&lt;br&gt;
non-custodial, &lt;code&gt;x402&lt;/code&gt;-ready. It sits &lt;em&gt;above&lt;/em&gt; your wallet or rail and only does one job:&lt;br&gt;
decide, correctly, whether an agent is allowed to spend — even when twenty requests arrive at&lt;br&gt;
the same millisecond.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm &lt;span class="nb"&gt;install&lt;/span&gt; @igarzatech/bridle
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Code &amp;amp; docs: &lt;a href="https://github.com/IgarzaTech/bridle" rel="noopener noreferrer"&gt;https://github.com/IgarzaTech/bridle&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;npm (published with provenance): &lt;a href="https://www.npmjs.com/package/@igarzatech/bridle" rel="noopener noreferrer"&gt;https://www.npmjs.com/package/@igarzatech/bridle&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're building agents that spend money, I'd genuinely love to know how you're handling the&lt;br&gt;
concurrency problem — reply here or open an issue.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Bridle is Apache-2.0 and built in the open. The concurrency test, the advisory-lock adapter,&lt;br&gt;
and the audit-sink fix described above are all in the repo.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>typescript</category>
      <category>opensource</category>
      <category>postgres</category>
    </item>
  </channel>
</rss>
