General LedgerAmazon Aurora DSQL

One budget your
agents can't break.

Stub is the general ledger for agent spend. Set one company-wide budget across your whole fleet, and a spend that would breach it fails the database transaction before any money moves.

Open the live dashboardView the source
$0
overspend window
2
AWS regions, one budget
40001
the error that blocks overspend
Ledgercommitted
Budget debit
research-agent
−$0.04
Vendor credit
Data API (x402)
+$0.04
intent "fetch market data", hash 9f2a…c41b chained to 6b18…ee03
coding-agent → LLM tokens
cap exceeded, serialization failure
40001 rejected
The problem

Agents can spend now. Nothing governs the whole fleet.

~$72,000billed overnight when a $7 budget cap turned out to be an alert, not an enforced limit.
A runaway job recursed across hundreds of parallel workers before anyone woke up. Source: The Register ↗

Per-session limits, no fleet budget

Agent wallets cap each session. Across a fleet, no single budget holds: every session stays in bounds while the total quietly runs over.

Retries can double-pay

A failed transaction that retries can re-send an already-irreversible payment. The ledger shows one charge; the vendor was paid twice.

No system of record

When finance asks how much agents spent, and on what, application logs aren't an answer. There's nothing to reconcile or audit against.

How the budget holds

The database is the guardrail, not application locking.

  1. 01

    Every spend is checked in one transaction

    Policies, the budget hierarchy (org → team → agent), and velocity limits are evaluated inside a single ACID transaction, before any money moves.

  2. 02

    A breach loses its commit

    Under concurrent cross-region writes, Aurora DSQL's optimistic concurrency control returns a serialization failure: SQLSTATE 40001. The overspend never commits.

  3. 03

    The denial is recorded, the balance holds

    Stub retries against the fresh balance or records a denial. The balance never goes negative. Every line is immutable and hash-chained for audit.

Why Amazon Aurora DSQL

Swap the database and the guarantee breaks.

Correctness here isthe database's consistency model. The load-bearing property is active-active, multi-region strong consistency. A writer in us-east-1 and a writer in us-east-2 hitting the same balance resolve to one consistent outcome. No other AWS database offers it: Aurora PostgreSQL Global is single-writer, and DynamoDB global tables are eventually consistent (last-writer-wins, which means silent overspend during replication).

The unswappable core
  • Strong consistency + OCC across regions
  • Double-entry ledger as first-class SQL
  • Hash-chained, tamper-evident audit trail
  • JSON receipts beside relational rows
What you get

Everything you need to govern agent spend.

Hierarchical budgets

Org → team → agent caps, enforced together in one transaction.

Exactly-once settlement

Reserve, pay once, settle the real cost. A retry around an irreversible payment can't double-charge.

Policy engine

Per-transaction and rolling-window caps, vendor rules, approval thresholds.

Cost attribution

Tag every spend to a team, customer, or feature and answer chargeback questions cloud bills can't.

Tamper-evident audit

Hash-chained entries that detect any altered row, exportable as accounting journal lines.

Velocity breaker

Runaway spend trips a limit and auto-freezes the account.

Kill switch

Freeze one agent or the entire fleet instantly.

Ask your ledger

Plain-English questions answered over the ledger, never raw SQL.

3-line SDK

Drop the budget gate in front of any paid call. Money moves only after it commits.

See the cap hold, live.

Replay a runaway agent and watch the overspend get refused, transaction by transaction.

Replay an incidentOpen the dashboard