[Bug] Promise-based mutex in BudgetManager does not prevent concurrent async writes to totalSpent

[anshul23102]

Summary

The trackingLock pattern in src/core/budgetManager.ts only serializes calls that await the lock before it is replaced. Two concurrent calls entering track() simultaneously both read the same lock Promise and both proceed to the critical section.

Affected File

src/core/budgetManager.ts

async track(cost: number): Promise<void> {
  await this.trackingLock;
  this.trackingLock = (async () => {
    // two concurrent calls can reach here simultaneously
    this.totalSpent += cost;
  })();
}

Suggested Fix

Use a proper mutex library (e.g., async-mutex) or Node.js AsyncLock to guarantee mutual exclusion in the critical section.

Severity

High

[anshul23102]

@Ruthwik000 could you please assign this issue to me? I would like to work on it.

assign/

gssoc'26

[anshul23102]

@Ruthwik000 Could you please assign/ this issue to me? I would like to work on it under GSSoC '26.