PK
Back to archive

Engineering

Transactions Are UX Guarantees, Not Database Features

How to review transaction boundaries by the user-visible promise they protect.

Transactions Are UX Guarantees, Not Database Features

Users do not experience isolation levels. They experience whether the system tells a coherent story.

They see a payment that appears accepted and then disappears. They see inventory available until checkout fails. They see a permission removed in one screen but still effective in another. They see workflow state move forward while the audit trail says nothing happened.

To them, the database did not have a concurrency anomaly. Reality looked negotiable.

The thesis

Transactions should be reviewed as user-visible guarantees about reality, not as database features.

The question is not only whether the database can provide atomicity, isolation, or durability. The question is what promise the product is making when it shows a state, accepts an action, or records a decision.

When the promise is strong, the transaction boundary must protect it. When the promise is weak, the product should admit uncertainty instead of pretending the system is more certain than it is.

The production pattern

A workflow crosses several pieces of state. A user submits an action. The system updates records, emits events, changes permissions, records history, sends messages, updates caches, and maybe calls another service.

In review, the conversation often starts with technical options. Can we wrap it in one transaction? Should we use a distributed transaction? Can we rely on eventual consistency? Do we need locks? What isolation level is enough?

Those questions matter, but they come too late if nobody has named the user-visible promise.

Sometimes the promise is "once you see success, money moved exactly once." Sometimes it is "this item is reserved for you for a limited window." Sometimes it is "when access is revoked, it stops being usable." Sometimes it is "a workflow step cannot be skipped." Sometimes it is "there is an audit record for every consequential transition."

Different promises need different boundaries. The database mechanism follows the promise, not the other way around.

The trap

The trap is translating every consistency concern into a database argument.

Engineers can spend a long time debating isolation while the product remains vague about acceptable uncertainty. A strict transaction can protect too much, creating contention, coupling, and poor availability. A loose boundary can protect too little, pushing contradictions into the user experience.

Another trap is treating success messages as cheap. A "done" state is a product contract. If the system cannot make the underlying reality true yet, the interface should say pending, reserved, processing, requested, or scheduled. Those words are not copy polish. They are consistency design.

The most painful failures happen when the UI offers certainty, the database stores partial truth, and operators are left to reconcile the gap.

The model

I review transaction boundaries by the kind of promise they protect.

Money needs careful treatment because users expect conservation, uniqueness, traceability, and finality. The transaction boundary should protect the ledger-level invariant, not merely the visible screen update. If finality depends on an external system, the user state should reflect that uncertainty.

Inventory is a promise about scarcity. The system may choose hard reservation, soft reservation, overbooking tolerance, or waitlisting. Each is valid in the right product, but the user experience must match the chosen model. "Available" and "requested" are different promises.

Permissions are promises about authority. Revocation, grant, delegation, and policy changes need boundaries that match risk. Some permission changes can propagate eventually. Others must stop access before the system acknowledges success.

Workflow state is a promise about order. A state machine should prevent impossible transitions from becoming visible truth. If steps can run out of order internally, the external workflow should still expose a coherent lifecycle.

Audit trails are promises about explainability. If an action changes consequential state, the record of that decision must be part of the protected boundary or have an equally strong recovery path. An audit event that can be lost separately from the state change is not an audit guarantee.

This model forces the review away from generic consistency and toward the sentence a user, operator, or regulator would believe after the system responds.

Where this model breaks

Strict transactions are expensive where uncertainty is acceptable. They can increase latency, reduce availability, create hot spots, and couple services that should be allowed to fail independently.

Many useful products are built on weaker promises. A feed can tolerate reordering. A recommendation can be stale. A notification can arrive late. A report can be marked as still refreshing. A collaborative workflow can expose "syncing" honestly instead of pretending everyone sees the same state at the same time.

The counterpoint is not that transactions are always required. It is that uncertainty should be designed, not hidden. If the product can tolerate eventual consistency, the user experience should carry the right language, affordances, retries, cancellation paths, and support tooling.

Overusing transactions is also a design smell. A giant transaction may indicate that the model has not separated the invariant from surrounding side effects. Protect the invariant tightly. Let email, search indexing, analytics, and other derived effects follow with clear recovery.

What I do now

Before discussing transaction mechanics, I ask for the promise sentence.

  • After success, what must be true?
  • What may still be pending?
  • What can the user safely do next?
  • What contradiction would be unacceptable?
  • Who needs to reconstruct what happened later?

Then I choose the smallest boundary that protects the promise. For money, that may mean a carefully designed ledger invariant. For inventory, it may mean a reservation state with expiry. For permissions, it may mean revocation before acknowledgement. For workflow state, it may mean transition guards. For audit, it may mean writing the decision record with the state change.

I also separate protected state from side effects. A transaction should not become a dumping ground for everything that happens after a user clicks. It should guard the reality the product claims. Other work can follow, but it needs observable recovery and user language that does not overpromise.

The principal-engineer lens is to keep the organization honest about what the system is promising. Transaction design is product design with failure modes attached.

Closing takeaway

Define the user-visible promise first, then choose the transaction boundary that makes success, pending, failure, and audit tell the same story.