M26-4: audit + spec out real usage_threshold_tokens enforcement #551

New issue

Closed

opened 2026-04-29 12:25:05 +00:00 by claude-desktop · 1 comment

claude-desktop commented 2026-04-29 12:25:05 +00:00

Collaborator

Copy link

As an operator, I want usage_threshold_tokens to actually halt or fail-over an agent when its token budget is exhausted, so that the dashboard ring (today purely cosmetic) reflects a real safety brake and the failover chain (M26-1) can include token_budget as a trigger.

Background

Audit performed during M26 design (PR #547 review):

• usage_threshold_tokens in config/service.json is parsed by the loader → webhook-config.ts exposes it as usageThresholdTokens: number | null.
• apps/server/src/main.ts::handleUsage echoes it back on GET /usage as threshold_tokens.
• The dashboard's usage ring uses it for 50/80/95 % colour tiers.
• No code path enforces it. Crossing the threshold has zero effect on dispatch, the worker pool, or container lifecycle.

M26-1's failover.triggers enum deliberately excludes token_budget because the trigger has nothing to detect today. This ticket is the prerequisite that brings it back.

Acceptance criteria

Audit (deliverable: docs/specs/token-budget.md)

• Confirm exhaustively: every read of usageThresholdTokens in the codebase. Document the count and call sites.
• Confirm: no enforcement gate currently exists. (If one is found, surprise — write it up.)
• Catalogue what computeUsage() already tracks: window granularity (week/day/all), per-agent vs. global, token type breakdown (input/output/cache).
• Decision: scope is global (current shape, single threshold) or per-type (lift threshold onto type config). Recommendation in the spec.
• Decision: budget reset cadence honours existing usage_reset knob ("week" | "day" | "all") or gets a new one.
• Decision: action on threshold cross — pause all agents (current dashboard semantics), pause specific types, fail-over to a cheaper tier (ties into M26-1), or warn-only with override.

Implementation spec (in the same doc)

• Sketch the enforcement gate location: post-task hook, dispatcher pre-flight, or background sweeper. Trade-offs documented.
• Sketch the integration with M26-1's failover.triggers: when token_budget is enabled and the active window's usage ≥ threshold, fire the same tier-bump path as auth_error so failover state is unified.
• Sketch the operator UX: how does the ring colour change at 100 %? What does the dashboard say happened? Where does the unpause button live?

Follow-up tickets

• Open M26-5 / 6 / … for actual implementation, scoped from the audit's recommendation. This ticket only ships the audit + spec.

Out of scope

• Implementation work — gated behind the audit's conclusion.
• Per-instance budget (today the threshold is global; M26-2 wizard already excludes per-tier budget knobs).

References

• PR #547 review thread (decision to defer): #547
• M26-1 (#TBD) — failover.triggers enum that this story re-enables.
• Existing call sites:
  • apps/server/src/shared/config/webhook-config.ts:469 (declaration)
  • apps/server/src/main.ts:1390 (handleUsage)
  • apps/server/src/shared/config/service-config-schema.ts (Zod field)

As an **operator**, I want `usage_threshold_tokens` to actually halt or fail-over an agent when its token budget is exhausted, so that the dashboard ring (today purely cosmetic) reflects a real safety brake and the failover chain (M26-1) can include `token_budget` as a trigger. ### Background Audit performed during M26 design (PR #547 review): - `usage_threshold_tokens` in `config/service.json` is parsed by the loader → `webhook-config.ts` exposes it as `usageThresholdTokens: number | null`. - `apps/server/src/main.ts::handleUsage` echoes it back on `GET /usage` as `threshold_tokens`. - The dashboard's usage ring uses it for 50/80/95 % colour tiers. - **No code path enforces it.** Crossing the threshold has zero effect on dispatch, the worker pool, or container lifecycle. M26-1's `failover.triggers` enum deliberately excludes `token_budget` because the trigger has nothing to detect today. This ticket is the prerequisite that brings it back. ### Acceptance criteria #### Audit (deliverable: `docs/specs/token-budget.md`) - [ ] Confirm exhaustively: every read of `usageThresholdTokens` in the codebase. Document the count and call sites. - [ ] Confirm: no enforcement gate currently exists. (If one is found, surprise — write it up.) - [ ] Catalogue what `computeUsage()` already tracks: window granularity (week/day/all), per-agent vs. global, token type breakdown (input/output/cache). - [ ] Decision: scope is **global** (current shape, single threshold) or **per-type** (lift threshold onto type config). Recommendation in the spec. - [ ] Decision: budget reset cadence honours existing `usage_reset` knob ("week" | "day" | "all") or gets a new one. - [ ] Decision: action on threshold cross — pause all agents (current dashboard semantics), pause specific types, fail-over to a cheaper tier (ties into M26-1), or warn-only with override. #### Implementation spec (in the same doc) - [ ] Sketch the enforcement gate location: post-task hook, dispatcher pre-flight, or background sweeper. Trade-offs documented. - [ ] Sketch the integration with M26-1's `failover.triggers`: when `token_budget` is enabled and the active window's usage ≥ threshold, fire the same tier-bump path as `auth_error` so failover state is unified. - [ ] Sketch the operator UX: how does the ring colour change at 100 %? What does the dashboard say happened? Where does the unpause button live? #### Follow-up tickets - [ ] Open M26-5 / 6 / … for actual implementation, scoped from the audit's recommendation. This ticket only ships the audit + spec. ### Out of scope - Implementation work — gated behind the audit's conclusion. - Per-instance budget (today the threshold is global; M26-2 wizard already excludes per-tier budget knobs). ### References - PR #547 review thread (decision to defer): https://forge.jacquin.app/charles/claude-hooks/pulls/547 - M26-1 (#TBD) — `failover.triggers` enum that this story re-enables. - Existing call sites: - `apps/server/src/shared/config/webhook-config.ts:469` (declaration) - `apps/server/src/main.ts:1390` (`handleUsage`) - `apps/server/src/shared/config/service-config-schema.ts` (Zod field)

claude-desktop added the

area:agents

type:chore

labels 2026-04-29 12:25:22 +00:00

claude-desktop added this to the M26 — Multi-provider failover milestone 2026-04-29 12:25:37 +00:00

charles referenced this issue from a commit 2026-04-29 12:55:17 +00:00

docs(specs): audit `usage_threshold_tokens` + spec out enforcement (M26-4)

claude-desktop referenced this issue 2026-04-29 12:57:40 +00:00

M26 — multi-provider failover (chain + UI + audit) #552

charles referenced this issue from a commit 2026-04-29 13:53:43 +00:00

M26 — multi-provider failover (chain + UI + audit) (#552)

claude-desktop commented 2026-04-29 19:09:44 +00:00

Author

Collaborator

Copy link

Audit shipped in PR #552 (docs/specs/token-budget.md). Reference cleanups in PR #552 review fixup commit. M26-5/6/7 implementation also shipped in PR #552 follow-up commit (operator opted to skip filing separate tickets and bundle them):

• M26-5 — per-type usage_threshold_tokens + post-task hook + recordExternalTrigger glue. Loader rejects negative/non-int, strips token_budget from single-tier chains, accepts on multi-tier. Audit's usage_reset: "all" caveat respected — gate skips when window is "all".
• M26-6 — token-budget input row in the wizard. (Per-type Stats ring deferred — needs Stats page redesign separate from M26.)
• M26-7 — ⛽ icon on the tier badge when last_failure_kind === "token_budget". Distinct from auth/rate-limit failures at a glance.

Audit-doc cleanup landed in PR #552 review fixup: corrected file:line refs, fixed UsageResult shape snippet (totals not total_tokens, window is object), called out usage_reset: "all" edge case, dual-cap UX caveat, repointed post-task hook reference from agent-runner.ts:489 (helper) to :981 (M26-1 classifier hook).

Closing — audit + spec + implementation all on main.

Audit shipped in PR #552 (`docs/specs/token-budget.md`). Reference cleanups in PR #552 review fixup commit. M26-5/6/7 implementation also shipped in PR #552 follow-up commit (operator opted to skip filing separate tickets and bundle them): - **M26-5** — per-type `usage_threshold_tokens` + post-task hook + `recordExternalTrigger` glue. Loader rejects negative/non-int, strips `token_budget` from single-tier chains, accepts on multi-tier. Audit's `usage_reset: "all"` caveat respected — gate skips when window is `"all"`. - **M26-6** — token-budget input row in the wizard. (Per-type Stats ring deferred — needs Stats page redesign separate from M26.) - **M26-7** — ⛽ icon on the tier badge when `last_failure_kind === "token_budget"`. Distinct from auth/rate-limit failures at a glance. Audit-doc cleanup landed in PR #552 review fixup: corrected file:line refs, fixed `UsageResult` shape snippet (`totals` not `total_tokens`, `window` is object), called out `usage_reset: "all"` edge case, dual-cap UX caveat, repointed post-task hook reference from `agent-runner.ts:489` (helper) to `:981` (M26-1 classifier hook). Closing — audit + spec + implementation all on main.

claude-desktop closed this issue 2026-04-29 19:10:08 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/sync-pre-push-from-forge-base

fix/flows-yaml-dispatch-identity

feat/board-tap-to-assign

dev/1107

code-lead/1106

code-lead/1108

dev/1104

code-lead/1103

code-lead/1080

dev/1087

feat/flows-yaml-ci-events

chore/board-drop-stalled-and-density-controls

fix/flows-yaml-routes-always-register

flows-yaml/api-defaults

dev/1023

fix/event-log-history-bleed

fix/janitor-fix-ci-logs-and-cap

dev/1022

fix/board-card-provider

code-lead/1036

dev/1025

code-lead/1020

dev/1017

code-lead/1026

feat/web-shortcut-registry-1018

dev/1015

code-lead/1009

code-lead/1008

dev/975

dev/969

dev/973

dev/967

code-lead/968

code-lead/953

dev/970

dev/976

code-lead/966

code-lead/956

code-lead/951

dev/962

dev/963

dev/977

dev/955

dev/983

dev/961

dev/974

code-lead/950

code-lead/939

dev/941

dev/940

dev/937

dev/938

dev/936

dev/935

feat/web-i18n-fr-locale

feat/spec-editor-ui-polish

chore/drop-legacy-compat

fix/skills-drop-preview-pane

fix/882-skills-safety-rail

dev/911

dev/909

dev/923

dev/917

dev/915

feat/879-sr11-m2-drop-legacy-skill

code-lead/873

dev/881

code-lead/869

dev/867

code-lead/845

code-lead/843

code-lead/844

dev/837

dev/861

dev/849

code-lead/837

code-lead/842

fix/dedup-rebase-inflight

dev/838

code-lead/847

dev/833

code-lead/848

pr/838

code-lead/841

feat/settings-save-bar/836

code-lead/840

dev/846

code-lead/839

dev/832

fix/board-sse-stale-cache

dev/834

dev/835

feat/settings-breadcrumbs

feat/forge-oauth-credentials

refactor/service-config-consolidation

feat/agent-tokens-to-secrets

feat/gitlab-oauth-to-db

feat/authelia-rip-and-voice-fixes

fix/rebase-storm-and-dead-letter

code-lead/797

code-lead/796

dev/811

code-lead/798

dev/810

code-lead/795

dev/808

code-lead/794

dev/805

dev/802

dev/803

feat/avatar-menu-settings-entry

feat/per-agent-token-tracking

dev/793

dev/747

dev/752

code-lead/790

code-lead/759

dev/756

dev/760

dev/741

dev/767

dev/740

dev/709

dev/644

dev/637

boss/614

dev/600

dev/611

dev/585

fix/login-bonus-fixes

boss/544

dev/542

refactor/api-prefix-and-session-gate

dev/489

boss/531

boss/518

dev/499

boss/516

dev/530

dev/517

dev/519

dev/515

dev/522

dev/503

dev/471

boss/329

dev/417

dev/418

dev/402

boss/327

dev/334

dev/332

boss/326

boss/325

dev/331

boss/324

boss/323

boss/322

dev/294

test/s11-task-analytics

dev/262

boss/270

dev/268

foreman/ui-consolidation-spec

dev/234

boss/196

boss/176

boss/164

fix/124-session-persist-bind

boss/52

dev/87

boss/73

dev/77

dev/81

dev/82

boss/79

dev/42

dev/35

boss/7

No results found.

Labels

Clear labels   

area:agents

Agent types, pool scheduling, per-instance config

  

area:dashboard

Dashboard UI and observability surfaces

  

area:database

DB layer — schema, migrations, ORM, raw SQL

  

area:design

UI/UX mockup work — routes to designer agent

  

area:design-review

Design review dispatch — routes to design-reviewer agent

  

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

  

area:infra

Deployment, isolation, containers, systemd units

  

area:meta

Tracking, scaffolding, project setup

  

area:security

Security — routes to reviewer-security (opus)

  

area:sessions

Session-id store, Claude SDK resume logic

  

area:webhook

Forgejo webhook routing and handlers

  

area:workdir

Clone cache, worktrees, git identity

  

security

Security-sensitive issue

  

type:bug

Bug

  

type:chore

Chore

  

type:meta

Tracking or decisions, not implementation work

  

type:user-story

User story

No labels

area:agents

area:dashboard

area:database

area:design

area:design-review

area:flows

area:infra

area:meta

area:security

area:sessions

area:webhook

area:workdir

security

type:bug

type:chore

type:meta

type:user-story

Milestone

Clear milestone

No items

No milestone

M26 — Multi-provider failover

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks#551

No description provided.