Per-session rate limit on tool calls

[esengine]

Background

The budget system (cost / token caps, landed in 0.12.x) prevents runaway spending, but not runaway frequency. A loop bug or a model going in circles can fire hundreds of run_command calls in seconds — fine on cost terms (each call is cheap) but bad for filesystem / disk / spawn pressure, and a real DoW vector when the loop also makes API calls.

OWASP AI Agent Cheat Sheet § 5 cites "max_calls": 100, "window_seconds": 60 as the canonical pattern.

Proposal

Sliding-window rate limiter at the tool-dispatch boundary. Defaults (suggested, not load-bearing):

• run_command / run_background: 60 calls / 60s
• All tools combined: 200 calls / 60s

When the limit fires, the tool call returns an error to the model ("rate-limited, slow down"); the next loop tick can retry once the window slides. UI surfaces the throttle state.

Open design questions

This is rfc-tagged — please discuss in the issue before opening a PR:

• Per-tool vs aggregate vs both?
• Sliding window vs token bucket?
• What does the model see — a real error, or a synthesized "wait" instruction the model can comply with?
• How does this interact with the existing budget system — combine, or stay separate?
• Configurable in user config? Per-project override?

Acceptance criteria (post-RFC)

• Rate-limiter at ToolRegistry.dispatch (or wherever the boundary lands after design)
• Configurable defaults
• Clear error → model when throttled
• Tests: window expiration, burst handling, multi-tool aggregation
• Doctor / dashboard surface (optional, follow-up)

Out of scope

• Cross-session limits (this is per-session)
• Network-level rate limiting (handled by upstream API providers)

References

• OWASP AI Agent Cheat Sheet § 5
• Existing budget code: src/core/budget*.ts
• Sibling work: git branch -d bypasses review mode #257, fix(shell): demote destructive flags on allowlisted commands #258

[llr-selfgit]

RFC proposal: per-session sliding-window tool dispatch limiter

I tested latest origin/main with both deterministic fake-client runs and real DeepSeek runs. I think #262 is valid, but the boundary is important: this is not primarily a token/cost-budget issue, and it is not the same as the existing repeat-loop guard. It is a host/resource-pressure issue at the tool-dispatch boundary.

Reasonix already handles repeated identical calls. For example, 12 identical echo({"msg":"same"}) calls were reduced to 2 actual dispatches by the repeat-loop guard, and a real DeepSeek run with 10 identical get_time({}) calls was also suppressed with warnings.

The missing protection is for many distinct calls in a short window. I was able to reproduce that in multiple ways:

• 24 distinct echo calls dispatched 24/24 with no warning.
• 18 mixed echo / add / slow_probe calls dispatched 18/18 with no warning.
• 10 run_command calls dispatched 10/10 with no warning.
• With maxToolIters=1, one assistant message containing 30 distinct tool calls still dispatched all 30 before the forced summary.
• Real DeepSeek dispatched 16 distinct echo calls in ~4.9s, 15 mixed-tool calls in ~7.7s, and 8 run_command calls in ~3.6s, all without warning.
• In one real session, three consecutive turns of 8 distinct echo calls each dispatched 24 total calls in ~9.8s with no warning.

So my proposed v1 is a per-session sliding-window limiter at ToolRegistry.dispatch.

The limiter should have both an aggregate bucket and optional per-tool buckets. The aggregate bucket protects the host from total dispatch pressure, while per-tool buckets protect high-impact tools such as run_command and run_background.

Suggested defaults:

• all_tools: 200 calls / 60s
• run_command: 60 calls / 60s
• run_background: 10 calls / 60s

I would use sliding windows rather than token buckets for v1 because the issue already frames the policy as max_calls / window_seconds, and that model is simpler to test and reason about. Token bucket smoothing could be a later enhancement if needed.

The limiter should run after basic dispatch validation, but before actual tool execution:

• after unknown-tool check
• after argument parsing
• after required-parameter validation
• after plan-mode refusal
• after interceptor short-circuit
• before audit listener
• before tool.fn

That means malformed args, unknown tools, plan-mode refusals, and interceptor short-circuits do not consume quota. Accepted dispatches should consume quota at dispatch start, not after completion.

When throttled, the model should see a real structured tool result, not an invisible host-side pause. Example:

{
  "error": "rate_limited",
  "tool": "run_command",
  "scope": "run_command",
  "limit": 60,
  "windowSeconds": 60,
  "retryAfterMs": 4200,
  "message": "run_command rate-limited: 60 calls / 60s. Wait 4.2s or summarize what you know."
}

This keeps the transcript protocol-valid and lets the model recover naturally by waiting, summarizing partial results, or changing strategy. The loop/TUI should also surface one warning when a throttle happens. Doctor/dashboard display can be a follow-up unless maintainers want it in the first PR.

Config could live in user config as:

toolRateLimit?: {
  enabled?: boolean
  aggregate?: { maxCalls?: number; windowSeconds?: number }
  tools?: Record<string, false | { maxCalls?: number; windowSeconds?: number }>
}

Invalid or missing values should fall back to defaults. enabled: false disables the limiter. Per-project overrides would be useful, but I would keep them optional for v1 unless maintainers want that included immediately.

Expected impact:

• Protects local host resources from rapid tool bursts.
• Covers built-in tools, MCP tools, filesystem, shell, memory, skills, and future tools through one shared boundary.
• Keeps existing repeat-loop behavior unchanged.
• Keeps token/cost budget separate from local dispatch pressure.
• Makes high-cache-hit sessions safer, because cheap cached prompts can still trigger expensive local work.
• Changes behavior only when a session exceeds the configured dispatch rate: some calls will return rate_limited instead of executing immediately.

Proposed tests:

• limiter allows calls under aggregate limit
• limiter blocks the first call over aggregate limit
• per-tool bucket can block before aggregate
• per-tool false disables that tool bucket while aggregate still applies
• old timestamps expire after the window
• enabled: false never blocks
• invalid config falls back to defaults
• ToolRegistry.dispatch does not consume quota for unknown tools, malformed args, missing required args, plan-mode refusals, or interceptor short-circuits
• successful dispatch consumes quota before fn awaits
• rate-limited dispatch does not call fn
• loop integration: fake model emits 3 distinct tool calls, limiter is 2 / 60s, first 2 execute, 3rd returns structured rate_limited, and the loop appends the tool result plus emits one warning

Out of scope for v1:

• cross-session/global limits
• provider/API/network rate limiting
• semantic per-tool budgets
• full doctor/dashboard polish unless maintainers want it in the initial PR

[Bernardxu123]

🛑 已关闭 — 功能需求迁移至 V2

V1 仅维护 bug 修复，新功能已迁移至 V2。请在 V2 Issues 中搜索或新建。

---

🛑 Closed — Migrated to V2. See #2398.