惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
罗磊的独立博客
H
Help Net Security
I
Intezer
G
Google Developers Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Troy Hunt's Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News and Events Feed by Topic
J
Java Code Geeks
S
Security Affairs
T
The Blog of Author Tim Ferriss
Recent Commits to openclaw:main
Recent Commits to openclaw:main
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
The GitHub Blog
The GitHub Blog
F
Full Disclosure
N
News and Events Feed by Topic
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs
腾讯CDC
人人都是产品经理
人人都是产品经理
M
MIT News - Artificial intelligence
Blog — PlanetScale
Blog — PlanetScale
T
Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
MongoDB | Blog
MongoDB | Blog
博客园 - 【当耐特】
L
LINUX DO - 最新话题
Google Online Security Blog
Google Online Security Blog
S
Schneier on Security
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
P
Proofpoint News Feed
Project Zero
Project Zero
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 叶小钗

Hacker News: Show HN

PurrrrrFocus: Pomodoro Timer App - App Store Workflow Engine — Multi-Step Orchestration for Bun RapidPhoto: Pro Photo Editor App - App Store GitHub - DheerG/swarms: Achieve extraordinary results with claude code across a variety of tasks SPICE simulation → oscilloscope → verification with Claude Code — Lucas Gerads Show HN: VCoding – A 5 MB native Windows IDE with no dynamic dependencies Show HN: LLMs don't hallucinate because they're bad at math, it's the format GitHub - Agent-FM/agentfm-core: AgentFM is a peer-to-peer network that turns everyday computers into a decentralized AI supercomputer. AgentFM lets you run massive AI workloads directly across a global mesh of idle CPUs and GPUs. Show HN: Tracking Top US Science Olympiad Alumni over Last 25 Years GitHub - Potarix/agent-hub: One place to talk to all your agents Show HN: Runtime security for AI agents(injection,tool abuse, data exfiltration) GitHub - dubeyKartikay/lazyspotify: Terminal Spotify client for macOS and Linux GitHub - the-banana-tool/king-louie: Easy to use GUI Personal AI Assistant. Win/Linux/Mac. Show HN I made my vacation rental bookable by AI agents–no Airbnb, 0% commission GitHub - basteez/jsf-autoreload: maven plugin to enable hot reload on jsf projects uvm32/hosts/host-gdbstub at main · ringtailsoftware/uvm32 GitHub - labsai/EDDI: Config-driven engine that turns JSON into production-grade AI agents. Multi-agent orchestration, 12+ LLM providers, MCP/A2A protocols, RAG, persistent memory, and enterprise compliance (EU AI Act, GDPR, HIPAA). Built on Quarkus. GitHub - glitchnsec/fortyone-oss: AI Executive Assistant Platform Quickstart | Alien GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. GitHub - ocrbase-hq/ocrbase: 📄 PDF/IMG ->.MD/JSON Document OCR API for PaddleOCR and GLMOCR. Self-hostable. GitHub - impactjo/home-memory: MCP server that lets your AI assistant remember everything about your home. GitHub - Sets88/dbcls: DbCls is a powerful terminal database client that supports various databases GitHub - neptun2000/heor-agent-mcp GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh RollQuation: Math Puzzles - Apps on Google Play GitHub - dropbox/witchcraft Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis GitHub - opentalon/opentalon: OpenTalon is an open-source platform built from the ground up in Go as a robust alternative to OpenClaw LinkedIn™ 职位抓取工具 - Chrome 应用商店 GitHub - EdoardoBambini/Agent-Armor-Iaga: AI agents are getting tool access — shell, file system, databases, APIs, secrets. But **nobody is governing what they actually do with it**. Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens. HN Vibes — Week 15, Apr 7–13 2026 GitHub - chojs23/ec: Easy terminal-native 3-way git mergetool vim-like workflow GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. GitHub - JakOb-dotcom/cloud-sandbox-security-analysis: Technical analysis and Proof of Concept (PoC) regarding environment variable exfiltration in containerized cloud sandboxes via side-channel data leaks. Springboards - Flint Alpha Show HN: A simpler coding agent harness GitHub - audiodude/sudomake-friends GitHub - 256thFission/mini-mythos: OSS clone of Anthropic’s Mythos harness to locate C/C++ memory vulnerabilities Show HN: OpenParallax: OS-level privilege separation for AI agent execution Hacker News Sorted - Chrome 应用商店 Show HN: How to Install Docker on Ubuntu 24.04 LTS: Complete 2026 Guide GitHub - himanshudongre/smriti GitHub - sverrirsig/claude-control: macOS desktop dashboard for monitoring and managing multiple Claude Code sessions GitHub - ory/dockertest: Write better integration tests! Dockertest helps you boot up ephermal docker images for your Go tests with minimal work. Chiral - Chrome 应用商店 Show HN: Two Claudes collaborating through shared memory on a $100 mini-PC GitHub - pmichaillat/latex-cv: Minimalist LaTeX template for academic CVs GitHub - oguzbilgic/posse: A web UI for Anthropic Managed Agents. GitHub - sshiraz/depsly: Dependency risk analysis tool for npm packages ABI Add safari/agent-harness — Safari browser automation via safari-mcp by achiya-automation · Pull Request #212 · HKUDS/CLI-Anything GitHub - Halfblood-Prince/trustcheck: Verify PyPI package attestations and improve Python supply-chain security GitHub - oguzbilgic/kern-ai: Agents that do the work and show it. GitHub - bruits/satteri: High-performance Markdown and MDX processing for the JavaScript ecosystem GitHub - tylergibbs1/feedstock: High-performance web crawler and scraper for TypeScript, powered by Bun and Playwright GitHub - Grimm67123/grimmbot: The self-improving sandboxed and open-source AI agent. With persistent memory and scheduling. GitHub - whitevanillaskies/whitebloom: Local whiteboard that blooms. GitHub - hwdsl2/docker-whisper: Docker image for a self-hosted Whisper speech-to-text server with speaker diarization and OpenAI-compatible transcription and translation APIs. Powered by faster-whisper. Supports all Whisper models, NVIDIA GPU (CUDA) acceleration, JSON/SRT/VTT output, SSE streaming, offline mode, and multi-arch (amd64, arm64). GitHub - yisding/reviewwiggum GitHub - MarwanAlsoltany/serrors: Structured errors for Go: sentinel hierarchies, typed data, custom formatting, and slog integration. GitHub - soatok/age-php GitHub - Luthiraa/markitme GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits GitHub - tombedor/excalicharts GitHub - wh1le/excalidraw-edit: Open and edit .excalidraw files from the terminal. Offline, auto-saves to disk. MalExt Sentry - Malicious Extension Scanner - Chrome 应用商店 GitHub - syi0808/asciianimesvg: Generate animated ASCII art SVGs from text. CLI, Rust library, WASM, and web editor. GitHub - zaina-ml/ml_forge: A visual-based graph node editor for training computer vision models. GitHub - anakin87/llm-rl-environments-lil-course: 🌱 A little course on Reinforcement Learning Environments for evaluating and training Language Models GitHub - takaakit/superpowers-uml: Superpowers-UML modifies Superpowers to ensure a software development workflow in which AI agents design through UML modeling. AdriByte Studio - Sviluppo Web e Soluzioni Digitali GitHub - chouligi/angel-copilot: Your personalized Angel Investment Advisor Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 GitHub - agenteractai/lodmem: Level Of Detail Context Management for Agents GitHub - ostefani/subnetlens: A fast, concurrent network scanner with a TUI and plain-text CLI, built in Go. It discovers live hosts on your network, scans their open ports, resolves hostnames, and fingerprints operating systems—delivered. Cyber Pulse: Agentic Intel - Apps on Google Play Whisper API: Self-Hostable Speech to Text Transcription The Agent-Web Protocol Stack: A Research Thesis GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Show HN: Provepy – A Python decorator that proves your code using Lean and LLMs Show HN: Pardonned.com – A searchable database of US Pardons GitHub - patrickdappollonio/dux: Dux is a terminal UI that lets you run multiple AI coding agents side by side, each in its own git worktree, with full companion terminals, macros, commit generation, and a command palette that knows more tricks than you do. kMC Crystal Simulator Show HN: HyperFlow – A self-improving agent framework built on LangGraph GitHub - stef41/vibescore: 🎵 Grade your vibe-coded project. One command, instant letter grade across security, quality, dependencies, and testing. GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. imgur.com GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. GitHub - nowork-studio/toprank: Open-source Claude Code skills for SEO, SEM, Google Ads GitHub - tacomanator/sash: Lightweight macOS menu bar app for reliably cycling through windows of the current application. Appents | Social Media Management for Product-First Teams GitHub - pnhoang/youtube-spam-blocker: Automatically detects and hides spam messages in YouTube Live chat. Set rate limits, keyword filters, and block repeat offenders. GitHub - decisionnode/DecisionNode: CLI + Local MCP - A shared structured memory store across Claude Code, Cursor, Windsurf, Antigravity, and every MCP client. Semantically queryable. GitHub - AvaCodeSolutions/django-email-learning: An open source Django app for creating email-based learning platforms with IMAP integration and React frontend components. The $100K Gap in Kubernetes Security Tooling Function Calling Harness: From 6.75% to 100%
The Speedometer I Made Up: Building a Token Budget Governor for AI Coding Agents | Ryan Duffy - Building with AI
Ryan Duffy · 2026-06-24 · via Hacker News: Show HN

I run Claude Code and Codex hard — multiple sessions, long hauls. On the Max 20× plan that’s comfortable. But I wanted to know if I could drop to 5×, and that meant trusting the guardrails I’d spent eleven days building. So I audited them.

The audit found something I didn’t expect: my budget governor had been faithfully protecting me against a speed limit measured by a speedometer I’d built myself. This is how the guards evolved — and how each one had already mutated away from its naive first version.

A lone hooded engineer stands amid a wall of glowing cyberpunk monitors and readouts — the telemetry a long, hard agent session throws off, and the spend it quietly adds up to.

The ramp that forced this

I didn’t build a budget governor because I enjoy writing hooks. I built it because the curve got scary. Here’s five and a half months of local usage (from Jan 9, via ccusage), by month:

Monthraw tokgenerated (in+out)notional cost*
January (from the 9th)93 M0.6 M$61
February1.6 B2.3 M$1,375
March3.1 B7.2 M$2,472
April2.1 B7.2 M$1,895
May7.4 B36 M$5,896
June (to the 23rd)11.5 B161 M$11,223

* Notional — ccusage’s pricing-table estimate, not a bill; on a subscription the marginal cost is ~$0. Raw tokens are ~98% cache reads, so the generated column (input+output) is the honest “real work” signal.

The shape is the whole reason this post exists. Usage didn’t drift upward — it ramped ~5× from spring into June: with the month only two-thirds gone, June’s generated work alone (161 M) already outran all five prior months combined (~53 M). Real generated work went from ~7 M/month in spring to 161 M in June. Everything below — the weighted proxy, the warn-only pacing, the Codex routing, the deterministic guards — was built on the steepest part of that curve, not in calm water. The governor was a response, not a premonition. (Same caveats as everywhere here: single machine, notional dollars, and the data only starts Jan 9 — there’s no local transcript before that.)

The core method: don’t count tokens, weight them

Every version rests on one decision. The weekly cap isn’t about raw token volume — different token types cost wildly different amounts. So the guard scores spend with a price-weighted proxy, not a counter:

WEIGHTS = {
    "input_tokens": 1.0,
    "cache_creation_input_tokens": 1.25,
    "cache_read_input_tokens": 0.1,   # cache reads are cheap…
    "output_tokens": 5.0,             # …output is 5x input
}
# then scaled per-model: opus 1.0 (baseline), sonnet 0.6, haiku 0.2, fable 2.0

That 0.1 on cache reads looks innocent. Hold onto it — it’s the whole reason loops are dangerous, and we’ll come back to it.

Here’s the honest caveat, lifted straight from my own code comment:

Anthropic does not document how /usage computes the weekly %, so the price ratio is a defensible proxy for subscription-cap consumption, not a first-party-confirmed weighting.

I built a governor on a number I reverse-engineered. Keep that in mind too.

v0 → v1: the guard that punished me for being early

The first version watched the weighted spend and, when I was burning too fast, force-compacted my context mid-session to save tokens. It worked and it was awful — because ahead of pace isn’t over budget. Front-load a heavy Monday and the naive projection screams “you’ll blow the cap!” and compacts you, even though you’ll coast all week.

The fix was to make the guard forward-looking and warn-only (condensed):

# projected end-of-cycle spend at the RECENT burn rate, not cumulative.
# An idle/frugal day lowers `rate` -> projection drops -> the nag relaxes itself.
projected = spent + recent_rate * time_left
PROJ_BANDS = [        # (projected fraction of cap, compaction ceiling)
    (1.3, 250_000),   # on track to bust cap by >30%
    (1.1, 350_000),
    (1.0, 450_000),
]
# Only a genuine near-lockout (>=95% ACTUAL spend) ever hard-clamps.
# Being on-trajectory-to-bust is WARN-ONLY.

The thinking: a guard that blocks you costs more in broken flow than the overspend it prevents. The mature version advises, and lets the projection relax on its own when you behave. First law of guard evolution: block → advise.

The first time the meter lied (overcounting)

While building this I found the proxy running ~2.4× hot. Claude Code’s transcript logs repeat usage entries on session resume, compaction, and sidechain replay — I measured ~58% duplicates. The guard was counting the same tokens two or three times and panicking accordingly. The fix was a dedup key per assistant message:

key = f"{msg['id']}|{entry.get('requestId')}"
if key in seen:        # duplicate replay — already counted this cycle
    continue

Lesson banked: before you trust a guardrail, verify the number it reads. I’d need that lesson again.

v2 → v3: stop guarding, start routing

Codex joined the workflow, so “my budget” became two budgets with different reset windows. The guard grew into cross-vendor governance — an architecture decision record, a Codex-side rate-limit mirror, and a tier lever that flips every calculation between Max 20× and 5×.

Then the real conceptual jump: don’t just warn about spend — move the work. A UserPromptSubmit hook classifies intent and routes it. The method is deliberately crude — an implementation verb and a breadth signal, narrow on purpose to avoid alarm fatigue (condensed):

IMPL_VERB = re.compile(r"\b(implement|refactor|migrate|rewrite|build (a|the)|"
                       r"write (the )?tests?|fix the bug)\b", re.I)
BREADTH   = re.compile(r"\b(across|all call sites|multiple files|end-to-end|"
                       r"integration tests?|migrate|module|refactor)\b", re.I)

if IMPL_VERB.search(prompt) and BREADTH.search(prompt):
    route_to_codex()      # bounded implementation lane
elif ARCHITECTURE.search(prompt):
    keep_on_claude()      # expensive-thinking lane

Claude becomes the architecture/review lane; Codex the bounded-implementation lane. In week one the router fired ~80 hand-offs to Codex against ~142 “keep on Claude” holds — the asymmetry is the point. It discriminates; it doesn’t blanket-shove. Second law: a guard that routes beats a guard that blocks.

The loop is a token trap

A single glowing loop of track carrying the same data-block round and round past a meter — the most expensive shape of work there is.

There’s an autonomous loop pattern being heavily promoted right now, and it gets sold as a productivity feature. I’ve come to see it as the single most expensive shape of work you can run — and once you understand the weighting, it’s not subtle why.

Go back to that cache_read_input_tokens: 0.1. Cheap per token — which makes it feel free. But a loop keeps a large context alive and re-reads all of it every single iteration, for hundreds of iterations, with no human in the path to say “good enough, stop.” Cheap-per-token × a 150K-token context × hundreds of turns × hours of wall-clock = the biggest line on the bill. You’re not billed for the idea; you’re billed for dragging the entire context across the meter, over and over.

The per-session data made it undeniable. When I broke the week down with ccusage — a tool that reconstructs token usage from local transcript files — five marathon sessions accounted for 72% of the week’s spend on this machine, and the official usage breakdown attributed ~80% of consumption to sessions running 8+ hours. Not five times the work. Five times the sitting there with a huge context spinning.

The people writing the loops are the ones who never see the bill

This isn’t a fringe pattern — it’s actively evangelised. There’s a whole Anthropic engineering series on “long-running agents” and “harness design”, the marketing leads with 30+ hours of autonomous coding and an 11,000-line app from a single run, and the creator of Claude Code has publicly reframed his own job around it — he no longer prompts the model, he writes loops that prompt it. “Loop engineering” is now a named trend.

To their credit, there are guardrails: scheduled routines reportedly run on a budget separate from your interactive session limit, the advice is to kill a stalled loop early, and the 5-hour limits were doubled. So the official line is “loops are fine — we’ve isolated their cost.”

Here’s where it breaks for the rest of us. That isolation only applies to the specific scheduled-routine mode. The moment you do what most people actually do — run a long autonomous loop inside a normal interactive session — you’re back on the metered cap, and my own usage breakdown put 80% of a week’s consumption in sessions running 8+ hours. The protection exists; the default behaviour routes around it.

An endless neon highway running to the horizon with no toll gate in sight — what unlimited, unmetered token access looks like to the people who set the defaults.

And notice who is selling the pattern. The engineer who says “just write loops” is running on effectively unlimited internal tokens. The loop is free to them. It demos like magic. It is also, for a paying user, the most expensive shape of work there is.

I don’t think it’s malice, and I don’t think it’s laziness. It’s a missing feedback loop — the oldest blind spot in software wearing a new coat. Build on the gigabit internal network and you ship something that crawls on real broadband. Develop on the 128-core box and your “fast” is everyone else’s “unusable.” Tokens are the same axis: when your access is free and infinite, the gradient quietly tilts toward more — longer runs, fuller context, loops that keep going — because none of it shows up as a number you have to answer for. The headline benefit and the worst-case cost end up being the same feature, and the people setting the default never feel the second half.

The fix isn’t to take engineers’ tokens away — unlimited access is necessary for research. It’s to make sure someone in the room is on the meter when the defaults get decided, so “is this the cheapest way to get the same result?” is a question the defaults are forced to answer. Which is, more or less, exactly what I’m doing from the outside: re-introducing the cost signal the defaults assume I don’t have.

v4: the most evolved guard uses no AI at all

My agent keeps a plain-text memory index loaded into every session. It bloated to 31 KB — one entry had grown into a 975-character paragraph — and started silently truncating at load, meaning memories were quietly going missing.

The fix is a PostToolUse hook, and the point is that it’s dumb on purpose: a deterministic, zero-LLM, zero-token Python script that caps any over-long line and never invokes the model (condensed):

CAP = 350  # above the dense-entry norm; only nukes pathological bloat
def safe_truncate(line, cap):
    if len(line) <= cap: return line
    s = line[: line.rfind(" ", 0, cap - 1)].rstrip()
    # back off if the cut landed inside a [markdown](link)
    while s and (s.count("[") != s.count("]") or s.count("(") != s.count(")")):
        s = s[: s.rfind(" ")].rstrip()
    return s + ""

When the entire goal is to protect the expensive model’s budget, the smartest guard is the one that never calls the model. Third law: prefer a deterministic guard to a clever one for anything you can write as a rule. Save the model for judgment.

v5: the meter lied again — the other direction

Then I went to answer the question that started all this — is 5× feasible? — and the governor said I was using 18.7% of my weekly cap. The official /usage screen said 60%.

Not a bug. My proxy reads transcripts on this one machine. I run across a desktop, a laptop, and the web app — so it was undercounting real usage by roughly . Combine that with the earlier 2.4×-overcount-from-dupes and the picture is clear: a reverse-engineered proxy was wrong in both directions at different times, because it was never the real meter.

That detonated the feasibility math. “5× is comfortable” (18.7% × 4 ≈ 75%) became “5× would blow the cap” (60% × 4 ≈ 240%). The governor was faithfully protecting me against a limit measured by a speedometer I’d built myself.

The fix isn’t more cleverness — it’s calibration. Point the governor at the one number that’s ground truth (/usage), and treat the weighted proxy as a pacing hint within the day, not the cap itself.

Three meters, two of them blind

By the end I realised I’d been reading three different meters and trusting the wrong ones:

  • ccusage reconstructs token usage and a notional cost (token counts × a built-in pricing table, offline) from local transcript files. It’s how I got the per-session breakdown.
  • My own weighted proxy reads those same local transcripts and applies the price weighting from the top of this post.
  • The official /usage is the only one that sees every surface — desktop, laptop, web app.

A wall of glowing dial meters — three readings of the same week's spend, only one of which sees every machine.

Two of the three read the same partial data, so they share the same blind spot: anything I do on another machine is invisible to them. That’s the entire reason the proxy read 18.7% while /usage read 60%. And it’s why the per-session feasibility math carries an honest asterisk — the distribution (five sessions, 72%) is real for this machine, but to turn it into a “5× fits” verdict I had to cross-calibrate that local distribution against the one global number.

Here’s the actual arithmetic, because the method matters more than the result. ccusage reported ~3.23 B tokens across 364 sessions that week on this machine — a notional $2,865 by its built-in pricing table, but on a subscription the marginal cost is ~$0, so the number that matters is the cap fraction, not dollars. The official /usage pinned the same week at 60% of my weekly cap. Anchor one to the other and ~1% of the cap ≈ 54 M local tokens that week.

Now “is 5× feasible?” becomes arithmetic instead of a guess. Max 5× is a quarter of the 20× quota, so a 60%-of-20× week re-bases to ~240% of a 5× cap — over by more than double. To land at a safe 80% of 5×, I’d need to cut to ~20% of the 20×-equivalent: about 1.08 B tokens/week. ccusage’s per-session split shows the top five sessions ran 337–665 M tokens each — at that intensity only ~2 fit in the budget. Drop the marathon habit and a scoped session lands nearer 100–200 M, and 5–7 fit. Same cap, same tool: the answer is almost entirely a function of session shape, not session count.

The feasibility answer moved twice along the way: once when I found the proxy was lying, and again when I stopped trusting the headline and actually ran the per-session breakdown. The lesson isn’t “use ccusage” or “use /usage.” It’s: know which meter sees what, and never let the convenient local one outrank the one that sees the whole road.

The evolution, version by version

Each guard mutated when it hit reality. The scorecard, with the numbers that actually moved:

VersionThe changeBefore → after
v0force-compact on paceinterrupted me mid-session whenever I was ahead of pace — even with no real overspend
v1 (VW-779)warn-only + forward projectionhard-clamp on pace → warn-only; only ≥95% actual spend ever clamps
dedup (VW-840)de-duplicate replayed usage entriesproxy ran ~2.4× hot (~58% duplicate entries counted) → deduped to true count
v3 (VW-841/842)route work, don’t block it”warn about spend” → ~80 hand-offs to Codex vs ~142 Claude holds in week one
v4 (VW-994)deterministic, zero-LLM memory guardindex 31 KB with a 975-char line, truncating at load → capped at 350, no tokens
v5 (calibration)read /usage, not the home-made proxyproxy 18.7% of cap (3× under) → official 60%; “5× ≈ 76%, comfortable”240%, blows the cap

That last row is the whole post in miniature: the same week, two meters, opposite verdicts.

Did the guards actually help? What the meter recorded, per version bump

Here’s the honest answer up front, because the table buries it otherwise: the guards never cut Claude’s raw token volume. They relocated work onto a separate meter and killed the false-alarm compactions. That’s what “helping” turned out to mean — and it’s the opposite of the volume-reduction story I assumed I’d be telling. Raw tokens can’t show a guard working anyway: they’re ~98% cache reads (Jun 12 was 784 M raw but only ~11 M generated input+output), so the volume column is mostly workload noise. The column that does track help is % on Codex — how much of the day’s work ran on Codex’s separate budget instead of Claude’s metered cap:

DateShippedClaude raw tokCodex raw tok% on Codex*est. wk-cap %**Δ vs prev
Jun 12v0 guard + Codex governance (VW-755/761/762)784 M213 M21%~17%
Jun 13model-aware + warn-only (VW-774/779)598 M26 M4%~30%+13 pts
Jun 15tier lever + handoff/router (VW-829/841/842)397 M5 M1%~46%+16 pts
Jun 16auto-handoff + digest (VW-870/871)356 M2 M1%~54%+8 pts
Jun 18budget-context hooks (VW-887)284 M129 M31%~70%+16 pts
Jun 21— (heavy build day)942 M61 M6%~36%cap reset Jun 19
Jun 22874 M63 M7%~55%+19 pts
Jun 23memory guard (VW-994)226 M3 M1%60% (measured)+5 pts

* Share of that day’s combined raw tokens that ran on Codex’s separate budget rather than Claude’s weekly cap. This is the only column that tracks “did a guard move load off the metered lane” — i.e. did it help. ** Derived estimate, not a logged reading. Only Jun 23’s 60% is the real /usage figure. The rest is back-calculated from ccusage’s daily tokens against that single anchor (≈45 M raw ≈ 1% of cap), assuming the cap is linear and identical week to week. The weekly cap resets ~Jun 19, so the count restarts mid-table. I’m showing it precisely because it’s shaky — reverse-engineering a percentage from one anchor is the exact move this whole post is a warning about.

A rail junction diverting a loaded cart onto a second track — the guard that helped didn't cut the work, it moved it onto a separate meter.

Three honest reads of that table:

Did the guards help? Yes — but by moving work, not cutting it. Claude’s raw volume bounced between 226 M and 942 M a day no matter which guard shipped; no version pushed it down. What moved was where the work ran. The day the auto-handoff tooling matured (Jun 18), Codex’s share jumped to 31% — 129 M tokens billed to a separate budget instead of Claude’s weekly cap. The guard that helped wasn’t the one that watched spend; it was the one that moved it. The governor never made me spend less — it made me spend on the cheaper meter.

The help is lumpy, not a clean trend. % on Codex reads 21% → 4% → 1% → 1% → 31% → 6% → 7% → 1%. That tracks when I had bounded implementation work to hand off, not a steadily-improving guard. The honest signal is the single Jun 18 step-change when auto-handoff landed — not a smooth curve I can claim credit for.

The wk-cap % column is the shaky one. The ~17% → ~70% climb isn’t the guards spending more — it’s a weekly cap filling up as the week runs; the guards shipped into that fill, they didn’t drive it. And it exists at all only by leaning on one measured anchor and pretending the token-to-percent map is clean. Direction, not gospel.

What I actually learned

  • Guards evolve block → advise → route → deterministic. The first instinct — interrupt the user “for their own good” — is almost always the worst version.
  • Weight, don’t count. Output is 5× input; cache reads are 0.1×. Meter raw tokens and you’ll guard the wrong thing.
  • The loop is the most expensive shape of work there is — large context × every iteration × no human gate. Treat “leave it running” as a cost decision, not a convenience.
  • Verify the number before you trust the guard. Mine was 2.4× hot, then 3× cold. A perfect governor on a fake meter is worse than none, because it sells you false confidence.
  • Know which meter sees what. Two of my three meters read the same local data and shared its blind spot; only one saw all my machines. Don’t let the convenient meter outrank the complete one.
  • The cost driver is session length, not session count. Short and scoped wins. /clear between tasks is the highest-leverage habit I have.

So — has it evolved from the initial one? The first guard was a bouncer that threw me out for going 65 in a zone it thought was 40. The current one routes my traffic, fixes my own memory file for free, refuses to run the meter just to read a string length — and, once I point it at the real dial, will finally be governing the actual road.

Next: re-pointing the whole governor at the official figure, and a symmetric “send it back to Claude” nudge for when Codex is the one running hot.

Run it yourself

All four guards in this post — the weighted proxy, its compaction-enforcement half, the Claude/Codex router, and the zero-LLM memory compactor — are on GitHub, MIT-licensed and sanitized, with an example budget.json and the wiring for settings.json:

The calibration caveat from this post is baked into the README as the first thing you read: the proxy is single-machine and the weighting is reverse-engineered, so point it at /usage and treat the weighted number as a within-day pacing hint, not the cap. Every guard fails open and has a kill switch. If you only run one agent, the router degrades to local-only — delete the second-lane branch and keep the rest.