惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
T
Threat Research - Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
A
Arctic Wolf
Security Latest
Security Latest
Simon Willison's Weblog
Simon Willison's Weblog
I
Intezer
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Troy Hunt's Blog
Latest news
Latest news
Help Net Security
Help Net Security
S
Security Affairs
Webroot Blog
Webroot Blog
The Hacker News
The Hacker News
AI
AI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Tor Project blog
Forbes - Security
Forbes - Security
Google DeepMind News
Google DeepMind News
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
H
Help Net Security
L
Lohrmann on Cybersecurity
S
SegmentFault 最新的问题
Google Online Security Blog
Google Online Security Blog
MongoDB | Blog
MongoDB | Blog
Cyberwarzone
Cyberwarzone
The Last Watchdog
The Last Watchdog
S
Securelist
N
News and Events Feed by Topic
S
Secure Thoughts
F
Fortinet All Blogs
博客园_首页
C
Cybersecurity and Infrastructure Security Agency CISA
量子位
M
MIT News - Artificial intelligence
F
Full Disclosure
T
The Blog of Author Tim Ferriss
T
Tailwind CSS Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Microsoft Security Blog
Microsoft Security Blog
I
InfoQ
P
Privacy International News Feed
L
LangChain Blog
Know Your Adversary
Know Your Adversary
C
CERT Recently Published Vulnerability Notes

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Per-Agent Quotas for MCP: The Token Budget That Stopped One Agent From Burning 80% of the Daily Spend
Muskan · 2026-05-15 · via DEV Community

The first ninety days of an MCP server in production are about correctness, not abuse. The team is busy proving the agents do the right thing: the policy lookups return what they should, the audit log captures the right fields, the structured errors are parsed by the agent framework correctly. Rate limiting is something the team plans to add "after we have real traffic." The team has real traffic on day 12 and forgets to add rate limiting. On day 87 the first runaway lands.

The runaway always has the same shape. One agent starts behaving badly: a test loop forgot to set max_iterations, a malformed prompt drove the model into a long-output failure mode, a retry policy got an aggressive backoff inverted. The agent calls the same MCP tool 400 times in 30 minutes, burning 70% to 90% of the day's token budget before any human sees the alert. By morning the bill shows a $4,200 charge against an Anthropic account that usually does $800/day.

The structural fix is per-agent token quotas baked into the MCP server. Each agent identity gets a budget across three windows (hourly, daily, weekly). The MCP server tracks consumption and rejects calls that would exceed the budget. The agent gets a structured error; the human operator gets one page per cycle instead of a Slack thread at 9 a.m. asking who is responsible for the bill.

The pattern composes with the MCP cost ledger (which tells you what each agent has spent) and the policy-aware MCP governance work. The ledger is descriptive; the quota is prescriptive. Together they turn per-agent cost into a managed budget rather than a billing artifact you read about three days later.

The first MCP runaway lands in 90 days

The runaway shapes are predictable. After auditing a dozen MCP-server rollouts at ZopDev customers, the three failure modes account for almost every incident.

Failure mode Trigger Burn rate Typical detection latency
Test loop left running Developer's local agent forgets max_iterations 80-120 calls/hour for hours 6-12 hours (next morning)
Malformed prompt drives long-output mode Prompt change ships with regex bug; model hits 8k token outputs every call 3-5x normal token cost per call 2-6 hours (when daily spend alert fires)
Inverted retry backoff Retry policy doubles on success instead of failure 200-500 calls/hour against an idempotent tool 1-3 hours (when downstream service alarms)

The detection latencies are uncomfortable because none of them are inside the MCP server's control. The server sees the agent's calls and bills them honestly. It does not see the agent's intent, the retry logic, or the prompt change that landed an hour ago. By the time a human sees the spike in a billing dashboard or a cost alert, the runaway has been burning for hours.

The right place to catch this is inside the MCP server, on the call path. Every tool call passes through the server; every call has an agent identity attached (a service account, a session token, an API key). If the server checks the agent's running budget against a quota before allowing the call, the runaway stops at the quota boundary instead of at the 9 a.m. Slack ping.

Per-agent quotas as a tri-window check

A single daily quota is not enough. An agent that burns its full daily budget by 10 a.m. has fourteen hours to keep generating rejected requests; even rejected, the orchestration overhead (the agent's own LLM calls deciding what to do next) eats real tokens. A weekly quota catches the slow-creep agent that goes 8% over every day for five days and adds up to a meaningful Friday total that no daily check would have stopped.

Window Catches Typical cap (for 50K/day default agent)
Hourly The fast runaway (within 60 min) 8K tokens/hour (typical: 2K-3K)
Daily The within-day burn (within hours) 50K tokens/day
Weekly The slow creep (within days) 250K tokens/week (typical: 200K)

The three caps compose. The agent is allowed if it is under all three. If any single cap trips, the call is rejected. This sounds expensive to check but in practice it is three counter reads from a Redis hash; the overhead is sub-millisecond.

The hourly cap is the most underweighted of the three. Teams that ship daily-only quotas get caught by the morning runaway whose damage is done before the daily counter resets. The hourly cap means the worst case is 60 minutes of damage instead of 8 hours. For a 100x normal burn rate, the difference is $200 vs $2,000.

The weekly cap catches the agent that nobody pages on because no single day looks anomalous. An agent that does 60K tokens/day on a 50K cap looks within budget on the daily check (allowing the over-budget grace described below) but accumulates to 420K by Friday on a 250K cap. The weekly check catches the pattern that the per-day signal misses.

Default budget + adaptive growth

A new agent does not get a generous quota on day one. The default is small (50K tokens/day, 8K/hour, 250K/week) and grows with demonstrated usage. The growth is automatic, based on the agent's actual consumption pattern over the trailing 30 days.

Time window Quota state Behavior
Days 1-7 Default (50K/day) Most agents stay under 30%; quota stays at default
Days 8-30 Default, monitoring If utilization stays under 30%, auto-promotion candidate
Day 30 Auto-promotion If utilization 10-50%, raise to 200K/day; if higher, page FinOps for review
Days 31-90 200K/day If utilization stays under 40%, candidate for 500K/day at day 60
Day 60+ 500K/day or higher Manual review required for further increases

The shape: cheap by default, generous to proven workloads, never silently unlimited. A new agent that turns out to need 1M tokens/day gets there through a documented promotion path, not by accident. The same agent at day one would have been hard-blocked at 50K and the human would have set the right quota explicitly.

The promotion thresholds matter. If the auto-promotion fires whenever utilization is non-zero, every agent inflates to its peak day's quota and the protection erodes. If the threshold is too tight (e.g., only auto-promote at 50-70% utilization), most agents never grow and FinOps becomes a quota-approval bottleneck. The 30% / 40% bands above are the typical operating range; tighten or loosen based on the team's tolerance for false promotion vs friction.

Hard-block vs degrade: the design choice

When an agent exceeds quota, the MCP server has two response options. Hard-block is the simple choice: reject the call with an error, the agent's task fails, the human investigates. Degrade is the more humane choice: route the call to a cheaper model (or a cached response, or a partial result), the agent's task completes but with lower quality, the cost stays under control.

Mode Bill predictability Task continuity Output quality risk
Hard-block High (cost stops at cap) Low (agent task fails) None (no degraded output)
Degrade to cheap model Medium (cheap model still costs) High (agent continues) High (low-quality outputs may loop)
Return cached response High (no model call) Medium (only some calls cacheable) Medium (cache may be stale)
Return structured "over budget" High (no model call) Medium (agent must handle) None

Most teams ship hard-block first because the failure mode is contained: an agent that breaks under quota is visible immediately and gets a real fix. Degrade looks better in theory but introduces a subtle failure mode: a degraded agent producing low-quality outputs may loop trying to recover, generating more (cheaper but still real) calls and ultimately costing more than hard-blocking would have.

The middle path is to ship hard-block as the default and let agents opt-in to degrade for specific tool classes where partial output is genuinely better than no output. Read-only tools (lookup, search, summarize) are good degrade candidates: a cached or cheap-model response is acceptable. Write tools (mutations, policy changes) should hard-block: a degraded write is worse than no write.

Structured rejection so retries back off correctly

When the MCP server rejects a call, the error payload matters more than the rejection itself. An unstructured error ("quota exceeded") triggers the agent's default retry logic, which is usually "try again with exponential backoff." The agent retries, gets rejected, retries again, and burns more tokens on its own orchestration calls trying to figure out why the tool is failing.

A structured rejection includes the data the agent needs to back off correctly:

Field Type Example
error_code string quota_exceeded_daily
agent_id string agent-fraud-classifier-prod
window string daily
cap integer 50000
consumed integer 52340
reset_at ISO timestamp 2026-05-10T00:00:00Z
retry_after_seconds integer 19260
suggested_action string wait_until_reset

With this payload, the agent's retry logic can do the right thing: stop retrying until reset_at, surface the over-budget condition to its orchestrator, or fall back to a different code path. None of these are possible from "quota exceeded" alone.

The cost difference between structured and unstructured errors is meaningful. A blind retry loop against a rejected MCP tool generates 5-15 orchestration LLM calls before the agent's policy gives up. At Claude Sonnet rates, those orchestration calls cost roughly the same as the rejected tool calls would have cost. Structured errors zero out that overhead.

Audit + composition with the cost ledger

Every quota check writes an audit log line, regardless of decision. This is the system of record for two things: postmortem of any cost incident, and input to monthly quota tuning.

diagram

The cost ledger and the quota check run on the same call path but serve different purposes. The ledger writes the actual token cost after the call returns (the source of truth for billing). The quota check uses a pre-call estimate (input tokens are known exactly, output tokens are projected from max_tokens). The estimate is conservative (assumes worst case); the ledger is exact.

This split matters for tuning. After 30 days, the ratio of estimated cost to actual cost is the input to whether the quota's grace margin needs to change. If estimates are systematically 20% higher than actuals, agents get blocked more often than the budget would warrant; the grace margin can shrink. If estimates are 10% lower, the budget is leaking; the grace margin needs to grow.

The composition with the MCP cost ledger is what makes the quota system trustworthy. The ledger answers "what did we spend"; the quota answers "what are we allowed to spend." Two complementary systems, one call path, one audit log.

First-month tuning: 2-4 unexpected runaways caught

The first month of the quota system in production produces a predictable mix of firings. ZopDev customer rollout data shows:

Week Typical firings Common cause Action
1 3-7 False positives (default too low for legitimate workloads) Raise quotas for the 1-3 affected agents
2 2-5 Legacy agents using more tokens than anyone realized Investigate; tune quota or refactor agent prompt
3 1-3 First real runaways caught Postmortem, no quota change
4 0-2 Mostly real Steady-state
Month 2+ 0-2/month Real runaways only Postmortem each

The week-1 false positives are a signal that some agents were running with consumption nobody had measured. This is itself the value: the team learns what its agents actually cost. Most teams discover at least one "we thought this agent did 20K tokens/day but it actually does 180K" surprise in the first two weeks.

The week-3 first real runaway is the moment the system earns its keep. The runaway gets caught within an hour (because of the hourly cap), the page goes out, the human reads the structured error, and the incident is closed in 45 minutes with $200 of damage instead of 8 hours and $5,000.

The FinOps engineer time across the month is 4-6 hours: classifying the firings, adjusting quotas, writing brief postmortems, updating the promotion thresholds based on observed utilization. The fleet-wide saving over the same month is typically 20-40% of the monthly token bill, mostly from runaways prevented and from the visibility into per-agent consumption that the audit log enables.

The dollar math

The numbers are simple. Per-agent quotas at a typical mid-market agent fleet:

Item Value
Monthly token bill before quotas $40,000 to $120,000
Reduction from prevented runaways 15-25%
Reduction from agent right-sizing (visible from audit) 5-15%
Total monthly reduction $8,000 to $48,000
Quota system build cost (one-time) $20,000 to $40,000
Operating cost (1 FinOps engineer, ~10% time) $20,000/year
Payback period 1-4 months

The build cost varies because the implementation choices (Redis counters vs Postgres, structured errors vs not, adaptive promotion vs static caps) have different effort profiles. The lowest-effort version (a single daily cap per agent, hard-block on overage, structured errors) ships in two weeks; the full tri-window adaptive system with degrade support is a quarter of platform-engineer time.

The payback math works because the prevented-runaway saving is a real reduction in spend, not a forecasted one. The agent that would have burned $4,200 overnight burns $200 and stops. The cost ledger and the audit log show exactly how much was saved at each firing, which is the kind of receipt finance accepts as ROI evidence.

Per-agent quotas are not optional once an MCP server has more than three or four agents in production. The first runaway is a question of when, not if. Shipping the quota system before the first runaway costs a quarter of platform-engineer time; shipping it after the first runaway costs that plus the bill for the incident and the trust hit from finance. Set the default budget, wire the tri-window check, log the decisions, and stop relying on the morning Slack ping to catch agent runaways.