1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
// Budget domain types
//
// Extensible budgeting system for controlling resource consumption.
// Supports multiple currencies (USD, tokens, credits), pluggable meters,
// pluggable rules, and soft enforcement (pause/warn/stop).
//
// See specs/budgeting.md for the full specification.
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use crate::typed_id::{BudgetId, SessionId};
use crate::user_facing_error::UserFacingErrorFields;
#[cfg(feature = "openapi")]
use utoipa::ToSchema;
// ============================================================================
// Budget
// ============================================================================
/// Budget status.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
#[cfg_attr(feature = "openapi", derive(ToSchema))]
#[serde(rename_all = "snake_case")]
pub enum BudgetStatus {
Active,
Paused,
Exhausted,
Disabled,
}
impl std::fmt::Display for BudgetStatus {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
BudgetStatus::Active => write!(f, "active"),
BudgetStatus::Paused => write!(f, "paused"),
BudgetStatus::Exhausted => write!(f, "exhausted"),
BudgetStatus::Disabled => write!(f, "disabled"),
}
}
}
impl From<&str> for BudgetStatus {
fn from(s: &str) -> Self {
match s {
"active" => BudgetStatus::Active,
"paused" => BudgetStatus::Paused,
"exhausted" => BudgetStatus::Exhausted,
"disabled" => BudgetStatus::Disabled,
_ => BudgetStatus::Active,
}
}
}
/// Subject type: what entity this budget constrains.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
#[cfg_attr(feature = "openapi", derive(ToSchema))]
#[serde(rename_all = "snake_case")]
pub enum BudgetSubjectType {
Session,
Agent,
User,
Organization,
/// Bound to an `App` (every session created for the app counts).
App,
/// Bound to a single `AppChannel` (only sessions for that channel count).
AppChannel,
}
impl BudgetSubjectType {
/// Wire string used in storage and the API.
pub fn as_wire(&self) -> &'static str {
match self {
BudgetSubjectType::Session => "session",
BudgetSubjectType::Agent => "agent",
BudgetSubjectType::User => "user",
BudgetSubjectType::Organization => "org",
BudgetSubjectType::App => "app",
BudgetSubjectType::AppChannel => "app_channel",
}
}
}
impl std::fmt::Display for BudgetSubjectType {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.write_str(self.as_wire())
}
}
impl From<&str> for BudgetSubjectType {
fn from(s: &str) -> Self {
match s {
"session" => BudgetSubjectType::Session,
"agent" => BudgetSubjectType::Agent,
"user" => BudgetSubjectType::User,
"org" | "organization" => BudgetSubjectType::Organization,
"app" => BudgetSubjectType::App,
"app_channel" => BudgetSubjectType::AppChannel,
_ => BudgetSubjectType::Session,
}
}
}
/// Budget period configuration for recurring budgets.
///
/// Periods drive automatic balance reset:
/// - `Duration` is a fixed-length sliding window (e.g. last 5 hours, last 30 days)
/// measured from `Budget::period_started_at`. When the window elapses the
/// balance is reset to `limit` and the window restarts.
/// - `Calendar` aligns to a calendar boundary (`hour | day | week | month | year`)
/// in UTC. The balance resets when the next boundary is crossed.
/// - `Rolling` is preserved for backwards compatibility and parses common
/// shorthand (`24h`, `5h`, `7d`, `30d`) into a `Duration`-equivalent reset
/// policy.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[cfg_attr(feature = "openapi", derive(ToSchema))]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum BudgetPeriod {
/// Sliding window of a configurable number of seconds.
Duration { seconds: u64 },
/// Rolling window described as a humanized string ("5h", "24h", "30d").
Rolling { window: String },
/// Calendar-aligned (`hour`, `day`, `week`, `month`, `year`).
Calendar { unit: String },
}
impl BudgetPeriod {
/// Length of the period in seconds, if it can be expressed as a fixed
/// duration. Calendar periods return `None` (handled separately).
pub fn duration_seconds(&self) -> Option<u64> {
match self {
BudgetPeriod::Duration { seconds } => Some(*seconds),
BudgetPeriod::Rolling { window } => parse_rolling_window(window),
BudgetPeriod::Calendar { .. } => None,
}
}
}
/// Parse a rolling window shorthand like "5h", "30m", "7d" into seconds.
fn parse_rolling_window(window: &str) -> Option<u64> {
let trimmed = window.trim();
if trimmed.is_empty() {
return None;
}
let (digits, suffix) = trimmed.split_at(
trimmed
.find(|c: char| !c.is_ascii_digit())
.unwrap_or(trimmed.len()),
);
let value: u64 = digits.parse().ok()?;
let multiplier: u64 = match suffix.trim().to_ascii_lowercase().as_str() {
"" | "s" | "sec" | "secs" | "second" | "seconds" => 1,
"m" | "min" | "mins" | "minute" | "minutes" => 60,
"h" | "hr" | "hrs" | "hour" | "hours" => 3_600,
"d" | "day" | "days" => 86_400,
"w" | "wk" | "wks" | "week" | "weeks" => 604_800,
_ => return None,
};
value.checked_mul(multiplier)
}
/// Budget — a spending cap for a subject in a currency.
/// API response DTO.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[cfg_attr(feature = "openapi", derive(ToSchema))]
pub struct Budget {
#[cfg_attr(feature = "openapi", schema(value_type = String, example = "bdgt_01933b5a00007000800000000000001"))]
pub id: BudgetId,
pub organization_id: String,
pub subject_type: BudgetSubjectType,
/// Public ID of the subject entity.
pub subject_id: String,
/// Currency: "usd", "tokens", "credits", or custom.
pub currency: String,
/// Hard limit — budget ceiling.
pub limit: f64,
/// Soft limit — triggers pause/warn when balance drops below this.
#[serde(skip_serializing_if = "Option::is_none")]
pub soft_limit: Option<f64>,
/// Current remaining balance (limit minus consumed).
pub balance: f64,
/// Optional period for recurring budgets.
#[serde(skip_serializing_if = "Option::is_none")]
pub period: Option<BudgetPeriod>,
/// When the current period started (used to detect period rollover for
/// `Duration` / `Rolling` periods, and to display "resets at" in the UI).
/// `None` for budgets without a period.
#[serde(skip_serializing_if = "Option::is_none")]
pub period_started_at: Option<DateTime<Utc>>,
/// Arbitrary metadata.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub metadata: Option<serde_json::Value>,
pub status: BudgetStatus,
pub created_at: DateTime<Utc>,
pub updated_at: DateTime<Utc>,
}
// ============================================================================
// Ledger Entry
// ============================================================================
/// Immutable ledger entry recording resource consumption or credit against a budget.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[cfg_attr(feature = "openapi", derive(ToSchema))]
pub struct LedgerEntry {
pub id: String,
#[cfg_attr(feature = "openapi", schema(value_type = String))]
pub budget_id: BudgetId,
/// Positive = debit (consumption), negative = credit (top-up/refund).
pub amount: f64,
/// Which meter produced this: "llm_tokens", "tool_calls", etc.
pub meter_source: String,
/// Reference entity type: "llm_generation", "tool_execution", "manual".
#[serde(skip_serializing_if = "Option::is_none")]
pub ref_type: Option<String>,
/// Reference entity ID.
#[serde(skip_serializing_if = "Option::is_none")]
pub ref_id: Option<String>,
/// Session context for this entry.
#[serde(skip_serializing_if = "Option::is_none")]
#[cfg_attr(feature = "openapi", schema(value_type = Option<String>))]
pub session_id: Option<SessionId>,
#[serde(skip_serializing_if = "Option::is_none")]
pub description: Option<String>,
pub created_at: DateTime<Utc>,
}
// ============================================================================
// Budget Rule Actions
// ============================================================================
/// Action returned by a budget rule after evaluation.
#[derive(Debug, Clone, PartialEq)]
pub enum BudgetAction {
/// No action needed, continue execution.
Continue,
/// Emit a warning event but keep running.
Warn { message: String },
/// Pause the session — requires user input to resume.
Pause { message: String },
/// Hard stop — terminate the current turn.
Stop { message: String },
}
// ============================================================================
// Budget check result (used by worker to decide what to do)
// ============================================================================
/// Result of checking all budgets for a session.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[cfg_attr(feature = "openapi", derive(ToSchema))]
pub struct BudgetCheckResult {
/// Most restrictive action across all budgets.
pub action: String, // "continue", "warn", "pause", "stop"
/// Human-readable message (set when action != "continue").
#[serde(skip_serializing_if = "Option::is_none")]
pub message: Option<String>,
/// Budget that triggered the action.
#[serde(skip_serializing_if = "Option::is_none")]
#[cfg_attr(feature = "openapi", schema(value_type = Option<String>))]
pub budget_id: Option<BudgetId>,
/// Remaining balance on the most restrictive budget.
#[serde(skip_serializing_if = "Option::is_none")]
pub balance: Option<f64>,
/// Currency of the most restrictive budget.
#[serde(skip_serializing_if = "Option::is_none")]
pub currency: Option<String>,
/// Stable error code for user-facing budget failures.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub error_code: Option<String>,
/// Structured interpolation fields for localized error rendering.
#[serde(default, skip_serializing_if = "Option::is_none")]
#[cfg_attr(feature = "openapi", schema(value_type = Option<Object>))]
pub error_fields: Option<UserFacingErrorFields>,
}
impl BudgetCheckResult {
pub fn ok() -> Self {
Self {
action: "continue".into(),
message: None,
budget_id: None,
balance: None,
currency: None,
error_code: None,
error_fields: None,
}
}
pub fn should_stop(&self) -> bool {
self.action == "stop"
}
pub fn should_pause(&self) -> bool {
self.action == "pause"
}
}
// ============================================================================
// Budget tool response (returned by check_budget tool)
// ============================================================================
/// Summary of a single budget for the check_budget tool response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BudgetSummary {
pub currency: String,
pub limit: f64,
pub balance: f64,
#[serde(skip_serializing_if = "Option::is_none")]
pub soft_limit: Option<f64>,
pub percent_remaining: f64,
pub status: String,
}
/// Full response from the check_budget tool.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BudgetToolResponse {
/// Overall status: "active", "warning", "paused", "exhausted", "no_budgets"
pub status: String,
/// Per-budget summaries
pub budgets: Vec<BudgetSummary>,
/// Human-readable hint for the agent
#[serde(skip_serializing_if = "Option::is_none")]
pub hint: Option<String>,
}