PRD-105 Outline: Budget & Governance

Type: Research + Design Outline Status: Outline Depends On: PRD-101 (Mission Schema), PRD-100 (Master Research) Feeds Into: PRD-82C (Parallel Execution + Budget + Contractors)

1. Problem Statement

Automatos has no per-mission budget enforcement. Cost data flows from LLM responses into the llm_usage table (via UsageTracker), and analytics endpoints surface spending trends, but nothing blocks a mission from spending beyond any limit. The platform records what was spent — it never prevents overspending.

What's Missing

Why This Matters Now

Mission Mode (PRD-102) introduces a coordinator that decomposes goals into multiple tasks, each consuming LLM calls. Without budget enforcement:

• A 10-task mission using GPT-4-class models could cost $5-50 depending on complexity

• Users have no visibility into projected cost before execution

• There's no mechanism to halt a mission that's burning faster than expected

• Multi-tenant workspaces cannot isolate cost between users/missions

2. Prior Art Research Targets

2.1 OpenClaw 8-Stage Tool Policy Chain

Source: OpenClaw docs, GitHub

OpenClaw implements an 8-stage monotonically narrowing tool policy chain (originally documented as "6 tiers" in PRD-100 — actually 8):

Key design principle: Each stage can only narrow the tool set — never expand. Deny always wins over allow. Enforcement happens at tool-set construction (tools passed to LLM tools= param), not post-hoc interception. A denied tool never appears in the model's function schema.

What to adopt for Automatos:

• Monotonic narrowing invariant (workspace → mission → task → agent)

• Tool group shorthand (group:fs, group:web, etc.) for policy configuration

• Enforcement at tool-set construction (already how get_tools_for_agent() works in tool_router.py)

What doesn't apply:

• No temporal/budget dimension — OpenClaw controls which tools, not how often or at what cost

• No per-mission scoping — policies are static config, not runtime-dynamic

• Single-user gateway model — no multi-tenancy

2.2 AWS Budgets & Cost Management

Source: AWS Budgets API docs

AWS implements budget enforcement through soft caps with automated actions:

• Budget types: COST (dollars) and USAGE (quantity) — both relevant to mission budgeting

• CUSTOM time period: Fixed start/end, no auto-renew — maps to mission lifecycle

• Graduated thresholds: Up to 5 per budget (e.g., warn at 50%, alert at 80%, act at 100%)

• Budget Actions: APPLY_IAM_POLICY (deny access), RUN_SSM_DOCUMENTS (stop instances), APPLY_SCP_POLICY (org-level block)

• Approval models: AUTOMATIC (fire immediately) or MANUAL (queue for human)

• Cost allocation tags: Per-resource tagging for attribution (e.g., MissionId, AgentId)

Critical lesson: AWS has no true hard cap — billing data updates every 8-12 hours. For LLM missions that can exhaust budgets in seconds, this lag is fatal. We need synchronous pre-call checks, not post-hoc billing scrapes.

Adoptable patterns:

• Graduated soft/hard cap design (warn → throttle → stop)

• Separate action thresholds from notification thresholds

• AUTOMATIC vs MANUAL approval model per budget tier

• Dual COST + USAGE budget types (track dollars AND tokens independently)

• Tag-based attribution for post-hoc analysis

2.3 Kubernetes Resource Quotas & Admission Control

Source: K8s docs

K8s enforces resource limits through synchronous admission control — the single most applicable pattern:

Key properties:

• Hard rejection, not queuing: API server returns HTTP 403 synchronously. The resource is never created.

• Two-layer limits: ResourceQuota (namespace aggregate) + LimitRange (per-pod/container defaults and maximums)

• Quota scopes: PriorityClass-based quotas let you reserve budget for high-priority operations

• Quota does not retroactively evict: Lowering quota doesn't kill running workloads — enforcement fires on the next admission

Direct translation to mission budgeting:

2.4 Rate Limiting Algorithms

Sources: Cloudflare engineering blog, Stripe rate limiting docs, Anthropic API docs

For mission budgeting, use a cost-denominated token bucket:

• Bucket capacity = mission budget in dollars

• Refill disabled (missions have fixed, non-replenishing budgets)

• Each LLM call consumes estimated_cost tokens from the bucket

• After call, reconcile with actual cost from response

Pre-estimation formula:

• Input tokens: countable exactly pre-call via tokenizer

• Output tokens: use max_tokens × 0.7 as estimate (empirical median for agent tasks), NOT worst case. Worst-case (max_tokens) over-reserves budget and blocks legitimate work — missions would stall at 70% actual spend because the budget gate thinks 100% is committed. Reconcile actual vs estimated after each call; adjust reserve if the model consistently over/under-produces.

Anthropic tier structure (for reference):

• Tier 1: 50 RPM, 30K ITPM, $100/mo cap

• Tier 4: 4,000 RPM, 2M ITPM, $200K/mo cap

• Cached input tokens do NOT count toward ITPM

2.5 LiteLLM BudgetManager

Source: LiteLLM docs

LiteLLM implements a two-phase budget pattern:

1. projected_cost(model, messages, user) — pre-call estimate

2. update_cost(completion_response, user) — post-call reconciliation

This is the closest existing implementation to what Automatos needs for per-mission budget enforcement.

3. Budget Model

3.1 What to Track

3.2 Budget Hierarchy

3.3 Budget Lifecycle

3.4 Data Model Requirements (feeds PRD-101 schema)

4. Governance Layers

4.1 Tool Policy Layering (inspired by OpenClaw, adapted for multi-tenant)

Automatos needs a 4-tier monotonically narrowing tool policy:

Enforcement point: tool_router.py:get_tools_for_agent() — already the single source of truth. Add policy intersection before returning tools.

4.2 Model Access Policies

4.3 Human Approval Gates

4.4 Governance Config Storage

Recommendation: DB (JSONB on workspace/mission), not YAML files.

• Workspaces already have plan_limits JSONB (unwired)

• Missions will have budget_config JSONB (PRD-101)

• Tool policies as JSONB arrays on workspace + mission tables

• Human-readable, queryable, API-manageable

5. Key Design Questions

Q1: Hard cap vs soft cap?

• Hard cap on cost: Mission cannot exceed max_cost_usd. Pre-call admission gate rejects.

• Soft cap on tokens: Warning when approaching, but don't reject (token counts are less directly meaningful to users than dollars).

• Hybrid: Hard on dollars, soft on everything else.

Q2: Pre-estimation accuracy — how good can it be?

• Input tokens: exact (tokenizer count)

• Output tokens: worst case = max_tokens, typical = 30-50% of max

• OpenRouter returns pricing per model — llm_models table has input_cost_per_1k_tokens / output_cost_per_1k_tokens

• Risk: Model pricing changes without DB update → stale cost estimates

• Mitigation: Sync pricing from OpenRouter periodically; use worst-case estimates

Q3: What happens when budget exceeded mid-task?

Options (coordinator decides based on approval_model):

1. Abort mission — mark as budget_exceeded, save partial results

2. Downgrade model — switch remaining tasks to BUDGET_MODELS

3. Pause for human — halt execution, notify user, wait for budget increase

4. Complete current task, stop — finish in-flight work, don't start new tasks

• K8s pattern: in-flight work completes; next admission is rejected. Adopt this.

Q4: Per-model cost tracking with OpenRouter pricing?

• UsageTracker already reads LLMModel.input_cost_per_1k_tokens — this is the cost source

• OpenRouter returns usage.total_tokens in responses — already parsed by LLMManager

• Gap: UsageTracker doesn't tag calls with mission_id — needs a new column or tag field

• Gap: No pre-call cost estimation path exists — must build the admission gate

Q5: Governance config — DB vs YAML?

• DB wins for multi-tenant SaaS (per-workspace, per-mission configs)

• YAML is for self-hosted/single-tenant (OpenClaw pattern)

• Use Workspace.plan_limits JSONB (already exists, unwired) for workspace-level

• Use budget_config JSONB on orchestration_runs (PRD-101) for mission-level

Q6: How does budget interact with verification costs?

• PRD-103 defines verification as 10-30% of task generation cost

• Budget must account for verification: task_cost = generation + verification

• Option A: Include verification in the same budget pool

• Option B: Reserve a separate verification sub-budget (like K8s PriorityClass quotas)

• Recommendation: Option A (simpler), but track verification_cost_usd separately in budget_spent

Q7: BudgetMLAgent cascade pattern — adopt?

• Pattern: free model → cheap model → expensive model, escalating only when quality is insufficient

• RouteLLM (ICLR 2025): 75% cost reduction at 95% quality with static role→model mapping

• BudgetMLAgent: 96% cost reduction with cascade

• Recommendation: Static role→model mapping for v1 (PRD-104 scope), cascade for v2

6. Existing Codebase Touchpoints

Budget & Cost Infrastructure

Rate Limiting & Security

Governance & Access Control

Agent & Execution

7. Acceptance Criteria for Full PRD-105

Must Have

• Budget admission gate design: Synchronous pre-call check with estimated cost, integrated into LLMManager call path

• Budget data model: budget_config and budget_spent JSONB schemas (feeds PRD-101), budget_status enum

• Budget lifecycle: Create → estimate → enforce → reconcile → report, with state machine

• Graduated thresholds: Configurable warn/throttle/stop percentages with distinct actions per threshold

• Pre-estimation algorithm: Input token counting + output worst-case + model pricing lookup

• Post-call reconciliation: Actual cost recording with mission/task attribution

• Budget exceeded handling: At least 3 strategies (abort, downgrade, pause) with coordinator decision logic

• Tool policy layering design: 4-tier narrowing model (workspace → mission → task → agent) with enforcement at get_tools_for_agent()

• Workspace.plan_limits activation: Design for wiring the existing JSONB field to enforcement

• RBAC extensions: budget:set, budget:override, budget:view permissions

• Cost attribution: How llm_usage rows link to mission runs and tasks

Should Have

• Human approval gates design: Mission plan approval and budget-exceeded notification flows

• Model downgrade strategy: Static role→model mapping with budget-triggered fallback to BUDGET_MODELS

• Mission cost estimation endpoint: Pre-execution cost projection for user review

• Budget dashboard design: Per-mission spend tracking, remaining budget, burn rate

Nice to Have

• Adaptive rate limiting design: Adjust call frequency based on budget burn rate

• Cross-mission budget aggregation: Monthly workspace-level spending reports

• Budget templates: Reusable budget configs for common mission types

8. Risks & Dependencies

Risks

Dependencies

Cross-PRD Notes

• PRD-101 must include budget_config, budget_spent, budget_status fields on orchestration_runs

• PRD-102 coordinator must call budget admission gate before each agent execution

• PRD-103 verification cost should be tracked separately within the budget (verification_cost_usd)

• PRD-104 contractor agents must inherit the mission's remaining budget as their ceiling

• PRD-106 telemetry must capture budget utilization metrics for pattern analysis

• The stages TokenBudgetManager (stages/token_budget_manager.py) has latent AttributeError bugs — config.TOKEN_BUDGET_DEFAULT etc. don't exist in config.py. PRD-105 implementation should either fix or replace this class.

• Workspace.plan_limits JSONB is the existing hook for workspace-level budget — wire it, don't create a new field.

Appendix: Research Sources