# Token Budgets: An Empirical Catalog of 63 LLM-Agent Budget-Overrun Incidents and a Case Study of Affine-Typed Rust Mitigation

- Source: HuggingFace Daily Papers (community trending papers)
- Published: 2026-06-02 08:00
- AIHOT score: 66
- AIHOT link: https://aihot.virxact.com/items/cmpzsaqxj06hhslkptmn4dfjm
- Original link: https://arxiv.org/abs/2606.04056

## AI Summary

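The paper compiles 63 production incidents of LLM-agent budget overruns across 21 orchestration frameworks from 2023 to 2026 and builds an eight-cluster failure taxonomy (Cohen's kappa = 0.837, N = 113), with 47 additional structural entries. It develops token-budgets, a 1,180-line Rust crate with no unsafe, whose affine ownership model makes cloning, double-spending, and use-after-delegation compile-time errors. In the single-agent case a 4-line Python counter performs equally well (0/30 overshoot); in the multi-agent delegation scenario the Python asyncio pattern overshoots 30/30, while the Rust crate rejects the same pattern at compile time. Across 5 runtimes, 3 providers, and 160 temperature-stratified live-API tests, the approach shows zero budget violations and zero false refusals, with static over-reservation of 4-6x (2.11x adaptive). Binary-level budget safety remains unresolved.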

## Full Text

LLM-agent budget overruns are a documented production failure class: a single retry loop can spend thousands of dollars before an operator notices, and the in-process integrity properties that would prevent it (no aliasing, no double-spend, no use-after-delegation of a cost-bearing value) are enforced, if at all, by ad-hoc wrappers rather than by the type system. Our central contribution is empirical: a catalog of 63 confirmed production incidents from 21 orchestration frameworks (2023-2026), each backed by a quoted GitHub issue and, where reported, a dollar loss, organized into an eight-cluster failure taxonomy (inter-rater Cohen's kappa = 0.837, N = 113), plus 47 supplementary structural entries. As one mitigation evaluated against this taxonomy, we build token-budgets, an 1,180-line Rust crate (no unsafe) that operationalizes affine ownership so that cloning, double-spending, or using a budget after delegating it are compile errors rather than runtime hazards an operator must remember to avoid. The dollar cap is runtime arithmetic under an estimator assumption; the affine layer makes that arithmetic non-bypassable. On single-agent workloads a 4-line Python counter matches the crate at 0/30 overshoot, so the distinguishing value is non-bypassability under operator error in multi-agent delegation: the delegation-fanout race documented in 11 incidents is rejected by the borrow checker at compile time, while the same pattern under asyncio overshoots 30/30 and three disciplined alternatives overshoot 0/30. Across five runtimes, three providers, and a temperature-stratified live-API test (N = 160), the approach reports zero cap violations and zero false refusals, at operational parity with concurrent work. Static over-reservation is 4-6x (2.11x adaptive). Binary-level cap-soundness on the running binary is left open.
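The affine-ownership idea in the abstract, as an added sketch that is not the token-budgets crate or its API: the names `Budget`, `Exceeded`, `spend`, `delegate` and `fan_out` are hypothetical. A budget that is neither `Clone` nor `Copy` and whose spending methods take `self` by value cannot be aliased, spent twice, or used after delegation without a compile error.

```rust
// Added illustration; NOT the token-budgets crate API. All names are hypothetical.

/// Deliberately neither Clone nor Copy: a budget can be moved, never duplicated.
#[derive(Debug)]
pub struct Budget { remaining: u64 }

#[derive(Debug, PartialEq)]
pub struct Exceeded { pub requested: u64, pub remaining: u64 }

impl Budget {
    pub fn new(tokens: u64) -> Self { Budget { remaining: tokens } }
    pub fn remaining(&self) -> u64 { self.remaining }

    /// Consumes `self`; on refusal the untouched budget is handed back with the error.
    pub fn spend(self, tokens: u64) -> Result<Budget, (Budget, Exceeded)> {
        match self.remaining.checked_sub(tokens) {
            Some(left) => Ok(Budget { remaining: left }),
            None => {
                let e = Exceeded { requested: tokens, remaining: self.remaining };
                Err((self, e))
            }
        }
    }

    /// Carves a child budget out of the parent: returns (parent remainder, child).
    pub fn delegate(self, tokens: u64) -> Result<(Budget, Budget), (Budget, Exceeded)> {
        let rest = self.spend(tokens)?;
        Ok((rest, Budget { remaining: tokens }))
    }
}

/// Fan-out to up to `n` sub-agents; stops when the parent cannot fund another child.
pub fn fan_out(mut parent: Budget, per_child: u64, n: usize) -> (Budget, Vec<Budget>) {
    let mut children = Vec::new();
    for _ in 0..n {
        match parent.delegate(per_child) {
            Ok((rest, child)) => { parent = rest; children.push(child); }
            Err((rest, _)) => { parent = rest; break; }
        }
    }
    (parent, children)
}

// Rejected by the compiler, which is the point:
//   let b = Budget::new(100);
//   let _x = b.spend(60);
//   let _y = b.spend(60); // error[E0382]: use of moved value: `b`

fn main() {
    let (rest, children) = fan_out(Budget::new(100), 30, 5);
    println!("children={} parent_left={}", children.len(), rest.remaining());
}
```

Because each child is carved out of the parent by a move, the sum of child budgets plus the parent remainder always equals the original cap, whatever order the sub-agents later run in.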
