Agent Operations Retrospective (4/7) — Token Guard Hook: Pre-Call Blocking

What This Post Covers

Post-hoc aggregation alone cannot stop token runaway in LLM agents. The numbers in the log after a runaway are accurate — but by that point the cost has already been incurred. This post documents the structure built on top of Hermes's plugin system that intercepts at tool_pre_call, immediately before execution, and blocks the call. Three topics are covered:

  1. The 3-tier threshold design based on repetition factor, and the rationale behind each number
  2. The hook system's event model and where Token Guard registers
  3. The roles of two additional hooks layered on the same system (schema dedup, delegation tracker)

The threshold numbers are operational hypotheses, not empirically validated values. That fact is stated explicitly throughout.

Why Post-Hoc Measurement Is Not Enough

One incident observed in Hermes v0.8.0: 5 inputs expanded to 111 tool calls, reaching 6.5M cumulative tokens. Expressed as a repetition factor relative to input, that is 42.79× — one request amplified to an average of forty-two times its original size.

The problem is when detection occurs. These numbers came from log aggregation after the session ended. The measurement was accurate, but by the time it was complete, the tokens were already spent. Post-hoc metrics cannot stop runaway. What is required is an intercept point immediately before execution. Token Guard is the plugin built to fulfill that requirement.

Token Guard Design — 3-Tier Threshold Based on Repetition Factor

A single cutoff blocks legitimate workloads; a threshold too loose is no different from post-hoc measurement. Token Guard divides the response into three tiers. All thresholds are based on the repetition factor (cumulative tool-call tokens ÷ input tokens).

  • T1 (15×) — Warning: Mark in log and notify main orchestrator. No blocking.
  • T2 (25×) — Block same-tool re-calls: Reject repeat calls to the same tool only. Calls to other tools pass through. Runaway episodes tend to originate from the pattern of repeatedly invoking the same tool.
  • T3 (40×) — Force session termination: Close the session entirely.

Rationale for Each Threshold Number

All three numbers are operational hypotheses — they are not empirically validated values. Two observations informed the decisions.

  • T2 (25×) rationale: The incident was detected at 42.79×, with a cumulative total of 6.5M tokens. Blocking at 25× would, by simple arithmetic, stop the runaway at roughly half that volume.
  • T1 (15×) rationale: Normal operating repetition factor was observed at 13.82×. T1 sits just above this baseline — capturing the band of "still normal, but anomaly signal possible."
  • T3 (40×) rationale: Slightly below the incident value of 42.79×. Terminates before the incident pattern can fully replay.

After the 7-day Phase 0 observation window, the thresholds are subject to re-calibration. The normal workload distribution and T1/T2 trigger frequency from that window will inform revised numbers.

Hook System — Event Model and Registration Point

Token Guard is not a standalone module — it operates on top of Hermes's plugin system. The plugin system is hook-based: register a callback on a defined event, and the runtime invokes it at that point.

Four events are currently exposed:

  • tool_pre_call — immediately before a tool call
  • tool_post_call — immediately after a tool call
  • session_init — on session start
  • session_end — on session end

Token Guard registers on tool_pre_call. Blocking only takes effect if the intercept happens before the tool actually executes. The callback performs two operations before each call:

  1. Read the current session's cumulative tool-call tokens and input tokens, and compute the repetition factor
  2. Evaluate the tier of the computed value; if T2 or T3, reject the call

tool_post_call is used for measurement updates: after a call completes, it updates the cumulative token count so the next tool_pre_call evaluation reflects the latest state. Implementation details — function signatures, how a rejection signal is propagated — are separated into a dedicated document. This post covers "where it intercepts and what it blocks".

Measurements — Normal Operating Value 13.82× / Just Below T1 at 15×

The most critical validation question is whether the thresholds block normal workloads. If too tight, routine tasks are interrupted and the system becomes non-functional.

First measurement day observations:

  • Repetition factor: 13.82×
  • T1 threshold: 15×

The normal operating band sits just below T1. No warning triggered; no blocking triggered. However, a single data point cannot be generalized. Re-evaluation after the 7-day distribution observation is required.

T2 (25×) and T3 (40×) have zero trigger events to date. This admits two interpretations: (1) runaway has not recurred under current operations; (2) the effectiveness of the thresholds is not yet verified. A threshold that has never fired is not a validated threshold.

Other Plugins on the Same Hook System

Two additional hooks are registered on the same plugin system alongside Token Guard.

Schema dedup — blocks repeated transmission of tool schemas within a session. When tool definitions are passed to the LLM, resending the same schema on every call accumulates input tokens in its own right. A schema transmitted once is cached; it is not retransmitted unless it changes. This hook operates by reducing input tokens directly, not by post-hoc token savings.

Delegation tracker — tracks the rate at which the main orchestrator delegates to sub-agents. If the pattern of the main agent handling heavy tasks directly (declining delegation rate) is detected, it is flagged. If the main agent is a high-option model (opus-class), direct handling of simple tasks is cost-inefficient. This hook only observes — it does not block.

All three hooks are active simply by registering on the plugin system. The architectural reason for leaving hook slots open is precisely this extensibility.

Limitations and Scope of Applicability

Two claims can be made with confidence:

  1. An intercept point (tool_pre_call) immediately before execution has been secured — filling the gap that post-hoc measurement could not cover.
  2. The first-measurement-day normal operating value (13.82×) is positioned just below T1 (15×).

More remains that cannot be claimed.

  • T1/T2/T3 thresholds are all operational hypotheses. Not empirically validated. Re-calibration scheduled after Phase 0 7-day observation.
  • No T2/T3 trigger events to date. Runaway blocking capability has not yet been demonstrated.
  • Single-user environment only. Whether the same thresholds are appropriate for other environments requires separate validation.

Transferable Pattern — The Same Question for Other Metrics

The extractable pattern from this design is the shift from "post-hoc measurement" to "pre-call blocking." The same question applies to other metrics:

  • Are there metrics currently viewed only in post-hoc fashion?
  • Is there an intercept point available immediately before a call, or at session start?
  • Are there metrics where marking alone — without blocking — delivers meaningful signal?

Schema dedup and delegation tracker both originated from that same question. Whether the choice is blocking or observation, securing "a place to intercept" determines the degrees of freedom available for subsequent policy decisions. Threshold re-calibration results and trigger-event distribution after the 7-day observation window will be documented separately.

Open Questions

  • What alternative metrics can identify runaway earlier, beyond repetition factor? (Examples: consecutive same-tool call count, session duration relative to input)
  • Is workload classification at session_init — enabling preemptive blocking rather than reactive blocking — feasible?
  • In a multi-user environment, should thresholds be separated per user/workload, or is a single global threshold sufficient?

Series overview: Series index

๋Œ“๊ธ€

๋Œ“๊ธ€ ์“ฐ๊ธฐ

์ด ๋ธ”๋กœ๊ทธ์˜ ์ธ๊ธฐ ๊ฒŒ์‹œ๋ฌผ

Agent Memory Engine (2/10) — Building an AI Agent Memory System with SQLite Alone

← 1/10 SQLite Memory Engine f… ๐Ÿ“š Series Index 3/10 memcore Completed → A memory engine that runs without daemons, without dependencies, anywhere ํ•ต์‹ฌ ์š”์•ฝ This post covers how to design an AI agent memory engine (memcore) on a single-file SQLite backend. - Structure: 25 modules, ~6,464 lines, 22 DB tables - Principles: no daemon, single-file portability, no required external dependencies, host-agnostic - Core techniques: 4-layer hybrid search (topic · vector · FTS5 · LIKE), U-tag dialectic-based confidence evolution, ingestion-layer bias rejection rules What This Post Covers One approach to building AI agent memory without a server or cloud vector DB. Specifically: (1) the limitations of text-file-based memory, (2) vector DB alternatives compared and selection criteria, (3) how to layer search tiers, (4) how to evolve confidence scores over time, and (5) how to block biased memory accumulation at the ingestion stage. Design Principles: Why Single-File SQLite Text-file-based ...
Read more »

"ML Foundations (9/9) — PyTorch vs TensorFlow, and the Road to Local LLMs"

์ด๋ฏธ์ง€
← 8/9 Deep Learning Architec… ๐Ÿ“š Series Index (series end) The final part. So far we've focused on models. Now we focus on the tools that actually run them . We'll lay out the philosophical difference between PyTorch and TensorFlow, and trace how Hugging Face transformers , llama.cpp , MLX , and Ollama built the bridge to running large language models on your own machine. By the end you should have the full mental model of "download a pretrained LLM and serve it locally." 0. Learning Objectives Explain the eager-vs-graph difference between PyTorch and TensorFlow. Explain, in graph terms, how autograd automates the backward pass. Use Hugging Face transformers ' AutoModel , AutoTokenizer , and pipeline abstractions. Describe llama.cpp's GGUF quantization, INT4 inference, and CPU-first flow. Describe Apple MLX's use of unified memory and how it differs from PyTorch. Run a local LLM with Ollama and call it through an OpenAI-compatible API. ...
Read more »

"RAG Core Study (14/26) — Evaluation Sets with RAGAS & DeepEval"

์ด๋ฏธ์ง€
Series overview: Series index ๐Ÿ“š Series Index Without an evaluation set, every RAG improvement is a story, not evidence. RAG systems fail in more than one place: retrieval, context selection, answer generation, and grounding. That means "looks better" is not a metric. Part 14 explains how to build a golden dataset , how RAGAS and DeepEval fit into the workflow, and why teams must separate retrieval quality from answer quality if they want tuning decisions to hold up. 0. Prerequisites Part 13 reranking — system quality now depends on multi-stage ranking. Part 1 grounding — a correct-looking answer is not enough. Part 12 Hybrid — multiple retrieval settings need comparison on fixed data. 1. Learning Objectives Build a small but useful golden dataset for RAG. Distinguish retrieval metrics from answer metrics . Use RAGAS and DeepEval in the right roles. Avoid the common traps in judge-model-based evaluation. 2. ํ•ต์‹ฌ ์š”์•ฝ An evaluation set for RAG is ...
Read more »

"ML Foundations (8/9) — Deep Learning Architectures: CNN, RNN, Attention"

์ด๋ฏธ์ง€
← 7/9 Deep Learning Training ๐Ÿ“š Series Index 9/9 PyTorch vs TensorFlow → What did we keep adding on top of an MLP? Vision went CNN, sequences went RNN/LSTM, and eventually both converged on Attention and the Transformer. Each architecture is easier to remember if you read it as what it gave up to gain something else . This part is the one-line summary of the decisive inflection points: LeNet → AlexNet → ResNet → LSTM → Attention → Transformer. 0. Learning Objectives Explain why CNN's convolution, pooling, and weight sharing match images so well. Trace what got unblocked from LeNet → AlexNet → VGG → ResNet as depth grew. State BPTT for RNNs and the vanishing/exploding gradient problem. Write the LSTM gate equations (forget, input, output) with intuition. Write the attention formula in query/key/value form and the scaled dot-product variant. State the precise reasons Transformers replaced RNNs (parallelism + long-range dependencies). 1. ํ•ต์‹ฌ ์š”์•ฝ CNN : weight sharin...
Read more »

"ML Foundations (7/9) — Deep Learning Training: Optimizers, Regularization, Initialization"

← 6/9 Neural Networks ๐Ÿ“š Series Index 8/9 Deep Learning Architec… → Building an MLP, as we did in Part 6, is not the same as getting it to train well . The right optimizer, regularization, initialization, and learning rate — when these line up, deep networks converge. When they don't, the network refuses to learn at all. This part is the catalog of those crafts, with formulas, paper citations, and code in one place. 0. Learning Objectives Compare and write the update rules for SGD, Momentum, Nesterov, and Adam. Explain how Dropout, BatchNorm, and LayerNorm work and where they belong in a model. Derive the variance formulas for Xavier and He initialization and match them to activations. Implement step, cosine, and warmup learning-rate schedules in PyTorch. Explain why gradient clipping is effectively required for RNNs and Transformers. Diagnose the most common training failures (NaN, plateau, overfitting) and apply first-line fixes. 1. ํ•ต์‹ฌ ์š”์•ฝ SGD : \(w \leftarro...
Read more »

OpenClaw to Hermes Migration (2/13) — What to Preserve, Partially Port, or Discard

← 1/13 Current Structure Inve… ๐Ÿ“š Series Index 3/13 What Moves to Hermes → A code review record classifying operational scripts into three tiers: preserve, partial-preserve, and discard. What This Post Covers An asset classification framework (preserve / partial-preserve / discard) for migrating a legacy agent system to a successor A concrete case applying the Strangler Fig + Subset Migration strategy to a memory pipeline Classification results evaluated across LOC, external dependencies, and replaceability axes A method for slimming down a bloated single file (1,310 LOC) using the migration as a natural entry point Problem Definition: Port Everything or Cut Deep? The OpenClaw inventory comprises multiple agents, multiple scheduler/daemon processes, and multiple operational scripts. When moving to the successor system, Hermes, the choice is not binary. A full port carries accumulated technical debt along with it; a minimal port discards hard-won domain logic. Code-revie...
Read more »

AI Agents I Built (5/7) — Building an Automated Blogger API Publishing System

← 4/7 My Life Organizer Agent ๐Ÿ“š Series Index 6/7 Dual → Designing a Markdown-Based Auto-Publish Pipeline with Blogger API v3 + OAuth 2.0 Key Summary Blogger API v3 + OAuth 2.0 enables a pipeline that converts Markdown files into publishable HTML posts blogger_publish.py handles the full flow — frontmatter parsing → body cleanup → HTML conversion → CSS injection → API post — in a single script For bulk publishing, quota management (delay, retry, TOC suppression) is the critical design concern Platform Selection Criteria API access is mandatory for AI agent-driven content publishing. A comparison of platforms: Platform API Cost AdSense Decision WordPress.com REST API Paid plan required Paid only Cost overhead Ghost REST API Self-hosted or paid Manual setup Ops overhead Blogger v3 API Free Native integration Adopted Blogger is free, exposes a REST API, and integrates natively with AdSense. For personal blog automation, this combination i...
Read more »