Add byte-seconds limit types for cumulative resource usage over time

Add 4 new limit types (ram-usage-bsec, disk-usage-bsec, ram-request-bsec,
disk-request-bsec) that track resource usage/reservation × time as
byte-seconds. Each enforcement tick accumulates the current source value,
and containers are killed via StopContainer when the limit is exceeded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: bartek szabat

README.md

@@ -16,6 +16,10 @@ Dynamic resource limit management for Docker containers. Set, monitor, and enfor
 | **Disk I/O bytes** | Cumulative bytes | cgroup `io.max` throttle |
 | **Disk I/O ops** | Cumulative operations | cgroup `io.max` throttle |
 | **Spending** | USD cents | HTTP proxy budget block |
+| **RAM usage B·s** | Byte-seconds (actual RAM × time) | Container kill |
+| **Disk usage B·s** | Byte-seconds (actual disk × time) | Container kill |
+| **RAM request B·s** | Byte-seconds (ddl RAM limit × time) | Container kill |
+| **Disk request B·s** | Byte-seconds (ddl disk limit × time) | Container kill |
 
 - **Per-container limits** — set, increase, or decrease any limit at any time
 - **Automatic enforcement** — daemon polls every second and applies/releases enforcement actions
@@ -107,6 +111,11 @@ ddl limits set <container> net 1g          # 1 GiB network transfer
 ddl limits set <container> disk-io-bytes 5g
 ddl limits set <container> disk-io-ops 1000000
 ddl limits set <container> spending 10.00  # $10.00 USD
+
+ddl limits set <container> ram-usage-bsec 100g    # 100 GB·s of RAM usage over time
+ddl limits set <container> disk-usage-bsec 500g   # 500 GB·s of disk usage over time
+ddl limits set <container> ram-request-bsec 1t    # 1 TB·s of RAM reservation over time
+ddl limits set <container> disk-request-bsec 1t   # 1 TB·s of disk reservation over time
 ```
 
 ### Adjust limits
@@ -217,6 +226,7 @@ Token usage is extracted from responses and costs are calculated using built-in
 |---|---|
 | CPU time | `3600s`, `60m`, `1h` |
 | Bytes (RAM, disk, network, I/O) | `1024`, `512k`, `256m`, `1g`, `1.5t` |
+| Byte-seconds (usage/request B·s) | `100g`, `1.5t` (same byte suffixes, displayed as e.g. `1.5G·s`) |
 | I/O operations | Plain integer |
 | Spending | `10.00` (USD, stored as cents) |
 

cmd/ddl/dashboard/app.js

@@ -19,7 +19,8 @@
     const offlineBanner = document.getElementById('offline-banner');
 
     // --- Value formatting (mirrors Go format.go) ---
-    const LIMIT_TYPES = ['cpu', 'ram', 'net', 'disk', 'disk-io-bytes', 'disk-io-ops', 'spending'];
+    const LIMIT_TYPES = ['cpu', 'ram', 'net', 'disk', 'disk-io-bytes', 'disk-io-ops', 'spending',
+        'ram-usage-bsec', 'disk-usage-bsec', 'ram-request-bsec', 'disk-request-bsec'];
 
     const LIMIT_LABELS = {
         'cpu': 'CPU',
@@ -28,9 +29,25 @@
         'net': 'Network',
         'disk-io-bytes': 'Disk I/O Bytes',
         'disk-io-ops': 'Disk I/O Ops',
-        'spending': 'Spending'
+        'spending': 'Spending',
+        'ram-usage-bsec': 'RAM Usage B·s',
+        'disk-usage-bsec': 'Disk Usage B·s',
+        'ram-request-bsec': 'RAM Request B·s',
+        'disk-request-bsec': 'Disk Request B·s'
     };
 
+    function formatByteSeconds(b) {
+        var TB = 1024 * 1024 * 1024 * 1024;
+        var GB = 1024 * 1024 * 1024;
+        var MB = 1024 * 1024;
+        var KB = 1024;
+        if (b >= TB) return (b / TB).toFixed(1) + 'T\u00b7s';
+        if (b >= GB) return (b / GB).toFixed(1) + 'G\u00b7s';
+        if (b >= MB) return (b / MB).toFixed(1) + 'M\u00b7s';
+        if (b >= KB) return (b / KB).toFixed(1) + 'K\u00b7s';
+        return b + 'B\u00b7s';
+    }
+
     function formatValue(type, v) {
         if (v === 0) return '-';
         switch (type) {
@@ -40,6 +57,11 @@
             case 'net':
             case 'disk-io-bytes':
                 return formatBytes(v);
+            case 'ram-usage-bsec':
+            case 'disk-usage-bsec':
+            case 'ram-request-bsec':
+            case 'disk-request-bsec':
+                return formatByteSeconds(v);
             case 'spending':
                 return '$' + (v / 100).toFixed(2);
             case 'disk-io-ops':
@@ -83,6 +105,11 @@
             case 'net':
             case 'disk-io-bytes':
                 return parseBytes(s);
+            case 'ram-usage-bsec':
+            case 'disk-usage-bsec':
+            case 'ram-request-bsec':
+            case 'disk-request-bsec':
+                return parseBytes(s);
             case 'disk-io-ops':
                 return parseInt(s, 10);
             case 'spending':

cmd/ddl/format.go

@@ -20,6 +20,9 @@ func parseValue(limitType, s string) (int64, error) {
 	case "ram", "disk", "net", "disk-io-bytes":
 		// Accept "512m", "1g", "100k" for bytes
 		return parseBytes(s)
+	case "ram-usage-bsec", "disk-usage-bsec", "ram-request-bsec", "disk-request-bsec":
+		// Same byte suffixes, unit is byte-seconds
+		return parseBytes(s)
 	case "disk-io-ops":
 		// Plain integer
 		return strconv.ParseInt(s, 10, 64)
@@ -110,6 +113,8 @@ func formatValue(limitType string, v int64) string {
 		return fmt.Sprintf("%ds", v)
 	case "ram", "disk", "net", "disk-io-bytes":
 		return formatBytesHuman(v)
+	case "ram-usage-bsec", "disk-usage-bsec", "ram-request-bsec", "disk-request-bsec":
+		return formatByteSeconds(v)
 	case "spending":
 		return fmt.Sprintf("$%.2f", float64(v)/100)
 	default:
@@ -138,6 +143,27 @@ func formatBytesHuman(b int64) string {
 	}
 }
 
+func formatByteSeconds(b int64) string {
+	const (
+		kb = 1024
+		mb = kb * 1024
+		gb = mb * 1024
+		tb = gb * 1024
+	)
+	switch {
+	case b >= tb:
+		return fmt.Sprintf("%.1fT·s", float64(b)/float64(tb))
+	case b >= gb:
+		return fmt.Sprintf("%.1fG·s", float64(b)/float64(gb))
+	case b >= mb:
+		return fmt.Sprintf("%.1fM·s", float64(b)/float64(mb))
+	case b >= kb:
+		return fmt.Sprintf("%.1fK·s", float64(b)/float64(kb))
+	default:
+		return fmt.Sprintf("%dB·s", b)
+	}
+}
+
 func getJSONFloat(m map[string]interface{}, key string) float64 {
 	if m == nil {
 		return 0
@@ -157,7 +183,8 @@ func getJSONFloat(m map[string]interface{}, key string) float64 {
 func printLimitsOrUsage(m map[string]interface{}, label string) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
 	fmt.Fprintf(w, "TYPE\t%s\n", strings.ToUpper(label))
-	types := []string{"cpu", "ram", "net", "disk", "disk-io-bytes", "disk-io-ops", "spending"}
+	types := []string{"cpu", "ram", "net", "disk", "disk-io-bytes", "disk-io-ops", "spending",
+		"ram-usage-bsec", "disk-usage-bsec", "ram-request-bsec", "disk-request-bsec"}
 	for _, t := range types {
 		v := int64(getJSONFloat(m, t))
 		fmt.Fprintf(w, "%s\t%s\n", t, formatValue(t, v))

internal/docker/docker.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"strings"
+	"time"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -25,6 +26,7 @@ type DockerClient interface {
 	DisconnectNetwork(ctx context.Context, id string) error
 	ReconnectNetwork(ctx context.Context, id string) error
 	ContainerIP(ctx context.Context, id string) (string, error)
+	StopContainer(ctx context.Context, id string) error
 }
 
 // Client wraps the Docker Engine API.
@@ -229,3 +231,9 @@ func (c *Client) ContainerIP(ctx context.Context, id string) (string, error) {
 	}
 	return "", fmt.Errorf("no IP address for container %s", id)
 }
+
+// StopContainer stops a running container (SIGTERM then SIGKILL after timeout).
+func (c *Client) StopContainer(ctx context.Context, id string) error {
+	timeout := 10 * time.Second
+	return c.cli.ContainerStop(ctx, id, &timeout)
+}

internal/enforcement/enforcement.go

@@ -146,14 +146,28 @@ func (m *Manager) checkAndEnforce(ctx context.Context, containerID, dockerID str
 			continue
 		}
 
-		usage, err := m.getCurrentUsage(ctx, containerID, dockerID, lt, cgroupPath, cgroupErr)
-		if err != nil {
-			continue
+		var usage int64
+		if isByteSecondType(lt) {
+			// Don't accumulate if already enforced (container killed)
+			m.mu.Lock()
+			wasEnforced := m.enforced[containerID][lt]
+			m.mu.Unlock()
+
+			if !wasEnforced {
+				source := m.getByteSecondSource(ctx, containerID, dockerID, lt, limits, cgroupPath, cgroupErr)
+				m.store.AddUsage(containerID, lt, source)
+			}
+			usage, _ = m.store.GetUsage(containerID, lt)
+		} else {
+			var err error
+			usage, err = m.getCurrentUsage(ctx, containerID, dockerID, lt, cgroupPath, cgroupErr)
+			if err != nil {
+				continue
+			}
+			// Persist usage to store
+			m.store.SetUsage(containerID, lt, usage)
 		}
 
-		// Persist usage to store
-		m.store.SetUsage(containerID, lt, usage)
-
 		exceeded := usage >= limit
 		m.mu.Lock()
 		wasEnforced := m.enforced[containerID][lt]
@@ -234,6 +248,44 @@ func (m *Manager) getCurrentUsage(ctx context.Context, containerID, dockerID str
 	}
 }
 
+// isByteSecondType returns true for cumulative byte-second limit types.
+func isByteSecondType(lt model.LimitType) bool {
+	switch lt {
+	case model.LimitRAMUsageBSec, model.LimitDiskUsageBSec,
+		model.LimitRAMRequestBSec, model.LimitDiskRequestBSec:
+		return true
+	}
+	return false
+}
+
+// getByteSecondSource returns the current source value to accumulate for a byte-second type.
+func (m *Manager) getByteSecondSource(ctx context.Context, containerID, dockerID string, lt model.LimitType, limits map[model.LimitType]int64, cgroupPath string, cgroupErr error) int64 {
+	switch lt {
+	case model.LimitRAMUsageBSec:
+		if cgroupErr != nil {
+			return 0
+		}
+		v, err := m.cgroup.MemoryCurrent(cgroupPath)
+		if err != nil {
+			return 0
+		}
+		return v
+	case model.LimitDiskUsageBSec:
+		v, err := m.docker.GetContainerDiskUsage(ctx, dockerID)
+		if err != nil {
+			return 0
+		}
+		return v
+	case model.LimitRAMRequestBSec:
+		v, _ := m.store.GetLimit(containerID, model.LimitRAM)
+		return v
+	case model.LimitDiskRequestBSec:
+		v, _ := m.store.GetLimit(containerID, model.LimitDisk)
+		return v
+	}
+	return 0
+}
+
 func (m *Manager) enforce(ctx context.Context, containerID, dockerID string, lt model.LimitType, cgroupPath string) {
 	var err error
 	switch lt {
@@ -279,6 +331,13 @@ func (m *Manager) enforce(ctx context.Context, containerID, dockerID string, lt
 	case model.LimitSpending:
 		// Spending enforcement is handled by the proxy itself
 		log.Printf("[enforcement] spending limit exceeded for %s", containerID)
+
+	case model.LimitRAMUsageBSec, model.LimitDiskUsageBSec,
+		model.LimitRAMRequestBSec, model.LimitDiskRequestBSec:
+		err = m.docker.StopContainer(ctx, dockerID)
+		if err == nil {
+			log.Printf("[enforcement] killed container %s: %s limit exceeded", containerID, lt)
+		}
 	}
 
 	if err != nil {
@@ -341,6 +400,12 @@ func (m *Manager) release(ctx context.Context, containerID, dockerID string, lt
 
 	case model.LimitSpending:
 		log.Printf("[enforcement] spending limit released for %s", containerID)
+
+	case model.LimitRAMUsageBSec, model.LimitDiskUsageBSec,
+		model.LimitRAMRequestBSec, model.LimitDiskRequestBSec:
+		// Container was killed; if user increased the limit and restarted
+		// the container, just clear the enforced flag (no Docker action needed).
+		log.Printf("[enforcement] %s limit released for %s (container may be restarted)", lt, containerID)
 	}
 
 	if err != nil {

internal/model/model.go

@@ -12,13 +12,19 @@ const (
 	LimitNetwork    LimitType = "net"         // cumulative network bytes
 	LimitDiskIOByte LimitType = "disk-io-bytes" // cumulative disk IO bytes
 	LimitDiskIOOps  LimitType = "disk-io-ops"   // cumulative disk IO operations
-	LimitSpending   LimitType = "spending"      // spending budget in cents (USD)
+	LimitSpending        LimitType = "spending"          // spending budget in cents (USD)
+	LimitRAMUsageBSec    LimitType = "ram-usage-bsec"    // cumulative RAM usage × time (byte-seconds)
+	LimitDiskUsageBSec   LimitType = "disk-usage-bsec"   // cumulative disk usage × time (byte-seconds)
+	LimitRAMRequestBSec  LimitType = "ram-request-bsec"  // cumulative RAM request × time (byte-seconds)
+	LimitDiskRequestBSec LimitType = "disk-request-bsec" // cumulative disk request × time (byte-seconds)
 )
 
 // AllLimitTypes lists every supported limit type.
 var AllLimitTypes = []LimitType{
 	LimitCPU, LimitRAM, LimitDisk, LimitNetwork,
 	LimitDiskIOByte, LimitDiskIOOps, LimitSpending,
+	LimitRAMUsageBSec, LimitDiskUsageBSec,
+	LimitRAMRequestBSec, LimitDiskRequestBSec,
 }
 
 // Container represents a managed container.

internal/model/model_test.go

@@ -4,13 +4,17 @@ import "testing"
 
 func TestAllLimitTypesCompleteness(t *testing.T) {
 	known := map[LimitType]bool{
-		LimitCPU:        true,
-		LimitRAM:        true,
-		LimitDisk:       true,
-		LimitNetwork:    true,
-		LimitDiskIOByte: true,
-		LimitDiskIOOps:  true,
-		LimitSpending:   true,
+		LimitCPU:             true,
+		LimitRAM:             true,
+		LimitDisk:            true,
+		LimitNetwork:         true,
+		LimitDiskIOByte:      true,
+		LimitDiskIOOps:       true,
+		LimitSpending:        true,
+		LimitRAMUsageBSec:    true,
+		LimitDiskUsageBSec:   true,
+		LimitRAMRequestBSec:  true,
+		LimitDiskRequestBSec: true,
 	}
 
 	if len(AllLimitTypes) != len(known) {
@@ -36,6 +40,10 @@ func TestLimitTypeStringValues(t *testing.T) {
 		{LimitDiskIOByte, "disk-io-bytes"},
 		{LimitDiskIOOps, "disk-io-ops"},
 		{LimitSpending, "spending"},
+		{LimitRAMUsageBSec, "ram-usage-bsec"},
+		{LimitDiskUsageBSec, "disk-usage-bsec"},
+		{LimitRAMRequestBSec, "ram-request-bsec"},
+		{LimitDiskRequestBSec, "disk-request-bsec"},
 	}
 
 	for _, tc := range tests {

internal/testutil/mocks.go

@@ -181,6 +181,7 @@ type MockDocker struct {
 	Containers     map[string]*MockContainerState
 	ClonedFrom     []string // track clone calls
 	CloneIDCounter int
+	StoppedContainers []string // track StopContainer calls
 }
 
 type MockContainerState struct {
@@ -353,6 +354,18 @@ func (d *MockDocker) ContainerIP(ctx context.Context, id string) (string, error)
 	return state.IP, nil
 }
 
+func (d *MockDocker) StopContainer(ctx context.Context, id string) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	state, ok := d.Containers[id]
+	if !ok {
+		return fmt.Errorf("container %s not found", id)
+	}
+	state.Running = false
+	d.StoppedContainers = append(d.StoppedContainers, id)
+	return nil
+}
+
 func (d *MockDocker) SetContainerIP(id, ip string) {
 	d.mu.Lock()
 	defer d.mu.Unlock()