azerozero · Destynova2 · Apr 28, 2026
diff --git a/src/cli/config/security.rs b/src/cli/config/security.rs
@@ -60,6 +60,18 @@ pub struct SecurityConfig {
     /// Persist scores across restarts (default false)
     #[serde(default)]
     pub scoring_persist: bool,
+    /// Tool-call spike: warn threshold per session per minute.
+    ///
+    /// Crossing this threshold logs a warning + emits a metric, but
+    /// does not reject the request. Set to `0` to disable warnings.
+    #[serde(default = "default_tool_spike_warn_per_min")]
+    pub tool_spike_warn_per_min: u32,
+    /// Tool-call spike: block threshold per session per minute.
+    ///
+    /// Crossing this threshold returns HTTP 429, writes an audit
+    /// entry, and emits a metric. Set to `0` to disable blocking.
+    #[serde(default = "default_tool_spike_block_per_min")]
+    pub tool_spike_block_per_min: u32,
 }
 
 impl Default for SecurityConfig {
@@ -82,6 +94,8 @@ impl Default for SecurityConfig {
             scoring_window_size: default_scoring_window_size(),
             scoring_decay_rate: default_scoring_decay_rate(),
             scoring_persist: false,
+            tool_spike_warn_per_min: default_tool_spike_warn_per_min(),
+            tool_spike_block_per_min: default_tool_spike_block_per_min(),
         }
     }
 }
@@ -123,6 +137,20 @@ fn default_scoring_decay_rate() -> f64 {
     0.001
 }
 
+// NOTE: 100 tool calls/min/session is roughly the upper bound for a busy
+// build run (Claude Code reading ~2 files/sec while exploring a tree).
+// Above this we want a paper trail; we still allow the request through.
+fn default_tool_spike_warn_per_min() -> u32 {
+    100
+}
+
+// NOTE: 500 tool calls/min/session is firmly anomalous — equivalent to
+// >8/sec sustained, which only a runaway loop produces. Blocks the
+// dispatch and emits a signed audit entry.
+fn default_tool_spike_block_per_min() -> u32 {
+    500
+}
+
 /// EU AI Act compliance configuration
 #[derive(Debug, Clone, Deserialize, Serialize, Default)]
 pub struct ComplianceConfig {

diff --git a/src/security/audit_log.rs b/src/security/audit_log.rs
@@ -86,6 +86,8 @@ pub enum AuditEvent {
     HitApproval,
     /// TEE attestation report generated at startup.
     TeeAttestation,
+    /// Tool-call spike anomaly blocked (T-AD1).
+    ToolSpikeBlocked,
 }
 
 /// Immutable audit log entry.

diff --git a/src/security/mod.rs b/src/security/mod.rs
@@ -12,6 +12,7 @@ pub mod provider_scorer;
 pub mod rate_limit;
 pub mod risk;
 pub mod tee;
+pub mod tool_spike;
 
 // Re-exports used by server/mod.rs and other modules
 pub use audit_log::AuditLog;
@@ -20,3 +21,4 @@ pub use fips::FipsStatus;
 pub use headers::{apply_security_headers, SecurityHeadersConfig};
 pub use rate_limit::{RateLimitConfig, RateLimitKey, RateLimiter};
 pub use tee::TeeStatus;
+pub use tool_spike::{SpikeAction, ToolSpikeConfig, ToolSpikeDetector};