Server-side resource-consumption bounds — pagination, rate limits, retry caps, timeouts, token budgets, agentic-loop iteration caps, file-size limits.
The resource-bounds layer: is resource consumption bounded, metered, and controlled?
In scope. Missing pagination on list endpoints, unbounded query result sets, retry storms without backoff caps, timeout absence on outbound calls, missing LLM max_tokens / context-window caps, agentic-AI loop iteration budgets, file-upload size limits, webhook-handler idempotency, runaway background jobs, batch-operation bounds, cold-path resource amplification. Also covers energy / carbon consumption patterns — the mechanism (unbounded resource use) is the same regardless of whether the harm lands on dollars, latency, or externalities.
Not in scope. User-perceived slowness as the primary defect — that's performance. Denial-of-service via hostile input — that's injection-and-input-trust plus this taxon. Regulatory-mandated retention windows as the primary concern — that's regulatory-conformance.
Distinct because. The defect is that the meter runs unbounded, independent of whether a user notices. A pattern about "LLM call has no max_tokens" is cost-efficiency. A pattern about "slow query affecting p95 response time" is primarily performance.
Conceptual sub-structure. Input bounds (pagination, file size, query limits), retry / timeout discipline, inference-cost bounds (tokens, agent iterations), idempotency / dedup, resource budgeting.
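The sub-structure above, sketched as an added example that is not part of the original page: one bound each for input size, retry discipline, inference cost, and idempotency. All names and cap values are illustrative assumptions, and `step` stands in for a hypothetical model call.

```python
import time

class BudgetExceeded(Exception):
    """Raised when a caller would exceed a configured resource bound."""

MAX_PAGE_SIZE = 100  # assumed cap for list endpoints

def clamp_page_size(requested, default=25):
    """Input bound: the client never chooses an unbounded result set."""
    if requested is None:
        return default
    return max(1, min(int(requested), MAX_PAGE_SIZE))

def call_with_retries(fn, max_attempts=4, base_delay=0.1, max_delay=2.0,
                      deadline_s=5.0, sleep=time.sleep, clock=time.monotonic):
    """Retry discipline: capped attempts, capped backoff, overall deadline."""
    start = clock()
    for attempt in range(1, max_attempts + 1):
        try:
            return fn()
        except ConnectionError:
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            if attempt == max_attempts or clock() - start + delay > deadline_s:
                raise BudgetExceeded(f"gave up after {attempt} attempts")
            sleep(delay)

def run_agent(step, max_iterations=8, token_budget=4000, max_tokens_per_call=512):
    """Inference-cost bound; step(max_tokens) is hypothetical, returns (done, tokens_used)."""
    spent = 0
    for i in range(1, max_iterations + 1):
        remaining = token_budget - spent
        if remaining <= 0:
            raise BudgetExceeded(f"token budget spent after {i - 1} iterations")
        done, used = step(min(max_tokens_per_call, remaining))
        spent += used
        if done:
            return i, spent
    raise BudgetExceeded(f"iteration cap {max_iterations} reached")

_seen_deliveries = set()  # in production: a shared store with expiry, not process memory

def handle_webhook(delivery_id, process):
    """Idempotency: a redelivered event does not repeat the work."""
    if delivery_id in _seen_deliveries:
        return "duplicate"
    _seen_deliveries.add(delivery_id)
    process()
    return "processed"
```

Each function fails closed with `BudgetExceeded` rather than continuing to spend, so the caller decides what to do when a bound is hit.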