「无人工接管」不是一句宣传语,而是评审闸门、字符串白名单、审计留痕与 CI 门禁层层落实的工程事实。每一条消息发出前都被同一套规则检查;每一次决策、调用、发送都留痕;每一次代码提交都被门禁扫描。
"No human handoff" is not a slogan — it is an engineering fact enforced by review gates, string allowlists, audit trails and CI guards. Every message is checked by one rule set before it sends; every decision, call and send is recorded; every commit is scanned at the gate.
这是产品定位的最高约束。AI 遇到超出自身职权的事,会向幕后决策源(领导)请示、拿回结论,再用自己的口吻向客户转述——对话始终是 AI 在说,客户从不被「转接给人工」。
This is the product's highest constraint. When something exceeds its mandate, the AI consults the behind-the-scenes principal, gets a verdict, and relays it to the customer in its own voice — the conversation is always the AI speaking, the customer is never "handed off to a human."
无论问题简单还是棘手,客户收到的永远是同一个 AI 的口吻与人格,没有「正在为您转接」、没有突然换人。等待期间的占位回复也不含任何转接类措辞。
Simple or thorny, the customer always meets the same AI voice and persona — no "transferring you now," no sudden human. Even the holding reply contains no handoff wording.
超出职权的事项进入请示通道,由真人决策源拍板。结论回到 AI 手里,AI 再以第一人称转述给客户。决策源在幕后,客户看不到、也不与之对话。
Out-of-mandate matters enter the escalation channel where a human principal decides. The verdict returns to the AI, which relays it first-person to the customer. The principal stays backstage — unseen, never in the chat.
仅当账号显式开启「辅助模式」、且 AI 判定客户契合引荐条件时,AI 才主动把真人顾问的名片推给客户。这仍是 AI 发起的动作,全自治模式(默认)下「只跟 AI 对话」一字不动。
Only when an account opts into "assist mode" and the AI judges the customer fits referral conditions does it proactively push a human advisor's card. Still an AI-initiated action; the default autonomous mode's "only talk to AI" stays untouched.
当一条消息没能发出,系统记录的状态名是 AI 内部语义,而不是「转人工」。这些字符串是闭集白名单,写入未知状态会在数据库层被拒。
When a message can't send, the recorded status is AI-internal semantics, never "to a human." These strings are a closed allowlist; unknown values are rejected at the DB write site.
held_by_ai_policyAI 策略主动暂缓AI policy hold
blocked_by_safety_guard安全门拦截Safety-guard block
ai_waiting_for_more_contextAI 等待更多上下文Awaiting more context
独立评审 Agent 会对回复打分。两类指标超标直接拦截、不送出;三类指标先触发一次改写,改写后仍不达标才落 hold。阈值是行业画像可覆盖的配置,下方为默认销售画像的取值。
An independent review agent scores each reply. Two metrics block outright; three trigger a single rewrite first, and only block if still failing after. Thresholds are profile-overridable; below are the default sales-profile values.
幻觉 / 事实风险评分达到 6 即拦截,不给改写机会,杜绝 AI 编造事实发出去。
A hallucination/fact-risk score of 6 blocks immediately — no rewrite — so the AI never sends fabricated facts.
含产品声明的发送,准确性低于 7 直接拦截;产品声明还必须有已验证知识支撑(见下一节)。
Product-claim sends below 7 are blocked; product claims must also be backed by verified knowledge (next section).
读起来不像真人在说话,先自动重写一次,让语气更自然。
If it doesn't read like a real person, rewrite once for a more natural tone.
缺乏情感价值、过于机械时,先重写一次补足温度。
Too mechanical or low on warmth — rewrite once to add it back.
话术给客户的压力过大时,先重写一次降低逼单感;改写后仍超标才拦下。
If the wording pressures the customer too hard, rewrite once to ease it; only block if still failing.
评审通过的判定是「全闸通过才放行」。改写只发生一次,避免无限循环;改写后仍不达标的发送落入 hold 或 block,状态用前述 AI 内部语义记录。
A reply ships only when all gates pass. Rewrite happens at most once to avoid loops; still-failing sends fall into hold or block, recorded with the AI-internal statuses above.
AI 不能凭印象谈价格、谈功效、谈政策。任何产品声明都要能在知识库的已验证切片里找到依据,否则这条发送被直接拦截,状态记为未验证产品声明。
The AI can't talk price, efficacy or policy from memory. Any product claim must trace to a verified slice in the knowledge base, or the send is blocked outright.
产品声明若在 operation_knowledge_chunks 中找不到已验证支撑,且不是来自产品目录的报价,发送被拦下。
If a product claim has no verified backing in operation_knowledge_chunks and isn't a catalog-priced quote, the send is blocked.
所有新摄入的知识——RSS、网页、PDF、图像识别——一律落 draft + 待核验状态,由人确认后才能成为发送依据。这条红线在每个摄入入口都成立。
All newly ingested knowledge — RSS, HTML, PDF, vision — lands as draft + needs-review, usable only after a human confirms. This holds at every ingestion entry.
对客户的认知不是一锅炖。系统把信息按可信度物理分成三层:人类录入的标签 AI 绝对碰不到、坚信不疑;AI 确信的判断必须挂着消息证据;AI 自己逐轮猜测的信号只进观测台账,永远不允许驱动任何决策。这不是靠提示词自律,是写进代码、有契约测试守护的硬约束。
Knowledge about a customer isn't one big soup. The system physically splits it into three tiers by trustworthiness: human-entered tags the AI can never touch and trusts absolutely; AI-confirmed judgments that must carry message evidence; and the AI's per-turn guesses, which only enter an observation ledger and are never allowed to drive any decision. This isn't prompt self-discipline — it's a hard constraint in code, guarded by contract tests.
运营手动录入的标签。AI 的所有写路径都触达不到这个字段——压缩归并、重新判断,统统绕开它。这是人类对客户的判断,AI 坚信不疑、原样带进决策,永远不会被 AI 覆盖或"优化"。
Tags an operator enters by hand. None of the AI's write paths can reach this field — consolidation and re-judgment all bypass it. This is the human's read on the customer: the AI trusts it unconditionally, carries it verbatim into decisions, and can never overwrite or "optimize" it.
AI 经过压缩重判或强证据快通道确信的标签。每一条都必须挂着具体的消息证据——找不到能锚定的原始消息,这条标签直接丢弃。它会进决策,但门槛是"拿得出依据",而不是 AI 随口一说。
Tags the AI is confident in, via consolidation re-judgment or a strong-evidence fast path. Each must carry concrete message evidence — if no anchoring source message is found, the tag is discarded. It feeds decisions, but the bar is "can show its receipts," not the AI's say-so.
AI 逐轮的猜测与人格画像——证据还不够硬、置信还不够高的判断。它们只写进观测台账,是给运营看走势的辅助工具。铁律是:永不进入任何 planner 过滤、状态机、选材或触达门。代码里有一条专门的契约测试守着这条线,防止哪天有人手滑让它驱动行为。
The AI's per-turn guesses and personality profile — judgments whose evidence isn't hard enough or confidence high enough. They only enter an observation ledger, an aid for operators to watch trends. The iron rule: they never enter any planner filter, state machine, selection or outreach gate. A dedicated contract test in the code guards this line, so no one can accidentally let them drive behavior.
人类权威层与 AI 确信层在存储上物理分家,写在不同字段。AI 的压缩重判只能 replace 自己那层,对 manual_tags 连写权限都没有。
The human-authority and AI-confirmed tiers are physically separated into different fields. The AI's re-judgment can only replace its own tier — it holds no write access to manual_tags at all.
贝叶斯信号、人格画像这类 AI 自评,写进台账供观察,但永不接入任何决策路径。bayesian_and_personality_do_not_affect_planner_filters 测试守着这条不变量。
AI self-assessments like Bayesian signals and personality profiles are logged for observation but never wired into any decision path. The test bayesian_and_personality_do_not_affect_planner_filters guards this invariant.
系统不是黑箱。从模型调用到最终发送,四类留痕构成完整审计链,配上幂等键防重发、异常降级而非崩溃。出了问题能复盘到具体哪一步。
Not a black box. From model call to final send, four trails form a complete audit chain — with idempotency keys against double-sends and graceful degradation instead of crashes.
每一次 Agent 运行的完整信封:触发来源、决策、评审、所用提示词版本与最终结果。
The full envelope of each agent run: trigger, decision, review, prompt versions used and final outcome.
每次模型调用留痕,状态四态可分:success / cache_hit / failed / json_error,并累计 token 用量。
Every model call recorded across four states: success / cache_hit / failed / json_error, with token usage tallied.
关键动作落审计事件,例如非法状态跃迁会发 agent.operation_state_transition_rejected,带前后状态详情。
Key actions emit audit events — e.g. an illegal state transition emits agent.operation_state_transition_rejected with before/after detail.
批准的发送先落 outbox、带幂等键 idempotency_key,再调 MCP 发送;客户拒绝或冷却会取消待发条目,杜绝重发。
Approved sends hit the outbox with an idempotency_key before the MCP call; rejection or cooldown cancels pending entries — no double-sends.
消息已发出后若状态机判定跃迁非法,不回滚已发送内容——跳过 operation_state 写入、保留旧状态,并发审计事件留痕。
If the state machine rejects a transition after a message is already sent, it doesn't roll back the send — it skips the operation_state write, keeps the old state, and emits an audit event.
每次运行有 token 与调用预算(默认 30000 token / 6 次模型调用)。超限走本地降级(如本地评审、跳过改写),绝不把 5xx 抛给 Webhook 调用方。
Each run has a token and call budget (default 30000 tokens / 6 model calls). Exceeding it triggers local fallback (local review, skip rewrite) — never a 5xx to the webhook caller.
多租户与多微信号下,数据边界靠两把键守住。敏感查询一律带上归属键,从不信任请求体传入的边界字段,杜绝越权访问。
Across tenants and WeChat accounts, two keys guard the data boundary. Sensitive queries always carry the ownership key and never trust a boundary field from the request body — closing off cross-boundary access.
联系人、产品、名片等查询按 _id + workspace_id 双条件过滤;workspace 锁定在服务端解析,不接受请求体传入,从源头堵住跨租户越权(IDOR)。
Contacts, products and cards are filtered by _id + workspace_id; the workspace is resolved server-side, never from the request body — closing IDOR at the source.
单个微信号的态势独立:审计事件、调用日志、当日发送软上限都按 account_id 归集与限流,多账号互不串扰。
Each WeChat account stands alone: audit events, call logs and the daily send soft-cap are all keyed and throttled by account_id — no cross-account bleed.
红线不只写在文档里,还固化成两道合并门禁:一道在字符串层面守住「无人工接管」措辞,一道守住测试基线不退化。任一不过,合并被拒。
Red lines aren't just docs — they're two merge gates: one guards the "no handoff" wording at the string level, one keeps the test baseline from regressing. Fail either, and the merge is rejected.
扫描 src/agent / src/routes / src/evolution / frontend/src 新增代码行,命中「接管 / takeover / hand-off / 人工」等禁用词即失败。强制使用 AI 自治措辞,不留侥幸。
Scans newly added lines under src/agent / src/routes / src/evolution / frontend/src; any forbidden word (takeover / hand-off / 人工 …) fails the build. Autonomous wording is mandatory.
单元测试 cargo test --lib 须 ≥ 350 通过、0 失败;四个属性测试文件累计须 ≥ 33 通过、0 失败。新工作只能加测试,不能拉低基线。
Unit tests cargo test --lib must pass ≥ 350 with 0 failures; four property-test files must cumulatively pass ≥ 33 with 0 failures. New work adds tests — never lowers the bar.
约束越清晰,自治越敢放手。看看这套规则如何落在统一网关与自我演化的工程实现里。
The clearer the constraints, the bolder the autonomy. See how these rules land in the gateway and the self-evolution engine.