首页Home 解决什么Solutions 产品能力Product 智能体编队Agents 技术架构Technology 工程深度Engineering 自我演化Self-evolution 行业场景Scenarios 运营透视Observability 信任与安全Trust
信任与安全 · 红线写进代码Trust & Safety · Red lines compiled in

把承诺,写成代码里的硬约束

Turn promises into hard constraints in code

「无人工接管」不是一句宣传语,而是评审闸门、字符串白名单、审计留痕与 CI 门禁层层落实的工程事实。每一条消息发出前都被同一套规则检查;每一次决策、调用、发送都留痕;每一次代码提交都被门禁扫描。

"No human handoff" is not a slogan — it is an engineering fact enforced by review gates, string allowlists, audit trails and CI guards. Every message is checked by one rule set before it sends; every decision, call and send is recorded; every commit is scanned at the gate.

5 道发送闸门5 send gates 4 类执行留痕4 audit trails 2 道 CI 门禁2 CI guards
第一红线 · 无人工接管Red line 01 · No human handoff

客户永远只跟 AI 对话,
从不直接面对真人

Customers only ever talk to the AI —
never directly to a human

这是产品定位的最高约束。AI 遇到超出自身职权的事,会向幕后决策源(领导)请示、拿回结论,再用自己的口吻向客户转述——对话始终是 AI 在说,客户从不被「转接给人工」。

This is the product's highest constraint. When something exceeds its mandate, the AI consults the behind-the-scenes principal, gets a verdict, and relays it to the customer in its own voice — the conversation is always the AI speaking, the customer is never "handed off to a human."

客户侧:始终面对同一个 AI

Customer side: always the same AI

无论问题简单还是棘手,客户收到的永远是同一个 AI 的口吻与人格,没有「正在为您转接」、没有突然换人。等待期间的占位回复也不含任何转接类措辞。

Simple or thorny, the customer always meets the same AI voice and persona — no "transferring you now," no sudden human. Even the holding reply contains no handoff wording.

占位回复:「这个我帮你确认一下,稍等我给你准信。」
Holding reply: "Let me confirm this for you — back shortly with a definite answer."

幕后:AI 向领导请示,拿回结论

Behind the scenes: AI consults, gets a verdict

超出职权的事项进入请示通道,由真人决策源拍板。结论回到 AI 手里,AI 再以第一人称转述给客户。决策源在幕后,客户看不到、也不与之对话。

Out-of-mandate matters enter the escalation channel where a human principal decides. The verdict returns to the AI, which relays it first-person to the customer. The principal stays backstage — unseen, never in the chat.

relay_principal_decision_to_customer()
受控例外 · 默认关闭Controlled exception · off by default

辅助模式:AI 主动递上真人名片

Assist mode: AI hands over a human card

仅当账号显式开启「辅助模式」、且 AI 判定客户契合引荐条件时,AI 才主动把真人顾问的名片推给客户。这仍是 AI 发起的动作,全自治模式(默认)下「只跟 AI 对话」一字不动。

Only when an account opts into "assist mode" and the AI judges the customer fits referral conditions does it proactively push a human advisor's card. Still an AI-initiated action; the default autonomous mode's "only talk to AI" stays untouched.

台前顾问 ≠ 幕后决策源(两者解耦)
Front-stage advisor ≠ behind-scenes principal

连「暂缓」都用 AI 自治的措辞

Even "hold" uses autonomous wording

当一条消息没能发出,系统记录的状态名是 AI 内部语义,而不是「转人工」。这些字符串是闭集白名单,写入未知状态会在数据库层被拒。

When a message can't send, the recorded status is AI-internal semantics, never "to a human." These strings are a closed allowlist; unknown values are rejected at the DB write site.

held_by_ai_policyAI 策略主动暂缓AI policy hold blocked_by_safety_guard安全门拦截Safety-guard block ai_waiting_for_more_contextAI 等待更多上下文Awaiting more context
发送闸门 · 五道检查Send gates · five checks

每一条消息,过闸才发得出去

Every message passes the gates before it sends

独立评审 Agent 会对回复打分。两类指标超标直接拦截、不送出;三类指标先触发一次改写,改写后仍不达标才落 hold。阈值是行业画像可覆盖的配置,下方为默认销售画像的取值。

An independent review agent scores each reply. Two metrics block outright; three trigger a single rewrite first, and only block if still failing after. Thresholds are profile-overridable; below are the default sales-profile values.

硬拦截 · 直接不送出Hard block · never sends
事实风险Fact riskblock
FactRisk  ≥  6

幻觉 / 事实风险评分达到 6 即拦截,不给改写机会,杜绝 AI 编造事实发出去。

A hallucination/fact-risk score of 6 blocks immediately — no rewrite — so the AI never sends fabricated facts.

产品准确性Product accuracyblock
ProductAccuracy  <  7

含产品声明的发送,准确性低于 7 直接拦截;产品声明还必须有已验证知识支撑(见下一节)。

Product-claim sends below 7 are blocked; product claims must also be backed by verified knowledge (next section).

先改写一次 · 不达标再拦Rewrite once · then block
拟人度Human-likenessrewrite
HumanLikeScore  <  6

读起来不像真人在说话,先自动重写一次,让语气更自然。

If it doesn't read like a real person, rewrite once for a more natural tone.

情感价值Emotional valuerewrite
EmotionalValue  <  6

缺乏情感价值、过于机械时,先重写一次补足温度。

Too mechanical or low on warmth — rewrite once to add it back.

压力感Pressurerewrite
PressureRisk  ≥  7

话术给客户的压力过大时,先重写一次降低逼单感;改写后仍超标才拦下。

If the wording pressures the customer too hard, rewrite once to ease it; only block if still failing.

评审通过的判定是「全闸通过才放行」。改写只发生一次,避免无限循环;改写后仍不达标的发送落入 hold 或 block,状态用前述 AI 内部语义记录。

A reply ships only when all gates pass. Rewrite happens at most once to avoid loops; still-failing sends fall into hold or block, recorded with the AI-internal statuses above.

知识红线 · 有据才说Knowledge red line · grounded or silent

产品声明,必须有已验证知识背书

Product claims must be backed by verified knowledge

AI 不能凭印象谈价格、谈功效、谈政策。任何产品声明都要能在知识库的已验证切片里找到依据,否则这条发送被直接拦截,状态记为未验证产品声明。

The AI can't talk price, efficacy or policy from memory. Any product claim must trace to a verified slice in the knowledge base, or the send is blocked outright.

拦截Block

无依据即拦截

No backing, no send

产品声明若在 operation_knowledge_chunks 中找不到已验证支撑,且不是来自产品目录的报价,发送被拦下。

If a product claim has no verified backing in operation_knowledge_chunks and isn't a catalog-priced quote, the send is blocked.

final_review_status = "blocked_unverified_product_claim"
不自动核验No self-verify

AI 永不自动核验知识

The AI never self-verifies

所有新摄入的知识——RSS、网页、PDF、图像识别——一律落 draft + 待核验状态,由人确认后才能成为发送依据。这条红线在每个摄入入口都成立。

All newly ingested knowledge — RSS, HTML, PDF, vision — lands as draft + needs-review, usable only after a human confirms. This holds at every ingestion entry.

status = "draft" · integrity_status = "needs_review"
信任红线 · 信息分层Trust red line · tiered information

人类录入的,AI 永远改不了
AI 自己猜的,只用来记录

What a human enters, the AI can never change;
what the AI guesses is for the record only

对客户的认知不是一锅炖。系统把信息按可信度物理分成三层:人类录入的标签 AI 绝对碰不到、坚信不疑;AI 确信的判断必须挂着消息证据;AI 自己逐轮猜测的信号只进观测台账,永远不允许驱动任何决策。这不是靠提示词自律,是写进代码、有契约测试守护的硬约束。

Knowledge about a customer isn't one big soup. The system physically splits it into three tiers by trustworthiness: human-entered tags the AI can never touch and trusts absolutely; AI-confirmed judgments that must carry message evidence; and the AI's per-turn guesses, which only enter an observation ledger and are never allowed to drive any decision. This isn't prompt self-discipline — it's a hard constraint in code, guarded by contract tests.

01

人类权威层

Human authority tier

manual_tags

运营手动录入的标签。AI 的所有写路径都触达不到这个字段——压缩归并、重新判断,统统绕开它。这是人类对客户的判断,AI 坚信不疑、原样带进决策,永远不会被 AI 覆盖或"优化"。

Tags an operator enters by hand. None of the AI's write paths can reach this field — consolidation and re-judgment all bypass it. This is the human's read on the customer: the AI trusts it unconditionally, carries it verbatim into decisions, and can never overwrite or "optimize" it.

仅人类可写 · AI 永不触达Human-only · AI never writes 驱动决策Drives decisions
02

AI 确信层

AI-confirmed tier

confirmed_tags

AI 经过压缩重判或强证据快通道确信的标签。每一条都必须挂着具体的消息证据——找不到能锚定的原始消息,这条标签直接丢弃。它会进决策,但门槛是"拿得出依据",而不是 AI 随口一说。

Tags the AI is confident in, via consolidation re-judgment or a strong-evidence fast path. Each must carry concrete message evidence — if no anchoring source message is found, the tag is discarded. It feeds decisions, but the bar is "can show its receipts," not the AI's say-so.

每条必挂消息证据 · 锚不上即丢弃Message evidence required · dropped if unanchored 驱动决策Drives decisions
03

AI 暂定观测层

AI observation tier

bayesian_signals · tag_observation · personality_profile

AI 逐轮的猜测与人格画像——证据还不够硬、置信还不够高的判断。它们只写进观测台账,是给运营看走势的辅助工具。铁律是:永不进入任何 planner 过滤、状态机、选材或触达门。代码里有一条专门的契约测试守着这条线,防止哪天有人手滑让它驱动行为。

The AI's per-turn guesses and personality profile — judgments whose evidence isn't hard enough or confidence high enough. They only enter an observation ledger, an aid for operators to watch trends. The iron rule: they never enter any planner filter, state machine, selection or outreach gate. A dedicated contract test in the code guards this line, so no one can accidentally let them drive behavior.

只记录 · 永不驱动行为Record only · never drives behavior 契约测试守护Guarded by a contract test
铁律一:AI 改不动人类的判断
Law 1: the AI can't alter the human's call

人类权威层与 AI 确信层在存储上物理分家,写在不同字段。AI 的压缩重判只能 replace 自己那层,对 manual_tags 连写权限都没有。

The human-authority and AI-confirmed tiers are physically separated into different fields. The AI's re-judgment can only replace its own tier — it holds no write access to manual_tags at all.

铁律二:猜测只记录,不决策
Law 2: guesses are logged, not acted on

贝叶斯信号、人格画像这类 AI 自评,写进台账供观察,但永不接入任何决策路径。bayesian_and_personality_do_not_affect_planner_filters 测试守着这条不变量。

AI self-assessments like Bayesian signals and personality profiles are logged for observation but never wired into any decision path. The test bayesian_and_personality_do_not_affect_planner_filters guards this invariant.

可审计性 · 全程留痕Auditability · full trail

每一次决策、调用、发送,都查得到

Every decision, call and send is traceable

系统不是黑箱。从模型调用到最终发送,四类留痕构成完整审计链,配上幂等键防重发、异常降级而非崩溃。出了问题能复盘到具体哪一步。

Not a black box. From model call to final send, four trails form a complete audit chain — with idempotency keys against double-sends and graceful degradation instead of crashes.

agent_run_logs

运行日志

Run logs

每一次 Agent 运行的完整信封:触发来源、决策、评审、所用提示词版本与最终结果。

The full envelope of each agent run: trigger, decision, review, prompt versions used and final outcome.

llm_call_logs

模型调用日志

LLM call logs

每次模型调用留痕,状态四态可分:success / cache_hit / failed / json_error,并累计 token 用量。

Every model call recorded across four states: success / cache_hit / failed / json_error, with token usage tallied.

events

审计事件

Audit events

关键动作落审计事件,例如非法状态跃迁会发 agent.operation_state_transition_rejected,带前后状态详情。

Key actions emit audit events — e.g. an illegal state transition emits agent.operation_state_transition_rejected with before/after detail.

agent_send_outbox

发送 Outbox

Send outbox

批准的发送先落 outbox、带幂等键 idempotency_key,再调 MCP 发送;客户拒绝或冷却会取消待发条目,杜绝重发。

Approved sends hit the outbox with an idempotency_key before the MCP call; rejection or cooldown cancels pending entries — no double-sends.

失败软着陆Fail-soft

异常不崩溃,降级兜底

Faults degrade, not crash

非法状态跃迁
Illegal state transition

消息已发出后若状态机判定跃迁非法,不回滚已发送内容——跳过 operation_state 写入、保留旧状态,并发审计事件留痕。

If the state machine rejects a transition after a message is already sent, it doesn't roll back the send — it skips the operation_state write, keeps the old state, and emits an audit event.

运行预算超限
Run budget exceeded

每次运行有 token 与调用预算(默认 30000 token / 6 次模型调用)。超限走本地降级(如本地评审、跳过改写),绝不把 5xx 抛给 Webhook 调用方。

Each run has a token and call budget (default 30000 tokens / 6 model calls). Exceeding it triggers local fallback (local review, skip rewrite) — never a 5xx to the webhook caller.

隔离红线 · 双键边界Isolation · double-key boundary

租户与账号,查询时双键校验

Tenant and account, checked on every query

多租户与多微信号下,数据边界靠两把键守住。敏感查询一律带上归属键,从不信任请求体传入的边界字段,杜绝越权访问。

Across tenants and WeChat accounts, two keys guard the data boundary. Sensitive queries always carry the ownership key and never trust a boundary field from the request body — closing off cross-boundary access.

workspace_id

租户边界

Tenant boundary

联系人、产品、名片等查询按 _id + workspace_id 双条件过滤;workspace 锁定在服务端解析,不接受请求体传入,从源头堵住跨租户越权(IDOR)。

Contacts, products and cards are filtered by _id + workspace_id; the workspace is resolved server-side, never from the request body — closing IDOR at the source.

画像隔离Profile isolation知识隔离Knowledge isolation防越权Anti-IDOR
account_id

账号边界

Account boundary

单个微信号的态势独立:审计事件、调用日志、当日发送软上限都按 account_id 归集与限流,多账号互不串扰。

Each WeChat account stands alone: audit events, call logs and the daily send soft-cap are all keyed and throttled by account_id — no cross-account bleed.

账号调度Scheduling独立态势Own posture发送限流Send throttle
CI 门禁 · 红线不靠自觉CI guards · not on the honor system

每一次提交,都被门禁扫一遍

Every commit is scanned at the gate

红线不只写在文档里,还固化成两道合并门禁:一道在字符串层面守住「无人工接管」措辞,一道守住测试基线不退化。任一不过,合并被拒。

Red lines aren't just docs — they're two merge gates: one guards the "no handoff" wording at the string level, one keeps the test baseline from regressing. Fail either, and the merge is rejected.

check-no-human-takeover

措辞门禁

Wording guard

扫描 src/agent / src/routes / src/evolution / frontend/src 新增代码行,命中「接管 / takeover / hand-off / 人工」等禁用词即失败。强制使用 AI 自治措辞,不留侥幸。

Scans newly added lines under src/agent / src/routes / src/evolution / frontend/src; any forbidden word (takeover / hand-off / 人工 …) fails the build. Autonomous wording is mandatory.

只扫新增行Added lines only大小写不敏感Case-insensitive
check-baseline

基线门禁

Baseline guard

单元测试 cargo test --lib 须 ≥ 350 通过、0 失败;四个属性测试文件累计须 ≥ 33 通过、0 失败。新工作只能加测试,不能拉低基线。

Unit tests cargo test --lib must pass ≥ 350 with 0 failures; four property-test files must cumulatively pass ≥ 33 with 0 failures. New work adds tests — never lowers the bar.

≥350lib 通过lib passed≥33PBT 累计PBT total

红线之上,是可以放心交付的自治

On top of red lines, autonomy you can trust to ship

约束越清晰,自治越敢放手。看看这套规则如何落在统一网关与自我演化的工程实现里。

The clearer the constraints, the bolder the autonomy. See how these rules land in the gateway and the self-evolution engine.