01 / PROBLEM
跑通的演示,不等于可被验证的系统。A working demo is not a verified system.
RAG 或 Agent 演示很容易跑通,但引用是否可靠、写操作是否越权、不同租户是否隔离,往往没有统一证据。我的完成标准不是增加聊天能力,而是让检索、权限、确认、状态流转和审计都能被测试。A RAG or agent demo can run while citation quality, write authorization, and tenant isolation remain unproven. I treated retrieval, permissions, confirmation, state transitions, and audit as testable completion criteria.
02 / SYSTEM DECISION
模型只协调;确定性服务负责边界。Models coordinate; deterministic services own boundaries.
03 / FAILURE RISK + CONTROLS
把危险动作留在模型之外。Keep dangerous actions outside the model.
| 失败风险Failure risk | 工程控制Engineering control |
|---|---|
| 跨 group 数据或引用泄漏Cross-group data or citation leakage | 业务对象从认证服务端上下文派生 group 范围Business objects derive group scope from authenticated server context |
| 未注册工具、参数缺失、越权写入Unregistered tools, missing parameters, or unauthorized writes | 记录失败步骤,不产生写操作Record failed steps and produce no write |
| 等待确认的 run 再次执行Re-running a pending confirmation | 禁止执行并返回 HTTP 409Block execution and return HTTP 409 |
04 / EVIDENCE
证据管线,而不是虚构的运营看板。An evidence pipeline, not a fabricated dashboard.
Keyword Recall@5
0.950
MRR
0.901
Hybrid 对 Precision@5 的影响Hybrid effect on Precision@5
−0.048
无证据拒答 / 安全类别No-evidence refusals / safety categories
5/5 · 4/4
Agent 攻击与误用案例Agent attack & misuse cases
12 / 12
跨 group 引用泄漏Cross-group citation leakage
0
测试结果Test result
1,135 passed · 3 skipped
05 / LIMITATIONS + LINKS
尚未被证明的部分What remains unproven
向量基线是离线词法特征哈希,不是神经向量模型。安全测试使用 fake provider,证明的是后端约束能容纳恶意模型决策,不证明真实托管模型本身能够抵抗 Prompt 注入。The vector baseline is lexical feature hashing, not neural embeddings. Fake-provider security tests prove backend containment of malicious model decisions, not real-model resistance to prompt injection.