Public Methodology Draft v0.1.0

The Contract Layer for Safe AI Agent Execution

Large language models generate probabilistically. Production systems need deterministic boundaries before an agent calls tools, reads or writes files, or accesses APIs. Schema Sandbox defines a layered neuro-symbolic methodology to validate, authorize, isolate, and audit AI actions before model output reaches enterprise or industrial runtimes.

Current Status: Public Methodology Draft v0.1.0  |  Reference patterns only: not a production-certified safety runtime.
[Figure: Schema Sandbox concept diagram]
Cognitive Boundaries

Nine-Layer Agent Execution Flow

Schema Sandbox sits between raw LLM output and persistent enterprise runtimes. Below is the simplified execution flow showing the core boundary gates.

  • Agent Proposal: the probabilistic action stream generated by the LLM.
  • Validate Input: check constraints and sanitize prompt inputs.
  • Authorize Scope: match the proposal to permission boundaries.
  • Execute or Ask: invoke safe tools or request human sign-off.
  • Validate Output: review the output payload and log evidence.

1. Capability Boundary

Defines what an agent is allowed to generate. Enforces strict input contracts, structured tool-call grammars, and validation of outputs against formatting and semantic rules.

2. Execution Boundary

Limits how actions are physically run. Enforces isolated workspace partitions, strict local filesystem boundaries, network access scopes, and conditional escalation to human approval.

3. Evidence Boundary

Ensures high traceability. Records input/output hashes, exact tool arguments, permission validation results, trace metadata, and tamper-proof evidence logs.

Product Showcase

Industrial Middleware Reference Patterns

AI agents should not connect directly to operational systems. We present five reference middleware patterns showing how Schema Sandbox isolates and validates actions.

Industrial Maintenance Work Order Gateway

AI drafts work orders but cannot bypass permission gates or submit high-risk actions without human review.

The Problem

If an AI maintenance agent calls CMMS or MES APIs directly upon reading an alarm, it risks submitting large numbers of duplicated, unauthorized, or critically flawed work orders.

Enforced Contracts

  • Input validation: validates alarm codes and machine identifiers.
  • Permission scope: read machine status and create draft work orders only.
  • Output validation: ensures the structured work order payload matches enterprise schemas.
  • Human sign-off routing: high-priority alarms force the decision to be redirected to a human approver.
SAMPLE CONTRACT REJECTION
{
  "decision": "ask",
  "reason": "high_priority_work_order_requires_human_approval",
  "evidence_id": "ev_maintenance_001"
}

Quality Inspection Report Contract

AI generates inspection reports but must satisfy field, data-evidence, and forbidden-claim constraints.

The Problem

AI-generated quality reports often hallucinate claims of certainty, omit required batch references, or state a compliant status that the raw test values do not support.

Enforced Contracts

  • Required fields: batch ID, inspector key, raw value, tolerance limits.
  • Forbidden patterns: denies marketing-speak such as "100% compliant" or "guaranteed defect-free" unless real test data supports it.
  • Evidence binding: forces cryptographic signature matching of the input test records.
SAMPLE CONTRACT REJECTION
{
  "decision": "reject",
  "reason": "forbidden_pattern_matched",
  "detail": {
    "field": "conclusion",
    "value": "This batch is 100% compliant and guaranteed safe."
  }
}
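The three contract rules of this pattern (forbidden claims, evidence binding, and a verdict that must follow from the raw value) can be checked with no model in the loop. The Python below is an added example and not the project's own code: the phrase list, the HMAC-SHA256 signature over the test record (a stand-in for whatever signature scheme the test bench actually uses), the field names and the extra rejection reasons beyond `forbidden_pattern_matched` are all assumptions made for illustration. A report passes only if no forbidden phrase appears, the cited test record carries a valid signature, the report's batch ID and raw value match that signed record, and a "pass" verdict lies within the tolerance limits.

```python
import hashlib
import hmac
import json
import re

# Constructed forbidden phrases; the page names the first two.
FORBIDDEN_PATTERNS = [
    re.compile(r"\b100\s*%\s*compliant\b", re.I),
    re.compile(r"\bguaranteed\s+(defect[- ]free|safe)\b", re.I),
    re.compile(r"\bzero\s+defects?\b", re.I),
]
# Hypothetical key held by the test bench that signs raw measurements, never by the agent.
TEST_BENCH_KEY = b"constructed-demo-key"


def sign_record(record, key=TEST_BENCH_KEY):
    """HMAC-SHA256 over the canonical JSON of a raw test record."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_forbidden(report):
    """Forbidden patterns: scan free-text fields for overclaiming language."""
    for field in ("conclusion", "summary"):
        text = report.get(field)
        if not isinstance(text, str):
            continue
        for pat in FORBIDDEN_PATTERNS:
            if pat.search(text):
                return {"decision": "reject", "reason": "forbidden_pattern_matched",
                        "detail": {"field": field, "value": text}}
    return None


def check_evidence_binding(report, key=TEST_BENCH_KEY):
    """Evidence binding: the cited test record must verify, and the report's
    batch_id and raw_value must equal the signed values."""
    record = report.get("test_record")
    sig = report.get("test_record_signature")
    if record is None or sig is None or not hmac.compare_digest(sign_record(record, key), str(sig)):
        return {"decision": "reject", "reason": "evidence_signature_mismatch",
                "detail": {"field": "test_record"}}
    for field in ("batch_id", "raw_value"):
        if report.get(field) != record.get(field):
            return {"decision": "reject", "reason": "report_diverges_from_signed_evidence",
                    "detail": {"field": field, "value": report.get(field),
                               "signed_value": record.get(field)}}
    return None


def check_verdict(report):
    """A 'pass' verdict must be supported by the raw value lying inside the tolerance limits."""
    limits = report.get("tolerance_limits")
    value = report.get("raw_value")
    if not (isinstance(limits, (list, tuple)) and len(limits) == 2) or not isinstance(value, (int, float)):
        return {"decision": "reject", "reason": "missing_required_fields",
                "detail": {"missing": ["raw_value", "tolerance_limits"]}}
    lo, hi = limits
    if report.get("verdict") == "pass" and not lo <= value <= hi:
        return {"decision": "reject", "reason": "verdict_unsupported_by_raw_value",
                "detail": {"field": "verdict", "raw_value": value, "tolerance_limits": [lo, hi]}}
    return None


def validate_report(report, key=TEST_BENCH_KEY):
    """Run the checks in order; the first violation becomes the rejection payload."""
    for check in (check_forbidden, lambda r: check_evidence_binding(r, key), check_verdict):
        result = check(report)
        if result:
            return result
    return {"decision": "execute", "reason": None}
```

Ordering matters: the forbidden-pattern scan runs first because it is cheap and its rejection payload (field plus offending text) is the most useful for a self-healing prompt, while the signature check guarantees that an agent cannot "fix" a failing report by editing the measurement it cites.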

ERP / MES Permission Gateway

No direct database connections. Every AI query passes through schema permission layers and field filters.

The Problem

General-purpose AI agents can generate direct database queries that request restricted operational logs, leak customer databases, or read data across partitions.

Enforced Contracts

  • Role-aware scope: maps the agent session key to specific tables and query actions.
  • Field-level sanitization: automatically strips or hashes sensitive fields.
  • Deny-by-default: rejects any ambiguous or multi-join operation.
SAMPLE CONTRACT REJECTION
{
  "decision": "reject",
  "reason": "scope_violation",
  "detail": {
    "proposed_action": "ERP.readPayrollData",
    "error": "action_outside_allowed_tool_scope"
  }
}
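A gateway that honours all three contracts never accepts SQL text from the agent at all; it accepts a structured proposal (table, action, optional field list) and decides with a role-to-table map. The Python below is an added example, not the project's code: the roles, tables, sensitivity rules, salt and the `backend` callable are constructed for illustration, and the `proposed_action` string format in the rejection follows the page's sample payload. Anything that is not a single-table, in-scope, structured proposal is rejected, and rows that do pass are pseudonymized or stripped field by field before they leave the gateway.

```python
import hashlib

# Constructed role scope map (hypothetical): session role -> table -> allowed actions.
ROLE_SCOPES = {
    "maintenance_agent": {"work_orders": {"read", "create_draft"}, "machines": {"read"}},
    "procurement_agent": {"suppliers": {"read"}, "purchase_orders": {"read"}},
}
# Constructed sensitivity policy: fields hashed or dropped before results leave the gateway.
SENSITIVE_FIELDS = {
    "suppliers": {"bank_account": "hash", "contact_email": "hash", "tax_id": "drop"},
    "work_orders": {"technician_phone": "drop"},
}
SALT = b"constructed-gateway-salt"  # assumption; a deployment would use a managed secret


def pseudonymize(value):
    """Salted SHA-256 prefix: stable for joins within a session, not reversible by the agent."""
    return hashlib.sha256(SALT + str(value).encode()).hexdigest()[:16]


def reject(proposed_action, error):
    return {"decision": "reject", "reason": "scope_violation",
            "detail": {"proposed_action": proposed_action, "error": error}}


def authorize_query(role, proposal):
    """Deny by default: only a structured, single-table, in-scope proposal passes."""
    proposed_action = f"ERP.{proposal.get('action', '?')}:{proposal.get('table', '?')}"
    if "sql" in proposal or not {"table", "action"} <= set(proposal):
        return reject(proposed_action, "ambiguous_query_rejected")
    if proposal.get("joins"):
        return reject(proposed_action, "multi_join_not_allowed")
    allowed = ROLE_SCOPES.get(role, {}).get(proposal["table"], set())
    if proposal["action"] not in allowed:
        return reject(proposed_action, "action_outside_allowed_tool_scope")
    return None


def sanitize_rows(table, rows):
    """Field-level sanitization according to the table's policy."""
    policy = SENSITIVE_FIELDS.get(table, {})
    clean_rows = []
    for row in rows:
        clean = {}
        for key, value in row.items():
            rule = policy.get(key)
            if rule == "drop":
                continue
            clean[key] = pseudonymize(value) if rule == "hash" else value
        clean_rows.append(clean)
    return clean_rows


def run_query(role, proposal, backend):
    """Gate a proposal; `backend(table, action, fields)` is the only path to the ERP."""
    rejection = authorize_query(role, proposal)
    if rejection:
        return rejection
    rows = backend(proposal["table"], proposal["action"], proposal.get("fields"))
    return {"decision": "execute", "rows": sanitize_rows(proposal["table"], rows)}
```

Because the backend is only ever called with a table and action the role map has already approved, the agent's wording of its request cannot widen the query; the worst it can do is be rejected with a payload that names the out-of-scope action.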

Supplier Document Intake

AI extracts supplier information from unstructured documents, but only validated, structured records enter enterprise systems.

The Problem

Invoices, packing-list attachments, and emails contain highly irregular data formats. Unvalidated AI extraction leads to corrupt database records.

Enforced Contracts

  • Required structures: supplier name, registry code, tax identifier, currency.
  • Schema checking: enforces ISO country-code boundaries and correct postal formats.
  • Fallback logic: automatically sends missing-field complaints back to the supplier.
SAMPLE CONTRACT REJECTION
{
  "decision": "reject",
  "reason": "missing_required_fields",
  "detail": {
    "missing": [
      "registration_number"
    ],
    "action": "provide_fallback_or_ask_supplier"
  }
}

EHS Compliance Assistant

AI drafts EHS incident corrective actions, but critical safety classifications and recommendations require explicit human verification.

The Problem

Environmental, Health, and Safety (EHS) logs are legally binding. AI recommendations that ignore mandatory safety escalation rules or omit vital hazard notices create compliance risk.

Enforced Contracts

  • Input provenance check: ensures report inputs originate from verified sensors.
  • Safety keyword triggers: red-flags sentences containing sensitive terms such as immediate containment or leak.
  • Verification logs: collects evidence files showing human confirmation of safety codes.
SAMPLE CONTRACT REJECTION
{
  "decision": "ask",
  "reason": "high_risk_corrective_action_detected",
  "detail": {
    "trigger_field": "priority",
    "trigger_value": "immediate_escalation_required"
  }
}
Standard Protocol

Schema Interoperability Protocol (SIP-Core)

SIP-Core is a minimal manifest spec that describes sandboxes as secure, discoverable capability assets.

Input/Output Validation Schemas

Describe the JSON-Schema configurations that govern agent inputs and sanitization patterns.

Granular Permission Scopes

Lock local paths (`fs_scope`), restrict API hosts (`net_scope`), and define the allowed tool names (`tool_scope`).

Traceable Rejection Payloads

Standard error formats return `SIP_ERR_INPUT_VIOLATION` or `SIP_ERR_SCOPE_LOCKED` together with the conflicting fields, so the agent can repair its next attempt quickly (a self-healing prompt).

sip_manifest.json (SIP v0.1.0)
{
  "sip_version": "0.1.0",
  "sandbox_id": "industrial_maintenance_workorder",
  "capability_type": "industrial.workorder.gateway",
  "input_contract": {
    "schema_ref": "./schemas/input.schema.json",
    "sanitize_input": true
  },
  "permission_scope": {
    "fs_scope": ["./workspace/reports"],
    "net_scope": ["mes.example.com:443"],
    "tool_scope": ["MES.readStatus", "MES.createWorkOrder"],
    "human_approval": true
  }
}
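The manifest above is only useful if something enforces it. The Python below is an added example, not the project's reference implementation: it takes the page's manifest verbatim, substitutes a constructed inline schema for the referenced `./schemas/input.schema.json` (which the page does not show), and implements a small JSON-Schema subset (type, required, properties, pattern, minLength, enum) rather than pulling in a full validator. The argument names `output_path` and `endpoint`, and the reading of `human_approval` as "write tools need sign-off", are assumptions. The result is the SIP-Core decision for one proposal: `SIP_ERR_INPUT_VIOLATION` with the offending JSON paths, `SIP_ERR_SCOPE_LOCKED` naming which of `tool_scope`, `fs_scope` or `net_scope` blocked it, an ask, or an execute. The `fs_scope` check resolves `..` and symlinks before comparing, which is the detail most home-grown path checks miss.

```python
import os
import re
from urllib.parse import urlsplit

SIP_ERR_INPUT_VIOLATION = "SIP_ERR_INPUT_VIOLATION"
SIP_ERR_SCOPE_LOCKED = "SIP_ERR_SCOPE_LOCKED"

# Manifest as printed on the page.
MANIFEST = {
    "sip_version": "0.1.0",
    "sandbox_id": "industrial_maintenance_workorder",
    "capability_type": "industrial.workorder.gateway",
    "input_contract": {"schema_ref": "./schemas/input.schema.json", "sanitize_input": True},
    "permission_scope": {
        "fs_scope": ["./workspace/reports"],
        "net_scope": ["mes.example.com:443"],
        "tool_scope": ["MES.readStatus", "MES.createWorkOrder"],
        "human_approval": True,
    },
}
# Constructed stand-in for ./schemas/input.schema.json (not shown on the page).
INPUT_SCHEMA = {
    "type": "object", "required": ["tool", "args"],
    "properties": {
        "tool": {"type": "string"},
        "args": {"type": "object", "required": ["alarm_code", "machine_id"],
                 "properties": {
                     "alarm_code": {"type": "string", "pattern": "^[A-Z]{2,4}-[0-9]{3,5}$"},
                     "machine_id": {"type": "string", "minLength": 1},
                     "priority": {"type": "string", "enum": ["low", "normal", "high"]}}},
    },
}
TYPES = {"object": dict, "string": str, "array": list, "number": (int, float), "boolean": bool}


def schema_violations(value, schema, path="$"):
    """Check a value against a small JSON-Schema subset; return (json_path, problem) pairs."""
    t = schema.get("type")
    if t and (not isinstance(value, TYPES[t]) or (t == "number" and isinstance(value, bool))):
        return [(path, f"expected_{t}")]
    problems = []
    if t == "object":
        for req in schema.get("required", []):
            if req not in value:
                problems.append((f"{path}.{req}", "missing_required_field"))
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                problems += schema_violations(value[key], sub, f"{path}.{key}")
    if t == "string":
        if "pattern" in schema and not re.search(schema["pattern"], value):
            problems.append((path, "pattern_mismatch"))
        if len(value) < schema.get("minLength", 0):
            problems.append((path, "too_short"))
    if "enum" in schema and value not in schema["enum"]:
        problems.append((path, "not_in_enum"))
    return problems


def path_in_scope(path, fs_scope, root="."):
    """fs_scope: resolve '..' and symlinks, then require the target to sit under an allowed root."""
    target = os.path.realpath(os.path.join(root, path))
    for allowed in fs_scope:
        base = os.path.realpath(os.path.join(root, allowed))
        if target == base or target.startswith(base + os.sep):
            return True
    return False


def host_in_scope(url, net_scope):
    """net_scope: compare host:port of the requested URL against the allowlist."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}" in net_scope


def enforce(proposal, manifest=MANIFEST, schema=INPUT_SCHEMA):
    """Return the SIP decision for one proposal: reject (traceable error), ask, or execute."""
    problems = schema_violations(proposal, schema)
    if problems:
        return {"decision": "reject", "error": SIP_ERR_INPUT_VIOLATION,
                "violations": [{"path": p, "problem": q} for p, q in problems]}
    scope = manifest["permission_scope"]
    args = proposal["args"]
    locked = None
    if proposal["tool"] not in scope["tool_scope"]:
        locked = ("tool_scope", proposal["tool"])
    elif "output_path" in args and not path_in_scope(args["output_path"], scope["fs_scope"]):
        locked = ("fs_scope", args["output_path"])      # output_path: hypothetical argument
    elif "endpoint" in args and not host_in_scope(args["endpoint"], scope["net_scope"]):
        locked = ("net_scope", args["endpoint"])        # endpoint: hypothetical argument
    if locked:
        return {"decision": "reject", "error": SIP_ERR_SCOPE_LOCKED,
                "locked": locked[0], "value": locked[1]}
    # Assumption: human_approval applies to write tools; reads execute directly.
    if scope.get("human_approval") and proposal["tool"] == "MES.createWorkOrder":
        return {"decision": "ask", "reason": "human_approval_required"}
    return {"decision": "execute"}
```

The schema check runs before any scope check so that a malformed proposal never reaches the scope logic, and the rejection lists every violated path at once rather than the first one, which is what lets the agent repair the whole payload in a single retry.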
Open Access

License & Citation Guide

Schema Sandbox is free for commercial and non-commercial use, provided that the attribution rules are respected.

Dual Open-Source License

The Schema Sandbox repository operates under a split license:

  • Content & Methodology: licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).
  • Code & JSON Schemas: provided under the Apache License 2.0.

Note: the trademark names "Schema Sandbox" and "SIP" are reserved. See TRADEMARK.md for guidelines.

Suggested Attribution

If you build on, adapt, or teach using the Schema Sandbox methodology, please display this notice:

Based on the Schema Sandbox methodology by Tengjiao Liu and Hongzong Si.

For academic citations, download the BibTeX metadata from CITATION.cff.