大部分 software 記得咩變咗。少好多 software 記得 點解 呢個 change 被允許、邊個或咩 決定咗、同 咩 evidence 支撐呢個 decision。Trust 就係喺呢個缺口入面慢慢流失。Operations team 通常答到「而家 state 係咩」;但好多時答唔到「show me how we got here, and prove we were allowed to」。
Threada 建成嘅方式,令第二條問題永遠有答案。每個 governed action 都留下 receipt。
Receipt 實際包含啲咩
Receipt 唔係 log line。Log line 話「有事發生」。Receipt 提供足夠資料,令你之後可以 reconstruct 同 defend 一個 decision。喺 Threada,governed action 會記錄:
- Actor. Human operator 或 AI participant,作為 distinct actor events 記錄。Agent approval 永遠唔會扮成人嘅 approval。
- Inputs. WorkItem、佢嘅 extracted entities、requester identity、同 request 進入嘅 source channel。
- Evidence. Citations、retrieval trace,以及 — 當 context 不足時 — explicit fallback reason。Work 唔可以喺冇 citations 或 recorded fallback reason 之下建立。
- Policy. 邊個 policy set active、咩 version、同佢係 tenant-wide 適用,定係收窄到 pack、workflow、channel 或 requester group。
- Outcome. Action 係 proposed、approved、rejected、executed、succeeded 定 failed — 並連返到佢觸及嘅 external record。
將呢啲 fields 一齊讀,你就有一個 step 嘅 defendable account。沿住 WorkItem lifecycle 讀,你就有完整 history。
Auditability 係 default,唔係事後加上去嘅 feature
大部分 systems 嘅誘惑係之後先加 audit:先 ship feature,等 customer 要 SOC 2 evidence 或 regulator 出現,先包一層 logging。呢個次序係反轉咗。事後加嘅 audit 永遠 partial,因為 system 喺 decision 發生一刻從未被要求攜帶 context。
Threada 反過嚟。Runtime 喺每個 meaningful transition emit structured events — work_item_created、approval_requested、approval_decided、action_proposed、action_executed、fallback_triggered — 因為做工作同記錄工作係同一件事。冇另一個「turn on auditing」step,因為冇任何時刻工作係 off the record。
呢個就係我哋講 records-and-receipts model 嘅意思。Record 唔係你 generate 出嚟嘅 report;佢係正確完成工作後留下嘅痕跡。
Receipts 點樣改變 team 嘅運作
Receipt 對季尾 auditor 有用。但佢更安靜嘅價值,係星期二中段操作嘅 operator。
當每個 action 都帶住 evidence 同 policy basis,三件事會容易好多:
- Review 變得快而誠實。 Approver 唔需要憑記憶 reconstruct context,或者追 requester 要 original ask。Evidence 就喺 action 旁邊。Confidence、reversibility 同 clarity 喺 decision point visible,所以 reviewers 會 optimize reviewability,而唔係只追速度。
- Reversal 變得安全。 因為 receipt 指明 policy version 同 inputs,rollback 一個 action 係 defined operation,唔係 archaeology project。你知道自己 undo 緊咩,亦知道點解當初要做。
- Accountability 唔再對立。 當 record 自己組裝,「邊個 approved 呢件事」唔係指控 — 只係一個 field。Builder、approver 同 governance roles 之間嘅 separation of duties 被 enforce 並 visible,所以 accountability 問題喺有人問之前已經有答案。
High-risk work 保持 human,同時 on the record
Receipts 唔代表全部都自動化。佢代表全部都 accountable。High-risk automations 會跟 explicit human-in-the-loop progression — proposed、approved、executing — 並只喺 policy 明確允許時 auto-execute。Receipt 記錄該 action 行咗邊條 path。Automation 同 approval 唔係對立;兩者都係留下 trace 嘅 steps。
結果係一個你可以同樣有信心交畀 auditor 同新 operator 嘅 system。Auditor 睇到 controls 成立。Operator 睇到上一個人點處理眼前 case。兩者讀緊同一批 receipts。
Threada 底下嘅 bet 就係:捕捉「點解 decision 被允許」最平嘅時間,就係你作出 decision 嗰一刻;而一隊永遠唔 off the record 工作嘅 team,永遠答到第二條問題。