Capstone · 把企业级 agent 交给编码 agent 去搭Capstone · Hand the Enterprise Agent to a Coding Agent.
全书的收束:一张参考架构图、一份分层规格、一段能直接交给 Cursor 或 Claude Code 的 kickoff prompt —— 让「vibe 出一个企业级 agent」变成带验收标准的工程,而不是口号。The book's close: a reference architecture, a layered spec, and a kickoff prompt for Cursor or Claude Code — turning 'vibe-code an enterprise agent' into engineering with acceptance checks, not a slogan.
14 分钟 · 初稿 2026.0714 Min · Drafted 2026.07
全书到这里,你手里有一个能跑的研究助手,和八根支柱的判断力:身份鉴权、带权限的检索、对抗性安全、治理审计、常设评测、失败工程、控制平面、多租户。这一章把它们收成一个可交付的东西 —— 一张参考架构图、一份分层规格、和一段能直接交给 Cursor 或 Claude Code 去实现的 kickoff prompt。目标很具体:让「vibe 出一个完整企业级 agent」变成一件带验收标准、能验证的工程,而不是一句口号。By here you hold a running research assistant and the judgment of eight pillars: identity and auth, permission-aware retrieval, adversarial security, governance and audit, standing evaluation, failure engineering, a control plane, and multi-tenancy. This chapter folds them into something deliverable — a reference architecture, a layered spec, and a kickoff prompt you can hand straight to Cursor or Claude Code to implement. The goal is concrete: turn 'vibe-code a complete enterprise agent' into engineering with acceptance criteria you can verify, not a slogan.心脏没变。全书第一章那句话在这里第三次兑现:agent 是 LLM 在循环里用工具、读反馈、定下一步;其余都是挂在这个循环上的层。4注 4Note 4OpenAI ·「A Practical Guide to Building Agents」(2025-04)—— 单 agent 是一个 run loop,跑到触发退出条件为止;护栏是分层防御。capstone 的参考架构就是把这个 run loop 放进控制平面的中心,各层挂在四周。OpenAI · 'A Practical Guide to Building Agents' (2025-04) — a single agent is a run loop until an exit condition; guardrails are a layered defense. The capstone's reference architecture puts that run loop at the center of the control plane, with each layer hung around it.企业级不是换一个更聪明的心脏,是在同一个循环外面,一层一层把「可信、规模化、在别人数据上、留得下审计」搭起来。所以 capstone 不是又一个 demo,是把八根支柱收进一个连贯的控制平面 —— 而 Anthropic 那条老规矩照样管用:每一层都得挣到自己的位置,别为了「企业级」堆没被证明值得的复杂度。1注 1Note 1Anthropic ·「Building Effective Agents」(2024-12-19)—— 基本积木是 augmented LLM;建议先找最简单的方案,只在复杂度确实改善结果时才加。capstone 把八根支柱收进一个连贯工程,靠的还是这句话:每一层都得挣到自己的位置。Anthropic · 'Building Effective Agents' (2024-12-19) — the basic block is the augmented LLM; find the simplest solution and add complexity only when it demonstrably improves outcomes. The capstone folds eight pillars into one coherent project on that same line: every layer must earn its place.The heart is unchanged. Chapter 1's line cashes out here a third time: an agent is an LLM using tools in a loop, reading feedback, deciding the next step; everything else is a layer hung on that loop.4注 4Note 4OpenAI ·「A Practical Guide to Building Agents」(2025-04)—— 单 agent 是一个 run loop,跑到触发退出条件为止;护栏是分层防御。capstone 的参考架构就是把这个 run loop 放进控制平面的中心,各层挂在四周。OpenAI · 'A Practical Guide to Building Agents' (2025-04) — a single agent is a run loop until an exit condition; guardrails are a layered defense. The capstone's reference architecture puts that run loop at the center of the control plane, with each layer hung around it. Enterprise-grade isn't a smarter heart — it's building 'trustworthy, at scale, on other people's data, with an audit trail' around the same loop, one layer at a time. So the capstone isn't another demo; it folds the eight pillars into one coherent control plane — and Anthropic's old rule still governs: every layer must earn its place; don't pile complexity in the name of 'enterprise' unless it's proven worth it.1注 1Note 1Anthropic ·「Building Effective Agents」(2024-12-19)—— 基本积木是 augmented LLM;建议先找最简单的方案,只在复杂度确实改善结果时才加。capstone 把八根支柱收进一个连贯工程,靠的还是这句话:每一层都得挣到自己的位置。Anthropic · 'Building Effective Agents' (2024-12-19) — the basic block is the augmented LLM; find the simplest solution and add complexity only when it demonstrably improves outcomes. The capstone folds eight pillars into one coherent project on that same line: every layer must earn its place.
— I
参考架构:一个循环,套在控制平面里Reference Architecture — One Loop, Wrapped in a Control Plane.
先看全景。中间还是第二章那个 while 循环,控制平面的七层从上到下把它包住,每个行动进出都要穿过。八根支柱不是八个模块,是这张图上的位置。Start with the whole picture. At the center is still chapter 2's while loop; the control plane's seven layers wrap it top to bottom, and every action passes through them going in and coming out. The eight pillars aren't eight modules — they're positions on this map.
企业级研究助手的参考架构 —— 循环居中,控制平面环绕Reference architecture for the enterprise research assistant — loop at the center, control plane around it
读这张图的方法:从任意一个动作出发,它必须自上而下穿过每一层,任何一层都能拦。一个被网页注入劫持、想把密钥 fetch 出去的动作,会在 ⑤ 撞上出网白名单(对抗章)、或因会话被污点标记而撞上人闸;一个跑飞的循环会在 ⑦ 撞上预算硬闸(第十一章);一次改动让成功率掉了,会在 ⑥ 的回归门禁(第十章)被挡在上线之前。八根支柱在这张图上各就各位 —— 缺哪一层,就是那个方向没有拦截。How to read it: start from any action, and it must pass top-to-bottom through every layer, any of which can stop it. An action hijacked by a page injection, trying to fetch a key out, hits the egress allowlist at ⑤ (the adversarial chapter), or the human gate because the session is tainted; a runaway loop hits the hard budget gate at ⑦ (chapter 11); a change that dropped the success rate is held before launch by the regression gate at ⑥ (chapter 10). The eight pillars take their positions on this map — a missing layer is a direction with no interception.
— II
分层规格:每一层的输入、契约、不做会怎样Layered Spec — Each Layer's Input, Contract, and Cost of Skipping.
架构图给形状,规格给契约。下面把每一层写成三件事:它拿什么、保证什么、不做会怎样 —— 这正是能交给编码 agent 的东西:一层一个可验收的目标。The diagram gives shape; the spec gives contracts. Below, each layer is written as three things: what it takes in, what it guarantees, and what happens if you skip it — which is exactly what you can hand a coding agent: one verifiable goal per layer.
① 身份与委托① Identity & delegation
拿:调用者 + 替谁干。保证:agent 有独立身份、token 短命且只降权、密钥不进上下文。不做:无法归因、爆炸半径 = 你的全部权限(身份章 · RFC 8693)。Takes: caller + on-behalf-of. Guarantees: the agent has its own identity, tokens are short-lived and downscope-only, secrets never enter context. Skip it: no attribution, blast radius = all your privileges (identity chapter · RFC 8693).
② 运行时与隔离② Runtime & isolation
拿:要执行的不可信代码/动作。保证:沙箱、一次性工作区、租户间数据不串。不做:一次注入拿下整台机器、租户 A 读到租户 B(ch7 · 多租户)。Takes: untrusted code/actions to run. Guarantees: sandbox, ephemeral workspace, no cross-tenant data. Skip it: one injection owns the machine, tenant A reads tenant B (ch7 · multi-tenancy).
③ 上下文与检索③ Context & retrieval
拿:任务 + 可用知识。保证:先按权限过滤再检索、上下文有预算、缓存稳定前缀。不做:后置过滤经命中数泄露、context rot 让它变笨(ch4)。Takes: task + available knowledge. Guarantees: filter-before-retrieve by permission, a context budget, stable-prefix caching. Skip it: post-filtering leaks via hit counts, context rot dulls it (ch4).
④ 网关与成本④ Gateway & cost
拿:模型请求。保证:换模型不改工作流、按成本/复杂度路由、每请求可计价。不做:绑死一家、成本不可见(ch11 · FinOps)。Takes: model requests. Guarantees: swap models without touching the workflow, route by cost/complexity, price per request. Skip it: locked to one vendor, cost invisible (ch11 · FinOps).
⑤ 工具与护栏⑤ Tools & guardrails
拿:模型要调的工具。保证:scope 鉴权、白名单、污点后升级人闸、出网白名单。不做:confused deputy 借你的权限外发(身份+对抗+ch9)。Takes: tools the model wants to call. Guarantees: scope authz, allowlist, taint-then-gate, egress allowlist. Skip it: a confused deputy exfiltrates on your privilege (identity + adversarial + ch9).
⑥ 评测与追踪⑥ Eval & trace
拿:每一步 + 每次改动。保证:golden set 回归门禁、trace 可 debug、审计链不可篡改。不做:你以为 95% 其实 70%、改坏了没人知道(ch10 · 治理)。Takes: every step + every change. Guarantees: golden-set regression gate, debuggable trace, tamper-evident audit chain. Skip it: you think 95% when it's 70%, a regression ships silently (ch10 · governance).
⑦ 审批与降级⑦ Approval & degradation
拿:高风险/超预算/失败信号。保证:预算硬闸、熔断、模型 fallback、一键急停。不做:一个循环烧穿账单、坏模型上线拉不回(ch11 · 治理)。Takes: high-risk / over-budget / failure signals. Guarantees: hard budget gate, circuit breaker, model fallback, one-switch kill. Skip it: one loop burns the bill, a bad model ships with no rollback (ch11 · governance).
持久执行Durable execution
拿:长任务的状态。保证:可恢复、幂等、可重放。不做:一崩全白跑、恢复时重复下单(ch11 · 失败工程)。Takes: long-task state. Guarantees: resumable, idempotent, replayable. Skip it: one crash wastes it all, resume double-charges (ch11 · failure engineering).
这份规格的用法有两种。一是审计你现有的 agent:逐层问「这一层我有没有、保证得住吗」,缺的那几层就是你的差距清单。二是当作下一节 kickoff prompt 的骨架 —— 每一层的「保证」就是一条验收标准。Two uses for this spec. One: audit your existing agent — ask each layer 'do I have it, does it hold,' and the missing layers are your gap list. Two: use it as the skeleton of the next section's kickoff prompt — each layer's 'guarantees' becomes one acceptance criterion.
— III
Kickoff Prompt:交给编码 agent 去 vibeThe Kickoff Prompt — Hand It to a Coding Agent to Vibe.
「vibe 出一个企业级 agent」不是一句口号,前提是你交出去的不是「帮我做个企业级 agent」这种许愿,而是一份带验收标准的规格。编码 agent(Cursor / Claude Code / Codex)最强的场景是有客观对错信号的活 —— 所以 kickoff prompt 的关键,是把上一节每层的「保证」写成它能自己跑的检查。'Vibe-code an enterprise agent' isn't a slogan, provided what you hand over isn't the wish 'build me an enterprise agent' but a spec with acceptance criteria. A coding agent (Cursor / Claude Code / Codex) is strongest where there's an objective right/wrong signal — so the key to the kickoff prompt is writing each layer's 'guarantees' from the last section as checks it can run itself.Claude Code 的核心 best practice 就一句:给它一个它能自己跑的检查(测试、build、linter),循环就能自己闭合 —— 写 → 跑检查 → 读结果 → 改,直到过。2注 2Note 2Anthropic 文档 · Claude Code best practices —— 核心一句「给 Claude 一个它能自己跑的检查」(测试/build/linter/截图)让循环自己闭合;Explore → Plan → Code → Commit。capstone 的 kickoff prompt 正是把验收标准写成「它能自己跑的检查」,让 vibe-code 有客观的对错信号。截至 2026-05。Anthropic docs · Claude Code best practices — the core line 'give Claude a check it can run' (tests / build / linter / screenshot) lets the loop close itself; Explore → Plan → Code → Commit. The capstone's kickoff prompt writes its acceptance criteria as 'a check it can run,' giving the vibe-coding an objective right/wrong signal. As of 2026-05.下面这份 prompt 就是照这个来的:它给编码 agent 一个基线(本书的 research_agent 工程)、一份分层任务、和一组必须变绿的验收测试。把它整段贴给 Cursor 或 Claude Code:Claude Code's core best practice is one line: give it a check it can run (tests, a build, a linter), and the loop closes itself — write → run the check → read the result → fix, until it passes.2注 2Note 2Anthropic 文档 · Claude Code best practices —— 核心一句「给 Claude 一个它能自己跑的检查」(测试/build/linter/截图)让循环自己闭合;Explore → Plan → Code → Commit。capstone 的 kickoff prompt 正是把验收标准写成「它能自己跑的检查」,让 vibe-code 有客观的对错信号。截至 2026-05。Anthropic docs · Claude Code best practices — the core line 'give Claude a check it can run' (tests / build / linter / screenshot) lets the loop close itself; Explore → Plan → Code → Commit. The capstone's kickoff prompt writes its acceptance criteria as 'a check it can run,' giving the vibe-coding an objective right/wrong signal. As of 2026-05. The prompt below follows exactly that: it gives the coding agent a baseline (this book's research_agent project), a layered task, and a set of acceptance tests that must go green. Paste it whole into Cursor or Claude Code:
提示词PromptCursor / Claude Code / Codex
把基线工程 <research_agent> 升级成一个企业级 agent。基线已实现:循环、工具+并行、记忆、沙箱、护栏、trace、预算闸,以及企业四格的教学骨架(authz / 污点+出网 / 审计+急停)。
分层实现下面每一层,每层配一个可自动跑的测试,全部变绿才算完成:
1) 身份:把 authz.py 的教学版 TokenBroker 换成一次真实的 OAuth 2.0 token exchange(RFC 8693),token 短命、只降权、带 act 声明。测试:降权的 Principal 调受限工具被拒。
2) 运行时:把沙箱从 subprocess 换成容器隔离(<容器方案>),无网络、只读根、workspace 可写。测试:一段试图读 ~/.ssh 并外发的代码被挡。
3) 上下文:把关键词 RAG 换成「先按 <权限模型> 过滤、再检索」的管线。测试:租户 A 的查询检索不到租户 B 的文档。
4) 网关:在模型层前加一个 model gateway,支持按 <路由规则> 换模型、记每请求成本。测试:换模型时工作流代码零改动。
5) 工具:把污点闸和出网白名单接到你真实的高风险工具上。测试:会话读过不可信内容后,动手工具强制过人闸。
6) 评测:建一个 >=20 条的 golden set + CI 回归门禁,成功率下降就挡住合并。测试:注入一个会降低成功率的改动,CI 变红。
7) 审批/降级:预算硬闸 + 模型 fallback + 文件急停,全部可在不重启的情况下触发。测试:touch 急停文件后,下一步 0 执行且进审计。
持久执行:把内存态换成可持久化的状态,支持崩溃后从断点恢复、动手动作幂等。测试:跑到一半 kill 进程,重启后从断点续、不重复已完成的动手步。
约束:
- 每层实现前先给出取舍(为什么这个方案),再写代码。
- 沿用基线的双档设计:不配置时行为等同基线,配置后才启用企业档。
- 每层的验收测试进 CI;不许为了过测试写投机代码(reward hacking)。
- 对照 OWASP Agentic Top 10 自查:ASI01 目标劫持 / ASI02 工具滥用 / ASI03 身份滥用 / ASI05 意外代码执行 / ASI06 记忆投毒 / ASI10 失控 agent 各有哪一层在防,写进 README。Upgrade the baseline project <research_agent> into an enterprise-grade agent. The baseline already implements: the loop, tools + parallelism, memory, sandbox, guardrails, traces, a budget gate, and teaching skeletons for the four enterprise slots (authz / taint+egress / audit+kill switch).
Implement each layer below, each with an automated test; done means all green:
1) Identity: replace authz.py's teaching TokenBroker with a real OAuth 2.0 token exchange (RFC 8693) — short-lived, downscope-only tokens carrying an act claim. Test: a downscoped Principal is denied a restricted tool.
2) Runtime: move the sandbox from subprocess to container isolation (<container choice>), no network, read-only root, workspace writable. Test: code trying to read ~/.ssh and exfiltrate is blocked.
3) Context: replace keyword RAG with a filter-by-<permission model>-then-retrieve pipeline. Test: tenant A's query cannot retrieve tenant B's documents.
4) Gateway: add a model gateway before the model layer — swap models by <routing rule>, price per request. Test: swapping models requires zero workflow code changes.
5) Tools: wire the taint gate and egress allowlist onto your real high-risk tools. Test: after the session reads untrusted content, an action tool is forced through the human gate.
6) Eval: build a >=20-case golden set + a CI regression gate that blocks a merge on a success-rate drop. Test: inject a change that lowers success rate; CI goes red.
7) Approval/degradation: hard budget gate + model fallback + file kill switch, all triggerable without restart. Test: touch the kill-switch file; the next step executes 0 actions and is audited.
Durable execution: replace in-memory state with persistable state; resume from a checkpoint after a crash, with idempotent action steps. Test: kill the process midway; on restart it resumes without repeating done actions.
Constraints:
- Before each layer, state the trade-off (why this approach), then write code.
- Keep the baseline's two-tier design: unconfigured behavior equals the baseline; the enterprise tier is opt-in.
- Each layer's acceptance test goes into CI; no reward hacking to pass tests.
- Self-audit against the OWASP Agentic Top 10: for ASI01 goal hijack / ASI02 tool misuse / ASI03 identity abuse / ASI05 unexpected code execution / ASI06 memory poisoning / ASI10 rogue agents, document in the README which layer defends each.
(把 <尖括号> 换成你的真实选择,例如:)
<容器方案> = gVisor(比 Docker 强一档,跑不可信代码)
<权限模型> = 每文档的 tenant_id + ACL 标签,检索前先过滤
<路由规则> = 简单任务走便宜模型、复杂任务走旗舰,按 cost-of-pass 决定
—— 填完这三个,上面整段就能直接交出去。(Replace <angle brackets> with your real choices, e.g.:)
<container choice> = gVisor (a rung above Docker, for untrusted code)
<permission model> = per-document tenant_id + ACL tags, filtered before retrieval
<routing rule> = cheap model for simple tasks, flagship for complex, decided by cost-of-pass
— fill these three and the whole block above is ready to hand off.
为什么这份 prompt 能真搭出企业级 agent,而不是又一个 demo?因为它交出去的不是愿望,是八根支柱各自的验收标准 —— 每一条都能自动跑、会给对错。编码 agent 在这种有客观信号的活上最靠谱:它写完一层,测试告诉它过没过,不过就自己改。你要做的是三件事:填掉上面高亮的三个占位符(把取舍变成你的真实选择)、盯着它别为过测试写投机代码(第十四章的 reward hacking)、以及在它自查 OWASP 那一步核对每条威胁真有一层在防。3注 3Note 3OWASP · Top 10 for Agentic Applications 2026 —— capstone 的验收清单直接对着这十条:ASI01 Agent Goal Hijack、ASI02 Tool Misuse and Exploitation、ASI03 Identity and Privilege Abuse、ASI05 Unexpected Code Execution、ASI06 Memory & Context Poisoning、ASI10 Rogue Agents 等。条目名以官方 PDF 目录为准。OWASP · Top 10 for Agentic Applications 2026 — the capstone's acceptance checklist maps to these ten: ASI01 Agent Goal Hijack, ASI02 Tool Misuse and Exploitation, ASI03 Identity and Privilege Abuse, ASI05 Unexpected Code Execution, ASI06 Memory & Context Poisoning, ASI10 Rogue Agents, and the rest. Entry names per the official PDF's table of contents.这就是「vibe 出企业级 agent」的实际样子 —— 不是一句话许愿,是一份带刻度的规格加一个会自己闭环的编码 agent。Why does this prompt actually build an enterprise agent rather than another demo? Because what it hands over isn't a wish but an acceptance criterion for each of the eight pillars — each one automatable, each returning right or wrong. A coding agent is most reliable on work with an objective signal: it finishes a layer, the test says pass or fail, and it fixes what fails. Your job is three things: fill the three highlighted placeholders above (turn trade-offs into your real choices), watch that it doesn't reward-hack its way past the tests (chapter 14's warning), and at its OWASP self-audit step, verify each threat truly has a defending layer.3注 3Note 3OWASP · Top 10 for Agentic Applications 2026 —— capstone 的验收清单直接对着这十条:ASI01 Agent Goal Hijack、ASI02 Tool Misuse and Exploitation、ASI03 Identity and Privilege Abuse、ASI05 Unexpected Code Execution、ASI06 Memory & Context Poisoning、ASI10 Rogue Agents 等。条目名以官方 PDF 目录为准。OWASP · Top 10 for Agentic Applications 2026 — the capstone's acceptance checklist maps to these ten: ASI01 Agent Goal Hijack, ASI02 Tool Misuse and Exploitation, ASI03 Identity and Privilege Abuse, ASI05 Unexpected Code Execution, ASI06 Memory & Context Poisoning, ASI10 Rogue Agents, and the rest. Entry names per the official PDF's table of contents. That is what 'vibe-code an enterprise agent' actually looks like — not a one-sentence wish, but a spec with a scale plus a coding agent that closes its own loop.动手 · 真交出去一次:Hands-on · actually hand it off once:
01
填掉三个尖括号,选一层先做Fill the three brackets, pick one layer to start
把三个占位符(容器方案 / 权限模型 / 路由规则)换成你的真实取舍,然后只让编码 agent 先做第 5 层(污点+出网接到真实工具)—— 它是基线里已有骨架、最快看到绿的一层。Replace the three placeholders (container choice / permission model / routing rule) with your real trade-offs, then have the coding agent do only layer 5 first (taint+egress on real tools) — it has a skeleton in the baseline and is the fastest to green.
02
盯它的验收测试,别让它作弊Watch its acceptance test; don't let it cheat
看它写的测试是不是真在验「保证」,还是在验一个它自己能轻松满足的空壳 —— 那一步就是第十四章说的、客观信号保不了你的地方。Check whether its test really verifies the 'guarantee' or a hollow condition it can trivially satisfy — that step is exactly where chapter 14 said the objective signal can't protect you.
03
让它写 OWASP 自查表,你来核对Have it write the OWASP self-audit, you verify
让编码 agent 产出「ASI0x 由哪一层防」的表,你逐条核对:有没有哪条威胁其实没有任何一层在拦。核对完,你手里就是一个能对着清单交代自己的企业级 agent。Have the coding agent produce the 'ASI0x defended by which layer' table, and verify each row: is any threat actually unguarded by every layer. Once verified, you hold an enterprise agent that can account for itself against a checklist.
心脏还是第二章那个循环,
企业级是你在它外面搭起的每一层。.
The heart is still chapter 2's loop;
enterprise-grade is every layer you build around it..
Aklman Library
— 讨论Discussion
讨论Discussion.
评论区初始化中…Initializing comments…
01 / 01
没有匹配结果No matches.
换个关键词,或按 Esc 回到页面Try another keyword, or press Esc to return