A private AI assistant that never leaks: designing the outbound boundary 一个永不泄露的私有 AI 助手:设计出站边界
"Your data never leaves your machine" is the promise every privacy-anxious buyer wants to hear — and it's meaningless unless you can point at the single place data does leave, and prove nothing else can. The trust isn't in the reassurance. It's in drawing the outbound boundary explicitly, and designing the system so there's exactly one door. "你的数据永远不出你的机器"是每一个怕隐私泄露的买家都想听的承诺——而它毫无意义,除非你能指出数据确实离开的那唯一一个地方,并证明别的地方都出不去。信任不在那句安慰里。信任在于把出站边界明明白白画出来,并把系统设计成:只有一扇门。
The claim and the proof are different things"承诺"和"证明"是两回事
Anyone can say "self-hosted and private." The overclaim is easy and it's what a nervous buyer has heard before, usually right before something leaked anyway. What actually earns trust is the opposite move: instead of promising it never happens, you name precisely where data leaves, why it has to, and what stops it leaving anywhere else. A vendor who volunteers the one egress is a vendor who has actually thought about the boundary — and that's more convincing than any "100% private" banner. 谁都会说"自托管、很私密"。夸海口很容易,而且这正是一个紧张的买家以前听过的——通常听完没多久就还是泄露了。真正赢得信任的是相反的动作:不是承诺它永不发生,而是精确说出数据从哪里出去、为什么必须出去、以及什么拦住了它从别处出去。一个主动交代那唯一出口的供应商,才是真正想过边界的供应商——这比任何"100% 私密"的横幅都更有说服力。
Five controls, each an architecture decision — not a promise五条控制,每条都是架构决策——不是承诺
Take a buyer's list of "non-negotiables" for a private assistant and turn each one from a feature into an enforced mechanism: 拿一个买家给私有助手列的"不可谈判项",把每一条从"功能"变成"被强制的机制":
- Runs on your hardware, nowhere else. Self-hosted on your machine — the assistant has no home in anyone's cloud, so there's no account to be breached or subpoenaed elsewhere. 只跑在你的硬件上,别无他处。自托管在你的机器上——助手在任何人的云里都没有家,于是别处没有一个能被攻破或被传唤的账户。
- Never on the public internet. A private mesh (Tailscale) with no inbound public port — the machine is reachable by you, and unaddressable to the open internet. There's nothing to port-scan. 永不暴露在公网。一张私有网格(Tailscale),没有任何入站公网端口——这台机器只有你够得着,对开放互联网不可寻址。根本没有东西可供端口扫描。
- Your model keys, your inference. Every reasoning call uses your own API key — the intelligence is rented per-call under your account, not mediated through a middleman who sees your data. 你的模型密钥,你的推理。每一次推理调用都用你自己的 API key——智能是以你的账户按次租用的,不经过一个能看见你数据的中间商。
- Encrypted at rest, and fully exportable. A local encrypted store, and export to plain formats plus the original source anytime. Owning your data means being able to walk away with all of it — lock-in is its own kind of leak. 静态加密,且可完整导出。一个本地加密存储,随时能导出成通用格式加原始源文件。拥有你的数据,意味着能带着它全部离开——锁定本身就是另一种泄露。
- No silent failure. Every workflow has a heartbeat; a silent failure pings you instead of rotting quietly. A privacy system that dies without telling you is a privacy system you've stopped being able to trust without knowing it. 没有无声故障。每个工作流都有心跳;一次无声的失败会主动提醒你,而不是安静地烂掉。一个死了却不告诉你的隐私系统,是一个你已经不能再信任、却浑然不知的隐私系统。
The one door: only the inference call leaves那唯一一扇门:只有推理调用出去
Drawn as a data-flow, the whole system has exactly one arrow pointing outward: the inference call to the model provider, made on your key. Capture, transcription, memory, the knowledge graph, every business connector — all of it reads and writes locally. The provider call is the single egress, and because it's the only one, it's the only thing you have to reason about, rate-limit, and log. Everything else is contained by construction, not by policy. When there's one door, you can actually watch it. 把它画成数据流,整个系统只有一个箭头指向外面:发给模型提供方的那次推理调用,用的是你的 key。捕获、转写、记忆、知识图谱、每一个业务连接器——全都在本地读写。提供方调用是唯一的出站口,而正因为它是唯一的,它才是你唯一需要去推敲、限流、记录的东西。其余一切都由构造本身兜住,而非靠策略。当只有一扇门时,你才真的看得住它。
That's also the honest caveat, stated plainly: the model call does leave the machine. So the boundary isn't "nothing ever leaves" — it's "only your chosen model API sees a request, on your account, and you can see every time it does." Precision like that is what a real privacy design looks like, and saying it out loud is what separates it from a marketing claim. 这也是那条诚实的但书,直说:模型调用确实会离开这台机器。所以边界不是"什么都不出去"——而是"只有你选定的模型 API 会看到一个请求,用你的账户,而且它每次这么做你都看得见"。这种精确,才是真正的隐私设计的样子;而把它大声说出来,正是它区别于营销话术的地方。
The through-line贯穿其中的那条线
It's the same instinct as least-privilege everywhere else I build: don't grant a capability you can't account for, and make the sensitive path the narrowest, most visible part of the system rather than the vaguest. Trust with a privacy-anxious buyer isn't won by promising more — it's won by drawing the boundary so precisely that they can check it themselves. The system I'd be proud to hand over is the one where the customer can see exactly where their data goes, because it goes exactly one place. 这和我在别处构建时用的是同一种直觉——最小权限:不要授予一个你无法交代的能力,并把敏感路径做成系统里最窄、最可见的部分,而不是最含糊的部分。面对怕隐私泄露的买家,信任不是靠承诺更多赢来的——是靠把边界画得足够精确、精确到他们能自己核验。我愿意交付的那种系统,是客户能确切看到他们数据去了哪的那种——因为它只去一个地方。
This is how I design these systems — the pattern comes from years of backend work where the boundary between "inside" and "outside" a system is the thing you defend first. 这就是我设计这类系统的方式——这套模式来自多年后端工作,在那里,一个系统"内"与"外"之间的边界,是你首先要守住的东西。
← All notes← 全部笔记