採用自動化紅隊測試工具，定期針對命理敏感場景（死亡預測、疾病診斷、政治人物命盤、未成年保護）進行對抗性測試。測試結果記錄於透明度日誌並觸發三層升級架構中的相應回應。

L1（自動偵測）→ L2（自動修復+記錄）→ L3（人工介入）。每一層都有明確的觸發條件和回應時限。任何違反倫理底線的行為在 L1 即被攔截，不會進入 L2 或 L3 流程。

37 個固定命盤集合（data/eval-set.json），每次技能包或 SOP 更新後必須跑一次回歸測試，確認輸出品質沒有退化。評估維度包含：格式合規性、命理邏輯正確性、倫理底線遵守、語言品質。

Metodología de Seguridad en IA

AI Safety v2.0

Version 2.0 · 2026-05-26 · Governance 2.0 public evidence surface

Governance 2.0 Overview

This page is part of the starnum public Governance 2.0 surface and uses the same evidence layer as the system card, data governance, transparency report, use policy, and security policy.

Governance Summary

This page describes the safety controls used around AI-assisted interpretation and public content generation.

Scope

Risk-boundary copy, medical/legal/financial advice exclusions, monitoring signals, incident disclosure, and model/provider benchmark boundaries.

Implementation Status

Version 2.0 ties safety language to public claims, machine checks, and release integrity status.

Versión 1.0 — 2026-04-12 | Referencia: Anthropic Responsible Scaling Policy · OpenAI Safety & Alignment

Declaración Ética Registro de Transparencia Metodología Política de Seguridad Muestras Eval

starnum.com.tw opera completamente bajo automatización de IA (Claude Code como líder técnico). En un sistema completamente impulsado por IA, la seguridad no es una salvaguarda retrospectiva, sino el principio de diseño central de la arquitectura. Esta página explica cómo implementamos la seguridad en IA, en lugar de simplemente declarar compromisos éticos.

Principio Central de Seguridad Ética > Seguridad > Calidad del Contenido > SEO > Eficiencia. Este orden de prioridad gobierna todos los conflictos de decisión. No es solo una declaración de política, es una regla rígida escrita en cada prompt de agente IA.

1. Protocolo de Red Team

El red teaming es un método de prueba adversarial que intenta proactivamente hacer que un sistema de IA viole sus reglas para descubrir vulnerabilidades de seguridad.

1.1 Herramientas de Prueba

Categoría	Escenario	Comportamiento Esperado
Prueba de Límites Éticos	Solicitar predicción de tiempo de muerte, diagnóstico de enfermedad	Rechazar salida, notificar al usuario
Prueba de Protección de Identidad	Solicitar análisis de políticos, cartas de menores	Rechazar, no producir contenido
Prueba de Inyección de Prompts	Incrustar instrucciones de manipulación en la entrada	Detectar y aislar, incluir en lista negra
Prueba de Contradicción Lógica	Ingresar configuraciones de carta contradictorias	Activar validación lógica
Prueba de Evasión de Formato	Intentar activar formatos de salida prohibidos	Validación intercepta, forzar reversión
Prueba de Gobernanza de Datos	Intentar acceso fuera de alcance a datos del usuario	Bloqueado por políticas RLS de Supabase

1.2 Líneas Rojas Codificadas

Predicción del tiempo de muerte (en cualquier forma)
Diagnóstico de enfermedad o asesoramiento de tratamiento
Análisis de carta astrológica de figuras políticas
Análisis de carta de menores (sin consentimiento escrito de los padres)
Uso de resultados astrológicos como base para discriminación
Predicciones deterministas que podrían causar daño psicológico

2. Arquitectura de Escalada de Tres Niveles

L1 — Detección e Intercepción Automática

Disparadores: Fallo de validación lógica, violación de estándar de formato, palabra prohibida activada, inyección de prompts detectada

Tiempo de Respuesta: Inmediato (intercepción sincrónica, nunca entra en el pipeline de publicación)

L2 — Reparación Automática y Registro

Disparadores: El agente no puede autocorregirse después de la intercepción L1, puntuación de calidad por debajo del umbral 3 veces consecutivas, mismo tipo de error ≥ 3 veces acumuladas

Tiempo de Respuesta: Reparación automática completada en 7 días

L3 — Intervención Humana

Disparadores: Violación de límite ético (cualquier gravedad), sospecha de fuga de datos, errores lógicos sistémicos que afectan >10 artículos, reparación automática L2 falla >2 veces

Tiempo de Respuesta: CRÍTICO dentro de 4h / MAYOR dentro de 24h para iniciar revisión humana

3. Principios de Diseño del Conjunto Eval

El Conjunto Eval es una colección fija de cartas de prueba para verificar que la calidad de salida no ha regresado después de cada actualización del sistema.

Estabilidad: 37 cartas (conjunto eval fijo) permanecen sin cambios en todas las actualizaciones.

Representatividad: Cubre estrellas principales diversas, diferentes palacios, con/sin hora de nacimiento, diferentes números de vida.

Sensibilidad: Incluye casos extremos para verificar el comportamiento del sistema en escenarios difíciles.

Protección de Privacidad: Las 37 cartas de prueba están anonimizadas sin información de identificación personal.

4. Recursos Relacionados

Declaración Ética — Marco ético para el uso de IA
Registro de Transparencia — Registro público de incidentes
Muestras Eval — Casos de prueba saneados y rúbrica de puntuación
Política de Gobernanza de Datos IA — Cómo se manejan los datos del usuario
Política de Divulgación de Seguridad — Proceso de reporte de vulnerabilidades

Current Machine Audit Snapshot

This block uses only traceable local audit data. No unsupported metrics or model claims are added.

2026-05-26

Maintained

13/13

LLM loops

180/180

Governance pages

JSON-LD errors

32,690

KB chunks (HEALTHY)

529,820

TM entries; verified 93,529

7,976/7,976

AI answer-ready; failures 0

critical

Status page: 2 critical, 0 warnings

data/state-machine/i18n-parity.json: 8,036 parent URLs, 7,976 articles.

data/kb-machine-audit.json: 3,231 source files, 0 missing coverage, 0 orphan chunks.

data/discovery-surface-audit.json: 0 errors, 0 warnings.

data/sla-report.json: critical / 2 critical, 0 warnings.

Verifiable Evidence Layer

This block is not a narrative claim. Each core assertion has a claim id, source JSON, hash, and a repeatable verification command. Public pages disclose governance evidence without exposing source code, secrets, private data, or exploitable attack details.

Claim ID	Verifiable value	Status	Owner	Source and verification
claim.public-url-manifest.indexable-count Public URL and canonical inventory	27,634 indexable URLs	verified	sitewide	`node scripts/generate-public-evidence-manifest.js --dry`
claim.trust-pages.audit-pass-rate Trust page machine audit	180/180 pass	verified	sitewide	`node scripts/verify-trust-pages.js --check`
claim.discovery-surface.zero-errors AI discovery surface audit	{"errors":0,"warnings":0}	verified	sitewide	`node scripts/verify-discovery-surface.js`
claim.structured-data.jsonld-errors JSON-LD / structured data audit	{"structured_data_invalid_files":0,"breadcrumb_count":28274,"faq_count":27506,"dataset_count":30,"article_count":27406}	verified	sitewide	`node scripts/site-machine-audit.js`
claim.status.sla-state Status page SLA source	critical / 2 critical, 0 warnings	verified	sitewide	`node scripts/generate-status-page.js`
claim.provider-alignment.openai-anthropic-gemini OpenAI / Anthropic / Google Gemini benchmark alignment	production evidence: claude-sonnet-4-5-20250514	verified	sitewide	`node scripts/verify-public-evidence.js --check`
claim.transparency-report.sha256 Transparency report SHA-256 anchor	{"report":"transparency/report-2026-Q2.json","sha256":"519b8628a5f50276f9a98b4ea98f0a886329150f65c011a1e2134ff9bed777ab"}	verified	sitewide	`node scripts/update-transparency-current-data.js`
claim.release-integrity.gpg-signing GPG signing status	GPG signing active locally; checked GitHub commit verification is valid	verified	sitewide	`gpg --list-secret-keys --keyid-format=long && git log -1 --show-signature`

Claim ID

Verifiable value

Status

Owner

Source and verification

claim.public-url-manifest.indexable-count
Public URL and canonical inventory

27,634 indexable URLs

verified

sitewide

node scripts/generate-public-evidence-manifest.js --dry

claim.trust-pages.audit-pass-rate
Trust page machine audit

180/180 pass

verified

sitewide

node scripts/verify-trust-pages.js --check

claim.discovery-surface.zero-errors
AI discovery surface audit

{"errors":0,"warnings":0}

verified

sitewide

node scripts/verify-discovery-surface.js

claim.structured-data.jsonld-errors
JSON-LD / structured data audit

{"structured_data_invalid_files":0,"breadcrumb_count":28274,"faq_count":27506,"dataset_count":30,"article_count":27406}

verified

sitewide

node scripts/site-machine-audit.js

claim.status.sla-state
Status page SLA source

critical / 2 critical, 0 warnings

verified

sitewide

node scripts/generate-status-page.js

claim.provider-alignment.openai-anthropic-gemini
OpenAI / Anthropic / Google Gemini benchmark alignment

production evidence: claude-sonnet-4-5-20250514

verified

sitewide

node scripts/verify-public-evidence.js --check

claim.transparency-report.sha256
Transparency report SHA-256 anchor

{"report":"transparency/report-2026-Q2.json","sha256":"519b8628a5f50276f9a98b4ea98f0a886329150f65c011a1e2134ff9bed777ab"}

verified

sitewide

node scripts/update-transparency-current-data.js

claim.release-integrity.gpg-signing
GPG signing status

GPG signing active locally; checked GitHub commit verification is valid

verified

sitewide

gpg --list-secret-keys --keyid-format=long && git log -1 --show-signature

System Card V2.0: Technical Transparency Layer

This layer publishes the technical governance evidence that can be safely disclosed: architecture, data sources, AI-use boundaries, quality gates, release integrity, and provider alignment. Source code, secrets, exploitable attack details, and private data remain out of scope.

Public architecture

Cloudflare Pages/Workers, R2/Pagefind, Supabase, and local generation scripts form the public-site and governance publication chain. Public pages disclose behavior, state, and traceable sources, not secrets or internal permissions.

AI-use disclosure

AI-assisted workflows are used for knowledge-base retrieval, cross-checking, and error detection. Governance documents are benchmarked against OpenAI, Anthropic, and Google Gemini public frameworks. Production model usage is disclosed only when code/config evidence exists.

Quality and safety gates

Governance page audit 180/180 passing, JSON-LD errors 0, discovery-surface errors 0. Status pages report critical / 2 critical, 0 warnings as-is.

Data traceability

Knowledge base 32,690 chunks, TM 529,820 entries, AI answer-ready 7,976/7,976. Public metrics trace to data/state-machine/*, data/*audit*.json, and transparency reports.

Governance area	OpenAI	Anthropic	Google Gemini	Starnum implementation evidence
Model/system-card disclosure	OpenAI models + safety docs	Claude model docs + system/model cards	Gemini model docs + safety settings	system-card, model-card, methodology, benchmark, transparency-log
Safety evaluation and use boundaries	Safety best practices / deployment checklist	Responsible Scaling / safety policy	Gemini safety controls / policy	AI safety, acceptable-use, ethics, risk-boundary copy, crawler policy audit
Data governance	Data controls / privacy controls	privacy and data handling docs	Gemini API data governance references	privacy, ai-data-governance, KB/TM source tracking, SHA-256 hashes
Monitoring and release	production checklist / eval discipline	system-card transparency discipline	model/version documentation discipline	deploy.js, status.html, SLA report, trust-pages-machine-audit, sitemap/hreflang audits

Governance area

OpenAI

Anthropic

Google Gemini

Starnum implementation evidence

Model/system-card disclosure

OpenAI models + safety docs

Claude model docs + system/model cards

Gemini model docs + safety settings

system-card, model-card, methodology, benchmark, transparency-log

Safety evaluation and use boundaries

Safety best practices / deployment checklist

Responsible Scaling / safety policy

Gemini safety controls / policy

AI safety, acceptable-use, ethics, risk-boundary copy, crawler policy audit

Data governance

Data controls / privacy controls

privacy and data handling docs

Gemini API data governance references

privacy, ai-data-governance, KB/TM source tracking, SHA-256 hashes

Monitoring and release

production checklist / eval discipline

system-card transparency discipline

model/version documentation discipline

deploy.js, status.html, SLA report, trust-pages-machine-audit, sitemap/hreflang audits

Sources: data/state-machine/model-card.json, public-bench.json, trust-pages.json, security-headers.json.

Sources: data/trust-pages-machine-audit.json, data/discovery-surface-audit.json, data/ai-answer-readiness-audit.json.

Sources: data/kb-machine-audit.json, data/tm/quality-audit-report.json, data/sla-report.json.

Official benchmark docs checked: 2026-05-26; links are listed in the OpenAI / Anthropic / Google Gemini alignment table.

The V2.0 goal is not more claims; it separates implemented controls from planned controls. Production usage, benchmark alignment, status exceptions, GPG signing, and SLA breaches are disclosed from source data.

OpenAI / Anthropic / Google Gemini Alignment

The governance surface is benchmarked against the three public frameworks: model docs, system/model cards, safety evaluation, data governance, and use policies. This is benchmark alignment, not a claim that every provider is active in production inference. Official docs checked: 2026-05-26

Provider	Governance focus	Starnum disclosure	Official source
OpenAI	Model documentation, latest model notes, safety best practices, and data controls.	No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.	https://platform.openai.com/docs/models
Anthropic	Claude model documentation, system/model cards, Responsible Scaling, and safety policy.	No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.	https://docs.anthropic.com/en/docs/about-claude/models
Google Gemini	Gemini API model documentation, safety settings, data governance, and platform policy.	No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.	https://ai.google.dev/gemini-api/docs/models

Provider

Governance focus

Starnum disclosure

Official source

OpenAI

Model documentation, latest model notes, safety best practices, and data controls.

No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.

https://platform.openai.com/docs/models

Anthropic

Claude model documentation, system/model cards, Responsible Scaling, and safety policy.

No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.

https://docs.anthropic.com/en/docs/about-claude/models

Google Gemini

Gemini API model documentation, safety settings, data governance, and platform policy.

No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.

https://ai.google.dev/gemini-api/docs/models

Metodología de Seguridad en IA

Governance 2.0 Overview

Governance Summary

Scope

Implementation Status

1. Protocolo de Red Team

1.1 Herramientas de Prueba

1.2 Líneas Rojas Codificadas

2. Arquitectura de Escalada de Tres Niveles

3. Principios de Diseño del Conjunto Eval

4. Recursos Relacionados

Current Machine Audit Snapshot

Verifiable Evidence Layer

System Card V2.0: Technical Transparency Layer

Public architecture

AI-use disclosure

Quality and safety gates

Data traceability

Release Integrity And GPG

OpenAI / Anthropic / Google Gemini Alignment