# We refuse to click inside Amazon Seller Central.
Zero-suspension isn't a claim. It's an architectural posture — Scope Manifests, tenant isolation, tamper-evident audit, and a quarterly-reviewed allowlist per sales channel. The agentic AI framework sits behind these gates; the gates are not negotiable.
EXSEL's security model is architectural, not procedural. OAuth tokens are encrypted at rest with AES-256-GCM; credentials never leave the merchant device (Companion). Every autonomous action flows through ScopeManifest (ADR-054) — a per-platform YAML allowlist that the orchestrator checks before modeGate. Tamper-evident audit logs use hash-chained entries plus weekly signed evidence bundles for AS-3/AS-4 customers. GDPR Article 32 isolation: each tenant has a dedicated Qdrant namespace.
## The zero-suspension posture (G47)
Every action our AI specialists take passes through two gates before it touches a sales channel. Together they're the architectural backbone of our agentic AI posture — a Scope Manifest per channel combined with a ModeGate per action, with Cedar as the policy engine making each decision itself auditable:
1. ScopeGate (ADR-054). Each AI specialist has per-channel YAML manifests at src/lib/engines/ listing its allowedactions (with API endpoint + constraints), forbiddenactions (with reason), ratelimits, killswitchflag, and tosnextreview date. Any action not on the allowlist throws ScopeViolationError and logs to scopeviolation_attempts. No env var, feature flag, or dev override bypasses this gate.
2. ModeGate (ADR-034). Each merchant × each AI specialist × each action type operates in one of three modes — manual (we draft, you approve), 2FA-gated autonomous (we execute, each action cleared through a 2FA pre-confirm), or tamper-evident audit (autonomous + hash-chained log + weekly signed evidence bundle). Default on every account = manual. This is the human-in-the-loop (HITL) contract, made architectural.
### You choose your mode. We enforce your choice.
Three operating modes per AI specialist — Human, Human-in-the-loop, Fully autonomous. Default on every signup = Human. The ScopeManifest, the Llama Guard safety pass, and the tamper-evident audit log fire regardless of the mode you pick. triggersalwayshitl is a list in the scope manifest, not a UI preference — destructive actions (price writes, ad spend changes, inventory commits) stay Human-in-the-loop even when a specialist is running autonomous. Full detail at [/agents#modes](/agents#modes).
### What we architecturally refuse
- Amazon Seller Central UI automation — forbidden in code. Writes go only through SP-API POST/PUT within scope.
- Meta Business Suite UI automation — forbidden. Marketing API only.
- TikTok Shop multi-account Symphony rotation — deprecated per ADR-057.
- Any write to a platform without an active scope-manifest row covering the exact action.
- Any cross-tenant data read. Fail-closed TenantIsolationError at the primitive level (ADR-086 rule 3). Logged to audit; alerts paged.
The quarterly ToS review is enforced in CI — if tosnextreview passes without refresh, the AI specialist enters read-only automatically.
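
The two-gate check described above, as an added example that is not EXSEL's code. The manifest is shown as an already-parsed dict using the field names as they appear on this page; the action names, endpoints, `write` flag, mode labels, dates, and the choice to have the kill switch block reads as well as writes are assumptions.

```python
from datetime import date

class ScopeViolationError(Exception):
    """Raised for any action the manifest does not explicitly allow."""

# Constructed manifest as it might look after YAML parsing; values are hypothetical.
MANIFEST = {
    "allowedactions": {
        "listing.read": {"endpoint": "GET /listings", "write": False},
        "price.write": {"endpoint": "PUT /listings/price", "write": True},
    },
    "forbiddenactions": {"ui.click": "UI automation is refused"},
    "triggersalwayshitl": ["price.write"],
    "killswitchflag": False,
    "tosnextreview": date(2026, 1, 1),
}

def scope_gate(manifest, action, today):
    """Default-deny allowlist check; returns the allowed action's entry."""
    if manifest["killswitchflag"]:
        raise ScopeViolationError("kill switch engaged")
    if action in manifest["forbiddenactions"]:
        raise ScopeViolationError(manifest["forbiddenactions"][action])
    entry = manifest["allowedactions"].get(action)
    if entry is None:
        raise ScopeViolationError(f"{action} is not on the allowlist")
    # Overdue ToS review: reads continue, writes are refused.
    if today > manifest["tosnextreview"] and entry["write"]:
        raise ScopeViolationError("ToS review overdue, specialist is read-only")
    return entry

def mode_gate(manifest, action, mode):
    """Resolve the effective mode; unknown modes fall back to manual."""
    if mode not in ("manual", "hitl", "autonomous"):
        return "manual"
    if mode == "autonomous" and action in manifest["triggersalwayshitl"]:
        return "hitl"  # destructive actions never run unattended
    return mode

def authorize(manifest, action, mode, today):
    scope_gate(manifest, action, today)  # scope is checked before mode
    return mode_gate(manifest, action, mode)
```

Because `scope_gate` runs first and raises, no mode setting can widen what the manifest allows; the mode only decides how an already-permitted action proceeds.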
---
## Tenant isolation (ADR-055 rule 6)
- Per-tenant Qdrant namespace. `AgenticRAG.recall(tenantId, query)` requires `tenantId`; internal Qdrant calls wrap every retrieval with `filter: {tenant_id: $tenantId}`. No bypass.
- Per-tenant LoRA adapter. Your ClientConductor's per-tenant fine-tune lives in a dedicated adapter, hot-swapped via SGLang.
- Per-tenant causal attribution store. Only your confirmed outcomes train your adapter.
- Cross-tenant aggregation flows through `AggregateOnly` — a wrapper type that strips PII before any cohort or global pattern can be accessed. GDPR Art. 32 breach = ship-blocker.
## Tamper-evident audit log (ADR-044)
Every autonomous action is:
1. Written to companionauditlog_v2 as a hash-chained entry — each row's hash incorporates the previous row's hash. Retro-editing is detectable.
2. Accompanied by a DOM snapshot + screenshot at the moment of action (for Companion-driven flows).
3. Rolled up into a weekly signed evidence bundle exportable as a legal artifact.
This is the audit trail a regulator or a disputed chargeback lawyer will accept. Append-only Postgres without hash-chaining is not a legal defense — this is.
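
How a hash chain plus a signed head makes retro-editing detectable, as an added example that is not EXSEL's implementation. The row layout, genesis value, SHA-256 over canonical JSON, and the use of HMAC as a stand-in for the bundle signature are all assumptions; the sample key is constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row

def entry_hash(prev_hash, payload):
    # Canonical JSON so the same payload always produces the same hash.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def head(log):
    return log[-1]["hash"] if log else GENESIS

def append(log, payload):
    prev = head(log)
    log.append({"prev_hash": prev, "payload": payload,
                "hash": entry_hash(prev, payload)})

def sign_head(log, key):
    # HMAC stands in for the weekly bundle signature (assumption).
    return hmac.new(key, head(log).encode(), hashlib.sha256).hexdigest()

def verify(log, key, head_sig):
    """Return None if intact, else the index of the first bad row.

    An index equal to len(log) means every row links correctly but the
    head no longer matches the signed value (full rewrite or truncation).
    """
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev_hash"] != prev or row["hash"] != entry_hash(prev, row["payload"]):
            return i
        prev = row["hash"]
    if not hmac.compare_digest(sign_head(log, key), head_sig):
        return len(log)
    return None
```

The chain alone only catches edits that leave later hashes untouched; someone with write access can recompute every subsequent hash, and it is the signed head that exposes that rewrite.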
[ Request a sample evidence bundle → ] — email link, pre-scrubbed, 1 sample week.
---
## The three agent archetypes (ADR-087)
- ClientConductor — the agent you pay to unlock. Per-tenant. Writes to your platforms inside ModeGate. See `/agents#client-conductor`.
- VisitorConcierge — the agent on marketing pages. Cookie-scoped, 90-day TTL, reflex-class model, anonymous, read-only on a shared public-knowledge index. Cannot touch tenant data. See `/agents#visitor-concierge`.
- GovernorAI — the board advisor. Reads aggregate signals through `AggregateOnly`; writes only to internal Slack, tickets, and the dev log. Never acts on merchant accounts. See `/agents#governor`.
## How learning works (ADR-088)
- Every `BaseAgent.call()` emits a trajectory (state, action, outcome, reward, causalconfirmed bool) into the causalattribution_store.
- A DoWhy 3-refuter gate (p < 0.05 across 3 refuters + Cohen's |d| ≥ 0.2) decides if the outcome was causally attributable to the action. This is causal inference as a training gate, not just a reporting overlay.
- Only confirmed trajectories flow into the per-tenant QDoRA training buffer (rank-8 parameter-efficient fine-tuning / PEFT). Preference pairs use ORPO by default, KTO as fallback, DPO for legacy chains.
- Catastrophic forgetting prevented via EWC++ on the router + top-quartile-reward replay buffer (P0.R1).
- Adversarial content quarantined — Llama Guard OBSERVATION pass on every retrieved chunk + every trajectory payload before it enters the training buffer. Prevents prompt-injection via merchant-owned content from poisoning the shared Reasoning Bank or the agentdb_pattern-store.
## Data handling
| Surface | Retention | Deletion path |
|---|---|---|
| Tenant data (per ClientConductor) | Duration of subscription + 30d post-cancellation grace | Self-serve at /settings/delete · 72h hard delete · written confirmation |
| Visitor cookie + session (exselvisitorid) | 90-day TTL, auto-purged | "Forget me" link in footer · immediate hard delete |
| Trajectories (training signal) | 180d raw + aggregate-only thereafter | Tenant-scoped delete cascades |
| Audit log entries (ADR-044) | 7y retention for regulated merchants; 13m default | Retention-policy controlled, not self-serve (legal-hold compatible) |
| Causal attribution store | Per tenant; deleted on tenant purge | Cascade from tenant delete |
## Compliance posture (what we have, what we're working on)
| Framework | Status |
|---|---|
| GDPR (EU) | Art. 32 tenant isolation enforced architecturally. Art. 46 SCCs available for EU merchants. DPA template available on request. |
| ePrivacy / cookies | Consent banner before VisitorConcierge activates. Cookie deletable from footer. No PII capture except optional email opt-in. |
| CCPA | "Do not sell or share" honored. Rights-request portal at /legal/ccpa. |
| SOC 2 Type II | In progress — 2026-Q4 target. Evidence collection active; auditor engagement scheduled month-end. Interim: penetration-test reports + control inventory available under NDA. *Honesty footnote — auditor name + start date published here within 30 days of engagement.* |
| HIPAA / PHI | Not in scope. We are a commerce platform; we do not process protected health information. |
| PIPL (China cross-border) | Active analysis for TikTok Shop cross-border merchants. Interim posture: consent + purpose-limited transfer. |
## External counsel posture (ADR-043)
Before any autonomous-action phase ships at scale, a written external counsel opinion is required — mandatory. MSA indemnification clause is required. This is a hard gate in our UNIFIED_ROADMAP, not a nice-to-have.
---
## Refusal in action (one specific story)
> A merchant asked us to auto-reprice on Amazon based on competitor-price triggers. Our answer: no. ScopeGate blocks it, and the refusal is in ADR-054. What we shipped instead: a draft-for-approval reprice proposal, a 2FA-gated autonomous mode for merchants who want it after a 7-day trial under manual, and a causal-attribution measurement of whether the reprice actually improved margin. If the effect size doesn't clear Cohen's d ≥ 0.2, the AI specialist stops recommending the pattern.
That story sits above the fold of any procurement demo.
---
## What you can verify yourself
- Public roadmap: [docs/plans/UNIFIEDROADMAP.md](https://github.com/exsel-ai/public-roadmap/blob/main/UNIFIEDROADMAP.md). 78 targets.
- Public ADRs: ADR-034 · ADR-043 · ADR-044 · ADR-054 · ADR-055 · ADR-086 · ADR-087 · ADR-088.
- Public CI checks: `corepuritycheck.py` (Core layer is domain-agnostic), `scopemanifestaudit.py` (quarterly ToS review enforced), `tenantisolationfuzz.py`.
- 50-task holdout across 8 categories: product research, PPC allocation, review response, inventory forecast, cross-channel content, account-health monitoring, content gen, policy compliance. Per-category gold-annotated success criteria in `docs/research/EXSELEVALDESIGN.md` §3.
- Published with raw trajectory + scoring protocol. Every run emits a signed trajectory file (inputs, tool calls, outputs, compliance events). Independent replication is the bar.
- Multi-dimensional scoring. Accuracy (per-category rubric) + cost (USD/task) + latency (p95 ms) + compliance hard-fail (any `ScopeViolationError` or `TenantIsolationError` → score 0 on that task, not averaged).
- Anti-gaming hardening. Annual refresh, paraphrased adversarial variants of held-out tasks, trajectory watermarks, mandatory disclosure of any fine-tune/RAG-corpus overlap with eval tasks for every leaderboard submission.
- First published run: 2026-Q3 (public leaderboard at `exsel-eval.ai`, Apache-2.0 harness). The rubric is frozen now; the numbers land when Phase-6 Gate G6 opens.
## Exit-intent drawer
> Before you go — the evidence bundle.
> One-sample, anonymized, 5 MB. See what an auditor sees.
>
> [ you@company.com ]
> [ Send the sample → ]
---
## Close (P19 sleep-state)
> Operators who lost a Sunday to a suspension don't forget it. We built so that won't be you.
3 numbered steps:
1. Read ADR-054 (scope manifest). 5 minutes.
2. Read ADR-044 (audit log). 5 minutes.
3. [ Start free ] — your Conductor starts in manual mode.
---