AI Boundaries

DiveSuite includes AI-powered features for analysis and natural language planning. This document defines the strict boundaries that AI must never cross.

Fundamental Principle

What AI Can Do

Analysis & Insights (P3-F07, P3-F08, P3-F09)

Detect patterns in dive log history
Flag anomalies (unusual ascent rates, SAC spikes)
Suggest improvements (“Your SAC rate is 20% higher in cold water”)
Identify trends over time

Natural Language Planning (P1-F23)

Parse user intent from natural language
Extract dive parameters (depth, time, gas, conditions)
Suggest parameter values based on context
Critique resulting plans (within safety limits)

Logging Assistance (P2-F15, P2-F16, P2-F17)

Guide post-dive debriefing with questions
Transcribe voice notes to structured data
Extract data from photos of dive computers
Auto-fill fields from context

What AI Cannot Do

Absolute Prohibitions

Prohibited Action	Reason
Generate decompression schedules	Safety-critical calculation
Modify gradient factors silently	Affects deco obligations
Suggest exceeding MOD	Oxygen toxicity risk
Suggest exceeding NDL without warning	DCS risk
Override safety warnings	Could hide critical info
Claim authority on safety	AI is not certified

Architecture Enforcement

// AI output is ALWAYS validated before use
interface AIServiceOutput {
  type: 'suggestion' | 'analysis' | 'extraction';
  confidence: number;
  data: unknown;
  // Required metadata
  requiresUserConfirmation: true;  // Always true
  disclaimer: string;              // Always present
}

// Validation layer catches prohibited outputs
function validateAIOutput(output: AIServiceOutput): ValidationResult {
  // Check for prohibited actions
  if (containsDecoSchedule(output)) {
    return reject('AI cannot generate decompression schedules');
  }
  if (exceedsSafetyLimits(output)) {
    return reject('AI suggestion exceeds safety limits');
  }
  // ... more checks
  return approve(output);
}

Safety Validation Layer (P4-F02)

Every AI output passes through a safety validation layer:

graph LR
    AI[AI Service] -->|raw output| V[Validation Layer]
    V -->|rejected| R[Rejection + Logging]
    V -->|approved| U[User Review]
    U -->|confirmed| E[Deco Engine]
    U -->|rejected| D[Discarded]

Validation Checks

class AISafetyValidator {
  validate(suggestion: AISuggestion, context: DiveContext): ValidationResult {
    const checks = [
      this.checkMOD(suggestion, context),
      this.checkPpO2(suggestion, context),
      this.checkNDL(suggestion, context),
      this.checkAscentRate(suggestion, context),
      this.checkGasReserve(suggestion, context),
      this.checkCertificationLevel(suggestion, context),
    ];

    const failures = checks.filter(c => !c.passed);

    if (failures.length > 0) {
      // Log for audit
      this.auditLog.record({
        type: 'AI_SAFETY_REJECTION',
        suggestion,
        failures,
        timestamp: Date.now(),
      });

      return {
        valid: false,
        reason: failures.map(f => f.message).join('; '),
      };
    }

    return { valid: true };
  }
}

User Confirmation Flow

AI suggestions always require explicit user confirmation:

+---------------------------------------------+
|  AI Suggestion                              |
|                                             |
|  "Based on your description, I suggest:     |
|   - Depth: 25m                              |
|   - Bottom time: 40 minutes                 |
|   - Gas: EAN32                              |
|                                             |
|  Warning: This is an AI suggestion. Please  |
|  verify all parameters before planning.     |
|                                             |
|  [Use These Parameters] [Edit Manually]     |
+---------------------------------------------+

AI suggestions are visually distinct from user input
Disclaimer is always visible
User must actively confirm before parameters are used
Edit option always available

AI Toggle (CC-15)

Users can completely disable AI features:

// Master toggle in settings
interface AISettings {
  enabled: boolean;  // Master toggle
  features: {
    naturalLanguagePlanning: boolean;
    closedLoopSuggestions: boolean;
    guidedDebriefing: boolean;
    voiceToLog: boolean;
    photoToData: boolean;
    patternDetection: boolean;
    anomalyFlagging: boolean;
    personalizedSuggestions: boolean;
  };
}

When AI is disabled:

All AI features hidden from UI
Zero data sent to LLM APIs
App functions fully without AI
Non-AI alternatives available (manual planning, manual logging)

Audit Logging

All AI interactions are logged for safety audit:

interface AIAuditLog {
  id: string;
  timestamp: number;
  userId: string;
  feature: string;  // e.g., 'natural_language_planning'
  input: string;    // User's input (anonymized)
  output: AIServiceOutput;
  validationResult: ValidationResult;
  userAction: 'confirmed' | 'rejected' | 'modified';
}

Logs are:

Stored locally by default
Optionally synced to cloud (with user consent)
Retained for 90 days
Available for export (GDPR compliance)

Graceful Degradation

When AI services are unavailable:

Scenario	Behavior
Offline	AI features disabled, core app works
API error	Show error, fallback to manual input
Rate limited	Queue requests, notify user
Invalid response	Reject, log, show manual option

AI failure should never break core planning or logging functionality.

Forbidden Phrases

AI responses must never include:

Phrase	Why Forbidden
”It’s safe to…”	AI cannot guarantee safety
”You can exceed…”	Encourages unsafe behavior
”Ignore the warning…”	Undermines safety systems
”This plan is certified…”	False authority claim
”Medical advice…”	AI is not a medical professional