How we built the pipeline that classifies our leads with AI
Behind the scenes of the pipeline that classifies every inbound lead on our site: architecture, prompt injection defense, output validation and why the AI never sends anything on its own.
Every contact form generates the same invisible work: reading, assessing fit, deciding the answer and writing the email. On our site that work belonged to the founder and competed with delivery and client service, while hot leads cool off within hours. In May 2026 we automated the whole flow the way we sell: an AI automation inside our own site.
One LLM call, not an agent
The first decision was about scope: this did not need to be an autonomous agent. The job is well defined (evaluating a form against known criteria), the input is structured and so is the output. A single model call inside the API flow, with the prompt versioned in the repository, solves it. Adjusting a criterion becomes a prompt edit, no redeploy.
Architecture: from form to ready reply
The flow in production:
- A 4-step form with per-step validation (Zod shared between front and back) and per-IP rate limiting.
- API: stores the lead in the database, sends the lead an instant confirmation and triggers everything else after the HTTP response.
- Classifier: detects the lead's language (Portuguese, English or Spanish), computes a 0-10 fit score with a 5-criteria breakdown, flags green, yellow and red signals and recommends the next step.
- Draft: the reply comes out written in the lead's language, along with the discovery letter, ready for review.
Prompt injection is a problem for anyone receiving public input
A public form feeding an LLM is an attack surface. Our defense has two layers. On the way in, all form content reaches the classifier isolated inside external-data tags: the prompt treats everything inside them as data to analyze, never as instructions to follow. On the way out, the model's response passes through a Zod schema before touching the database: if the model returns anything outside the contract, the pipeline rejects it.
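The two layers above, as an added example rather than the site's own code: form fields are wrapped as delimited data on the way in, and the model's reply is checked against a fixed contract on the way out. The post validates with Zod; this version hand-rolls the same checks so it runs with no dependencies, and the contract details (field names, five criteria scored 0-2 that sum to the 0-10 score, the next-step values) are assumptions.

```typescript
// Added example. Contract shape (criteria names, 0-2 per criterion summing to
// the score, nextStep values) is an assumption, not the production schema.
type Lang = "pt" | "en" | "es";
type NextStep = "discovery_call" | "send_info" | "decline";
const CRITERIA = ["problem_fit", "budget", "timeline", "authority", "channel_fit"] as const;
export interface Classification {
  language: Lang;
  score: number;
  breakdown: Record<(typeof CRITERIA)[number], number>;
  signals: { green: string[]; yellow: string[]; red: string[] };
  nextStep: NextStep;
}
type Result = { ok: true; value: Classification } | { ok: false; error: string };

// Layer 1 (input): every field goes in as data between external-data tags.
// A field that happens to contain the delimiter itself is neutralised so it
// cannot close the block early and be read as part of the prompt.
export function buildClassifierInput(fields: Record<string, string>): string {
  const body = Object.entries(fields)
    .map(([k, v]) => `${k}: ${v.replace(/<\/?external_data>/gi, "[tag removed]")}`)
    .join("\n");
  return `<external_data>\n${body}\n</external_data>`;
}

const isObj = (x: unknown): x is Record<string, unknown> => typeof x === "object" && x !== null;
const isStrArr = (x: unknown): x is string[] => Array.isArray(x) && x.every((s) => typeof s === "string");
const isInt = (x: unknown, lo: number, hi: number): x is number =>
  Number.isInteger(x) && (x as number) >= lo && (x as number) <= hi;

// Layer 2 (output): anything outside the contract is rejected before storage.
// Unknown keys are rejected too, so the model cannot smuggle in new fields.
export function validateClassification(raw: unknown): Result {
  if (!isObj(raw)) return { ok: false, error: "not an object" };
  const allowed = ["language", "score", "breakdown", "signals", "nextStep"];
  const extra = Object.keys(raw).filter((k) => !allowed.includes(k));
  if (extra.length > 0) return { ok: false, error: `unexpected keys: ${extra.join(",")}` };
  if (!["pt", "en", "es"].includes(raw.language as string)) return { ok: false, error: "language" };
  if (!isInt(raw.score, 0, 10)) return { ok: false, error: "score" };
  const b = raw.breakdown;
  if (!isObj(b) || Object.keys(b).length !== CRITERIA.length) return { ok: false, error: "breakdown keys" };
  for (const c of CRITERIA) if (!isInt(b[c], 0, 2)) return { ok: false, error: `breakdown.${c}` };
  const sum = CRITERIA.reduce((acc, c) => acc + (b[c] as number), 0);
  if (sum !== raw.score) return { ok: false, error: "score != sum of breakdown" };
  const s = raw.signals;
  if (!isObj(s) || !isStrArr(s.green) || !isStrArr(s.yellow) || !isStrArr(s.red)) return { ok: false, error: "signals" };
  if (!["discovery_call", "send_info", "decline"].includes(raw.nextStep as string)) return { ok: false, error: "nextStep" };
  return { ok: true, value: raw as unknown as Classification };
}
```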
Fire-and-forget: the AI never takes the form down
Classification runs after the HTTP response. If the AI API is down, if the spreadsheet integration fails, if the webhook times out, the lead has already received confirmation and the record is already in the database. The worst case degrades to the old manual flow, never to a lost lead. Automation that adds a point of failure in front of the customer is a bad trade.
The AI never sends anything on its own
A product decision, not a technical limitation: the classifier delivers score, signals and draft, and stops there. The founder reviews and sends. The math is the same one we apply to every client-facing AI project: reviewing takes minutes, recovering a lead who got a wrong reply can be impossible. The automation's gain is turning hours of triage and writing into minutes of review, not removing the human from the decision.
Three languages for free
A welcome side effect: since the classifier detects the language and writes the reply in it, the same pipeline serves leads in Portuguese, English and Spanish with no separate flow. The cost of internationalizing our inbound sales was zero.
What we would do differently
We would have defined the model's output schema on day one. Early versions validated little, and every prompt tweak could silently break the parsing. A validated output contract is what makes an LLM inside a production flow reliable.
The pipeline we use is the one we sell
This pipeline is a Track 1 project running in production on our own site. Details, technical decisions and results are in the full case. If automating your funnel's triage makes sense, tell us your context.