thumbgate 0.9.9

package/scripts/cloudflare-dynamic-sandbox.js

@@ -0,0 +1,315 @@
+#!/usr/bin/env node
+'use strict';
+
+const crypto = require('crypto');
+
+const { bootstrapInternalAgent } = require('./internal-agent-bootstrap');
+
+const DYNAMIC_WORKLOADS = new Set([
+  'analytics_transform',
+  'code_mode',
+  'creator_analytics',
+  'history_distillation',
+  'lesson_synthesis',
+  'workflow_triage',
+]);
+
+const DEFAULT_MAX_SKEW_MS = 5 * 60 * 1000;
+const DEFAULT_SANDBOX_ROUTE = '/sandbox/execute';
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return '';
+  return String(value).trim();
+}
+
+function normalizeBoolean(value) {
+  if (typeof value === 'boolean') return value;
+  if (value === undefined || value === null) return false;
+  const normalized = normalizeText(value).toLowerCase();
+  return ['1', 'true', 'yes', 'on'].includes(normalized);
+}
+
+function normalizeNumber(value, fallback = 0) {
+  const parsed = Number(value);
+  return Number.isFinite(parsed) ? parsed : fallback;
+}
+
+function normalizeStringArray(values = []) {
+  if (!Array.isArray(values)) return [];
+  return Array.from(new Set(
+    values
+      .map((value) => normalizeText(value).toLowerCase())
+      .filter(Boolean),
+  ));
+}
+
+function normalizeTier(value) {
+  const normalized = normalizeText(value).toLowerCase();
+  return ['free', 'pro', 'team', 'enterprise'].includes(normalized)
+    ? normalized
+    : 'pro';
+}
+
+function stableStringify(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((entry) => stableStringify(entry)).join(',')}]`;
+  }
+  if (value && typeof value === 'object') {
+    return `{${Object.keys(value).sort().map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`).join(',')}}`;
+  }
+  return JSON.stringify(value);
+}
+
+function buildExecutionId() {
+  return `cfw_${Date.now().toString(36)}_${crypto.randomBytes(4).toString('hex')}`;
+}
+
+function buildNetworkPolicy(request) {
+  const allowedHosts = normalizeStringArray(request.allowedHosts);
+  if (!request.requiresNetwork) {
+    return {
+      mode: 'deny_all',
+      allowedHosts: [],
+    };
+  }
+  return {
+    mode: allowedHosts.length > 0 ? 'allow_list' : 'egress_enabled',
+    allowedHosts,
+  };
+}
+
+function buildBindings(request) {
+  const bindings = ['MEMORY_KV'];
+  if (
+    request.workloadType === 'history_distillation' ||
+    request.workloadType === 'lesson_synthesis' ||
+    request.workloadType === 'workflow_triage'
+  ) {
+    bindings.push('GATES_KV');
+  }
+  return bindings;
+}
+
+function summarizeRequest(request) {
+  return {
+    workloadType: request.workloadType,
+    tier: request.tier,
+    tenantId: request.tenantId,
+    requiresIsolation: request.requiresIsolation,
+    requiresNetwork: request.requiresNetwork,
+    requiresRepoAccess: request.requiresRepoAccess,
+    contextTokens: request.contextTokens,
+  };
+}
+
+function normalizeRequest(input = {}) {
+  const workloadType = normalizeText(input.workloadType || input.taskType || input.kind)
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '_')
+    .replace(/^_+|_+$/g, '') || 'generic_automation';
+  const providerPreference = normalizeText(input.providerPreference).toLowerCase() || 'auto';
+  const repoPath = normalizeText(input.repoPath) || '';
+  const requiresRepoAccess = normalizeBoolean(input.requiresRepoAccess)
+    || normalizeBoolean(input.localFileAccess)
+    || Boolean(repoPath);
+  const untrustedCode = normalizeBoolean(input.untrustedCode);
+  const tier = normalizeTier(input.tier);
+  const tenantId = normalizeText(input.tenantId || input.teamId || input.customerId) || null;
+  const requiresIsolation = normalizeBoolean(input.requiresIsolation)
+    || untrustedCode
+    || tier === 'team'
+    || tier === 'enterprise'
+    || Boolean(tenantId);
+  const contextTokens = normalizeNumber(input.contextTokens, 0);
+
+  return {
+    source: normalizeText(input.source) || 'api',
+    workloadType,
+    providerPreference,
+    tier,
+    tenantId,
+    repoPath,
+    requiresRepoAccess,
+    requiresIsolation,
+    requiresNetwork: normalizeBoolean(input.requiresNetwork),
+    untrustedCode,
+    contextTokens,
+    allowedHosts: normalizeStringArray(input.allowedHosts || input.egressAllowlist),
+    traceId: normalizeText(input.traceId) || null,
+    context: normalizeText(input.context) || '',
+    intentId: normalizeText(input.intentId) || '',
+    mcpProfile: normalizeText(input.mcpProfile) || undefined,
+    partnerProfile: normalizeText(input.partnerProfile) || undefined,
+    delegationMode: normalizeText(input.delegationMode) || 'auto',
+    approved: input.approved === true,
+    trigger: input.trigger || undefined,
+    thread: input.thread || undefined,
+    task: input.task || undefined,
+    comments: Array.isArray(input.comments) ? input.comments : undefined,
+    messages: Array.isArray(input.messages) ? input.messages : undefined,
+  };
+}
+
+function classifyHostedExecution(input = {}) {
+  const request = normalizeRequest(input);
+
+  if (request.providerPreference === 'railway') {
+    return {
+      provider: 'railway_control_plane',
+      reason: 'provider preference pinned to Railway control plane',
+      request,
+    };
+  }
+
+  if (request.requiresRepoAccess) {
+    return {
+      provider: 'railway_control_plane',
+      reason: 'task requires repo or local filesystem access',
+      request,
+    };
+  }
+
+  if (
+    request.providerPreference === 'cloudflare'
+    || request.requiresIsolation
+    || DYNAMIC_WORKLOADS.has(request.workloadType)
+    || request.contextTokens >= 120000
+  ) {
+    return {
+      provider: 'cloudflare_dynamic_worker',
+      reason: request.providerPreference === 'cloudflare'
+        ? 'provider preference explicitly requested Cloudflare dynamic workers'
+        : 'hosted isolated workload benefits from edge sandbox execution',
+      request,
+    };
+  }
+
+  return {
+    provider: 'railway_control_plane',
+    reason: 'standard hosted workload remains on the Railway control plane',
+    request,
+  };
+}
+
+function signDispatchEnvelope(bodyText, secret, timestamp) {
+  return crypto
+    .createHmac('sha256', String(secret || ''))
+    .update(`${timestamp}.${bodyText}`)
+    .digest('hex');
+}
+
+function verifyDispatchEnvelope({
+  body,
+  secret,
+  timestamp,
+  signature,
+  now = Date.now(),
+  maxSkewMs = DEFAULT_MAX_SKEW_MS,
+}) {
+  if (!secret || !timestamp || !signature) return false;
+  const issuedAt = Date.parse(timestamp);
+  if (!Number.isFinite(issuedAt)) return false;
+  if (Math.abs(Number(now) - issuedAt) > maxSkewMs) return false;
+  const bodyText = typeof body === 'string' ? body : stableStringify(body);
+  const expected = signDispatchEnvelope(bodyText, secret, timestamp);
+  const expectedBuffer = Buffer.from(expected, 'hex');
+  const actualBuffer = Buffer.from(String(signature), 'hex');
+  if (expectedBuffer.length !== actualBuffer.length) return false;
+  return crypto.timingSafeEqual(expectedBuffer, actualBuffer);
+}
+
+function buildCloudflareSandboxPlan(input = {}, options = {}) {
+  const classification = classifyHostedExecution(input);
+  const request = classification.request;
+
+  if (classification.provider !== 'cloudflare_dynamic_worker') {
+    return {
+      provider: 'railway_control_plane',
+      shouldDispatch: false,
+      reason: classification.reason,
+      route: null,
+      request: summarizeRequest(request),
+    };
+  }
+
+  const timestamp = options.now instanceof Date
+    ? options.now.toISOString()
+    : (normalizeText(options.now) || new Date().toISOString());
+  const executionId = normalizeText(options.executionId) || buildExecutionId();
+  const secret = options.sharedSecret
+    || process.env.CLOUDFLARE_SANDBOX_SHARED_SECRET
+    || process.env.THUMBGATE_CLOUDFLARE_SANDBOX_SECRET
+    || '';
+  const networkPolicy = buildNetworkPolicy(request);
+  const bindings = buildBindings(request);
+  const bootstrap = options.includeBootstrap === false
+    ? null
+    : bootstrapInternalAgent({
+      source: request.source,
+      prepareSandbox: false,
+      intentId: request.intentId,
+      context: request.context,
+      mcpProfile: request.mcpProfile,
+      partnerProfile: request.partnerProfile,
+      delegationMode: request.delegationMode,
+      approved: request.approved,
+      trigger: request.trigger,
+      thread: request.thread,
+      task: request.task,
+      comments: request.comments,
+      messages: request.messages,
+    });
+
+  const envelope = {
+    executionId,
+    provider: 'cloudflare_dynamic_worker',
+    workloadType: request.workloadType,
+    tier: request.tier,
+    tenantId: request.tenantId,
+    traceId: request.traceId || executionId,
+    requestedAt: timestamp,
+    networkPolicy,
+    bindings,
+    limits: {
+      maxRuntimeMs: request.requiresNetwork ? 60000 : 30000,
+      maxContextTokens: request.contextTokens || null,
+    },
+    bootstrap: bootstrap ? {
+      invocation: bootstrap.invocation,
+      startupContext: bootstrap.startupContext,
+      reviewerLane: bootstrap.reviewerLane,
+      middlewarePlan: bootstrap.middlewarePlan,
+      intentPlan: bootstrap.intentPlan,
+    } : null,
+  };
+
+  const bodyText = stableStringify(envelope);
+  const signature = secret ? signDispatchEnvelope(bodyText, secret, timestamp) : '';
+
+  return {
+    provider: 'cloudflare_dynamic_worker',
+    shouldDispatch: true,
+    reason: classification.reason,
+    route: normalizeText(options.route) || DEFAULT_SANDBOX_ROUTE,
+    request: summarizeRequest(request),
+    executionId,
+    envelope,
+    headers: {
+      'x-thumbgate-sandbox-timestamp': timestamp,
+      'x-thumbgate-sandbox-signature': signature,
+    },
+    signatureReady: Boolean(signature),
+  };
+}
+
+module.exports = {
+  DEFAULT_MAX_SKEW_MS,
+  DEFAULT_SANDBOX_ROUTE,
+  DYNAMIC_WORKLOADS,
+  stableStringify,
+  normalizeRequest,
+  classifyHostedExecution,
+  buildCloudflareSandboxPlan,
+  signDispatchEnvelope,
+  verifyDispatchEnvelope,
+};

package/scripts/code-reasoning.js

@@ -0,0 +1,350 @@
+#!/usr/bin/env node
+/**
+ * Agentic Code Reasoning — Structured Trace Engine
+ *
+ * Based on Meta's "Agentic Code Reasoning" paper (arxiv 2603.01896).
+ * Forces structured line-level reasoning instead of pattern-matching guesses.
+ *
+ * Produces a verification trace for every code change claim, self-heal fix,
+ * or DPO pair, requiring explicit evidence for each assertion.
+ */
+
+const crypto = require('node:crypto');
+
+/**
+ * @typedef {Object} TraceStep
+ * @property {string} location - File path and line range (e.g. "scripts/self-heal.js:49-69")
+ * @property {string} claim - What this step asserts about correctness
+ * @property {string} evidence - Concrete evidence supporting the claim
+ * @property {'verified'|'unverified'|'refuted'} verdict - Assessment of the claim
+ */
+
+/**
+ * @typedef {Object} ReasoningTrace
+ * @property {string} traceId - Unique identifier for this trace
+ * @property {string} timestamp - ISO 8601 timestamp
+ * @property {string} type - Trace type: 'self-heal' | 'dpo-pair' | 'proof-gate' | 'verification'
+ * @property {string} subject - What is being verified (script name, pair ID, etc.)
+ * @property {TraceStep[]} steps - Ordered reasoning steps
+ * @property {string[]} edgeCases - Edge cases explicitly addressed or ruled out
+ * @property {Object} summary - Aggregated verdict
+ * @property {number} summary.totalSteps - Total reasoning steps
+ * @property {number} summary.verified - Steps with verified verdict
+ * @property {number} summary.unverified - Steps with unverified verdict
+ * @property {number} summary.refuted - Steps with refuted verdict
+ * @property {number} summary.confidence - Ratio of verified to total (0-1)
+ * @property {boolean} summary.passed - True if confidence >= threshold and refuted === 0
+ */
+
+const DEFAULT_CONFIDENCE_THRESHOLD = 0.7;
+
+function generateTraceId() {
+  return `trace-${crypto.randomBytes(6).toString('hex')}`;
+}
+
+function createTrace(type, subject) {
+  return {
+    traceId: generateTraceId(),
+    timestamp: new Date().toISOString(),
+    type,
+    subject,
+    steps: [],
+    edgeCases: [],
+    summary: null,
+  };
+}
+
+function addStep(trace, { location, claim, evidence, verdict = 'unverified' }) {
+  if (!location || !claim) {
+    throw new Error('TraceStep requires location and claim');
+  }
+  const validVerdicts = ['verified', 'unverified', 'refuted'];
+  if (!validVerdicts.includes(verdict)) {
+    throw new Error(`Invalid verdict: ${verdict}. Must be one of: ${validVerdicts.join(', ')}`);
+  }
+  trace.steps.push({ location, claim, evidence: evidence || '', verdict });
+  return trace;
+}
+
+function addEdgeCase(trace, description) {
+  if (description) trace.edgeCases.push(description);
+  return trace;
+}
+
+function computeControllability(trace) {
+  const steps = trace.steps;
+  const edgeCases = trace.edgeCases;
+  if (steps.length === 0) return { score: 0, flags: ['empty_trace'] };
+
+  const flags = [];
+  const allVerified = steps.every((s) => s.verdict === 'verified');
+  const allSameEvidence = new Set(steps.map((s) => s.evidence)).size === 1 && steps.length > 1;
+  const shortEvidence = steps.filter((s) => s.evidence.length < 10).length;
+  const noEdgeCases = edgeCases.length === 0;
+
+  if (allVerified && steps.length > 2) flags.push('all_verified');
+  if (allSameEvidence) flags.push('identical_evidence');
+  if (shortEvidence > steps.length / 2) flags.push('thin_evidence');
+  if (noEdgeCases && steps.length > 1) flags.push('no_edge_cases');
+
+  const score = Math.round((flags.length / 4) * 1000) / 1000;
+  return { score, flags };
+}
+
+function finalizeTrace(trace, { confidenceThreshold = DEFAULT_CONFIDENCE_THRESHOLD } = {}) {
+  const totalSteps = trace.steps.length;
+  const verified = trace.steps.filter((s) => s.verdict === 'verified').length;
+  const unverified = trace.steps.filter((s) => s.verdict === 'unverified').length;
+  const refuted = trace.steps.filter((s) => s.verdict === 'refuted').length;
+  const confidence = totalSteps > 0 ? Math.round((verified / totalSteps) * 1000) / 1000 : 0;
+  const ctrl = computeControllability(trace);
+
+  trace.summary = {
+    totalSteps,
+    verified,
+    unverified,
+    refuted,
+    confidence,
+    passed: confidence >= confidenceThreshold && refuted === 0,
+    controllability: ctrl.score,
+    controllabilityFlags: ctrl.flags,
+  };
+
+  return trace;
+}
+
+/**
+ * Build a reasoning trace for a self-heal fix execution.
+ *
+ * @param {Object} fixResult - Result from runFixPlan for a single script
+ * @param {string} fixResult.script - Script name
+ * @param {string} fixResult.status - 'success' | 'failed'
+ * @param {number} fixResult.exitCode
+ * @param {string} fixResult.outputTail - Last 2000 chars of output
+ * @param {string[]} changedFiles - Files changed by this fix
+ * @returns {ReasoningTrace}
+ */
+function traceForSelfHealFix(fixResult, changedFiles = []) {
+  const trace = createTrace('self-heal', fixResult.script);
+
+  addStep(trace, {
+    location: `npm run ${fixResult.script}`,
+    claim: `Fix script "${fixResult.script}" executes without error`,
+    evidence: fixResult.status === 'success'
+      ? `Exit code ${fixResult.exitCode}, completed in ${fixResult.durationMs}ms`
+      : `Exit code ${fixResult.exitCode}, error: ${fixResult.error || 'non-zero exit'}`,
+    verdict: fixResult.status === 'success' ? 'verified' : 'refuted',
+  });
+
+  if (changedFiles.length > 0) {
+    addStep(trace, {
+      location: changedFiles.join(', '),
+      claim: `Fix modified ${changedFiles.length} file(s) — changes are intentional`,
+      evidence: `Changed: ${changedFiles.join(', ')}`,
+      verdict: 'verified',
+    });
+  } else {
+    addStep(trace, {
+      location: `npm run ${fixResult.script}`,
+      claim: 'Fix produced no file changes (idempotent or no-op)',
+      evidence: 'git diff --name-only returned empty after execution',
+      verdict: 'verified',
+    });
+  }
+
+  const outputTail = (fixResult.outputTail || '').toLowerCase();
+  const hasErrors = /error|fail|exception|fatal/i.test(outputTail);
+  addStep(trace, {
+    location: `npm run ${fixResult.script} (output)`,
+    claim: 'Script output contains no error indicators',
+    evidence: hasErrors
+      ? `Output contains error keywords: ${outputTail.slice(-200)}`
+      : 'No error keywords in output tail',
+    verdict: hasErrors && fixResult.status === 'success' ? 'unverified' : (hasErrors ? 'refuted' : 'verified'),
+  });
+
+  addEdgeCase(trace, 'Script timeout not triggered (completed within deadline)');
+  if (changedFiles.length === 0) {
+    addEdgeCase(trace, 'No files changed — fix may already be applied or script is no-op');
+  }
+
+  return finalizeTrace(trace);
+}
+
+/**
+ * Build a reasoning trace for a DPO preference pair.
+ *
+ * @param {Object} pair - The DPO pair with prompt, chosen, rejected, metadata
+ * @returns {ReasoningTrace}
+ */
+function traceForDpoPair(pair) {
+  const trace = createTrace('dpo-pair', `${pair.metadata.errorId}->${pair.metadata.learningId}`);
+
+  addStep(trace, {
+    location: `error:${pair.metadata.errorId}`,
+    claim: 'Rejected response represents a genuine mistake',
+    evidence: `Error title: "${pair.metadata.errorTitle}"`,
+    verdict: pair.metadata.errorTitle ? 'verified' : 'unverified',
+  });
+
+  addStep(trace, {
+    location: `learning:${pair.metadata.learningId}`,
+    claim: 'Chosen response represents a correct approach',
+    evidence: `Learning title: "${pair.metadata.learningTitle}"`,
+    verdict: pair.metadata.learningTitle ? 'verified' : 'unverified',
+  });
+
+  const matchedKeys = pair.metadata.matchedKeys || [];
+  addStep(trace, {
+    location: 'domain-matching',
+    claim: `Error and learning share domain context (${matchedKeys.length} key(s))`,
+    evidence: `Matched keys: [${matchedKeys.join(', ')}], overlap score: ${pair.metadata.overlapScore}`,
+    verdict: matchedKeys.length > 0 ? 'verified' : 'refuted',
+  });
+
+  const rubric = pair.metadata.rubric;
+  if (rubric) {
+    const hasDelta = rubric.weightedDelta != null && rubric.weightedDelta > 0;
+    addStep(trace, {
+      location: 'rubric-delta',
+      claim: 'Learning scores higher than error on rubric (positive delta)',
+      evidence: `Learning: ${rubric.learningWeightedScore}, Error: ${rubric.errorWeightedScore}, Delta: ${rubric.weightedDelta}`,
+      verdict: hasDelta ? 'verified' : (rubric.weightedDelta === 0 ? 'unverified' : 'refuted'),
+    });
+
+    const failingCriteria = rubric.errorFailingCriteria || rubric.failingCriteria || [];
+    if (failingCriteria.length > 0) {
+      addStep(trace, {
+        location: 'rubric-failures',
+        claim: `Error had ${failingCriteria.length} failing rubric criteria`,
+        evidence: `Failing: [${failingCriteria.join(', ')}]`,
+        verdict: 'verified',
+      });
+    }
+  } else {
+    addStep(trace, {
+      location: 'rubric-delta',
+      claim: 'Rubric scores provide quantitative quality signal',
+      evidence: 'No rubric data available for this pair',
+      verdict: 'unverified',
+    });
+  }
+
+  addStep(trace, {
+    location: 'prompt-inference',
+    claim: 'Inferred prompt captures the shared scenario correctly',
+    evidence: `Prompt: "${pair.prompt}"`,
+    verdict: pair.prompt && pair.prompt.length > 10 ? 'verified' : 'unverified',
+  });
+
+  addEdgeCase(trace, 'Pair may lack temporal proximity — error and learning from different sessions');
+  addEdgeCase(trace, 'Domain overlap is keyword-based — semantic similarity not verified');
+
+  return finalizeTrace(trace);
+}
+
+/**
+ * Build a reasoning trace for a proof harness check.
+ *
+ * @param {Object} checkResult - A check from the proof report
+ * @param {string} checkResult.name - Check name
+ * @param {boolean} checkResult.passed - Whether the check passed
+ * @param {Object} checkResult.details - Check-specific details
+ * @returns {ReasoningTrace}
+ */
+function traceForProofCheck(checkResult) {
+  const trace = createTrace('proof-gate', checkResult.name);
+
+  addStep(trace, {
+    location: `check:${checkResult.name}`,
+    claim: `Proof check "${checkResult.name}" passes`,
+    evidence: checkResult.passed
+      ? `Passed with details: ${JSON.stringify(checkResult.details)}`
+      : `Failed: ${JSON.stringify(checkResult.details)}`,
+    verdict: checkResult.passed ? 'verified' : 'refuted',
+  });
+
+  if (checkResult.details) {
+    const details = checkResult.details;
+    if (details.status !== undefined) {
+      addStep(trace, {
+        location: `check:${checkResult.name}/status`,
+        claim: 'HTTP/response status is expected value',
+        evidence: `Status: ${details.status}`,
+        verdict: checkResult.passed ? 'verified' : 'refuted',
+      });
+    }
+    if (details.accepted !== undefined) {
+      addStep(trace, {
+        location: `check:${checkResult.name}/accepted`,
+        claim: `Acceptance state is ${details.accepted}`,
+        evidence: `accepted=${details.accepted}`,
+        verdict: 'verified',
+      });
+    }
+  }
+
+  return finalizeTrace(trace);
+}
+
+/**
+ * Aggregate multiple traces into a verification summary.
+ *
+ * @param {ReasoningTrace[]} traces
+ * @returns {Object} Aggregated summary
+ */
+function aggregateTraces(traces) {
+  const totalTraces = traces.length;
+  const passedTraces = traces.filter((t) => t.summary && t.summary.passed).length;
+  const allSteps = traces.flatMap((t) => t.steps);
+  const totalSteps = allSteps.length;
+  const verified = allSteps.filter((s) => s.verdict === 'verified').length;
+  const refuted = allSteps.filter((s) => s.verdict === 'refuted').length;
+  const avgConfidence = totalTraces > 0
+    ? Math.round(traces.reduce((sum, t) => sum + (t.summary ? t.summary.confidence : 0), 0) / totalTraces * 1000) / 1000
+    : 0;
+
+  return {
+    totalTraces,
+    passedTraces,
+    failedTraces: totalTraces - passedTraces,
+    totalSteps,
+    verified,
+    unverified: totalSteps - verified - refuted,
+    refuted,
+    averageConfidence: avgConfidence,
+    allPassed: passedTraces === totalTraces,
+    flaggedTraces: traces.filter((t) => t.summary && t.summary.controllability > 0.5).length,
+  };
+}
+
+module.exports = {
+  createTrace,
+  addStep,
+  addEdgeCase,
+  computeControllability,
+  finalizeTrace,
+  traceForSelfHealFix,
+  traceForDpoPair,
+  traceForProofCheck,
+  aggregateTraces,
+  DEFAULT_CONFIDENCE_THRESHOLD,
+  /**
+   * Wraps a prompt with private reasoning instructions to maximize accuracy.
+   */
+  withReasoningPrompt: (userPrompt, role = 'expert senior software engineer') => {
+    return `
+You are a ${role} in March 2026. 
+
+INSTRUCTION: 
+1. First, think through the problem step-by-step privately. 
+2. Do not reveal your reasoning process in the final output. 
+3. Perform an internal self-correction check for logic gaps or hallucinations.
+4. When you are done, provide ONLY the final, concise, and technically accurate answer or code.
+
+USER PROMPT:
+${userPrompt}
+`.trim();
+  }
+};
+// Tests cover this module through the node:test suite; avoid hardcoding counts here.