Runtime·Model layer
Model routing
Models are routed capabilities inside a controlled runtime. They propose, embed, extract, rerank, and explain. They do not override validators, scoring contracts, or scientific review — that boundary is enforced in code.
All model routes are local-first and task-specific. Each route has a role, a fallback, and a boundary; the platform remains operational through deterministic descriptors when any specific route is unavailable.
The route table
| Task | Preferred model | Role |
| --- | --- | --- |
| Text embeddings | BAAI/bge-m3 | Evidence retrieval, document context, paper organisation |
| Evidence reranking | BAAI/bge-reranker-v2-m3 | Sharpens evidence context before explanation |
| Sequence embeddings | facebook/esm2_t12_35M_UR50D | Peptide similarity, novelty context, sequence-space mapping |
| Entity extraction | urchade/gliner_large-v2 | Scientific entity extraction from local records (additive signal) |
| Claim QA | tasksource/ModernBERT-base-nli | Entailment checks on generated statements against local evidence |
| Candidate proposal & explanation | Local Qwen / MLX | Proposal augmentation, evidence synthesis, candidate rationale |
The routing matrix lives in runtime/model_router.py::AGENT_MODEL_ROUTES. The actual selected backend for each task is decided by models/router.py::route_task with priority ollama > lmstudio > huggingface > local.
Local-first by design
Default execution is on-device. External providers are escalation paths, not default scientific infrastructure. The provider policy in agents/providers/provider_policy.py allows LOCAL_PROVIDERS (local, mlx, huggingface-cache, ollama, lmstudio, heuristic) unconditionally. Remote huggingface (the API, not the cache), xai-oauth, grok, and other generic external providers are denied today.
Authorised escalations
Two narrow escalation paths are authorised. Both call openai-codex/gpt-5.5 through the OpenClaw CLI and both remain downstream of local policy, external-provider safety, and deterministic fallback.
- pipelines/autonomous_thesis/ may use OpenClaw for thesis cognition — prose sections (title, abstract, introduction, mechanistic framework, discussion, conclusion, editorial polish) plus bounded deep research, hypothesis reframing, candidate critique, experiment design, publication reasoning, and failure interpretation. All of it runs under the publication-guard quality gate and the operator approval rail, and carries no scoring, validation, or learning-mutation authority. Candidate scoring is deliberately not an OpenClaw purpose — it stays deterministic and local.
- pipelines/peptide_function_router/galen_reasoning.py may use OpenClaw for bounded peptide-function-router reasoning cards. Deterministic feature extraction, validation, and safety gates remain local.
The boundary contract holds across every OpenClaw call:
- the call is made through OpenClaw, never bypassing its auth, external-provider safety, or quota controls
- every prose call is wrapped in the legacy-named safety wrapper pipelines/autonomous_thesis/llm_safety.py (sanitize → validate → retry-with-feedback → final deterministic fallback)
- every peptide-function-router call is routed through the local deterministic preliminary bundle and llm_safety.py before a card can be accepted
- the reviewer committee remains the canonical gate
- every thesis cycle records a prose_model_log with per-section attempt metadata
- gpt-5.5 outputs cannot bypass the epistemic-marker requirement, the trusted-tier evidence-only policy, the fabricated-citation guard, the overclaim phrase block, or the sequence-leak prevention
Outside those two call sites, Bio pipelines may not invoke OpenClaw. OpenClaw is not part of Gitlawb replication; Gitlawb publication is controlled by mirror policy, artifact classification, publication-safety enforcement, and reconciliation.
The external-provider safety gate
agents/providers/redaction_gate.py::prepare_external_payload() strips sequence-like strings, salts, selected batches, source traces, scoring internals, optimization fields, embeddings, failure logs, unfiled IP, private manifests, and local paths from anything routed to an external provider. That is a concrete provider-governance boundary, not a publication policy: published candidates and families still expose full sequences on Protean-owned public surfaces.
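A minimal sketch of a gate of this kind, added here as an illustration and not the code in agents/providers/redaction_gate.py: it drops denied fields, scrubs sequence-like strings and local paths, and fails closed if anything survives in the serialized payload. The function name redact_for_external, the key fragments, both regexes and the sample payload are assumptions.

```python
import json
import re

# Assumed key fragments (hypothetical names) for fields that must stay local.
DENIED_KEY_PARTS = ("salt", "batch", "trace", "scoring", "optimization",
                    "embedding", "failure_log", "manifest")
# Sequence-like: 8+ consecutive one-letter amino-acid codes (assumed threshold;
# it also catches some all-caps words, which is the safe direction to err in).
SEQ_RE = re.compile(r"\b[ACDEFGHIKLMNPQRSTVWY]{8,}\b")
# Local paths: home-relative or under common absolute roots (assumed list).
PATH_RE = re.compile(r"(?:~|/(?:Users|home|var|tmp|opt|etc))/[^\s\"']+")

def _scrub(text):
    text = SEQ_RE.sub("[redacted-sequence]", text)
    return PATH_RE.sub("[redacted-path]", text)

def _walk(value, report, where):
    if isinstance(value, dict):
        kept = {}
        for key, item in value.items():
            if any(part in key.lower() for part in DENIED_KEY_PARTS):
                report.append(f"{where}.{key}: dropped")
            else:
                kept[key] = _walk(item, report, f"{where}.{key}")
        return kept
    if isinstance(value, list):
        return [_walk(v, report, f"{where}[{i}]") for i, v in enumerate(value)]
    if isinstance(value, str):
        cleaned = _scrub(value)
        if cleaned != value:
            report.append(f"{where}: scrubbed")
        return cleaned
    return value

def redact_for_external(payload):
    """Return (cleaned_payload, report); raise instead of sending on any leak."""
    report = []
    cleaned = _walk(payload, report, "$")
    # Fail closed: re-scan the serialized result, which also covers dict keys.
    wire = json.dumps(cleaned)
    if SEQ_RE.search(wire) or PATH_RE.search(wire):
        raise ValueError("redaction incomplete; payload must not leave the host")
    return cleaned, report

SAMPLE = {  # constructed sample payload, not real project data
    "task": "candidate critique",
    "prompt": "Critique GLFDIVKKVVGALGSL stored at /Users/alice/runs/b7/out.json",
    "scoring_internals": {"weights": [0.4, 0.6]},
    "context": [{"note": "family summary only", "embedding": [0.1, 0.2]}],
}
```

The report lists what was dropped or scrubbed by JSON path, so a reviewer can audit an external call without seeing the removed values.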
Degraded operation
If a model route is unavailable, the runtime remains operational through deterministic descriptors, k-mer similarity, rule-based extraction, heuristic scoring, and structured explanations. Degraded operation is intentional — it ensures the platform can continue to produce reproducible candidate state while clearly marking where richer model support was unavailable.
