---
license: apache-2.0
language:
- en
- fr
library_name: transformers
pipeline_tag: text-generation
tags:
- agentic
- function-calling
- tool-use
- structured-generation
- orchestration
- code-agent
- mcp
- edge
- small-language-model
base_model: AMFORGE/samg-reasoning
model-index:
- name: SAM-G-CobraTooling
  results:
  - task:
      type: agentic-orchestration
      name: Agentic IDE tool-call orchestration (13 families, held-out)
    metrics:
    - type: exact_match
      value: 78.8
      name: Exact plan match, aggregate (%)
    - type: accuracy
      value: 94.0
      name: Risk-gate fidelity (%)
---

# SAM-G-CobraTooling

**SAM-G-CobraTooling** is a 30.3M-parameter model fine-tuned from
[SAM-G-Reasoning](https://huggingface.co/AMFORGE/samg-reasoning) on 196k
agentic orchestration traces. It turns a natural-language instruction — or an
observation from a previous step — into an **ordered, risk-flagged JSON plan of
tool calls**. It is the local orchestration layer of an agentic IDE: it routes,
decomposes, tracks state, reacts to exit codes and HTTP status, and emits
structured tool calls entirely offline. It does **not** write code; code is
delegated to a larger model via an `ask_code_model` hand-off. Built by
**AMEFORGE** for the CobraBub IDE.

- **Parameters:** 30.3M · **Footprint:** 121 MB fp32 (~30 MB quantized) · **Base:** SAM-G-Reasoning
- **Fine-tuning:** prompt-masked SFT (loss on the plan span only), cosine 8e-5, 10k steps, best at 6k
- **Aggregate exact plan-match:** 78.8% (held-out, disjoint seed)
- **Lineage:** SAM-G → SAM-G-Reasoning → SAM-G-CobraTooling

## Output format

```
<instruction>                     [ACTION] {"plan":[{"op":...,"args":{...},"risk":"safe|critical"}, ...]}
<intent> | {"last_op":...,"...":...} [ACTION] {"plan":[ ... ]}      # reactive (observation-driven)
```

Every step carries a `risk` flag (`safe` or `critical`) that drives the IDE
confirmation gate: safe ops run autonomously, critical ops require explicit
user confirmation.

## What it is good at — and what it is not

Stress-tested on thirteen families. The pattern mirrors the rest of the SAM-G
line: it excels at **routing and reaction** (short, procedural) and is limited
on **long ordered chains** that must match exactly at 30M parameters.

| Family | Exact % | Type |
|---|---|---|
| single_tool (routing) | 100 | routing |
| retry_loop (exit-code state machine) | 100 | reaction |
| feedback_react (stdout/stderr) | 100 | reaction |
| git_workflow (status→add→push, gated) | 100 | procedural |
| scrape_research (fetch→summarize→act) | 100 | procedural |
| db_query (SQL, SELECT vs mutation) | 100 | structured call |
| webhook_wait (async callback) | 92 | async reaction |
| **mcp_call (filesystem/github/postgres)** | **83** | **structured call** |
| api_call (REST/GraphQL + HTTP state machine) | 75 | structured call |
| plan_chain (multi-step plans) | 58 | planning |
| risk_gate (mixed safe/critical plans) | 58 | gated planning |
| fs_watch (file-change reaction) | 42 | async reaction |
| build_test_cycle (edit→test→react + hand-off) | 17 | long chain |

Routing, exit-code reaction, git, scraping and SQL routing are saturated.
`mcp_call` at 83% makes the model a viable local driver for MCP servers — the
core capability of a hosted code agent, here running offline. `plan_chain` rose
from the v1 plateau (0–42%) to 58% after broadening generator coverage.
`build_test_cycle` remains the hard family: four-to-five ordered ops ending in a
code-model hand-off, scored by strict exact match — the same long-chain ceiling
seen with arithmetic in SAM-G-Reasoning. For those, decompose app-side into
shorter sub-calls.

## Security: the risk flag is advisory, not a boundary

The model flags critical ops with **94% fidelity** across all families — strong
for pre-flagging and good UX. **It must not be the sole security boundary.** A
30M model will mis-flag a fraction of decisions, and the failure modes are
asymmetric: a false negative (a critical op flagged `safe`) would auto-run a
destructive command without confirmation. Integrators must add a
**deterministic backstop**: a hard whitelist/blacklist in the app that forces
`critical` on known-dangerous operations (`rm -rf`, `git push`, `DROP`/`DELETE`,
external mutating HTTP, MCP write tools, `delete_file`) regardless of the
model's flag. Treat the model's `risk` field as a fast hint that pre-fills the
confirmation gate, with the app's deterministic rules as the enforced boundary.

## Op vocabulary

Routing/IO: `open_file`, `list_dir`, `run_command`, `scrape`, `summarize`,
`capture`, `open_app`. Hand-off: `ask_code_model`, `write_file`. Control:
`retry`, `escalate`, `backoff`, `reauth`, `continue`, `stop`. Integrations:
`api_call`, `mcp_call`, `db_query`, `webhook_wait`, `fs_watch`, `git_push`.

## Intended use

The local planning/routing/reaction layer of an agentic IDE: decompose an
instruction into ordered tool calls, react to observations (exit codes, stderr,
HTTP status, DB row counts, webhook payloads, file-change events), and emit
structured, risk-flagged plans offline and for free. Roughly the procedural
majority of agentic turns; hard code generation and long exact chains are
escalated to a larger model via `ask_code_model`.

## Usage

```python
import sentencepiece as spm, torch
sp = spm.SentencePieceProcessor(); sp.Load("samg_tokenizer.model")

# routing
prompt = "open src/main.js and run the tests [ACTION]"
# -> {"plan":[{"op":"open_file","args":{"path":"src/main.js"},"risk":"safe"},
#             {"op":"run_command","args":{"cmd":"pytest"},"risk":"safe"}]}

# reactive: HTTP 429 -> back off and retry
prompt = "rate limited, back off and retry | {\"last_op\":\"api_call\",\"status\":429} [ACTION]"
# -> {"plan":[{"op":"backoff","args":{"seconds":30},"risk":"safe"},
#             {"op":"retry","args":{"attempt":2},"risk":"safe"}]}

ids = torch.tensor([sp.EncodeAsIds(prompt)])
# greedy-decode the [ACTION] span -> structured plan JSON
```

## Limitations

- `build_test_cycle` (17%) and the exact-match of `plan_chain`/`risk_gate`
  (58%) plateau because long, strictly-ordered plans are hard at 30M; decompose
  long plans app-side into shorter sub-calls.
- The `risk` flag is advisory (94% fidelity); enforce a deterministic backstop
  in the app, as above.
- Traces are synthetic, drawn from the training family distribution with a
  disjoint evaluation seed; coverage reflects the generator, not arbitrary
  real-world tool APIs.
- Not a general assistant and does not write code; it orchestrates and hands
  off. Inherits the base model's knowledge limits.

## Citation

```bibtex
@misc{samgcobratooling2026,
  title  = {SAM-G-CobraTooling: Risk-Flagged Agentic Tool-Call Orchestration at 30M Parameters},
  author = {AMEFORGE Lab},
  year   = {2026}
}
```