GHOST_PROTOCOL.md — Canonical Ghost Protocol Specification

Last updated: April 13, 2026 (Omega v2.7) Supersedes: GHOST_PROTOCOL_UNIFIED.md (March 24), ghost_protocol_v2_1_LOCKED.md, ghost_protocol_v3_0_spec.md, sprint_B12_ghost_protocol.md, epsilon_jtask_update.md, all earlier per-skill-pricing specs, all references to Qwen 3.5 9B as the Ghost server model, all references to ElevenLabs/WaveNet/Google Cloud TTS as the Ghost voice engine.

Newer sprint/handover content overrides older content. Where a sprint file and this doc disagree on a tactical server detail, the sprint file wins until this doc is republished. Where a locked decision in CLAUDE.md contradicts anything below, CLAUDE.md wins.

---

1. WHAT GHOST PROTOCOL IS

Ghost Protocol is alaivOS's private infrastructure layer. It is a server controlled by Citerius Holdings LLC that sits between Laiv and the outside world. Every time Laiv needs capability beyond the phone, it routes through Ghost — anonymously, with zero logging.

One sentence: Ghost is Laiv on steroids — a more powerful brain, smarter search, a richer voice, and overnight Checkup analysis. All powered by your own private server.

The privacy promise: Personal data never leaves the phone. When Laiv reaches out, Ghost strips identity from every request. Search engines never see IPs. Voice services never see accounts. Anthropic never sees raw user data (dual anonymization).

Cardinal rule (IMMUTABLE): Ghost tiers differ ONLY in credit allocation. All Ghost capabilities — Brain, Deep Search, Voice HD, Agent research, Agent cart fill, Agent transactional — are available at EVERY Ghost tier. Credits are the only gate. Laiv Checkup is NOT credit-gated — it is tier-baked (see §7).

---

2. LOCKED DECISIONS

1. Ghost server model = Gemma 4 E4B Q4_K_M on CX43. 12 tok/s, 10 GB loaded RAM, native function calling verified EN/ES/PT, native audio input, native vision. 2× faster than Qwen 3.5 9B on same hardware. Qwen 3.5 9B preserved in Ollama as fallback.
2. Qwen 3.5 9B on Ghost is DEAD as the primary model. All references to "Ghost uses Qwen 9B" in older docs are superseded.
3. Ghost voice = Kokoro 82M (StyleTTS 2, Apache 2.0, 54 voices, 8 languages, CPU-only). ElevenLabs, WaveNet, Google Cloud TTS are DEAD in production — kept only as historical training references in the Bishop pipeline.
4. Credits ONLY gate in-app Ghost skills. No per-skill pricing. No capability gating.
5. Laiv Checkup is tier-baked, not credit-gated. Cadence by tier (§7.2). Day 28 trial Checkup is FREE regardless of subscription status.
6. Dual anonymization on Checkup: device PII strip → Gemma 4 E4B narrative digest → Anthropic Batch API. No raw data ever reaches Anthropic.
7. Anthropic API account = Citerius Holdings LLC ($20 initial credits). Sonnet 4.6 Batch API @ $1.50/$7.50 per MTok.
8. Thinking mode OFF by default on Gemma 4 E4B to prevent 30-second Instant response spikes. Off at server (/api/chat) + toggle at device.
9. CX43 stays (€17/mo, Helsinki). Gemma 4 E4B at 12 tok/s makes Ghost viable on current hardware. Scaling triggers in §11.
10. Cloud Gemini on-device is DEAD. AiProvider enum = 2 values: local, ghost. (gemini, openai, claude removed from on-device path. Anthropic is Checkup-only server-side.)
11. E2EE between device and Ghost for chat/call/Checkup payloads (Signal Protocol for chat, AES-256-GCM for Checkup payloads, TLS 1.3 base). Ghost relay cannot read E2EE chat.
12. Checkup return_token model: device generates UUID v4, Ghost cannot map token to user. 72-hour auto-delete.
13. Voice pipeline inversion — Kokoro-first: EL reference → Kokoro style vector → Kokoro generates reference corpus → fine-tune Piper (on-device ONNX) + Voxtral 3B zero-shot (Ghost HD v1.1+). Users never hear the ElevenLabs voice; Kokoro IS Laiv's voice.
14. 17 tool definitions for native Gemma 4 E4B function calling (Alpha-A, TAW10). Laiv skill execution uses these.

---

3. CREDIT MODEL (Launch)

3.1 Two credit types

Type	Symbol	When consumed	Processing	Cost to Citerius
Deferred (D)	🌙	Overnight batch (midnight–6 AM, WiFi + charging)	Queued, no priority	~$0.005/credit
Instant (I)	⚡	Real-time, immediate	Priority	~$0.008/credit

Graceful degradation: Instant exhausted → queue to Deferred. Deferred exhausted → on-device + DDG only. Ghost never goes dark.

3.2 Ghost subscription tiers

Standard:

Tier	Price	D	I	Annual (10 for 12)
Ghost	$3.99/mo	50	20	$39.90/yr
Ghost Plus	$7.99/mo	80	80	$79.90/yr
Ghost Max	$14.99/mo	100	300	$149.90/yr

Deferred-only (35% off):

Tier	Price	D	I
Ghost Def.	$2.59/mo	70	0
Ghost Plus Def.	$5.19/mo	160	0
Ghost Max Def.	$9.74/mo	400	0

Elite ($23.99) includes Ghost base (50D / 20I). Regional: LatAm ~30% below USD. Ghost Def entry: ~MX$32/mo.

3.3 Credit burn

Capability	D	I	Notes
Ghost Brain (deep reasoning)	1	1	Complex questions beyond on-device
Ghost Search: Deep (Brave)	1	1	DDG insufficient
Ghost Voice HD (Kokoro)	—	1/min	Always real-time
Ghost Agent: Research [v1.2+]	3	3	Browse, compare, report
Ghost Agent: Interactive [v1.2+]	—	5	Cart fill, form fill
Ghost Agent: Transactional [v1.2+]	—	8–15	Checkout with rules
Traffic: live anomaly	—	1	Only when cache flags anomaly
Traffic: cached patterns	0	0	Always free
Morning Pulse (Ghost-enhanced)	1	—	Core+ local = FREE
Laiv Checkup	0	0	Tier-baked, NOT credit-gated

Always FREE: DDG Standard Search, on-device AI, cached traffic patterns, cached price reads, all local data ops, Laiv Checkup runs.

3.4 Credit packs (overage)

In-app purchase. Instant-only. Never expire. FIFO.

Pack	Price	I
Small	$1.99	15
Medium	$4.99	50
Large	$9.99	120

3.5 Rollover

None at launch. Consider soft cap (20% of monthly, max 1 month) as retention lever post-launch if underuse data warrants it.

3.6 RevenueCat products

Product ID	Price	Grants
ghost_standard	$3.99/mo	50D + 20I
ghost_plus	$7.99/mo	80D + 80I
ghost_max	$14.99/mo	100D + 300I
ghost_deferred	$2.59/mo	70D + 0I
ghost_plus_deferred	$5.19/mo	160D + 0I
ghost_max_deferred	$9.74/mo	400D + 0I
ghost_credits_small/medium/large	$1.99/$4.99/$9.99	15/50/120 I consumable
ghost_voice_custom	$7.99	1 voice non-consumable

Entitlements (2 total): ghost_active (any ghost_* sub OR Elite), ghost_voice_custom. All capabilities are credit-gated, not entitlement-gated.

---

4. GENERAL INTELLIGENCE LAYER (FREE — all tiers)

Before Ghost's paid capabilities, every user gets basic intelligence via anonymous search.

4.1 DDG Standard Search (Cloudflare Worker)

Phone → Cloudflare Worker (search.alaivos.com, global edge, <50ms) → DDG Instant Answer API → back. Cost to Citerius: $0.

Tier	DDG/day
Starter	5
Spark	15
Core	30
Pro	50
Elite	Unlimited

Cache: Weather/scores 1h TTL; facts/definitions 24h. Key = SHA-256 of query (no user info).

4.2 Emergency fallback (sacred)

DDG always works for emergency queries (medical/safety keywords, crisis protocol, explicit "emergency"). Bypasses all limits. We NEVER strand a user in an emergency.

---

5. GHOST SERVER (ghost-01, Hetzner CX43, Helsinki)

5.1 Hardware

• Host: ghost-01, Hetzner CX43, 46.62.149.145, Helsinki
• Specs: 8 vCPU, 16 GB RAM, 240 GB NVMe, Ubuntu 24.04
• Kernel: 6.8.0-107 (updated April 13, pending reboot)
• Cost: €17/mo
• Domain: ghost.alaivos.com (Let's Encrypt)

5.2 Services

Service	Port	Purpose	Status
Ollama	11434	Gemma 4 E4B inference (fallback: Qwen 3.5 9B)	Running
ghost-router	internal :11435	nginx → Ollama model-injection proxy (default gemma4:e4b)	Running
sports-cache	8300	31-league multi-sport cache (1h TTL, stale-on-error)	Running
checkup-relay	8100	Checkup Relay (FastAPI) — Gemma anonymizer → Anthropic Batch	Running (awaits API key)
Kokoro TTS	(HTTP shim)	Ghost Voice HD	Eval done, awaiting voice pick
nginx	443	Reverse proxy, SSL, auth (X-Ghost-Token)	Running, headers updated for gemma4:e4b
coturn	3478 / 5349	WebRTC TURN relay (NAT traversal, E2EE-transparent)	Running
Traffic collector	cron	290-city pipeline feed	Running

Ollama config: OLLAMA_HOST=0.0.0.0, OLLAMA_KEEP_ALIVE=-1 (model persistent in RAM). Thinking mode OFF by default for Instant routes.

5.3 Endpoints

Endpoint	Purpose	Auth
GET /	Banner	None
GET /api/health	Health + routing info	None
GET /api/tags	Ollama tags passthrough	X-Ghost-Token
POST /api/chat	Ghost Brain: Instant (thinking OFF)	Token + ghost_active
POST /api/chat/deferred	Ghost Brain: Deferred (thinking ON allowed)	Token + ghost_active
POST /api/search/deep	Deep Search (Brave)	Token + ghost_active
POST /api/tts/hd	Ghost Voice HD (Kokoro 82M)	Token + ghost_active
POST /api/tts/train	Custom Voice training [v1.1+]	Token + payment verify
POST /api/agent/research	Agent: Research [v1.2+]	Token + ghost_active
POST /api/agent/interactive	Agent: Interactive [v1.2+]	Token + ghost_active
POST /api/agent/transactional	Agent: Transactional [v1.2+]	Token + ghost_active
POST /api/traffic/pattern	Cached traffic patterns	Token
POST /api/traffic/live	Live anomaly check	Token + ghost_active
POST /api/checkup/submit	Queue Checkup (anonymized)	Token
GET /api/checkup/result/<return_token>	Poll result	Token
POST /api/checkup/aggregate	Capsule stub [v1.1+, returns 501]	Token
POST /api/sports/*	Sports cache (31 leagues)	Token

Auth model: app-level bearer token rotated per release (X-Ghost-Token header). Entitlement verified via RevenueCat receipt. No user accounts on Ghost — validates "this phone has a valid sub" without knowing WHO.

5.4 Scaling triggers

Trigger	Action	Monthly cost
>500 Ghost subscribers	Evaluate second CX43 node OR upgrade to CX51	+€17–35
>1,000 Deferred active	Dedicated GPU node for overnight Brain	~€230 (GEX44 €184 net-of-discounts)
Agent launch (v1.2+)	Dedicated NanoClaw container node	+€35–70
>10,000 total Ghost subs	Split: Brain / TTS / Agent / Traffic on separate nodes	+€300–500

5.5 Disk budget (year 1)

Traffic snapshots ~6 GB · Patterns ~600 MB · Agent cache ~1.2 GB · Brave cache ~2.4 GB · Checkup ephemeral (72h) ~<100 MB · Total ~10 GB (~4% of 240 GB NVMe). No concern.

---

6. GHOST PROTOCOL LIFECYCLE (request flow)

6.1 In-app Ghost Brain (Instant)

Device                             Ghost (ghost-01)
──────                             ─────────────────
User asks Laiv something on-device
  └→ Can local (Qwen 3.5) handle?
     NO, user has ghost_active
  └→ POST /api/chat
     X-Ghost-Token: <rotated>
     {messages, thinking: false}
                                   nginx → ghost-router → Ollama(gemma4:e4b)
                                   12 tok/s, 10 GB loaded RAM
                                   Native function calling EN/ES/PT
                                   Response streamed back
  └→ Credit burned (1 I)
  └→ Laiv synthesizes with local personal context
  └→ User sees answer, "no fanfare"

6.2 In-app Ghost Brain (Deferred / overnight)

Evening: Laiv queues deferred queries to device NightShift.
Midnight–6 AM (WiFi + charging): device POSTs /api/chat/deferred.
  Gemma 4 E4B processes (thinking ON allowed).
  Results cached locally. Surfaced in Morning Pulse + Thinking Room.
  1 D burned per query.

6.3 Laiv Checkup (overnight, tier-baked, NOT credit)

Device collects domain data (Wellbeing / Planning / Financial).
Device applies rigid PII strip (no names, no exact dates, categories only).
Device generates return_token (UUID v4).
Device POST /api/checkup/submit {return_token, domain, checkup_type, data_summary}.
  No user ID, no device ID.
  Ghost queues in /opt/ghost/data/checkup_queue.db.

Cron at 02:00 UTC (checkup_batch.py):
  For each pending row:
    1. anonymize_with_gemma(): Gemma 4 E4B rewrites JSON as ~500-word
       anonymized narrative digest. Strips implicit PII code rules miss.
       ~60–70% token reduction before Anthropic.
    2. Build Anthropic Batch API request (Sonnet 4.6, system prompt by
       domain × checkup_type, custom_id = return_token).
  Submit batch to Anthropic (Batch API, 50% off standard rate).
  Poll every 5 min until batch ends (typically 1–4 h, SLA <24 h).
  Store result in checkup_results keyed by return_token.

Device polls GET /api/checkup/result/<return_token>.
  Receives {summary, insights, recommendations, patterns_detected,
  watch_items, next_checkup_note}.
  Stores permanently in local SQLite.
  Results auto-deleted from server after 72 h.

Per-checkup cost to Citerius: ~$0.012–0.015.
At 10k paid users × avg ~6–12 checkups/yr: ~$600–900/yr total.

6.4 Voice HD (Kokoro) — Ghost

Device sends text + voice_id to POST /api/tts/hd.
Ghost runs Kokoro 82M (StyleTTS 2 architecture, CPU, ~2–5 s per utterance).
Streams WAV/Opus back. 1 I/min burned.
Fallback chain on failure: Custom Std (on-device) → Laiv Std (bundled) →
Platform TTS → text-only.

6.5 Cart fill / Agent [v1.2+]

Device → Ghost: {task, store, items, budget_max}.
NanoClaw spawns ephemeral Docker container (outbound-only internet,
no access to Ghost filesystem/Ollama/DBs).
Container: headless Chromium + store-skill module performs browse/search/add.
Container returns {cart_total, found, missing, substitutions}.
Container destroyed. Credit burned (8 I cached / 15 I fresh).
User confirms or cancels on device. Ghost never checks out autonomously
outside rule-based transactional mode.

---

7. LAIV CHECKUP (v1.0 feature)

7.1 Three domains

• Wellbeing — sleep, exercise, nutrition, mood, cross-signal correlations.
• Planning — goals, calendar density, projects, learning sessions, focus, habits.
• Financial Health — category spending, budget adherence, recurring expenses, unusual spikes, savings trend.

Each domain has baseline / mid_trial / full / followup prompt variants (10 prompt files in /opt/ghost/prompts/).

7.2 Cadence (tier-baked, not credit)

Tier	Cadence
Starter	— (no recurring)
Spark	Every 6 months (2/yr)
Core	Every 3 months (4/yr)
Pro	Every 2 months (6/yr)
Elite	Monthly (12/yr)

7.3 Trial flow (21-day trial)

• Day 0 (post-onboarding) — Baseline Checkup (Planning-only, built from onboarding data). Submitted immediately, result ready in the first Morning Briefing on Day 1. Hook set instantly.
• Day 14 — Mid-trial (Planning updated + Wellbeing baseline). Delivered alongside Elite trial unlock.
• Day 28 — FULL Checkup (all 3 domains). FREE regardless of subscription status. The conversion moment. CTA is "subscribe to keep these coming," not "pay to see this." Checkup history stays in local SQLite forever.

7.4 Privacy chain (dual anonymization)

1. Device code-strip: rigid rules remove names, specific dates (day-of-week only), locations, merchants, account numbers. Outputs structured JSON with categories + aggregates.
2. Gemma 4 E4B on Ghost: rewrites into ~500-word anonymized narrative digest. Catches implicit PII code rules miss ("my Tuesday marketing standup" → "a recurring mid-week work meeting"). ~60–70% token reduction.
3. Anthropic Batch API (Sonnet 4.6): receives the lean double-anonymized digest. No user identity possible. Overnight processing.
4. Return: Ghost stores result against return_token only. Device polls, fetches, stores locally. Server auto-deletes after 72 h.

7.5 Hints between checkups

Beta-2 "Checkup Teaser Hints" (35 tests): surfaces light pattern nudges in the days between full checkups to maintain the felt value of the feature.

---

8. VOICE ARCHITECTURE

8.1 Tiers

Voice	Setup	Monthly	Runs on	Available
Text only	—	free	—	Starter
Laiv Voice Standard	—	free w/ tier	Device (Piper ONNX bundled in APK)	Spark+
Laiv Voice HD	—	1 I/min in Ghost	Ghost (Kokoro 82M)	Ghost subs
Custom Voice Std	$7.99 one-time	free w/ tier	Device (downloaded)	Spark+
Custom Voice HD	same training	1 I/min in Ghost	Ghost	Ghost subs

No third-party TTS in production. ElevenLabs/WaveNet/Google Cloud TTS are DEAD at runtime.

8.2 Kokoro-first pipeline (inversion)

ElevenLabs custom voice (existing ref audio, never shipped to users)
  └→ Bishop extracts StyleTTS 2 style vector
Kokoro 82M "Laiv voice" = canonical reference (what users actually hear)
  └→ generates reference corpus (500–1000 sentences EN/ES/PT)
     ├→ Fine-tune Piper VITS → ONNX on-device (v1.0 if Bishop ready)
     └→ Voxtral 3B zero-shot embedding → Ghost HD v1.1+

Rationale: Users never heard the EL voice. Kokoro's approximation IS the first voice they hear. Piper trained to match Kokoro (not EL) → quality degrades gracefully. Voxtral clones Kokoro output for Ghost HD — same person, frontier quality.

8.3 Fallback chain

Custom HD (Ghost) → Custom Std (on-device if downloaded) → Laiv HD (Kokoro on Ghost) → Laiv Std (Piper ONNX bundled) → Platform TTS → text-only (Starter).

8.4 Voice during trial

No Ghost access during trial. Standard voice only. Starter expiry = silence. This is the strongest upgrade motivator in the app.

Cross-reference: VOICE_AND_AI.md for full pipeline, model selection, and AMI dynamic loading behaviour.

---

9. LAIV ROUTING INTELLIGENCE

9.1 Decision tree

User triggers query / workflow
 │
 ▼ Can on-device (Qwen 3.5) handle?    YES → local, FREE
 │
 ▼ Factual lookup?                     YES → DDG (FREE, rate-limited by tier)
 │
 ▼ Has Ghost?                          NO  → "With Ghost Protocol, I can do real research..."
 │
 ▼ Urgent / real-time?                 YES → Instant credit check
 │                                            Has capacity → Ghost Instant (gemma4:e4b, thinking OFF)
 │                                            None        → offer to defer
 │
 ▼                                     NO  → queue Deferred → Morning Pulse + Thinking Room

9.2 DDG-first optimization

Every Deep Search hits DDG first (free). Escalate to Brave only if DDG returns thin/empty/disambiguation-only response, OR query contains "research/compare/analyze." Estimated 70–80% resolved by DDG without touching Brave.

9.3 Price pre-fetching (Agent v1.2+, Deferred credits)

Ghost Agent pre-fetches grocery/pharmacy prices overnight. Results cached locally (7 days grocery, 14 days pharmacy). Daytime comparisons read from cache = 0 credits. "Another store is cheaper" notifications = FREE.

Action	Credits
Price pre-fetch for user's list	3 D (per store batch)
Price compare with cache	0
Price compare no cache	8 I
Cart fill with cache	8 I
Cart fill no cache	15 I
"Another store is cheaper" push	0

9.4 Laiv personality on routing

Proactive about deferring, not apologetic: - "Great question — I'll dig into that tonight and have a thorough answer in your Morning Pulse." - "I could look that up right now, or do a deeper dive overnight. Which would you prefer?"

Laiv NEVER mentions DuckDuckGo, Brave, Gemma, Kokoro, Anthropic, servers, APIs, infrastructure. Laiv just knows things.

---

10. MAPS, ROUTING & TRAFFIC (Ghost's role)

10.1 Philosophy

alaivOS is the intelligence layer ("when to leave, what to expect"), not a navigation app. Interactive map + voice nav + motorcycle time + OSRM routing are FREE for ALL tiers (Starter included). Traffic features are gated per MAP_MODULE_SPEC.md / PRICING_AND_TIERS.md:

Gate	Min tier
interactiveMap	Starter
mapTrafficPatterns	Spark
mapFamilySharing	Spark
mapLiveTraffic	Core
mapTrafficNavigate	Pro

10.2 Traffic Intelligence Engine (5-layer composite ETA)

baseline_spline × live_calibration × weather × calendar × event. Catmull-Rom cubic spline for Gold cities, linear for Standard. Factor chips display minutes, not percentages ("Rain expected — adds ~8 min"). Calendar adjustment covers 20 countries (holidays, puentes, Semana Santa, Buen Fin, Día de Muertos).

10.3 Data pipeline

3 servers (ghost-01 CX43 + cx23 + cx23-b), 290 cities Full tier, ZERO paid API deps. Overpass/OSM (backbone) + DDG (enrichment) + Photon Cloudflare Worker (autocomplete) + Nominatim (geocoding) + My Places FTS5. Google Places = temporary real-time luxury layer with dart-define kill-switch, $5,154 MXN credit expires June 5, 2026. Foursquare/Yelp cancelled.

Full pipeline details: DATA_PIPELINE.md.

---

11. GHOST AGENT [v1.2+ beta infrastructure]

11.1 Principle

Build everything. Test internally (friends/family). Flip switches for public release. No store skill goes public until 95%+ reliability over 5 test phases.

11.2 Levels

Level	Credits	Capability
Research	3 D or I	Browse, compare, report. Read-only web.
Interactive	5 I	Fill forms, build carts, apply coupons. Human confirms.
Transactional	8–15 I	Rule-based recurring purchases. Auto-approve under $X.

11.3 NanoClaw architecture

Ephemeral Docker container per task. Container has outbound internet only. CANNOT access Ghost filesystem, Ollama models, traffic DB, any alaivOS infra. Compromise blast radius = zero.

Hero use case: grocery-to-cart (MX retailers: Soriana, Chedraui, Walmart MX, Rappi, UberEats). Pharmacy (Similares, Guadalajara, Benavides, del Ahorro) with delivery-markup comparison.

Security: container-isolated, no identity/payment/personal data access, mandatory human approval gates on Interactive, circuit breakers on Transactional (hard cap, cooldown, anomaly detection).

Full spec: ghost_agent_beta_spec.md.

---

12. VISUAL IDENTITY

12.1 Concept

Ghost Protocol gets its own visual mode: dark, private, unmistakable. Like Chrome incognito trained users to associate dark UI with privacy, Ghost's dark treatment = instant shorthand in app, website, and marketing. "Dark mode, but for your data."

12.2 Design tokens

Token	Value	Usage
ghost-bg	#0D0D0F	Primary dark background
ghost-surface	#161619	Cards, elevated surfaces
ghost-surface-hover	#1E1E22	Hover/active
ghost-border	rgba(255,255,255,0.06)	Subtle card borders
ghost-border-glow	rgba(255,23,68,0.15)	Active/focus borders
ghost-accent	#FF1744	Primary accent
ghost-accent-dim	rgba(255,23,68,0.6)	Secondary accent
ghost-accent-subtle	rgba(255,23,68,0.08)	Banner bg, badge bg
ghost-text	rgba(255,255,255,0.92)	Primary text
ghost-text-muted	rgba(255,255,255,0.45)	Secondary text
ghost-glow	0 0 40px rgba(255,23,68,0.08)	Ambient surface glow
ghost-scanline	rgba(255,255,255,0.015)	Scanline overlay

Typography: Inter, +0.02em letter-spacing on labels for "terminal" feel. Icon: minimalist ghost silhouette or shield-with-slashed-eye (stealth, not Halloween).

12.3 In-app (Flutter)

• GhostProtocolTheme (dark global theme) applied via AnimatedTheme (600 ms crossfade) when user enables Ghost.
• Persistent GhostProtocolBanner below app bar: pulsing red dot + "GHOST PROTOCOL ACTIVE" + shield icon.
• Activation moment (when user enables): dim 200 ms → red pulse from toggle → crossfade to dark 600 ms → banner slides in → medium haptic.
• Settings > Ghost Protocol card styled in dark treatment even when app is in light mode (previews the experience).
• Ghost cards: Color(0xFF161619) surface, 6% white border, 4% red ambient box-shadow.

Builder refs: Ghost_Protocol_App_Spec.md, Ghost_Protocol_Visual_Identity_Spec.md.

12.4 Settings > Ghost Protocol (credit display)

┌─────────────────────────────────────────┐
│  Ghost Plus — $7.99/mo                  │
│  Resets March 28                        │
│                                         │
│  🌙 Overnight     ████████░░  ~75%     │
│  ⚡ Real-time     ██████░░░░  ~50%     │
│                                         │
│  [Get More Credits]  [Manage Plan]      │
└─────────────────────────────────────────┘

Rounded percentages only (~100%/75%/50%/25%/Low). No exact numbers primary. Bar color green → amber → red. "Details" tap for granular breakdown.

---

13. WEBSITE — GHOST PROTOCOL SECTION

13.1 Structural change

Break Ghost Protocol out of <section class="psec"> pricing container into its own full-bleed <section class="ghost-zone"> between pricing and comparison/FAQ. Dark background spans edge-to-edge — scrolling in = entering a different environment.

13.2 Ambient effects

• Scanline overlay — repeating-linear-gradient pseudo-element, rgba(255,255,255,0.015) lines. Surveillance/tech feel without distraction.
• Red ambient glow — two blurred radial orbs (top-right 400×400, bottom-left 300×300), dimmer than main page orbs.
• Scroll-triggered activation — @keyframes ghost-activate (flicker: 0→60%→30%→80%→100%) over 1.2 s, one-time. Via IntersectionObserver.
• Pulsing badge — ghost-pulse 2.5 s loop on ::before red dot.

13.3 Copy

Headline: "Dark mode, but for your data." Subline: "Add sovereign AI to your Pro or Premium plan. Your prompts never leave your ecosystem."

Brand rule: Ghost Protocol always appears in dark context. Never on a light background in marketing. Trains audience: dark = sovereign.

Full spec: Ghost_Protocol_Website_Spec.md.

13.4 Marketing assets

• Split-screen Normal vs Ghost Protocol (light glass vs dark vault) — natural TikTok/Reel format.
• "The Switch" 15-second short: toggle → dim → red pulse → dark crossfade → banner slide → "Dark mode, but for your data."

---

14. TRIAL GHOST ACCESS

Trial users do NOT get Ghost. On-device only during 21-day trial (14 Pro + 7 Elite). Ghost enters surgically on Days 5–7 as a single carefully chosen Ghost-powered insight (with Ghost icon visible). Cost ~$0.08 per trial user. Shows what Ghost CAN do. Gift, not entitlement.

EXCEPT Checkup Day 28, which runs via Ghost Relay regardless of subscription and is FREE.

Trial details: TRIAL_AND_ONBOARDING.md.

---

15. USER COMMUNICATION

Laiv NEVER mentions DuckDuckGo, Brave, Gemma, Kokoro, Anthropic, Ghost, servers, credits, APIs. Laiv just knows things.

Situation	Laiv says
DDG answer	"It's 18°C and rainy in Tokyo right now."
Ghost Brain Deferred	"I researched that overnight — here's what I found."
Ghost Brain Instant	"Here's what I found..." (no fanfare)
Agent result	"Done! $82.47 — 21 of 23 items found."
Suggesting Ghost (non-sub)	"With Ghost Protocol, I can do real research — privately."
~25% credits remaining (once)	"I have a few Ghost sessions left this month. I'll prioritize your biggest questions."
Zero Instant	"I'll queue that for tonight's research. Ghost resets on [date]."
Zero everything	"I'm in on-device mode until [date]. I can still help with everything on your phone."

---

16. COMPLETE TIER CAPABILITY MATRIX

Capability	Starter	Spark	Core	Pro	Elite
On-device AI (AMI cascade)	—	0.8B/2B/4B per RAM	same	same	same
DDG Standard Search	5/day	15/day	30/day	50/day	Unlimited
Voice	Text only	Laiv Voice Std (Piper)	same	same	same
Ghost Protocol sub	—	+$3.99	+$3.99	+$3.99	Base included (50D/20I)
Ghost Voice HD	—	w/ Ghost	w/ Ghost	w/ Ghost	w/ Ghost
Custom Voice	—	$7.99 × 3 max	× 3 max	× 5 max	× 5 max
Laiv Checkup cadence	—	2/yr	4/yr	6/yr	12/yr
Day 28 trial Checkup	✅ FREE	✅	✅	✅	✅
Traffic: cold OSRM	✅	✅	✅	✅	✅
Traffic: patterns	—	✅	✅	✅	✅
Traffic: live + smart departure	—	—	✅	✅	✅
Traffic: coloring + navigate + multi-stop	—	—	—	✅	✅

Per-tier gate detail: PRICING_AND_TIERS.md.

---

17. COSTS & INFRA SUMMARY

Line	Monthly
ghost-01 CX43 (Ghost + Kokoro + Checkup Relay + Coturn + Sports Cache + pipeline feed)	€17
cx23 (Europe traffic)	€4
cx23-b (Expansion + DDG enrichment)	€4
Infra total	€25
TheSportsDB Patreon	$3
Anthropic (Checkup, variable)	~$50–75 @ 10k users
Brave Search API (variable)	~$5–40
Zero paid APIs in POI/search core pipeline	—

Full breakdown: INFRASTRUCTURE.md.

---

18. CANONICAL CROSS-REFERENCES

Topic	Read
AMI dynamic load/unload, Qwen 3.5 on-device, Gemma 4 E4B, Kokoro pipeline, Piper, Voxtral	VOICE_AND_AI.md
CX43 specs, cx23 / cx23-b, Bishop mini-PC, CDN, Cloudflare, cost breakdown	INFRASTRUCTURE.md
All 119+ feature gates × 7 tiers, pricing constants, annual (10-for-12), regional	PRICING_AND_TIERS.md
5-layer composite ETA, 290 cities, Gold/Standard/Lite, calendar countries	DATA_PIPELINE.md
5 map views, voice nav, dock, 5-layer search	MAP_MODULE_SPEC.md
7 defense layers, device fingerprint, Day-14 phone verify	ANTI_ABUSE_SPEC.md
21-day trial, 45-question interview, Day-14 verify	TRIAL_AND_ONBOARDING.md

---

19. CHANGE LOG (condensed)

• Apr 13, 2026 (v2.7): Gemma 4 E4B confirmed as Ghost model. Checkup Relay endpoints added (/api/checkup/submit, /api/checkup/result/<return_token>, /api/checkup/aggregate stub). Dual anonymization (device → Gemma → Anthropic Batch) locked. Laiv Checkup 3-domain cadence baked into tiers. Kokoro 82M locked as Ghost TTS. Voice pipeline inversion (Kokoro-first) locked. Thinking mode OFF default for Instant. Sports cache (31 leagues, :8300) live. nginx headers updated for gemma4:e4b.
• Apr 4, 2026 (v2.6): Coturn on ghost-01:3478/5349 for WebRTC NAT traversal (E2EE-transparent).
• Mar 27, 2026: Qwen 3.5 9B moved from primary to fallback. Simplified to single Ollama model path.
• Mar 24, 2026 (v2.1): Credit model locked as THE launch model. Per-skill pricing killed. Capability gating killed. 2 entitlements only.

---

This is the canonical Ghost Protocol document. If a sprint file disagrees on a tactical server detail, the sprint file wins until this doc is republished. If CLAUDE.md locked decisions disagree, CLAUDE.md wins. All other Ghost Protocol files are historical.