ghost-dragon 4.2.1

package/src/brain/claude-cli.ts

@@ -0,0 +1,78 @@
+/**
+ * Claude-CLI brain — drive the agent with the LOCAL `claude` CLI (Claude Code) in
+ * headless mode, reusing the operator's EXISTING Claude Code auth. No separate
+ * ANTHROPIC_API_KEY needed: if `--brain claude` has no API key but the `claude` binary
+ * is on PATH, the factory falls back here ("use this Claude").
+ *
+ * It runs `claude -p --output-format json` per turn, feeding the rendered conversation
+ * on stdin and asking for ONLY the next tool call(s) as a JSON array (EMBER's exact
+ * format) — so the same parser handles it AND the captured ~/.dragon/traces are
+ * Claude-quality decisions IN dragon-cli's contract: the gold distillation data for the
+ * next EMBER. Caveats: heavier than the API (spawns Claude Code per turn) and it bills
+ * the operator's Claude Code usage — fine for flywheel-filling, not low-latency chat.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import { spawn } from 'node:child_process'
+import type { Brain, BrainMessage, BrainTurn, TurnOpts } from './types.js'
+import { parseEmberToolCalls } from './ghost-ember.js'
+
+function render(system: string, messages: BrainMessage[], toolNames: string[]): string {
+  const convo = messages.map((m) => {
+    if (m.role === 'tool') return `[tool result: ${m.toolName ?? 'tool'}]\n${m.content}`.slice(0, 4000)
+    if (m.role === 'assistant') return `[assistant] ${m.toolCalls?.length ? JSON.stringify(m.toolCalls.map((t) => ({ tool: t.name, arguments: t.arguments }))) : m.content}`
+    return `[user] ${m.content}`
+  }).join('\n\n')
+  return `${system}\n\n── CONVERSATION SO FAR ──\n${convo}\n\n── YOUR TASK ──\n` +
+    'You are the REASONING brain of an external agent — do NOT use your own tools or take any action yourself. ' +
+    'When you need the agent to act, respond with ONLY a JSON array of the next tool call(s), no prose:\n' +
+    '[{"tool":"<name>","arguments":{…}}]\n' +
+    'When you have enough to finish, respond with your final answer as PLAIN TEXT (no JSON array). ' +
+    `The agent's available tools are: ${toolNames.join(', ')}.`
+}
+
+function runClaude(args: string[], prompt: string, signal?: AbortSignal): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const cp = spawn('claude', args, { stdio: ['pipe', 'pipe', 'ignore'], signal })
+    let out = ''
+    cp.stdout.on('data', (d) => { out += d })
+    cp.on('error', reject)
+    cp.on('close', () => {
+      // --output-format json → either a single result object or a stream array;
+      // the assistant text lives in the `result` field of the type:'result' event.
+      try {
+        const parsed = JSON.parse(out)
+        if (Array.isArray(parsed)) {
+          const res = parsed.find((e) => e && e.type === 'result')
+          return resolve(typeof res?.result === 'string' ? res.result : '')
+        }
+        return resolve(typeof parsed?.result === 'string' ? parsed.result : out)
+      } catch { resolve(out) }
+    })
+    cp.stdin.write(prompt)
+    cp.stdin.end()
+  })
+}
+
+export function makeClaudeCliBrain(opts?: { model?: string }): Brain {
+  return {
+    id: 'claude',
+    model: opts?.model ? `${opts.model} (cli)` : 'claude-code (cli)',
+    async turn(t: TurnOpts): Promise<BrainTurn> {
+      // --model FIRST (so the variadic --disallowedTools below doesn't swallow it).
+      const args = ['-p', '--output-format', 'json']
+      if (opts?.model) args.push('--model', opts.model)
+      // Disable Claude Code's OWN acting tools so it can't do the work itself — it must
+      // route through dragon-cli (its decisions become EMBER's training traces) and only
+      // produce prose once dragon-cli feeds the results back. Variadic → keep LAST.
+      args.push('--disallowedTools', 'Bash', 'Edit', 'Write', 'Read', 'Grep', 'Glob',
+        'MultiEdit', 'NotebookEdit', 'Task', 'WebFetch', 'WebSearch')
+      const prompt = render(t.system, t.messages, t.tools.map((x) => x.name))
+      const text = await runClaude(args, prompt, t.signal)
+      const toolCalls = parseEmberToolCalls(text)
+      t.onDelta?.(toolCalls.length ? toolCalls.map((c) => `→ ${c.name}`).join('  ') : text)
+      return { text: toolCalls.length ? '' : text, toolCalls }
+    },
+  }
+}

package/src/brain/ghost-ember.ts

@@ -0,0 +1,94 @@
+/**
+ * Ghost / EMBER brain — Ghost Protocol's own local model (DragonSpark's EMBER,
+ * served by Ollama) as the agent's reasoning layer.
+ *
+ * EMBER is a small specialist FINE-TUNED to emit tool calls as a JSON array in the
+ * response TEXT — `[{"tool":"Bash","arguments":{…}}]` — NOT via the OpenAI native
+ * function-calling protocol. So this adapter, unlike the generic openai-compat brain:
+ *   1. does NOT send `tools`/`tool_choice` (EMBER ignores them); instead it appends a
+ *      terse output contract + the available tool names to the system prompt, matching
+ *      what EMBER was trained on (DragonSpark configs/fixtures/system_prompt.txt);
+ *   2. parses EMBER's JSON-array output back into the loop's normalized ToolCall shape.
+ *
+ * This format bridge is doubly important: it makes EMBER's calls EXECUTE in the loop
+ * AND makes the emitted ~/.dragon/traces training-grade (the flywheel that improves the
+ * next EMBER). Wyrm-RAG comes for free — dragon-cli already folds recalled project
+ * context into the system prompt (loop.ts buildSystemPrompt `primed`), so EMBER decides
+ * WITH memory, which is the whole "Wyrm is the brain" thesis.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import type { Brain, BrainMessage, BrainTurn, ToolCall, TurnOpts } from './types.js'
+
+const EMBER_CONTRACT =
+  '\n\n── OUTPUT CONTRACT (EMBER) ──\n' +
+  'Respond with ONLY a JSON array of the tool call(s) to make, no prose:\n' +
+  '[{"tool":"<name>","arguments":{…}}]\n' +
+  'If the task is complete and no tool is needed, respond with [].'
+
+function oaiMessages(system: string, messages: BrainMessage[], toolNames: string[]) {
+  const sys = system + EMBER_CONTRACT + '\nAvailable tools: ' + toolNames.join(', ')
+  const out: { role: string; content: string }[] = [{ role: 'system', content: sys }]
+  for (const m of messages) {
+    if (m.role === 'tool') {
+      out.push({ role: 'user', content: `[observed] ${m.toolName ?? 'tool'} → ${m.content}`.slice(0, 1200) })
+    } else if (m.role === 'assistant') {
+      out.push({ role: 'assistant', content: m.toolCalls?.length ? JSON.stringify(m.toolCalls.map((t) => ({ tool: t.name, arguments: t.arguments }))) : m.content })
+    } else {
+      out.push({ role: 'user', content: m.content })
+    }
+  }
+  return out
+}
+
+/** Pull EMBER's JSON tool array out of the response text (tolerant of stray prose). */
+export function parseEmberToolCalls(text: string): ToolCall[] {
+  const m = text.match(/\[[\s\S]*\]/)
+  if (!m) return []
+  let arr: unknown
+  try { arr = JSON.parse(m[0]) } catch { return [] }
+  if (!Array.isArray(arr)) return []
+  const calls: ToolCall[] = []
+  arr.forEach((c, i) => {
+    if (c && typeof c === 'object' && typeof (c as Record<string, unknown>).tool === 'string') {
+      const o = c as Record<string, unknown>
+      calls.push({ id: `ember_${Date.now()}_${i}`, name: o.tool as string, arguments: (o.arguments as Record<string, unknown>) ?? {} })
+    }
+  })
+  return calls
+}
+
+export function makeGhostEmberBrain(opts: { baseURL: string; model: string }): Brain {
+  const baseURL = opts.baseURL.replace(/\/+$/, '')
+  return {
+    id: 'ghost',
+    model: opts.model,
+    async turn(t: TurnOpts): Promise<BrainTurn> {
+      const toolNames = t.tools.map((tl) => tl.name)
+      const res = await fetch(`${baseURL}/chat/completions`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json', authorization: 'Bearer ghost' },
+        body: JSON.stringify({
+          model: opts.model,
+          messages: oaiMessages(t.system, t.messages, toolNames),
+          temperature: 0.1,
+          stream: false,
+          max_tokens: t.maxTokens ?? 512,
+        }),
+        signal: t.signal,
+      })
+      if (!res.ok) {
+        const body = await res.text().catch(() => res.statusText)
+        throw new Error(`ghost(EMBER) brain HTTP ${res.status}: ${body.slice(0, 300)} — is Ollama serving '${opts.model}'? (dragon-spark serve)`)
+      }
+      const data = (await res.json()) as { choices?: { message?: { content?: string } }[] }
+      const text = data.choices?.[0]?.message?.content ?? ''
+      const toolCalls = parseEmberToolCalls(text)
+      // EMBER emits JSON, not prose — surface a readable line for the operator/trace.
+      const display = toolCalls.length ? toolCalls.map((c) => `→ ${c.name}`).join('  ') : text
+      t.onDelta?.(display)
+      return { text: toolCalls.length ? '' : text, toolCalls }
+    },
+  }
+}

package/src/brain/index.ts

@@ -0,0 +1,99 @@
+/**
+ * Brain factory — resolves which model drives the agent, from (in priority)
+ * an explicit override → env → ~/.dragon/config.json → built-in default
+ * ('claude'). Keys come from env first, then config (`dragon config key …`).
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import { execSync } from 'node:child_process'
+import { loadConfig } from '../config.js'
+import type { Brain } from './types.js'
+import { makeClaudeBrain, DEFAULT_CLAUDE_MODEL } from './anthropic.js'
+import { makeClaudeCliBrain } from './claude-cli.js'
+import { makeOpenAICompatBrain } from './openai-compat.js'
+import { makeGhostEmberBrain } from './ghost-ember.js'
+import { makeWorkerBrain } from './worker.js'
+import { makeRouterBrain } from './router/index.js'
+
+/** Is the local `claude` CLI (Claude Code) on PATH? Lets `--brain claude` reuse the
+ *  operator's existing Claude Code auth when no API key is configured. */
+function hasClaudeCli(): boolean {
+  try { execSync('command -v claude', { stdio: 'ignore' }); return true } catch { return false }
+}
+
+export type { Brain, BrainMessage, ToolSpec, ToolCall, BrainTurn } from './types.js'
+
+export type Provider = 'claude' | 'openai' | 'local' | 'ghost' | 'worker' | 'custom' | 'router'
+export const PROVIDERS: Provider[] = ['claude', 'worker', 'local', 'ghost', 'openai', 'custom', 'router']
+
+/** Missing/invalid key → thrown so commands can print a friendly fix. */
+export class BrainConfigError extends Error {
+  constructor(public provider: Provider, message: string) {
+    super(message)
+    this.name = 'BrainConfigError'
+  }
+}
+
+export function resolveProvider(override?: string): Provider {
+  const cfg = loadConfig()
+  const want = (override || process.env.DRAGON_BRAIN || cfg.brain?.provider || 'claude').toLowerCase()
+  return (PROVIDERS as string[]).includes(want) ? (want as Provider) : 'claude'
+}
+
+export function getBrain(opts?: { provider?: string; model?: string }): Brain {
+  const cfg = loadConfig()
+  const provider = resolveProvider(opts?.provider)
+
+  if (provider === 'claude') {
+    const apiKey = process.env.ANTHROPIC_API_KEY || cfg.brain?.keys?.anthropic
+    const override = opts?.model || process.env.DRAGON_MODEL || cfg.brain?.model
+    if (apiKey) return makeClaudeBrain({ apiKey, model: override || DEFAULT_CLAUDE_MODEL })
+    // No API key → reuse the local Claude Code CLI's own auth ("use this Claude").
+    if (hasClaudeCli()) return makeClaudeCliBrain({ model: override })
+    throw new BrainConfigError('claude', 'no Anthropic key and no `claude` CLI found — set ANTHROPIC_API_KEY, run `dragon config key anthropic <key>`, install Claude Code, or use `--brain local`.')
+  }
+
+  if (provider === 'openai') {
+    const apiKey = process.env.OPENAI_API_KEY || cfg.brain?.keys?.openai
+    if (!apiKey) throw new BrainConfigError('openai', 'no OpenAI key — set OPENAI_API_KEY or run `dragon config key openai <key>`.')
+    const model = opts?.model || process.env.DRAGON_MODEL || cfg.brain?.model || 'gpt-4o'
+    return makeOpenAICompatBrain({ id: 'openai', baseURL: 'https://api.openai.com/v1', apiKey, model })
+  }
+
+  if (provider === 'worker') {
+    // Our Cloudflare Workers AI — free, no key, just `dragon login`.
+    return makeWorkerBrain()
+  }
+
+  if (provider === 'custom') {
+    // ANY OpenAI-compatible endpoint — OpenRouter, vLLM, LM Studio, llama.cpp, etc.
+    const baseURL = process.env.DRAGON_OPENAI_BASE || cfg.brain?.customBaseURL
+    if (!baseURL) throw new BrainConfigError('custom', 'no custom endpoint — set DRAGON_OPENAI_BASE (any OpenAI-compatible base URL) or `dragon config custom-url <url>`.')
+    const apiKey = process.env.DRAGON_OPENAI_KEY || cfg.brain?.keys?.openai || 'none'
+    const model = opts?.model || process.env.DRAGON_CUSTOM_MODEL || cfg.brain?.customModel || 'default'
+    return makeOpenAICompatBrain({ id: 'custom', baseURL, apiKey, model })
+  }
+
+  if (provider === 'router') {
+    // The Ghost Router — classifies each turn and delegates to the best local
+    // model (or escalates to Claude). `resolve` is injected so the router can
+    // build sibling brains without a circular import.
+    const localBaseURL = process.env.DRAGON_LOCAL_URL || cfg.brain?.localBaseURL || 'http://localhost:11434/v1'
+    return makeRouterBrain({ resolve: (p, m) => getBrain({ provider: p, model: m }), localBaseURL })
+  }
+
+  if (provider === 'ghost') {
+    // DragonSpark's EMBER — Ghost Protocol's own fine-tuned local model, served by
+    // Ollama. Uses the EMBER-specific adapter (JSON-array tool format + Wyrm-RAG via
+    // the primed system prompt), NOT generic OpenAI function-calling.
+    const baseURL = process.env.DRAGON_GHOST_URL || cfg.brain?.ghostBaseURL || 'http://localhost:11434/v1'
+    const model = opts?.model || process.env.DRAGON_GHOST_MODEL || cfg.brain?.ghostModel || 'ember'
+    return makeGhostEmberBrain({ baseURL, model })
+  }
+
+  // local (Ollama / any OpenAI-compatible local server) — sovereign, $0
+  const baseURL = process.env.DRAGON_LOCAL_URL || cfg.brain?.localBaseURL || 'http://localhost:11434/v1'
+  const model = opts?.model || process.env.DRAGON_LOCAL_MODEL || cfg.brain?.localModel || 'qwen2.5-coder:7b'
+  return makeOpenAICompatBrain({ id: 'local', baseURL, apiKey: 'ollama', model })
+}

package/src/brain/openai-compat.ts

@@ -0,0 +1,115 @@
+/**
+ * OpenAI-compatible brain — one implementation, two providers:
+ *   - 'openai' → https://api.openai.com/v1   (GPT)
+ *   - 'local'  → http://localhost:11434/v1   (Ollama; sovereign, $0)
+ * Any other OpenAI-compatible server works too via a custom baseURL.
+ *
+ * Speaks the Chat Completions streaming protocol with function tools, decoding
+ * SSE deltas: `delta.content` → text, `delta.tool_calls[]` → accumulated by
+ * index (id + name once, arguments streamed as string chunks → JSON-parsed at
+ * the end). No SDK — plain fetch keeps the dep surface small.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import type { Brain, BrainMessage, BrainTurn, TurnOpts } from './types.js'
+
+interface OAIMessage {
+  role: 'system' | 'user' | 'assistant' | 'tool'
+  content: string | null
+  tool_calls?: { id: string; type: 'function'; function: { name: string; arguments: string } }[]
+  tool_call_id?: string
+}
+
+function toOpenAI(system: string, messages: BrainMessage[]): OAIMessage[] {
+  const out: OAIMessage[] = [{ role: 'system', content: system }]
+  for (const m of messages) {
+    if (m.role === 'tool') {
+      out.push({ role: 'tool', tool_call_id: m.toolCallId ?? '', content: m.content })
+    } else if (m.role === 'assistant') {
+      out.push({
+        role: 'assistant',
+        content: m.content || null,
+        tool_calls: m.toolCalls?.length
+          ? m.toolCalls.map((tc) => ({ id: tc.id, type: 'function' as const, function: { name: tc.name, arguments: JSON.stringify(tc.arguments ?? {}) } }))
+          : undefined,
+      })
+    } else {
+      out.push({ role: 'user', content: m.content })
+    }
+  }
+  return out
+}
+
+interface AccTool { id: string; name: string; args: string }
+
+export function makeOpenAICompatBrain(opts: { id: string; baseURL: string; apiKey: string; model: string }): Brain {
+  const baseURL = opts.baseURL.replace(/\/+$/, '')
+  return {
+    id: opts.id,
+    model: opts.model,
+    async turn(t: TurnOpts): Promise<BrainTurn> {
+      const res = await fetch(`${baseURL}/chat/completions`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json', authorization: `Bearer ${opts.apiKey}` },
+        body: JSON.stringify({
+          model: opts.model,
+          messages: toOpenAI(t.system, t.messages),
+          tools: t.tools.length ? t.tools.map((tool) => ({ type: 'function', function: { name: tool.name, description: tool.description, parameters: tool.parameters } })) : undefined,
+          tool_choice: t.tools.length ? 'auto' : undefined,
+          stream: true,
+          max_tokens: t.maxTokens ?? 8192,
+        }),
+        signal: t.signal,
+      })
+      if (!res.ok || !res.body) {
+        const body = await res.text().catch(() => res.statusText)
+        throw new Error(`${opts.id} brain HTTP ${res.status}: ${body.slice(0, 400)}`)
+      }
+
+      const reader = res.body.getReader()
+      const dec = new TextDecoder()
+      let buf = ''
+      let text = ''
+      const acc = new Map<number, AccTool>()
+
+      for (;;) {
+        const { value, done } = await reader.read()
+        if (done) break
+        buf += dec.decode(value, { stream: true })
+        const lines = buf.split('\n')
+        buf = lines.pop() ?? ''
+        for (const line of lines) {
+          if (!line.startsWith('data: ')) continue
+          const data = line.slice(6).trim()
+          if (data === '[DONE]') break
+          let obj: any
+          try { obj = JSON.parse(data) } catch { continue }
+          const delta = obj.choices?.[0]?.delta
+          if (!delta) continue
+          if (typeof delta.content === 'string' && delta.content) {
+            text += delta.content
+            t.onDelta?.(delta.content)
+          }
+          for (const tc of delta.tool_calls ?? []) {
+            const idx = tc.index ?? 0
+            const cur = acc.get(idx) ?? { id: '', name: '', args: '' }
+            if (tc.id) cur.id = tc.id
+            if (tc.function?.name) cur.name = tc.function.name
+            if (tc.function?.arguments) cur.args += tc.function.arguments
+            acc.set(idx, cur)
+          }
+        }
+      }
+
+      const toolCalls: BrainTurn['toolCalls'] = [...acc.values()]
+        .filter((a) => a.name)
+        .map((a, i) => {
+          let args: Record<string, unknown> = {}
+          try { args = a.args ? JSON.parse(a.args) : {} } catch { args = {} }
+          return { id: a.id || `call_${i}`, name: a.name, arguments: args }
+        })
+      return { text, toolCalls }
+    },
+  }
+}

package/src/brain/router/classify.ts

@@ -0,0 +1,167 @@
+/**
+ * Request classification for the Ghost Router — intent × difficulty × stakes.
+ *
+ * INTENT is decided semantically: we embed the current user message with the
+ * already-resident nomic-embed-text (via Ollama, ~0 extra VRAM) and take the
+ * nearest route centroid. A deterministic keyword classifier is the fallback when
+ * embeddings are unavailable, so routing degrades gracefully (never throws).
+ *
+ * DIFFICULTY and STAKES are cheap deterministic heuristics — no model needed.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import type { BrainMessage } from '../types.js'
+
+export type Intent = 'reasoning' | 'code' | 'tools' | 'chat' | 'ops_security'
+export type Stakes = 'security' | 'financial' | 'critical' | 'standard' | 'dev'
+
+export interface Classification {
+  intent: Intent
+  difficulty: number // 0..1
+  stakes: Stakes
+  via: 'embed' | 'keyword' // how intent was decided (telemetry)
+}
+
+const EMBED_URL = (base: string) => base.replace(/\/v1\/?$/, '').replace(/\/+$/, '') + '/api/embeddings'
+
+/** Seed phrases per route — centroids are the mean of their embeddings. */
+const ROUTE_SEEDS: Record<Intent, string[]> = {
+  reasoning: [
+    'solve this math problem step by step', 'prove that the statement holds',
+    'what is the time complexity', 'derive the closed-form formula',
+    'solve this logic puzzle', 'crack this cipher / modular arithmetic',
+  ],
+  code: [
+    'write a function that', 'implement this feature', 'refactor this code',
+    'add a unit test for', 'fix the bug in this code',
+  ],
+  tools: [
+    'run the command', 'edit the file', 'deploy the service', 'list the files',
+    'grep the codebase for', 'execute and show the output',
+  ],
+  chat: [
+    'hello', 'what do you think about', 'explain this briefly',
+    'summarize this', 'give me a quick answer',
+  ],
+  ops_security: [
+    'run a penetration test', 'find the vulnerability', 'audit this for security',
+    'harden this configuration', 'scan the target host',
+  ],
+}
+
+const KEYWORDS: Record<Intent, RegExp> = {
+  ops_security: /\b(pentest|exploit|vuln|cve|nmap|payload|recon|harden|audit|red.?team|owasp)\b/i,
+  reasoning: /\b(prove|theorem|complexity|derive|calculate|compute|equation|algorithm|puzzle|cipher|optimal)\b/i,
+  code: /\b(function|refactor|implement|class|compile|unit test|bug|stack trace|typescript|python)\b/i,
+  tools: /\b(run|execute|deploy|grep|edit|read the file|list files|install|git )\b/i,
+  chat: /.*/, // fallback
+}
+
+const STAKES_RULES: [Stakes, RegExp][] = [
+  // NOTE: pentest/exploit are our DOMAIN, not "stakes" — they must stay local
+  // (privacy-first). Only genuinely sensitive/irreversible ops escalate.
+  ['security', /\b(production|prod\b|credential|secret|api.?key|ssh|rm -rf|drop table|sudo)\b/i],
+  ['financial', /\b(payment|invoice|billing|refund|bank|wire|salary|price|charge|stripe|paddle)\b/i],
+  ['critical', /\b(migration|database|deploy to prod|delete|irreversible|legal|contract)\b/i],
+]
+
+function lastUser(messages: BrainMessage[]): string {
+  for (let i = messages.length - 1; i >= 0; i--) if (messages[i].role === 'user') return messages[i].content
+  return messages.length ? messages[messages.length - 1].content : ''
+}
+
+async function embed(base: string, text: string, signal?: AbortSignal): Promise<number[] | null> {
+  try {
+    const res = await fetch(EMBED_URL(base), {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ model: process.env.DRAGON_ROUTER_EMBED || 'nomic-embed-text', prompt: text }),
+      signal,
+    })
+    if (!res.ok) return null
+    const data = (await res.json()) as { embedding?: number[] }
+    return Array.isArray(data.embedding) && data.embedding.length ? data.embedding : null
+  } catch {
+    return null
+  }
+}
+
+function cosine(a: number[], b: number[]): number {
+  let dot = 0, na = 0, nb = 0
+  for (let i = 0; i < a.length; i++) { dot += a[i] * b[i]; na += a[i] * a[i]; nb += b[i] * b[i] }
+  return dot / (Math.sqrt(na) * Math.sqrt(nb) + 1e-9)
+}
+
+// Route centroids are computed once and cached. If embeddings are unavailable
+// (e.g. Ollama still starting), we keep CENTROIDS null and RETRY after a cooldown
+// rather than disabling semantic routing for the whole process lifetime.
+let CENTROIDS: Record<Intent, number[]> | null = null
+let centroidsNextRetry = 0
+
+async function ensureCentroids(base: string, signal?: AbortSignal): Promise<Record<Intent, number[]> | null> {
+  if (CENTROIDS) return CENTROIDS
+  if (Date.now() < centroidsNextRetry) return null
+  centroidsNextRetry = Date.now() + 30_000 // don't hammer a down Ollama
+  const out = {} as Record<Intent, number[]>
+  for (const intent of Object.keys(ROUTE_SEEDS) as Intent[]) {
+    const vecs: number[][] = []
+    for (const phrase of ROUTE_SEEDS[intent]) {
+      const v = await embed(base, phrase, signal)
+      if (v) vecs.push(v)
+    }
+    if (!vecs.length) return null // embeddings unavailable → keyword fallback, retry later
+    const dim = vecs[0].length
+    const mean = new Array(dim).fill(0)
+    for (const v of vecs) for (let i = 0; i < dim; i++) mean[i] += v[i] / vecs.length
+    out[intent] = mean
+  }
+  return (CENTROIDS = out)
+}
+
+function keywordIntent(text: string): Intent {
+  for (const intent of ['ops_security', 'reasoning', 'code', 'tools'] as Intent[]) {
+    if (KEYWORDS[intent].test(text)) return intent
+  }
+  return 'chat'
+}
+
+function scoreDifficulty(text: string, toolCount: number): number {
+  const len = text.length
+  let d = Math.min(len / 1600, 0.5) // length signal, capped at 0.5
+  if (/\b(step by step|prove|derive|complex|multi-step|optimi[sz]e|edge case|why)\b/i.test(text)) d += 0.2
+  if ((text.match(/\?/g) || []).length >= 2) d += 0.1 // multiple questions
+  if (/```|\bfunction\b|\bclass\b/.test(text)) d += 0.1 // code present
+  d += Math.min(toolCount / 40, 0.15) // many tools = harder orchestration
+  return Math.max(0, Math.min(1, d))
+}
+
+function classifyStakes(text: string): Stakes {
+  for (const [tier, re] of STAKES_RULES) if (re.test(text)) return tier
+  return 'standard'
+}
+
+export async function classify(
+  base: string,
+  messages: BrainMessage[],
+  toolCount: number,
+  signal?: AbortSignal,
+): Promise<Classification> {
+  const text = lastUser(messages)
+  const stakes = classifyStakes(text)
+  const difficulty = scoreDifficulty(text, toolCount)
+
+  const centroids = await ensureCentroids(base, signal)
+  if (centroids) {
+    const v = await embed(base, text, signal)
+    if (v) {
+      let best: Intent = 'chat', bestScore = -Infinity
+      for (const intent of Object.keys(centroids) as Intent[]) {
+        const s = cosine(v, centroids[intent])
+        if (s > bestScore) { bestScore = s; best = intent }
+      }
+      return { intent: best, difficulty, stakes, via: 'embed' }
+    }
+  }
+  return { intent: keywordIntent(text), difficulty, stakes, via: 'keyword' }
+}

package/src/brain/router/execute.ts

@@ -0,0 +1,80 @@
+/**
+ * Execution-based verification (ROUTER-BLUEPRINT.md §2) — the highest-value reward
+ * for code/security work: actually RUN the candidate and use pass/fail as the signal.
+ *
+ * SECURITY-FIRST (this is a security company): auto-running model-generated code is
+ * dangerous, so it is OFF by default and only ever runs:
+ *   - when DRAGON_VERIFY_EXEC=1 is explicitly set,
+ *   - inside a bwrap sandbox with NO network, a tmpfs, and a read-only /usr,
+ *   - for python3 / node ONLY (never bash/sh),
+ *   - under a hard timeout.
+ * If bwrap is missing we REFUSE to execute (fail closed).
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import { spawnSync, execSync } from 'node:child_process'
+import { mkdtempSync, writeFileSync, rmSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+
+export interface ExecResult {
+  ran: boolean
+  ok?: boolean
+  lang?: string
+  output?: string
+  reason?: string // why it didn't run
+}
+
+const LANGS: Record<string, { file: string; cmd: string }> = {
+  python: { file: 'snippet.py', cmd: 'python3' },
+  py: { file: 'snippet.py', cmd: 'python3' },
+  javascript: { file: 'snippet.js', cmd: 'node' },
+  js: { file: 'snippet.js', cmd: 'node' },
+  node: { file: 'snippet.js', cmd: 'node' },
+}
+
+function hasBwrap(): boolean {
+  try { execSync('command -v bwrap', { stdio: 'ignore' }); return true } catch { return false }
+}
+
+/** Pull the last fenced code block + its language. */
+function lastCodeBlock(text: string): { lang: string; code: string } | null {
+  const blocks = [...text.matchAll(/```([a-zA-Z0-9]*)\n([\s\S]*?)```/g)]
+  if (!blocks.length) return null
+  const b = blocks[blocks.length - 1]
+  return { lang: (b[1] || '').toLowerCase(), code: b[2] }
+}
+
+export async function executeVerify(text: string, _signal?: AbortSignal): Promise<ExecResult | null> {
+  if (process.env.DRAGON_VERIFY_EXEC !== '1') return null // off by default
+  const block = lastCodeBlock(text)
+  if (!block) return null
+  const spec = LANGS[block.lang]
+  if (!spec) return { ran: false, reason: `unsupported lang '${block.lang}' (only python/node auto-run)` }
+  if (!hasBwrap()) return { ran: false, reason: 'no bwrap sandbox — refusing to execute (fail-closed)' }
+
+  const dir = mkdtempSync(join(tmpdir(), 'dragon-verify-'))
+  try {
+    writeFileSync(join(dir, spec.file), block.code, { mode: 0o600 })
+    const args = [
+      '--unshare-all', '--die-with-parent',
+      '--cap-drop', 'ALL', '--new-session', // drop all caps + no controlling tty (defense-in-depth)
+      '--ro-bind', '/usr', '/usr',
+      '--ro-bind', '/lib', '/lib', '--ro-bind', '/lib64', '/lib64',
+      '--proc', '/proc', '--dev', '/dev',
+      '--tmpfs', '/tmp',
+      '--bind', dir, '/work', '--chdir', '/work',
+      '--setenv', 'HOME', '/work', '--setenv', 'PATH', '/usr/bin:/bin',
+      spec.cmd, join('/work', spec.file),
+    ]
+    const r = spawnSync('bwrap', args, { timeout: 8000, encoding: 'utf-8', maxBuffer: 1 << 20 })
+    if (r.error) return { ran: false, lang: block.lang, reason: String(r.error.message || r.error) }
+    const output = ((r.stdout || '') + (r.stderr || '')).slice(0, 2000)
+    return { ran: true, ok: r.status === 0, lang: block.lang, output }
+  } catch (e) {
+    return { ran: false, lang: block.lang, reason: (e as Error).message }
+  } finally {
+    try { rmSync(dir, { recursive: true, force: true }) } catch { /* best-effort */ }
+  }
+}