ghost-dragon 4.2.1

package/src/brain/router/index.ts

@@ -0,0 +1,125 @@
+/**
+ * Ghost Router — the spine of the multi-model stack (ROUTER-BLUEPRINT.md §1).
+ *
+ * It IS a Brain, so the agent loop stays unchanged: every turn it classifies the
+ * request (intent × difficulty × stakes), selects the best {provider, model} for
+ * 8 GB, then DELEGATES to that underlying brain. The factory is injected as
+ * `resolve` to avoid a circular import with brain/index.ts.
+ *
+ * Each decision is appended to ~/.dragon/routing.jsonl (observability + the
+ * DragonSpark flywheel) and shown to the operator on stderr (silence with
+ * DRAGON_ROUTER_QUIET=1).
+ *
+ * MVP scope: single-hop selection over the resident Ollama models + Claude
+ * escalation. The reason→tool two-hop and llama-swap co-residency are later phases.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import { appendFileSync, mkdirSync } from 'node:fs'
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+import type { Brain, BrainTurn, TurnOpts } from '../types.js'
+import { classify } from './classify.js'
+import { selectTarget } from './select.js'
+import { verifyReasoning } from './verify.js'
+import { twoHop } from './two-hop.js'
+
+const ROUTE_LOG = process.env.DRAGON_ROUTING_LOG || join(homedir(), '.dragon', 'routing.jsonl')
+
+function logDecision(rec: Record<string, unknown>): void {
+  try {
+    mkdirSync(join(homedir(), '.dragon'), { recursive: true })
+    appendFileSync(ROUTE_LOG, JSON.stringify({ ts: new Date().toISOString(), ...rec }) + '\n')
+  } catch { /* best-effort */ }
+}
+
+function show(line: string): void {
+  if (process.env.DRAGON_ROUTER_QUIET === '1') return
+  try { process.stderr.write(`\x1b[2m⟐ ${line}\x1b[0m\n`) } catch { /* ignore */ }
+}
+
+export interface RouterOpts {
+  /** Factory injected by brain/index.ts to avoid a circular import. */
+  resolve: (provider: string, model?: string) => Brain
+  /** Ollama base (…/v1) used for embeddings + tags/ps lookups. */
+  localBaseURL: string
+}
+
+export function makeRouterBrain(opts: RouterOpts): Brain {
+  const cache = new Map<string, Brain>()
+  const get = (provider: string, model?: string): Brain => {
+    const safe = provider === 'router' ? 'local' : provider // never recurse
+    const key = `${safe}:${model ?? ''}`
+    let b = cache.get(key)
+    if (!b) { b = opts.resolve(safe, model); cache.set(key, b) }
+    return b
+  }
+
+  return {
+    id: 'router',
+    model: 'auto',
+    async turn(t: TurnOpts): Promise<BrainTurn> {
+      const hasTools = t.tools.length > 0
+      const c = await classify(opts.localBaseURL, t.messages, t.tools.length, t.signal)
+      const target = await selectTarget(c, hasTools, opts.localBaseURL, t.signal)
+
+      const label = `${target.provider}${target.model ? ':' + target.model : ''}`
+      const base = {
+        intent: c.intent, difficulty: c.difficulty, stakes: c.stakes, via: c.via,
+        hasTools, provider: target.provider, model: target.model ?? null,
+        swap: target.swap, penalty: target.penalty ?? 0, why: target.why,
+      }
+
+      // Reason→tool two-hop: the reasoner plans (no tools), the workhorse executes.
+      if (target.twoHop && target.provider === 'local' && target.model && target.reasoner) {
+        show(`router → two-hop: ${target.reasoner} plans → ${target.model} executes  [${c.intent}/${c.difficulty.toFixed(2)}/${c.stakes}]`)
+        try {
+          const { turn, planChars } = await twoHop(opts.localBaseURL, target.reasoner, target.model, t, get)
+          show(`  ↳ plan ${planChars} chars → ${turn.toolCalls.length} tool call(s)`)
+          logDecision({ ...base, twoHop: true, planChars, toolCalls: turn.toolCalls.length })
+          return turn
+        } catch (e) {
+          show(`  ↳ two-hop failed (${(e as Error).message}) — single call`)
+          // Log the failure so routing-memory accrues a penalty (a config where
+          // two-hop keeps failing — e.g. swap OOM/timeout — adaptively backs off).
+          logDecision({ ...base, twoHop: true, twoHopFailed: true })
+        }
+      }
+
+      // Verified hard-reasoning path: best-of-N + vote (+ optional execution check),
+      // then a CONFIDENCE CASCADE — escalate to Claude on low agreement / failed
+      // execution. A model with a bad routing-memory track record escalates sooner.
+      if (target.verify && target.provider === 'local' && target.model) {
+        const votes = Math.max(1, parseInt(process.env.DRAGON_ROUTER_VOTES || '3', 10) || 3)
+        show(`router → ${label} ×${votes} verified  [${c.intent}/${c.difficulty.toFixed(2)}/${c.stakes}]`)
+        try {
+          const { turn, meta } = await verifyReasoning(opts.localBaseURL, target.model, t, votes)
+          const execFail = !!(meta.exec?.ran && meta.exec.ok === false)
+          show(`  ↳ agreement ${meta.agreement ?? 'n/a'} (${meta.votes} votes${meta.exec?.ran ? `, exec ${meta.exec.ok ? 'pass' : 'fail'}` : ''})`)
+
+          const floor = parseFloat(process.env.DRAGON_ROUTER_ESCALATE_BELOW || '0.5') || 0.5
+          const threshold = Math.min(0.85, floor + (target.penalty ?? 0) * 0.3) // worse history → escalate sooner
+          const lowConf = meta.agreement != null && meta.agreement < threshold
+          if ((lowConf || execFail) && process.env.DRAGON_ROUTER_NO_ESCALATE !== '1') {
+            try {
+              const claude = get('claude')
+              show(`  ↳ ${execFail ? 'execution failed' : `low confidence (${meta.agreement} < ${threshold.toFixed(2)})`} → escalating to Claude`)
+              const esc = await claude.turn(t)
+              logDecision({ ...base, verify: meta, escalated: true, reason: execFail ? 'exec-fail' : 'low-agreement', threshold })
+              return esc
+            } catch { /* Claude unavailable → keep the verified local answer */ }
+          }
+          logDecision({ ...base, verify: meta, escalated: false })
+          return turn
+        } catch (e) {
+          show(`  ↳ verify failed (${(e as Error).message}) — single call`)
+        }
+      }
+
+      show(`router → ${label}  [${c.intent}/${c.difficulty.toFixed(2)}/${c.stakes}${target.swap ? ' · swap' : ''}]  ${target.why}`)
+      logDecision(base)
+      return get(target.provider, target.model).turn(t)
+    },
+  }
+}

package/src/brain/router/routing-memory.ts

@@ -0,0 +1,71 @@
+/**
+ * Routing-memory — negative learning over the router's own history
+ * (ROUTER-BLUEPRINT.md §3, dragon-cli-local MVP).
+ *
+ * The router already logs every decision (+ verify agreement + exec pass/fail +
+ * whether it escalated) to ~/.dragon/routing.jsonl. This reads that log and, per
+ * (intent, model), computes a PENALTY in [0..1]: how often that model needed help
+ * for that kind of task (low agreement, failed execution, or had to escalate). The
+ * selector uses it to demote chronically-failing models, and the cascade uses it to
+ * escalate sooner for a model with a bad track record.
+ *
+ * Local now; promotable to the Wyrm memory substrate (the wyrm-routing-rerank
+ * subsystem) — same signal, durable + cross-device.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import { readFileSync } from 'node:fs'
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+
+const LOG = process.env.DRAGON_ROUTING_LOG || join(homedir(), '.dragon', 'routing.jsonl')
+const MIN_SAMPLES = 3 // below this we have no opinion (penalty 0)
+const LOW_AGREEMENT = 0.5
+
+interface Stat { n: number; bad: number }
+type Stats = Record<string, Record<string, Stat>> // intent → model → stat
+
+let cache: { at: number; stats: Stats } | null = null
+
+function compute(): Stats {
+  const stats: Stats = {}
+  let raw: string
+  try { raw = readFileSync(LOG, 'utf-8') } catch { return stats }
+  for (const line of raw.split('\n')) {
+    if (!line.trim()) continue
+    let r: Record<string, any>
+    try { r = JSON.parse(line) } catch { continue }
+    const intent = r.intent, model = r.model
+    if (!intent || !model) continue
+    const v = r.verify || {}
+    const lowAgree = typeof v.agreement === 'number' && v.agreement < LOW_AGREEMENT
+    const execFail = v.exec && v.exec.ran && v.exec.ok === false
+    const escalated = r.escalated === true
+    const twoHopFailed = r.twoHopFailed === true
+    const bad = lowAgree || execFail || escalated || twoHopFailed
+    const byModel = (stats[intent] ||= {})
+    const s = (byModel[model] ||= { n: 0, bad: 0 })
+    s.n++
+    if (bad) s.bad++
+  }
+  return stats
+}
+
+function load(): Stats {
+  if (cache && Date.now() - cache.at < 30_000) return cache.stats
+  cache = { at: Date.now(), stats: compute() }
+  return cache.stats
+}
+
+/** 0 = no opinion / reliable; →1 = this model keeps needing help for this intent. */
+export function penalty(intent: string, model: string): number {
+  const s = load()[intent]?.[model]
+  if (!s || s.n < MIN_SAMPLES) return 0
+  return Math.max(0, Math.min(1, s.bad / s.n))
+}
+
+/** For telemetry / `dragon` introspection. */
+export function routingStats(): Stats {
+  return load()
+}

package/src/brain/router/select.ts

@@ -0,0 +1,156 @@
+/**
+ * Ghost Router selection policy — (intent × difficulty × stakes × hasTools) → a
+ * concrete {provider, model}, constrained by what's actually installed and what
+ * fits 8 GB.
+ *
+ * Roles (Ollama tags, all overridable via env/config):
+ *   workhorse (tool/agent turns) → mistral-nemo   (verified tool-caller)
+ *   reasoner  (hard, NO tools)   → vibethinker     (can't tool-call → only when tools=[])
+ *   cheap     (simple chat)      → qwen2.5:1.5b    (fast, tiny)
+ *   escalate  (high stakes / hard) → claude        (cloud, only if available)
+ *
+ * VRAM rule: only one big model fits at a time. When two candidates are equally
+ * acceptable, prefer the one already resident in Ollama (avoids a reload/“swap”).
+ * EMBER is intentionally NOT a default role yet — it earns its way in via the
+ * DragonSpark flywheel.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import { execSync } from 'node:child_process'
+import { loadConfig } from '../../config.js'
+import type { Classification } from './classify.js'
+import { penalty } from './routing-memory.js'
+
+export interface Target {
+  provider: string
+  model?: string
+  why: string
+  swap: boolean // chosen big model is not currently resident → a reload will occur
+  verify?: boolean // run the test-time-scaling verified path (best-of-N + vote)
+  penalty?: number // routing-memory: how unreliable this model has been for this intent (0..1)
+  twoHop?: boolean // hard tool turn → reasoner plans, then this model executes
+  reasoner?: string // the reasoner model for the two-hop plan step
+}
+
+const env = (k: string, d: string) => process.env[k] || d
+function roles() {
+  const c = loadConfig().brain as Record<string, string> | undefined
+  return {
+    workhorse: env('DRAGON_ROUTER_WORKHORSE', c?.routerWorkhorse || 'mistral-nemo'),
+    reasoner: env('DRAGON_ROUTER_REASONER', c?.routerReasoner || 'vibethinker'),
+    cheap: env('DRAGON_ROUTER_CHEAP', c?.routerCheap || 'qwen2.5:1.5b'),
+  }
+}
+
+const OLLAMA = (base: string) => base.replace(/\/v1\/?$/, '').replace(/\/+$/, '')
+
+let installedCache: { at: number; names: Set<string> } | null = null
+async function installed(base: string, signal?: AbortSignal): Promise<Set<string>> {
+  if (installedCache && Date.now() - installedCache.at < 60_000) return installedCache.names
+  try {
+    const res = await fetch(OLLAMA(base) + '/api/tags', { signal })
+    if (!res.ok) return new Set() // don't cache an error as "nothing installed"
+    const data = (await res.json()) as { models?: { name: string }[] }
+    const names = new Set((data.models || []).map((m) => m.name.replace(/:latest$/, '')))
+    installedCache = { at: Date.now(), names }
+    return names
+  } catch {
+    return new Set()
+  }
+}
+
+async function resident(base: string, signal?: AbortSignal): Promise<Set<string>> {
+  try {
+    const res = await fetch(OLLAMA(base) + '/api/ps', { signal })
+    if (!res.ok) return new Set()
+    const data = (await res.json()) as { models?: { name: string }[] }
+    return new Set((data.models || []).map((m) => m.name.replace(/:latest$/, '')))
+  } catch {
+    return new Set()
+  }
+}
+
+function claudeAvailable(): boolean {
+  const cfg = loadConfig()
+  if (process.env.ANTHROPIC_API_KEY || cfg.brain?.keys?.anthropic) return true
+  try { execSync('command -v claude', { stdio: 'ignore' }); return true } catch { return false }
+}
+
+const has = (set: Set<string>, name: string) => set.has(name) || set.has(name.replace(/:latest$/, ''))
+
+/** Decide where this turn goes. Pure policy + availability; never throws. */
+export async function selectTarget(
+  c: Classification,
+  hasTools: boolean,
+  base: string,
+  signal?: AbortSignal,
+): Promise<Target> {
+  const r = roles()
+  const have = await installed(base, signal)
+  const live = await resident(base, signal)
+  const local = (model: string, why: string): Target => ({
+    provider: 'local', model, why, swap: !has(live, model),
+  })
+
+  // 1) Stakes → escalate to Claude. PRIVACY-FIRST: this ships the turn to the cloud,
+  //    so it is OPT-IN (DRAGON_ROUTER_ESCALATE_STAKES=1) and NEVER fires for
+  //    security-sensitive content. `security` stakes (credentials, ssh, secrets,
+  //    prod, sudo) and any ops_security intent ALWAYS stay local — we never ship
+  //    secrets or target data off the box. Only financial/critical business-
+  //    irreversible decisions may escalate, and only when explicitly enabled.
+  //    (Low-confidence reasoning still escalates separately via the verify cascade.)
+  if (
+    process.env.DRAGON_ROUTER_ESCALATE_STAKES === '1' &&
+    (c.stakes === 'financial' || c.stakes === 'critical') &&
+    c.intent !== 'ops_security' &&
+    claudeAvailable()
+  ) {
+    return { provider: 'claude', why: `stakes=${c.stakes} → escalate to Claude (opt-in)`, swap: false }
+  }
+  // 2) Reasoning with NO tools in play → the reasoning specialist (that's exactly
+  //    what it's for; it can't tool-call, so only ever route here when tools=[]).
+  //    Opt into the verified (best-of-N) path with DRAGON_ROUTER_VERIFY=1.
+  if (!hasTools && c.intent === 'reasoning' && has(have, r.reasoner)) {
+    const t = local(r.reasoner, `reasoning, no tools → ${r.reasoner}`)
+    t.verify = process.env.DRAGON_ROUTER_VERIFY === '1'
+    t.penalty = penalty(c.intent, r.reasoner)
+    return t
+  }
+  // 3) Simple chat, no tools → the cheap/tiny model.
+  if (!hasTools && c.intent === 'chat' && c.difficulty < 0.35 && has(have, r.cheap)) {
+    return local(r.cheap, `simple chat → ${r.cheap}`)
+  }
+  // 4) Default workhorse for tool/agent turns (and everything else): the tool-caller.
+  //    Negative learning: if the workhorse has been unreliable for this intent and a
+  //    better-scoring installed alternative exists, demote to it.
+  //    Two-hop: a HARD tool turn first gets a plan from the reasoner (gated).
+  if (has(have, r.workhorse)) {
+    const wantTwoHop =
+      process.env.DRAGON_ROUTER_TWOHOP === '1' && hasTools && has(have, r.reasoner) &&
+      (c.difficulty >= 0.5 || c.intent === 'reasoning' || c.intent === 'ops_security')
+    const withHop = (t: Target): Target => {
+      if (wantTwoHop) { t.twoHop = true; t.reasoner = r.reasoner; t.why += ` (+two-hop via ${r.reasoner})` }
+      return t
+    }
+    const p = penalty(c.intent, r.workhorse)
+    if (p >= 0.7) {
+      const alt = [...have].find((m) => !/embed/.test(m) && m !== r.workhorse && m !== r.reasoner)
+      if (alt && penalty(c.intent, alt) < p) {
+        const t = local(alt, `routing-memory: ${r.workhorse} unreliable here (penalty ${p.toFixed(2)}) → ${alt}`)
+        t.penalty = penalty(c.intent, alt)
+        return withHop(t)
+      }
+    }
+    const t = local(r.workhorse, `${hasTools ? 'tool turn' : c.intent} → workhorse ${r.workhorse}`)
+    t.penalty = p
+    return withHop(t)
+  }
+  // 5) Workhorse missing → degrade: any resident big local model, else Claude, else cheap.
+  //    Exclude the reasoner (can't tool-call) so a tool turn never lands on it.
+  const usable = (m: string) => !/embed/.test(m) && m !== r.reasoner
+  const fallback = [...live].find(usable) || [...have].find(usable)
+  if (fallback) return local(fallback, `workhorse '${r.workhorse}' not installed → ${fallback}`)
+  if (claudeAvailable()) return { provider: 'claude', why: 'no local model available → Claude', swap: false }
+  return { provider: 'local', model: r.cheap, why: 'last-resort cheap local', swap: true }
+}

package/src/brain/router/two-hop.ts

@@ -0,0 +1,62 @@
+/**
+ * Reason→tool two-hop (ROUTER-BLUEPRINT.md §1).
+ *
+ * vibethinker reasons brilliantly but CANNOT tool-call; mistral-nemo tool-calls but
+ * reasons less deeply. For a HARD tool turn the router splits the work:
+ *   hop 1 — the reasoner produces a concrete PLAN (no tools), then
+ *   hop 2 — the tool model executes that plan with the real tools.
+ *
+ * On 8 GB this is sequential (the two models can't co-reside) — Ollama swaps them,
+ * so it's gated behind DRAGON_ROUTER_TWOHOP=1 and only fires on hard tool turns.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import type { Brain, BrainTurn, TurnOpts } from '../types.js'
+import { ollamaChat, toOllamaMessages } from './verify.js'
+
+const PLAN_SYSTEM =
+  '\n\n── PLAN-ONLY MODE ──\n' +
+  'You are the analyst. Read the user request and produce a brief, concrete, numbered ' +
+  'PLAN to accomplish it (which tools to use, in what order, and why). Do NOT call any ' +
+  'tools and do NOT write code blocks — output only the plan.'
+
+export interface TwoHopResult {
+  turn: BrainTurn
+  planChars: number
+}
+
+/**
+ * @param resolve  factory to build the executor brain (from router/index.ts)
+ */
+export async function twoHop(
+  localBaseURL: string,
+  reasonerModel: string,
+  workhorseModel: string,
+  t: TurnOpts,
+  resolve: (provider: string, model?: string) => Brain,
+): Promise<TwoHopResult> {
+  // hop 1 — reasoning/plan, no tools (so vibethinker never has to tool-call)
+  const plan = (await ollamaChat(
+    localBaseURL,
+    reasonerModel,
+    toOllamaMessages(t.system + PLAN_SYSTEM, t.messages),
+    0.4,
+    Math.min(t.maxTokens ?? 1024, 1024),
+    t.signal,
+  )).trim()
+
+  // hop 2 — execution with the real tools, plan injected as guidance.
+  // Clean the plan (drop stray code fences) and cap it so the executor ACTS on it
+  // rather than engaging with it as prose, plus a firm act-now directive.
+  const cleanPlan = plan.replace(/```[\s\S]*?```/g, '').replace(/```/g, '').trim().slice(0, 700)
+  const enriched = cleanPlan
+    ? t.system +
+      '\n\n── PLAN (from the analyst) ──\n' + cleanPlan +
+      '\n\nExecute this plan NOW by calling the appropriate tool. Do NOT restate or ' +
+      'explain the plan — issue the tool call.'
+    : t.system
+  const worker = resolve('local', workhorseModel)
+  const turn = await worker.turn({ ...t, system: enriched })
+  return { turn, planChars: cleanPlan.length }
+}

package/src/brain/router/verify.ts

@@ -0,0 +1,123 @@
+/**
+ * Verified hard-reasoning path (ROUTER-BLUEPRINT.md §2).
+ *
+ * Ollama exposes no logits, so confidence = ANSWER-AGREEMENT: sample the reasoner
+ * N times at spread temperatures, extract each final answer, and majority-vote.
+ * The agreement ratio is the router's confidence signal (→ later: escalate if low).
+ * For code/security candidates we additionally run EXECUTION-based verification
+ * (see execute.ts) and use pass/fail as a hard reward.
+ *
+ * optillm: if DRAGON_OPTILLM_URL is set we treat it as a drop-in OpenAI-compatible
+ * test-time-scaling proxy and let IT do the scaling in one call (you run optillm
+ * pointed at Ollama). Otherwise we do best-of-N here — self-contained, no extra
+ * service, which suits the 8 GB local-first box.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import type { BrainMessage, BrainTurn, TurnOpts } from '../types.js'
+import { executeVerify, type ExecResult } from './execute.js'
+
+export interface VerifyMeta {
+  via: 'self-consistency' | 'optillm'
+  votes: number
+  agreement: number | null // null when via=optillm (single call)
+  distribution?: Record<string, number>
+  exec?: ExecResult | null
+}
+
+const OLLAMA = (base: string) => base.replace(/\/v1\/?$/, '').replace(/\/+$/, '')
+
+export function toOllamaMessages(system: string, messages: BrainMessage[]) {
+  const out: { role: string; content: string }[] = [{ role: 'system', content: system }]
+  for (const m of messages) {
+    if (m.role === 'tool') out.push({ role: 'user', content: `[observed] ${m.toolName ?? 'tool'} → ${m.content}`.slice(0, 1200) })
+    else out.push({ role: m.role === 'assistant' ? 'assistant' : 'user', content: m.content })
+  }
+  return out
+}
+
+export async function ollamaChat(base: string, model: string, messages: unknown, temperature: number, maxTokens: number, signal?: AbortSignal): Promise<string> {
+  const res = await fetch(OLLAMA(base) + '/api/chat', {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ model, messages, stream: false, options: { temperature, top_p: 0.95, num_predict: maxTokens } }),
+    signal,
+  })
+  if (!res.ok) throw new Error(`reasoner HTTP ${res.status}`)
+  const data = (await res.json()) as { message?: { content?: string } }
+  return data.message?.content ?? ''
+}
+
+async function openaiChat(base: string, model: string, messages: unknown, temperature: number, maxTokens: number, signal?: AbortSignal): Promise<string> {
+  const res = await fetch(base.replace(/\/+$/, '') + '/chat/completions', {
+    method: 'POST',
+    headers: { 'content-type': 'application/json', authorization: 'Bearer optillm' },
+    body: JSON.stringify({ model, messages, temperature, top_p: 0.95, max_tokens: maxTokens, stream: false }),
+    signal,
+  })
+  if (!res.ok) throw new Error(`optillm HTTP ${res.status}`)
+  const data = (await res.json()) as { choices?: { message?: { content?: string } }[] }
+  return data.choices?.[0]?.message?.content ?? ''
+}
+
+export function extractAnswer(text: string): string | null {
+  const boxed = [...text.matchAll(/\\boxed\{([^}]*)\}/g)]
+  if (boxed.length) return boxed[boxed.length - 1][1].trim()
+  const ans = [...text.matchAll(/(?:final answer|answer)\s*(?:is|:|=)\s*([^\n.]+)/gi)]
+  if (ans.length) return ans[ans.length - 1][1].trim().replace(/\.$/, '')
+  const nums = text.match(/-?\d[\d,]*\.?\d*/g)
+  return nums ? nums[nums.length - 1].replace(/,/g, '') : null
+}
+
+const norm = (a: string | null) => (a || '').toLowerCase().replace(/\s+/g, '').replace(/\.$/, '')
+
+/** Run the reasoner with test-time scaling. Returns the chosen turn + how confident. */
+export async function verifyReasoning(
+  localBaseURL: string,
+  model: string,
+  t: TurnOpts,
+  votes: number,
+): Promise<{ turn: BrainTurn; meta: VerifyMeta }> {
+  const maxTokens = t.maxTokens ?? 2048
+  const messages = toOllamaMessages(t.system, t.messages)
+  const optillm = process.env.DRAGON_OPTILLM_URL
+
+  let chosen: string
+  let meta: VerifyMeta
+
+  if (optillm) {
+    chosen = await openaiChat(optillm, process.env.DRAGON_OPTILLM_MODEL || model, messages, 0.7, maxTokens, t.signal)
+    meta = { via: 'optillm', votes: 1, agreement: null }
+  } else {
+    const temps = [0.3, 0.6, 0.8, 1.0, 1.1, 0.5, 0.9].slice(0, Math.max(1, votes))
+    while (temps.length < votes) temps.push(0.7)
+    const samples: string[] = []
+    for (const temp of temps) {
+      try { samples.push(await ollamaChat(localBaseURL, model, messages, temp, maxTokens, t.signal)) }
+      catch { /* a failed sample just doesn't vote */ }
+    }
+    if (!samples.length) throw new Error('reasoner produced no samples')
+    const dist: Record<string, number> = {}
+    const byNorm: Record<string, string> = {} // normalized answer → a full sample text
+    for (const s of samples) {
+      const a = extractAnswer(s)
+      const key = norm(a)
+      if (!key) continue
+      dist[key] = (dist[key] || 0) + 1
+      if (!byNorm[key]) byNorm[key] = s
+    }
+    const winner = Object.entries(dist).sort((a, b) => b[1] - a[1])[0]
+    chosen = winner ? byNorm[winner[0]] : samples[0] // no extractable answer → first sample
+    meta = {
+      via: 'self-consistency', votes: samples.length,
+      agreement: winner ? winner[1] / samples.length : 0, distribution: dist,
+    }
+  }
+
+  // Execution-based verification for code/security candidates (opt-in + sandboxed).
+  meta.exec = await executeVerify(chosen, t.signal)
+
+  t.onDelta?.(chosen)
+  return { turn: { text: chosen, toolCalls: [] }, meta }
+}

package/src/brain/types.ts

@@ -0,0 +1,61 @@
+/**
+ * Brain abstraction — the reasoning layer behind the Dragon agent.
+ *
+ * A Brain runs ONE model turn: given the system prompt, the running message
+ * history, and the available tool specs, it streams text deltas and returns the
+ * assembled text plus any tool calls the model wants executed. The agent loop
+ * (src/agent/loop.ts) owns the loop; the Brain owns only "talk to the model".
+ *
+ * Tool calls are normalized to a single shape across providers so the loop is
+ * provider-agnostic — Anthropic content blocks and OpenAI `tool_calls` both map
+ * onto {id,name,arguments}.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+export interface ToolSpec {
+  name: string
+  description: string
+  /** JSON Schema for the arguments object. */
+  parameters: Record<string, unknown>
+}
+
+export interface ToolCall {
+  id: string
+  name: string
+  arguments: Record<string, unknown>
+}
+
+export type Role = 'user' | 'assistant' | 'tool'
+
+export interface BrainMessage {
+  role: Role
+  /** Natural-language text (assistant prose, user input, or a tool result string). */
+  content: string
+  /** Present on assistant turns that requested tools. */
+  toolCalls?: ToolCall[]
+  /** Present on role:'tool' — links the result to the assistant's call. */
+  toolCallId?: string
+  toolName?: string
+}
+
+export interface BrainTurn {
+  text: string
+  toolCalls: ToolCall[]
+}
+
+export interface TurnOpts {
+  system: string
+  messages: BrainMessage[]
+  tools: ToolSpec[]
+  onDelta?: (s: string) => void
+  signal?: AbortSignal
+  maxTokens?: number
+}
+
+export interface Brain {
+  /** provider id: 'claude' | 'openai' | 'local' */
+  id: string
+  model: string
+  turn(opts: TurnOpts): Promise<BrainTurn>
+}

package/src/brain/worker.ts

@@ -0,0 +1,72 @@
+/**
+ * Worker brain — Ghost Protocol's Cloudflare Workers AI (Llama 3.3 70B) as the
+ * agent's reasoning brain. The free, zero-key fallback: no API key, just
+ * `dragon login`. Tools still execute locally in the CLI; this only does
+ * inference, via POST /api/v1/cli/brain (one turn, non-streaming).
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+
+import { resolveAuth } from '../auth.js'
+import type { Brain, BrainTurn, TurnOpts } from './types.js'
+
+function safeParse(s: string): Record<string, unknown> {
+  try { return JSON.parse(s) } catch { return {} }
+}
+
+/** The raw JSON shape the /api/v1/cli/brain endpoint returns. */
+export interface WorkerResponse {
+  response?: string
+  tool_calls?: { name?: string; arguments?: unknown }[]
+}
+
+/**
+ * Normalize the Cloudflare brain's (Llama 3.3, fp8) raw JSON into a BrainTurn.
+ * Deliberately tolerant — the fp8 tool-caller is flaky: arguments arrive as a
+ * JSON string OR an object OR not at all, tool_calls can be nameless/garbage,
+ * and `response` can be missing. Every one of those degrades gracefully instead
+ * of throwing into the agent loop. (Pure → unit-tested in test/brain.test.ts.)
+ */
+export function normalizeWorkerTurn(data: WorkerResponse): BrainTurn {
+  const text = data.response ?? ''
+  const toolCalls = (data.tool_calls ?? [])
+    .filter((c) => c && c.name)
+    .map((c, i) => ({
+      id: `wc_${i}`,
+      name: String(c.name),
+      arguments: typeof c.arguments === 'string' ? safeParse(c.arguments) : ((c.arguments as Record<string, unknown>) ?? {}),
+    }))
+  return { text, toolCalls }
+}
+
+export function makeWorkerBrain(): Brain {
+  return {
+    id: 'worker',
+    model: 'cloudflare:llama-3.3-70b',
+    async turn(t: TurnOpts): Promise<BrainTurn> {
+      const { apiBase, headers, mode } = resolveAuth()
+      if (mode === 'none') throw new Error('the Cloudflare brain needs sign-in — run `dragon login` (or use `--brain local`).')
+
+      let res: Response
+      try {
+        res = await fetch(`${apiBase}/api/v1/cli/brain`, {
+          method: 'POST',
+          headers: { 'content-type': 'application/json', ...headers },
+          body: JSON.stringify({ system: t.system, messages: t.messages, tools: t.tools, max_tokens: t.maxTokens ?? 1024 }),
+          signal: t.signal,
+        })
+      } catch (e) {
+        if ((e as { name?: string })?.name === 'AbortError') throw e
+        throw new Error(`can't reach the Cloudflare brain at ${apiBase} — ${e instanceof Error ? e.message : String(e)}.`)
+      }
+
+      if (res.status === 401) throw new Error('not signed in — run `dragon login`.')
+      if (res.status === 429) throw new Error('daily quota reached on the Cloudflare brain — try tomorrow, or `--brain claude`/`--brain local`.')
+      if (!res.ok) throw new Error(`Cloudflare brain HTTP ${res.status}: ${(await res.text().catch(() => '')).slice(0, 200)}`)
+
+      const turn = normalizeWorkerTurn((await res.json()) as WorkerResponse)
+      if (turn.text && t.onDelta) t.onDelta(turn.text) // non-streaming endpoint → emit the whole answer once
+      return turn
+    },
+  }
+}