ghost-dragon 4.2.1

package/dist/agent.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Client for the Dragon assistant — account.ghosts.lk `POST /api/v1/agent`.
+ *
+ * The endpoint runs a server-side tool-calling loop, then streams the answer as
+ * SSE. Two frame kinds arrive on the `data:` channel:
+ *   - `{"tools":[{"name","ok"}]}`  — once, up front, if tools ran (→ onTools)
+ *   - `{"response":"…"}`           — token deltas of the natural-language answer
+ *   - `[DONE]`                     — terminator
+ *
+ * Tools execute server-side and role-gated; the client only DISPLAYS which ran.
+ * Request body is `{ messages:[{role,content}], surface }` — the server keeps
+ * only user/assistant turns and prepends its own system prompt + memory.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+export interface AgentMsg {
+    role: 'user' | 'assistant';
+    content: string;
+}
+export interface ToolChip {
+    name: string;
+    ok: boolean;
+}
+/** Surfaces the server understands — they scope the tool set + system context. */
+export declare const SURFACES: readonly ["dashboard", "admin", "chat", "activity", "marketing"];
+export type Surface = (typeof SURFACES)[number];
+export type AgentErrorKind = 'unauthenticated' | 'quota' | 'unavailable' | 'http' | 'network';
+export declare class AgentError extends Error {
+    kind: AgentErrorKind;
+    detail?: unknown | undefined;
+    constructor(kind: AgentErrorKind, message: string, detail?: unknown | undefined);
+}
+export interface StreamAgentOpts {
+    messages: AgentMsg[];
+    surface: string;
+    onDelta: (s: string) => void;
+    onTools?: (tools: ToolChip[]) => void;
+    signal?: AbortSignal;
+}
+/**
+ * Stream one assistant turn. Emits tool chips (if any) then token deltas, and
+ * returns the assembled answer when `[DONE]` arrives. Throws AgentError on
+ * 401 (unauthenticated), 429 (quota), 502 (model down), or transport failure.
+ */
+export declare function streamAgent(opts: StreamAgentOpts): Promise<string>;
+//# sourceMappingURL=agent.d.ts.map

package/dist/agent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../src/agent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,MAAM,WAAW,QAAQ;IAAG,IAAI,EAAE,MAAM,GAAG,WAAW,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE;AACzE,MAAM,WAAW,QAAQ;IAAG,IAAI,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,OAAO,CAAA;CAAE;AAEvD,kFAAkF;AAClF,eAAO,MAAM,QAAQ,kEAAmE,CAAA;AACxF,MAAM,MAAM,OAAO,GAAG,CAAC,OAAO,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAA;AAE/C,MAAM,MAAM,cAAc,GAAG,iBAAiB,GAAG,OAAO,GAAG,aAAa,GAAG,MAAM,GAAG,SAAS,CAAA;AAE7F,qBAAa,UAAW,SAAQ,KAAK;IAChB,IAAI,EAAE,cAAc;IAA0B,MAAM,CAAC,EAAE,OAAO;gBAA9D,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,EAAS,MAAM,CAAC,EAAE,OAAO,YAAA;CAIlF;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,QAAQ,EAAE,CAAA;IACpB,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,IAAI,CAAA;IAC5B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,IAAI,CAAA;IACrC,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAkExE"}

package/dist/agent.js

@@ -0,0 +1,103 @@
+/**
+ * Client for the Dragon assistant — account.ghosts.lk `POST /api/v1/agent`.
+ *
+ * The endpoint runs a server-side tool-calling loop, then streams the answer as
+ * SSE. Two frame kinds arrive on the `data:` channel:
+ *   - `{"tools":[{"name","ok"}]}`  — once, up front, if tools ran (→ onTools)
+ *   - `{"response":"…"}`           — token deltas of the natural-language answer
+ *   - `[DONE]`                     — terminator
+ *
+ * Tools execute server-side and role-gated; the client only DISPLAYS which ran.
+ * Request body is `{ messages:[{role,content}], surface }` — the server keeps
+ * only user/assistant turns and prepends its own system prompt + memory.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import { resolveAuth } from './auth.js';
+/** Surfaces the server understands — they scope the tool set + system context. */
+export const SURFACES = ['dashboard', 'admin', 'chat', 'activity', 'marketing'];
+export class AgentError extends Error {
+    kind;
+    detail;
+    constructor(kind, message, detail) {
+        super(message);
+        this.kind = kind;
+        this.detail = detail;
+        this.name = 'AgentError';
+    }
+}
+/**
+ * Stream one assistant turn. Emits tool chips (if any) then token deltas, and
+ * returns the assembled answer when `[DONE]` arrives. Throws AgentError on
+ * 401 (unauthenticated), 429 (quota), 502 (model down), or transport failure.
+ */
+export async function streamAgent(opts) {
+    const { apiBase, headers, mode } = resolveAuth();
+    let res;
+    try {
+        res = await fetch(`${apiBase}/api/v1/agent`, {
+            method: 'POST',
+            headers: { 'content-type': 'application/json', ...headers },
+            body: JSON.stringify({ messages: opts.messages, surface: opts.surface }),
+            signal: opts.signal,
+        });
+    }
+    catch (e) {
+        if (e?.name === 'AbortError')
+            throw e;
+        throw new AgentError('network', `cannot reach ${apiBase}: ${String(e instanceof Error ? e.message : e)}`);
+    }
+    if (res.status === 401) {
+        const b = (await res.json().catch(() => ({})));
+        const hint = mode === 'none'
+            ? 'no credentials configured — run `dragon login`'
+            : 'your session is invalid or expired — run `dragon login` again';
+        throw new AgentError('unauthenticated', hint, b);
+    }
+    if (res.status === 429) {
+        const b = (await res.json().catch(() => ({})));
+        const reset = b.reset_at ? new Date(b.reset_at).toLocaleString() : '—';
+        throw new AgentError('quota', `daily quota reached (${b.used ?? '?'} / ${b.cap ?? '?'} tokens). Resets ${reset}.`, b);
+    }
+    if (res.status === 502) {
+        throw new AgentError('unavailable', 'the model is momentarily unavailable — try again in a moment.');
+    }
+    if (!res.ok || !res.body) {
+        const t = await res.text().catch(() => res.statusText);
+        throw new AgentError('http', `HTTP ${res.status}: ${t}`);
+    }
+    const reader = res.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = '';
+    let assembled = '';
+    for (;;) {
+        const { value, done } = await reader.read();
+        if (done)
+            break;
+        buffer += decoder.decode(value, { stream: true });
+        const lines = buffer.split('\n');
+        buffer = lines.pop() ?? ''; // hold the partial trailing line
+        for (const line of lines) {
+            if (!line.startsWith('data: '))
+                continue;
+            const data = line.slice(6);
+            if (data === '[DONE]')
+                return assembled;
+            try {
+                const obj = JSON.parse(data);
+                if (Array.isArray(obj.tools)) {
+                    opts.onTools?.(obj.tools.map((t) => ({ name: String(t.name), ok: t.ok !== false })));
+                }
+                else if (typeof obj.response === 'string' && obj.response) {
+                    assembled += obj.response;
+                    opts.onDelta(obj.response);
+                }
+            }
+            catch {
+                /* skip a malformed frame */
+            }
+        }
+    }
+    return assembled;
+}
+//# sourceMappingURL=agent.js.map

package/dist/auth.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Auth for the Dragon assistant (account.ghosts.lk /api/v1/agent).
+ *
+ * The assistant is account-scoped: it answers AS the signed-in user and gates
+ * its tools by role. The browser authenticates with the `gp_session` HttpOnly
+ * cookie minted by Google/GitHub OAuth. A CLI has no browser, so we support two
+ * credential carriers, in priority order:
+ *
+ *   1. Bearer token  — `DRAGON_TOKEN` env or `auth.token` in config. The primary
+ *      path: a 90-day personal access token (`dgn_…`) minted by `dragon login`'s
+ *      browser device-code flow. Backend is live on account.ghosts.lk.
+ *   2. Session cookie — `DRAGON_SESSION` env or `auth.session` in config. The
+ *      `gp_session` value copied from a signed-in browser. The `--paste` fallback
+ *      for headless boxes where the device flow can't open a browser.
+ *
+ * Resolution is env-first so a shell can override the stored credential without
+ * touching the config file.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import { type DragonConfig } from './config.js';
+export declare const DEFAULT_API = "https://account.ghosts.lk";
+/** True if `raw` is a URL a browser will actually open: http(s), a sane port, and
+ *  https for any non-loopback host (no plaintext auth over the network). */
+export declare function isBrowsableHttpUrl(raw: string): boolean;
+/** A trustworthy assistant origin, self-healing: a malformed/restricted-port value
+ *  (e.g. a stale config) silently falls back to the default instead of breaking login. */
+export declare function sanitizeApiBase(raw?: string): string;
+export type AuthMode = 'token' | 'session' | 'none';
+export interface ResolvedAuth {
+    apiBase: string;
+    headers: Record<string, string>;
+    mode: AuthMode;
+    email?: string;
+}
+/** Credential values become HTTP header content — accept only printable, space-free
+ *  ASCII so a CR/LF or control char can't smuggle extra headers. */
+export declare function validCred(v?: string): string | undefined;
+/** The credential-bearing env vars auth reads — extracted so the precedence
+ *  logic is unit-testable without a real shell, config file, or second machine. */
+export interface AuthEnv {
+    DRAGON_API?: string;
+    DRAGON_TOKEN?: string;
+    DRAGON_SESSION?: string;
+}
+/**
+ * Pure auth resolution: env-first, then config, behind the cred-injection
+ * (`validCred`) and restricted-origin (`sanitizeApiBase`) guards. Token beats
+ * session beats none. `resolveAuth()` is just this fed the real env + config —
+ * keeping the decision logic deterministic and machine-independent for tests.
+ */
+export declare function resolveAuthFrom(env: AuthEnv, cfg: DragonConfig): ResolvedAuth;
+/** Resolve the assistant origin + credential headers from env then config. */
+export declare function resolveAuth(): ResolvedAuth;
+/** Merge a patch into config.auth and persist. */
+export declare function saveAuth(patch: Partial<NonNullable<DragonConfig['auth']>>): void;
+/** Forget all stored credentials (keeps a custom apiBase if set). */
+export declare function clearAuth(): void;
+export interface WhoAmI {
+    ok: boolean;
+    status: number;
+    email?: string;
+    error?: string;
+}
+/**
+ * Validate the current (or a supplied) credential against the cheap authed
+ * endpoint `GET /api/v1/me/licenses` — no LLM cost. Returns the identity email
+ * on success so the caller can confirm + store who we signed in as.
+ */
+export declare function whoami(override?: {
+    headers?: Record<string, string>;
+    apiBase?: string;
+}): Promise<WhoAmI>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAA0B,KAAK,YAAY,EAAE,MAAM,aAAa,CAAA;AAEvE,eAAO,MAAM,WAAW,8BAA8B,CAAA;AAYtD;4EAC4E;AAC5E,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAQvD;AAED;0FAC0F;AAC1F,wBAAgB,eAAe,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAGpD;AAED,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,CAAA;AAEnD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC/B,IAAI,EAAE,QAAQ,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;oEACoE;AACpE,wBAAgB,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAExD;AAED;mFACmF;AACnF,MAAM,WAAW,OAAO;IACtB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,GAAG,YAAY,CAQ7E;AAED,8EAA8E;AAC9E,wBAAgB,WAAW,IAAI,YAAY,CAE1C;AAED,kDAAkD;AAClD,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,WAAW,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAIhF;AAED,qEAAqE;AACrE,wBAAgB,SAAS,IAAI,IAAI,CAKhC;AAED,MAAM,WAAW,MAAM;IAAG,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE;AAEvF;;;;GAIG;AACH,wBAAsB,MAAM,CAAC,QAAQ,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAY/G"}

package/dist/auth.js

@@ -0,0 +1,116 @@
+/**
+ * Auth for the Dragon assistant (account.ghosts.lk /api/v1/agent).
+ *
+ * The assistant is account-scoped: it answers AS the signed-in user and gates
+ * its tools by role. The browser authenticates with the `gp_session` HttpOnly
+ * cookie minted by Google/GitHub OAuth. A CLI has no browser, so we support two
+ * credential carriers, in priority order:
+ *
+ *   1. Bearer token  — `DRAGON_TOKEN` env or `auth.token` in config. The primary
+ *      path: a 90-day personal access token (`dgn_…`) minted by `dragon login`'s
+ *      browser device-code flow. Backend is live on account.ghosts.lk.
+ *   2. Session cookie — `DRAGON_SESSION` env or `auth.session` in config. The
+ *      `gp_session` value copied from a signed-in browser. The `--paste` fallback
+ *      for headless boxes where the device flow can't open a browser.
+ *
+ * Resolution is env-first so a shell can override the stored credential without
+ * touching the config file.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import { loadConfig, saveConfig } from './config.js';
+export const DEFAULT_API = 'https://account.ghosts.lk';
+// Ports browsers refuse to open (ERR_UNSAFE_PORT / "this address is restricted").
+// We guard against ever handing one of these to a browser or using it as an origin.
+const RESTRICTED_PORTS = new Set([
+    1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 69, 77, 79, 87, 95,
+    101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 137, 139, 143, 161,
+    179, 389, 427, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 548, 554, 556, 563,
+    587, 601, 636, 989, 990, 993, 995, 1719, 1720, 1723, 2049, 3659, 4045, 5060, 5061,
+    6000, 6566, 6665, 6666, 6667, 6668, 6669, 6697, 10080,
+]);
+/** True if `raw` is a URL a browser will actually open: http(s), a sane port, and
+ *  https for any non-loopback host (no plaintext auth over the network). */
+export function isBrowsableHttpUrl(raw) {
+    let u;
+    try {
+        u = new URL(raw);
+    }
+    catch {
+        return false;
+    }
+    if (u.protocol !== 'http:' && u.protocol !== 'https:')
+        return false;
+    const isLocal = u.hostname === 'localhost' || u.hostname === '127.0.0.1' || u.hostname === '::1';
+    if (!isLocal && u.protocol !== 'https:')
+        return false;
+    const port = u.port ? Number(u.port) : u.protocol === 'https:' ? 443 : 80;
+    return !RESTRICTED_PORTS.has(port);
+}
+/** A trustworthy assistant origin, self-healing: a malformed/restricted-port value
+ *  (e.g. a stale config) silently falls back to the default instead of breaking login. */
+export function sanitizeApiBase(raw) {
+    const trimmed = (raw ?? '').replace(/\/+$/, '');
+    return trimmed && isBrowsableHttpUrl(trimmed) ? trimmed : DEFAULT_API;
+}
+/** Credential values become HTTP header content — accept only printable, space-free
+ *  ASCII so a CR/LF or control char can't smuggle extra headers. */
+export function validCred(v) {
+    return v && /^[\x21-\x7e]+$/.test(v) ? v : undefined;
+}
+/**
+ * Pure auth resolution: env-first, then config, behind the cred-injection
+ * (`validCred`) and restricted-origin (`sanitizeApiBase`) guards. Token beats
+ * session beats none. `resolveAuth()` is just this fed the real env + config —
+ * keeping the decision logic deterministic and machine-independent for tests.
+ */
+export function resolveAuthFrom(env, cfg) {
+    const apiBase = sanitizeApiBase(env.DRAGON_API || cfg.auth?.apiBase);
+    const token = validCred(env.DRAGON_TOKEN || cfg.auth?.token);
+    const session = validCred(env.DRAGON_SESSION || cfg.auth?.session);
+    const email = cfg.auth?.email;
+    if (token)
+        return { apiBase, headers: { authorization: `Bearer ${token}` }, mode: 'token', email };
+    if (session)
+        return { apiBase, headers: { cookie: `gp_session=${session}` }, mode: 'session', email };
+    return { apiBase, headers: {}, mode: 'none', email };
+}
+/** Resolve the assistant origin + credential headers from env then config. */
+export function resolveAuth() {
+    return resolveAuthFrom(process.env, loadConfig());
+}
+/** Merge a patch into config.auth and persist. */
+export function saveAuth(patch) {
+    const cfg = loadConfig();
+    cfg.auth = { ...(cfg.auth ?? {}), ...patch };
+    saveConfig(cfg);
+}
+/** Forget all stored credentials (keeps a custom apiBase if set). */
+export function clearAuth() {
+    const cfg = loadConfig();
+    const apiBase = cfg.auth?.apiBase;
+    cfg.auth = apiBase ? { apiBase } : {};
+    saveConfig(cfg);
+}
+/**
+ * Validate the current (or a supplied) credential against the cheap authed
+ * endpoint `GET /api/v1/me/licenses` — no LLM cost. Returns the identity email
+ * on success so the caller can confirm + store who we signed in as.
+ */
+export async function whoami(override) {
+    const base = override?.apiBase ?? resolveAuth().apiBase;
+    const headers = override?.headers ?? resolveAuth().headers;
+    try {
+        const res = await fetch(`${base}/api/v1/me/licenses`, { headers });
+        if (res.status === 401)
+            return { ok: false, status: 401, error: 'not signed in' };
+        if (!res.ok)
+            return { ok: false, status: res.status, error: `HTTP ${res.status}` };
+        const body = (await res.json().catch(() => ({})));
+        return { ok: true, status: 200, email: body.account?.email };
+    }
+    catch (e) {
+        return { ok: false, status: 0, error: String(e instanceof Error ? e.message : e) };
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/brain/anthropic.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Claude brain — Anthropic Messages API via the official SDK. The default,
+ * "amazing at programming" path.
+ *
+ * Maps our normalized BrainMessage[] onto Anthropic's content-block format:
+ *   - assistant tool calls  → `tool_use`  blocks
+ *   - tool results          → `tool_result` blocks (folded into a user message;
+ *     consecutive tool messages are batched into one user turn, as the API wants)
+ * Streams `text` deltas and collects `tool_use` blocks from the final message.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import type { Brain } from './types.js';
+export declare const DEFAULT_CLAUDE_MODEL = "claude-sonnet-4-6";
+export declare function makeClaudeBrain(opts: {
+    apiKey: string;
+    model?: string;
+}): Brain;
+//# sourceMappingURL=anthropic.d.ts.map

package/dist/brain/anthropic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../src/brain/anthropic.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,KAAK,EAA+C,MAAM,YAAY,CAAA;AAEpF,eAAO,MAAM,oBAAoB,sBAAsB,CAAA;AAqCvD,wBAAgB,eAAe,CAAC,IAAI,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,KAAK,CA6B/E"}

package/dist/brain/anthropic.js

@@ -0,0 +1,74 @@
+/**
+ * Claude brain — Anthropic Messages API via the official SDK. The default,
+ * "amazing at programming" path.
+ *
+ * Maps our normalized BrainMessage[] onto Anthropic's content-block format:
+ *   - assistant tool calls  → `tool_use`  blocks
+ *   - tool results          → `tool_result` blocks (folded into a user message;
+ *     consecutive tool messages are batched into one user turn, as the API wants)
+ * Streams `text` deltas and collects `tool_use` blocks from the final message.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import Anthropic from '@anthropic-ai/sdk';
+export const DEFAULT_CLAUDE_MODEL = 'claude-sonnet-4-6';
+/** Fold our flat BrainMessage[] into Anthropic's role-batched content blocks. */
+function toAnthropic(messages) {
+    const out = [];
+    for (const m of messages) {
+        if (m.role === 'tool') {
+            const block = { type: 'tool_result', tool_use_id: m.toolCallId ?? '', content: m.content };
+            const last = out[out.length - 1];
+            if (last && last.role === 'user' && last.content.every((b) => b.type === 'tool_result'))
+                last.content.push(block);
+            else
+                out.push({ role: 'user', content: [block] });
+            continue;
+        }
+        if (m.role === 'assistant') {
+            const blocks = [];
+            if (m.content)
+                blocks.push({ type: 'text', text: m.content });
+            for (const tc of m.toolCalls ?? [])
+                blocks.push({ type: 'tool_use', id: tc.id, name: tc.name, input: tc.arguments });
+            out.push({ role: 'assistant', content: blocks.length ? blocks : [{ type: 'text', text: '' }] });
+            continue;
+        }
+        // user
+        out.push({ role: 'user', content: [{ type: 'text', text: m.content }] });
+    }
+    return out;
+}
+function toAnthropicTools(tools) {
+    return tools.map((t) => ({ name: t.name, description: t.description, input_schema: t.parameters }));
+}
+export function makeClaudeBrain(opts) {
+    const client = new Anthropic({ apiKey: opts.apiKey });
+    const model = opts.model || DEFAULT_CLAUDE_MODEL;
+    return {
+        id: 'claude',
+        model,
+        async turn(t) {
+            const stream = client.messages.stream({
+                model,
+                max_tokens: t.maxTokens ?? 8192,
+                system: t.system,
+                messages: toAnthropic(t.messages),
+                tools: t.tools.length ? toAnthropicTools(t.tools) : undefined,
+            }, { signal: t.signal });
+            if (t.onDelta)
+                stream.on('text', (delta) => t.onDelta(delta));
+            const final = await stream.finalMessage();
+            let text = '';
+            const toolCalls = [];
+            for (const block of final.content) {
+                if (block.type === 'text')
+                    text += block.text;
+                else if (block.type === 'tool_use')
+                    toolCalls.push({ id: block.id, name: block.name, arguments: (block.input ?? {}) });
+            }
+            return { text, toolCalls };
+        },
+    };
+}
+//# sourceMappingURL=anthropic.js.map

package/dist/brain/claude-cli.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Claude-CLI brain — drive the agent with the LOCAL `claude` CLI (Claude Code) in
+ * headless mode, reusing the operator's EXISTING Claude Code auth. No separate
+ * ANTHROPIC_API_KEY needed: if `--brain claude` has no API key but the `claude` binary
+ * is on PATH, the factory falls back here ("use this Claude").
+ *
+ * It runs `claude -p --output-format json` per turn, feeding the rendered conversation
+ * on stdin and asking for ONLY the next tool call(s) as a JSON array (EMBER's exact
+ * format) — so the same parser handles it AND the captured ~/.dragon/traces are
+ * Claude-quality decisions IN dragon-cli's contract: the gold distillation data for the
+ * next EMBER. Caveats: heavier than the API (spawns Claude Code per turn) and it bills
+ * the operator's Claude Code usage — fine for flywheel-filling, not low-latency chat.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import type { Brain } from './types.js';
+export declare function makeClaudeCliBrain(opts?: {
+    model?: string;
+}): Brain;
+//# sourceMappingURL=claude-cli.d.ts.map

package/dist/brain/claude-cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-cli.d.ts","sourceRoot":"","sources":["../../src/brain/claude-cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,KAAK,EAAE,KAAK,EAAqC,MAAM,YAAY,CAAA;AAwC1E,wBAAgB,kBAAkB,CAAC,IAAI,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,KAAK,CAoBnE"}

package/dist/brain/claude-cli.js

@@ -0,0 +1,79 @@
+/**
+ * Claude-CLI brain — drive the agent with the LOCAL `claude` CLI (Claude Code) in
+ * headless mode, reusing the operator's EXISTING Claude Code auth. No separate
+ * ANTHROPIC_API_KEY needed: if `--brain claude` has no API key but the `claude` binary
+ * is on PATH, the factory falls back here ("use this Claude").
+ *
+ * It runs `claude -p --output-format json` per turn, feeding the rendered conversation
+ * on stdin and asking for ONLY the next tool call(s) as a JSON array (EMBER's exact
+ * format) — so the same parser handles it AND the captured ~/.dragon/traces are
+ * Claude-quality decisions IN dragon-cli's contract: the gold distillation data for the
+ * next EMBER. Caveats: heavier than the API (spawns Claude Code per turn) and it bills
+ * the operator's Claude Code usage — fine for flywheel-filling, not low-latency chat.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import { spawn } from 'node:child_process';
+import { parseEmberToolCalls } from './ghost-ember.js';
+function render(system, messages, toolNames) {
+    const convo = messages.map((m) => {
+        if (m.role === 'tool')
+            return `[tool result: ${m.toolName ?? 'tool'}]\n${m.content}`.slice(0, 4000);
+        if (m.role === 'assistant')
+            return `[assistant] ${m.toolCalls?.length ? JSON.stringify(m.toolCalls.map((t) => ({ tool: t.name, arguments: t.arguments }))) : m.content}`;
+        return `[user] ${m.content}`;
+    }).join('\n\n');
+    return `${system}\n\n── CONVERSATION SO FAR ──\n${convo}\n\n── YOUR TASK ──\n` +
+        'You are the REASONING brain of an external agent — do NOT use your own tools or take any action yourself. ' +
+        'When you need the agent to act, respond with ONLY a JSON array of the next tool call(s), no prose:\n' +
+        '[{"tool":"<name>","arguments":{…}}]\n' +
+        'When you have enough to finish, respond with your final answer as PLAIN TEXT (no JSON array). ' +
+        `The agent's available tools are: ${toolNames.join(', ')}.`;
+}
+function runClaude(args, prompt, signal) {
+    return new Promise((resolve, reject) => {
+        const cp = spawn('claude', args, { stdio: ['pipe', 'pipe', 'ignore'], signal });
+        let out = '';
+        cp.stdout.on('data', (d) => { out += d; });
+        cp.on('error', reject);
+        cp.on('close', () => {
+            // --output-format json → either a single result object or a stream array;
+            // the assistant text lives in the `result` field of the type:'result' event.
+            try {
+                const parsed = JSON.parse(out);
+                if (Array.isArray(parsed)) {
+                    const res = parsed.find((e) => e && e.type === 'result');
+                    return resolve(typeof res?.result === 'string' ? res.result : '');
+                }
+                return resolve(typeof parsed?.result === 'string' ? parsed.result : out);
+            }
+            catch {
+                resolve(out);
+            }
+        });
+        cp.stdin.write(prompt);
+        cp.stdin.end();
+    });
+}
+export function makeClaudeCliBrain(opts) {
+    return {
+        id: 'claude',
+        model: opts?.model ? `${opts.model} (cli)` : 'claude-code (cli)',
+        async turn(t) {
+            // --model FIRST (so the variadic --disallowedTools below doesn't swallow it).
+            const args = ['-p', '--output-format', 'json'];
+            if (opts?.model)
+                args.push('--model', opts.model);
+            // Disable Claude Code's OWN acting tools so it can't do the work itself — it must
+            // route through dragon-cli (its decisions become EMBER's training traces) and only
+            // produce prose once dragon-cli feeds the results back. Variadic → keep LAST.
+            args.push('--disallowedTools', 'Bash', 'Edit', 'Write', 'Read', 'Grep', 'Glob', 'MultiEdit', 'NotebookEdit', 'Task', 'WebFetch', 'WebSearch');
+            const prompt = render(t.system, t.messages, t.tools.map((x) => x.name));
+            const text = await runClaude(args, prompt, t.signal);
+            const toolCalls = parseEmberToolCalls(text);
+            t.onDelta?.(toolCalls.length ? toolCalls.map((c) => `→ ${c.name}`).join('  ') : text);
+            return { text: toolCalls.length ? '' : text, toolCalls };
+        },
+    };
+}
+//# sourceMappingURL=claude-cli.js.map

package/dist/brain/ghost-ember.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Ghost / EMBER brain — Ghost Protocol's own local model (DragonSpark's EMBER,
+ * served by Ollama) as the agent's reasoning layer.
+ *
+ * EMBER is a small specialist FINE-TUNED to emit tool calls as a JSON array in the
+ * response TEXT — `[{"tool":"Bash","arguments":{…}}]` — NOT via the OpenAI native
+ * function-calling protocol. So this adapter, unlike the generic openai-compat brain:
+ *   1. does NOT send `tools`/`tool_choice` (EMBER ignores them); instead it appends a
+ *      terse output contract + the available tool names to the system prompt, matching
+ *      what EMBER was trained on (DragonSpark configs/fixtures/system_prompt.txt);
+ *   2. parses EMBER's JSON-array output back into the loop's normalized ToolCall shape.
+ *
+ * This format bridge is doubly important: it makes EMBER's calls EXECUTE in the loop
+ * AND makes the emitted ~/.dragon/traces training-grade (the flywheel that improves the
+ * next EMBER). Wyrm-RAG comes for free — dragon-cli already folds recalled project
+ * context into the system prompt (loop.ts buildSystemPrompt `primed`), so EMBER decides
+ * WITH memory, which is the whole "Wyrm is the brain" thesis.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import type { Brain, ToolCall } from './types.js';
+/** Pull EMBER's JSON tool array out of the response text (tolerant of stray prose). */
+export declare function parseEmberToolCalls(text: string): ToolCall[];
+export declare function makeGhostEmberBrain(opts: {
+    baseURL: string;
+    model: string;
+}): Brain;
+//# sourceMappingURL=ghost-ember.d.ts.map

package/dist/brain/ghost-ember.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ghost-ember.d.ts","sourceRoot":"","sources":["../../src/brain/ghost-ember.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAA2B,QAAQ,EAAY,MAAM,YAAY,CAAA;AAuBpF,uFAAuF;AACvF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,EAAE,CAc5D;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,KAAK,CAgCnF"}