ghost-dragon 4.2.1

package/dist/brain/ghost-ember.js

@@ -0,0 +1,97 @@
+/**
+ * Ghost / EMBER brain — Ghost Protocol's own local model (DragonSpark's EMBER,
+ * served by Ollama) as the agent's reasoning layer.
+ *
+ * EMBER is a small specialist FINE-TUNED to emit tool calls as a JSON array in the
+ * response TEXT — `[{"tool":"Bash","arguments":{…}}]` — NOT via the OpenAI native
+ * function-calling protocol. So this adapter, unlike the generic openai-compat brain:
+ *   1. does NOT send `tools`/`tool_choice` (EMBER ignores them); instead it appends a
+ *      terse output contract + the available tool names to the system prompt, matching
+ *      what EMBER was trained on (DragonSpark configs/fixtures/system_prompt.txt);
+ *   2. parses EMBER's JSON-array output back into the loop's normalized ToolCall shape.
+ *
+ * This format bridge is doubly important: it makes EMBER's calls EXECUTE in the loop
+ * AND makes the emitted ~/.dragon/traces training-grade (the flywheel that improves the
+ * next EMBER). Wyrm-RAG comes for free — dragon-cli already folds recalled project
+ * context into the system prompt (loop.ts buildSystemPrompt `primed`), so EMBER decides
+ * WITH memory, which is the whole "Wyrm is the brain" thesis.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+const EMBER_CONTRACT = '\n\n── OUTPUT CONTRACT (EMBER) ──\n' +
+    'Respond with ONLY a JSON array of the tool call(s) to make, no prose:\n' +
+    '[{"tool":"<name>","arguments":{…}}]\n' +
+    'If the task is complete and no tool is needed, respond with [].';
+function oaiMessages(system, messages, toolNames) {
+    const sys = system + EMBER_CONTRACT + '\nAvailable tools: ' + toolNames.join(', ');
+    const out = [{ role: 'system', content: sys }];
+    for (const m of messages) {
+        if (m.role === 'tool') {
+            out.push({ role: 'user', content: `[observed] ${m.toolName ?? 'tool'} → ${m.content}`.slice(0, 1200) });
+        }
+        else if (m.role === 'assistant') {
+            out.push({ role: 'assistant', content: m.toolCalls?.length ? JSON.stringify(m.toolCalls.map((t) => ({ tool: t.name, arguments: t.arguments }))) : m.content });
+        }
+        else {
+            out.push({ role: 'user', content: m.content });
+        }
+    }
+    return out;
+}
+/** Pull EMBER's JSON tool array out of the response text (tolerant of stray prose). */
+export function parseEmberToolCalls(text) {
+    const m = text.match(/\[[\s\S]*\]/);
+    if (!m)
+        return [];
+    let arr;
+    try {
+        arr = JSON.parse(m[0]);
+    }
+    catch {
+        return [];
+    }
+    if (!Array.isArray(arr))
+        return [];
+    const calls = [];
+    arr.forEach((c, i) => {
+        if (c && typeof c === 'object' && typeof c.tool === 'string') {
+            const o = c;
+            calls.push({ id: `ember_${Date.now()}_${i}`, name: o.tool, arguments: o.arguments ?? {} });
+        }
+    });
+    return calls;
+}
+export function makeGhostEmberBrain(opts) {
+    const baseURL = opts.baseURL.replace(/\/+$/, '');
+    return {
+        id: 'ghost',
+        model: opts.model,
+        async turn(t) {
+            const toolNames = t.tools.map((tl) => tl.name);
+            const res = await fetch(`${baseURL}/chat/completions`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json', authorization: 'Bearer ghost' },
+                body: JSON.stringify({
+                    model: opts.model,
+                    messages: oaiMessages(t.system, t.messages, toolNames),
+                    temperature: 0.1,
+                    stream: false,
+                    max_tokens: t.maxTokens ?? 512,
+                }),
+                signal: t.signal,
+            });
+            if (!res.ok) {
+                const body = await res.text().catch(() => res.statusText);
+                throw new Error(`ghost(EMBER) brain HTTP ${res.status}: ${body.slice(0, 300)} — is Ollama serving '${opts.model}'? (dragon-spark serve)`);
+            }
+            const data = (await res.json());
+            const text = data.choices?.[0]?.message?.content ?? '';
+            const toolCalls = parseEmberToolCalls(text);
+            // EMBER emits JSON, not prose — surface a readable line for the operator/trace.
+            const display = toolCalls.length ? toolCalls.map((c) => `→ ${c.name}`).join('  ') : text;
+            t.onDelta?.(display);
+            return { text: toolCalls.length ? '' : text, toolCalls };
+        },
+    };
+}
+//# sourceMappingURL=ghost-ember.js.map

package/dist/brain/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Brain factory — resolves which model drives the agent, from (in priority)
+ * an explicit override → env → ~/.dragon/config.json → built-in default
+ * ('claude'). Keys come from env first, then config (`dragon config key …`).
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import type { Brain } from './types.js';
+export type { Brain, BrainMessage, ToolSpec, ToolCall, BrainTurn } from './types.js';
+export type Provider = 'claude' | 'openai' | 'local' | 'ghost' | 'worker' | 'custom' | 'router';
+export declare const PROVIDERS: Provider[];
+/** Missing/invalid key → thrown so commands can print a friendly fix. */
+export declare class BrainConfigError extends Error {
+    provider: Provider;
+    constructor(provider: Provider, message: string);
+}
+export declare function resolveProvider(override?: string): Provider;
+export declare function getBrain(opts?: {
+    provider?: string;
+    model?: string;
+}): Brain;
+//# sourceMappingURL=index.d.ts.map

package/dist/brain/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/brain/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAA;AAcvC,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAEpF,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAA;AAC/F,eAAO,MAAM,SAAS,EAAE,QAAQ,EAAyE,CAAA;AAEzG,yEAAyE;AACzE,qBAAa,gBAAiB,SAAQ,KAAK;IACtB,QAAQ,EAAE,QAAQ;gBAAlB,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM;CAIvD;AAED,wBAAgB,eAAe,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,QAAQ,CAI3D;AAED,wBAAgB,QAAQ,CAAC,IAAI,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,KAAK,CAuD5E"}

package/dist/brain/index.js

@@ -0,0 +1,95 @@
+/**
+ * Brain factory — resolves which model drives the agent, from (in priority)
+ * an explicit override → env → ~/.dragon/config.json → built-in default
+ * ('claude'). Keys come from env first, then config (`dragon config key …`).
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import { execSync } from 'node:child_process';
+import { loadConfig } from '../config.js';
+import { makeClaudeBrain, DEFAULT_CLAUDE_MODEL } from './anthropic.js';
+import { makeClaudeCliBrain } from './claude-cli.js';
+import { makeOpenAICompatBrain } from './openai-compat.js';
+import { makeGhostEmberBrain } from './ghost-ember.js';
+import { makeWorkerBrain } from './worker.js';
+import { makeRouterBrain } from './router/index.js';
+/** Is the local `claude` CLI (Claude Code) on PATH? Lets `--brain claude` reuse the
+ *  operator's existing Claude Code auth when no API key is configured. */
+function hasClaudeCli() {
+    try {
+        execSync('command -v claude', { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export const PROVIDERS = ['claude', 'worker', 'local', 'ghost', 'openai', 'custom', 'router'];
+/** Missing/invalid key → thrown so commands can print a friendly fix. */
+export class BrainConfigError extends Error {
+    provider;
+    constructor(provider, message) {
+        super(message);
+        this.provider = provider;
+        this.name = 'BrainConfigError';
+    }
+}
+export function resolveProvider(override) {
+    const cfg = loadConfig();
+    const want = (override || process.env.DRAGON_BRAIN || cfg.brain?.provider || 'claude').toLowerCase();
+    return PROVIDERS.includes(want) ? want : 'claude';
+}
+export function getBrain(opts) {
+    const cfg = loadConfig();
+    const provider = resolveProvider(opts?.provider);
+    if (provider === 'claude') {
+        const apiKey = process.env.ANTHROPIC_API_KEY || cfg.brain?.keys?.anthropic;
+        const override = opts?.model || process.env.DRAGON_MODEL || cfg.brain?.model;
+        if (apiKey)
+            return makeClaudeBrain({ apiKey, model: override || DEFAULT_CLAUDE_MODEL });
+        // No API key → reuse the local Claude Code CLI's own auth ("use this Claude").
+        if (hasClaudeCli())
+            return makeClaudeCliBrain({ model: override });
+        throw new BrainConfigError('claude', 'no Anthropic key and no `claude` CLI found — set ANTHROPIC_API_KEY, run `dragon config key anthropic <key>`, install Claude Code, or use `--brain local`.');
+    }
+    if (provider === 'openai') {
+        const apiKey = process.env.OPENAI_API_KEY || cfg.brain?.keys?.openai;
+        if (!apiKey)
+            throw new BrainConfigError('openai', 'no OpenAI key — set OPENAI_API_KEY or run `dragon config key openai <key>`.');
+        const model = opts?.model || process.env.DRAGON_MODEL || cfg.brain?.model || 'gpt-4o';
+        return makeOpenAICompatBrain({ id: 'openai', baseURL: 'https://api.openai.com/v1', apiKey, model });
+    }
+    if (provider === 'worker') {
+        // Our Cloudflare Workers AI — free, no key, just `dragon login`.
+        return makeWorkerBrain();
+    }
+    if (provider === 'custom') {
+        // ANY OpenAI-compatible endpoint — OpenRouter, vLLM, LM Studio, llama.cpp, etc.
+        const baseURL = process.env.DRAGON_OPENAI_BASE || cfg.brain?.customBaseURL;
+        if (!baseURL)
+            throw new BrainConfigError('custom', 'no custom endpoint — set DRAGON_OPENAI_BASE (any OpenAI-compatible base URL) or `dragon config custom-url <url>`.');
+        const apiKey = process.env.DRAGON_OPENAI_KEY || cfg.brain?.keys?.openai || 'none';
+        const model = opts?.model || process.env.DRAGON_CUSTOM_MODEL || cfg.brain?.customModel || 'default';
+        return makeOpenAICompatBrain({ id: 'custom', baseURL, apiKey, model });
+    }
+    if (provider === 'router') {
+        // The Ghost Router — classifies each turn and delegates to the best local
+        // model (or escalates to Claude). `resolve` is injected so the router can
+        // build sibling brains without a circular import.
+        const localBaseURL = process.env.DRAGON_LOCAL_URL || cfg.brain?.localBaseURL || 'http://localhost:11434/v1';
+        return makeRouterBrain({ resolve: (p, m) => getBrain({ provider: p, model: m }), localBaseURL });
+    }
+    if (provider === 'ghost') {
+        // DragonSpark's EMBER — Ghost Protocol's own fine-tuned local model, served by
+        // Ollama. Uses the EMBER-specific adapter (JSON-array tool format + Wyrm-RAG via
+        // the primed system prompt), NOT generic OpenAI function-calling.
+        const baseURL = process.env.DRAGON_GHOST_URL || cfg.brain?.ghostBaseURL || 'http://localhost:11434/v1';
+        const model = opts?.model || process.env.DRAGON_GHOST_MODEL || cfg.brain?.ghostModel || 'ember';
+        return makeGhostEmberBrain({ baseURL, model });
+    }
+    // local (Ollama / any OpenAI-compatible local server) — sovereign, $0
+    const baseURL = process.env.DRAGON_LOCAL_URL || cfg.brain?.localBaseURL || 'http://localhost:11434/v1';
+    const model = opts?.model || process.env.DRAGON_LOCAL_MODEL || cfg.brain?.localModel || 'qwen2.5-coder:7b';
+    return makeOpenAICompatBrain({ id: 'local', baseURL, apiKey: 'ollama', model });
+}
+//# sourceMappingURL=index.js.map

package/dist/brain/openai-compat.d.ts

@@ -0,0 +1,21 @@
+/**
+ * OpenAI-compatible brain — one implementation, two providers:
+ *   - 'openai' → https://api.openai.com/v1   (GPT)
+ *   - 'local'  → http://localhost:11434/v1   (Ollama; sovereign, $0)
+ * Any other OpenAI-compatible server works too via a custom baseURL.
+ *
+ * Speaks the Chat Completions streaming protocol with function tools, decoding
+ * SSE deltas: `delta.content` → text, `delta.tool_calls[]` → accumulated by
+ * index (id + name once, arguments streamed as string chunks → JSON-parsed at
+ * the end). No SDK — plain fetch keeps the dep surface small.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import type { Brain } from './types.js';
+export declare function makeOpenAICompatBrain(opts: {
+    id: string;
+    baseURL: string;
+    apiKey: string;
+    model: string;
+}): Brain;
+//# sourceMappingURL=openai-compat.d.ts.map

package/dist/brain/openai-compat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai-compat.d.ts","sourceRoot":"","sources":["../../src/brain/openai-compat.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAqC,MAAM,YAAY,CAAA;AA+B1E,wBAAgB,qBAAqB,CAAC,IAAI,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,KAAK,CAqEjH"}

package/dist/brain/openai-compat.js

@@ -0,0 +1,119 @@
+/**
+ * OpenAI-compatible brain — one implementation, two providers:
+ *   - 'openai' → https://api.openai.com/v1   (GPT)
+ *   - 'local'  → http://localhost:11434/v1   (Ollama; sovereign, $0)
+ * Any other OpenAI-compatible server works too via a custom baseURL.
+ *
+ * Speaks the Chat Completions streaming protocol with function tools, decoding
+ * SSE deltas: `delta.content` → text, `delta.tool_calls[]` → accumulated by
+ * index (id + name once, arguments streamed as string chunks → JSON-parsed at
+ * the end). No SDK — plain fetch keeps the dep surface small.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+function toOpenAI(system, messages) {
+    const out = [{ role: 'system', content: system }];
+    for (const m of messages) {
+        if (m.role === 'tool') {
+            out.push({ role: 'tool', tool_call_id: m.toolCallId ?? '', content: m.content });
+        }
+        else if (m.role === 'assistant') {
+            out.push({
+                role: 'assistant',
+                content: m.content || null,
+                tool_calls: m.toolCalls?.length
+                    ? m.toolCalls.map((tc) => ({ id: tc.id, type: 'function', function: { name: tc.name, arguments: JSON.stringify(tc.arguments ?? {}) } }))
+                    : undefined,
+            });
+        }
+        else {
+            out.push({ role: 'user', content: m.content });
+        }
+    }
+    return out;
+}
+export function makeOpenAICompatBrain(opts) {
+    const baseURL = opts.baseURL.replace(/\/+$/, '');
+    return {
+        id: opts.id,
+        model: opts.model,
+        async turn(t) {
+            const res = await fetch(`${baseURL}/chat/completions`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json', authorization: `Bearer ${opts.apiKey}` },
+                body: JSON.stringify({
+                    model: opts.model,
+                    messages: toOpenAI(t.system, t.messages),
+                    tools: t.tools.length ? t.tools.map((tool) => ({ type: 'function', function: { name: tool.name, description: tool.description, parameters: tool.parameters } })) : undefined,
+                    tool_choice: t.tools.length ? 'auto' : undefined,
+                    stream: true,
+                    max_tokens: t.maxTokens ?? 8192,
+                }),
+                signal: t.signal,
+            });
+            if (!res.ok || !res.body) {
+                const body = await res.text().catch(() => res.statusText);
+                throw new Error(`${opts.id} brain HTTP ${res.status}: ${body.slice(0, 400)}`);
+            }
+            const reader = res.body.getReader();
+            const dec = new TextDecoder();
+            let buf = '';
+            let text = '';
+            const acc = new Map();
+            for (;;) {
+                const { value, done } = await reader.read();
+                if (done)
+                    break;
+                buf += dec.decode(value, { stream: true });
+                const lines = buf.split('\n');
+                buf = lines.pop() ?? '';
+                for (const line of lines) {
+                    if (!line.startsWith('data: '))
+                        continue;
+                    const data = line.slice(6).trim();
+                    if (data === '[DONE]')
+                        break;
+                    let obj;
+                    try {
+                        obj = JSON.parse(data);
+                    }
+                    catch {
+                        continue;
+                    }
+                    const delta = obj.choices?.[0]?.delta;
+                    if (!delta)
+                        continue;
+                    if (typeof delta.content === 'string' && delta.content) {
+                        text += delta.content;
+                        t.onDelta?.(delta.content);
+                    }
+                    for (const tc of delta.tool_calls ?? []) {
+                        const idx = tc.index ?? 0;
+                        const cur = acc.get(idx) ?? { id: '', name: '', args: '' };
+                        if (tc.id)
+                            cur.id = tc.id;
+                        if (tc.function?.name)
+                            cur.name = tc.function.name;
+                        if (tc.function?.arguments)
+                            cur.args += tc.function.arguments;
+                        acc.set(idx, cur);
+                    }
+                }
+            }
+            const toolCalls = [...acc.values()]
+                .filter((a) => a.name)
+                .map((a, i) => {
+                let args = {};
+                try {
+                    args = a.args ? JSON.parse(a.args) : {};
+                }
+                catch {
+                    args = {};
+                }
+                return { id: a.id || `call_${i}`, name: a.name, arguments: args };
+            });
+            return { text, toolCalls };
+        },
+    };
+}
+//# sourceMappingURL=openai-compat.js.map

package/dist/brain/router/classify.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Request classification for the Ghost Router — intent × difficulty × stakes.
+ *
+ * INTENT is decided semantically: we embed the current user message with the
+ * already-resident nomic-embed-text (via Ollama, ~0 extra VRAM) and take the
+ * nearest route centroid. A deterministic keyword classifier is the fallback when
+ * embeddings are unavailable, so routing degrades gracefully (never throws).
+ *
+ * DIFFICULTY and STAKES are cheap deterministic heuristics — no model needed.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import type { BrainMessage } from '../types.js';
+export type Intent = 'reasoning' | 'code' | 'tools' | 'chat' | 'ops_security';
+export type Stakes = 'security' | 'financial' | 'critical' | 'standard' | 'dev';
+export interface Classification {
+    intent: Intent;
+    difficulty: number;
+    stakes: Stakes;
+    via: 'embed' | 'keyword';
+}
+export declare function classify(base: string, messages: BrainMessage[], toolCount: number, signal?: AbortSignal): Promise<Classification>;
+//# sourceMappingURL=classify.d.ts.map

package/dist/brain/router/classify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"classify.d.ts","sourceRoot":"","sources":["../../../src/brain/router/classify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,MAAM,MAAM,MAAM,GAAG,WAAW,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,cAAc,CAAA;AAC7E,MAAM,MAAM,MAAM,GAAG,UAAU,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,GAAG,KAAK,CAAA;AAE/E,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,GAAG,EAAE,OAAO,GAAG,SAAS,CAAA;CACzB;AAwHD,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,EAAE,EACxB,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,cAAc,CAAC,CAkBzB"}

package/dist/brain/router/classify.js

@@ -0,0 +1,160 @@
+/**
+ * Request classification for the Ghost Router — intent × difficulty × stakes.
+ *
+ * INTENT is decided semantically: we embed the current user message with the
+ * already-resident nomic-embed-text (via Ollama, ~0 extra VRAM) and take the
+ * nearest route centroid. A deterministic keyword classifier is the fallback when
+ * embeddings are unavailable, so routing degrades gracefully (never throws).
+ *
+ * DIFFICULTY and STAKES are cheap deterministic heuristics — no model needed.
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+const EMBED_URL = (base) => base.replace(/\/v1\/?$/, '').replace(/\/+$/, '') + '/api/embeddings';
+/** Seed phrases per route — centroids are the mean of their embeddings. */
+const ROUTE_SEEDS = {
+    reasoning: [
+        'solve this math problem step by step', 'prove that the statement holds',
+        'what is the time complexity', 'derive the closed-form formula',
+        'solve this logic puzzle', 'crack this cipher / modular arithmetic',
+    ],
+    code: [
+        'write a function that', 'implement this feature', 'refactor this code',
+        'add a unit test for', 'fix the bug in this code',
+    ],
+    tools: [
+        'run the command', 'edit the file', 'deploy the service', 'list the files',
+        'grep the codebase for', 'execute and show the output',
+    ],
+    chat: [
+        'hello', 'what do you think about', 'explain this briefly',
+        'summarize this', 'give me a quick answer',
+    ],
+    ops_security: [
+        'run a penetration test', 'find the vulnerability', 'audit this for security',
+        'harden this configuration', 'scan the target host',
+    ],
+};
+const KEYWORDS = {
+    ops_security: /\b(pentest|exploit|vuln|cve|nmap|payload|recon|harden|audit|red.?team|owasp)\b/i,
+    reasoning: /\b(prove|theorem|complexity|derive|calculate|compute|equation|algorithm|puzzle|cipher|optimal)\b/i,
+    code: /\b(function|refactor|implement|class|compile|unit test|bug|stack trace|typescript|python)\b/i,
+    tools: /\b(run|execute|deploy|grep|edit|read the file|list files|install|git )\b/i,
+    chat: /.*/, // fallback
+};
+const STAKES_RULES = [
+    // NOTE: pentest/exploit are our DOMAIN, not "stakes" — they must stay local
+    // (privacy-first). Only genuinely sensitive/irreversible ops escalate.
+    ['security', /\b(production|prod\b|credential|secret|api.?key|ssh|rm -rf|drop table|sudo)\b/i],
+    ['financial', /\b(payment|invoice|billing|refund|bank|wire|salary|price|charge|stripe|paddle)\b/i],
+    ['critical', /\b(migration|database|deploy to prod|delete|irreversible|legal|contract)\b/i],
+];
+function lastUser(messages) {
+    for (let i = messages.length - 1; i >= 0; i--)
+        if (messages[i].role === 'user')
+            return messages[i].content;
+    return messages.length ? messages[messages.length - 1].content : '';
+}
+async function embed(base, text, signal) {
+    try {
+        const res = await fetch(EMBED_URL(base), {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ model: process.env.DRAGON_ROUTER_EMBED || 'nomic-embed-text', prompt: text }),
+            signal,
+        });
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return Array.isArray(data.embedding) && data.embedding.length ? data.embedding : null;
+    }
+    catch {
+        return null;
+    }
+}
+function cosine(a, b) {
+    let dot = 0, na = 0, nb = 0;
+    for (let i = 0; i < a.length; i++) {
+        dot += a[i] * b[i];
+        na += a[i] * a[i];
+        nb += b[i] * b[i];
+    }
+    return dot / (Math.sqrt(na) * Math.sqrt(nb) + 1e-9);
+}
+// Route centroids are computed once and cached. If embeddings are unavailable
+// (e.g. Ollama still starting), we keep CENTROIDS null and RETRY after a cooldown
+// rather than disabling semantic routing for the whole process lifetime.
+let CENTROIDS = null;
+let centroidsNextRetry = 0;
+async function ensureCentroids(base, signal) {
+    if (CENTROIDS)
+        return CENTROIDS;
+    if (Date.now() < centroidsNextRetry)
+        return null;
+    centroidsNextRetry = Date.now() + 30_000; // don't hammer a down Ollama
+    const out = {};
+    for (const intent of Object.keys(ROUTE_SEEDS)) {
+        const vecs = [];
+        for (const phrase of ROUTE_SEEDS[intent]) {
+            const v = await embed(base, phrase, signal);
+            if (v)
+                vecs.push(v);
+        }
+        if (!vecs.length)
+            return null; // embeddings unavailable → keyword fallback, retry later
+        const dim = vecs[0].length;
+        const mean = new Array(dim).fill(0);
+        for (const v of vecs)
+            for (let i = 0; i < dim; i++)
+                mean[i] += v[i] / vecs.length;
+        out[intent] = mean;
+    }
+    return (CENTROIDS = out);
+}
+function keywordIntent(text) {
+    for (const intent of ['ops_security', 'reasoning', 'code', 'tools']) {
+        if (KEYWORDS[intent].test(text))
+            return intent;
+    }
+    return 'chat';
+}
+function scoreDifficulty(text, toolCount) {
+    const len = text.length;
+    let d = Math.min(len / 1600, 0.5); // length signal, capped at 0.5
+    if (/\b(step by step|prove|derive|complex|multi-step|optimi[sz]e|edge case|why)\b/i.test(text))
+        d += 0.2;
+    if ((text.match(/\?/g) || []).length >= 2)
+        d += 0.1; // multiple questions
+    if (/```|\bfunction\b|\bclass\b/.test(text))
+        d += 0.1; // code present
+    d += Math.min(toolCount / 40, 0.15); // many tools = harder orchestration
+    return Math.max(0, Math.min(1, d));
+}
+function classifyStakes(text) {
+    for (const [tier, re] of STAKES_RULES)
+        if (re.test(text))
+            return tier;
+    return 'standard';
+}
+export async function classify(base, messages, toolCount, signal) {
+    const text = lastUser(messages);
+    const stakes = classifyStakes(text);
+    const difficulty = scoreDifficulty(text, toolCount);
+    const centroids = await ensureCentroids(base, signal);
+    if (centroids) {
+        const v = await embed(base, text, signal);
+        if (v) {
+            let best = 'chat', bestScore = -Infinity;
+            for (const intent of Object.keys(centroids)) {
+                const s = cosine(v, centroids[intent]);
+                if (s > bestScore) {
+                    bestScore = s;
+                    best = intent;
+                }
+            }
+            return { intent: best, difficulty, stakes, via: 'embed' };
+        }
+    }
+    return { intent: keywordIntent(text), difficulty, stakes, via: 'keyword' };
+}
+//# sourceMappingURL=classify.js.map

package/dist/brain/router/execute.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Execution-based verification (ROUTER-BLUEPRINT.md §2) — the highest-value reward
+ * for code/security work: actually RUN the candidate and use pass/fail as the signal.
+ *
+ * SECURITY-FIRST (this is a security company): auto-running model-generated code is
+ * dangerous, so it is OFF by default and only ever runs:
+ *   - when DRAGON_VERIFY_EXEC=1 is explicitly set,
+ *   - inside a bwrap sandbox with NO network, a tmpfs, and a read-only /usr,
+ *   - for python3 / node ONLY (never bash/sh),
+ *   - under a hard timeout.
+ * If bwrap is missing we REFUSE to execute (fail closed).
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+export interface ExecResult {
+    ran: boolean;
+    ok?: boolean;
+    lang?: string;
+    output?: string;
+    reason?: string;
+}
+export declare function executeVerify(text: string, _signal?: AbortSignal): Promise<ExecResult | null>;
+//# sourceMappingURL=execute.d.ts.map

package/dist/brain/router/execute.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"execute.d.ts","sourceRoot":"","sources":["../../../src/brain/router/execute.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAOH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,OAAO,CAAA;IACZ,EAAE,CAAC,EAAE,OAAO,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAsBD,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CA+BnG"}

package/dist/brain/router/execute.js

@@ -0,0 +1,84 @@
+/**
+ * Execution-based verification (ROUTER-BLUEPRINT.md §2) — the highest-value reward
+ * for code/security work: actually RUN the candidate and use pass/fail as the signal.
+ *
+ * SECURITY-FIRST (this is a security company): auto-running model-generated code is
+ * dangerous, so it is OFF by default and only ever runs:
+ *   - when DRAGON_VERIFY_EXEC=1 is explicitly set,
+ *   - inside a bwrap sandbox with NO network, a tmpfs, and a read-only /usr,
+ *   - for python3 / node ONLY (never bash/sh),
+ *   - under a hard timeout.
+ * If bwrap is missing we REFUSE to execute (fail closed).
+ *
+ * Copyright 2026 Ghost Protocol (Pvt) Ltd. All Rights Reserved.
+ */
+import { spawnSync, execSync } from 'node:child_process';
+import { mkdtempSync, writeFileSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+const LANGS = {
+    python: { file: 'snippet.py', cmd: 'python3' },
+    py: { file: 'snippet.py', cmd: 'python3' },
+    javascript: { file: 'snippet.js', cmd: 'node' },
+    js: { file: 'snippet.js', cmd: 'node' },
+    node: { file: 'snippet.js', cmd: 'node' },
+};
+function hasBwrap() {
+    try {
+        execSync('command -v bwrap', { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Pull the last fenced code block + its language. */
+function lastCodeBlock(text) {
+    const blocks = [...text.matchAll(/```([a-zA-Z0-9]*)\n([\s\S]*?)```/g)];
+    if (!blocks.length)
+        return null;
+    const b = blocks[blocks.length - 1];
+    return { lang: (b[1] || '').toLowerCase(), code: b[2] };
+}
+export async function executeVerify(text, _signal) {
+    if (process.env.DRAGON_VERIFY_EXEC !== '1')
+        return null; // off by default
+    const block = lastCodeBlock(text);
+    if (!block)
+        return null;
+    const spec = LANGS[block.lang];
+    if (!spec)
+        return { ran: false, reason: `unsupported lang '${block.lang}' (only python/node auto-run)` };
+    if (!hasBwrap())
+        return { ran: false, reason: 'no bwrap sandbox — refusing to execute (fail-closed)' };
+    const dir = mkdtempSync(join(tmpdir(), 'dragon-verify-'));
+    try {
+        writeFileSync(join(dir, spec.file), block.code, { mode: 0o600 });
+        const args = [
+            '--unshare-all', '--die-with-parent',
+            '--cap-drop', 'ALL', '--new-session', // drop all caps + no controlling tty (defense-in-depth)
+            '--ro-bind', '/usr', '/usr',
+            '--ro-bind', '/lib', '/lib', '--ro-bind', '/lib64', '/lib64',
+            '--proc', '/proc', '--dev', '/dev',
+            '--tmpfs', '/tmp',
+            '--bind', dir, '/work', '--chdir', '/work',
+            '--setenv', 'HOME', '/work', '--setenv', 'PATH', '/usr/bin:/bin',
+            spec.cmd, join('/work', spec.file),
+        ];
+        const r = spawnSync('bwrap', args, { timeout: 8000, encoding: 'utf-8', maxBuffer: 1 << 20 });
+        if (r.error)
+            return { ran: false, lang: block.lang, reason: String(r.error.message || r.error) };
+        const output = ((r.stdout || '') + (r.stderr || '')).slice(0, 2000);
+        return { ran: true, ok: r.status === 0, lang: block.lang, output };
+    }
+    catch (e) {
+        return { ran: false, lang: block.lang, reason: e.message };
+    }
+    finally {
+        try {
+            rmSync(dir, { recursive: true, force: true });
+        }
+        catch { /* best-effort */ }
+    }
+}
+//# sourceMappingURL=execute.js.map