open-classify 0.1.1 → 0.2.0

package/dist/src/classify.d.ts

@@ -0,0 +1,22 @@
+import { type RunClassifier } from "./classifiers.js";
+import { type OpenClassifyConfig } from "./config.js";
+import type { AggregatorConfig, Catalog, PipelineResult } from "./manifest.js";
+import type { OpenClassifyInput } from "./types.js";
+export type Classifier = (input: OpenClassifyInput, options?: {
+    signal?: AbortSignal;
+}) => Promise<PipelineResult>;
+export interface CreateClassifierOptions {
+    runClassifier?: RunClassifier;
+    catalog?: Catalog;
+    config?: OpenClassifyConfig;
+    configPath?: string;
+    catalogPath?: string;
+    skipResourceCheck?: boolean;
+    minAvailableMemoryBytes?: number;
+    minTotalMemoryBytes?: number;
+    fetch?: typeof fetch;
+    classifierTimeoutMs?: number;
+    classifierRetryCount?: number;
+    aggregator?: AggregatorConfig;
+}
+export declare function createClassifier(options?: CreateClassifierOptions): Classifier;

package/dist/src/classify.js

@@ -0,0 +1,50 @@
+// High-level facade for the pipeline. Builds the runner and catalog once,
+// then returns a closure callers can invoke many times without re-loading
+// config or the catalog from disk. Backend-agnostic: pass a custom
+// `runClassifier` to bypass the bundled Ollama runner entirely.
+import { loadCatalog } from "./catalog.js";
+import { classifierModelsFromConfig, loadOpenClassifyConfig, } from "./config.js";
+import { assertOllamaResources, createOllamaClassifierRunner, OLLAMA_DEFAULT_CATALOG_PATH, } from "./ollama.js";
+import { classifyOpenClassifyInput } from "./pipeline.js";
+export function createClassifier(options = {}) {
+    const fileConfig = options.config ??
+        loadOpenClassifyConfig(options.configPath, {
+            optional: options.configPath === undefined &&
+                process.env.OPEN_CLASSIFY_CONFIG === undefined,
+        });
+    // When we own the runner, hoist the resource check to the wrapper so a
+    // failure surfaces as a top-level rejection — the per-classifier fallback
+    // path would otherwise mask it as five "classifier failed" entries.
+    const ownsRunner = options.runClassifier === undefined;
+    const needsResourceCheck = ownsRunner && !options.skipResourceCheck;
+    const runClassifier = options.runClassifier ??
+        createOllamaClassifierRunner({
+            host: fileConfig?.runner?.host,
+            defaultModel: fileConfig?.runner?.defaultModel,
+            models: classifierModelsFromConfig(fileConfig),
+            options: fileConfig?.runner?.options,
+            skipResourceCheck: needsResourceCheck ? true : options.skipResourceCheck,
+            fetch: options.fetch,
+        });
+    const catalog = options.catalog ??
+        loadCatalog(options.catalogPath ?? fileConfig?.catalog ?? OLLAMA_DEFAULT_CATALOG_PATH);
+    const aggregator = options.aggregator ?? fileConfig?.aggregator;
+    let resourceCheck;
+    return async (input, callOptions) => {
+        if (needsResourceCheck) {
+            resourceCheck ??= assertOllamaResources({
+                minTotalMemoryBytes: options.minTotalMemoryBytes,
+                minAvailableMemoryBytes: options.minAvailableMemoryBytes,
+            });
+            await resourceCheck;
+        }
+        return classifyOpenClassifyInput(input, {
+            runClassifier,
+            catalog,
+            classifierTimeoutMs: options.classifierTimeoutMs,
+            classifierRetryCount: options.classifierRetryCount,
+            aggregator,
+            signal: callOptions?.signal,
+        });
+    };
+}

package/dist/src/config.d.ts

@@ -1,8 +1,10 @@
 import { type ClassifierName } from "./classifiers.js";
+import { type AggregatorConfig } from "./manifest.js";
 export declare const DEFAULT_OPEN_CLASSIFY_CONFIG_PATH = "open-classify.config.json";
 export interface OpenClassifyConfig {
     readonly runner?: OllamaRunnerConfig;
     readonly catalog?: string;
+    readonly aggregator?: AggregatorConfig;
 }
 export interface OllamaRunnerConfig {
     readonly provider: "ollama";

package/dist/src/config.js

@@ -1,5 +1,6 @@
 import { existsSync, readFileSync } from "node:fs";
 import { REGISTRY } from "./classifiers.js";
+import { CERTAINTY_GATE_MODES, } from "./manifest.js";
 import { STOCK_CLASSIFIER_NAMES } from "./stock.js";
 import { isRecord } from "./validation.js";
 export const DEFAULT_OPEN_CLASSIFY_CONFIG_PATH = "open-classify.config.json";
@@ -37,10 +38,28 @@ export function validateOpenClassifyConfig(value, path = "open-classify config")
     if (!isRecord(value)) {
         throwConfig(path, "config must be a JSON object");
     }
-    ensureAllowedKeys(value, ["runner", "catalog"], path, "<root>");
+    ensureAllowedKeys(value, ["runner", "catalog", "aggregator"], path, "<root>");
     return {
         ...(value.runner === undefined ? {} : { runner: validateRunner(value.runner, path) }),
         ...(value.catalog === undefined ? {} : { catalog: requireString(value.catalog, path, "catalog") }),
+        ...(value.aggregator === undefined ? {} : { aggregator: validateAggregator(value.aggregator, path) }),
+    };
+}
+function validateAggregator(value, path) {
+    if (!isRecord(value)) {
+        throwConfig(path, "aggregator must be an object");
+    }
+    ensureAllowedKeys(value, ["certaintyThreshold", "confidenceThreshold", "certaintyGate"], path, "aggregator");
+    return {
+        ...(value.certaintyThreshold === undefined
+            ? {}
+            : { certaintyThreshold: requireUnitFloat(value.certaintyThreshold, path, "aggregator.certaintyThreshold") }),
+        ...(value.confidenceThreshold === undefined
+            ? {}
+            : { confidenceThreshold: requireUnitFloat(value.confidenceThreshold, path, "aggregator.confidenceThreshold") }),
+        ...(value.certaintyGate === undefined
+            ? {}
+            : { certaintyGate: requireCertaintyGateMode(value.certaintyGate, path, "aggregator.certaintyGate") }),
     };
 }
 function validateRunner(value, path) {
@@ -131,6 +150,19 @@ function requireNumber(value, path, field) {
     }
     return value;
 }
+function requireUnitFloat(value, path, field) {
+    const number = requireNumber(value, path, field);
+    if (number < 0 || number > 1) {
+        throwConfig(path, `${field} must be a finite number between 0 and 1 inclusive`);
+    }
+    return number;
+}
+function requireCertaintyGateMode(value, path, field) {
+    if (typeof value !== "string" || !CERTAINTY_GATE_MODES.includes(value)) {
+        throwConfig(path, `${field} must be one of ${CERTAINTY_GATE_MODES.join(", ")}`);
+    }
+    return value;
+}
 function ensureAllowedKeys(value, allowedKeys, path, field) {
     const allowed = new Set(allowedKeys);
     for (const key of Object.keys(value)) {

package/dist/src/enums.d.ts

@@ -1,10 +1,6 @@
 export declare const DOWNSTREAM_MODEL_TIER_VALUES: readonly ["local_fast", "local_small", "local_strong", "local_coding", "frontier_fast", "frontier_strong", "frontier_coding"];
 export type DownstreamModelTier = (typeof DOWNSTREAM_MODEL_TIER_VALUES)[number];
-export declare const MODEL_SPECIALIZATION_VALUES: readonly ["agentic_coding", "agentic_workflows", "chat", "code_fixing", "code_reasoning", "code_review", "writing", "reasoning", "planning", "coding", "computer_use", "debugging", "instruction_following", "question_answering", "subagents", "summarization", "tool_assisted_coding", "vision_input"];
+export declare const MODEL_SPECIALIZATION_VALUES: readonly ["chat", "reasoning", "planning", "writing", "summarization", "coding", "tool_use", "computer_use", "vision"];
 export type ModelSpecialization = (typeof MODEL_SPECIALIZATION_VALUES)[number];
-export declare const SECURITY_DECISION_VALUES: readonly ["allow", "block", "needs_review"];
-export type SecurityDecision = (typeof SECURITY_DECISION_VALUES)[number];
-export declare const SECURITY_RISK_LEVEL_VALUES: readonly ["normal", "suspicious", "high_risk", "unknown"];
-export type SecurityRiskLevel = (typeof SECURITY_RISK_LEVEL_VALUES)[number];
-export declare const SECURITY_SIGNAL_VALUES: readonly ["instruction_attack", "secret_or_private_data_risk", "unsafe_tool_or_action", "untrusted_content_or_code", "injection_or_obfuscation"];
-export type SecuritySignal = (typeof SECURITY_SIGNAL_VALUES)[number];
+export declare const PROMPT_INJECTION_RISK_LEVEL_VALUES: readonly ["normal", "suspicious", "high_risk", "unknown"];
+export type PromptInjectionRiskLevel = (typeof PROMPT_INJECTION_RISK_LEVEL_VALUES)[number];

package/dist/src/enums.js

@@ -19,44 +19,21 @@ export const DOWNSTREAM_MODEL_TIER_VALUES = [
 // Which kind of model/prompt specialization fits the request best. Combined
 // with the tier to look up a concrete model in the catalog.
 export const MODEL_SPECIALIZATION_VALUES = [
-    "agentic_coding",
-    "agentic_workflows",
     "chat",
-    "code_fixing",
-    "code_reasoning",
-    "code_review",
-    "writing",
     "reasoning",
     "planning",
+    "writing",
+    "summarization",
     "coding",
+    "tool_use",
     "computer_use",
-    "debugging",
-    "instruction_following",
-    "question_answering",
-    "subagents",
-    "summarization",
-    "tool_assisted_coding",
-    "vision_input",
-];
-export const SECURITY_DECISION_VALUES = [
-    "allow",
-    "block",
-    "needs_review",
+    "vision",
 ];
-// Overall safety posture on the latest user message. Security short-circuiting
-// is driven by safety.decision, not risk level alone.
-export const SECURITY_RISK_LEVEL_VALUES = [
+// Prompt-injection posture on the latest user message. The pipeline blocks
+// confident high_risk and unknown prompt-injection outputs.
+export const PROMPT_INJECTION_RISK_LEVEL_VALUES = [
     "normal",
     "suspicious",
     "high_risk",
     "unknown",
 ];
-// Specific safety concerns the security classifier can flag. These are
-// advisory; safety.decision controls whether the pipeline blocks or needs review.
-export const SECURITY_SIGNAL_VALUES = [
-    "instruction_attack",
-    "secret_or_private_data_risk",
-    "unsafe_tool_or_action",
-    "untrusted_content_or_code",
-    "injection_or_obfuscation",
-];

package/dist/src/index.d.ts

@@ -1,6 +1,7 @@
 export * from "./aggregator.js";
 export * from "./catalog.js";
 export * from "./classifiers.js";
+export * from "./classify.js";
 export * from "./config.js";
 export * from "./enums.js";
 export * from "./input.js";

package/dist/src/index.js

@@ -1,11 +1,12 @@
 // Public barrel for the Open Classify package. Everything an external caller
 // would need — input types, enums, the registry, the pipeline, the Ollama
-// runner, the catalog loader, the aggregator's confidence threshold — is
+// runner, the catalog loader, the aggregator's certainty threshold — is
 // re-exported here. The build emits a single `index.js` that downstream
 // consumers can import from `open-classify`.
 export * from "./aggregator.js";
 export * from "./catalog.js";
 export * from "./classifiers.js";
+export * from "./classify.js";
 export * from "./config.js";
 export * from "./enums.js";
 export * from "./input.js";

package/dist/src/input.js

@@ -9,7 +9,7 @@ import { createHash } from "node:crypto";
  * Gemma 4 E4B supports a native 131,072-token (128K) context window. Open
  * Classify does not use that full window in the reference local runtime: it
  * runs the classifier set in parallel with a configured 4,096-token context.
- * The largest fixed classifier prompt is security at about 1,748 estimated
+ * The largest fixed classifier prompt is prompt_injection at roughly 1,700 estimated
  * tokens using the same 3 chars/token heuristic as the Ollama packer. We round
  * that up to 2,000 fixed-prompt tokens, reserve roughly 400 tokens for output,
  * chat-template variance, and estimation error, then spend the remainder on

package/dist/src/manifest.d.ts

@@ -1,8 +1,10 @@
-import type { AckReplySignal, ClassifierOutput, CustomClassifierOutput, FinalReplySignal, RoutingSignal, RuntimeClassifierManifest, SafetySignal, ToolsSignal } from "./stock.js";
+import type { AckReplySignal, ClassifierOutput, CustomClassifierOutput, FinalReplySignal, PromptInjectionSignal, RoutingSignal, RuntimeClassifierManifest, ToolsSignal } from "./stock.js";
 import type { ClassifierInput, ClassifierRunStatus } from "./types.js";
 import type { DownstreamModelTier, ModelSpecialization } from "./enums.js";
 export type ClassifierName = string;
 export type ClassifierResults = Record<ClassifierName, ClassifierOutput>;
+export declare const CERTAINTY_GATE_MODES: readonly ["min_score", "avg_score", "off"];
+export type CertaintyGateMode = (typeof CERTAINTY_GATE_MODES)[number];
 export type RunClassifier = (name: ClassifierName, input: ClassifierInput, signal: AbortSignal) => Promise<ClassifierOutput>;
 export interface CatalogEntry {
     readonly id: string;
@@ -46,7 +48,7 @@ export interface Envelope {
     readonly ack_reply?: AckReplySignal;
     readonly routing?: RoutingSignal;
     readonly tools?: ToolsSignal;
-    readonly safety?: SafetySignal;
+    readonly prompt_injection?: PromptInjectionSignal;
     readonly custom_outputs: ReadonlyArray<CustomClassifierOutput>;
     readonly model_recommendation: ModelRecommendation;
 }
@@ -71,35 +73,38 @@ export interface PipelineMeta {
 export interface PipelineAudit extends Envelope {
     readonly meta: PipelineMeta;
     readonly fired_by?: string;
+    readonly certainty_gate?: LowCertaintyBlockReason;
 }
-export type AnswerPipelineResult = {
-    readonly action: "answer";
+export type BlockReason = PromptInjectionBlockReason | LowCertaintyBlockReason;
+export interface PromptInjectionBlockReason {
+    readonly kind: "prompt_injection";
+    readonly risk_level: PromptInjectionSignal["risk_level"];
+}
+export interface LowCertaintyBlockReason {
+    readonly kind: "low_certainty";
+    readonly mode: Exclude<CertaintyGateMode, "off">;
+    readonly threshold: number;
+    readonly score: number;
+    readonly classifier_scores: Readonly<Record<string, number>>;
+    readonly low_classifiers: ReadonlyArray<string>;
+}
+export type ReplyPipelineResult = {
+    readonly action: "reply";
     readonly message_id: string;
-    readonly final_reply: FinalReplySignal;
-    readonly reason: "already_answered";
+    readonly reply: {
+        readonly text: string;
+    };
+    readonly reason: "preflight_reply";
     readonly classifier_outputs: ClassifierCustomOutputs;
     readonly audit: Pick<PipelineAudit, "final_reply" | "meta" | "fired_by">;
 };
 export type BlockPipelineResult = {
     readonly action: "block";
     readonly message_id: string;
-    readonly reason: {
-        readonly risk_level?: SafetySignal["risk_level"];
-        readonly signals?: ReadonlyArray<string>;
-    };
-    readonly classifier_outputs: ClassifierCustomOutputs;
-    readonly audit: Pick<PipelineAudit, "safety" | "meta" | "fired_by">;
-};
-export type NeedsReviewPipelineResult = {
-    readonly action: "needs_review";
-    readonly message_id: string;
-    readonly fired_by: string;
-    readonly reason: {
-        readonly risk_level?: SafetySignal["risk_level"];
-        readonly signals?: ReadonlyArray<string>;
-    };
+    readonly fired_by?: string;
+    readonly reason: BlockReason;
     readonly classifier_outputs: ClassifierCustomOutputs;
-    readonly audit: Pick<PipelineAudit, "safety" | "meta" | "fired_by">;
+    readonly audit: Pick<PipelineAudit, "prompt_injection" | "meta" | "fired_by" | "certainty_gate">;
 };
 export type RoutePipelineResult = {
     readonly action: "route";
@@ -108,8 +113,11 @@ export type RoutePipelineResult = {
     readonly classifier_outputs: ClassifierCustomOutputs;
     readonly audit: PipelineAudit;
 };
-export type PipelineResult = AnswerPipelineResult | BlockPipelineResult | NeedsReviewPipelineResult | RoutePipelineResult;
+export type PipelineResult = ReplyPipelineResult | BlockPipelineResult | RoutePipelineResult;
 export interface AggregatorConfig {
+    readonly certaintyThreshold?: number;
+    /** @deprecated Use certaintyThreshold. */
     readonly confidenceThreshold?: number;
+    readonly certaintyGate?: CertaintyGateMode;
 }
 export type ClassifierRegistry = ReadonlyArray<RuntimeClassifierManifest>;

package/dist/src/manifest.js

@@ -1 +1,5 @@
-export {};
+export const CERTAINTY_GATE_MODES = [
+    "min_score",
+    "avg_score",
+    "off",
+];

package/dist/src/ollama.d.ts

@@ -1,8 +1,4 @@
 import { type ClassifierName, type RunClassifier } from "./classifiers.js";
-import { type OpenClassifyConfig } from "./config.js";
-import { classifyOpenClassifyInput } from "./pipeline.js";
-import type { Catalog } from "./manifest.js";
-import type { OpenClassifyInput } from "./types.js";
 export declare const OLLAMA_DEFAULT_HOST = "http://localhost:11434";
 export declare const OLLAMA_BASE_MODEL = "gemma4:e4b-it-q4_K_M";
 export declare const OLLAMA_BASE_MODEL_NATIVE_CONTEXT_LENGTH = 131072;
@@ -28,12 +24,6 @@ export interface OllamaClassifierRunnerConfig {
     minAvailableMemoryBytes?: number;
     minTotalMemoryBytes?: number;
 }
-export interface ClassifyWithOllamaConfig extends OllamaClassifierRunnerConfig {
-    catalog?: Catalog;
-    catalogPath?: string;
-    configPath?: string;
-    openClassifyConfig?: OpenClassifyConfig;
-}
 export declare class OllamaClassifierError extends Error {
     readonly classifier: ClassifierName;
     readonly model: string;
@@ -51,4 +41,3 @@ export declare function assertOllamaResources(options?: {
     minTotalMemoryBytes?: number;
     minAvailableMemoryBytes?: number;
 }): Promise<void>;
-export declare function classifyWithOllama(input: OpenClassifyInput, config?: ClassifyWithOllamaConfig): ReturnType<typeof classifyOpenClassifyInput>;

package/dist/src/ollama.js

@@ -10,10 +10,7 @@
 // `classifyOpenClassifyInput` — you don't have to use this module at all.
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
-import { loadCatalog } from "./catalog.js";
 import { CLASSIFIER_NAMES, MODULES_BY_NAME, validateClassifierOutput, } from "./classifiers.js";
-import { classifierModelsFromConfig, loadOpenClassifyConfig, } from "./config.js";
-import { classifyOpenClassifyInput } from "./pipeline.js";
 import { ClassifierValidationError, isRecord, } from "./validation.js";
 export const OLLAMA_DEFAULT_HOST = "http://localhost:11434";
 export const OLLAMA_BASE_MODEL = "gemma4:e4b-it-q4_K_M";
@@ -93,39 +90,6 @@ export async function assertOllamaResources(options = {}) {
         throw new OllamaResourceError(totalMemoryBytes, availableMemoryBytes, minTotalMemoryBytes, minAvailableMemoryBytes);
     }
 }
-export async function classifyWithOllama(input, config = {}) {
-    const fileConfig = config.openClassifyConfig ?? loadOpenClassifyConfig(config.configPath, {
-        optional: config.configPath === undefined && process.env.OPEN_CLASSIFY_CONFIG === undefined,
-    });
-    const runnerFileConfig = fileConfig?.runner;
-    const runnerConfig = {
-        ...config,
-        host: config.host ?? runnerFileConfig?.host,
-        defaultModel: config.defaultModel ?? runnerFileConfig?.defaultModel,
-        models: {
-            ...classifierModelsFromConfig(fileConfig),
-            ...config.models,
-        },
-        options: {
-            ...runnerFileConfig?.options,
-            ...config.options,
-        },
-    };
-    if (!runnerConfig.skipResourceCheck) {
-        await assertOllamaResources({
-            minTotalMemoryBytes: runnerConfig.minTotalMemoryBytes,
-            minAvailableMemoryBytes: runnerConfig.minAvailableMemoryBytes,
-        });
-        Object.assign(runnerConfig, {
-            skipResourceCheck: true,
-        });
-    }
-    const catalog = config.catalog ?? loadCatalog(config.catalogPath ?? fileConfig?.catalog ?? OLLAMA_DEFAULT_CATALOG_PATH);
-    return classifyOpenClassifyInput(input, {
-        runClassifier: createOllamaClassifierRunner(runnerConfig),
-        catalog,
-    });
-}
 async function runOllamaClassifier(name, input, signal, fetchImpl, host, model, options, allowManifestModel) {
     const module_ = MODULES_BY_NAME[name];
     const systemPrompt = module_.systemPrompt;

package/dist/src/pipeline.d.ts

@@ -3,6 +3,7 @@ import type { AggregatorConfig, Catalog, PipelineResult } from "./manifest.js";
 import type { OpenClassifyInput } from "./types.js";
 export declare const DEFAULT_CLASSIFIER_TIMEOUT_MS = 15000;
 export declare const DEFAULT_CLASSIFIER_RETRY_COUNT = 1;
+export declare const DEFAULT_CERTAINTY_GATE = "min_score";
 export declare class OpenClassifyNormalizationError extends Error {
     constructor(cause: unknown);
 }

package/dist/src/pipeline.js

@@ -1,9 +1,10 @@
-import { composeEnvelope } from "./aggregator.js";
+import { certaintyThreshold, composeEnvelope } from "./aggregator.js";
 import { CLASSIFIER_NAMES, MODULES_BY_NAME, REGISTRY, } from "./classifiers.js";
 import { normalizeOpenClassifyInput, toClassifierInput } from "./input.js";
-import { isCustomManifest } from "./stock.js";
+import { certaintyScore, isCustomManifest } from "./stock.js";
 export const DEFAULT_CLASSIFIER_TIMEOUT_MS = 15_000;
 export const DEFAULT_CLASSIFIER_RETRY_COUNT = 1;
+export const DEFAULT_CERTAINTY_GATE = "min_score";
 export class OpenClassifyNormalizationError extends Error {
     constructor(cause) {
         super(errorMessage(cause), { cause });
@@ -11,10 +12,10 @@ export class OpenClassifyNormalizationError extends Error {
     }
 }
 // Short-circuit gates are intrinsic to specific stock signals — not configured
-// per-manifest. preflight.final_reply ⇒ answer; security.decision in
-// {block, needs_review} ⇒ block / needs_review. Order matters: preflight is
+// per-manifest. preflight.final_reply ⇒ reply; confident high_risk or unknown
+// prompt-injection risk ⇒ block. Order matters: preflight is
 // cheaper to evaluate, so we check it first.
-const SHORT_CIRCUIT_GATES = ["preflight", "security"];
+const SHORT_CIRCUIT_GATES = ["preflight", "prompt_injection"];
 export async function classifyOpenClassifyInput(input, options) {
     let request;
     try {
@@ -36,7 +37,7 @@ export async function classifyOpenClassifyInput(input, options) {
     const classifierInput = toClassifierInput(request);
     const classifierTimeoutMs = options.classifierTimeoutMs ?? DEFAULT_CLASSIFIER_TIMEOUT_MS;
     const classifierRetryCount = options.classifierRetryCount ?? DEFAULT_CLASSIFIER_RETRY_COUNT;
-    const threshold = options.aggregator?.confidenceThreshold ?? 0.6;
+    const threshold = certaintyThreshold(options.aggregator);
     const runs = new Map(CLASSIFIER_NAMES.map((name) => [
         name,
         runClassifierWithRetry(name, classifierInput, options.runClassifier, controller.signal, classifierTimeoutMs, classifierRetryCount),
@@ -65,6 +66,10 @@ export async function classifyOpenClassifyInput(input, options) {
             input: classifierInput,
             config: options.aggregator,
         });
+        const certaintyGate = certaintyGateBlock(options.aggregator, results);
+        if (certaintyGate) {
+            return buildCertaintyGateBlockResult(request, envelope, results, meta, certaintyGate);
+        }
         return buildRouteResult(request, envelope, results, meta);
     }
     finally {
@@ -72,38 +77,67 @@ export async function classifyOpenClassifyInput(input, options) {
     }
 }
 function shortCircuitVerdict(gate, result, threshold) {
-    const confidence = result.confidence ?? 0;
-    if (confidence < threshold)
+    const score = scoreCertainty(result.certainty);
+    if (score < threshold)
         return null;
     if (gate === "preflight") {
         const preflight = result;
         if (preflight.final_reply !== undefined) {
-            return { kind: "answer", final_reply: preflight.final_reply };
+            return { kind: "reply", final_reply: preflight.final_reply };
         }
         return null;
     }
-    if (gate === "security") {
-        const security = result;
-        if (security.decision === "block") {
+    if (gate === "prompt_injection") {
+        const promptInjection = result;
+        if (promptInjection.risk_level === "high_risk" || promptInjection.risk_level === "unknown") {
+            const promptInjectionSignal = extractPromptInjection(promptInjection);
             return {
                 kind: "block",
-                safety: extractSafety(security),
-            };
-        }
-        if (security.decision === "needs_review") {
-            return {
-                kind: "needs_review",
-                safety: extractSafety(security),
+                prompt_injection: promptInjectionSignal,
+                reason: {
+                    kind: "prompt_injection",
+                    risk_level: promptInjectionSignal.risk_level,
+                },
             };
         }
     }
     return null;
 }
-function extractSafety(value) {
+function certaintyGateBlock(config, results) {
+    const mode = config?.certaintyGate ?? DEFAULT_CERTAINTY_GATE;
+    if (mode === "off")
+        return undefined;
+    const threshold = certaintyThreshold(config);
+    const classifier_scores = classifierScores(results);
+    const scores = Object.values(classifier_scores);
+    const score = mode === "min_score"
+        ? Math.min(...scores)
+        : scores.reduce((sum, value) => sum + value, 0) / scores.length;
+    if (score >= threshold)
+        return undefined;
+    return {
+        kind: "low_certainty",
+        mode,
+        threshold,
+        score,
+        classifier_scores,
+        low_classifiers: Object.entries(classifier_scores)
+            .filter(([, value]) => value < threshold)
+            .map(([name]) => name),
+    };
+}
+function classifierScores(results) {
+    return Object.fromEntries(REGISTRY.map((manifest) => [
+        manifest.name,
+        scoreCertainty(results[manifest.name]?.certainty),
+    ]));
+}
+function scoreCertainty(certainty) {
+    return certainty === undefined ? 0 : certaintyScore[certainty];
+}
+function extractPromptInjection(value) {
     return {
-        ...(value.decision === undefined ? {} : { decision: value.decision }),
         risk_level: value.risk_level,
-        signals: value.signals,
     };
 }
 function buildShortCircuitResult(name, verdict, settled, target_message_hash) {
@@ -116,13 +150,13 @@ function buildShortCircuitResult(name, verdict, settled, target_message_hash) {
     };
     const meta = { classifiers: { [name]: entry } };
     const classifier_outputs = classifierCustomOutputs({ [name]: value });
-    if (verdict.kind === "answer") {
+    if (verdict.kind === "reply") {
         const preflight = value;
         return {
-            action: "answer",
+            action: "reply",
             message_id: target_message_hash,
-            final_reply: verdict.final_reply,
-            reason: "already_answered",
+            reply: { text: verdict.final_reply.reply },
+            reason: "preflight_reply",
             classifier_outputs,
             audit: {
                 fired_by: name,
@@ -131,34 +165,15 @@ function buildShortCircuitResult(name, verdict, settled, target_message_hash) {
             },
         };
     }
-    if (verdict.kind === "needs_review") {
-        return {
-            action: "needs_review",
-            message_id: target_message_hash,
-            fired_by: name,
-            reason: {
-                risk_level: verdict.safety.risk_level,
-                signals: verdict.safety.signals,
-            },
-            classifier_outputs,
-            audit: {
-                fired_by: name,
-                safety: verdict.safety,
-                meta,
-            },
-        };
-    }
     return {
         action: "block",
         message_id: target_message_hash,
-        reason: {
-            risk_level: verdict.safety.risk_level,
-            signals: verdict.safety.signals,
-        },
+        fired_by: name,
+        reason: verdict.reason,
         classifier_outputs,
         audit: {
             fired_by: name,
-            safety: verdict.safety,
+            prompt_injection: verdict.prompt_injection,
             meta,
         },
     };
@@ -199,6 +214,21 @@ function buildRouteResult(request, envelope, results, meta) {
         },
     };
 }
+function buildCertaintyGateBlockResult(request, envelope, results, meta, certaintyGate) {
+    return {
+        action: "block",
+        message_id: request.target_message_hash,
+        fired_by: "certainty_gate",
+        reason: certaintyGate,
+        classifier_outputs: classifierCustomOutputs(results),
+        audit: {
+            ...envelope,
+            fired_by: "certainty_gate",
+            certainty_gate: certaintyGate,
+            meta,
+        },
+    };
+}
 function classifierCustomOutputs(results) {
     const out = {};
     for (const manifest of REGISTRY) {

package/dist/src/stock-prompt.js

@@ -26,7 +26,7 @@ function stockSection(manifest) {
         allowed_tools: renderAllowedTools(manifest.tools),
         preflight_output: promptMarkdown("preflight-output.md"),
         routing_output: promptMarkdown("routing-output.md"),
-        security_output: promptMarkdown("security-output.md"),
+        prompt_injection_output: promptMarkdown("prompt-injection-output.md"),
         specialty: promptMarkdown("specialty.md"),
         tier: promptMarkdown("tier.md"),
         tools_output: promptMarkdown("tools-output.md"),