open-classify 0.5.0 → 0.6.0

package/dist/src/classifiers/{routing → model_tier}/manifest.json

@@ -1,11 +1,11 @@
 {
-  "name": "routing",
+  "name": "model_tier",
   "version": "1.0.0",
   "purpose": "Recommend the downstream model tier.",
   "dispatch_order": 20,
   "reserved_fields": ["model_tier"],
   "fallback": {
-    "reason": "Classifier failed; no routing signal.",
+    "reason": "Classifier failed; no model tier signal.",
     "certainty": "no_signal"
   }
 }

package/dist/src/classifiers/{routing → model_tier}/prompt.md

@@ -1,4 +1,4 @@
-You are the routing classifier for an AI assistant routing system.
+You are the model_tier classifier for an AI assistant routing system.
 
 Pick the coarse model tier that best fits the target user message. Emit only `model_tier`; do not infer specialization, tools, or prompt-injection risk — other classifiers own those axes.
 

package/dist/src/classifiers/preflight/manifest.json

@@ -1,29 +1,30 @@
 {
   "name": "preflight",
-  "version": "1.0.0",
-  "purpose": "Determine whether the latest message can be answered immediately or should continue downstream.",
+  "version": "1.1.0",
+  "purpose": "Assess whether the latest message can be answered immediately (final_reply) or should route downstream with an acknowledgement (ack_reply). Always emits exactly one.",
   "dispatch_order": 10,
   "reserved_fields": ["final_reply", "ack_reply"],
   "output_schema": {
     "examples": [
       {
-        "reason": "Greeting.",
+        "reason": "Simple greeting — answerable directly.",
         "certainty": "near_certain",
         "final_reply": { "text": "Hi!" }
       },
       {
-        "reason": "Trivial arithmetic.",
+        "reason": "Trivial arithmetic — answerable directly.",
         "certainty": "very_strong",
         "final_reply": { "text": "4" }
       },
       {
-        "reason": "Generated writing task.",
+        "reason": "Code review task requires substantive downstream work.",
         "certainty": "very_strong",
-        "ack_reply": { "text": "On it." }
+        "ack_reply": { "text": "On it — reviewing the code now." }
       },
       {
-        "reason": "Ambiguous; needs downstream model.",
-        "certainty": "strong"
+        "reason": "Reminder request requires downstream action.",
+        "certainty": "strong",
+        "ack_reply": { "text": "Got it, I'll set that reminder for 3pm." }
       }
     ]
   },

package/dist/src/classifiers/preflight/prompt.md

@@ -1,10 +1,16 @@
 You are the preflight classifier for an AI assistant routing system.
 
-Decide whether the target user message can be answered immediately with a tiny terminal reply, or whether downstream work should continue (optionally with a brief acknowledgement).
+Your primary task is to assess: **can you fully answer the target message yourself**, given the conversation history? Make this judgment first — the reply text follows from it.
 
-- Emit `final_reply` only for tiny terminal answers like greetings, thanks, spelling lookups, and simple arithmetic. The reply text IS the complete answer to the user — nothing else happens after this.
-- Emit `ack_reply` when downstream work should continue and a brief acknowledgement would help (drafting, analysis, coding, research). The text must not contain the answer.
-- Omit both fields when the request is ambiguous or no acknowledgement is useful.
-- Do not address the user anywhere except inside `final_reply.text` or `ack_reply.text`.
+**Step 1 — assess whether you can fully answer:**
+Ask yourself: Is the intent clear? Is the answer fully derivable from context right now, without real-time data, external tools, code execution, non-trivial generation, analysis, or judgment? Would a one-sentence reply genuinely resolve the request?
+
+If yes → emit `final_reply` with the complete answer.
+
+If no (the downstream model should handle it) → emit `ack_reply` with a brief, contextually specific acknowledgement that shows you understood the request. The ack must reflect the actual request — not a generic "On it." — so the user knows their message was understood while the model works.
 
-If answering would require non-trivial generation, analysis, or judgment, do not use `final_reply`. Use `ack_reply` (or omit both) and let the downstream model produce the answer.
+**Rule: always emit exactly one of `final_reply` or `ack_reply`. Never emit both. Never emit neither.**
+
+- `final_reply` is for tiny terminal answers only: greetings, thanks, spelling lookups, simple arithmetic, yes/no factual questions answerable from context. If answering requires drafting, rewriting, analysis, coding, research, planning, or any substantive generation — use `ack_reply` instead.
+- `ack_reply` text must not contain the answer. It acknowledges the request and confirms it is being worked on.
+- Do not address the user anywhere except inside `final_reply.text` or `ack_reply.text`.

package/dist/src/classifiers/prompt_injection/manifest.json

@@ -9,8 +9,7 @@
     "required": ["risk_level"]
   },
   "fallback": {
-    "reason": "Classifier failed; prompt-injection risk is unknown.",
-    "certainty": "no_signal",
-    "risk_level": "unknown"
+    "reason": "Classifier failed; prompt-injection risk could not be assessed.",
+    "certainty": "no_signal"
   }
 }

package/dist/src/classify.d.ts

@@ -1,6 +1,6 @@
 import { type RunClassifier } from "./classifiers.js";
 import { type OpenClassifyConfig } from "./config.js";
-import type { AggregatorConfig, Catalog, InspectResult, PipelineResult } from "./manifest.js";
+import type { Catalog, InspectResult, PipelineResult } from "./manifest.js";
 import type { OpenClassifyInput } from "./types.js";
 export type Classifier = (input: OpenClassifyInput, options?: {
     signal?: AbortSignal;
@@ -25,6 +25,5 @@ export interface CreateClassifierOptions {
     classifierTimeoutMs?: number;
     classifierRetryCount?: number;
     maxConcurrency?: number;
-    aggregator?: AggregatorConfig;
 }
 export declare function createClassifier(options?: CreateClassifierOptions): OpenClassify;

package/dist/src/classify.js

@@ -28,7 +28,6 @@ export function createClassifier(options = {}) {
         });
     const catalog = options.catalog ??
         loadCatalog(options.catalogPath ?? fileConfig?.catalog ?? OLLAMA_DEFAULT_CATALOG_PATH);
-    const aggregator = options.aggregator ?? fileConfig?.aggregator;
     let resourceCheck;
     const ensureResources = async () => {
         if (!needsResourceCheck)
@@ -47,7 +46,6 @@ export function createClassifier(options = {}) {
             classifierTimeoutMs: options.classifierTimeoutMs,
             classifierRetryCount: options.classifierRetryCount,
             maxConcurrency: options.maxConcurrency,
-            aggregator,
             signal: callOptions?.signal,
         });
     };

package/dist/src/config.d.ts

@@ -1,10 +1,8 @@
 import { type ClassifierName } from "./classifiers.js";
-import { type AggregatorConfig } from "./manifest.js";
 export declare const DEFAULT_OPEN_CLASSIFY_CONFIG_PATH = "open-classify.config.json";
 export interface OpenClassifyConfig {
     readonly runner?: OllamaRunnerConfig;
     readonly catalog?: string;
-    readonly aggregator?: AggregatorConfig;
 }
 export interface OllamaRunnerConfig {
     readonly provider: "ollama";

package/dist/src/config.js

@@ -30,25 +30,10 @@ export function validateOpenClassifyConfig(value, path = "open-classify config")
     if (!isRecord(value)) {
         throwConfig(path, "config must be a JSON object");
     }
-    ensureAllowedKeys(value, ["runner", "catalog", "aggregator"], path, "<root>");
+    ensureAllowedKeys(value, ["runner", "catalog"], path, "<root>");
     return {
         ...(value.runner === undefined ? {} : { runner: validateRunner(value.runner, path) }),
         ...(value.catalog === undefined ? {} : { catalog: requireString(value.catalog, path, "catalog") }),
-        ...(value.aggregator === undefined ? {} : { aggregator: validateAggregator(value.aggregator, path) }),
-    };
-}
-function validateAggregator(value, path) {
-    if (!isRecord(value)) {
-        throwConfig(path, "aggregator must be an object");
-    }
-    ensureAllowedKeys(value, ["certaintyThreshold", "confidenceThreshold"], path, "aggregator");
-    return {
-        ...(value.certaintyThreshold === undefined
-            ? {}
-            : { certaintyThreshold: requireUnitFloat(value.certaintyThreshold, path, "aggregator.certaintyThreshold") }),
-        ...(value.confidenceThreshold === undefined
-            ? {}
-            : { confidenceThreshold: requireUnitFloat(value.confidenceThreshold, path, "aggregator.confidenceThreshold") }),
     };
 }
 function validateRunner(value, path) {
@@ -118,13 +103,6 @@ function requireNumber(value, path, field) {
     }
     return value;
 }
-function requireUnitFloat(value, path, field) {
-    const number = requireNumber(value, path, field);
-    if (number < 0 || number > 1) {
-        throwConfig(path, `${field} must be a finite number between 0 and 1 inclusive`);
-    }
-    return number;
-}
 function ensureAllowedKeys(value, allowedKeys, path, field) {
     const allowed = new Set(allowedKeys);
     for (const key of Object.keys(value)) {

package/dist/src/index.js

@@ -1,8 +1,7 @@
 // Public barrel for the Open Classify package. Everything an external caller
 // would need — input types, enums, the registry, the pipeline, the Ollama
-// runner, the catalog loader, the aggregator's certainty threshold — is
-// re-exported here. The build emits a single `index.js` that downstream
-// consumers can import from `open-classify`.
+// runner, the catalog loader — is re-exported here. The build emits a single
+// `index.js` that downstream consumers can import from `open-classify`.
 export * from "./aggregator.js";
 export * from "./catalog.js";
 export * from "./classifiers.js";

package/dist/src/manifest.d.ts

@@ -1,9 +1,9 @@
-import type { AckReplySignal, ClassifierAuditOutput, ClassifierOutput, FinalReplySignal, PromptInjectionSignal, RoutingSignal, RuntimeClassifierManifest, ToolsSignal } from "./stock.js";
-import type { ClassifierInput, ClassifierRunStatus } from "./types.js";
-import type { DownstreamModelTier, ModelSpecialization } from "./enums.js";
+import type { RuntimeClassifierManifest } from "./stock.js";
+import type { ClassifierInput } from "./types.js";
+import type { DownstreamModelTier, ModelSpecialization, PromptInjectionRiskLevel } from "./enums.js";
 export type ClassifierName = string;
-export type ClassifierResults = Record<ClassifierName, ClassifierOutput>;
-export type RunClassifier = (name: ClassifierName, input: ClassifierInput, signal: AbortSignal) => Promise<ClassifierOutput>;
+export type ClassifierResults = Record<ClassifierName, import("./stock.js").ClassifierOutput>;
+export type RunClassifier = (name: ClassifierName, input: ClassifierInput, signal: AbortSignal) => Promise<import("./stock.js").ClassifierOutput>;
 export interface CatalogEntry {
     readonly id: string;
     readonly specializations: ReadonlyArray<ModelSpecialization>;
@@ -18,78 +18,33 @@ export interface Catalog {
     readonly models: ReadonlyArray<CatalogEntry>;
     readonly default: string;
 }
-export interface ModelRecommendationResolution {
-    readonly constraints_used: Partial<{
-        model_specialization: ModelSpecialization;
-        model_tier: DownstreamModelTier;
-    }>;
-    readonly constraints_dropped: ReadonlyArray<{
-        readonly axis: "model_specialization" | "model_tier";
-        readonly reason: "low_confidence" | "no_match_relaxed" | "default_fallback";
-    }>;
-    readonly confidences: Partial<{
-        routing: number;
-    }>;
-    readonly fell_back_to_default: boolean;
-}
-export interface ModelRecommendation {
-    readonly id: string;
-    readonly params_in_billions: number | null;
-    readonly context_window: number;
-    readonly input_tokens_cpm?: number;
-    readonly cached_tokens_cpm?: number;
-    readonly output_tokens_cpm?: number;
-    readonly resolution: ModelRecommendationResolution;
-}
-export interface Envelope {
-    readonly final_reply?: FinalReplySignal;
-    readonly ack_reply?: AckReplySignal;
-    readonly routing?: RoutingSignal;
-    readonly tools?: ToolsSignal;
-    readonly prompt_injection?: PromptInjectionSignal;
-    readonly classifier_outputs: ReadonlyArray<ClassifierAuditOutput>;
-    readonly model_recommendation: ModelRecommendation;
-}
 export type ClassifierPublicOutputs = Record<string, Record<string, unknown>>;
-export interface DownstreamTargetMessage {
-    readonly role: "user";
+export type PipelineAction = "route" | "block" | "reply";
+export type BlockReason = "prompt_injection" | "classification_error";
+export interface ReplySignal {
     readonly text: string;
-    readonly hash: string;
 }
-export interface DownstreamPayload {
-    readonly model_id: string;
-    readonly target_message: DownstreamTargetMessage;
-    readonly tools: ToolsSignal;
-}
-export type ClassifierEntry = ClassifierOutput & {
-    readonly status: ClassifierRunStatus;
-    readonly version: string;
-};
-export interface CertaintySummary {
-    readonly min: number;
-    readonly avg: number;
-}
-export interface PipelineMeta {
-    readonly classifiers: Record<string, ClassifierEntry>;
-    readonly certainty: CertaintySummary;
-}
-export interface PipelineAudit extends Envelope {
-    readonly meta: PipelineMeta;
-}
-export interface InspectResult {
+export interface PipelineResult {
+    readonly action: PipelineAction;
+    readonly block_reason?: BlockReason;
     readonly target_message_hash: string;
+    readonly model_id: string | null;
+    readonly tools: ReadonlyArray<string>;
+    readonly reply: ReplySignal | null;
+    readonly prompt_injection: {
+        readonly risk_level: PromptInjectionRiskLevel;
+    } | null;
+    readonly avg_certainty: number;
+    readonly min_certainty: number;
+    readonly failed_classifiers: ReadonlyArray<string>;
     readonly classifier_outputs: ClassifierPublicOutputs;
 }
-export interface PipelineResult {
-    readonly action: "route";
+export interface InspectResult {
     readonly target_message_hash: string;
-    readonly downstream: DownstreamPayload;
+    readonly message: {
+        readonly role: "assistant";
+        readonly text: string;
+    };
     readonly classifier_outputs: ClassifierPublicOutputs;
-    readonly audit: PipelineAudit;
-}
-export interface AggregatorConfig {
-    readonly certaintyThreshold?: number;
-    /** @deprecated Use certaintyThreshold. */
-    readonly confidenceThreshold?: number;
 }
 export type ClassifierRegistry = ReadonlyArray<RuntimeClassifierManifest>;

package/dist/src/pipeline.d.ts

@@ -1,5 +1,5 @@
 import { type RunClassifier } from "./classifiers.js";
-import type { AggregatorConfig, Catalog, InspectResult, PipelineResult } from "./manifest.js";
+import type { Catalog, InspectResult, PipelineResult } from "./manifest.js";
 import type { OpenClassifyInput } from "./types.js";
 export declare const DEFAULT_CLASSIFIER_TIMEOUT_MS = 15000;
 export declare const DEFAULT_CLASSIFIER_RETRY_COUNT = 1;
@@ -13,7 +13,6 @@ export interface ClassifyOptions {
     classifierTimeoutMs?: number;
     classifierRetryCount?: number;
     maxConcurrency?: number;
-    aggregator?: AggregatorConfig;
     signal?: AbortSignal;
 }
 export interface InspectOptions {

package/dist/src/pipeline.js

@@ -1,7 +1,6 @@
-import { composeEnvelope } from "./aggregator.js";
+import { assembleResult, buildPublicOutputs } from "./aggregator.js";
 import { MODULES_BY_NAME, REGISTRY, } from "./classifiers.js";
 import { normalizeOpenClassifyInput, toClassifierInput } from "./input.js";
-import { certaintyScore } from "./stock.js";
 export const DEFAULT_CLASSIFIER_TIMEOUT_MS = 15_000;
 export const DEFAULT_CLASSIFIER_RETRY_COUNT = 1;
 export const DEFAULT_MAX_CONCURRENCY = 7;
@@ -12,22 +11,27 @@ export class OpenClassifyNormalizationError extends Error {
     }
 }
 export async function classifyOpenClassifyInput(input, options) {
-    const { request, results, meta } = await runPipeline(input, "user", options);
-    const classifierInput = toClassifierInput(request);
-    const envelope = composeEnvelope({
-        registry: filteredRegistry("user"),
+    const { request, results, failedClassifiers } = await runPipeline(input, "user", options);
+    const reg = filteredRegistry("user");
+    const assembled = assembleResult({
+        registry: reg,
         results,
+        failedClassifiers,
         catalog: options.catalog,
-        input: classifierInput,
-        config: options.aggregator,
     });
-    return buildRouteResult(request, envelope, results, meta);
+    return {
+        ...assembled,
+        target_message_hash: request.target_message_hash,
+    };
 }
 export async function inspectOpenClassifyInput(input, options) {
     const { request, results } = await runPipeline(input, "assistant", options);
+    const reg = filteredRegistry("assistant");
+    const lastMsg = request.messages[request.messages.length - 1];
     return {
         target_message_hash: request.target_message_hash,
-        classifier_outputs: classifierPublicOutputs(filteredRegistry("assistant"), results),
+        message: { role: "assistant", text: lastMsg.text },
+        classifier_outputs: buildPublicOutputs(reg, results),
     };
 }
 async function runPipeline(input, role, options) {
@@ -52,15 +56,12 @@ async function runPipeline(input, role, options) {
     const classifierTimeoutMs = options.classifierTimeoutMs ?? DEFAULT_CLASSIFIER_TIMEOUT_MS;
     const classifierRetryCount = options.classifierRetryCount ?? DEFAULT_CLASSIFIER_RETRY_COUNT;
     const maxConcurrency = resolveMaxConcurrency(options.maxConcurrency);
-    // REGISTRY is already sorted by `dispatch_order` ascending. Filter by
-    // applies_to so we only dispatch classifiers relevant to this role; the
-    // worker pool then runs them in the remaining order.
     const registry = filteredRegistry(role);
     const queue = registry.map((m) => m.name);
     try {
         const settled = await runWithConcurrency(queue, maxConcurrency, controller.signal, (name) => runClassifierWithRetry(name, classifierInput, options.runClassifier, controller.signal, classifierTimeoutMs, classifierRetryCount));
-        const { results, meta } = collectFullEntries(settled, registry);
-        return { request, results, meta };
+        const { results, failedClassifiers } = collectResults(settled);
+        return { request, results, failedClassifiers };
     }
     finally {
         options.signal?.removeEventListener("abort", abortFromOptions);
@@ -91,9 +92,6 @@ async function runWithConcurrency(names, maxConcurrency, signal, start) {
                 return;
             const name = names[i];
             if (signal.aborted) {
-                // Queued classifiers that never started are reported as not-run so
-                // the audit shows their fallback in `meta.classifiers`. In-flight
-                // classifiers receive the abort signal directly and resolve normally.
                 results[i] = {
                     ok: false,
                     name,
@@ -109,71 +107,16 @@ async function runWithConcurrency(names, maxConcurrency, signal, start) {
     await Promise.all(Array.from({ length: workerCount }, () => worker()));
     return results;
 }
-function collectFullEntries(settled, registry) {
+function collectResults(settled) {
     const results = {};
-    const classifiers = {};
+    const failedClassifiers = [];
     for (const s of settled) {
         const manifest = MODULES_BY_NAME[s.name];
-        const value = s.ok ? s.value : manifest.fallback;
-        results[s.name] = value;
-        classifiers[s.name] = {
-            ...value,
-            status: classifierRunStatus(s),
-            version: manifest.version,
-        };
+        results[s.name] = s.ok ? s.value : manifest.fallback;
+        if (!s.ok)
+            failedClassifiers.push(s.name);
     }
-    return { results, meta: { classifiers, certainty: certaintySummary(results, registry) } };
-}
-function certaintySummary(results, registry) {
-    const scores = registry.map((m) => scoreCertainty(results[m.name]?.certainty));
-    if (scores.length === 0)
-        return { min: 0, avg: 0 };
-    const min = Math.min(...scores);
-    const avg = scores.reduce((sum, v) => sum + v, 0) / scores.length;
-    return { min, avg };
-}
-function scoreCertainty(certainty) {
-    return certainty === undefined ? 0 : certaintyScore[certainty];
-}
-function buildRouteResult(request, envelope, results, meta) {
-    const downstream = {
-        model_id: envelope.model_recommendation.id,
-        target_message: {
-            role: "user",
-            text: request.text,
-            hash: request.target_message_hash,
-        },
-        tools: envelope.tools ?? { tools: [] },
-    };
-    return {
-        action: "route",
-        target_message_hash: request.target_message_hash,
-        downstream,
-        classifier_outputs: classifierPublicOutputs(filteredRegistry("user"), results),
-        audit: {
-            ...envelope,
-            meta,
-        },
-    };
-}
-// Expose each classifier's payload — every output field except `reason` and
-// `certainty`. Iterates the supplied registry so we only surface classifiers
-// that actually ran for this role.
-function classifierPublicOutputs(registry, results) {
-    const out = {};
-    for (const manifest of registry) {
-        const result = results[manifest.name];
-        if (result === undefined)
-            continue;
-        out[manifest.name] = stripMetadata(result);
-    }
-    return out;
-}
-function stripMetadata(output) {
-    const { reason, certainty, ...payload } = output;
-    void reason;
-    void certainty;
-    return payload;
+    return { results, failedClassifiers };
 }
 async function runClassifierWithRetry(name, input, runClassifier, rootSignal, timeoutMs, retryCount) {
     let lastError = new Error(`${name} classifier did not run`);
@@ -219,16 +162,6 @@ async function runClassifierAttempt(name, input, runClassifier, rootSignal, time
             rootSignal.removeEventListener("abort", abortAttempt);
     }
 }
-function classifierRunStatus(settled) {
-    if (settled.ok)
-        return { ok: true, source: "model" };
-    return {
-        ok: false,
-        source: "fallback",
-        reason: settled.reason,
-        error: errorMessage(settled.error),
-    };
-}
 function errorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }

package/dist/src/stock-validation.js

@@ -212,10 +212,14 @@ function validateFallback(raw, composedSchema, classifier, model) {
     if (!isRecord(raw)) {
         throwInvalid(classifier, model, "fallback must be a JSON object");
     }
-    // Fallback represents the "I have no signal" state, so reserved fields are
-    // optional. The composed schema already marks them optional except for
-    // reason/certainty.
-    const validate = ajv.compile(composedSchema);
+    // Fallback is the "no signal" state: only reason and certainty are required.
+    // Strip any custom `required` entries beyond those two so that reserved fields
+    // and output_schema.required fields don't force the fallback to emit values
+    // it cannot meaningfully provide when the classifier has failed.
+    const fallbackSchema = isRecord(composedSchema)
+        ? { ...composedSchema, required: ["reason", "certainty"] }
+        : composedSchema;
+    const validate = ajv.compile(fallbackSchema);
     if (!validate(raw)) {
         const message = formatSchemaErrors(validate.errors, "fallback");
         throwInvalid(classifier, model, `fallback is invalid: ${message}`);

package/docs/adding-a-classifier.md

@@ -71,7 +71,7 @@ Rules:
 - `name` must match the directory name.
 - Reserved field names cannot appear in `output_schema.properties`; declare them in `reserved_fields` instead.
 - `reason` and `certainty` are added to the composed schema by the runtime — don't declare them.
-- `fallback` must validate against the composed schema. Reserved fields are optional in fallback (a "no signal" fallback usually omits them).
+- `fallback` must validate against the composed schema. Only `reason` and `certainty` are required in fallback; reserved fields and `output_schema.required` fields are exempt (a "no signal" fallback usually omits them).
 - `output_schema.examples` (JSON Schema standard) must validate against the composed schema at load time, so a broken example fails the build, not the model call.
 
 See [manifests.md](manifests.md) for the full field list.
@@ -107,7 +107,7 @@ const result = await classify(input);
 const tags = result.classifier_outputs.topic_tags?.tags ?? [];
 ```
 
-`result.audit.classifier_outputs[]` carries the same data with `reason` and `certainty` attached if you need to inspect them.
+`classifier_outputs[name]` includes all payload fields plus `reason` (string) and `certainty` (float).
 
 ## Targeting the assistant response
 
@@ -117,7 +117,7 @@ Classifiers run against the user message by default. To run a classifier against
 - `"assistant"` — only `inspect()` runs it.
 - `"both"` — both passes run it.
 
-Use `inspect()` from `createClassifier()` for the assistant-side pass. It returns a lean shape (`target_message_hash` + `classifier_outputs`) — no routing, no audit envelope. The built-in `prompt_injection` ships tagged `"both"` so it runs on both sides.
+Use `inspect()` from `createClassifier()` for the assistant-side pass. It returns a lean shape: `target_message_hash`, the `message` that was inspected, and `classifier_outputs`. No routing, no action, no block logic.
 
 ```ts
 const { inspect } = createClassifier({ catalog });
@@ -130,6 +130,8 @@ const post = await inspect({
 const risk = post.classifier_outputs.prompt_injection?.risk_level;
 ```
 
+The built-in `prompt_injection` ships tagged `"both"` so it runs on both sides.
+
 ## Choosing the classifier model
 
 For apps and OSS installs, prefer `open-classify.config.json`:

package/docs/manifests.md

@@ -17,7 +17,7 @@ The loader skips any top-level directory whose name starts with `_` (those are s
 | Field | Required | Description |
 |---|---|---|
 | `name` | yes | Classifier id. Must match the directory name. |
-| `version` | yes | Contract version surfaced in `meta.classifiers[name].version`. |
+| `version` | yes | Contract version string for this classifier. |
 | `purpose` | yes | Human-readable description of the classifier's job. Treated as a hard scope boundary in the prompt. |
 | `dispatch_order` | no | Non-negative integer scheduling priority. Lower runs first. Omit to schedule this classifier last (treated as +Infinity). Duplicate names are rejected; duplicate dispatch_orders are allowed and schedule adjacent. |
 | `applies_to` | no | One of `"user"`, `"assistant"`, `"both"`. Controls which pipeline pass the classifier participates in: `classify()` runs `"user"` + `"both"`; `inspect()` runs `"assistant"` + `"both"`. Defaults to `"user"`. |
@@ -34,12 +34,12 @@ Reserved fields are well-known output keys the aggregator knows how to consume.
 
 | Reserved field | Shape | What the aggregator does with it |
 |---|---|---|
-| `final_reply` | `{ text: string ≤200 chars }` | Surfaced in `audit.final_reply`; caller can return as the terminal reply |
-| `ack_reply` | `{ text: string ≤200 chars }` | Surfaced in `audit.ack_reply`; caller can show as an acknowledgement |
+| `final_reply` | `{ text: string ≤200 chars }` | Sets `result.action = "reply"` and `result.reply`; caller returns it as the terminal reply |
+| `ack_reply` | `{ text: string ≤200 chars }` | Sets `result.reply` (when action is `"route"`); caller shows it as an acknowledgement while downstream works |
 | `model_tier` | one of `DOWNSTREAM_MODEL_TIER_VALUES` | Soft constraint for catalog resolver |
 | `model_specialization` | one of `MODEL_SPECIALIZATION_VALUES` | Soft constraint for catalog resolver |
-| `tools` | array of allowed tool ids | Sets `downstream.tools` |
-| `risk_level` | one of `PROMPT_INJECTION_RISK_LEVEL_VALUES` | Surfaced in `audit.prompt_injection` |
+| `tools` | array of allowed tool ids | Sets `result.tools` |
+| `risk_level` | one of `PROMPT_INJECTION_RISK_LEVEL_VALUES` | Surfaced in `result.prompt_injection`; `"high_risk"` or `"unknown"` triggers `action: "block"` |
 
 `final_reply` and `ack_reply` are mutually exclusive — a single output may contain at most one.
 
@@ -49,7 +49,7 @@ When multiple classifiers emit the same reserved field, the highest-certainty co
 
 ```json
 {
-  "name": "routing",
+  "name": "model_tier",
   "version": "1.0.0",
   "purpose": "Recommend the downstream model tier.",
   "dispatch_order": 20,