feat(model-tier+branch-dna): activate cost router + give branches DNA

Phase 4 of substrate-unified-registry: turn on the existing
kei-model-router by changing manifest defaults from `model = "opus"`
to `model = "sonnet"` for routine agents, and give every git branch
a deterministic DNA in the kei-status dashboard.

The model-tier system was BUILT (`_primitives/_rust/kei-model-router/`
crate with Beta posterior, complexity τ-estimator, escalate ladder,
calibrate subcommand) and the advisor hook
(`~/.claude/hooks/model-router-advisor.sh`) was REGISTERED. But every
ledger row from this session ran on Opus because:
  1. All 38 manifests hard-coded `model = "opus"` → no chance for the
     router to recommend cheaper.
  2. The orchestrator (me) ignored the stderr advisory.

This commit closes (1). (2) is a behavioural change tracked separately.

Manifest reclassification (4 Opus + 34 Sonnet):
  Opus (hard reasoning):
    - architect            (system-design synthesis)
    - ml-implementer       (Math-First paradigm)
    - ml-researcher        (literature analysis)
    - security-auditor     (deep risk synthesis)
  Sonnet (everything else):
    - 8 code-implementer-* + code-implementer
    - 5 critic-* + critic
    - 6 infra-implementer-* + infra-implementer
    - 4 researcher-* + researcher
    - 6 validator-* + validator
    - 3 security-auditor-{differential,supply-chain,variant}
    - cost-guardian, fal-ai-runner, frontend-validator, modal-runner

Regenerated all 38 `_generated/*.md` so the YAML frontmatter `model:`
field matches the manifest.

Branch DNA (kei-registry status):
  - New `compute_branch_dna(name, commit_sha)` in `status.rs`. Format
    `branch::<sha8(name)>::<sha8(commit)>`, mirrors kei-shared
    DNA wire layout `<role>::<caps>::<scope_sha8>::<body_sha8>`.
  - Deterministic — same `(name, commit)` → same DNA. Changes when
    either changes. No DB persistence: the underlying truth lives in
    `.git/refs/heads/<name>`.
  - 3 new unit tests cover format, determinism, name-change, commit-
    change. `cargo test status::tests` → 10 passed.

`kei-registry status` output now shows DNA prefix per branch alongside
ahead/behind, last commit. Combined with existing per-block DNA in the
[Blocks] and [Path Atoms] sections + `dna` column on `agents` table in
kei-ledger, every artefact in the dashboard has an identifier:

  Atoms (incl path-atoms)  → atom::<caps>::<scope>::<body>     (registry)
  Skills/Rules/Hooks/Prim  → <role>::<caps>::<scope>::<body>   (registry)
  Agent forks              → row.dna in agents table           (ledger)
  Local branches           → branch::<sha8>::<sha8>       (computed)

What this does NOT do:
- No outcome backfill — the 205 NULL outcomes in ledger still prevent
  the Beta posterior from learning. Router falls back to top-tier
  until ≥1 datapoint per (task_class, model) accumulates. Tracked as
  follow-up.
- No post-checkout hook to auto-register branches in kei-ledger. Live
  shell-out to `git for-each-ref` is fast enough for the dashboard;
  persistence buys nothing the .git tree doesn't already give.

=== STATUS-TRUTH MARKER ===
shipped: functional
stubs: 0
cargo-check: PASS
behaviour-verified: yes
follow-up-required:
  - Outcome backfill hook (writes outcome to ledger after agent done)
  - User /model claude-sonnet-4-6 for current session (5x cheaper)
  - Push the orchestrator (me) to read advisor stderr in real-time

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

_generated/code-implementer-flutter.md

@@ -2,7 +2,7 @@
 name: code-implementer-flutter
 description: Flutter / Dart implementation specialist. Riverpod state, Clean Architecture, multi-platform apps.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/code-implementer-flutter.toml — DO NOT EDIT. Edit the manifest. -->

_generated/code-implementer-go.md

@@ -2,7 +2,7 @@
 name: code-implementer-go
 description: Go implementation specialist. Mesh networking, lightweight CLI, embedded servers. Constructor Pattern enforced.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/code-implementer-go.toml — DO NOT EDIT. Edit the manifest. -->

_generated/code-implementer-python.md

@@ -2,7 +2,7 @@
 name: code-implementer-python
 description: Python implementation specialist. Use only when RULE 0.2 exception #N is stated. Default to delegating Rust.
 tools: Glob, Grep, Read, Edit, Write, Bash, NotebookEdit, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/code-implementer-python.toml — DO NOT EDIT. Edit the manifest. -->

_generated/code-implementer-rust.md

@@ -2,7 +2,7 @@
 name: code-implementer-rust
 description: Rust implementation specialist (Cargo, traits, async/tokio, rusqlite, tests). RULE 0.2 default language. Constructor Pattern enforced. Hands off other languages to siblings.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/code-implementer-rust.toml — DO NOT EDIT. Edit the manifest. -->

_generated/code-implementer-swift.md

@@ -2,7 +2,7 @@
 name: code-implementer-swift
 description: Swift / SwiftUI / SPM implementation specialist. macOS menubar / iOS apps. Constructor Pattern enforced.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/code-implementer-swift.toml — DO NOT EDIT. Edit the manifest. -->

_generated/code-implementer-typescript.md

@@ -2,7 +2,7 @@
 name: code-implementer-typescript
 description: TypeScript implementation specialist. Next.js 16 / Node / browser. Type-safe API contracts.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/code-implementer-typescript.toml — DO NOT EDIT. Edit the manifest. -->

_generated/code-implementer.md

@@ -2,7 +2,7 @@
 name: code-implementer
 description: Generic implementation specialist for Rust/Swift/Python/Go/Flutter/TypeScript. Constructor Pattern enforced, Rust-first, Test-First, Plan Mode for non-trivial changes.
 tools: Glob, Grep, Read, Edit, Write, Bash, NotebookEdit, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/code-implementer.toml — DO NOT EDIT. Edit the manifest. -->

_generated/cost-guardian.md

@@ -2,7 +2,7 @@
 name: cost-guardian
 description: api-cost-guard.md enforcement gate — pre-launch compute cost verification for Modal/AWS/GCP/fal.ai/Apify/ElevenLabs. Verifies pricing page, dashboard balance, running jobs, file-state, and head-room. Read-only — emits GO/NO-GO recommendation BEFORE money is spent.
 tools: Glob, Grep, Read, Bash, WebFetch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/cost-guardian.toml — DO NOT EDIT. Edit the manifest. -->

_generated/critic-anti-pattern.md

@@ -2,7 +2,7 @@
 name: critic-anti-pattern
 description: Detects code anti-patterns: god classes, deep inheritance, shotgun surgery, primitive obsession. Read-only.
 tools: Glob, Grep, Read
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/critic-anti-pattern.toml — DO NOT EDIT. Edit the manifest. -->

_generated/critic-bug.md

@@ -2,7 +2,7 @@
 name: critic-bug
 description: Detects bug patterns: off-by-one, error-swallowing, unchecked Result/Option, race conditions in shared state. Read-only.
 tools: Glob, Grep, Read
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/critic-bug.toml — DO NOT EDIT. Edit the manifest. -->

_generated/critic-perf.md

@@ -2,7 +2,7 @@
 name: critic-perf
 description: Detects performance traps: N+1 queries, allocator hot loops, blocking-in-async, unbounded retention. Read-only.
 tools: Glob, Grep, Read
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/critic-perf.toml — DO NOT EDIT. Edit the manifest. -->

_generated/critic-tech-debt.md

@@ -2,7 +2,7 @@
 name: critic-tech-debt
 description: Detects dead code, TODO/FIXME, version-skew, abandoned branches, stale dependencies. Read-only.
 tools: Glob, Grep, Read, Bash
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/critic-tech-debt.toml — DO NOT EDIT. Edit the manifest. -->

_generated/critic.md

@@ -2,7 +2,7 @@
 name: critic
 description: Ruthless code critic finding anti-patterns, tech debt, security issues, bugs, and performance traps. Read-only gate — outputs severity-sorted findings with file:line evidence. No fixes, only reports.
 tools: Glob, Grep, Read, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/critic.toml — DO NOT EDIT. Edit the manifest. -->

_generated/fal-ai-runner.md

@@ -2,7 +2,7 @@
 name: fal-ai-runner
 description: fal.ai image, video, and 3D generation expert. Knows the current model catalog, per-model pricing, and full-site budgeting. Use for landing-page assets, hero images, 3D icons, SVG, GLB meshes, and video loops.
 tools: Glob, Grep, Read, Edit, Bash, WebFetch, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/fal-ai-runner.toml — DO NOT EDIT. Edit the manifest. -->

_generated/frontend-validator.md

@@ -2,7 +2,7 @@
 name: frontend-validator
 description: Frontend continuous validator. Runs tsc --noEmit, eslint, kei-db-contract, optional visual snapshot. Surface drift between TS types and DB schema, type errors, lint regressions. Advisory by default.
 tools: Glob, Grep, Read, Bash
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/frontend-validator.toml — DO NOT EDIT. Edit the manifest. -->

_generated/infra-implementer-cicd.md

@@ -2,7 +2,7 @@
 name: infra-implementer-cicd
 description: CI/CD pipeline specialist. GitHub Actions, GitLab CI, build-and-deploy scripts. Constructor Pattern.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/infra-implementer-cicd.toml — DO NOT EDIT. Edit the manifest. -->

_generated/infra-implementer-container.md

@@ -2,7 +2,7 @@
 name: infra-implementer-container
 description: Containerization specialist. Dockerfile, OCI images, multi-stage builds, distroless.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/infra-implementer-container.toml — DO NOT EDIT. Edit the manifest. -->

_generated/infra-implementer-iac.md

@@ -2,7 +2,7 @@
 name: infra-implementer-iac
 description: Infrastructure-as-code specialist. Terraform, Pulumi, OpenTofu, CDK. Constructor Pattern (≤200 LOC per module).
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/infra-implementer-iac.toml — DO NOT EDIT. Edit the manifest. -->

_generated/infra-implementer-secrets.md

@@ -2,7 +2,7 @@
 name: infra-implementer-secrets
 description: Secrets management specialist. Vault integration, sops, age, env-var injection. RULE 0.8 enforcer.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/infra-implementer-secrets.toml — DO NOT EDIT. Edit the manifest. -->

_generated/infra-implementer.md

@@ -2,7 +2,7 @@
 name: infra-implementer
 description: Infrastructure code, deploys, CI/CD, secrets management, container/IaC. Per-project credential isolation, deploy-target guard enforcement, Self-Sufficiency Protocol, cost guard on paid compute.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/infra-implementer.toml — DO NOT EDIT. Edit the manifest. -->

_generated/modal-runner.md

@@ -2,7 +2,7 @@
 name: modal-runner
 description: Modal compute orchestrator. Pre-launch cost estimation, GPU compatibility check, single-variant verify, observability-first, and a hard anti-stop guard against stopping running training. Use for any Modal app launch, batch spawn, or job inspection.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/modal-runner.toml — DO NOT EDIT. Edit the manifest. -->

_generated/researcher-code.md

@@ -2,7 +2,7 @@
 name: researcher-code
 description: Codebase research specialist. Glob / Grep / Read only. E1-E6 grading.
 tools: Glob, Grep, Read
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/researcher-code.toml — DO NOT EDIT. Edit the manifest. -->

_generated/researcher-hybrid.md

@@ -2,7 +2,7 @@
 name: researcher-hybrid
 description: Hybrid web+code research orchestrator. Routes to researcher-web and researcher-code in parallel.
 tools: Glob, Grep, Read, WebFetch, WebSearch, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/researcher-hybrid.toml — DO NOT EDIT. Edit the manifest. -->

_generated/researcher-web.md

@@ -2,7 +2,7 @@
 name: researcher-web
 description: Web research specialist. WebFetch / WebSearch only. E1-E6 grading.
 tools: WebFetch, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/researcher-web.toml — DO NOT EDIT. Edit the manifest. -->

_generated/researcher.md

@@ -2,7 +2,7 @@
 name: researcher
 description: Generic web + codebase research with 3 modes (web / code / hybrid). Returns Evidence-Graded findings. Read-only. Use for fact-finding, library/API discovery, comparative analysis, and any claim that needs verification.
 tools: Glob, Grep, Read, WebFetch, WebSearch, Agent
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/researcher.toml — DO NOT EDIT. Edit the manifest. -->

_generated/security-auditor-differential.md

@@ -2,7 +2,7 @@
 name: security-auditor-differential
 description: 9-point differential security review. Auth bypass, injection, deserialization, race conditions. Read-only.
 tools: Glob, Grep, Read, WebFetch, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/security-auditor-differential.toml — DO NOT EDIT. Edit the manifest. -->

_generated/security-auditor-supply-chain.md

@@ -2,7 +2,7 @@
 name: security-auditor-supply-chain
 description: Supply-chain audit on new dependencies: maintainers, CVE history, transitive deps, native code. Read-only.
 tools: Glob, Grep, Read, Bash, WebFetch, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/security-auditor-supply-chain.toml — DO NOT EDIT. Edit the manifest. -->

_generated/security-auditor-variant.md

@@ -2,7 +2,7 @@
 name: security-auditor-variant
 description: Variant analysis after a vulnerability is found. Greps codebase for the same pattern. Read-only.
 tools: Glob, Grep, Read
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/security-auditor-variant.toml — DO NOT EDIT. Edit the manifest. -->

_generated/validator-api.md

@@ -2,7 +2,7 @@
 name: validator-api
 description: Verifies API existence and signatures. Reads docs, greps source, fetches OpenAPI / vendor reference. Read-only.
 tools: Glob, Grep, Read, WebFetch, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/validator-api.toml — DO NOT EDIT. Edit the manifest. -->

_generated/validator-benchmark.md

@@ -2,7 +2,7 @@
 name: validator-benchmark
 description: Verifies external benchmark claims (p50/p95/throughput). Read-only.
 tools: Glob, Grep, Read, WebFetch, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/validator-benchmark.toml — DO NOT EDIT. Edit the manifest. -->

_generated/validator-code-reality.md

@@ -2,7 +2,7 @@
 name: validator-code-reality
 description: Verifies behavioural claims against running code. Reads tests, traces, recent runs. Read-only.
 tools: Glob, Grep, Read, Bash
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/validator-code-reality.toml — DO NOT EDIT. Edit the manifest. -->

_generated/validator-doc.md

@@ -2,7 +2,7 @@
 name: validator-doc
 description: Verifies documentation claims against code reality. Read-only.
 tools: Glob, Grep, Read, WebFetch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/validator-doc.toml — DO NOT EDIT. Edit the manifest. -->

_generated/validator-version.md

@@ -2,7 +2,7 @@
 name: validator-version
 description: Verifies version compatibility (semver, MSRV, transitive deps). Read-only.
 tools: Glob, Grep, Read, Bash, WebFetch, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/validator-version.toml — DO NOT EDIT. Edit the manifest. -->

_generated/validator.md

@@ -2,7 +2,7 @@
 name: validator
 description: RULE 0.4 enforcement gate — fact-checker and hallucination detector. Verifies API existence, version compatibility, documentation claims, code reality, and external benchmarks. Read-only — emits VERIFIED / UNVERIFIED / FALSE / PARTIALLY TRUE per claim.
 tools: Glob, Grep, Read, WebFetch, WebSearch
-model: opus
+model: sonnet
 ---
 
 <!-- GENERATED by _assembler (Rust) from _manifests/validator.toml — DO NOT EDIT. Edit the manifest. -->

_manifests/code-implementer-flutter.toml

@@ -4,7 +4,7 @@
 name = "code-implementer-flutter"
 description = "Flutter / Dart implementation specialist. Riverpod state, Clean Architecture, multi-platform apps."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/code-implementer-go.toml

@@ -4,7 +4,7 @@
 name = "code-implementer-go"
 description = "Go implementation specialist. Mesh networking, lightweight CLI, embedded servers. Constructor Pattern enforced."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/code-implementer-python.toml

@@ -4,7 +4,7 @@
 name = "code-implementer-python"
 description = "Python implementation specialist. Use only when RULE 0.2 exception #N is stated. Default to delegating Rust."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "NotebookEdit", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/code-implementer-rust.toml

@@ -4,7 +4,7 @@
 name = "code-implementer-rust"
 description = "Rust implementation specialist (Cargo, traits, async/tokio, rusqlite, tests). RULE 0.2 default language. Constructor Pattern enforced. Hands off other languages to siblings."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/code-implementer-swift.toml

@@ -4,7 +4,7 @@
 name = "code-implementer-swift"
 description = "Swift / SwiftUI / SPM implementation specialist. macOS menubar / iOS apps. Constructor Pattern enforced."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/code-implementer-typescript.toml

@@ -4,7 +4,7 @@
 name = "code-implementer-typescript"
 description = "TypeScript implementation specialist. Next.js 16 / Node / browser. Type-safe API contracts."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/code-implementer.toml

@@ -5,7 +5,7 @@
 name = "code-implementer"
 description = "Generic implementation specialist for Rust/Swift/Python/Go/Flutter/TypeScript. Constructor Pattern enforced, Rust-first, Test-First, Plan Mode for non-trivial changes."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "NotebookEdit", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 produces_artifact = "patch"
 

_manifests/cost-guardian.toml

@@ -5,7 +5,7 @@
 name = "cost-guardian"
 description = "api-cost-guard.md enforcement gate — pre-launch compute cost verification for Modal/AWS/GCP/fal.ai/Apify/ElevenLabs. Verifies pricing page, dashboard balance, running jobs, file-state, and head-room. Read-only — emits GO/NO-GO recommendation BEFORE money is spent."
 tools = ["Glob", "Grep", "Read", "Bash", "WebFetch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/critic-anti-pattern.toml

@@ -4,7 +4,7 @@
 name = "critic-anti-pattern"
 description = "Detects code anti-patterns: god classes, deep inheritance, shotgun surgery, primitive obsession. Read-only."
 tools = ["Glob", "Grep", "Read"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/critic-bug.toml

@@ -4,7 +4,7 @@
 name = "critic-bug"
 description = "Detects bug patterns: off-by-one, error-swallowing, unchecked Result/Option, race conditions in shared state. Read-only."
 tools = ["Glob", "Grep", "Read"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/critic-perf.toml

@@ -4,7 +4,7 @@
 name = "critic-perf"
 description = "Detects performance traps: N+1 queries, allocator hot loops, blocking-in-async, unbounded retention. Read-only."
 tools = ["Glob", "Grep", "Read"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/critic-tech-debt.toml

@@ -4,7 +4,7 @@
 name = "critic-tech-debt"
 description = "Detects dead code, TODO/FIXME, version-skew, abandoned branches, stale dependencies. Read-only."
 tools = ["Glob", "Grep", "Read", "Bash"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/critic.toml

@@ -5,7 +5,7 @@
 name = "critic"
 description = "Ruthless code critic finding anti-patterns, tech debt, security issues, bugs, and performance traps. Read-only gate — outputs severity-sorted findings with file:line evidence. No fixes, only reports."
 tools = ["Glob", "Grep", "Read", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 produces_artifact = "review"
 

_manifests/fal-ai-runner.toml

@@ -5,7 +5,7 @@
 name = "fal-ai-runner"
 description = "fal.ai image, video, and 3D generation expert. Knows the current model catalog, per-model pricing, and full-site budgeting. Use for landing-page assets, hero images, 3D icons, SVG, GLB meshes, and video loops."
 tools = ["Glob", "Grep", "Read", "Edit", "Bash", "WebFetch", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/frontend-validator.toml

@@ -4,7 +4,7 @@
 name = "frontend-validator"
 description = "Frontend continuous validator. Runs tsc --noEmit, eslint, kei-db-contract, optional visual snapshot. Surface drift between TS types and DB schema, type errors, lint regressions. Advisory by default."
 tools = ["Glob", "Grep", "Read", "Bash"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/infra-implementer-cicd.toml

@@ -4,7 +4,7 @@
 name = "infra-implementer-cicd"
 description = "CI/CD pipeline specialist. GitHub Actions, GitLab CI, build-and-deploy scripts. Constructor Pattern."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-shared"
 
 role = """

_manifests/infra-implementer-container.toml

@@ -4,7 +4,7 @@
 name = "infra-implementer-container"
 description = "Containerization specialist. Dockerfile, OCI images, multi-stage builds, distroless."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-shared"
 
 role = """

_manifests/infra-implementer-iac.toml

@@ -4,7 +4,7 @@
 name = "infra-implementer-iac"
 description = "Infrastructure-as-code specialist. Terraform, Pulumi, OpenTofu, CDK. Constructor Pattern (≤200 LOC per module)."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-shared"
 
 role = """

_manifests/infra-implementer-secrets.toml

@@ -4,7 +4,7 @@
 name = "infra-implementer-secrets"
 description = "Secrets management specialist. Vault integration, sops, age, env-var injection. RULE 0.8 enforcer."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-shared"
 
 role = """

_manifests/infra-implementer.toml

@@ -5,7 +5,7 @@
 name = "infra-implementer"
 description = "Infrastructure code, deploys, CI/CD, secrets management, container/IaC. Per-project credential isolation, deploy-target guard enforcement, Self-Sufficiency Protocol, cost guard on paid compute."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/modal-runner.toml

@@ -5,7 +5,7 @@
 name = "modal-runner"
 description = "Modal compute orchestrator. Pre-launch cost estimation, GPU compatibility check, single-variant verify, observability-first, and a hard anti-stop guard against stopping running training. Use for any Modal app launch, batch spawn, or job inspection."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "edit-local"
 
 role = """

_manifests/researcher-code.toml

@@ -4,7 +4,7 @@
 name = "researcher-code"
 description = "Codebase research specialist. Glob / Grep / Read only. E1-E6 grading."
 tools = ["Glob", "Grep", "Read"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/researcher-hybrid.toml

@@ -4,7 +4,7 @@
 name = "researcher-hybrid"
 description = "Hybrid web+code research orchestrator. Routes to researcher-web and researcher-code in parallel."
 tools = ["Glob", "Grep", "Read", "WebFetch", "WebSearch", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/researcher-web.toml

@@ -4,7 +4,7 @@
 name = "researcher-web"
 description = "Web research specialist. WebFetch / WebSearch only. E1-E6 grading."
 tools = ["WebFetch", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/researcher.toml

@@ -5,7 +5,7 @@
 name = "researcher"
 description = "Generic web + codebase research with 3 modes (web / code / hybrid). Returns Evidence-Graded findings. Read-only. Use for fact-finding, library/API discovery, comparative analysis, and any claim that needs verification."
 tools = ["Glob", "Grep", "Read", "WebFetch", "WebSearch", "Agent"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/security-auditor-differential.toml

@@ -4,7 +4,7 @@
 name = "security-auditor-differential"
 description = "9-point differential security review. Auth bypass, injection, deserialization, race conditions. Read-only."
 tools = ["Glob", "Grep", "Read", "WebFetch", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "auditor"
 
 role = """

_manifests/security-auditor-supply-chain.toml

@@ -4,7 +4,7 @@
 name = "security-auditor-supply-chain"
 description = "Supply-chain audit on new dependencies: maintainers, CVE history, transitive deps, native code. Read-only."
 tools = ["Glob", "Grep", "Read", "Bash", "WebFetch", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "auditor"
 
 role = """

_manifests/security-auditor-variant.toml

@@ -4,7 +4,7 @@
 name = "security-auditor-variant"
 description = "Variant analysis after a vulnerability is found. Greps codebase for the same pattern. Read-only."
 tools = ["Glob", "Grep", "Read"]
-model = "opus"
+model = "sonnet"
 substrate_role = "auditor"
 
 role = """

_manifests/validator-api.toml

@@ -4,7 +4,7 @@
 name = "validator-api"
 description = "Verifies API existence and signatures. Reads docs, greps source, fetches OpenAPI / vendor reference. Read-only."
 tools = ["Glob", "Grep", "Read", "WebFetch", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/validator-benchmark.toml

@@ -4,7 +4,7 @@
 name = "validator-benchmark"
 description = "Verifies external benchmark claims (p50/p95/throughput). Read-only."
 tools = ["Glob", "Grep", "Read", "WebFetch", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/validator-code-reality.toml

@@ -4,7 +4,7 @@
 name = "validator-code-reality"
 description = "Verifies behavioural claims against running code. Reads tests, traces, recent runs. Read-only."
 tools = ["Glob", "Grep", "Read", "Bash"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/validator-doc.toml

@@ -4,7 +4,7 @@
 name = "validator-doc"
 description = "Verifies documentation claims against code reality. Read-only."
 tools = ["Glob", "Grep", "Read", "WebFetch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/validator-version.toml

@@ -4,7 +4,7 @@
 name = "validator-version"
 description = "Verifies version compatibility (semver, MSRV, transitive deps). Read-only."
 tools = ["Glob", "Grep", "Read", "Bash", "WebFetch", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 
 role = """

_manifests/validator.toml

@@ -5,7 +5,7 @@
 name = "validator"
 description = "RULE 0.4 enforcement gate — fact-checker and hallucination detector. Verifies API existence, version compatibility, documentation claims, code reality, and external benchmarks. Read-only — emits VERIFIED / UNVERIFIED / FALSE / PARTIALLY TRUE per claim."
 tools = ["Glob", "Grep", "Read", "WebFetch", "WebSearch"]
-model = "opus"
+model = "sonnet"
 substrate_role = "read-only"
 produces_artifact = "review"
 

_primitives/_rust/kei-registry/src/status.rs

@@ -48,6 +48,11 @@ pub struct BranchRow {
     pub ahead: u32,
     pub behind: u32,
     pub last_commit: String,
+    /// Deterministic DNA-style identifier for the branch. Format
+    /// `branch::git::<sha8(branch_name)>::<sha8(commit_sha)>`. Computed
+    /// on-the-fly from `(name, last_commit)` so it survives without DB
+    /// persistence — the underlying truth lives in `.git/refs/heads/<name>`.
+    pub dna: String,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
@@ -127,6 +132,26 @@ fn path_atom_rows(conn: &Connection) -> Result<Vec<PathAtomRow>> {
     Ok(rows)
 }
 
+/// Compute a deterministic DNA-style identifier for a git branch. Mirrors
+/// the kei-shared wire format `<role>::<caps>::<scope_sha8>::<body_sha8>`:
+/// role is fixed `branch`, caps is fixed `git`, scope_sha is the first 8
+/// hex chars of `sha256(branch_name)`, body_sha is the first 8 chars of
+/// the commit SHA (which is itself a SHA-1 prefix). The pair is unique
+/// per (name, head_commit) so the DNA changes on every commit, mirroring
+/// the immutable-content invariant atoms have.
+fn compute_branch_dna(name: &str, commit_sha: &str) -> String {
+    use sha2::{Digest, Sha256};
+    let mut h = Sha256::new();
+    h.update(name.as_bytes());
+    let name_sha = format!("{:x}", h.finalize());
+    let scope8 = &name_sha[..8];
+    let body8 = commit_sha
+        .get(..8)
+        .unwrap_or(commit_sha)
+        .to_ascii_lowercase();
+    format!("branch::git::{scope8}::{body8}")
+}
+
 /// Take the first three segments of a `<role>::<caps>::<scope_sha8>::...`
 /// DNA so the displayed prefix is readable but identifying.
 fn dna_prefix(dna: &str) -> String {
@@ -161,13 +186,16 @@ fn git_branches(repo: &Path) -> Result<Vec<BranchRow>> {
             Some(parts[1].to_string())
         };
         let (ahead, behind) = parse_track(parts[2]);
+        let last_commit = parts[3].to_string();
+        let dna = compute_branch_dna(&name, &last_commit);
         rows.push(BranchRow {
             current: current_branch.as_deref() == Some(&name),
             name,
             upstream,
             ahead,
             behind,
-            last_commit: parts[3].to_string(),
+            last_commit,
+            dna,
         });
     }
     Ok(rows)
@@ -261,8 +289,8 @@ pub fn render_ascii(s: &Status) -> String {
         };
         let upstream = b.upstream.as_deref().unwrap_or("(none)");
         out.push_str(&format!(
-            "  {} {:<40} → {:<25} {} @ {}\n",
+            "  {} {:<40} → {:<25} {} @ {}  {}\n",
-            marker, b.name, upstream, track, b.last_commit
+            marker, b.name, upstream, track, b.last_commit, dna_prefix(&b.dna)
         ));
     }
     out.push('\n');
@@ -327,6 +355,35 @@ mod tests {
         assert_eq!(dna_prefix(dna), "atom::md::1a771d51::…");
     }
 
+    #[test]
+    fn branch_dna_is_deterministic_and_well_formed() {
+        let dna = compute_branch_dna("feat/foo-bar", "3422bdca12d4567");
+        assert!(dna.starts_with("branch::git::"));
+        let parts: Vec<&str> = dna.split("::").collect();
+        assert_eq!(parts.len(), 4);
+        assert_eq!(parts[0], "branch");
+        assert_eq!(parts[1], "git");
+        assert_eq!(parts[2].len(), 8); // sha8 of branch name
+        assert_eq!(parts[3], "3422bdca"); // first 8 of commit
+        // determinism: same input → same DNA
+        let dna2 = compute_branch_dna("feat/foo-bar", "3422bdca12d4567");
+        assert_eq!(dna, dna2);
+    }
+
+    #[test]
+    fn branch_dna_changes_on_commit() {
+        let a = compute_branch_dna("main", "aaaaaaaa1111");
+        let b = compute_branch_dna("main", "bbbbbbbb2222");
+        assert_ne!(a, b, "DNA should change when commit changes");
+    }
+
+    #[test]
+    fn branch_dna_changes_on_rename() {
+        let a = compute_branch_dna("main", "deadbeef");
+        let b = compute_branch_dna("trunk", "deadbeef");
+        assert_ne!(a, b, "DNA should change when name changes");
+    }
+
     #[test]
     fn render_ascii_empty_status_has_all_sections() {
         let s = Status::default();