haechi 0.3.2

package/LICENSE

@@ -0,0 +1,154 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work.
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the
+original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses granted
+to You under this License for that Work shall terminate as of the
+date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You meet
+the following conditions:
+
+(a) You must give any other recipients of the Work or Derivative
+Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and attribution
+notices from the Source form of the Work, excluding those notices
+that do not pertain to any part of the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained within
+such NOTICE file, excluding those notices that do not pertain to
+any part of the Derivative Works.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work by
+You to the Licensor shall be under the terms and conditions of this
+License, without any additional terms or conditions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work, even if such Contributor has been advised of the possibility
+of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer, and
+charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only on
+Your own behalf and on Your sole responsibility, not on behalf of any
+other Contributor, and only if You agree to indemnify, defend, and
+hold each Contributor harmless for any liability incurred by, or
+claims asserted against, such Contributor by reason of your accepting
+any such warranty or additional liability.

package/README.md

@@ -0,0 +1,102 @@
+# Haechi
+
+Haechi is an experimental developer preview of a self-hosted AI context enforcement layer for protecting LLM, MCP, vLLM, Ollama, and agent payloads before they reach models, tools, logs, or proxies.
+
+The name comes from Haechi, a Korean guardian figure associated with discernment and protection.
+
+This repository is intended for local development, security design review, and self-hosted integration experiments. It is not production-ready and is not a compliance guarantee.
+
+The current developer-preview scope focuses on local adoption:
+
+- `haechi init`: create a local key, sample config, and audit path
+- `haechi protect`: inspect and protect an OpenAI-compatible JSON payload
+- `haechi report`: summarize audit events without raw payloads
+- `haechi proxy`: run a local HTTP JSON proxy for existing LLM calls
+
+## Quickstart
+
+```bash
+npm test
+npm run demo:init
+npm run demo:protect
+npm run demo:report
+```
+
+The default config runs in `dry-run` mode. It detects sensitive values and writes audit metadata, but it does not modify outbound payloads until policy mode is changed.
+
+`npm run demo:init` writes `haechi.config.json` and `.haechi/dev.keys.json` locally. The generated key file is for local development only. Haechi 0.3.x does not include a production KMS/HSM/Vault key provider. A non-secret template is available at `haechi.config.example.json`.
+
+## Local Proxy
+
+```bash
+node packages/cli/bin/haechi.mjs proxy --config haechi.config.json
+```
+
+Point an existing HTTP JSON client at `http://localhost:1016` and set `target.upstream` in `haechi.config.json`. Change `proxy.port` in the config or pass `--port` to use a different local port.
+
+The proxy binds to loopback by default. Binding to `0.0.0.0`, `::`, or another non-loopback host fails unless `--allow-remote-bind` is provided. Use that flag only behind explicit network access controls.
+
+Streaming requests with `stream: true` are blocked by default. Haechi 0.3.x does not inspect SSE or NDJSON streams. Set `streaming.requestMode` to `pass-through` only when the caller explicitly accepts that streaming payloads are not protected by Haechi.
+
+Ollama `/api/chat` and `/api/generate` stream by default when the `stream` field is omitted, so the proxy treats those requests as streaming unless `stream: false` is explicitly set.
+
+Upstream requests time out after `limits.upstreamTimeoutMs` (default 120000) and fail with `504 haechi_upstream_timeout`.
+
+## Local Inference Servers
+
+Haechi 0.3 includes protocol adapter presets for OpenAI-compatible servers, vLLM, Ollama, and llama.cpp.
+
+```json
+{
+  "target": {
+    "type": "vllm-openai",
+    "upstream": "http://127.0.0.1:8000"
+  },
+  "policy": {
+    "mode": "enforce",
+    "presets": ["local-inference"]
+  },
+  "responseProtection": {
+    "enabled": true,
+    "mode": "enforce",
+    "failureMode": "fail-closed"
+  }
+}
+```
+
+Then point an OpenAI-compatible client at `http://127.0.0.1:1016/v1`. For Ollama native APIs, use `target.adapter: "ollama"` and call `/api/chat` or `/api/generate` through the proxy.
+
+## Privacy Profiles
+
+Haechi includes baseline regional privacy profiles for local policy bootstrapping:
+
+- `kr-pipa`
+- `eu-gdpr`
+- `us-general`
+
+Set `privacy.profile` in `haechi.config.json` to apply the profile's default actions before enforcement. These profiles are engineering defaults, not legal advice.
+
+## Security Notes
+
+- This project is not a compliance guarantee.
+- The 0.1 crypto provider uses Node `crypto` with AES-256-GCM and local software keys.
+- Audit events must not contain raw prompt, tool result, secret, or PII values.
+- Unknown or invalid policy/config errors should fail closed in enforcement paths.
+- Response protection fails closed for non-JSON, invalid JSON, compressed, or oversized responses unless an explicit allow policy is configured.
+- Token reveal and purge decisions are written to the audit log (token ids and decisions only, never plaintext). Expired tokens are removed on vault mutations or via `haechi token-purge --expired`.
+- `haechi init --force` rotates the local key: prior keys are kept as `retired` so existing envelopes and token vault records stay decryptable by `kid`.
+- Privacy profiles can strengthen but never weaken an explicitly stricter user action.
+- Detection scans string values, JSON numbers (e.g. card numbers), and object key names. Base64/URL-encoded values and URL query strings are NOT inspected.
+- The package is a developer preview. Do not expose it as an internet-facing production LLM gateway.
+
+## Current Scope
+
+0.1 quickstart scope is described in `docs/current/mvp-0.1-implementation-scope.md`.
+
+0.2 adds local TokenVault, signed policy bundle commands, plugin manifest validation, and an MCP stdio JSON-RPC line filter skeleton. See `docs/current/release-0.2-implementation-scope.md`.
+
+0.3 adds local inference protocol adapters, optional JSON response protection, npm package metadata, and publish-ready exports. See `docs/current/release-0.3-implementation-scope.md`.
+
+0.3.1 adds release safety gates, response fail-closed behavior, audit hash chaining, token reveal governance, provider injection, privacy profiles, CI/SBOM/provenance workflow scaffolding, and dedicated threat/shared-responsibility/API-stability docs.
+
+0.3.2 is a security-hardening release and the first npm developer preview target: Ollama implicit-streaming fail-closed handling, audited token reveal/purge, retention purge, kid-based key rotation, domain-separated policy bundle signing, JSON number/object key detection, upstream timeouts, stale lock recovery, and non-enforcing-mode warnings. See `docs/current/release-0.3.2-hardening-scope.md`.

package/SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+## Scope
+
+This repository is an experimental self-hosted security toolkit. It is not production-ready and is not a compliance certification, legal opinion, or assurance report.
+
+Release risk tracking is maintained in `docs/current/risk-register-release-gate.md`. npm release checks must pass `npm run release:preflight`; actual npm publication additionally requires `npm run release:preflight:npm` from an authenticated npm account.
+
+## Supported Versions
+
+Only the current `0.3.x` development line is considered in scope.
+
+## Reporting
+
+Report suspected vulnerabilities privately to the repository maintainer. Do not include real secrets, production prompts, customer data, or personal information in reports.
+
+## Security Invariants
+
+- Audit output must not contain raw sensitive payload values.
+- Audit output must carry a SHA-256 hash chain for local tamper detection.
+- Encryption must bind ciphertext to canonical AAD.
+- Policy enforcement must prefer blocking over leaking plaintext when configuration is invalid.
+- Proxy listeners must stay loopback-only unless remote binding is explicitly enabled and the deployment supplies network access controls.
+- Streaming payloads are not inspected in 0.3.x and must fail closed unless the operator explicitly selects pass-through.
+- Token reveal must be disabled by default and enabled only for explicit local development workflows.
+- Plugin manifests are validation-only in 0.3.x; dynamic plugin execution is not supported.
+- Plugin/provider implementations that read plaintext or use network egress must declare that capability in plugin manifests.
+
+## Local Development Keys
+
+`haechi init` creates `.haechi/dev.keys.json` for local development. Treat this file as a disposable development secret. Do not reuse it for production data, shared environments, compliance evidence, or internet-facing gateways.

package/docs/README.md

@@ -0,0 +1,35 @@
+# Haechi Documentation Index
+
+English is the primary documentation language. Korean translations are maintained alongside each document as `*.ko.md`.
+
+## Current
+
+- `docs/current/prd-ai-llm-mcp-encryption.md`: PRD draft for the AI/LLM/MCP-focused encryption solution
+- `docs/current/initial-plan-ai-llm-mcp-encryption.md`: initial execution plan and technical hypotheses
+- `docs/current/privacy-filtering-policy-draft.md`: privacy filtering policy draft
+- `docs/current/global-privacy-compliance-review.md`: global privacy / AI compliance review
+- `docs/current/expert-gap-review-ai-llm-mcp-encryption.md`: missing requirements and hardening backlog from parallel expert review
+- `docs/current/open-source-modular-architecture.md`: OSS/self-hosted modular architecture with replaceable provider/plugin boundaries (not SaaS)
+- `docs/current/mvp-0.1-implementation-scope.md`: MVP 0.1 implementation scope, exclusions, quickstart completion criteria
+- `docs/current/release-0.2-implementation-scope.md`: 0.2 TokenVault, signed policy, plugin manifest, MCP stdio scope
+- `docs/current/release-0.3-implementation-scope.md`: 0.3 vLLM/Ollama/llama.cpp adapters, response protection, npm publish readiness scope
+- `docs/current/release-0.3.2-hardening-scope.md`: 0.3.2 security hardening release; first npm developer preview target
+- `docs/current/release-0.4-implementation-scope.md`: 0.4 token round-trip, mcp-wrap, audit-verify/status, identity/authProvider contract reservation
+- `docs/current/risk-register-release-gate.md`: release-blocking risks, security/operational risk status, npm release gates (0.3.2 baseline)
+- `docs/current/threat-model.md`: Haechi 0.3.2 trust boundaries, protected assets, key threats and controls
+- `docs/current/shared-responsibility.md`: responsibility split between Haechi and users/operators in self-hosted deployments
+- `docs/current/api-stability.md`: developer preview API stability and migration note criteria
+- `docs/current/release-process.md`: release preflight, SBOM, npm provenance publish procedure
+
+## Archive
+
+- `docs/archive/2026-06-08-initial/research-summary.md`: initial research summary for the general-purpose modular segment-encryption concept
+- `docs/archive/2026-06-08-initial/`: PRD, SRS, and security review drafts for the general-purpose segment-encryption concept (Korean, historical record)
+
+## Direction Change Record
+
+Early documents covered a general-purpose modular segment-encryption layer spanning HTTP/HTTPS/socket/gRPC/A2A. The current direction is a specialized protection solution for prompts, context, tool calls, resources, artifacts, and streaming messages across AI, LLM, MCP, A2A, and agent platforms.
+
+Open-source/self-hosted security infrastructure takes priority over commercial SaaS. Current documents therefore center on the self-hosted SDK/CLI/proxy, replaceable `CryptoProvider`, `PolicyEngine`, `FilterEngine`, `KeyProvider`, `AuditSink`, and plugin conformance tests, rather than a hosted control plane.
+
+Adoptability is a core requirement. The targets are a 5-minute local demo, a 30-minute MCP/LLM PoC, and a 1-day custom filter PoC; users should be able to start with whichever integration has the lowest change cost: proxy, middleware, SDK wrapper, or sidecar.

package/docs/current/api-stability.ko.md

@@ -0,0 +1,48 @@
+# Haechi API Stability Policy
+
+- 문서 상태: Draft 0.1
+- 작성일: 2026-06-10
+- 기준 버전: 0.3.2
+
+## 1. 버전 해석
+
+0.x 버전은 developer preview다. public exports는 사용 가능하지만, stable API로 간주하지 않는다.
+
+| 버전 범위 | 의미 |
+|---|---|
+| `0.3.x` | local inference/proxy safety patch line |
+| `0.4.x` | streaming/deployment hardening target |
+| `0.5.x` | key custody/audit hardening target |
+| `1.0.0` | API compatibility contract를 선언할 수 있는 첫 stable 후보 |
+
+## 2. 변경 정책
+
+| 변경 유형 | 0.x 처리 |
+|---|---|
+| 보안 기본값 강화 | patch에서 허용 |
+| unsafe config 차단 | patch에서 허용 |
+| export 제거/이름 변경 | minor에서 허용, README에 migration note 필요 |
+| policy action 의미 변경 | minor 이상 필요 |
+| audit schema 변경 | minor 이상 필요 |
+| crypto envelope format 변경 | minor 이상 필요, backward handling 필요 |
+
+## 3. Experimental exports
+
+다음 export는 0.3.2에서 preview로 취급한다.
+
+- `haechi/runtime`
+- `haechi/proxy`
+- `haechi/protocol-adapters`
+- `haechi/privacy-profiles`
+- `haechi/plugin`
+
+## 4. Migration note 기준
+
+다음 변경이 있으면 `docs/current/release-*.md` 또는 README에 migration note를 남긴다.
+
+- config key 추가/삭제
+- default enforcement 변경
+- CLI flag 추가/삭제
+- audit event 필드 변경
+- token format 변경
+- plugin manifest schema 변경

package/docs/current/api-stability.md

@@ -0,0 +1,48 @@
+# Haechi API Stability Policy
+
+- Status: Draft 0.1
+- Date: 2026-06-10
+- Target version: 0.3.2
+
+## 1. Version Interpretation
+
+0.x releases are developer previews. Public exports are available for use but are not considered stable API.
+
+| Version range | Meaning |
+|---|---|
+| `0.3.x` | local inference/proxy safety patch line |
+| `0.4.x` | streaming/deployment hardening target |
+| `0.5.x` | key custody/audit hardening target |
+| `1.0.0` | First stable candidate at which an API compatibility contract may be declared |
+
+## 2. Change Policy
+
+| Change type | 0.x handling |
+|---|---|
+| Strengthening security defaults | Allowed in patch |
+| Blocking unsafe config | Allowed in patch |
+| Removing or renaming exports | Allowed in minor; migration note required in README |
+| Changing policy action semantics | Requires minor or higher |
+| Changing audit schema | Requires minor or higher |
+| Changing crypto envelope format | Requires minor or higher; backward handling required |
+
+## 3. Experimental exports
+
+The following exports are treated as preview in 0.3.2.
+
+- `haechi/runtime`
+- `haechi/proxy`
+- `haechi/protocol-adapters`
+- `haechi/privacy-profiles`
+- `haechi/plugin`
+
+## 4. Migration note criteria
+
+A migration note is added to `docs/current/release-*.md` or the README whenever any of the following changes occur.
+
+- Adding or removing a config key
+- Changing default enforcement behavior
+- Adding or removing a CLI flag
+- Changing an audit event field
+- Changing the token format
+- Changing the plugin manifest schema

package/docs/current/expert-gap-review-ai-llm-mcp-encryption.ko.md

@@ -0,0 +1,107 @@
+# 전문가 병렬 Gap Review: AI/LLM/MCP 특화 암호화 솔루션
+
+- 문서 상태: Draft 0.1
+- 작성일: 2026-06-08
+- 관련 제품: Haechi
+- 검토 방식: 보안/암호, AI/MCP/A2A 아키텍처, 글로벌 컴플라이언스, 제품/사업, 테스트 전략 페르소나 병렬 검토
+
+## 1. 결론
+
+현재 문서는 `무엇을 보호할 것인가`는 잘 잡고 있다. 다만 최신 방향은 SaaS 판매가 아니라 오픈소스/self-hosted 보안 인프라다. 따라서 아래 gap은 "초기 OSS core에 반드시 필요한 보안 gap"과 "상용화 또는 엔터프라이즈 도입을 고려할 때의 선택 backlog"로 나누어 해석한다.
+
+초기 OSS core라도 다음 5개 축은 필요하다.
+
+1. 암호/정책의 우회 불가능성: canonical AAD, nonce/replay, key lifecycle, signed policy, fail-closed.
+2. 프로토콜별 운영 계약: MCP stdio/Streamable HTTP, A2A, gRPC, LLM gateway, RAG/vector, agent memory.
+3. OSS 배포/신뢰 모델: self-hosted mode, key custody, telemetry boundary, SECURITY.md, conformance test, SBOM, signed release.
+4. 글로벌 AI/개인정보 거버넌스: EU AI Act, NIST AI RMF/CSF, OWASP LLM/Agentic, US state privacy, sector profiles.
+5. 적용성: 5분 local demo, 30분 MCP/LLM PoC, 1일 custom filter PoC, proxy/middleware/SDK/sidecar 적용 경로.
+6. 검증 자동화: 표면별 plaintext leak sentinel, policy conflict matrix, KMS fault injection, streaming chaos, red-team corpus.
+
+## 2. P0: 요구사항 Freeze 전 반드시 보강
+
+| ID | 누락/보강 항목 | 왜 필요한가 | 수용 기준 |
+|---|---|---|---|
+| GAP-P0-001 | AAD canonicalization | JSON 재정렬, Unicode 변형, role/source spoofing, policy version 변경으로 복호화 context가 흔들릴 수 있다. | AAD schema, canonical JSON, Unicode normalization, policy version, tenant/user/agent/model/task/tool/resource binding이 고정되고 변형 입력은 복호화 실패한다. |
+| GAP-P0-002 | nonce/replay/stream sequencing | streaming chunk, retry, partial delivery, duplicate request에서 nonce 재사용 또는 replay가 치명적이다. | 동일 nonce, cross-session replay, cross-tenant replay, out-of-order chunk, duplicate chunk가 모두 거부된다. |
+| GAP-P0-003 | key lifecycle | KMS/HSM/Vault 사용만으로는 생성, 회전, 폐기, rewrap, backup/restore, blast radius가 정의되지 않는다. | tenant key rotation, retired key rejection, plaintext key non-export, rewrap job, restore drill, destruction evidence가 테스트된다. |
+| GAP-P0-004 | token vault governance | 토큰화는 DSAR, deletion, retention, re-identification 권한 모델과 연결돼야 한다. | token mapping purge, dual control re-identification, DSAR export, retention expiry, decision record linkage가 검증된다. |
+| GAP-P0-005 | signed policy distribution | client-supplied metadata, stale policy cache, allowlist 오남용으로 hard-block이 우회될 수 있다. | signed policy bundle, version pinning, server-side source classification, emergency rule precedence, fail-closed validation을 강제한다. |
+| GAP-P0-006 | MCP transport security contract | MCP는 최신 스펙에서 authorization, lifecycle, protocol version, security best practices가 명시적으로 진화하고 있다. | `initialize`/`initialized`, `MCP-Protocol-Version`, OAuth resource binding, stdio env allowlist, token passthrough 금지, per-client consent가 테스트된다. |
+| GAP-P0-007 | A2A discovery/auth parity | AgentCard, authenticated extended card, SSE/gRPC/REST binding, push notification 경계가 약하면 agent impersonation이 가능하다. | AgentCard signature/verification, security scheme parity, authenticated extended card, streaming/resubscribe/push security가 adapter별로 동일하다. |
+| GAP-P0-008 | observability boundary | 로그뿐 아니라 trace baggage, headers, URL query, stack trace, crash dump, metric label, replay artifact에서 평문이 샌다. | 모든 telemetry sink에 sentinel PII/secret 원문이 남지 않고 hash/id/redaction metadata만 남는다. |
+| GAP-P0-009 | OSS/self-hosted deployment modes | library, CLI, local proxy, sidecar, self-hosted service는 키 위치, egress, update, telemetry, 장애 경계가 다르다. | mode별 key custody, network egress, telemetry path, upgrade/rollback, local-only 동작이 명시된다. |
+| GAP-P0-010 | open-source shared responsibility note | OSS 사용자는 법적 판단, transfer evidence, key custody, DSAR, incident response를 스스로 책임지는 범위를 알아야 한다. | README/SECURITY/docs에 maintainer responsibility, user responsibility, non-compliance disclaimer가 명시된다. |
+| GAP-P0-011 | EU AI Act / AI governance mapping | Haechi가 AI 시스템 또는 AI governance component로 쓰이면 투명성, role 판정, incident 관련 해석이 필요할 수 있다. | provider/deployer/GPAI role 판단표, transparency note, incident log, AI risk register template을 참고 자료로 제공한다. |
+| GAP-P0-012 | build-blocking security tests | 현재 검증 기준은 선언형이다. 보안 제품은 어떤 실패가 빌드를 막는지 명확해야 한다. | plaintext leak, policy conflict, KMS fault, replay, global profile, hard-block bypass 실패가 CI gate가 된다. |
+| GAP-P0-013 | easy adoption path | 보안성이 높아도 적용이 어렵다면 OSS 확산과 실제 사용이 어렵다. | `haechi init`, dry-run/report-only, preset policy, local proxy, copy-paste middleware, 5분/30분/1일 적용 목표가 문서와 예제로 검증된다. |
+
+## 3. P1: OSS 확산과 실사용 전 보강
+
+| ID | 누락/보강 항목 | 왜 필요한가 | 수용 기준 |
+|---|---|---|---|
+| GAP-P1-001 | provider-neutral LLM message model | OpenAI-compatible schema만으로는 Anthropic, multimodal, structured output, tool/function call, streaming chunk를 일관되게 통제하기 어렵다. | 내부 canonical message schema와 provider adapter mapping, pre/post policy hook, chunk-level decision record가 존재한다. |
+| GAP-P1-002 | MCP registry/provenance/cache invalidation | tools/resources/prompts 목록과 `listChanged` 이벤트가 오염되거나 stale하면 잘못된 tool 정책이 적용된다. | registry entry owner/version/hash/scope, cache invalidation, discovery auth, deterministic ordering을 검증한다. |
+| GAP-P1-003 | gRPC streaming semantics | field encryption만으로 deadline, cancel, retry, ordering, metadata leakage를 다룰 수 없다. | deadline propagation, cancel audit, retry idempotency, metadata scrub, partial delivery semantics를 테스트한다. |
+| GAP-P1-004 | RAG/vector DB protection | snippet 보호만으로는 embedding, vector namespace, citation, deletion propagation이 남는다. | tenant-scoped namespace, embedding/source metadata policy, index deletion propagation, citation redaction을 검증한다. |
+| GAP-P1-005 | agent memory lifecycle | 장기 memory와 recall은 task/context 암호화만으로 통제되지 않는다. | ephemeral/durable memory 구분, TTL/purge/export, per-tenant/agent namespace, cross-task recall denial이 동작한다. |
+| GAP-P1-006 | multi-tenant isolation | key separation만으로는 policy, audit, memory, rate limit, admin plane 격리가 부족하다. | tenant config store, audit sink, quota, provider allowlist, admin RBAC, blast-radius 제한이 분리된다. |
+| GAP-P1-007 | SDK/proxy/plugin deployment model | 고객은 in-process SDK, sidecar, gateway plugin, server middleware 중 어떤 방식으로 적용할지 판단해야 한다. | 각 모드의 호환성, 장애 경계, 성능 비용, rollback, upgrade 정책이 명시된다. |
+| GAP-P1-008 | custom DSL safety | 커스텀 필터는 parser bug, regex DoS, allowlist bypass, external classifier leakage의 공격 표면이다. | DSL fuzzing, regex resource limit, conflict golden test, classifier egress test가 CI에서 돈다. |
+| GAP-P1-009 | supply chain integrity | SDK, connector, classifier plugin, policy package가 오염되면 보안 제품이 공격 경로가 된다. | SBOM, provenance, artifact signing, dependency vulnerability policy, plugin trust policy가 필요하다. |
+| GAP-P1-010 | AI red-team corpus | prompt injection을 비목표로만 두면 tool-output injection, resource poisoning, exfiltration을 놓친다. | OWASP LLM/Agentic 위협과 매핑된 red-team corpus가 있고 차단 근거가 decision record에 남는다. |
+| GAP-P1-011 | US privacy 확장 | CCPA/CPRA만으로 미국 전체 판매 대응은 부족하다. | Colorado, Connecticut, Virginia, Texas, Washington My Health My Data Act profile 또는 제외 사유가 정의된다. |
+| GAP-P1-012 | sector operational controls | HIPAA/PCI는 식별자 탐지만으로 부족하다. | BAA, ePHI audit, breach workflow, SAD storage prohibition, retention/disposal, MFA evidence를 검증한다. |
+| GAP-P1-013 | OSS trust evidence | 상용 인증은 후순위지만, 보안 OSS는 threat model, security policy, SBOM, release provenance, test result가 신뢰의 전제다. | SECURITY.md, threat model, SBOM, signed release, conformance 결과가 공개된다. |
+| GAP-P1-014 | adoption packaging | 판매용 SKU는 필요 없지만 사용자가 어떤 모듈을 어떻게 붙일지 판단할 정보가 필요하다. | core/filter/policy/crypto/mcp/llm/audit package matrix와 example별 적용 가이드가 제공된다. |
+
+## 4. P2: Roadmap / Hardening
+
+| ID | 항목 | 이유 | 완료 기준 |
+|---|---|---|---|
+| GAP-P2-001 | crypto agility / PQC migration | envelope format은 장기 보존 데이터를 다룰 수 있으므로 알고리즘 폐기와 PQC 전환 계획이 필요하다. | envelope versioning, deprecation window, rewrap, HPKE/PQC 검토 메모가 존재한다. |
+| GAP-P2-002 | STPA/CAST 기반 system-theoretic risk analysis | agentic AI는 단일 취약점보다 구조적 실패와 cascading failure가 중요하다. | high-risk use case에 STPA-Sec 또는 CAST 형식의 hazard/control loop 분석을 수행한다. |
+| GAP-P2-003 | China/India/Australia market matrix | 글로벌 제품이라면 대형 시장을 profile로 지원할지 제외할지 결정해야 한다. | PIPL, DPDP Act, Australia Privacy Act에 대한 profile 또는 exclusion rationale을 남긴다. |
+| GAP-P2-004 | optional commercialization path | 현재는 OSS/self-hosted가 우선이지만 장기적으로 상용 지원, 컨설팅, managed offering을 선택할 수 있다. | 상용화를 다시 검토할 때만 partner/channel, support policy, SLA, pricing/SKU를 별도 문서화한다. |
+| GAP-P2-005 | performance/soak budget | 필터링과 암호화는 latency와 cost를 직접 만든다. | p95/p99 latency, throughput, memory, regex CPU limit, telemetry overhead budget을 CI/soak test로 검증한다. |
+
+## 5. 전문가 페르소나별 핵심 발견
+
+| 페르소나 | 핵심 발견 |
+|---|---|
+| 보안/암호 | AAD canonicalization, nonce/replay, key lifecycle, token vault, signed policy가 P0다. |
+| AI/MCP/A2A 아키텍처 | 프로토콜별 transport/auth/lifecycle 계약, observability 경계, RAG/vector, agent memory, multi-tenancy가 부족하다. |
+| 글로벌 컴플라이언스 | EU AI Act, ISO 27001/27701/42001, NIST AI RMF/CSF, OWASP GenAI/Agentic, 미국 주 privacy 확장은 참고 profile과 제외 사유가 필요하다. |
+| 제품/사업 | 현재는 판매보다 adoption이 우선이다. quickstart, package boundary, examples, README, SECURITY.md, plugin conformance가 핵심이다. |
+| 테스트 전략 | 보안 요구사항을 build-blocking CI gate로 내려야 한다. plaintext leak, policy conflict, KMS fault, replay, global profile, DSL fuzzing이 핵심이다. |
+
+## 6. 즉시 추가해야 할 문서
+
+| 우선순위 | 문서 | 목적 |
+|---|---|---|
+| 1 | `crypto-envelope-spec.md` | AAD canonicalization, envelope version, nonce, replay, key lifecycle 정의 |
+| 2 | `security-test-spec-ai-llm-mcp.md` | build-blocking negative test와 red-team corpus 정의 |
+| 3 | `protocol-security-contract-mcp-a2a-grpc.md` | MCP/A2A/gRPC/LLM adapter별 transport, auth, lifecycle, metadata scrub 계약 |
+| 4 | `open-source-modular-architecture.md` | OSS/self-hosted package boundary, provider/plugin API, conformance test |
+| 5 | `self-hosted-shared-responsibility.md` | library/CLI/proxy/sidecar mode별 key custody, telemetry, user/maintainer responsibility |
+| 6 | `rag-agent-memory-protection-design.md` | RAG/vector DB, source metadata, citation, agent memory lifecycle 보호 |
+| 7 | `optional-enterprise-evidence-pack.md` | 장기 상용화를 다시 검토할 때 SOC 2, ISO, DPA, SCC/IDTA, BAA 증빙 |
+
+## 7. 공식 참고 자료
+
+- Model Context Protocol latest specification: https://modelcontextprotocol.io/specification/
+- MCP authorization: https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization
+- MCP security best practices: https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices
+- NSA, Model Context Protocol Security Design Considerations, May 2026: https://www.nsa.gov/Portals/75/documents/Cybersecurity/CSI_MCP_SECURITY.pdf
+- NSA/Five Eyes, Careful Adoption of Agentic AI Services, April 2026: https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF
+- A2A Protocol latest specification: https://a2a-protocol.org/latest/specification/
+- NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
+- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
+- NIST Generative AI Profile, AI 600-1: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
+- European Commission, AI Act enters into force: https://commission.europa.eu/news-and-media/news/ai-act-enters-force-2024-08-01_en
+- OWASP Top 10 for LLM Applications 2025: https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/
+- OWASP Top 10 for Agentic Applications 2026: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
+- ISO/IEC 27001:2022: https://www.iso.org/standard/27001
+- ISO/IEC 27701:2025: https://www.iso.org/standard/27701
+- ISO/IEC 42001:2023: https://www.iso.org/standard/42001
+- AICPA SOC Suite of Services: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services