haechi 0.3.2 → 0.4.0

package/packages/cli/bin/haechi.mjs

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
-import { readFile } from "node:fs/promises";
-import { readAuditSummary } from "../../audit/index.mjs";
+import { readFile, stat } from "node:fs/promises";
+import { readAuditSummary, verifyAuditChain } from "../../audit/index.mjs";
 import { DEFAULT_PROXY_PORT, createHaechiProxy } from "../../proxy/index.mjs";
 import { signPolicyBundleFile, verifyPolicyBundleFile } from "../../policy-bundle/index.mjs";
 import { validatePluginManifestFile } from "../../plugin/index.mjs";
-import { runMcpStdioFilter } from "../../mcp-stdio/index.mjs";
+import { runMcpStdioFilter, wrapMcpChild } from "../../mcp-stdio/index.mjs";
+import { spawn } from "node:child_process";
 import { DEFAULT_CONFIG_PATH, createRuntime, isValidPort, loadConfig, writeDefaultConfig } from "../runtime.mjs";
 
 const [command, ...argv] = process.argv.slice(2);
@@ -20,6 +21,12 @@ try {
     case "report":
       await reportCommand(argv);
       break;
+    case "audit-verify":
+      await auditVerifyCommand(argv);
+      break;
+    case "status":
+      await statusCommand(argv);
+      break;
     case "proxy":
       await proxyCommand(argv);
       break;
@@ -44,6 +51,9 @@ try {
     case "mcp-stdio":
       await mcpStdioCommand(argv);
       break;
+    case "mcp-wrap":
+      await mcpWrapCommand(argv);
+      break;
     case "help":
     case "--help":
     case "-h":
@@ -91,6 +101,7 @@ async function protectCommand(argv) {
   const result = await runtime.haechi.protectJson(input, {
     protocol: config.target.type,
     operation: "cli protect",
+    direction: "request",
     mode: effectiveMode
   });
 
@@ -123,6 +134,116 @@ async function reportCommand(argv) {
   });
 }
 
+async function auditVerifyCommand(argv) {
+  const options = parseOptions(argv);
+  let auditPath = options.audit ?? options.path;
+  if (!auditPath) {
+    try {
+      auditPath = (await loadConfig(options.config ?? DEFAULT_CONFIG_PATH)).audit.path;
+    } catch {
+      auditPath = ".haechi/audit.jsonl";
+    }
+  }
+
+  const result = await verifyAuditChain(auditPath);
+  writeJson({
+    ok: result.valid,
+    command: "audit-verify",
+    auditPath,
+    result
+  });
+  if (!result.valid) {
+    process.exitCode = 4;
+  }
+}
+
+async function statusCommand(argv) {
+  const options = parseOptions(argv);
+  const configPath = options.config ?? DEFAULT_CONFIG_PATH;
+  const config = await loadConfig(configPath);
+  const effectiveMode = config.policy.mode ?? config.mode;
+  const enforced = !["dry-run", "report-only"].includes(effectiveMode);
+  const warnings = [];
+
+  if (!enforced) {
+    warnings.push(`policy mode is ${effectiveMode}: payloads are inspected and audited but NOT modified or blocked`);
+  }
+  if (!config.responseProtection.enabled) {
+    warnings.push("responseProtection.enabled is false: upstream responses are forwarded without inspection");
+  }
+  if (config.streaming.requestMode === "pass-through") {
+    warnings.push("streaming.requestMode is pass-through: streaming payloads are not protected");
+  }
+  if (config.tokenVault.revealPolicy !== "disabled") {
+    warnings.push(`tokenVault.revealPolicy is ${config.tokenVault.revealPolicy}: manual token reveal is enabled`);
+  }
+  if (config.tokenVault.detokenizeResponses && !config.responseProtection.enabled) {
+    warnings.push("tokenVault.detokenizeResponses is true but responseProtection.enabled is false: detokenization never runs");
+  }
+
+  const keys = {
+    provider: config.keys.provider,
+    keyFile: config.keys.keyFile,
+    exists: false,
+    permissions: null
+  };
+  try {
+    const info = await stat(config.keys.keyFile);
+    keys.exists = true;
+    keys.permissions = `0${(info.mode & 0o777).toString(8)}`;
+    if ((info.mode & 0o077) !== 0) {
+      warnings.push(`key file ${config.keys.keyFile} is group/world accessible (${keys.permissions}); expected 0600`);
+    }
+  } catch {
+    warnings.push(`key file ${config.keys.keyFile} does not exist; run haechi init`);
+  }
+
+  const audit = { path: config.audit.path, exists: false, chain: null };
+  try {
+    await stat(config.audit.path);
+    audit.exists = true;
+    audit.chain = await verifyAuditChain(config.audit.path);
+    if (!audit.chain.valid) {
+      warnings.push(`audit chain verification failed: ${audit.chain.reason}`);
+    }
+  } catch {
+    // No audit file yet is a normal pre-first-run state, not a warning.
+  }
+
+  writeJson({
+    ok: true,
+    command: "status",
+    configPath,
+    protection: {
+      policyMode: effectiveMode,
+      enforced,
+      responseProtection: {
+        enabled: config.responseProtection.enabled,
+        mode: config.responseProtection.mode,
+        failureMode: config.responseProtection.failureMode
+      },
+      streamingRequestMode: config.streaming.requestMode
+    },
+    target: {
+      type: config.target.type,
+      adapter: config.target.adapter,
+      upstream: config.target.upstream
+    },
+    proxy: config.proxy,
+    tokenVault: {
+      revealPolicy: config.tokenVault.revealPolicy,
+      retentionDays: config.tokenVault.retentionDays,
+      deterministic: config.tokenVault.deterministic,
+      deterministicTypes: config.tokenVault.deterministicTypes,
+      detokenizeResponses: config.tokenVault.detokenizeResponses
+    },
+    privacyProfile: config.privacy.profile,
+    keys,
+    audit,
+    warnings
+  });
+}
+
 async function proxyCommand(argv) {
   const options = parseOptions(argv);
   const config = await loadConfig(options.config ?? DEFAULT_CONFIG_PATH);
@@ -282,6 +403,30 @@ async function mcpStdioCommand(argv) {
   await runMcpStdioFilter({ runtime });
 }
 
+async function mcpWrapCommand(argv) {
+  const separator = argv.indexOf("--");
+  if (separator === -1 || !argv[separator + 1]) {
+    throw new Error("mcp-wrap requires a child command after --, e.g. haechi mcp-wrap -- npx some-mcp-server");
+  }
+  const options = parseOptions(argv.slice(0, separator));
+  const command = argv[separator + 1];
+  const commandArgs = argv.slice(separator + 2);
+
+  const config = await loadConfig(options.config ?? DEFAULT_CONFIG_PATH);
+  const runtime = createRuntime(config);
+
+  const child = spawn(command, commandArgs, {
+    stdio: ["pipe", "pipe", "inherit"]
+  });
+
+  for (const signal of ["SIGINT", "SIGTERM"]) {
+    process.on(signal, () => child.kill(signal));
+  }
+
+  const { code } = await wrapMcpChild({ runtime, child });
+  process.exitCode = code;
+}
+
 function parseOptions(argv) {
   const options = {};
   for (let index = 0; index < argv.length; index += 1) {
@@ -326,6 +471,8 @@ Usage:
   haechi init [--config haechi.config.json] [--force]
   haechi protect <input.json> [--config haechi.config.json]
   haechi report [--audit .haechi/audit.jsonl]
+  haechi audit-verify [--audit .haechi/audit.jsonl] [--config haechi.config.json]
+  haechi status [--config haechi.config.json]
   haechi proxy [--config haechi.config.json] [--host 127.0.0.1] [--port ${DEFAULT_PROXY_PORT}] [--allow-remote-bind]
   haechi policy-sign <policy.json> [--config haechi.config.json] [--out policy.bundle.json]
   haechi policy-verify <policy.bundle.json> [--config haechi.config.json]
@@ -335,6 +482,7 @@ Usage:
   haechi token-export [--config haechi.config.json] [--type email]
   haechi plugin-validate <plugin-manifest.json>
   haechi mcp-stdio [--config haechi.config.json]
+  haechi mcp-wrap [--config haechi.config.json] -- <command> [args...]
 
 The default policy mode is dry-run. Change policy.mode to enforce to mutate or block payloads.
 `);

package/packages/cli/runtime.mjs

@@ -63,7 +63,10 @@ export function defaultConfig() {
       provider: "local",
       path: ".haechi/token-vault.json",
       revealPolicy: "disabled",
-      retentionDays: 30
+      retentionDays: 30,
+      deterministic: false,
+      deterministicTypes: null,
+      detokenizeResponses: false
     },
     privacy: {
       profile: null
@@ -113,6 +116,8 @@ export function createRuntime(config, providers = {}) {
     cryptoProvider,
     revealPolicy: normalized.tokenVault.revealPolicy,
     retentionDays: normalized.tokenVault.retentionDays,
+    deterministic: normalized.tokenVault.deterministic,
+    deterministicTypes: normalized.tokenVault.deterministicTypes,
     auditSink
   });
   assertProvider("tokenVault", tokenVault, ["tokenize", "reveal", "purge"]);
@@ -233,6 +238,18 @@ export function normalizeConfig(config) {
   if (typeof merged.tokenVault.retentionDays !== "number" || merged.tokenVault.retentionDays < 1) {
     throw new Error("tokenVault.retentionDays must be a positive number");
   }
+  if (typeof merged.tokenVault.deterministic !== "boolean") {
+    throw new Error("tokenVault.deterministic must be boolean");
+  }
+  if (merged.tokenVault.deterministicTypes !== null
+    && (!Array.isArray(merged.tokenVault.deterministicTypes)
+      || merged.tokenVault.deterministicTypes.length === 0
+      || !merged.tokenVault.deterministicTypes.every((type) => typeof type === "string" && type.trim()))) {
+    throw new Error("tokenVault.deterministicTypes must be null or a non-empty array of type strings");
+  }
+  if (typeof merged.tokenVault.detokenizeResponses !== "boolean") {
+    throw new Error("tokenVault.detokenizeResponses must be boolean");
+  }
   if (!Array.isArray(merged.mcp.allowedMethods) || merged.mcp.allowedMethods.length === 0) {
     throw new Error("mcp.allowedMethods must be a non-empty array");
   }

package/packages/core/index.mjs

@@ -19,11 +19,15 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
 
     const enforced = !NO_ENFORCE_MODES.has(effectiveMode);
     const blocked = enforced && decisions.some((decision) => decision.action === "block");
+    // Tokens issued or reused while protecting THIS payload; the proxy uses
+    // this request-scoped set to restore only these tokens in the response.
+    const issuedTokens = new Set();
     const protectedPayload = blocked ? null : await transformPayload(payload, detections, decisions, {
       context,
       cryptoProvider,
       tokenVault,
-      enforced
+      enforced,
+      issuedTokens
     });
 
     const auditEvent = buildAuditEvent({
@@ -42,7 +46,8 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
       payload: protectedPayload,
       blocked,
       summary: summarize(detections, decisions),
-      auditEvent
+      auditEvent,
+      issuedTokens: [...issuedTokens]
     };
   }
 
@@ -127,7 +132,7 @@ export function summarize(detections, decisions) {
   };
 }
 
-async function transformPayload(payload, detections, decisions, { context, cryptoProvider, tokenVault, enforced }) {
+async function transformPayload(payload, detections, decisions, { context, cryptoProvider, tokenVault, enforced, issuedTokens = null }) {
   if (!enforced || detections.length === 0) {
     return structuredClone(payload);
   }
@@ -155,7 +160,7 @@ async function transformPayload(payload, detections, decisions, { context, crypt
       if (typeof original !== "number") {
         continue;
       }
-      const transformed = await transformString(String(original), items, { context, cryptoProvider, tokenVault });
+      const transformed = await transformString(String(original), items, { context, cryptoProvider, tokenVault, issuedTokens });
       if (transformed !== String(original)) {
         setByPath(output, path, transformed);
       }
@@ -164,7 +169,7 @@ async function transformPayload(payload, detections, decisions, { context, crypt
     if (typeof original !== "string") {
       continue;
     }
-    const transformed = await transformString(original, items, { context, cryptoProvider, tokenVault });
+    const transformed = await transformString(original, items, { context, cryptoProvider, tokenVault, issuedTokens });
     setByPath(output, path, transformed);
   }
 
@@ -179,7 +184,7 @@ async function transformPayload(payload, detections, decisions, { context, crypt
       || !Object.prototype.hasOwnProperty.call(parent, originalKey)) {
       continue;
     }
-    const transformedKey = await transformString(String(originalKey), items, { context, cryptoProvider, tokenVault });
+    const transformedKey = await transformString(String(originalKey), items, { context, cryptoProvider, tokenVault, issuedTokens });
     if (transformedKey === originalKey) {
       continue;
     }
@@ -197,7 +202,7 @@ async function transformPayload(payload, detections, decisions, { context, crypt
   return output;
 }
 
-async function transformString(value, items, { context, cryptoProvider, tokenVault }) {
+async function transformString(value, items, { context, cryptoProvider, tokenVault, issuedTokens = null }) {
   const sorted = items
     .filter(({ decision }) => decision.action !== "allow" && decision.action !== "block")
     .sort((left, right) => left.detection.start - right.detection.start);
@@ -212,7 +217,7 @@ async function transformString(value, items, { context, cryptoProvider, tokenVau
 
     output += value.slice(cursor, detection.start);
     const segment = value.slice(detection.start, detection.end);
-    output += await replacementFor(segment, detection, decision, { context, cryptoProvider, tokenVault });
+    output += await replacementFor(segment, detection, decision, { context, cryptoProvider, tokenVault, issuedTokens });
     cursor = detection.end;
   }
 
@@ -220,7 +225,7 @@ async function transformString(value, items, { context, cryptoProvider, tokenVau
   return output;
 }
 
-async function replacementFor(segment, detection, decision, { context, cryptoProvider, tokenVault }) {
+async function replacementFor(segment, detection, decision, { context, cryptoProvider, tokenVault, issuedTokens = null }) {
   switch (decision.action) {
     case "redact":
       return `[REDACTED:${detection.type}]`;
@@ -237,6 +242,7 @@ async function replacementFor(segment, detection, decision, { context, cryptoPro
             ruleId: detection.ruleId
           }
         });
+        issuedTokens?.add(result.token);
         return `[TOKEN:${result.token}]`;
       }
       return `[TOKEN:${detection.type}:${shortHash(segment)}]`;
@@ -263,6 +269,9 @@ function buildAuditEvent({ context, mode, enforced, blocked, payload, detections
     timestamp: new Date().toISOString(),
     protocol: context.protocol ?? "custom",
     operation: context.operation ?? "protect",
+    // Reserved for 0.6 auth: hard null so unvalidated identity objects cannot
+    // reach the audit log before the PII-safe hashing contract exists.
+    identity: null,
     mode,
     enforced,
     blocked,

package/packages/crypto/index.mjs

@@ -1,4 +1,4 @@
-import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
+import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes } from "node:crypto";
 import { dirname } from "node:path";
 import { mkdir, readFile, writeFile } from "node:fs/promises";
 
@@ -60,6 +60,18 @@ export function createLocalCryptoProvider({ keyFile }) {
         aadHash: sha256(aadBytes)
       };
     },
+    // Keyed hash over a domain-separated derived key. The raw stored key is an
+    // AES-256-GCM key and must never be used for HMAC directly; every use case
+    // gets its own versioned domain string (e.g. deterministic tokenization,
+    // identity hashing). Uses the active key, so rotation changes outputs.
+    async hmac({ data, domain }) {
+      if (!domain || typeof domain !== "string") {
+        throw new Error("hmac requires a non-empty domain string");
+      }
+      const { active: { key } } = await loadKeys();
+      const derived = createHmac("sha256", key).update(domain).digest();
+      return createHmac("sha256", derived).update(data).digest("hex");
+    },
     async decrypt({ envelope, aad }) {
       const { active, byKid } = await loadKeys();
       if (envelope.alg && envelope.alg !== ALG) {

package/packages/filter/index.mjs

@@ -51,6 +51,50 @@ const DEFAULT_RULES = [
     pattern: "(?<=\\b(?:api[_-]?key|secret|token|password)\\s*[:=]\\s*['\\\"]?)[A-Za-z0-9._~+/-]{12,}",
     flags: "gi",
     confidence: 0.85
+  },
+  // Indirect prompt injection heuristics. Response/tool-result direction only,
+  // and the policy default for the injection type is `allow` (report-only):
+  // detections are audited regardless of action, and false-positive blocks
+  // would erode trust faster than missed detections.
+  {
+    id: "injection-instruction-override",
+    type: "injection",
+    pattern: "\\b(?:ignore|disregard|forget)\\s+(?:all\\s+|any\\s+|the\\s+|your\\s+)?(?:previous|prior|earlier|above|system)\\s+(?:instructions?|rules?|prompts?|guidelines)",
+    flags: "gi",
+    confidence: 0.7,
+    direction: "response"
+  },
+  {
+    id: "injection-role-reassignment",
+    type: "injection",
+    pattern: "\\b(?:you are now|act as)\\s+(?:an?\\s+)?(?:unrestricted|jailbroken|uncensored|developer mode|dan\\b)|\\bnew (?:system )?instructions?\\s*:",
+    flags: "gi",
+    confidence: 0.65,
+    direction: "response"
+  },
+  {
+    id: "injection-prompt-markers",
+    type: "injection",
+    pattern: "<\\|im_start\\|>|<<SYS>>|\\[\\[?system\\]\\]?\\s*:",
+    flags: "gi",
+    confidence: 0.7,
+    direction: "response"
+  },
+  {
+    id: "injection-conceal-from-user",
+    type: "injection",
+    pattern: "\\bdo not (?:tell|inform|mention|reveal|show)(?:\\s+this)?(?:\\s+to)?\\s+the user\\b",
+    flags: "gi",
+    confidence: 0.7,
+    direction: "response"
+  },
+  {
+    id: "injection-tool-induction",
+    type: "injection",
+    pattern: "\\b(?:silently|secretly|immediately)\\s+(?:call|invoke|run|execute)\\s+(?:the\\s+)?[\\w.-]+\\s+tool\\b",
+    flags: "gi",
+    confidence: 0.6,
+    direction: "response"
   }
 ];
 
@@ -64,16 +108,21 @@ export function createDefaultFilterEngine({ customRules = [] } = {}) {
       readsPlaintext: true,
       networkEgress: false
     },
-    async detect({ entries }) {
-      return entries.flatMap((entry) => detectEntry(entry, rules));
+    async detect({ entries, context }) {
+      return entries.flatMap((entry) => detectEntry(entry, rules, context));
     }
   };
 }
 
-export function detectEntry(entry, rules) {
+export function detectEntry(entry, rules, context = {}) {
   const detections = [];
 
   for (const rule of rules) {
+    // Direction-scoped rules (e.g. injection heuristics) only run on the
+    // matching traffic direction; rules without a direction run everywhere.
+    if (rule.direction && rule.direction !== context?.direction) {
+      continue;
+    }
     const regex = new RegExp(rule.pattern, rule.flags.includes("g") ? rule.flags : `${rule.flags}g`);
     for (const match of entry.value.matchAll(regex)) {
       const value = match[0];

package/packages/mcp-stdio/index.mjs

@@ -1,25 +1,35 @@
 import { createInterface } from "node:readline";
 
-export async function protectMcpJsonRpcMessage(message, runtime) {
+// Tagged core used by both the one-direction line filter and mcp-wrap.
+// kinds: "forward" (deliver the protected message), "reject" (send the error
+// back to the CLIENT instead of delivering), "drop" (notification — deliver
+// nothing, per JSON-RPC).
+async function protectTagged(message, runtime, { enforceMethodAllowlist = true } = {}) {
   if (!message || typeof message !== "object" || Array.isArray(message)) {
     throw new Error(Array.isArray(message)
       ? "JSON-RPC batch messages are not supported by the MCP stdio filter"
       : "MCP message must be a JSON object");
   }
   const policy = runtime.config.mcp;
-  // JSON-RPC notifications (method, no id) must not receive responses; a
-  // rejected or blocked notification is dropped (returns null) instead.
   const isNotification = message.method !== undefined
     && !Object.prototype.hasOwnProperty.call(message, "id");
+
+  function reject(error) {
+    return isNotification ? { kind: "drop" } : { kind: "reject", message: error };
+  }
+
   if (policy.requireJsonRpc && message.jsonrpc !== "2.0") {
-    return isNotification ? null : errorJsonRpc(message.id, -32002, "haechi_mcp_invalid_jsonrpc", {
+    return reject(errorJsonRpc(message.id, -32002, "haechi_mcp_invalid_jsonrpc", {
       reason: "MCP messages must use JSON-RPC 2.0"
-    });
+    }));
   }
-  if (message.method && !methodAllowed(message.method, policy.allowedMethods)) {
-    return isNotification ? null : errorJsonRpc(message.id, -32003, "haechi_mcp_method_not_allowed", {
+  // The allowlist describes CLIENT-callable methods. Server-initiated requests
+  // (e.g. sampling/createMessage) are exempted by the caller via
+  // enforceMethodAllowlist: false, but their params are still protected.
+  if (enforceMethodAllowlist && message.method && !methodAllowed(message.method, policy.allowedMethods)) {
+    return reject(errorJsonRpc(message.id, -32003, "haechi_mcp_method_not_allowed", {
       method: message.method
-    });
+    }));
   }
 
   const next = structuredClone(message);
@@ -28,10 +38,11 @@ export async function protectMcpJsonRpcMessage(message, runtime) {
     const result = await runtime.haechi.protectJson(next.params, {
       protocol: "mcp-stdio",
       operation: next.method ?? "params",
+      direction: "request",
       mode: runtime.config.policy.mode ?? runtime.config.mode
     });
     if (result.blocked) {
-      return isNotification ? null : blockedJsonRpc(next.id, result);
+      return reject(blockedJsonRpc(next.id, result));
     }
     next.params = result.payload;
   }
@@ -40,15 +51,21 @@ export async function protectMcpJsonRpcMessage(message, runtime) {
     const result = await runtime.haechi.protectJson(next.result, {
       protocol: "mcp-stdio",
       operation: "result",
+      direction: "response",
       mode: runtime.config.policy.mode ?? runtime.config.mode
     });
     if (result.blocked) {
-      return blockedJsonRpc(next.id, result);
+      return { kind: "reject", message: blockedJsonRpc(next.id, result) };
     }
     next.result = result.payload;
   }
 
-  return next;
+  return { kind: "forward", message: next };
+}
+
+export async function protectMcpJsonRpcMessage(message, runtime, options = {}) {
+  const tagged = await protectTagged(message, runtime, options);
+  return tagged.kind === "drop" ? null : tagged.message;
 }
 
 export async function runMcpStdioFilter({ input = process.stdin, output = process.stdout, runtime }) {
@@ -66,21 +83,85 @@ export async function runMcpStdioFilter({ input = process.stdin, output = proces
       }
       output.write(`${JSON.stringify(protectedMessage)}\n`);
     } catch (error) {
-      output.write(`${JSON.stringify({
-        jsonrpc: "2.0",
-        error: {
-          code: -32000,
-          message: "haechi_mcp_stdio_error",
-          data: {
-            reason: error.message
-          }
-        },
-        id: null
-      })}\n`);
+      output.write(`${JSON.stringify(stdioError(error))}\n`);
     }
   }
 }
 
+// Bidirectional wrap around a spawned MCP server child process:
+//   client → (allowlist + params protection) → child stdin
+//   child stdout → (params/result protection, no client allowlist) → client
+// Rejections in BOTH directions are answered to the client; nothing reaches
+// the child for a rejected client message. Resolves with the child exit code.
+export function wrapMcpChild({ runtime, child, input = process.stdin, output = process.stdout }) {
+  const clientLines = createInterface({ input, crlfDelay: Infinity });
+  const serverLines = createInterface({ input: child.stdout, crlfDelay: Infinity });
+
+  const clientPump = (async () => {
+    for await (const line of clientLines) {
+      if (!line.trim()) {
+        continue;
+      }
+      try {
+        const tagged = await protectTagged(JSON.parse(line), runtime, { enforceMethodAllowlist: true });
+        if (tagged.kind === "forward" && child.stdin.writable) {
+          child.stdin.write(`${JSON.stringify(tagged.message)}\n`);
+        } else if (tagged.kind === "reject") {
+          output.write(`${JSON.stringify(tagged.message)}\n`);
+        }
+      } catch (error) {
+        output.write(`${JSON.stringify(stdioError(error))}\n`);
+      }
+    }
+    if (child.stdin.writable) {
+      child.stdin.end();
+    }
+  })();
+
+  const serverPump = (async () => {
+    for await (const line of serverLines) {
+      if (!line.trim()) {
+        continue;
+      }
+      try {
+        const tagged = await protectTagged(JSON.parse(line), runtime, { enforceMethodAllowlist: false });
+        if (tagged.kind !== "drop") {
+          output.write(`${JSON.stringify(tagged.message)}\n`);
+        }
+      } catch (error) {
+        output.write(`${JSON.stringify(stdioError(error))}\n`);
+      }
+    }
+  })();
+
+  return new Promise((resolve, reject) => {
+    child.once("error", reject);
+    child.once("exit", (code, signal) => {
+      // The child is gone: stop consuming client input so the pumps can
+      // settle even when the caller's input stream stays open.
+      clientLines.close();
+      serverLines.close();
+      Promise.allSettled([clientPump, serverPump]).then(() => {
+        resolve({ code: code ?? (signal ? 1 : 0), signal });
+      });
+    });
+  });
+}
+
+function stdioError(error) {
+  return {
+    jsonrpc: "2.0",
+    error: {
+      code: -32000,
+      message: "haechi_mcp_stdio_error",
+      data: {
+        reason: error.message
+      }
+    },
+    id: null
+  };
+}
+
 function blockedJsonRpc(id, result) {
   return errorJsonRpc(id, -32001, "haechi_policy_block", {
     auditId: result.auditEvent.id,

package/packages/policy/index.mjs

@@ -95,6 +95,12 @@ export function buildPolicy({
       allowUnsafeOverrides
     });
   }
+  // Injection heuristics ship report-only: unless a preset or the user sets an
+  // explicit action, injection detections are audited but never transform or
+  // block. This intentionally bypasses defaultAction.
+  if (!merged.actions.injection) {
+    merged.actions.injection = "allow";
+  }
   validatePolicy(merged);
   return merged;
 }