haechi 0.3.2

package/packages/policy-bundle/index.mjs

@@ -0,0 +1,91 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+import { readFile, writeFile } from "node:fs/promises";
+import { readFileSync } from "node:fs";
+import { canonicalize } from "../crypto/index.mjs";
+
+const ALG = "HS256";
+
+export async function signPolicyBundleFile({ policyPath, keyFile, outPath }) {
+  const policy = JSON.parse(await readFile(policyPath, "utf8"));
+  const bundle = signPolicyBundle(policy, { keyFile });
+  await writeFile(outPath, `${JSON.stringify(bundle, null, 2)}\n`, "utf8");
+  return bundle;
+}
+
+export function signPolicyBundle(policy, { keyFile }) {
+  const key = loadActiveKey(keyFile);
+  const payload = {
+    version: 1,
+    alg: ALG,
+    kid: key.kid,
+    signedAt: new Date().toISOString(),
+    policy
+  };
+  return {
+    ...payload,
+    signature: hmac(key.key, payload)
+  };
+}
+
+export async function verifyPolicyBundleFile({ bundlePath, keyFile }) {
+  const bundle = JSON.parse(await readFile(bundlePath, "utf8"));
+  return verifyPolicyBundle(bundle, { keyFile });
+}
+
+export function loadVerifiedPolicyBundleFileSync({ bundlePath, keyFile }) {
+  const bundle = JSON.parse(readFileSync(bundlePath, "utf8"));
+  return verifyPolicyBundle(bundle, { keyFile });
+}
+
+export function verifyPolicyBundle(bundle, { keyFile }) {
+  if (!bundle || bundle.alg !== ALG || !bundle.policy || !bundle.signature) {
+    throw new Error("Invalid policy bundle");
+  }
+  const key = loadActiveKey(keyFile, bundle.kid);
+  const payload = {
+    version: bundle.version,
+    alg: bundle.alg,
+    kid: bundle.kid,
+    signedAt: bundle.signedAt,
+    policy: bundle.policy
+  };
+  const expected = hmac(key.key, payload);
+  if (!safeEqual(expected, bundle.signature)) {
+    throw new Error("Policy bundle signature verification failed");
+  }
+  return {
+    valid: true,
+    kid: bundle.kid,
+    signedAt: bundle.signedAt,
+    policy: bundle.policy
+  };
+}
+
+function loadActiveKey(keyFile, kid = null) {
+  const raw = JSON.parse(readFileSync(keyFile, "utf8"));
+  const selected = kid
+    ? raw.keys.find((key) => key.kid === kid)
+    : raw.keys.find((key) => key.status === "active") ?? raw.keys[0];
+  if (!selected) {
+    throw new Error(`Signing key not found: ${kid ?? "active"}`);
+  }
+  return {
+    kid: selected.kid,
+    key: Buffer.from(selected.k, "base64url")
+  };
+}
+
+const SIGNING_KEY_DOMAIN = "haechi:policy-bundle:signing:v1";
+
+function hmac(key, payload) {
+  // Domain-separated signing key: the stored key material doubles as the
+  // AES-256-GCM encryption key, so it must never be used for HMAC directly.
+  const signingKey = createHmac("sha256", key).update(SIGNING_KEY_DOMAIN).digest();
+  return createHmac("sha256", signingKey).update(canonicalize(payload)).digest("base64url");
+}
+
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}

package/packages/privacy-profiles/index.mjs

@@ -0,0 +1,92 @@
+import { ACTION_STRENGTH } from "../policy/index.mjs";
+
+const PROFILES = {
+  "kr-pipa": {
+    id: "kr-pipa",
+    region: "KR",
+    regulations: ["PIPA", "Credit Information Act"],
+    policy: {
+      actions: {
+        kr_rrn: "block",
+        phone: "mask",
+        email: "redact",
+        card: "block",
+        api_key: "block",
+        secret: "block"
+      }
+    },
+    transfer: {
+      requiresAssessment: true,
+      note: "Document cross-border transfer purpose, recipient, retention, and user notice before production use."
+    }
+  },
+  "eu-gdpr": {
+    id: "eu-gdpr",
+    region: "EU",
+    regulations: ["GDPR"],
+    policy: {
+      actions: {
+        email: "tokenize",
+        phone: "mask",
+        card: "block",
+        api_key: "block",
+        secret: "block",
+        kr_rrn: "block"
+      }
+    },
+    transfer: {
+      requiresAssessment: true,
+      note: "Treat model/tool transfer as processor/subprocessor transfer and document SCC/TIA evidence outside Haechi."
+    }
+  },
+  "us-general": {
+    id: "us-general",
+    region: "US",
+    regulations: ["CCPA/CPRA", "HIPAA-sensitive deployments require separate controls"],
+    policy: {
+      actions: {
+        email: "redact",
+        phone: "mask",
+        card: "block",
+        api_key: "block",
+        secret: "block"
+      }
+    },
+    transfer: {
+      requiresAssessment: false,
+      note: "Classify sector rules separately before using protected health, payment, or children's data."
+    }
+  }
+};
+
+export function listPrivacyProfiles() {
+  return Object.values(PROFILES).map((profile) => structuredClone(profile));
+}
+
+export function getPrivacyProfile(id) {
+  const profile = PROFILES[id];
+  if (!profile) {
+    throw new Error(`Unknown privacy profile: ${id}`);
+  }
+  return structuredClone(profile);
+}
+
+export function applyPrivacyProfile(policy = {}, profileId) {
+  const profile = getPrivacyProfile(profileId);
+  const actions = { ...(policy.actions ?? {}) };
+
+  // Profiles are baseline defaults: they may strengthen an action but must
+  // never silently weaken an explicitly stricter user setting.
+  for (const [type, action] of Object.entries(profile.policy.actions)) {
+    const existing = actions[type];
+    if (!existing || ACTION_STRENGTH[action] > ACTION_STRENGTH[existing]) {
+      actions[type] = action;
+    }
+  }
+
+  return {
+    ...policy,
+    privacyProfile: profile.id,
+    actions
+  };
+}

package/packages/protocol-adapters/index.mjs

@@ -0,0 +1,111 @@
+const ADAPTERS = {
+  "openai-compatible": {
+    id: "openai-compatible",
+    protocol: "llm-http",
+    routes: [
+      route("/v1/chat/completions", "chat-completions"),
+      route("/v1/completions", "completions"),
+      route("/v1/responses", "responses"),
+      route("/v1/embeddings", "embeddings")
+    ]
+  },
+  "vllm-openai": {
+    id: "vllm-openai",
+    protocol: "vllm-openai",
+    routes: [
+      route("/v1/chat/completions", "chat-completions"),
+      route("/v1/completions", "completions"),
+      route("/v1/responses", "responses"),
+      route("/v1/embeddings", "embeddings")
+    ]
+  },
+  "llama-cpp": {
+    id: "llama-cpp",
+    protocol: "llama-cpp",
+    routes: [
+      route("/v1/chat/completions", "chat-completions"),
+      route("/v1/completions", "completions"),
+      route("/v1/embeddings", "embeddings"),
+      route("/completion", "legacy-completion")
+    ]
+  },
+  "ollama": {
+    id: "ollama",
+    protocol: "ollama",
+    routes: [
+      // Ollama streams /api/chat and /api/generate unless the request sets stream:false.
+      route("/api/chat", "chat", { streamingDefault: true }),
+      route("/api/generate", "generate", { streamingDefault: true }),
+      route("/api/embed", "embed"),
+      route("/api/embeddings", "embeddings")
+    ]
+  }
+};
+
+const TARGET_TYPE_ALIASES = {
+  "llm-http": "openai-compatible"
+};
+
+export function createProtocolAdapter(target = {}) {
+  const adapterId = target.adapter ?? adapterFromTargetType(target.type);
+  const adapter = ADAPTERS[adapterId];
+  if (!adapter) {
+    throw new Error(`Unknown protocol adapter: ${adapterId}`);
+  }
+
+  return {
+    id: adapter.id,
+    protocol: adapter.protocol,
+    classifyRequest(request) {
+      const pathname = pathFromRequestUrl(request.url);
+      const matched = matchRoute(adapter.routes, pathname);
+      const operation = matched
+        ? `${request.method} ${matched.operation}`
+        : `${request.method} ${pathname}`;
+
+      return {
+        adapterId: adapter.id,
+        protocol: adapter.protocol,
+        routeId: matched?.id ?? "unknown",
+        path: pathname,
+        operation,
+        protectRequest: matched?.protectRequest ?? true,
+        protectResponse: matched?.protectResponse ?? true,
+        streamingByDefault: matched?.streamingDefault ?? false
+      };
+    }
+  };
+}
+
+export function knownProtocolAdapters() {
+  return Object.keys(ADAPTERS);
+}
+
+function adapterFromTargetType(type = "llm-http") {
+  if (ADAPTERS[type]) {
+    return type;
+  }
+  if (TARGET_TYPE_ALIASES[type]) {
+    return TARGET_TYPE_ALIASES[type];
+  }
+  throw new Error(`Unknown target.type: ${type}. Known types: ${["llm-http", ...Object.keys(ADAPTERS)].join(", ")}`);
+}
+
+function route(path, operation, options = {}) {
+  return {
+    id: operation,
+    path,
+    operation,
+    protectRequest: options.protectRequest ?? true,
+    protectResponse: options.protectResponse ?? true,
+    streamingDefault: options.streamingDefault ?? false
+  };
+}
+
+function pathFromRequestUrl(url) {
+  return new URL(url, "http://haechi.local").pathname;
+}
+
+function matchRoute(routes, pathname) {
+  return routes.find((candidate) => candidate.path === pathname);
+}