haechi 0.3.2

package/docs/current/privacy-filtering-policy-draft.md

@@ -0,0 +1,307 @@
+# Privacy Filtering Policy Draft
+
+- Status: Draft 0.1
+- Date: 2026-06-08
+- Related product: Haechi
+
+## 1. Purpose
+
+This document defines a draft policy for detecting and handling personal information and high-risk sensitive data before it is passed to models, tools, agents, logs, traces, and replay artifacts in AI/LLM/MCP environments.
+
+Privacy filtering is not a substitute for encryption. Filtering determines whether data is exposed in plaintext; encryption protects data at rest, in transit, and across authorization boundaries. Haechi applies both mechanisms together.
+
+## 2. Filtering Points
+
+| Point | Description | Default Policy |
+|---|---|---|
+| Pre-model | Filter prompts/messages before calling an LLM provider | Must |
+| Post-model | Filter LLM responses before delivering them to users, agents, or tools | Must |
+| MCP tool input | Filter MCP tools/call arguments | Must |
+| MCP tool output | Filter tool results and resource content | Must |
+| RAG input | Filter retrieval queries, snippets, and source metadata | Should |
+| A2A message | Filter agent messages, tasks, and artifacts | Should |
+| Observability | Filter logs, traces, replays, and metric labels | Must |
+
+## 3. Default Detection Catalog
+
+| Category | Examples | Default Action |
+|---|---|---|
+| Unique identifiers | Korean RRN, alien registration number, passport number, driver's license number | block or tokenize |
+| Sensitive data | Health information, biometric data, genetic data, criminal records, political/union/religious information | block or human-review |
+| Contact information | Mobile phone number, telephone number, email, address | mask or tokenize |
+| Financial information | Bank account number, card number, card expiry date, CVC-like values | tokenize or block |
+| Credentials | Passwords, access tokens, refresh tokens, API keys, private keys | block |
+| Customer data | Customer ID, contract number, order number, internal identifiers | tokenize or encrypt |
+| AI-specific sensitive data | Secrets in prompts, personal information in tool outputs, personal information in RAG snippets | redact, tokenize, or encrypt |
+
+## 4. Global Regulatory Profiles
+
+Regional default profiles alter the detection catalog, default actions, transfer restrictions, audit fields, and retention policies. This table is a starting point for product policy design and does not substitute for legal counsel.
+
+| Profile | Key Standards | Default Enhancements |
+|---|---|---|
+| KR-PIPA | Personal information, unique identifiers, sensitive information, security measures | Unique identifier block/tokenize, encryption key management, access logging |
+| EU-GDPR | personal data, special categories, pseudonymisation, data minimisation, international transfer | Special category default block/human-review, SCC/adequacy evidence, DPIA evidence |
+| UK-GDPR | UK GDPR, IDTA/Addendum, special category data | UK transfer mechanism evidence, enhanced special category handling |
+| US-CCPA-CPRA | personal information, sensitive personal information, limit use/disclosure | SPI limit-use flag, consumer request evidence |
+| US-HIPAA | PHI, covered entity/business associate, de-identification | PHI default block/tokenize, Safe Harbor style identifier catalog, BAA evidence |
+| PCI-DSS | cardholder data, sensitive authentication data | PAN tokenize/mask, CVC block, prohibition on logging payment data |
+| JP-APPI | personal information, special care-required personal information, anonymized/pseudonymized information | Special care-required information human-review, cross-border consent/evidence |
+| SG-PDPA | consent, purpose limitation, protection, retention, transfer limitation | Purpose binding, transfer limitation evidence |
+| CA-PIPEDA | consent, limiting collection/use/disclosure, safeguards, cross-border handling | Consent/purpose evidence, safeguard audit |
+| BR-LGPD | personal data, sensitive personal data, international transfer | Enhanced sensitive data handling, ANPD transfer mechanism evidence |
+
+## 5. Global Policy Decision Context
+
+| Context | Description |
+|---|---|
+| data_subject_region | Inferred or declared region of the data subject |
+| controller_region | Region of the customer/controller |
+| processor_region | Region where Haechi/processor processes data |
+| model_provider_region | Region where the LLM provider processes data |
+| transfer_mechanism | SCC, IDTA, adequacy, BCR, consent, local-only, etc. |
+| sector_profile | healthcare, payment, finance, education, public sector, etc. |
+| lawful_basis_or_purpose | Customer-defined value expressing the processing purpose or legal basis |
+| residency_policy | local-only, region-locked, allowed-regions |
+| retention_policy | Retention policy for audit and token vault |
+
+## 6. Detection Methods
+
+| Method | Applies To | Requirements |
+|---|---|---|
+| Deterministic rule | Korean RRN, card number, email, phone number, API key | Rule IDs and versions must be managed. |
+| Checksum validation | Korean RRN candidates, card number candidates | Candidates that fail validation receive a lower confidence score. |
+| Dictionary | Organization names, internal system names, prohibited terms | Per-tenant dictionaries must be supported. |
+| NER/classifier | Names, addresses, medical/health context, sensitive inference | Local-first by default; external transmission requires separate consent or policy. |
+| Custom entity rule | Customer-specific identifiers, contract numbers, ticket numbers | Schema and action are defined in policy. |
+
+## 7. Custom Filtering
+
+Default regulatory profiles cannot have full knowledge of a customer's internal data. Haechi must provide per-tenant custom filters as a first-class feature.
+
+### 7.1 Custom Detection Targets
+
+| Target | Examples |
+|---|---|
+| Internal identifiers | Customer ID, employee ID, membership ID, contract number, order number, ticket number |
+| Product/project confidential data | Code names, product launch names, internal roadmap keywords |
+| Internal system information | internal hostname, repository name, table name, service name |
+| Industry-specific data | Medical chart ID, insurance policy number, invoice number, account alias |
+| AI-specific data | prompt template secret, tool name, private skill name, vector collection name |
+| Security information | internal API key prefix, service account, private endpoint, secret naming pattern |
+
+### 7.2 Custom Filter DSL Requirements
+
+| Feature | Description |
+|---|---|
+| regex | Regex-based detection |
+| checksum | Customer-defined checksum or validator function |
+| dictionary | Per-tenant word/phrase dictionary |
+| allowlist | False positive exception handling |
+| denylist | Immediate block targets |
+| path scope | Scope specification by JSONPath, protobuf field path, MCP method, or A2A part type |
+| context condition | Conditions on tenant, app, environment, model provider, region, or purpose |
+| action override | Apply a stricter action than the default profile action |
+| confidence override | Per-rule confidence calculation or fixed confidence value |
+| test fixture | Positive/negative samples with expected actions |
+
+### 7.3 Rule Lifecycle
+
+| Stage | Requirements |
+|---|---|
+| draft | Rule authors must be able to create drafts without affecting production traffic. |
+| validate | Must check schema, regex safety, catastrophic backtracking, and action conflicts. |
+| test | False positive/negative rates must be measured using fixtures and shadow traffic. |
+| approve | High-risk actions — e.g., block, external classifier, region override — require an approval workflow. |
+| publish | Versioned rollout and tenant/app/environment scope are required. |
+| monitor | Hit rate, action rate, and override rate must be observable. |
+| rollback | Must be able to immediately revert to a previous rule version. |
+
+### 7.4 Priority
+
+Stronger protection takes precedence over weaker protection.
+
+1. Emergency global block rule
+2. Legal/regional profile mandatory rule
+3. Sector profile mandatory rule
+4. Tenant custom rule
+5. Application custom rule
+6. Allowlist exception
+7. Default profile rule
+
+An allowlist must not be able to bypass hard-block entities such as unique identifiers, PHI, card security codes, and secrets.
+
+### 7.5 Custom Rule Examples
+
+```yaml
+customRules:
+  - id: tenant-contract-id
+    version: 3
+    owner: privacy-team
+    match:
+      regex: "\\bCTR-[0-9]{4}-[A-Z0-9]{8}\\b"
+      entityType: TENANT_CONTRACT_ID
+      scope:
+        sources:
+          - pre_model
+          - mcp_tool_input
+          - a2a_artifact
+    action: tokenize
+    tests:
+      positive:
+        - input: "Contract number is CTR-2026-AB12CD34."
+          expectedEntity: TENANT_CONTRACT_ID
+          expectedAction: tokenize
+      negative:
+        - input: "CTR-ABCD is a product code."
+          expectedEntity: null
+
+  - id: internal-project-codename
+    version: 1
+    match:
+      dictionaryRef: dict://tenant-a/project-codenames
+      caseSensitive: false
+    action: block
+    appliesTo:
+      modelProviderRegionNotIn:
+        - local
+        - private-cloud
+```
+
+## 8. Processing Actions
+
+| Action | Meaning |
+|---|---|
+| allow | Permit the detected result. An audit event is still recorded. |
+| mask | Retain only some characters and mask the rest. |
+| redact | Remove the value and replace it with a placeholder. |
+| tokenize | Replace with a recoverable token. Recovery is performed after authorization evaluation. |
+| encrypt | Replace with an envelope ciphertext. |
+| block | Block the request, response, tool-call, or artifact delivery. |
+| human-review | Send to an approval workflow. Do not forward automatically. |
+| region-deny | Block due to a regional/transfer policy violation. |
+| local-only | Allow local processing only; no calls to external providers. |
+
+## 9. Policy Examples
+
+```yaml
+profiles:
+  active:
+    - KR-PIPA
+    - EU-GDPR
+    - US-CCPA-CPRA
+
+rules:
+  - id: kr-unique-id-default
+    match:
+      entityTypes:
+        - KR_RRN
+        - KR_ALIEN_REG_NO
+        - PASSPORT_NO
+        - DRIVER_LICENSE_NO
+    action: block
+    appliesTo:
+      - pre_model
+      - mcp_tool_input
+      - observability
+
+  - id: contact-info-tokenize
+    match:
+      entityTypes:
+        - EMAIL
+        - PHONE
+        - ADDRESS
+    action: tokenize
+    reveal:
+      allowedPurposes:
+        - customer_support
+      requireAudit: true
+
+  - id: tool-output-redact
+    match:
+      source: mcp_tool_output
+      minConfidence: 0.65
+    action: redact
+
+  - id: eu-special-category-transfer-guard
+    match:
+      profiles:
+        - EU-GDPR
+      entityTypes:
+        - HEALTH_DATA
+        - BIOMETRIC_ID
+        - POLITICAL_OPINION
+        - UNION_MEMBERSHIP
+      destination:
+        modelProviderRegionNotIn:
+          - EU
+          - EEA
+    action: region-deny
+    require:
+      transferMechanism:
+        - adequacy
+        - SCC
+        - BCR
+```
+
+## 10. Audit Events
+
+Audit events must not contain the original plaintext values.
+
+| Field | Description |
+|---|---|
+| decision_id | Policy decision ID |
+| entity_type | Detected entity type |
+| rule_id | Rule that was applied |
+| confidence | Detection confidence |
+| action | Processing action applied |
+| source | pre_model, mcp_tool_input, etc. |
+| tenant_id_hash | Hash of the tenant identifier |
+| agent_id_hash | Hash of the agent identifier |
+| request_id | Correlation ID |
+| profile | Regional/sector profile applied |
+| transfer_mechanism | Transfer mechanism applied |
+| residency_decision | Residency policy decision |
+| custom_rule_id | Rule ID if a custom rule was applied |
+| custom_rule_version | Custom rule version |
+
+## 11. Test Requirements
+
+- Maintain Korean personal information fixtures.
+- Maintain fixtures for EU special categories, US sensitive personal information, HIPAA PHI, PCI card data, and Japan/Singapore/Brazil/Canada data.
+- Korean RRN, alien registration number, and card number fixtures must include both checksum-positive and checksum-negative cases.
+- Positive and negative fixtures are mandatory for each custom rule.
+- Check for regex catastrophic backtracking and excessive CPU/memory usage.
+- Test that allowlists cannot bypass hard-block entities.
+- Maintain fixtures per source: prompt, MCP tool input/output, resource, artifact, and log line.
+- Measure false positives and false negatives separately.
+- Perform snapshot tests to verify that no original plaintext remains in pre- and post-filtering results.
+- When using an external classifier, separately verify that personal information is not transmitted in the classifier request payload.
+- Perform negative tests for region-deny, local-only, allowed-regions, and missing transfer-mechanism scenarios.
+
+## 12. Open Questions
+
+- Decide whether high-risk identifiers such as Korean RRNs should be blocked in all environments, or whether tokenization should be permitted in air-gapped or customer-managed-key environments.
+- Decide whether name/address detection should rely primarily on deterministic rules or also include NER classifiers.
+- Decide whether the privacy filtering confidence threshold should be a global default or configurable per tenant.
+- Decide whether filtering results should be described to the LLM via placeholders or removed entirely.
+- Decide whether GDPR/UK GDPR transfer mechanisms should be hard-enforced by the product or left to customer-provided evidence validation.
+- Decide whether HIPAA/PCI sector profiles should be included in the MVP.
+- Decide whether the custom filter DSL should be maintained as a proprietary YAML schema or adopt a limited subset of an existing expression language such as CEL, OPA, or Rego.
+- Decide whether customer-provided dictionaries should be encrypted with a product-managed KMS or only with customer-managed keys.
+
+## 13. References
+
+- Korea Personal Information Safety Measures Standards: https://law.go.kr/LSW/admRulInfoP.do?admRulSeq=2100000192069&chrClsCd=010201
+- Korea Personal Information Protection Commission Guidelines: https://law.go.kr/LSW/admRulLsInfoP.do?admRulSeq=2100000240116
+- KISA Cryptography Usage FAQ: https://seed.kisa.or.kr/kisa/bbs/faq.do
+- European Commission GDPR overview: https://commission.europa.eu/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en
+- European Commission SCC: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
+- California CCPA: https://www.oag.ca.gov/privacy/ccpa
+- HHS HIPAA Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
+- NIST Privacy Framework: https://www.nist.gov/privacy-framework
+- Japan PPC APPI: https://www.ppc.go.jp/en/legal/
+- Singapore PDPC: https://www.imda.gov.sg/About-IMDA/Data-Protection/personal-data-protection
+- Canada PIPEDA: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief
+- Brazil LGPD: https://www.gov.br/anpd/pt-br/centrais-de-conteudo/outros-documentos-e-publicacoes-institucionais/lgpd-en-lei-no-13-709-capa.pdf/view
+- PCI DSS: https://www.pcisecuritystandards.org/standards/pci-dss/

package/docs/current/release-0.2-implementation-scope.ko.md

@@ -0,0 +1,46 @@
+# Release 0.2 구현 범위
+
+- 문서 상태: Draft 0.1
+- 작성일: 2026-06-09
+- 관련 제품: Haechi
+
+## 1. 목표
+
+0.2는 0.1 quickstart 위에 보안 신뢰 경계와 교체 가능성을 보강한다.
+
+포함 범위:
+
+- local encrypted TokenVault
+- signed policy bundle signing/verification
+- plugin manifest validation
+- MCP stdio JSON-RPC line filter skeleton
+- 관련 CLI와 테스트
+
+## 2. CLI 추가
+
+```bash
+node packages/cli/bin/haechi.mjs policy-sign policy.json --out policy.bundle.json
+node packages/cli/bin/haechi.mjs policy-verify policy.bundle.json
+node packages/cli/bin/haechi.mjs plugin-validate examples/plugins/custom-filter.plugin.json
+node packages/cli/bin/haechi.mjs token-reveal <token>
+node packages/cli/bin/haechi.mjs token-purge <token>
+node packages/cli/bin/haechi.mjs mcp-stdio --config haechi.config.json
+```
+
+## 3. 제외 범위
+
+- 외부 Vault/AWS/GCP/Azure KMS 실제 연동
+- plugin code dynamic loading
+- MCP server child process lifecycle management
+- signed release artifact와 SBOM 자동 생성
+- Python SDK
+
+## 4. 완료 기준
+
+| 기준 | 완료 조건 |
+|---|---|
+| TokenVault | `tokenize` action이 encrypted local vault에 mapping 저장 |
+| Signed policy | policy bundle 서명 검증 실패 시 runtime load 실패 |
+| Plugin manifest | capability와 dataHandling 필드 검증 |
+| MCP stdio | JSON-RPC `params`/`result` payload 보호 |
+| Tests | token vault, policy bundle, plugin manifest, MCP stdio fixture 통과 |

package/docs/current/release-0.2-implementation-scope.md

@@ -0,0 +1,46 @@
+# Release 0.2 Implementation Scope
+
+- Status: Draft 0.1
+- Date: 2026-06-09
+- Target version: Haechi
+
+## 1. Goals
+
+0.2 reinforces the security trust boundary and replaceability on top of the 0.1 quickstart.
+
+Included scope:
+
+- Local encrypted TokenVault
+- Signed policy bundle signing/verification
+- Plugin manifest validation
+- MCP stdio JSON-RPC line filter skeleton
+- Related CLI commands and tests
+
+## 2. New CLI Commands
+
+```bash
+node packages/cli/bin/haechi.mjs policy-sign policy.json --out policy.bundle.json
+node packages/cli/bin/haechi.mjs policy-verify policy.bundle.json
+node packages/cli/bin/haechi.mjs plugin-validate examples/plugins/custom-filter.plugin.json
+node packages/cli/bin/haechi.mjs token-reveal <token>
+node packages/cli/bin/haechi.mjs token-purge <token>
+node packages/cli/bin/haechi.mjs mcp-stdio --config haechi.config.json
+```
+
+## 3. Excluded Scope
+
+- Live integration with external Vault/AWS/GCP/Azure KMS
+- Dynamic loading of plugin code
+- MCP server child process lifecycle management
+- Automated generation of signed release artifacts and SBOM
+- Python SDK
+
+## 4. Completion Criteria
+
+| Criterion | Done When |
+|---|---|
+| TokenVault | `tokenize` action stores mappings in an encrypted local vault |
+| Signed policy | Runtime load fails when policy bundle signature verification fails |
+| Plugin manifest | `capability` and `dataHandling` fields are validated |
+| MCP stdio | JSON-RPC `params`/`result` payloads are protected |
+| Tests | token vault, policy bundle, plugin manifest, and MCP stdio fixtures pass |

package/docs/current/release-0.3-implementation-scope.ko.md

@@ -0,0 +1,86 @@
+# Release 0.3 구현 범위
+
+- 문서 상태: Draft 0.1
+- 작성일: 2026-06-10
+- 관련 제품: Haechi
+
+## 1. 목표
+
+0.3은 Haechi를 vLLM, Ollama, llama.cpp 같은 self-hosted/local inference server 앞단에 더 쉽게 붙일 수 있도록 한다.
+
+포함 범위:
+
+- OpenAI-compatible, vLLM, Ollama, llama.cpp protocol adapter preset
+- request path별 operation 분류와 audit correlation
+- 선택적 JSON response protection
+- `local-inference` policy preset
+- npm publish-ready package metadata, exports, files 목록
+- 0.3.1 safety patch: remote bind guard, streaming fail-closed, response failure policy, audit hash chain, provider injection, CI/SBOM/provenance workflow
+
+## 2. 적용 예시
+
+### vLLM
+
+```json
+{
+  "target": {
+    "type": "vllm-openai",
+    "upstream": "http://127.0.0.1:8000"
+  },
+  "policy": {
+    "mode": "enforce",
+    "presets": ["local-inference"]
+  },
+  "responseProtection": {
+    "enabled": true,
+    "mode": "enforce"
+  }
+}
+```
+
+### Ollama
+
+```json
+{
+  "target": {
+    "adapter": "ollama",
+    "upstream": "http://127.0.0.1:11434"
+  },
+  "policy": {
+    "mode": "enforce",
+    "presets": ["local-inference"]
+  }
+}
+```
+
+### llama.cpp
+
+```json
+{
+  "target": {
+    "adapter": "llama-cpp",
+    "upstream": "http://127.0.0.1:8080"
+  },
+  "policy": {
+    "mode": "enforce",
+    "presets": ["local-inference"]
+  }
+}
+```
+
+## 3. 제외 범위
+
+- SSE/NDJSON streaming response transformation beyond default fail-closed blocking
+- 이미지/멀티모달 payload 전용 media scanner
+- vendor-specific KMS, Vault, HSM adapter implementation
+- production authentication/authorization gateway
+
+## 4. 완료 기준
+
+| 기준 | 완료 조건 |
+|---|---|
+| Protocol adapters | vLLM, Ollama, llama.cpp route classification test 통과 |
+| Response protection | upstream JSON 응답의 민감정보가 정책에 따라 변환되고 audit에 평문이 남지 않음 |
+| Package readiness | `npm pack --dry-run` 통과 |
+| Release safety | `npm run release:preflight` 통과 |
+| Regression | 전체 `npm test` 통과 |

package/docs/current/release-0.3-implementation-scope.md

@@ -0,0 +1,86 @@
+# Release 0.3 Implementation Scope
+
+- Status: Draft 0.1
+- Date: 2026-06-10
+- Target version: Haechi
+
+## 1. Goals
+
+0.3 makes it easier to place Haechi in front of self-hosted/local inference servers such as vLLM, Ollama, and llama.cpp.
+
+Included scope:
+
+- OpenAI-compatible, vLLM, Ollama, and llama.cpp protocol adapter presets
+- Per-request-path operation classification and audit correlation
+- Optional JSON response protection
+- `local-inference` policy preset
+- npm publish-ready package metadata, exports, and files list
+- 0.3.1 safety patch: remote bind guard, streaming fail-closed, response failure policy, audit hash chain, provider injection, CI/SBOM/provenance workflow
+
+## 2. Usage Examples
+
+### vLLM
+
+```json
+{
+  "target": {
+    "type": "vllm-openai",
+    "upstream": "http://127.0.0.1:8000"
+  },
+  "policy": {
+    "mode": "enforce",
+    "presets": ["local-inference"]
+  },
+  "responseProtection": {
+    "enabled": true,
+    "mode": "enforce"
+  }
+}
+```
+
+### Ollama
+
+```json
+{
+  "target": {
+    "adapter": "ollama",
+    "upstream": "http://127.0.0.1:11434"
+  },
+  "policy": {
+    "mode": "enforce",
+    "presets": ["local-inference"]
+  }
+}
+```
+
+### llama.cpp
+
+```json
+{
+  "target": {
+    "adapter": "llama-cpp",
+    "upstream": "http://127.0.0.1:8080"
+  },
+  "policy": {
+    "mode": "enforce",
+    "presets": ["local-inference"]
+  }
+}
+```
+
+## 3. Excluded Scope
+
+- SSE/NDJSON streaming response transformation beyond default fail-closed blocking
+- Dedicated media scanner for image/multimodal payloads
+- Vendor-specific KMS, Vault, and HSM adapter implementations
+- Production authentication/authorization gateway
+
+## 4. Completion Criteria
+
+| Criterion | Done When |
+|---|---|
+| Protocol adapters | vLLM, Ollama, and llama.cpp route classification tests pass |
+| Response protection | Sensitive data in upstream JSON responses is transformed per policy; no plaintext remains in the audit log |
+| Package readiness | `npm pack --dry-run` passes |
+| Release safety | `npm run release:preflight` passes |
+| Regression | Full `npm test` passes |

package/docs/current/release-0.3.2-hardening-scope.ko.md

@@ -0,0 +1,64 @@
+# Haechi 0.3.2 Hardening Scope
+
+- 문서 상태: Final
+- 작성일: 2026-06-10
+- 기준 버전: 0.3.2
+- 성격: 보안 하드닝 릴리스, 첫 npm developer preview 배포 대상
+
+## 1. 배경
+
+0.3.1 전체 코드 리뷰에서 식별된 16건의 리스크를 해소한 릴리스다. 상세 리스크 목록과 해소 증거는 `risk-register-release-gate.md` 5.2절(P0-SEC-016 ~ P2-DOC-005)을 따른다.
+
+npm에 한 번도 배포된 적이 없으므로 0.3.2가 첫 배포 버전이다. 첫 배포를 기능 릴리스(0.4.0)와 분리해 패키지 이름 소유권 확정과 publish 파이프라인(provenance, GitHub release workflow) 검증을 저위험 릴리스에서 먼저 통과시킨다.
+
+## 2. 변경 요약
+
+### 차단/집행 경로
+- Ollama `/api/chat`·`/api/generate`는 `stream: false` 명시가 없으면 streaming으로 간주, 기본 501 fail-closed (protocol adapter `streamingDefault`)
+- unknown `target.type`은 config 검증 단계에서 fail-closed (`llm-http` alias만 openai-compatible로 허용)
+- upstream fetch에 `limits.upstreamTimeoutMs`(기본 120000) 적용, 초과 시 `504 haechi_upstream_timeout`, 연결 실패 시 `502 haechi_upstream_unreachable`
+- proxy 내부 오류 메시지 일반화 (상세는 stderr)
+
+### 탐지/변환
+- JSON number leaf(카드번호 등)와 object key 이름도 detection/transform 대상 (enforce 시 key rename, 충돌은 `#n` suffix)
+- 8자 이하 mask는 전체 마스킹
+- `assignment-secret` 패턴 lookbehind 전환 — key 이름 보존, 값만 치환
+- privacy profile은 `ACTION_STRENGTH` 비교로 사용자 명시 정책을 강화만 가능
+
+### 키/암호
+- `decrypt`가 envelope `kid`로 키 선택 (구버전 envelope 복호 유지)
+- `initLocalKeyFile --force`는 기존 키를 `retired`로 보존하는 rotation으로 변경
+- policy bundle 서명 키를 `haechi:policy-bundle:signing:v1` domain-separated 파생 키로 분리
+
+### TokenVault/Audit
+- reveal/purge 결정을 audit 기록 (`reveal_allowed/denied/failed`, `purge`, `purge_expired` — 토큰 id만, 평문 불포함)
+- vault mutation 시 만료 토큰 자동 삭제, `purgeExpired()` 및 `haechi token-purge --expired` 추가
+- audit append를 tail-chunk 읽기로 O(1)화
+- audit/vault lock 파일 30초 초과 시 stale 판정 후 자동 탈취
+
+### UX/가시성
+- proxy 기동 시와 `protect` 출력에 비집행 모드(dry-run/report-only)·responseProtection 비활성 경고
+- `protect` 출력에 `mode`/`enforced`/`warnings` 필드 추가
+
+### MCP
+- notification(id 없는 메시지)은 JSON-RPC 스펙대로 오류 응답 없이 drop
+- batch 배열은 명시적 fail-closed 거부
+
+## 3. 호환성 주의 (0.3.1 대비)
+
+배포된 사용자가 없으므로 마이그레이션 경로는 제공하지 않고 기록만 남긴다.
+
+- 0.3.1 키로 서명한 policy bundle은 서명 키 분리로 검증에 실패한다. `haechi policy-sign`으로 재서명해야 한다.
+- detection 범위 확대(number/key)와 mask 동작 변경으로 enforce 모드 출력이 0.3.1과 다를 수 있다.
+- audit 이벤트 detection 항목에 `kind` 필드가 추가됐다.
+
+## 4. 명시적 제외 (0.4+ backlog)
+
+- base64/URL-encoded 값 디코딩 후 검사
+- URL query string 검사
+- audit hash chain tail truncation 탐지 (외부 앵커 필요)
+- SSE/NDJSON stream inspection (0.5.0)
+
+## 5. 배포 게이트
+
+`risk-register-release-gate.md` 7절 체크리스트를 따른다. `npm run release:preflight` 통과 후 인증된 계정에서 `release:preflight:npm` 및 GitHub release workflow로 배포한다.