haechi 0.4.0 → 0.5.0

package/packages/cli/bin/haechi.mjs

@@ -10,6 +10,7 @@ import { DEFAULT_CONFIG_PATH, createRuntime, isValidPort, loadConfig, writeDefau
 
 const [command, ...argv] = process.argv.slice(2);
 
+async function main(command, argv) {
 try {
   switch (command) {
     case "init":
@@ -54,19 +55,23 @@ try {
     case "mcp-wrap":
       await mcpWrapCommand(argv);
       break;
+    case "config":
+      printConfigGuide();
+      break;
     case "help":
     case "--help":
     case "-h":
     case undefined:
-      printHelp();
+      printHelp(argv[0]);
       break;
     default:
-      throw new Error(`Unknown command: ${command}`);
+      throw new Error(`Unknown command: ${command}. Run 'haechi help' for usage.`);
   }
 } catch (error) {
   console.error(`haechi: ${error.message}`);
   process.exitCode = process.exitCode || 1;
 }
+}
 
 async function initCommand(argv) {
   const options = parseOptions(argv);
@@ -222,7 +227,8 @@ async function statusCommand(argv) {
         mode: config.responseProtection.mode,
         failureMode: config.responseProtection.failureMode
       },
-      streamingRequestMode: config.streaming.requestMode
+      streamingRequestMode: config.streaming.requestMode,
+      streamingResponseMode: config.streaming.responseMode
     },
     target: {
       type: config.target.type,
@@ -464,26 +470,161 @@ function parsePort(value) {
   return port;
 }
 
-function printHelp() {
-  console.log(`Haechi MVP CLI
+const COMMAND_HELP = {
+  init: {
+    usage: "haechi init [--config haechi.config.json] [--force]",
+    summary: "Create a local key, sample config, and audit path.",
+    detail: "Writes haechi.config.json and .haechi/dev.keys.json (0600). --force rotates the key (prior keys are retired, not deleted) and overwrites the config."
+  },
+  protect: {
+    usage: "haechi protect <input.json> [--config haechi.config.json]",
+    summary: "Inspect and protect a JSON payload, printing the result.",
+    detail: "Reads input.json, applies the policy, and prints the protected payload, audit id, and warnings. Exit 3 if the payload is blocked."
+  },
+  report: {
+    usage: "haechi report [--audit .haechi/audit.jsonl]",
+    summary: "Summarize audit events without raw payloads."
+  },
+  "audit-verify": {
+    usage: "haechi audit-verify [--audit .haechi/audit.jsonl] [--config haechi.config.json]",
+    summary: "Verify the audit hash chain; print validity, record count, and head hash.",
+    detail: "Exit 4 on a broken chain. The head hash is the value to anchor externally against tail truncation."
+  },
+  status: {
+    usage: "haechi status [--config haechi.config.json]",
+    summary: "Show what is and is not protected under the current config.",
+    detail: "Prints effective policy mode, response/streaming protection, target, token vault governance, key file permissions, audit chain status, and a consolidated warnings list."
+  },
+  proxy: {
+    usage: `haechi proxy [--config haechi.config.json] [--host 127.0.0.1] [--port ${DEFAULT_PROXY_PORT}] [--allow-remote-bind]`,
+    summary: "Run the local HTTP JSON proxy in front of an upstream LLM.",
+    detail: "Binds loopback by default; --allow-remote-bind is required (and must be a CLI flag, not config) to bind non-loopback hosts. There is no client auth yet — see 'haechi config'."
+  },
+  "policy-sign": {
+    usage: "haechi policy-sign <policy.json> [--config haechi.config.json] [--out policy.bundle.json]",
+    summary: "Sign a policy file into a verifiable bundle."
+  },
+  "policy-verify": {
+    usage: "haechi policy-verify <policy.bundle.json> [--config haechi.config.json]",
+    summary: "Verify a signed policy bundle against the configured key."
+  },
+  "token-reveal": {
+    usage: "haechi token-reveal <token> [--config haechi.config.json] [--allow-dev-reveal]",
+    summary: "Reveal a tokenized value (governed by tokenVault.revealPolicy; audited).",
+    detail: "Fails unless revealPolicy is local-dev or --allow-dev-reveal is passed."
+  },
+  "token-purge": {
+    usage: "haechi token-purge <token> [--config haechi.config.json]\n  haechi token-purge --expired [--config haechi.config.json]",
+    summary: "Purge a specific token, or all expired tokens with --expired."
+  },
+  "token-export": {
+    usage: "haechi token-export [--config haechi.config.json] [--type email]",
+    summary: "Export token metadata (never plaintext), optionally filtered by type."
+  },
+  "plugin-validate": {
+    usage: "haechi plugin-validate <plugin-manifest.json>",
+    summary: "Validate a plugin manifest (manifest-only; dynamic runtime is rejected)."
+  },
+  "mcp-stdio": {
+    usage: "haechi mcp-stdio [--config haechi.config.json]",
+    summary: "Filter MCP JSON-RPC traffic on stdin/stdout (one direction)."
+  },
+  "mcp-wrap": {
+    usage: "haechi mcp-wrap [--config haechi.config.json] -- <command> [args...]",
+    summary: "Wrap an MCP server with bidirectional stdio protection.",
+    detail: "Spawns <command>, applies the method allowlist + params protection client→server, and result protection + injection heuristics server→client. Drop-in for MCP client configs."
+  },
+  config: {
+    usage: "haechi config",
+    summary: "Print the configuration guide (keys, defaults, common setups)."
+  }
+};
+
+function printHelp(topic) {
+  if (topic && COMMAND_HELP[topic]) {
+    const entry = COMMAND_HELP[topic];
+    console.log(`haechi ${topic} — ${entry.summary}\n\nUsage:\n  ${entry.usage}${entry.detail ? `\n\n${entry.detail}` : ""}`);
+    return;
+  }
+
+  const order = [
+    "init", "protect", "report", "status", "audit-verify", "proxy",
+    "policy-sign", "policy-verify",
+    "token-reveal", "token-purge", "token-export",
+    "plugin-validate", "mcp-stdio", "mcp-wrap", "config"
+  ];
+  const lines = order.map((name) => `  ${name.padEnd(16)}${COMMAND_HELP[name].summary}`);
+  console.log(`Haechi — self-hosted AI context enforcement (developer preview)
 
 Usage:
-  haechi init [--config haechi.config.json] [--force]
-  haechi protect <input.json> [--config haechi.config.json]
-  haechi report [--audit .haechi/audit.jsonl]
-  haechi audit-verify [--audit .haechi/audit.jsonl] [--config haechi.config.json]
-  haechi status [--config haechi.config.json]
-  haechi proxy [--config haechi.config.json] [--host 127.0.0.1] [--port ${DEFAULT_PROXY_PORT}] [--allow-remote-bind]
-  haechi policy-sign <policy.json> [--config haechi.config.json] [--out policy.bundle.json]
-  haechi policy-verify <policy.bundle.json> [--config haechi.config.json]
-  haechi token-reveal <token> [--config haechi.config.json] [--allow-dev-reveal]
-  haechi token-purge <token> [--config haechi.config.json]
-  haechi token-purge --expired [--config haechi.config.json]
-  haechi token-export [--config haechi.config.json] [--type email]
-  haechi plugin-validate <plugin-manifest.json>
-  haechi mcp-stdio [--config haechi.config.json]
-  haechi mcp-wrap [--config haechi.config.json] -- <command> [args...]
-
-The default policy mode is dry-run. Change policy.mode to enforce to mutate or block payloads.
+  haechi <command> [options]
+  haechi help <command>     show usage for one command
+
+Commands:
+${lines.join("\n")}
+
+Getting started:
+  haechi init               write config + local key
+  haechi status             see what is protected
+  haechi config             configuration guide
+
+The default policy mode is dry-run (detect + audit only). Set policy.mode to
+"enforce" to transform or block. Run 'haechi config' for all settings.
 `);
 }
+
+function printConfigGuide() {
+  console.log(`Haechi configuration guide
+
+Config file: haechi.config.json (override with --config <path>); template at
+haechi.config.example.json. All values are validated fail-closed — unknown or
+malformed settings refuse to start. 'haechi status' prints the EFFECTIVE state.
+
+Enforcement
+  mode / policy.mode        dry-run | report-only | enforce   (default dry-run)
+                            dry-run/report-only detect + audit only.
+                            policy.mode overrides mode.
+
+Upstream + proxy
+  target.type               llm-http | openai-compatible | vllm-openai |
+                            ollama | llama-cpp                 (unknown = fail)
+  target.upstream           the only upstream the proxy forwards to
+  proxy.host / proxy.port   127.0.0.1 / ${DEFAULT_PROXY_PORT}
+                            non-loopback host needs --allow-remote-bind (CLI flag)
+
+Response + streaming
+  responseProtection.enabled  inspect upstream responses        (default false)
+  responseProtection.failureMode  fail-closed | allow           (default fail-closed)
+  streaming.requestMode     block | pass-through | inspect       (default block)
+                            inspect = stream-filter SSE/NDJSON responses
+  streaming.maxMatchBytes   cross-frame match window             (default 256)
+  limits.upstreamTimeoutMs  upstream timeout in ms              (default 120000)
+
+Detection policy
+  policy.presets            korean-pii, secrets-only, llm-redact,
+                            strict-block, mcp-basic, local-inference, local-only
+  policy.defaultAction      allow | redact | mask | tokenize | encrypt | block
+  policy.actions            per-type overrides; merges may strengthen, not weaken
+  filters.customRules       extra regex rules (ReDoS-screened)
+
+Tokenization (model sees token, caller sees plaintext)
+  tokenVault.revealPolicy   disabled | local-dev               (manual reveal gate)
+  tokenVault.deterministic  same value -> same token           (default false)
+  tokenVault.detokenizeResponses  restore request-issued tokens in the response
+                            (needs responseProtection.enabled)
+
+Privacy + MCP
+  privacy.profile           kr-pipa | eu-gdpr | us-general | null
+  mcp.allowedMethods        client-callable method allowlist
+
+Binding beyond loopback (0.0.0.0):
+  haechi proxy --host 0.0.0.0 --allow-remote-bind
+  There is NO client auth yet (planned 0.6). Use only behind network controls:
+  bind 0.0.0.0 in a container and map -p 127.0.0.1:${DEFAULT_PROXY_PORT}:${DEFAULT_PROXY_PORT}, or front
+  it with a firewall/VPN/authenticating reverse proxy.
+
+Full reference: docs/current/configuration.md
+`);
+}
+
+await main(command, argv);

package/packages/cli/runtime.mjs

@@ -34,7 +34,9 @@ export function defaultConfig() {
       maxBytes: 1048576
     },
     streaming: {
-      requestMode: "block"
+      requestMode: "block",
+      responseMode: "enforce",
+      maxMatchBytes: 256
     },
     limits: {
       maxRequestBytes: 1048576,
@@ -271,9 +273,15 @@ export function normalizeConfig(config) {
   if (typeof merged.responseProtection.maxBytes !== "number" || merged.responseProtection.maxBytes < 1) {
     throw new Error("responseProtection.maxBytes must be a positive number");
   }
-  if (!["block", "pass-through"].includes(merged.streaming.requestMode)) {
+  if (!["block", "pass-through", "inspect"].includes(merged.streaming.requestMode)) {
     throw new Error(`Invalid streaming.requestMode: ${merged.streaming.requestMode}`);
   }
+  if (!["dry-run", "report-only", "enforce"].includes(merged.streaming.responseMode)) {
+    throw new Error(`Invalid streaming.responseMode: ${merged.streaming.responseMode}`);
+  }
+  if (typeof merged.streaming.maxMatchBytes !== "number" || merged.streaming.maxMatchBytes < 1) {
+    throw new Error("streaming.maxMatchBytes must be a positive number");
+  }
   if (typeof merged.limits.maxRequestBytes !== "number" || merged.limits.maxRequestBytes < 1) {
     throw new Error("limits.maxRequestBytes must be a positive number");
   }

package/packages/core/index.mjs

@@ -51,7 +51,116 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
     };
   }
 
-  return { protectJson };
+  // Stateful protector for an incremental text stream (SSE/NDJSON deltas).
+  // Holds a bounded raw tail so a detection split across chunk boundaries is
+  // caught before the leading part is emitted. maxMatchBytes bounds the
+  // guarantee: a single match longer than it may still split across frames.
+  function createStreamProtector(context = {}) {
+    const effectiveMode = context.mode ?? mode;
+    const enforced = !NO_ENFORCE_MODES.has(effectiveMode);
+    const maxMatchBytes = context.maxMatchBytes ?? 256;
+    const byType = {};
+    const byAction = {};
+    let detectionCount = 0;
+    let pending = "";
+
+    function tally(detections, decisions) {
+      detections.forEach((detection, index) => {
+        byType[detection.type] = (byType[detection.type] ?? 0) + 1;
+        const action = decisions[index]?.action ?? "unknown";
+        byAction[action] = (byAction[action] ?? 0) + 1;
+        detectionCount += 1;
+      });
+    }
+
+    async function decideAll(detections) {
+      const decisions = [];
+      for (const detection of detections) {
+        decisions.push(await policyEngine.decide({ detection, context, mode: effectiveMode }));
+      }
+      return decisions;
+    }
+
+    // Transform a complete, committed text segment.
+    async function transformSegment(text) {
+      const detections = await filterEngine.detect({
+        entries: collectStringEntries(text),
+        context
+      });
+      const decisions = await decideAll(detections);
+      tally(detections, decisions);
+      const blocked = enforced && decisions.some((decision) => decision.action === "block");
+      if (blocked) {
+        return { text: "", blocked: true };
+      }
+      if (!enforced || detections.length === 0) {
+        return { text, blocked: false };
+      }
+      const items = detections.map((detection, index) => ({ detection, decision: decisions[index] }));
+      const transformed = await transformString(text, items, { context, cryptoProvider, tokenVault, issuedTokens: null });
+      return { text: transformed, blocked: false };
+    }
+
+    return {
+      // Protect string leaves of a parsed frame OTHER than the incremental
+      // delta text (e.g. tool-call arguments). Returns the mutated object.
+      async protectFrameExtras(value) {
+        const detections = await filterEngine.detect({
+          entries: collectStringEntries(value),
+          context
+        });
+        if (detections.length === 0) {
+          return { value, blocked: false };
+        }
+        const decisions = await decideAll(detections);
+        tally(detections, decisions);
+        const blocked = enforced && decisions.some((decision) => decision.action === "block");
+        if (blocked) {
+          return { value: null, blocked: true };
+        }
+        if (!enforced) {
+          return { value, blocked: false };
+        }
+        const transformed = await transformPayload(value, detections, decisions, {
+          context, cryptoProvider, tokenVault, enforced
+        });
+        return { value: transformed, blocked: false };
+      },
+      // Append incremental text; return the portion safe to emit now.
+      async push(text) {
+        pending += text;
+        const detections = await filterEngine.detect({
+          entries: collectStringEntries(pending),
+          context
+        });
+        let commit = Math.max(0, pending.length - maxMatchBytes);
+        const straddlers = detections.filter((detection) => detection.end > commit);
+        if (straddlers.length > 0) {
+          commit = Math.min(commit, ...straddlers.map((detection) => detection.start));
+        }
+        if (commit <= 0) {
+          return { text: "", blocked: false };
+        }
+        const head = pending.slice(0, commit);
+        pending = pending.slice(commit);
+        return transformSegment(head);
+      },
+      // Drain the held tail at end of stream (no more cross-frame risk).
+      async flush() {
+        const tail = pending;
+        pending = "";
+        if (!tail) {
+          return { text: "", blocked: false };
+        }
+        return transformSegment(tail);
+      },
+      summary() {
+        return { detectionCount, byType, byAction };
+      }
+    };
+  }
+
+  return { protectJson, createStreamProtector };
 }
 
 export function collectStringEntries(value, path = []) {

package/packages/protocol-adapters/index.mjs

@@ -1,11 +1,22 @@
+// Streaming descriptors: `format` is the wire framing, `deltaPath` is the
+// primary incremental-text channel (index 0 of choices for OpenAI-style).
+// A null deltaPath means "no known channel" — frames still get within-frame
+// protection but no cross-frame buffering.
+const SSE_CHAT = { format: "sse", deltaPath: ["choices", 0, "delta", "content"] };
+const SSE_COMPLETION = { format: "sse", deltaPath: ["choices", 0, "text"] };
+const SSE_RESPONSES = { format: "sse", deltaPath: null };
+const SSE_LLAMA_LEGACY = { format: "sse", deltaPath: ["content"] };
+const NDJSON_OLLAMA_CHAT = { format: "ndjson", deltaPath: ["message", "content"] };
+const NDJSON_OLLAMA_GENERATE = { format: "ndjson", deltaPath: ["response"] };
+
 const ADAPTERS = {
   "openai-compatible": {
     id: "openai-compatible",
     protocol: "llm-http",
     routes: [
-      route("/v1/chat/completions", "chat-completions"),
-      route("/v1/completions", "completions"),
-      route("/v1/responses", "responses"),
+      route("/v1/chat/completions", "chat-completions", { streaming: SSE_CHAT }),
+      route("/v1/completions", "completions", { streaming: SSE_COMPLETION }),
+      route("/v1/responses", "responses", { streaming: SSE_RESPONSES }),
       route("/v1/embeddings", "embeddings")
     ]
   },
@@ -13,9 +24,9 @@ const ADAPTERS = {
     id: "vllm-openai",
     protocol: "vllm-openai",
     routes: [
-      route("/v1/chat/completions", "chat-completions"),
-      route("/v1/completions", "completions"),
-      route("/v1/responses", "responses"),
+      route("/v1/chat/completions", "chat-completions", { streaming: SSE_CHAT }),
+      route("/v1/completions", "completions", { streaming: SSE_COMPLETION }),
+      route("/v1/responses", "responses", { streaming: SSE_RESPONSES }),
       route("/v1/embeddings", "embeddings")
     ]
   },
@@ -23,10 +34,10 @@ const ADAPTERS = {
     id: "llama-cpp",
     protocol: "llama-cpp",
     routes: [
-      route("/v1/chat/completions", "chat-completions"),
-      route("/v1/completions", "completions"),
+      route("/v1/chat/completions", "chat-completions", { streaming: SSE_CHAT }),
+      route("/v1/completions", "completions", { streaming: SSE_COMPLETION }),
       route("/v1/embeddings", "embeddings"),
-      route("/completion", "legacy-completion")
+      route("/completion", "legacy-completion", { streaming: SSE_LLAMA_LEGACY })
     ]
   },
   "ollama": {
@@ -34,8 +45,8 @@ const ADAPTERS = {
     protocol: "ollama",
     routes: [
       // Ollama streams /api/chat and /api/generate unless the request sets stream:false.
-      route("/api/chat", "chat", { streamingDefault: true }),
-      route("/api/generate", "generate", { streamingDefault: true }),
+      route("/api/chat", "chat", { streamingDefault: true, streaming: NDJSON_OLLAMA_CHAT }),
+      route("/api/generate", "generate", { streamingDefault: true, streaming: NDJSON_OLLAMA_GENERATE }),
       route("/api/embed", "embed"),
       route("/api/embeddings", "embeddings")
     ]
@@ -47,7 +58,13 @@ const TARGET_TYPE_ALIASES = {
 };
 
 export function createProtocolAdapter(target = {}) {
-  const adapterId = target.adapter ?? adapterFromTargetType(target.type);
+  // A specific target.type (vllm-openai, ollama, llama-cpp) names its own
+  // adapter and wins over a generic/default target.adapter — otherwise the
+  // default config's adapter ("openai-compatible") would shadow the type after
+  // a deep merge and silently route an Ollama target to OpenAI paths.
+  const adapterId = ADAPTERS[target.type]
+    ? target.type
+    : (target.adapter ?? adapterFromTargetType(target.type));
   const adapter = ADAPTERS[adapterId];
   if (!adapter) {
     throw new Error(`Unknown protocol adapter: ${adapterId}`);
@@ -71,7 +88,8 @@ export function createProtocolAdapter(target = {}) {
         operation,
         protectRequest: matched?.protectRequest ?? true,
         protectResponse: matched?.protectResponse ?? true,
-        streamingByDefault: matched?.streamingDefault ?? false
+        streamingByDefault: matched?.streamingDefault ?? false,
+        streaming: matched?.streaming ?? null
       };
     }
   };
@@ -98,7 +116,8 @@ function route(path, operation, options = {}) {
     operation,
     protectRequest: options.protectRequest ?? true,
     protectResponse: options.protectResponse ?? true,
-    streamingDefault: options.streamingDefault ?? false
+    streamingDefault: options.streamingDefault ?? false,
+    streaming: options.streaming ?? null
   };
 }
 

package/packages/proxy/index.mjs

@@ -1,5 +1,6 @@
 import { createServer } from "node:http";
 import { createHash, randomUUID } from "node:crypto";
+import { inspectResponseStream } from "../stream-filter/index.mjs";
 
 export const DEFAULT_PROXY_PORT = 1016;
 
@@ -22,6 +23,11 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
       const json = parseJsonBody(body);
 
       if (isStreamingRequest(json, routeContext)) {
+        if (config.streaming.requestMode === "inspect") {
+          await handleInspectedStream({ runtime, request, response, routeContext, json });
+          return;
+        }
+
         if (config.streaming.requestMode === "pass-through") {
           await recordProxyDecision({
             runtime,
@@ -45,7 +51,7 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
 
         writeJson(response, 501, {
           error: "haechi_streaming_unsupported",
-          message: "Streaming requests are blocked unless streaming.requestMode is explicitly set to pass-through"
+          message: "Streaming requests are blocked unless streaming.requestMode is set to pass-through or inspect"
         });
         return;
       }
@@ -114,6 +120,107 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
   };
 }
 
+async function handleInspectedStream({ runtime, request, response, routeContext, json }) {
+  const { haechi, config } = runtime;
+
+  // Inspection needs to know the wire format and delta channel for this route.
+  if (!routeContext.streaming) {
+    writeJson(response, 501, {
+      error: "haechi_streaming_uninspectable_route",
+      message: `streaming.requestMode is "inspect" but route ${routeContext.routeId} has no known streaming format`
+    });
+    return;
+  }
+
+  // The request body is ordinary JSON even when the response streams, so it is
+  // protected like any other request.
+  const requestResult = routeContext.protectRequest
+    ? await haechi.protectJson(json, {
+      ...routeContext,
+      operation: `request:${routeContext.operation}`,
+      direction: "request",
+      mode: config.policy.mode ?? config.mode
+    })
+    : { payload: json, blocked: false };
+
+  if (requestResult.blocked) {
+    writeJson(response, 403, {
+      error: "haechi_policy_block",
+      summary: requestResult.summary,
+      auditId: requestResult.auditEvent.id
+    });
+    return;
+  }
+
+  const upstreamResponse = await forward({
+    upstream: config.target.upstream,
+    request,
+    body: JSON.stringify(requestResult.payload),
+    timeoutMs: config.limits.upstreamTimeoutMs
+  });
+
+  const streamMode = config.streaming.responseMode ?? config.responseProtection.mode ?? config.policy.mode ?? config.mode;
+  const protector = haechi.createStreamProtector({
+    ...routeContext,
+    operation: `response-stream:${routeContext.operation}`,
+    direction: "response",
+    mode: streamMode,
+    maxMatchBytes: config.streaming.maxMatchBytes
+  });
+
+  response.writeHead(upstreamResponse.status, streamingResponseHeaders(upstreamResponse));
+
+  const { blocked, summary } = await inspectResponseStream({
+    source: upstreamResponse.body ?? emptyAsyncIterable(),
+    sink: nodeResponseSink(response),
+    streaming: routeContext.streaming,
+    protector
+  });
+
+  await recordStreamDecision({ runtime, routeContext, blocked, summary, mode: streamMode });
+  response.end();
+}
+
+function streamingResponseHeaders(upstreamResponse) {
+  const headers = Object.fromEntries(upstreamResponse.headers.entries());
+  delete headers["content-length"];
+  delete headers["content-encoding"];
+  return headers;
+}
+
+function nodeResponseSink(response) {
+  return {
+    write(text) {
+      response.write(text);
+    }
+  };
+}
+
+async function* emptyAsyncIterable() {
+  // No upstream body to inspect.
+}
+
+async function recordStreamDecision({ runtime, routeContext, blocked, summary, mode }) {
+  if (typeof runtime.auditSink?.record !== "function") {
+    return;
+  }
+  await runtime.auditSink.record({
+    id: randomUUID(),
+    timestamp: new Date().toISOString(),
+    protocol: routeContext?.protocol ?? "proxy",
+    operation: `response-stream:${routeContext?.operation ?? "unknown"}`,
+    mode,
+    identity: null,
+    enforced: !["dry-run", "report-only"].includes(mode),
+    blocked,
+    decision: blocked ? "stream_blocked" : "stream_inspected",
+    reason: blocked ? "stream_policy_block" : "stream_inspected",
+    routeId: routeContext?.routeId ?? "unknown",
+    pathHash: routeContext?.path ? shortHash(routeContext.path) : null,
+    summary
+  });
+}
+
 async function maybeProtectResponse({ upstreamResponse, routeContext, runtime, issuedTokens = [] }) {
   const headers = Object.fromEntries(upstreamResponse.headers.entries());