haechi 0.4.0 → 0.6.0

package/packages/cli/runtime.mjs

@@ -2,13 +2,14 @@ import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { dirname } from "node:path";
 import { createHaechi } from "../core/index.mjs";
 import { createDefaultFilterEngine } from "../filter/index.mjs";
-import { buildPolicy, createPolicyEngine } from "../policy/index.mjs";
+import { createPolicyProfiles } from "../policy/index.mjs";
 import { createLocalCryptoProvider, initLocalKeyFile } from "../crypto/index.mjs";
 import { createJsonlAuditSink } from "../audit/index.mjs";
 import { createLocalTokenVault } from "../token-vault/index.mjs";
 import { loadVerifiedPolicyBundleFileSync } from "../policy-bundle/index.mjs";
 import { createProtocolAdapter } from "../protocol-adapters/index.mjs";
 import { applyPrivacyProfile, getPrivacyProfile } from "../privacy-profiles/index.mjs";
+import { createBearerAuthProvider } from "../auth/index.mjs";
 import { DEFAULT_PROXY_PORT } from "../proxy/index.mjs";
 
 export const DEFAULT_CONFIG_PATH = "haechi.config.json";
@@ -34,7 +35,9 @@ export function defaultConfig() {
       maxBytes: 1048576
     },
     streaming: {
-      requestMode: "block"
+      requestMode: "block",
+      responseMode: "enforce",
+      maxMatchBytes: 256
     },
     limits: {
       maxRequestBytes: 1048576,
@@ -71,6 +74,11 @@ export function defaultConfig() {
     privacy: {
       profile: null
     },
+    auth: {
+      provider: "none",
+      store: ".haechi/auth.json",
+      allowedLabelKeys: ["team", "env", "tier", "role"]
+    },
     mcp: {
       allowedMethods: ["initialize", "tools/call", "resources/read", "prompts/get"],
       protectParams: true,
@@ -133,19 +141,25 @@ export function createRuntime(config, providers = {}) {
       ...normalized.policy,
       mode: normalized.policy.mode ?? normalized.mode
     };
-  const policy = buildPolicy(normalized.privacy.profile
-    ? applyPrivacyProfile(policySource, normalized.privacy.profile)
-    : policySource);
+  const policyProfiles = createPolicyProfiles(policySource, {
+    transform: (source) => normalized.privacy.profile
+      ? applyPrivacyProfile(source, normalized.privacy.profile)
+      : source
+  });
 
   const filterEngine = providers.filterEngine ?? createDefaultFilterEngine(normalized.filters);
   assertProvider("filterEngine", filterEngine, ["detect"]);
-  const policyEngine = providers.policyEngine ?? createPolicyEngine(policy);
+  const policyEngine = providers.policyEngine ?? policyProfiles.base.policyEngine;
   assertProvider("policyEngine", policyEngine, ["decide"]);
 
+  const authProvider = resolveAuthProvider(normalized, providers, cryptoProvider);
+
   return {
     config: normalized,
     tokenVault,
     auditSink,
+    authProvider,
+    policyProfiles,
     protocolAdapter: createProtocolAdapter(normalized.target),
     haechi: createHaechi({
       mode: normalized.mode,
@@ -210,6 +224,11 @@ export function normalizeConfig(config) {
       ...defaultConfig().privacy,
       ...(config.privacy ?? {})
     },
+    auth: {
+      ...defaultConfig().auth,
+      ...(config.auth ?? {}),
+      allowedLabelKeys: config.auth?.allowedLabelKeys ?? defaultConfig().auth.allowedLabelKeys
+    },
     mcp: {
       ...defaultConfig().mcp,
       ...(config.mcp ?? {}),
@@ -271,15 +290,32 @@ export function normalizeConfig(config) {
   if (typeof merged.responseProtection.maxBytes !== "number" || merged.responseProtection.maxBytes < 1) {
     throw new Error("responseProtection.maxBytes must be a positive number");
   }
-  if (!["block", "pass-through"].includes(merged.streaming.requestMode)) {
+  if (!["block", "pass-through", "inspect"].includes(merged.streaming.requestMode)) {
     throw new Error(`Invalid streaming.requestMode: ${merged.streaming.requestMode}`);
   }
+  if (!["dry-run", "report-only", "enforce"].includes(merged.streaming.responseMode)) {
+    throw new Error(`Invalid streaming.responseMode: ${merged.streaming.responseMode}`);
+  }
+  if (typeof merged.streaming.maxMatchBytes !== "number" || merged.streaming.maxMatchBytes < 1) {
+    throw new Error("streaming.maxMatchBytes must be a positive number");
+  }
   if (typeof merged.limits.maxRequestBytes !== "number" || merged.limits.maxRequestBytes < 1) {
     throw new Error("limits.maxRequestBytes must be a positive number");
   }
   if (typeof merged.limits.upstreamTimeoutMs !== "number" || merged.limits.upstreamTimeoutMs < 1) {
     throw new Error("limits.upstreamTimeoutMs must be a positive number");
   }
+  validatePolicyExtras(merged.policy);
+  if (!["none", "bearer", "external"].includes(merged.auth.provider)) {
+    throw new Error(`Invalid auth.provider: ${merged.auth.provider}`);
+  }
+  if (typeof merged.auth.store !== "string" || !merged.auth.store.trim()) {
+    throw new Error("auth.store must be a non-empty string");
+  }
+  if (!Array.isArray(merged.auth.allowedLabelKeys)
+    || !merged.auth.allowedLabelKeys.every((key) => typeof key === "string" && key.trim())) {
+    throw new Error("auth.allowedLabelKeys must be an array of non-empty strings");
+  }
   createProtocolAdapter(merged.target);
   return merged;
 }
@@ -288,6 +324,76 @@ export function isValidPort(port) {
   return Number.isInteger(port) && port >= 0 && port <= 65535;
 }
 
+function validatePolicyExtras(policy) {
+  if (policy.modelAllowlist !== undefined) {
+    assertModelAllowlist(policy.modelAllowlist, "policy.modelAllowlist");
+  }
+  if (policy.rate !== undefined) {
+    assertRate(policy.rate, "policy.rate");
+  }
+  if (policy.profiles !== undefined) {
+    if (typeof policy.profiles !== "object" || policy.profiles === null || Array.isArray(policy.profiles)) {
+      throw new Error("policy.profiles must be an object of named profiles");
+    }
+    for (const [name, profile] of Object.entries(policy.profiles)) {
+      if (typeof profile !== "object" || profile === null || Array.isArray(profile)) {
+        throw new Error(`policy.profiles.${name} must be an object`);
+      }
+      if (profile.modelAllowlist !== undefined) {
+        assertModelAllowlist(profile.modelAllowlist, `policy.profiles.${name}.modelAllowlist`);
+      }
+      if (profile.rate !== undefined) {
+        assertRate(profile.rate, `policy.profiles.${name}.rate`);
+      }
+    }
+  }
+  if (policy.profileBinding !== undefined) {
+    const binding = policy.profileBinding;
+    if (typeof binding !== "object" || binding === null || Array.isArray(binding)) {
+      throw new Error("policy.profileBinding must be an object");
+    }
+    if (typeof binding.default !== "string" || !binding.default.trim()) {
+      throw new Error("policy.profileBinding.default must be a profile name");
+    }
+    for (const field of ["byScope", "byLabel"]) {
+      if (binding[field] !== undefined
+        && (typeof binding[field] !== "object" || binding[field] === null || Array.isArray(binding[field]))) {
+        throw new Error(`policy.profileBinding.${field} must be an object`);
+      }
+    }
+  }
+}
+
+function assertModelAllowlist(value, label) {
+  if (!Array.isArray(value) || !value.every((model) => typeof model === "string" && model.trim())) {
+    throw new Error(`${label} must be an array of non-empty strings`);
+  }
+}
+
+function assertRate(value, label) {
+  if (typeof value !== "object" || value === null
+    || typeof value.requestsPerMinute !== "number" || value.requestsPerMinute < 1) {
+    throw new Error(`${label}.requestsPerMinute must be a positive number`);
+  }
+}
+
+function resolveAuthProvider(config, providers, cryptoProvider) {
+  if (config.auth.provider === "external") {
+    if (typeof providers.authProvider?.authenticate !== "function") {
+      throw new Error("auth.provider external requires createRuntime(config, { authProvider })");
+    }
+    return providers.authProvider;
+  }
+  if (providers.authProvider) {
+    // An injected provider overrides the built-in selection.
+    return providers.authProvider;
+  }
+  if (config.auth.provider === "bearer") {
+    return createBearerAuthProvider({ path: config.auth.store, cryptoProvider });
+  }
+  return null;
+}
+
 function createConfiguredCryptoProvider(config) {
   if (config.keys.provider === "external") {
     throw new Error("keys.provider external requires createRuntime(config, { cryptoProvider })");

package/packages/core/index.mjs

@@ -7,14 +7,19 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
     throw new Error("Haechi requires filterEngine, policyEngine, cryptoProvider, and auditSink");
   }
 
-  async function protectJson(payload, context = {}) {
+  async function protectJson(payload, rawContext = {}) {
+    // A per-request policy engine (a named profile selected from identity)
+    // overrides the default. It is a control object, NOT data: strip it before
+    // anything downstream (tokenize AAD, audit) sees the context.
+    const { policyEngine: contextEngine, ...context } = rawContext;
     const effectiveMode = context.mode ?? mode;
+    const engine = contextEngine ?? policyEngine;
     const entries = collectStringEntries(payload);
     const detections = await filterEngine.detect({ entries, context });
     const decisions = [];
 
     for (const detection of detections) {
-      decisions.push(await policyEngine.decide({ detection, context, mode: effectiveMode }));
+      decisions.push(await engine.decide({ detection, context, mode: effectiveMode }));
     }
 
     const enforced = !NO_ENFORCE_MODES.has(effectiveMode);
@@ -51,7 +56,120 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
     };
   }
 
-  return { protectJson };
+  // Stateful protector for an incremental text stream (SSE/NDJSON deltas).
+  // Holds a bounded raw tail so a detection split across chunk boundaries is
+  // caught before the leading part is emitted. maxMatchBytes bounds the
+  // guarantee: a single match longer than it may still split across frames.
+  function createStreamProtector(rawContext = {}) {
+    // Strip the control-object policy engine from the data context (see
+    // protectJson) so it cannot leak into tokenize AAD or audit.
+    const { policyEngine: contextEngine, ...context } = rawContext;
+    const effectiveMode = context.mode ?? mode;
+    const engine = contextEngine ?? policyEngine;
+    const enforced = !NO_ENFORCE_MODES.has(effectiveMode);
+    const maxMatchBytes = context.maxMatchBytes ?? 256;
+    const byType = {};
+    const byAction = {};
+    let detectionCount = 0;
+    let pending = "";
+
+    function tally(detections, decisions) {
+      detections.forEach((detection, index) => {
+        byType[detection.type] = (byType[detection.type] ?? 0) + 1;
+        const action = decisions[index]?.action ?? "unknown";
+        byAction[action] = (byAction[action] ?? 0) + 1;
+        detectionCount += 1;
+      });
+    }
+
+    async function decideAll(detections) {
+      const decisions = [];
+      for (const detection of detections) {
+        decisions.push(await engine.decide({ detection, context, mode: effectiveMode }));
+      }
+      return decisions;
+    }
+
+    // Transform a complete, committed text segment.
+    async function transformSegment(text) {
+      const detections = await filterEngine.detect({
+        entries: collectStringEntries(text),
+        context
+      });
+      const decisions = await decideAll(detections);
+      tally(detections, decisions);
+      const blocked = enforced && decisions.some((decision) => decision.action === "block");
+      if (blocked) {
+        return { text: "", blocked: true };
+      }
+      if (!enforced || detections.length === 0) {
+        return { text, blocked: false };
+      }
+      const items = detections.map((detection, index) => ({ detection, decision: decisions[index] }));
+      const transformed = await transformString(text, items, { context, cryptoProvider, tokenVault, issuedTokens: null });
+      return { text: transformed, blocked: false };
+    }
+
+    return {
+      // Protect string leaves of a parsed frame OTHER than the incremental
+      // delta text (e.g. tool-call arguments). Returns the mutated object.
+      async protectFrameExtras(value) {
+        const detections = await filterEngine.detect({
+          entries: collectStringEntries(value),
+          context
+        });
+        if (detections.length === 0) {
+          return { value, blocked: false };
+        }
+        const decisions = await decideAll(detections);
+        tally(detections, decisions);
+        const blocked = enforced && decisions.some((decision) => decision.action === "block");
+        if (blocked) {
+          return { value: null, blocked: true };
+        }
+        if (!enforced) {
+          return { value, blocked: false };
+        }
+        const transformed = await transformPayload(value, detections, decisions, {
+          context, cryptoProvider, tokenVault, enforced
+        });
+        return { value: transformed, blocked: false };
+      },
+      // Append incremental text; return the portion safe to emit now.
+      async push(text) {
+        pending += text;
+        const detections = await filterEngine.detect({
+          entries: collectStringEntries(pending),
+          context
+        });
+        let commit = Math.max(0, pending.length - maxMatchBytes);
+        const straddlers = detections.filter((detection) => detection.end > commit);
+        if (straddlers.length > 0) {
+          commit = Math.min(commit, ...straddlers.map((detection) => detection.start));
+        }
+        if (commit <= 0) {
+          return { text: "", blocked: false };
+        }
+        const head = pending.slice(0, commit);
+        pending = pending.slice(commit);
+        return transformSegment(head);
+      },
+      // Drain the held tail at end of stream (no more cross-frame risk).
+      async flush() {
+        const tail = pending;
+        pending = "";
+        if (!tail) {
+          return { text: "", blocked: false };
+        }
+        return transformSegment(tail);
+      },
+      summary() {
+        return { detectionCount, byType, byAction };
+      }
+    };
+  }
+
+  return { protectJson, createStreamProtector };
 }
 
 export function collectStringEntries(value, path = []) {
@@ -269,9 +387,11 @@ function buildAuditEvent({ context, mode, enforced, blocked, payload, detections
     timestamp: new Date().toISOString(),
     protocol: context.protocol ?? "custom",
     operation: context.operation ?? "protect",
-    // Reserved for 0.6 auth: hard null so unvalidated identity objects cannot
-    // reach the audit log before the PII-safe hashing contract exists.
-    identity: null,
+    // PII-safe identity built by the auth layer (subject/issuer are keyed
+    // HMACs); null when no auth is configured. `profile` is the resolved
+    // policy profile name (or null).
+    identity: context.identity ?? null,
+    profile: context.profile ?? null,
     mode,
     enforced,
     blocked,

package/packages/policy/index.mjs

@@ -130,6 +130,88 @@ export function createPolicyEngine(policy) {
   };
 }
 
+// Compiles the base policy plus every named profile into ready policy engines
+// and a resolver that maps an identity to one. A profile inherits the base
+// policy's presets/actions and overrides on top (so a profile need only state
+// what differs). `transform` (e.g. applyPrivacyProfile) is applied to each
+// compiled policy source before buildPolicy.
+export function createPolicyProfiles(policyConfig = {}, { transform } = {}) {
+  const { profiles = {}, profileBinding = null, ...baseSource } = policyConfig;
+  const apply = (source) => (transform ? transform(source) : source);
+
+  const baseEngine = createPolicyEngine(buildPolicy(apply(baseSource)));
+  const profileNames = Object.keys(profiles);
+  const engines = new Map();
+
+  for (const name of profileNames) {
+    const override = profiles[name] ?? {};
+    const merged = {
+      ...baseSource,
+      ...override,
+      // Profile presets replace the base presets when given; actions merge over
+      // the base via buildPolicy's strengthen-only rules.
+      actions: { ...(baseSource.actions ?? {}), ...(override.actions ?? {}) },
+      modelAllowlist: override.modelAllowlist ?? baseSource.modelAllowlist,
+      rate: override.rate ?? baseSource.rate
+    };
+    engines.set(name, {
+      policyEngine: createPolicyEngine(buildPolicy(apply(merged))),
+      modelAllowlist: merged.modelAllowlist ?? null,
+      rate: merged.rate ?? null
+    });
+  }
+
+  if (profileBinding) {
+    if (!profileBinding.default || !engines.has(profileBinding.default)) {
+      throw new Error("policy.profileBinding.default must name a declared profile");
+    }
+    for (const map of [profileBinding.byScope ?? {}, profileBinding.byLabel ?? {}]) {
+      for (const [key, target] of Object.entries(map)) {
+        if (!engines.has(target)) {
+          throw new Error(`policy.profileBinding maps ${key} to unknown profile: ${target}`);
+        }
+      }
+    }
+  } else if (profileNames.length > 0) {
+    throw new Error("policy.profiles requires policy.profileBinding with a default");
+  }
+
+  const base = {
+    policyEngine: baseEngine,
+    modelAllowlist: baseSource.modelAllowlist ?? null,
+    rate: baseSource.rate ?? null
+  };
+
+  return {
+    base,
+    hasProfiles: profileNames.length > 0,
+    // Resolve identity → { profile, policyEngine, modelAllowlist, rate }.
+    // Order: scope match → label match → default. Without profiles or identity,
+    // the base policy applies.
+    resolve(identity) {
+      if (!profileBinding) {
+        return { profile: null, ...base };
+      }
+      if (identity) {
+        for (const scope of identity.scopes ?? []) {
+          const name = profileBinding.byScope?.[scope];
+          if (name) {
+            return { profile: name, ...engines.get(name) };
+          }
+        }
+        for (const [key, value] of Object.entries(identity.labels ?? {})) {
+          const name = profileBinding.byLabel?.[`${key}=${value}`];
+          if (name) {
+            return { profile: name, ...engines.get(name) };
+          }
+        }
+      }
+      const fallback = profileBinding.default;
+      return { profile: fallback, ...engines.get(fallback) };
+    }
+  };
+}
+
 export function validatePolicy(policy) {
   if (!policy || typeof policy !== "object") {
     throw new Error("Policy must be an object");

package/packages/protocol-adapters/index.mjs

@@ -1,11 +1,22 @@
+// Streaming descriptors: `format` is the wire framing, `deltaPath` is the
+// primary incremental-text channel (index 0 of choices for OpenAI-style).
+// A null deltaPath means "no known channel" — frames still get within-frame
+// protection but no cross-frame buffering.
+const SSE_CHAT = { format: "sse", deltaPath: ["choices", 0, "delta", "content"] };
+const SSE_COMPLETION = { format: "sse", deltaPath: ["choices", 0, "text"] };
+const SSE_RESPONSES = { format: "sse", deltaPath: null };
+const SSE_LLAMA_LEGACY = { format: "sse", deltaPath: ["content"] };
+const NDJSON_OLLAMA_CHAT = { format: "ndjson", deltaPath: ["message", "content"] };
+const NDJSON_OLLAMA_GENERATE = { format: "ndjson", deltaPath: ["response"] };
+
 const ADAPTERS = {
   "openai-compatible": {
     id: "openai-compatible",
     protocol: "llm-http",
     routes: [
-      route("/v1/chat/completions", "chat-completions"),
-      route("/v1/completions", "completions"),
-      route("/v1/responses", "responses"),
+      route("/v1/chat/completions", "chat-completions", { streaming: SSE_CHAT }),
+      route("/v1/completions", "completions", { streaming: SSE_COMPLETION }),
+      route("/v1/responses", "responses", { streaming: SSE_RESPONSES }),
       route("/v1/embeddings", "embeddings")
     ]
   },
@@ -13,9 +24,9 @@ const ADAPTERS = {
     id: "vllm-openai",
     protocol: "vllm-openai",
     routes: [
-      route("/v1/chat/completions", "chat-completions"),
-      route("/v1/completions", "completions"),
-      route("/v1/responses", "responses"),
+      route("/v1/chat/completions", "chat-completions", { streaming: SSE_CHAT }),
+      route("/v1/completions", "completions", { streaming: SSE_COMPLETION }),
+      route("/v1/responses", "responses", { streaming: SSE_RESPONSES }),
       route("/v1/embeddings", "embeddings")
     ]
   },
@@ -23,10 +34,10 @@ const ADAPTERS = {
     id: "llama-cpp",
     protocol: "llama-cpp",
     routes: [
-      route("/v1/chat/completions", "chat-completions"),
-      route("/v1/completions", "completions"),
+      route("/v1/chat/completions", "chat-completions", { streaming: SSE_CHAT }),
+      route("/v1/completions", "completions", { streaming: SSE_COMPLETION }),
       route("/v1/embeddings", "embeddings"),
-      route("/completion", "legacy-completion")
+      route("/completion", "legacy-completion", { streaming: SSE_LLAMA_LEGACY })
     ]
   },
   "ollama": {
@@ -34,8 +45,8 @@ const ADAPTERS = {
     protocol: "ollama",
     routes: [
       // Ollama streams /api/chat and /api/generate unless the request sets stream:false.
-      route("/api/chat", "chat", { streamingDefault: true }),
-      route("/api/generate", "generate", { streamingDefault: true }),
+      route("/api/chat", "chat", { streamingDefault: true, streaming: NDJSON_OLLAMA_CHAT }),
+      route("/api/generate", "generate", { streamingDefault: true, streaming: NDJSON_OLLAMA_GENERATE }),
       route("/api/embed", "embed"),
       route("/api/embeddings", "embeddings")
     ]
@@ -47,7 +58,13 @@ const TARGET_TYPE_ALIASES = {
 };
 
 export function createProtocolAdapter(target = {}) {
-  const adapterId = target.adapter ?? adapterFromTargetType(target.type);
+  // A specific target.type (vllm-openai, ollama, llama-cpp) names its own
+  // adapter and wins over a generic/default target.adapter — otherwise the
+  // default config's adapter ("openai-compatible") would shadow the type after
+  // a deep merge and silently route an Ollama target to OpenAI paths.
+  const adapterId = ADAPTERS[target.type]
+    ? target.type
+    : (target.adapter ?? adapterFromTargetType(target.type));
   const adapter = ADAPTERS[adapterId];
   if (!adapter) {
     throw new Error(`Unknown protocol adapter: ${adapterId}`);
@@ -71,7 +88,8 @@ export function createProtocolAdapter(target = {}) {
         operation,
         protectRequest: matched?.protectRequest ?? true,
         protectResponse: matched?.protectResponse ?? true,
-        streamingByDefault: matched?.streamingDefault ?? false
+        streamingByDefault: matched?.streamingDefault ?? false,
+        streaming: matched?.streaming ?? null
       };
     }
   };
@@ -98,7 +116,8 @@ function route(path, operation, options = {}) {
     operation,
     protectRequest: options.protectRequest ?? true,
     protectResponse: options.protectResponse ?? true,
-    streamingDefault: options.streamingDefault ?? false
+    streamingDefault: options.streamingDefault ?? false,
+    streaming: options.streaming ?? null
   };
 }