haechi 0.5.0 → 0.6.0

package/docs/current/threat-model.md

@@ -2,7 +2,7 @@
 
 - Status: Draft 0.1
 - Date: 2026-06-10
-- Target version: 0.4.0
+- Target version: 0.6.0
 
 ## 1. Assets Under Protection
 
@@ -47,6 +47,8 @@ The primary assets Haechi protects are:
 | Hung upstream | Proxy connection exhaustion | `limits.upstreamTimeoutMs` default 120 s; 504 fail on timeout |
 | Signing/encryption key conflation | Key separation violation | Policy bundle signing key isolated as a domain-separated derived key |
 | JSON number / object key concealment | Undetected non-string leaves such as card numbers | Number leaves and object keys included in detection/transform scope |
+| Unauthenticated multi-client access | Any local process uses the upstream / token round-trip | Optional bearer auth (`auth.provider: bearer`); missing/invalid → 401 before body read; per-identity rate limit and model allowlist |
+| Raw credentials/identity in audit | Token or subject leak through the audit log | Tokens stored only as keyed-HMAC hashes; identity subject/issuer are keyed HMAC; `auth_denied` records no token |
 | Token round-trip restoring foreign tokens | Cross-client/request plaintext recovery | Detokenization is opt-in (`detokenizeResponses`) and request-scoped: only tokens issued while protecting the same request are restored |
 | Indirect prompt injection in tool results/responses | Agent manipulation via planted instructions | Response-direction heuristics, report-only by default (`injection` action `allow`); escalation is an explicit policy choice. Not a complete defense |
 

package/haechi.config.example.json

@@ -61,6 +61,16 @@
   "privacy": {
     "profile": null
   },
+  "auth": {
+    "provider": "none",
+    "store": ".haechi/auth.json",
+    "allowedLabelKeys": [
+      "team",
+      "env",
+      "tier",
+      "role"
+    ]
+  },
   "mcp": {
     "allowedMethods": [
       "initialize",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "haechi",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Experimental developer preview for self-hosted AI context enforcement across LLM, MCP, vLLM, Ollama, and agent traffic.",
   "license": "Apache-2.0",
   "type": "module",
@@ -45,7 +45,8 @@
     "./proxy": "./packages/proxy/index.mjs",
     "./runtime": "./packages/cli/runtime.mjs",
     "./token-vault": "./packages/token-vault/index.mjs",
-    "./stream-filter": "./packages/stream-filter/index.mjs"
+    "./stream-filter": "./packages/stream-filter/index.mjs",
+    "./auth": "./packages/auth/index.mjs"
   },
   "files": [
     "README.md",

package/packages/auth/index.mjs

@@ -0,0 +1,170 @@
+// Built-in bearer authentication and the authProvider contract.
+//
+// Tokens are never stored in plaintext: the store keeps a keyed-HMAC hash
+// (domain-separated, never a bare hash) plus PII-safe metadata. The plaintext
+// token is shown once at creation. Identity objects are PII-safe by
+// construction — subject/issuer are keyed HMACs, never raw values.
+
+import { mkdir, readFile, rename, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+import { randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
+
+const TOKEN_DOMAIN = "haechi:auth:token:v1";
+const IDENTITY_DOMAIN = "haechi:identity:hash:v1";
+const TOKEN_PREFIX = "hae_";
+const DEFAULT_ALLOWED_LABEL_KEYS = ["team", "env", "tier", "role"];
+const VALID_IDENTITY_TYPES = new Set(["user", "service", "agent"]);
+const MAX_LABEL_VALUE_LENGTH = 64;
+
+export async function readAuthStore(path) {
+  try {
+    const parsed = JSON.parse(await readFile(path, "utf8"));
+    return { version: parsed.version ?? 1, tokens: parsed.tokens ?? [] };
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return { version: 1, tokens: [] };
+    }
+    throw error;
+  }
+}
+
+async function writeAuthStore(path, store) {
+  await mkdir(dirname(path), { recursive: true });
+  const tempPath = `${path}.${process.pid}.${randomBytes(6).toString("hex")}.tmp`;
+  await writeFile(tempPath, `${JSON.stringify(store, null, 2)}\n`, { mode: 0o600 });
+  await rename(tempPath, path);
+}
+
+export function validateLabels(labels, allowedLabelKeys = DEFAULT_ALLOWED_LABEL_KEYS) {
+  for (const [key, value] of Object.entries(labels)) {
+    if (!allowedLabelKeys.includes(key)) {
+      throw new Error(`Label key not allowed: ${key} (allowed: ${allowedLabelKeys.join(", ") || "none"})`);
+    }
+    if (typeof value !== "string" || value.length === 0 || value.length > MAX_LABEL_VALUE_LENGTH) {
+      throw new Error(`Label value for ${key} must be a non-empty string up to ${MAX_LABEL_VALUE_LENGTH} chars`);
+    }
+  }
+  return labels;
+}
+
+export async function addToken({ path, cryptoProvider, type, scopes = [], labels = {}, allowedLabelKeys = DEFAULT_ALLOWED_LABEL_KEYS }) {
+  if (!VALID_IDENTITY_TYPES.has(type)) {
+    throw new Error(`Invalid token type: ${type} (expected user | service | agent)`);
+  }
+  if (!Array.isArray(scopes) || !scopes.every((scope) => typeof scope === "string" && scope.trim())) {
+    throw new Error("scopes must be an array of non-empty strings");
+  }
+  validateLabels(labels, allowedLabelKeys);
+
+  const token = `${TOKEN_PREFIX}${randomBytes(32).toString("base64url")}`;
+  const tokenHash = await cryptoProvider.hmac({ data: token, domain: TOKEN_DOMAIN });
+  const record = {
+    id: `tok_auth_${randomUUID().slice(0, 8)}`,
+    tokenHash,
+    type,
+    scopes,
+    labels,
+    createdAt: new Date().toISOString(),
+    disabled: false
+  };
+
+  const store = await readAuthStore(path);
+  store.tokens.push(record);
+  await writeAuthStore(path, store);
+
+  // The plaintext token is returned to the caller for one-time display only.
+  return { token, record: publicRecord(record) };
+}
+
+export async function listTokens(path) {
+  const store = await readAuthStore(path);
+  return store.tokens.map(publicRecord);
+}
+
+export async function revokeToken({ path, id }) {
+  const store = await readAuthStore(path);
+  const record = store.tokens.find((entry) => entry.id === id);
+  if (!record) {
+    throw new Error(`Unknown token id: ${id}`);
+  }
+  const changed = !record.disabled;
+  record.disabled = true;
+  await writeAuthStore(path, store);
+  return { id, revoked: changed };
+}
+
+function publicRecord(record) {
+  // Never expose the token or its hash.
+  return {
+    id: record.id,
+    type: record.type,
+    scopes: record.scopes,
+    labels: record.labels,
+    createdAt: record.createdAt,
+    disabled: Boolean(record.disabled)
+  };
+}
+
+export async function buildIdentity(record, cryptoProvider) {
+  return {
+    id: record.id,
+    type: record.type,
+    subjectHash: await cryptoProvider.hmac({ data: record.id, domain: IDENTITY_DOMAIN }),
+    issuerHash: await cryptoProvider.hmac({ data: "bearer-local", domain: IDENTITY_DOMAIN }),
+    provider: "bearer",
+    scopes: record.scopes ?? [],
+    labels: record.labels ?? {}
+  };
+}
+
+function bearerTokenFromRequest(request) {
+  const header = request?.headers?.authorization ?? request?.headers?.Authorization;
+  if (typeof header !== "string") {
+    return null;
+  }
+  const match = /^Bearer\s+(.+)$/i.exec(header.trim());
+  return match ? match[1].trim() : null;
+}
+
+function constantTimeHashMatch(candidateHash, storedHash) {
+  const a = Buffer.from(candidateHash, "utf8");
+  const b = Buffer.from(storedHash, "utf8");
+  return a.length === b.length && timingSafeEqual(a, b);
+}
+
+// authProvider contract: authenticate(request) -> identity | null. Fails closed
+// (null/deny) for a missing/invalid/disabled token; throws are treated as deny
+// by the caller.
+export function createBearerAuthProvider({ path, cryptoProvider }) {
+  if (!path) {
+    throw new Error("Bearer auth provider requires a store path");
+  }
+  if (typeof cryptoProvider?.hmac !== "function") {
+    throw new Error("Bearer auth provider requires a cryptoProvider with hmac()");
+  }
+  return {
+    id: "haechi.auth.bearer",
+    async authenticate(request) {
+      const token = bearerTokenFromRequest(request);
+      if (!token) {
+        return null;
+      }
+      const candidateHash = await cryptoProvider.hmac({ data: token, domain: TOKEN_DOMAIN });
+      const store = await readAuthStore(path);
+      let matched = null;
+      // Scan every record (no early return) so timing does not reveal which
+      // token matched.
+      for (const record of store.tokens) {
+        if (!record.disabled && constantTimeHashMatch(candidateHash, record.tokenHash)) {
+          matched = record;
+        }
+      }
+      if (!matched) {
+        return null;
+      }
+      return buildIdentity(matched, cryptoProvider);
+    }
+  };
+}
+
+export { DEFAULT_ALLOWED_LABEL_KEYS };

package/packages/cli/bin/haechi.mjs

@@ -5,6 +5,8 @@ import { DEFAULT_PROXY_PORT, createHaechiProxy } from "../../proxy/index.mjs";
 import { signPolicyBundleFile, verifyPolicyBundleFile } from "../../policy-bundle/index.mjs";
 import { validatePluginManifestFile } from "../../plugin/index.mjs";
 import { runMcpStdioFilter, wrapMcpChild } from "../../mcp-stdio/index.mjs";
+import { addToken, listTokens, revokeToken } from "../../auth/index.mjs";
+import { createLocalCryptoProvider } from "../../crypto/index.mjs";
 import { spawn } from "node:child_process";
 import { DEFAULT_CONFIG_PATH, createRuntime, isValidPort, loadConfig, writeDefaultConfig } from "../runtime.mjs";
 
@@ -55,6 +57,9 @@ try {
     case "mcp-wrap":
       await mcpWrapCommand(argv);
       break;
+    case "auth":
+      await authCommand(argv);
+      break;
     case "config":
       printConfigGuide();
       break;
@@ -402,6 +407,76 @@ async function pluginValidateCommand(argv) {
   }
 }
 
+async function authCommand(argv) {
+  const [sub, ...rest] = argv;
+  const options = parseOptions(rest);
+  const config = await loadConfig(options.config ?? DEFAULT_CONFIG_PATH);
+  if (config.keys.provider !== "local") {
+    throw new Error("haechi auth requires keys.provider local (the bearer store is hashed with the local key)");
+  }
+  const cryptoProvider = createLocalCryptoProvider({ keyFile: config.keys.keyFile });
+  const storePath = config.auth.store;
+
+  switch (sub) {
+    case "add": {
+      if (!options.type || options.type === true) {
+        throw new Error("auth add requires --type user|service|agent");
+      }
+      const { token, record } = await addToken({
+        path: storePath,
+        cryptoProvider,
+        type: options.type,
+        scopes: asList(options.scope),
+        labels: asLabels(options.label),
+        allowedLabelKeys: config.auth.allowedLabelKeys
+      });
+      writeJson({
+        ok: true,
+        command: "auth add",
+        id: record.id,
+        type: record.type,
+        scopes: record.scopes,
+        labels: record.labels,
+        token,
+        warning: "This token is shown only once. Store it now; it is not recoverable."
+      });
+      return;
+    }
+    case "list":
+      writeJson({ ok: true, command: "auth list", tokens: await listTokens(storePath) });
+      return;
+    case "revoke": {
+      const [id] = rest;
+      if (!id || id.startsWith("--")) {
+        throw new Error("auth revoke requires a token id");
+      }
+      writeJson({ ok: true, command: "auth revoke", result: await revokeToken({ path: storePath, id }) });
+      return;
+    }
+    default:
+      throw new Error("auth requires a subcommand: add | list | revoke");
+  }
+}
+
+function asList(value) {
+  if (!value || value === true) {
+    return [];
+  }
+  return Array.isArray(value) ? value : [value];
+}
+
+function asLabels(value) {
+  const labels = {};
+  for (const entry of asList(value)) {
+    const index = entry.indexOf("=");
+    if (index === -1) {
+      throw new Error(`Invalid --label (expected key=value): ${entry}`);
+    }
+    labels[entry.slice(0, index)] = entry.slice(index + 1);
+  }
+  return labels;
+}
+
 async function mcpStdioCommand(argv) {
   const options = parseOptions(argv);
   const config = await loadConfig(options.config ?? DEFAULT_CONFIG_PATH);
@@ -442,12 +517,17 @@ function parseOptions(argv) {
     }
     const key = arg.slice(2);
     const next = argv[index + 1];
-    if (!next || next.startsWith("--")) {
-      options[key] = true;
-      continue;
+    const value = (!next || next.startsWith("--")) ? true : next;
+    if (value !== true) {
+      index += 1;
+    }
+    // Repeated flags accumulate into an array (e.g. --scope a --scope b);
+    // a single occurrence stays scalar for backward compatibility.
+    if (Object.prototype.hasOwnProperty.call(options, key)) {
+      options[key] = Array.isArray(options[key]) ? [...options[key], value] : [options[key], value];
+    } else {
+      options[key] = value;
     }
-    options[key] = next;
-    index += 1;
   }
   return options;
 }
@@ -534,6 +614,11 @@ const COMMAND_HELP = {
     summary: "Wrap an MCP server with bidirectional stdio protection.",
     detail: "Spawns <command>, applies the method allowlist + params protection client→server, and result protection + injection heuristics server→client. Drop-in for MCP client configs."
   },
+  auth: {
+    usage: "haechi auth add --type user|service|agent [--scope k:v ...] [--label k=v ...]\n  haechi auth list [--config haechi.config.json]\n  haechi auth revoke <id> [--config haechi.config.json]",
+    summary: "Manage built-in bearer tokens (separate store, hashed).",
+    detail: "Tokens are stored hashed in auth.store (default .haechi/auth.json, 0600). `add` prints the plaintext token once — it cannot be recovered. `list` never reveals tokens; `revoke` disables one by id."
+  },
   config: {
     usage: "haechi config",
     summary: "Print the configuration guide (keys, defaults, common setups)."
@@ -551,7 +636,7 @@ function printHelp(topic) {
     "init", "protect", "report", "status", "audit-verify", "proxy",
     "policy-sign", "policy-verify",
     "token-reveal", "token-purge", "token-export",
-    "plugin-validate", "mcp-stdio", "mcp-wrap", "config"
+    "plugin-validate", "mcp-stdio", "mcp-wrap", "auth", "config"
   ];
   const lines = order.map((name) => `  ${name.padEnd(16)}${COMMAND_HELP[name].summary}`);
   console.log(`Haechi — self-hosted AI context enforcement (developer preview)

package/packages/cli/runtime.mjs

@@ -2,13 +2,14 @@ import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { dirname } from "node:path";
 import { createHaechi } from "../core/index.mjs";
 import { createDefaultFilterEngine } from "../filter/index.mjs";
-import { buildPolicy, createPolicyEngine } from "../policy/index.mjs";
+import { createPolicyProfiles } from "../policy/index.mjs";
 import { createLocalCryptoProvider, initLocalKeyFile } from "../crypto/index.mjs";
 import { createJsonlAuditSink } from "../audit/index.mjs";
 import { createLocalTokenVault } from "../token-vault/index.mjs";
 import { loadVerifiedPolicyBundleFileSync } from "../policy-bundle/index.mjs";
 import { createProtocolAdapter } from "../protocol-adapters/index.mjs";
 import { applyPrivacyProfile, getPrivacyProfile } from "../privacy-profiles/index.mjs";
+import { createBearerAuthProvider } from "../auth/index.mjs";
 import { DEFAULT_PROXY_PORT } from "../proxy/index.mjs";
 
 export const DEFAULT_CONFIG_PATH = "haechi.config.json";
@@ -73,6 +74,11 @@ export function defaultConfig() {
     privacy: {
       profile: null
     },
+    auth: {
+      provider: "none",
+      store: ".haechi/auth.json",
+      allowedLabelKeys: ["team", "env", "tier", "role"]
+    },
     mcp: {
       allowedMethods: ["initialize", "tools/call", "resources/read", "prompts/get"],
       protectParams: true,
@@ -135,19 +141,25 @@ export function createRuntime(config, providers = {}) {
       ...normalized.policy,
       mode: normalized.policy.mode ?? normalized.mode
     };
-  const policy = buildPolicy(normalized.privacy.profile
-    ? applyPrivacyProfile(policySource, normalized.privacy.profile)
-    : policySource);
+  const policyProfiles = createPolicyProfiles(policySource, {
+    transform: (source) => normalized.privacy.profile
+      ? applyPrivacyProfile(source, normalized.privacy.profile)
+      : source
+  });
 
   const filterEngine = providers.filterEngine ?? createDefaultFilterEngine(normalized.filters);
   assertProvider("filterEngine", filterEngine, ["detect"]);
-  const policyEngine = providers.policyEngine ?? createPolicyEngine(policy);
+  const policyEngine = providers.policyEngine ?? policyProfiles.base.policyEngine;
   assertProvider("policyEngine", policyEngine, ["decide"]);
 
+  const authProvider = resolveAuthProvider(normalized, providers, cryptoProvider);
+
   return {
     config: normalized,
     tokenVault,
     auditSink,
+    authProvider,
+    policyProfiles,
     protocolAdapter: createProtocolAdapter(normalized.target),
     haechi: createHaechi({
       mode: normalized.mode,
@@ -212,6 +224,11 @@ export function normalizeConfig(config) {
       ...defaultConfig().privacy,
       ...(config.privacy ?? {})
     },
+    auth: {
+      ...defaultConfig().auth,
+      ...(config.auth ?? {}),
+      allowedLabelKeys: config.auth?.allowedLabelKeys ?? defaultConfig().auth.allowedLabelKeys
+    },
     mcp: {
       ...defaultConfig().mcp,
       ...(config.mcp ?? {}),
@@ -288,6 +305,17 @@ export function normalizeConfig(config) {
   if (typeof merged.limits.upstreamTimeoutMs !== "number" || merged.limits.upstreamTimeoutMs < 1) {
     throw new Error("limits.upstreamTimeoutMs must be a positive number");
   }
+  validatePolicyExtras(merged.policy);
+  if (!["none", "bearer", "external"].includes(merged.auth.provider)) {
+    throw new Error(`Invalid auth.provider: ${merged.auth.provider}`);
+  }
+  if (typeof merged.auth.store !== "string" || !merged.auth.store.trim()) {
+    throw new Error("auth.store must be a non-empty string");
+  }
+  if (!Array.isArray(merged.auth.allowedLabelKeys)
+    || !merged.auth.allowedLabelKeys.every((key) => typeof key === "string" && key.trim())) {
+    throw new Error("auth.allowedLabelKeys must be an array of non-empty strings");
+  }
   createProtocolAdapter(merged.target);
   return merged;
 }
@@ -296,6 +324,76 @@ export function isValidPort(port) {
   return Number.isInteger(port) && port >= 0 && port <= 65535;
 }
 
+function validatePolicyExtras(policy) {
+  if (policy.modelAllowlist !== undefined) {
+    assertModelAllowlist(policy.modelAllowlist, "policy.modelAllowlist");
+  }
+  if (policy.rate !== undefined) {
+    assertRate(policy.rate, "policy.rate");
+  }
+  if (policy.profiles !== undefined) {
+    if (typeof policy.profiles !== "object" || policy.profiles === null || Array.isArray(policy.profiles)) {
+      throw new Error("policy.profiles must be an object of named profiles");
+    }
+    for (const [name, profile] of Object.entries(policy.profiles)) {
+      if (typeof profile !== "object" || profile === null || Array.isArray(profile)) {
+        throw new Error(`policy.profiles.${name} must be an object`);
+      }
+      if (profile.modelAllowlist !== undefined) {
+        assertModelAllowlist(profile.modelAllowlist, `policy.profiles.${name}.modelAllowlist`);
+      }
+      if (profile.rate !== undefined) {
+        assertRate(profile.rate, `policy.profiles.${name}.rate`);
+      }
+    }
+  }
+  if (policy.profileBinding !== undefined) {
+    const binding = policy.profileBinding;
+    if (typeof binding !== "object" || binding === null || Array.isArray(binding)) {
+      throw new Error("policy.profileBinding must be an object");
+    }
+    if (typeof binding.default !== "string" || !binding.default.trim()) {
+      throw new Error("policy.profileBinding.default must be a profile name");
+    }
+    for (const field of ["byScope", "byLabel"]) {
+      if (binding[field] !== undefined
+        && (typeof binding[field] !== "object" || binding[field] === null || Array.isArray(binding[field]))) {
+        throw new Error(`policy.profileBinding.${field} must be an object`);
+      }
+    }
+  }
+}
+
+function assertModelAllowlist(value, label) {
+  if (!Array.isArray(value) || !value.every((model) => typeof model === "string" && model.trim())) {
+    throw new Error(`${label} must be an array of non-empty strings`);
+  }
+}
+
+function assertRate(value, label) {
+  if (typeof value !== "object" || value === null
+    || typeof value.requestsPerMinute !== "number" || value.requestsPerMinute < 1) {
+    throw new Error(`${label}.requestsPerMinute must be a positive number`);
+  }
+}
+
+function resolveAuthProvider(config, providers, cryptoProvider) {
+  if (config.auth.provider === "external") {
+    if (typeof providers.authProvider?.authenticate !== "function") {
+      throw new Error("auth.provider external requires createRuntime(config, { authProvider })");
+    }
+    return providers.authProvider;
+  }
+  if (providers.authProvider) {
+    // An injected provider overrides the built-in selection.
+    return providers.authProvider;
+  }
+  if (config.auth.provider === "bearer") {
+    return createBearerAuthProvider({ path: config.auth.store, cryptoProvider });
+  }
+  return null;
+}
+
 function createConfiguredCryptoProvider(config) {
   if (config.keys.provider === "external") {
     throw new Error("keys.provider external requires createRuntime(config, { cryptoProvider })");

package/packages/core/index.mjs

@@ -7,14 +7,19 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
     throw new Error("Haechi requires filterEngine, policyEngine, cryptoProvider, and auditSink");
   }
 
-  async function protectJson(payload, context = {}) {
+  async function protectJson(payload, rawContext = {}) {
+    // A per-request policy engine (a named profile selected from identity)
+    // overrides the default. It is a control object, NOT data: strip it before
+    // anything downstream (tokenize AAD, audit) sees the context.
+    const { policyEngine: contextEngine, ...context } = rawContext;
     const effectiveMode = context.mode ?? mode;
+    const engine = contextEngine ?? policyEngine;
     const entries = collectStringEntries(payload);
     const detections = await filterEngine.detect({ entries, context });
     const decisions = [];
 
     for (const detection of detections) {
-      decisions.push(await policyEngine.decide({ detection, context, mode: effectiveMode }));
+      decisions.push(await engine.decide({ detection, context, mode: effectiveMode }));
     }
 
     const enforced = !NO_ENFORCE_MODES.has(effectiveMode);
@@ -55,8 +60,12 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
   // Holds a bounded raw tail so a detection split across chunk boundaries is
   // caught before the leading part is emitted. maxMatchBytes bounds the
   // guarantee: a single match longer than it may still split across frames.
-  function createStreamProtector(context = {}) {
+  function createStreamProtector(rawContext = {}) {
+    // Strip the control-object policy engine from the data context (see
+    // protectJson) so it cannot leak into tokenize AAD or audit.
+    const { policyEngine: contextEngine, ...context } = rawContext;
     const effectiveMode = context.mode ?? mode;
+    const engine = contextEngine ?? policyEngine;
     const enforced = !NO_ENFORCE_MODES.has(effectiveMode);
     const maxMatchBytes = context.maxMatchBytes ?? 256;
     const byType = {};
@@ -76,7 +85,7 @@ export function createHaechi({ filterEngine, policyEngine, cryptoProvider, audit
     async function decideAll(detections) {
       const decisions = [];
       for (const detection of detections) {
-        decisions.push(await policyEngine.decide({ detection, context, mode: effectiveMode }));
+        decisions.push(await engine.decide({ detection, context, mode: effectiveMode }));
       }
       return decisions;
     }
@@ -378,9 +387,11 @@ function buildAuditEvent({ context, mode, enforced, blocked, payload, detections
     timestamp: new Date().toISOString(),
     protocol: context.protocol ?? "custom",
     operation: context.operation ?? "protect",
-    // Reserved for 0.6 auth: hard null so unvalidated identity objects cannot
-    // reach the audit log before the PII-safe hashing contract exists.
-    identity: null,
+    // PII-safe identity built by the auth layer (subject/issuer are keyed
+    // HMACs); null when no auth is configured. `profile` is the resolved
+    // policy profile name (or null).
+    identity: context.identity ?? null,
+    profile: context.profile ?? null,
     mode,
     enforced,
     blocked,

package/packages/policy/index.mjs

@@ -130,6 +130,88 @@ export function createPolicyEngine(policy) {
   };
 }
 
+// Compiles the base policy plus every named profile into ready policy engines
+// and a resolver that maps an identity to one. A profile inherits the base
+// policy's presets/actions and overrides on top (so a profile need only state
+// what differs). `transform` (e.g. applyPrivacyProfile) is applied to each
+// compiled policy source before buildPolicy.
+export function createPolicyProfiles(policyConfig = {}, { transform } = {}) {
+  const { profiles = {}, profileBinding = null, ...baseSource } = policyConfig;
+  const apply = (source) => (transform ? transform(source) : source);
+
+  const baseEngine = createPolicyEngine(buildPolicy(apply(baseSource)));
+  const profileNames = Object.keys(profiles);
+  const engines = new Map();
+
+  for (const name of profileNames) {
+    const override = profiles[name] ?? {};
+    const merged = {
+      ...baseSource,
+      ...override,
+      // Profile presets replace the base presets when given; actions merge over
+      // the base via buildPolicy's strengthen-only rules.
+      actions: { ...(baseSource.actions ?? {}), ...(override.actions ?? {}) },
+      modelAllowlist: override.modelAllowlist ?? baseSource.modelAllowlist,
+      rate: override.rate ?? baseSource.rate
+    };
+    engines.set(name, {
+      policyEngine: createPolicyEngine(buildPolicy(apply(merged))),
+      modelAllowlist: merged.modelAllowlist ?? null,
+      rate: merged.rate ?? null
+    });
+  }
+
+  if (profileBinding) {
+    if (!profileBinding.default || !engines.has(profileBinding.default)) {
+      throw new Error("policy.profileBinding.default must name a declared profile");
+    }
+    for (const map of [profileBinding.byScope ?? {}, profileBinding.byLabel ?? {}]) {
+      for (const [key, target] of Object.entries(map)) {
+        if (!engines.has(target)) {
+          throw new Error(`policy.profileBinding maps ${key} to unknown profile: ${target}`);
+        }
+      }
+    }
+  } else if (profileNames.length > 0) {
+    throw new Error("policy.profiles requires policy.profileBinding with a default");
+  }
+
+  const base = {
+    policyEngine: baseEngine,
+    modelAllowlist: baseSource.modelAllowlist ?? null,
+    rate: baseSource.rate ?? null
+  };
+
+  return {
+    base,
+    hasProfiles: profileNames.length > 0,
+    // Resolve identity → { profile, policyEngine, modelAllowlist, rate }.
+    // Order: scope match → label match → default. Without profiles or identity,
+    // the base policy applies.
+    resolve(identity) {
+      if (!profileBinding) {
+        return { profile: null, ...base };
+      }
+      if (identity) {
+        for (const scope of identity.scopes ?? []) {
+          const name = profileBinding.byScope?.[scope];
+          if (name) {
+            return { profile: name, ...engines.get(name) };
+          }
+        }
+        for (const [key, value] of Object.entries(identity.labels ?? {})) {
+          const name = profileBinding.byLabel?.[`${key}=${value}`];
+          if (name) {
+            return { profile: name, ...engines.get(name) };
+          }
+        }
+      }
+      const fallback = profileBinding.default;
+      return { profile: fallback, ...engines.get(fallback) };
+    }
+  };
+}
+
 export function validatePolicy(policy) {
   if (!policy || typeof policy !== "object") {
     throw new Error("Policy must be an object");