haechi 0.6.0 → 0.7.0

package/README.ko.md

@@ -243,6 +243,9 @@ Haechi는 로컬 정책 부트스트래핑을 위한 기본 지역별 Privacy Pr
 - `haechi init --force`는 로컬 키를 교체한다: 기존 키는 `retired` 상태로 보관되어 기존 암호문과 token vault 레코드를 `kid`로 복호화할 수 있다.
 - Privacy profile은 명시적으로 더 엄격한 사용자 action을 강화할 수는 있지만 약화할 수는 없다.
 - 탐지는 문자열 값, JSON 숫자(예: 카드 번호), 객체 키 이름을 검사한다. Base64/URL 인코딩된 값과 URL 쿼리 스트링은 검사되지 않는다.
+- Audit tail truncation: `audit.anchor.mode: file`을 설정하면(추가 전용/별도 미디어에서) `haechi audit-verify --anchor`가 마지막 anchor 이후 꼬리 레코드 삭제를 탐지한다. 동일한 쓰기 가능 파일시스템에서는 공격자가 두 파일을 함께 잘라낼 수 있다.
+- Key custody: `keys.provider: external`은 주입된 `cryptoProvider`를 허용한다; `assertCryptoProviderConformance`로 adapter를 검증한다. envelope 암호화 KMS adapter는 `examples/crypto-kms-reference/`를 참고한다.
+- Release integrity: 배포된 tarball에는 npm provenance attestation이 포함되며, GitHub release asset에는 sigstore attestation과 `SHA256SUMS`가 추가된다(`gh attestation verify`와 `node scripts/release-checksums.mjs --check`로 검증한다).
 - 이 패키지는 개발자 프리뷰이다. 인터넷에 노출된 운영 LLM 게이트웨이로 사용하지 않는다.
 
 ## 현재 범위
@@ -262,3 +265,5 @@ Haechi는 로컬 정책 부트스트래핑을 위한 기본 지역별 Privacy Pr
 0.5.0은 SSE/NDJSON 스트리밍 응답 검사를 추가한다: `streaming.requestMode: "inspect"`가 bounded sliding buffer로 응답을 stream-filter하여 프레임에 걸쳐 쪼개진 PII도 잡는다(`streaming.maxMatchBytes`). `docs/current/release-0.5-implementation-scope.md` 참고.
 
 0.6.0은 인증과 클라이언트별 통제를 추가한다: 해시 기반 token 저장소와 `haechi auth` CLI를 갖춘 내장 bearer auth, identity scope/label로 바인딩되는 named policy profile, model allowlisting, 그리고 identity별 rate limiting — audit 로그에는 PII-safe identity가 기록된다. `docs/current/release-0.6-implementation-scope.md` 참고.
+
+0.7.0은 운영 강화(ops-hardening) 릴리스이다: 꼬리 절단을 탐지하는 audit head-hash anchoring(`audit.anchor`), `assertCryptoProviderConformance`와 reference KMS adapter를 포함한 강화된 외부 `cryptoProvider` 계약, 그리고 서명/체크섬된 GitHub release artifact. `docs/current/release-0.7-implementation-scope.md` 참고.

package/README.md

@@ -243,6 +243,9 @@ Set `privacy.profile` in `haechi.config.json` to apply the profile's default act
 - `haechi init --force` rotates the local key: prior keys are kept as `retired` so existing envelopes and token vault records stay decryptable by `kid`.
 - Privacy profiles can strengthen but never weaken an explicitly stricter user action.
 - Detection scans string values, JSON numbers (e.g. card numbers), and object key names. Base64/URL-encoded values and URL query strings are NOT inspected.
+- Audit tail truncation: set `audit.anchor.mode: file` (on append-only/separate media) so `haechi audit-verify --anchor` detects deletion of trailing records back to the last anchor. On the same writable filesystem an attacker can truncate both files together.
+- Key custody: `keys.provider: external` accepts an injected `cryptoProvider`; validate adapters with `assertCryptoProviderConformance`. See `examples/crypto-kms-reference/` for an envelope-encryption KMS adapter.
+- Release integrity: published tarballs carry an npm provenance attestation; GitHub release assets add a sigstore attestation and `SHA256SUMS` (verify with `gh attestation verify` and `node scripts/release-checksums.mjs --check`).
 - The package is a developer preview. Do not expose it as an internet-facing production LLM gateway.
 
 ## Current Scope
@@ -262,3 +265,5 @@ Set `privacy.profile` in `haechi.config.json` to apply the profile's default act
 0.5.0 adds SSE/NDJSON streaming response inspection: `streaming.requestMode: "inspect"` stream-filters responses with a bounded sliding buffer that catches PII split across frames (`streaming.maxMatchBytes`). See `docs/current/release-0.5-implementation-scope.md`.
 
 0.6.0 adds authentication and per-client controls: built-in bearer auth with a hashed token store and `haechi auth` CLI, named policy profiles bound by identity scope/label, model allowlisting, and per-identity rate limiting — with PII-safe identity in the audit log. See `docs/current/release-0.6-implementation-scope.md`.
+
+0.7.0 is operational hardening: audit head-hash anchoring (`audit.anchor`) that detects tail truncation, a hardened external `cryptoProvider` contract with `assertCryptoProviderConformance` and a reference KMS adapter, and signed/checksummed GitHub release artifacts. See `docs/current/release-0.7-implementation-scope.md`.

package/docs/README.md

@@ -17,6 +17,7 @@ English is the primary documentation language. Korean translations are maintaine
 - `docs/current/release-0.4-implementation-scope.md`: 0.4 token round-trip, mcp-wrap, audit-verify/status, identity/authProvider contract reservation
 - `docs/current/release-0.5-implementation-scope.md`: 0.5 SSE/NDJSON streaming response inspection with bounded cross-frame buffer
 - `docs/current/release-0.6-implementation-scope.md`: 0.6 bearer auth, named policy profiles, model allowlist, rate limiting
+- `docs/current/release-0.7-implementation-scope.md`: 0.7 audit anchoring, cryptoProvider contract + reference KMS adapter, signed release artifacts
 - `docs/current/configuration.md`: full configuration reference (every key, defaults, validation, presets, common setups)
 - `docs/current/risk-register-release-gate.md`: release-blocking risks, security/operational risk status, npm release gates (0.3.2 baseline)
 - `docs/current/threat-model.md`: Haechi 0.3.2 trust boundaries, protected assets, key threats and controls

package/docs/current/api-stability.ko.md

@@ -2,7 +2,7 @@
 
 - 문서 상태: Draft 0.1
 - 작성일: 2026-06-10
-- 기준 버전: 0.6.0
+- 기준 버전: 0.7.0
 
 ## 1. 버전 해석
 
@@ -44,6 +44,9 @@
 - `haechi/stream-filter` (`inspectResponseStream`, path helpers) 및 `createStreamProtector` (스트리밍 검사 내부 구현)
 - `haechi/auth` (`createBearerAuthProvider`, token store, `buildIdentity`) 및 `authProvider` 계약
 - `policy.profiles`/`policy.profileBinding`/`modelAllowlist`/`rate` 및 `identity`/`profile` audit 필드
+- `assertCryptoProviderConformance` 및 강화된 cryptoProvider 계약 (envelope base shape + provider 확장)
+- `audit.anchor` 설정 및 `verifyAuditChain(path, { anchorPath })`
+- `scripts/release-checksums.mjs` (SHA256SUMS 생성/검증)
 
 ## 4. Migration note 기준
 

package/docs/current/api-stability.md

@@ -2,7 +2,7 @@
 
 - Status: Draft 0.1
 - Date: 2026-06-10
-- Target version: 0.6.0
+- Target version: 0.7.0
 
 ## 1. Version Interpretation
 
@@ -43,6 +43,9 @@ The following exports are treated as preview in 0.4.0.
 - `status` / `audit-verify` CLI output shapes
 - `haechi/stream-filter` (`inspectResponseStream`, path helpers) and `createStreamProtector` (streaming inspection internals)
 - `haechi/auth` (`createBearerAuthProvider`, token store, `buildIdentity`) and the `authProvider` contract
+- `assertCryptoProviderConformance` and the hardened cryptoProvider contract (envelope base shape + provider extensions)
+- `audit.anchor` config and `verifyAuditChain(path, { anchorPath })`
+- `scripts/release-checksums.mjs` (SHA256SUMS generate/verify)
 - `policy.profiles`/`policy.profileBinding`/`modelAllowlist`/`rate` and the `identity`/`profile` audit fields
 
 ## 4. Migration note criteria

package/docs/current/release-0.7-implementation-scope.ko.md

@@ -0,0 +1,91 @@
+# Haechi 0.7 Implementation Scope
+
+- 문서 상태: Final
+- 작성일: 2026-06-10
+- 기준 버전: 0.7.0 (0.6.0 이후)
+- 성격: ops hardening
+- 구현 완료: 2026-06-10 — PR #22 (audit anchoring), #23 (cryptoProvider 계약 + reference KMS), #24 (signed release artifacts)
+
+## 1. 릴리스 목표
+
+1.0("stable", developer-preview 레이블 제거)이 차단하는 운영 스토리를 강화한다: 단일 로컬 파일을 넘어선 audit 무결성, 외부 key custody, 검증 가능한 릴리스 아티팩트. 두 번의 1.0 차단 릴리스 중 첫 번째다.
+
+**범위 결정 (2026-06-10):** 0.7은 **ops hardening** — audit 무결성, key custody 계약, 서명된 아티팩트에 집중한다. 이전에 여기에 묶였던 **생태계** 항목들(npm org `@haechi/*`, `@haechi/crypto-kms` / `@haechi/auth-oidc` 게시, `@haechi/dashboard`, npm workspaces)은 **0.8**로 이월하며, 0.8에서 중복된 0.7 로드맵 행도 제거한다.
+
+Core의 **zero runtime dependency** 기조는 협상 불가: 0.7의 모든 것은 `node:` 빌트인만으로 제공된다. 무거운 어댑터(AWS KMS, Vault)는 satellite/example이며, 절대 core에 포함되지 않는다.
+
+## 2. 범위
+
+### 2.1 Audit tail-truncation 방어: head-hash anchoring (내장, zero-dep)
+
+audit hash chain은 변조와 재정렬은 탐지하지만, 마지막 N개 레코드의 **삭제**는 탐지하지 못한다 — 단축된 chain도 여전히 검증을 통과하기 때문이다. 0.7은 주기적 anchoring으로 일반적인 경우를 해결한다.
+
+- 추가 이후 JSONL sink는 현재 chain head를 별도의 **append-only anchor 스트림**에 기록한다: JSON 한 줄 `{ sequence, eventHash, timestamp }`.
+- Config `audit.anchor`:
+  - `mode`: `none` (기본값 — 현재 동작) | `file` | `stdout`.
+  - `path`: `mode: file`일 때의 anchor 파일 (다른 매체 / append-only 플래그가 설정된 경로 권장).
+  - `everyRecords`: anchor 주기 (기본값 `1` — 레코드마다 anchor; 배치 처리 시 값 증가). Anchor 라인은 매우 작다.
+- `verifyAuditChain(path, { anchorPath })`은 교차 검증한다: 최신 anchor의 `sequence`가 chain 길이를 초과해서는 안 되며, 앵커된 `sequence`의 chain 레코드는 앵커된 `eventHash`로 해시되어야 한다. 최신 anchor보다 짧은 chain → **truncation 탐지** (마지막 anchor 이후의 레코드가 제거된 것).
+- `haechi audit-verify --anchor <path>`로 확인하며; `haechi status`는 anchor 모드 + 마지막으로 앵커된 sequence를 보고한다.
+- **보장 범위의 한계:** truncation은 **마지막 anchor** 이전까지만 탐지된다; 마지막 anchor 이후, truncation 이전에 기록된 레코드는 여전히 조용히 손실될 수 있다. `everyRecords: 1`이면 그 범위는 레코드 하나다. 문서화되어 있다.
+
+### 2.2 외부 append-only audit sink 계약
+
+- 주입된 `auditSink` 계약을 공식화한다 (이미 `createRuntime(config, { auditSink })`를 통해 지원됨): `record(event)`는 append-only이며 순서를 보존한다; 외부 sink는 hash chain을 직접 구현하거나 내장 sink를 래핑한다. 기능 플래그(`writesAudit`, `integrity`, `appendOnly`)가 문서화된다.
+- HTTP/syslog/object-lock 전달 레퍼런스 sink는 **0.8 satellite/example**이다; 0.7은 계약 + 내장 anchoring을 zero-dep 해답으로 제공한다.
+
+### 2.3 cryptoProvider 계약 강화 + 레퍼런스 KMS 어댑터
+
+- `keys.provider: external`에 대한 `cryptoProvider` 계약을 강화하고 문서화한다: 외부 provider는 `encrypt`, `decrypt`, **그리고 `hmac`** (토큰/identity를 위해 0.4에서 추가됨)을 구현해야 하며, envelope 형태(`{ v, alg, kid, iv, ct, tag, aadHash }`)를 보존하고, canonical AAD를 바인딩하며, `kid`로 키를 선택해야 한다.
+- `assertCryptoProviderConformance(provider)` (익스포트된 테스트 헬퍼)를 제공한다: encrypt→decrypt 왕복, AAD 불일치 거부, `hmac` 결정론 + domain separation. Satellite 어댑터는 이를 통해 자체 테스트한다.
+- `examples/crypto-kms-reference/` 아래에 **레퍼런스 어댑터**를 제공한다 (자체 `package.json`, AWS/Vault SDK는 *optional/peer* 의존성으로, core의 `files`에 포함하지 않음): 주입 방법을 시연한다. 이것이 0.8에서(npm org 취득 후) 게시되는 **`@haechi/crypto-kms`** satellite의 소스가 된다.
+
+### 2.4 서명된 릴리스 아티팩트
+
+- npm provenance (SLSA attestation)는 신뢰할 수 있는 퍼블리싱을 통해 이미 제공된다 (0.4부터). 0.7은 **GitHub 릴리스 에셋 무결성**을 추가한다: 릴리스 워크플로가 `npm pack`을 실행하고, `SHA256SUMS`를 생성하며, 타볼 + 체크섬 (그리고 가능한 경우 sigstore/cosign 서명)을 각 GitHub 릴리스에 첨부한다.
+- 사용자가 설치 전 다운로드한 타볼을 검증할 수 있게 하고, 릴리스 에셋에 레지스트리 외의 변조 방지 매니페스트를 제공한다.
+
+## 3. 명시적 비범위 (0.8로 이월)
+
+- npm org `@haechi/*` 생성; `@haechi/crypto-kms`, `@haechi/auth-oidc`, `@haechi/auth-jwt` 게시.
+- `@haechi/dashboard` (읽기 전용 audit 뷰어) 및 npm workspaces 전환.
+- 게시된 패키지로서의 실제 AWS KMS / HashiCorp Vault SDK 연동 (0.7은 계약 + 레퍼런스 example만 제공).
+- 분산/공유 audit 또는 rate 상태.
+
+## 4. Config 스키마 요약
+
+```json
+"audit": {
+  "sink": "jsonl",
+  "path": ".haechi/audit.jsonl",
+  "anchor": { "mode": "none", "path": ".haechi/audit.anchor.jsonl", "everyRecords": 1 }
+}
+```
+Fail-closed 검증: 알 수 없는 `anchor.mode`; `path` 없이 `mode: file`; 비양수 `everyRecords`.
+
+## 5. 1.0 졸업 기준 진행
+
+0.7은 다섯 개의 1.0("developer-preview 레이블 제거") 차단 조건 중 세 개를 진전시킨다:
+
+| 1.0 차단 조건 | 0.7 기여 |
+|---|---|
+| 운영 key custody | cryptoProvider 계약 강화 + conformance 테스트 + 레퍼런스 어댑터 (게시 패키지는 0.8) |
+| 외부 / tamper-evident audit | 내장 anchoring으로 tail-truncation 해결; 외부 sink 계약 문서화 |
+| 검증 가능한 릴리스 아티팩트 | 서명/체크섬된 GitHub 릴리스 에셋 |
+| API stability freeze | (1.0) |
+| Plugin sandbox + 실환경 검증 | (1.0) |
+
+## 6. 테스트 기준 (구현 시)
+
+- Anchoring: `everyRecords`에 따라 anchor 라인이 기록됨; anchor가 포함된 `verifyAuditChain`이 truncation(최신 anchor보다 짧은 chain)을 탐지하고 온전한 chain은 통과시킴; `mode: none`이면 0.6 동작과 byte 단위로 동일.
+- `audit-verify --anchor` 종료 코드 + 출력; `status`가 anchor 모드/마지막 sequence를 보고.
+- cryptoProvider conformance 헬퍼가 로컬 provider를 통과시키고, `hmac` 누락 / AAD 불일치 provider를 실패시킴.
+- `audit.anchor` 블록에 대한 Config 검증.
+- 릴리스 워크플로가 팩된 타볼과 일치하는 `SHA256SUMS`를 생성함 (CI 검증 가능).
+
+## 7. 권장 PR 분할 (스택)
+
+1. Audit anchoring (sink가 anchor 기록) + `verifyAuditChain` anchor 교차 검증 + config + `audit-verify --anchor` / `status`.
+2. cryptoProvider 계약 문서 + `assertCryptoProviderConformance` + `examples/crypto-kms-reference/`.
+3. 서명된 릴리스 아티팩트 (릴리스 워크플로 + 검증 문서).
+4. 0.7.0 릴리스 컷 (버전, 문서 EN/KO, threat-model/risk-register/api-stability, wiki).

package/docs/current/release-0.7-implementation-scope.md

@@ -0,0 +1,92 @@
+# Haechi 0.7 Implementation Scope
+
+- Status: Final
+- Date: 2026-06-10
+- Target version: 0.7.0 (after 0.6.0)
+- Type: ops hardening
+- Shipped: 2026-06-10 — PRs #22 (audit anchoring), #23 (cryptoProvider contract + reference KMS), #24 (signed release artifacts)
+
+## 1. Release Goal
+
+Harden the operational story that 1.0 ("stable", developer-preview label removed) blocks on: audit integrity beyond a single local file, external key custody, and verifiable release artifacts. This is the first of the two 1.0-blocker releases.
+
+**Scope decision (2026-06-10):** 0.7 is focused on **ops hardening** — audit integrity, key custody contract, signed artifacts. The **ecosystem** items previously grouped here (npm org `@haechi/*`, publishing `@haechi/crypto-kms` / `@haechi/auth-oidc`, `@haechi/dashboard`, npm workspaces) move to **0.8**, which also removes the duplicate 0.7 roadmap row.
+
+Core's **zero runtime dependency** posture is non-negotiable: everything in 0.7 ships with `node:` builtins only. Heavy adapters (AWS KMS, Vault) are satellites/examples, never core.
+
+## 2. Scope
+
+### 2.1 Audit tail-truncation defense: head-hash anchoring (built-in, zero-dep)
+
+The audit hash chain detects tampering and reordering but **not** deletion of the last N records — the shortened chain still verifies. 0.7 closes this for the common case with periodic anchoring.
+
+- After appending, the JSONL sink writes the current chain head to a separate **append-only anchor stream**: one JSON line `{ sequence, eventHash, timestamp }`.
+- Config `audit.anchor`:
+  - `mode`: `none` (default — current behavior) | `file` | `stdout`.
+  - `path`: anchor file when `mode: file` (created `0600`). `stdout` writes anchor lines to stdout for capture by a long-running command's supervisor — not for JSON-emitting commands, whose output it would interleave.
+  - `everyRecords`: anchor cadence (default `1` — anchor every record; raise to batch). Anchor lines are tiny.
+- `verifyAuditChain(path, { anchorPath })` cross-checks: the latest anchor's `sequence` must not exceed the chain length, and the chain record at the anchored `sequence` must hash to the anchored `eventHash`. A chain shorter than the latest anchor → **truncation detected** (records after the last anchor were removed). A partial trailing anchor line (from a crash) is tolerated.
+- `haechi audit-verify --anchor <path>` surfaces this; `haechi status` reports anchor mode + last anchored sequence.
+- **Threat-model boundary (required, not optional):** the anchor adds tamper-evidence **only when it lives on append-only or physically separate media** (append-only-flagged FS, S3/GCS object-lock, syslog, a different host). On the **same writable filesystem** an attacker who truncates `audit.jsonl` can truncate `audit.anchor.jsonl` to match and verification passes — so file-mode on the same disk is a convenience, not a guarantee. The CLI (`status`, `audit-verify`, `config`) states this explicitly.
+- **Bounded guarantee:** even on proper media, truncation is detected only back to the **last anchor**; records written after the last anchor and before truncation can still be lost silently. With `everyRecords: 1` that window is one record. Documented.
+
+### 2.2 External append-only audit sink contract
+
+- Formalize the injected `auditSink` contract (already supported via `createRuntime(config, { auditSink })`): `record(event)` is append-only and order-preserving; an external sink either implements the hash chain itself or wraps the built-in sink. Capability flags (`writesAudit`, `integrity`, `appendOnly`) are documented.
+- A reference HTTP/syslog/object-lock forwarding sink is a **0.8 satellite/example**; 0.7 ships the contract + the built-in anchoring as the zero-dep answer.
+
+### 2.3 cryptoProvider contract hardening + reference KMS adapter
+
+- Tighten and document the `cryptoProvider` contract for `keys.provider: external`: a provider always implements `encrypt`/`decrypt`, binds canonical AAD, and selects keys by `kid`; the envelope **base shape** is `{ v, alg, kid, iv, ct, tag, aadHash }` and adapters **may add provider-specific fields** (e.g. a KMS adapter's `wrappedKey`). `hmac` is required **only by features that use it** — bearer auth and deterministic tokenization — and `createRuntime` fails closed at construction when one of those is configured without `hmac` (an encrypt-only provider is otherwise valid). Policy-bundle signing uses the local key file directly via the CLI, not the injected provider.
+- Ship `assertCryptoProviderConformance(provider, { requireHmac = true })` (an exported test helper): encrypt→decrypt round-trip (distinct plaintexts), AAD-mismatch rejection, **tampered-ciphertext rejection (real AEAD authentication)**, and `hmac` determinism + data-dependency + domain separation + invalid-domain rejection. Satellite adapters self-test against it; pass `requireHmac: false` for an encrypt-only provider.
+- Ship a **reference adapter** under `examples/crypto-kms-reference/` (its own `package.json`, AWS/Vault SDK as an *optional* dependency; the in-process `createInMemoryKms` is explicitly non-production) demonstrating envelope-encryption injection. It is the source that becomes the published **`@haechi/crypto-kms`** satellite in 0.8 (gated on the npm org).
+
+### 2.4 Signed release artifacts
+
+- npm provenance (SLSA attestation) already ships via trusted publishing (since 0.4). 0.7 adds **GitHub release asset integrity**: the release workflow runs `npm pack`, emits `SHA256SUMS`, and attaches the tarball + checksums (and, where available, a sigstore/cosign signature) to each GitHub release.
+- Lets users verify a downloaded tarball before install and gives the release assets a tamper-evident manifest beyond the registry.
+
+## 3. Explicit non-scope (deferred to 0.8)
+
+- Create npm org `@haechi/*`; publish `@haechi/crypto-kms`, `@haechi/auth-oidc`, `@haechi/auth-jwt`.
+- `@haechi/dashboard` (read-only audit viewer) and npm workspaces conversion.
+- Real AWS KMS / HashiCorp Vault SDK integration as a published package (0.7 ships the contract + reference example only).
+- Distributed/shared audit or rate state.
+
+## 4. Config schema summary
+
+```json
+"audit": {
+  "sink": "jsonl",
+  "path": ".haechi/audit.jsonl",
+  "anchor": { "mode": "none", "path": ".haechi/audit.anchor.jsonl", "everyRecords": 1 }
+}
+```
+Fail-closed validation: unknown `anchor.mode`; `mode: file` without a `path`; non-positive `everyRecords`.
+
+## 5. 1.0 exit-criteria progress
+
+0.7 advances three of the five 1.0 ("remove developer-preview label") blockers:
+
+| 1.0 blocker | 0.7 contribution |
+|---|---|
+| Operational key custody | cryptoProvider contract hardened + conformance test + reference adapter (published package in 0.8) |
+| External / tamper-evident audit | Built-in anchoring closes tail-truncation; external sink contract documented |
+| Verifiable release artifacts | Signed/checksummed GitHub release assets |
+| API stability freeze | (1.0) |
+| Plugin sandbox + real-environment validation | (1.0) |
+
+## 6. Test criteria (for implementation)
+
+- Anchoring: anchor lines written per `everyRecords`; `verifyAuditChain` with an anchor detects truncation (chain shorter than last anchor) and passes an intact chain; `mode: none` keeps 0.6 behavior byte-for-byte.
+- `audit-verify --anchor` exit code + output; `status` reports anchor mode/last sequence.
+- cryptoProvider conformance helper passes the local provider and fails a provider missing `hmac` / mismatching AAD.
+- Config validation for the `audit.anchor` block.
+- Release workflow produces `SHA256SUMS` matching the packed tarball (CI-verifiable).
+
+## 7. Suggested PR breakdown (stacked)
+
+1. Audit anchoring (sink writes anchors) + `verifyAuditChain` anchor cross-check + config + `audit-verify --anchor` / `status`.
+2. cryptoProvider contract doc + `assertCryptoProviderConformance` + `examples/crypto-kms-reference/`.
+3. Signed release artifacts (release workflow + verification doc).
+4. 0.7.0 release cut (version, docs EN/KO, threat-model/risk-register/api-stability, wiki).

package/docs/current/release-process.ko.md

@@ -38,14 +38,37 @@ provenance 없이 수행한 publish는 release note에 갭을 명시적으로
 - https://docs.npmjs.com/trusted-publishers/
 - https://docs.github.com/actions/publishing-packages/publishing-nodejs-packages
 
-## 3. GitHub Actions
+## 3. 서명된 릴리스 아티팩트
+
+**암호학적** 신뢰 앵커는 **npm provenance 증명**(레지스트리 아티팩트)과 **sigstore 증명**(release tarball)이며, 둘 다 GitHub OIDC로 아티팩트를 이 repo의 release workflow 신원에 묶는다. `SHA256SUMS`는 오프라인 체크섬(`sha256sum -c`)을 위한 **도구 호환 편의 수단**이고, 같은 workflow가 생성·업로드하므로 그 자체로는 신뢰 앵커가 아니다. provenance에 더해, publish workflow는 다운로드한 tarball을 설치 전에 검증할 수 있도록 다음 자산을 첨부한다.
+
+- `npm pack` 후 `node scripts/release-checksums.mjs <tarball>`로 `SHA256SUMS` 매니페스트(표준 `<sha256-hex>  <name>` 형식)를 생성한다.
+- `actions/attest-build-provenance`로 tarball의 **keyless sigstore 증명**(GitHub OIDC, 서명 키 없음)을 만든다.
+- tarball + `SHA256SUMS`를 GitHub release에 업로드한다.
+
+다운로드한 릴리스 검증:
+
+```bash
+# 체크섬 (크로스플랫폼: sha256sum -c, 또는 내장 스크립트)
+node scripts/release-checksums.mjs --check SHA256SUMS
+sha256sum -c SHA256SUMS            # GNU
+shasum -a 256 -c SHA256SUMS        # macOS
+
+# sigstore 증명 (이 repo의 release workflow가 빌드한 tarball)
+gh attestation verify haechi-<version>.tgz --repo raeseoklee/haechi
+
+# npm provenance (레지스트리 아티팩트)
+npm audit signatures
+```
+
+## 4. GitHub Actions
 
 | Workflow | 목적 |
 |---|---|
 | `.github/workflows/ci.yml` | test, release preflight, SBOM artifact |
-| `.github/workflows/npm-publish.yml` | GitHub release published 이벤트에서 npm publish (trusted publishing 구성 후 provenance 경로) |
+| `.github/workflows/npm-publish.yml` | GitHub release published 이벤트에서 npm provenance publish + 체크섬/증명 release 자산 |
 
-## 4. 배포 차단 조건
+## 5. 배포 차단 조건
 
 다음 중 하나라도 실패하면 npm publish를 하지 않는다.
 

package/docs/current/release-process.md

@@ -38,14 +38,37 @@ References:
 - https://docs.npmjs.com/trusted-publishers/
 - https://docs.github.com/actions/publishing-packages/publishing-nodejs-packages
 
-## 3. GitHub Actions
+## 3. Signed release artifacts
+
+The **cryptographic** trust anchors are the **npm provenance attestation** (registry artifact) and the **sigstore attestation** (release tarball) — both bind the artifact to this repository's release workflow identity via GitHub OIDC. `SHA256SUMS` is a **tooling-compatible convenience** for offline checksumming (`sha256sum -c`); on its own it is not a trust anchor, since the same workflow produces and uploads it. Beyond provenance, the publish workflow attaches these assets so a downloaded tarball can be verified before install:
+
+- It runs `npm pack`, then `node scripts/release-checksums.mjs <tarball>` to emit a `SHA256SUMS` manifest (standard `<sha256-hex>  <name>` format).
+- It produces a **keyless sigstore attestation** of the tarball via `actions/attest-build-provenance` (GitHub OIDC, no signing keys).
+- It uploads the tarball + `SHA256SUMS` to the GitHub release.
+
+Verify a downloaded release:
+
+```bash
+# checksum (cross-platform: sha256sum -c, or the bundled script)
+node scripts/release-checksums.mjs --check SHA256SUMS
+sha256sum -c SHA256SUMS            # GNU
+shasum -a 256 -c SHA256SUMS        # macOS
+
+# sigstore attestation (tarball was built by this repo's release workflow)
+gh attestation verify haechi-<version>.tgz --repo raeseoklee/haechi
+
+# npm provenance (registry artifact)
+npm audit signatures
+```
+
+## 4. GitHub Actions
 
 | Workflow | Purpose |
 |---|---|
 | `.github/workflows/ci.yml` | Tests, release preflight, SBOM artifact |
-| `.github/workflows/npm-publish.yml` | npm publish on GitHub release published event (provenance path once trusted publishing is configured) |
+| `.github/workflows/npm-publish.yml` | npm provenance publish + checksummed/attested release assets on GitHub release published |
 
-## 4. Deployment block conditions
+## 5. Deployment block conditions
 
 npm publish is not performed if any of the following fail.
 

package/docs/current/risk-register-release-gate.ko.md

@@ -2,7 +2,7 @@
 
 - 문서 상태: Draft 0.3
 - 작성일: 2026-06-10
-- 기준 버전: 0.6.0
+- 기준 버전: 0.7.0
 - 기준 브랜치: `main`
 
 ## 1. 현재 판단
@@ -129,7 +129,7 @@ base64/인코딩 값 디코딩 검사, query string 검사, audit tail truncatio
 | 0.4.0 ✅ | token round-trip and adoption | 2026-06-10 구현 완료: 요청 스코프 response detokenization, deterministic tokenization(파생 키), `haechi mcp-wrap`, `haechi audit-verify`/`haechi status`, injection detection type(기본 allow), `identity`/`authProvider` 계약 예약. `docs/current/release-0.4-implementation-scope.md` 참조 |
 | 0.5.0 ✅ | streaming hardening | 2026-06-10 출시: bounded cross-frame 버퍼를 사용한 SSE/NDJSON 스트리밍 응답 검사(`streaming.requestMode: inspect`). stream sequence AAD, replay cache, 강화된 원격 배포 가이드는 0.6+으로 이월. `docs/current/release-0.5-implementation-scope.md` 참조 |
 | 0.6.0 ✅ | Shipped 2026-06-10 (PRs #17–#19): built-in bearer auth, named policy profiles, model allowlist, request rate limit, PII-safe identity in audit. `docs/current/release-0.6-implementation-scope.md` 참조 |
-| 0.7.0 | observability | npm workspaces 전환, `@haechi/dashboard` read-only audit viewer (hash chain 무결성 표시, 요약/검색/타임라인) |
+| 0.7.0 ✅ | Shipped 2026-06-10 (PRs #22–#24): audit head-hash anchoring + external sink contract, cryptoProvider contract hardening + `assertCryptoProviderConformance` + reference KMS adapter, 서명/체크섬된 release artifact. `docs/current/release-0.7-implementation-scope.md` 참조 |
 | 1.0.0 | stable API contract | migration policy, long-term audit schema, plugin sandbox/runtime conformance 및 allowlist/manifest 통과 외부 auth/classifier package 동적 로딩 |
 
 동적 npm package 로딩은 1.0 plugin sandbox 이전까지 금지한다. 0.4~0.7의 외부 provider는 `createRuntime(config, providers)` 프로그래매틱 주입만 지원한다.

package/docs/current/risk-register-release-gate.md

@@ -2,7 +2,7 @@
 
 - Status: Draft 0.3
 - Date: 2026-06-10
-- Target version: 0.6.0
+- Target version: 0.7.0
 - Branch: `main`
 
 ## 1. Current Assessment
@@ -129,8 +129,8 @@ All checklist items below were completed for 0.3.2 on 2026-06-10 except the prov
 | 0.4.0 ✅ | Token round-trip and adoption | Shipped 2026-06-10: request-scoped response detokenization, deterministic tokenization (derived key), `haechi mcp-wrap`, `haechi audit-verify`/`haechi status`, injection detection type (default allow), `identity`/`authProvider` contracts reserved. See `docs/current/release-0.4-implementation-scope.md` |
 | 0.5.0 ✅ | Streaming hardening | Shipped 2026-06-10: SSE/NDJSON streaming response inspection with bounded cross-frame buffer (`streaming.requestMode: inspect`). Stream sequence AAD, replay cache, stronger remote deployment guide deferred to 0.6+. See `docs/current/release-0.5-implementation-scope.md` |
 | 0.6.0 ✅ | Auth and per-client controls | Shipped 2026-06-10 (PRs #17–#19): built-in bearer auth, named policy profiles, model allowlist, request rate limit, PII-safe identity in audit. See `docs/current/release-0.6-implementation-scope.md` |
-| 0.7.0 | Ops hardening and ecosystem | Vault/AWS KMS reference adapter, external append-only audit sink, signed release artifacts, npm org (`@haechi/*`), OIDC satellite, `@haechi/dashboard` |
-| 0.7.0 | Observability | npm workspaces migration, `@haechi/dashboard` read-only audit viewer (hash chain integrity display, summary/search/timeline) |
+| 0.7.0 ✅ | Ops hardening | Shipped 2026-06-10 (PRs #22–#24): audit head-hash anchoring + external sink contract, cryptoProvider contract hardening + `assertCryptoProviderConformance` + reference KMS adapter, signed/checksummed release artifacts. See `docs/current/release-0.7-implementation-scope.md` |
+| 0.8.0 | Ecosystem and observability | npm org (`@haechi/*`), publish `@haechi/crypto-kms` and `@haechi/auth-oidc`, npm workspaces, `@haechi/dashboard` read-only audit viewer (hash-chain integrity display, summary/search/timeline) |
 | 1.0.0 | Stable API contract | Migration policy, long-term audit schema, plugin sandbox/runtime conformance, and dynamic loading of external auth/classifier packages that pass allowlist/manifest |
 
 Dynamic npm package loading is prohibited until the 1.0 plugin sandbox. External providers in 0.4–0.7 are supported only via `createRuntime(config, providers)` programmatic injection.

package/docs/current/threat-model.ko.md

@@ -2,7 +2,7 @@
 
 - 문서 상태: Draft 0.1
 - 작성일: 2026-06-10
-- 기준 버전: 0.6.0
+- 기준 버전: 0.7.0
 
 ## 1. 보호 대상
 
@@ -48,6 +48,9 @@ Haechi가 보호하려는 주요 자산은 다음이다.
 | signing/encryption 키 혼용 | key separation 위반 | policy bundle 서명 키를 domain-separated 파생 키로 분리 |
 | JSON number/object key 은닉 | 카드번호 등 비문자열 leaf 미탐지 | number leaf와 object key도 detection/transform 대상 |
 | 인증 없는 멀티 클라이언트 접근 | 로컬 프로세스가 upstream / token round-trip 경로를 무단 사용 | 선택적 bearer auth (`auth.provider: bearer`); 없거나 잘못된 경우 → 바디 읽기 전 401; identity별 rate limit 및 model allowlist |
+| Audit tail truncation | 꼬리 audit 레코드의 무음 삭제 | 추가 전용/별도 미디어의 `audit.anchor` head-hash anchoring으로 마지막 anchor까지의 절단 탐지 (0.7) |
+| Local dev key in production | 소프트웨어 키의 운영 custody 오용 | `assertCryptoProviderConformance`를 통한 외부 `cryptoProvider` 주입; reference KMS adapter (envelope 암호화) |
+| Tampered release artifact | 변조된 tarball 설치 | npm provenance + GitHub release tarball의 sigstore attestation + `SHA256SUMS` (0.7) |
 | audit에 원시 credentials/identity 노출 | audit 로그를 통한 token 또는 subject 유출 | Token은 keyed-HMAC 해시로만 저장; identity subject/issuer는 keyed HMAC 처리; `auth_denied` 레코드에 token 미포함 |
 | token round-trip의 타 토큰 복원 | 클라이언트/요청 간 평문 복구 | detokenization은 opt-in(`detokenizeResponses`)이며 요청 스코프: 같은 요청을 보호하며 발급된 토큰만 복원 |
 | tool result/응답 내 간접 prompt injection | 심어진 지시문에 의한 agent 조작 | 응답 방향 휴리스틱, 기본 report-only(`injection` action `allow`), 격상은 명시적 정책 선택. 완전 방어 아님 |
@@ -66,7 +69,7 @@ Haechi가 보호하려는 주요 자산은 다음이다.
 - 외부 MCP server의 OAuth/resource binding 검증
 - base64/URL-encoded 값, 유니코드 난독화 값의 디코딩 후 검사
 - URL query string 내 민감값 검사 (JSON body만 검사)
-- audit hash chain의 tail truncation(꼬리 절단) 탐지 — 체인은 변조/재정렬은 탐지하지만 마지막 N개 레코드 삭제는 외부 보존 사본 없이는 탐지 불가
+- 마지막 anchor 이후의 audit tail truncation — `audit.anchor`(0.7)는 anchor가 추가 전용/별도 미디어에 있을 때 마지막 anchor까지의 레코드 삭제를 탐지한다; 마지막 anchor 이후 기록된 레코드와 동일 파일시스템 anchor는 대상에서 제외된다
 - JSON-RPC batch 메시지 처리 (MCP stdio filter는 batch를 fail-closed로 거부)
 
 ## 5. 남은 운영 전제

package/docs/current/threat-model.md

@@ -2,7 +2,7 @@
 
 - Status: Draft 0.1
 - Date: 2026-06-10
-- Target version: 0.6.0
+- Target version: 0.7.0
 
 ## 1. Assets Under Protection
 
@@ -48,6 +48,9 @@ The primary assets Haechi protects are:
 | Signing/encryption key conflation | Key separation violation | Policy bundle signing key isolated as a domain-separated derived key |
 | JSON number / object key concealment | Undetected non-string leaves such as card numbers | Number leaves and object keys included in detection/transform scope |
 | Unauthenticated multi-client access | Any local process uses the upstream / token round-trip | Optional bearer auth (`auth.provider: bearer`); missing/invalid → 401 before body read; per-identity rate limit and model allowlist |
+| Audit tail truncation | Silent deletion of trailing audit records | `audit.anchor` head-hash anchoring on append-only/separate media detects truncation back to the last anchor (0.7) |
+| Local dev key in production | Software key misused as production custody | External `cryptoProvider` injection with `assertCryptoProviderConformance`; reference KMS adapter (envelope encryption) |
+| Tampered release artifact | Modified tarball installed | npm provenance + sigstore attestation of the GitHub release tarball + `SHA256SUMS` (0.7) |
 | Raw credentials/identity in audit | Token or subject leak through the audit log | Tokens stored only as keyed-HMAC hashes; identity subject/issuer are keyed HMAC; `auth_denied` records no token |
 | Token round-trip restoring foreign tokens | Cross-client/request plaintext recovery | Detokenization is opt-in (`detokenizeResponses`) and request-scoped: only tokens issued while protecting the same request are restored |
 | Indirect prompt injection in tool results/responses | Agent manipulation via planted instructions | Response-direction heuristics, report-only by default (`injection` action `allow`); escalation is an explicit policy choice. Not a complete defense |
@@ -66,7 +69,7 @@ The primary assets Haechi protects are:
 - OAuth/resource binding validation for external MCP servers
 - Inspection of base64/URL-encoded values or unicode-obfuscated values after decoding
 - Detection of sensitive values in URL query strings (JSON body only)
-- Audit hash chain tail truncation detection — the chain detects tampering and reordering, but deletion of the last N records cannot be detected without an externally preserved copy
+- Audit tail truncation beyond the last anchor — `audit.anchor` (0.7) detects deletion of records back to the last anchor when the anchor is on append-only/separate media; records written after the last anchor, and same-filesystem anchors, are not covered
 - JSON-RPC batch message processing (the MCP stdio filter rejects batches fail-closed)
 
 ## 5. Remaining Operational Assumptions

package/examples/crypto-kms-reference/README.md

@@ -0,0 +1,47 @@
+# `@haechi/crypto-kms` (reference)
+
+A reference KMS-backed `cryptoProvider` for Haechi's `keys.provider: external` path. This is the **shape** of the satellite published as `@haechi/crypto-kms` in 0.8 — it lives here as a dependency-free reference so core stays zero-runtime-dependency.
+
+## How it works
+
+Envelope encryption: each `encrypt` generates a fresh AES-256-GCM **data key**, encrypts the plaintext locally, and **wraps the data key with the KMS**. The KMS master key never leaves the KMS. `decrypt` unwraps the data key via the KMS and decrypts locally. `hmac` derives a per-domain key from the KMS, preserving Haechi's domain-separation discipline (tokens, identity, policy bundles).
+
+The envelope matches Haechi's contract (`v, alg, kid, iv, ct, tag, aadHash`) plus a `wrappedKey`. AAD is canonicalized and bound exactly as the local provider does, so it passes `assertCryptoProviderConformance`.
+
+## The KMS client interface
+
+Inject any client implementing:
+
+```js
+{
+  keyId: string,
+  async wrap(dataKey: Buffer): string,          // KMS-encrypt a data key
+  async unwrap(wrapped: string): Buffer,         // KMS-decrypt it
+  async deriveHmacKey(domain: string): Buffer    // KMS-derived per-domain key
+}
+```
+
+`createInMemoryKms()` is a process-local stand-in for examples/tests. A real deployment swaps in an AWS KMS / HashiCorp Vault client (e.g. `@aws-sdk/client-kms` `GenerateDataKey`/`Decrypt`, plus an HKDF for `deriveHmacKey`).
+
+## Usage
+
+In 0.7 this is a repo reference example — import it by relative path
+(`./examples/crypto-kms-reference/index.mjs`). From 0.8 it is published as
+`@haechi/crypto-kms` and imported by name, as shown below.
+
+```js
+import { createRuntime } from "haechi/runtime";
+import { createKmsCryptoProvider, createInMemoryKms } from "@haechi/crypto-kms";
+
+const cryptoProvider = createKmsCryptoProvider({ kms: createInMemoryKms() });
+const runtime = createRuntime({ keys: { provider: "external" }, /* ... */ }, { cryptoProvider });
+```
+
+## Self-test
+
+```js
+import { assertCryptoProviderConformance } from "haechi/crypto";
+await assertCryptoProviderConformance(cryptoProvider); // throws on any contract violation
+```
+
+This reference is **not a production key provider**; `createInMemoryKms` holds a process-local master key. Use a real KMS client for custody.

package/examples/crypto-kms-reference/index.mjs

@@ -0,0 +1,133 @@
+// Reference KMS-backed cryptoProvider for Haechi (keys.provider: external).
+//
+// This is the *shape* a published @haechi/crypto-kms satellite (0.8) takes. It
+// uses envelope encryption: a fresh data key per record encrypts the plaintext
+// locally with AES-256-GCM, and the data key is wrapped by the KMS. The master
+// key never leaves the KMS. The `kms` client is injected, so this file has zero
+// real dependencies — a real adapter swaps createInMemoryKms() for an AWS KMS /
+// HashiCorp Vault client implementing the same small interface.
+//
+// Inject it:  createRuntime(config, { cryptoProvider: createKmsCryptoProvider({ kms }) })
+// and set keys.provider: "external".
+
+import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes } from "node:crypto";
+
+// The published @haechi/crypto-kms satellite imports this from `haechi/crypto`;
+// it is inlined here so the reference example is fully self-contained (no
+// cross-package import) and matches Haechi's canonical AAD exactly.
+function canonicalize(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((item) => canonicalize(item)).join(",")}]`;
+  }
+  if (value && typeof value === "object") {
+    return `{${Object.keys(value).sort().map((key) => `${JSON.stringify(key)}:${canonicalize(value[key])}`).join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+
+const ALG = "AES-256-GCM";
+const HMAC_KEY_DOMAIN = "haechi:crypto-kms:hmac-root:v1";
+
+// The injected KMS client must implement:
+//   keyId: string
+//   async wrap(dataKey: Buffer) -> string            (KMS-encrypt a data key)
+//   async unwrap(wrapped: string) -> Buffer          (KMS-decrypt it back)
+//   async deriveHmacKey(domain: string) -> Buffer    (KMS-derived per-domain key)
+export function createKmsCryptoProvider({ kms }) {
+  if (!kms || typeof kms.wrap !== "function" || typeof kms.unwrap !== "function" || typeof kms.deriveHmacKey !== "function") {
+    throw new Error("createKmsCryptoProvider requires a kms client with wrap/unwrap/deriveHmacKey");
+  }
+
+  function sha256(value) {
+    // Plain SHA-256, matching Haechi's core aadHash (defence-in-depth; GCM
+    // already authenticates the AAD via the tag).
+    return createHash("sha256").update(value).digest("base64url");
+  }
+
+  return {
+    id: "haechi.crypto.kms-reference",
+    version: "0.1.0",
+    capabilities: {
+      readsPlaintext: true,
+      networkEgress: true,   // a real KMS adapter calls out to the KMS
+      keyCustody: "external-kms"
+    },
+    async encrypt({ plaintext, aad }) {
+      const dataKey = randomBytes(32);
+      const iv = randomBytes(12);
+      const cipher = createCipheriv("aes-256-gcm", dataKey, iv);
+      const aadBytes = Buffer.from(canonicalize(aad), "utf8");
+      cipher.setAAD(aadBytes);
+      const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+      const tag = cipher.getAuthTag();
+      return {
+        v: 1,
+        alg: ALG,
+        kid: kms.keyId,
+        iv: iv.toString("base64url"),
+        ct: ciphertext.toString("base64url"),
+        tag: tag.toString("base64url"),
+        wrappedKey: await kms.wrap(dataKey),
+        aadHash: sha256(aadBytes)
+      };
+    },
+    async decrypt({ envelope, aad }) {
+      if (envelope.alg && envelope.alg !== ALG) {
+        throw new Error(`Unsupported algorithm: ${envelope.alg}`);
+      }
+      const aadBytes = Buffer.from(canonicalize(aad), "utf8");
+      if (envelope.aadHash && envelope.aadHash !== sha256(aadBytes)) {
+        throw new Error("AAD hash mismatch");
+      }
+      const dataKey = await kms.unwrap(envelope.wrappedKey);
+      const decipher = createDecipheriv("aes-256-gcm", dataKey, Buffer.from(envelope.iv, "base64url"));
+      decipher.setAAD(aadBytes);
+      decipher.setAuthTag(Buffer.from(envelope.tag, "base64url"));
+      return Buffer.concat([
+        decipher.update(Buffer.from(envelope.ct, "base64url")),
+        decipher.final()
+      ]).toString("utf8");
+    },
+    async hmac({ data, domain }) {
+      if (!domain || typeof domain !== "string") {
+        throw new Error("hmac requires a non-empty domain string");
+      }
+      // Domain-separated: derive a per-domain key from the KMS, then HMAC.
+      const derived = await kms.deriveHmacKey(domain);
+      return createHmac("sha256", derived).update(data).digest("hex");
+    }
+  };
+}
+
+// In-memory stand-in for AWS KMS / Vault — for examples and tests only. A real
+// deployment injects a client backed by the cloud KMS.
+//
+// WARNING: the default masterKey is a fresh random key PER PROCESS. Anything
+// encrypted in one run cannot be decrypted in the next — exactly the silent
+// data-loss footgun that key rotation must avoid. For any persistence across
+// restarts, supply a stable `masterKey` (or, in production, use a real KMS that
+// holds the master key). This fake is NOT a production key provider.
+export function createInMemoryKms({ keyId = "kms-ref-local", masterKey = randomBytes(32) } = {}) {
+  return {
+    keyId,
+    async wrap(dataKey) {
+      const iv = randomBytes(12);
+      const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
+      const ct = Buffer.concat([cipher.update(dataKey), cipher.final()]);
+      const tag = cipher.getAuthTag();
+      return Buffer.concat([iv, tag, ct]).toString("base64url");
+    },
+    async unwrap(wrapped) {
+      const buffer = Buffer.from(wrapped, "base64url");
+      const iv = buffer.subarray(0, 12);
+      const tag = buffer.subarray(12, 28);
+      const ct = buffer.subarray(28);
+      const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
+      decipher.setAuthTag(tag);
+      return Buffer.concat([decipher.update(ct), decipher.final()]);
+    },
+    async deriveHmacKey(domain) {
+      return createHmac("sha256", masterKey).update(`${HMAC_KEY_DOMAIN}:${domain}`).digest();
+    }
+  };
+}

package/examples/crypto-kms-reference/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "@haechi/crypto-kms",
+  "version": "0.0.0-reference",
+  "private": true,
+  "description": "Reference KMS-backed cryptoProvider for Haechi (keys.provider: external). Promoted to a published @haechi/* satellite in 0.8.",
+  "type": "module",
+  "exports": {
+    ".": "./index.mjs"
+  },
+  "peerDependencies": {
+    "haechi": ">=0.7.0"
+  },
+  "optionalDependencies": {
+    "@aws-sdk/client-kms": "^3"
+  },
+  "engines": {
+    "node": ">=22"
+  }
+}

package/haechi.config.example.json

@@ -47,7 +47,12 @@
   },
   "audit": {
     "sink": "jsonl",
-    "path": ".haechi/audit.jsonl"
+    "path": ".haechi/audit.jsonl",
+    "anchor": {
+      "mode": "none",
+      "path": ".haechi/audit.anchor.jsonl",
+      "everyRecords": 1
+    }
   },
   "tokenVault": {
     "provider": "local",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "haechi",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Experimental developer preview for self-hosted AI context enforcement across LLM, MCP, vLLM, Ollama, and agent traffic.",
   "license": "Apache-2.0",
   "type": "module",
@@ -55,6 +55,7 @@
     "haechi.config.example.json",
     "packages/",
     "examples/",
+    "scripts/release-checksums.mjs",
     "docs/current/"
   ],
   "scripts": {
@@ -63,6 +64,7 @@
     "pack:dry": "npm pack --dry-run",
     "scan:stale-names": "node scripts/stale-name-scan.mjs",
     "sbom": "node scripts/generate-sbom.mjs",
+    "checksums": "node scripts/release-checksums.mjs",
     "bench:payload": "node scripts/bench-payload.mjs",
     "release:preflight": "node scripts/release-preflight.mjs",
     "release:preflight:npm": "node scripts/release-preflight.mjs --require-npm-auth",

package/packages/audit/index.mjs

@@ -7,20 +7,55 @@ import { setTimeout as delay } from "node:timers/promises";
 
 const FORBIDDEN_KEYS = new Set(["value", "plaintext", "payload", "content", "message", "prompt", "secret"]);
 
-export function createJsonlAuditSink({ path }) {
+export function createJsonlAuditSink({ path, anchor = null }) {
   if (!path) {
     throw new Error("JSONL audit sink requires path");
   }
+  const anchorMode = anchor?.mode ?? "none";
+  const anchorPath = anchor?.path ?? null;
+  const everyRecords = anchor?.everyRecords ?? 1;
+  if (!["none", "file", "stdout"].includes(anchorMode)) {
+    throw new Error(`Invalid audit anchor mode: ${anchorMode}`);
+  }
+  if (anchorMode === "file" && !anchorPath) {
+    throw new Error("audit anchor mode 'file' requires an anchor path");
+  }
+  // The sink is a public export reachable via auditSink injection, so it
+  // validates everyRecords itself rather than trusting normalizeConfig.
+  if (!Number.isInteger(everyRecords) || everyRecords < 1) {
+    throw new Error("audit anchor everyRecords must be a positive integer");
+  }
 
   let writeQueue = Promise.resolve();
 
+  async function writeAnchor(record) {
+    const { sequence, eventHash } = record.auditIntegrity;
+    // Tamper-evidence against tail truncation: the chain head is appended to a
+    // separate append-only stream, so deleting trailing records leaves the
+    // chain shorter than the last anchored sequence.
+    if (anchorMode === "none" || sequence % everyRecords !== 0) {
+      return;
+    }
+    const line = `${JSON.stringify({ sequence, eventHash, timestamp: record.timestamp })}\n`;
+    if (anchorMode === "stdout") {
+      process.stdout.write(line);
+    } else {
+      await mkdir(dirname(anchorPath), { recursive: true });
+      // 0600 on creation, like the key/lock files. Note this only matters for
+      // confidentiality of the timeline — tamper-evidence still requires the
+      // anchor to live on append-only/separate media (see docs).
+      await appendFile(anchorPath, line, { mode: 0o600 });
+    }
+  }
+
   return {
     id: "haechi.audit.jsonl",
     version: "0.1.0",
     capabilities: {
       writesAudit: true,
       writesPlaintext: false,
-      integrity: "sha256-hash-chain"
+      appendOnly: true,
+      integrity: anchorMode === "none" ? "sha256-hash-chain" : "sha256-hash-chain+anchor"
     },
     async record(event) {
       const write = writeQueue.then(async () => {
@@ -28,6 +63,7 @@ export function createJsonlAuditSink({ path }) {
         await withFileLock(`${path}.lock`, async () => {
           const record = await buildIntegrityRecord(path, sanitizeAudit(event));
           await appendFile(path, `${JSON.stringify(record)}\n`, "utf8");
+          await writeAnchor(record);
         });
       });
       writeQueue = write.catch(() => {});
@@ -87,7 +123,12 @@ export function sanitizeAudit(value) {
   return value;
 }
 
-export async function verifyAuditChain(path) {
+export async function verifyAuditChain(path, { anchorPath = null } = {}) {
+  // The anchor stream (if provided) records the chain head at past points; a
+  // chain shorter than the last anchor, or a hash that disagrees with an
+  // anchor, is tail truncation / tampering the chain alone cannot catch.
+  const anchors = anchorPath ? await readAnchors(anchorPath) : null;
+
   const lines = createInterface({
     input: createReadStream(path, { encoding: "utf8" }),
     crlfDelay: Infinity
@@ -122,14 +163,66 @@ export async function verifyAuditChain(path) {
       return { valid: false, records, reason: "event hash mismatch" };
     }
 
+    if (anchors && anchors.bySequence.has(expectedSequence)
+      && anchors.bySequence.get(expectedSequence) !== eventHash) {
+      return { valid: false, records, reason: `anchor hash mismatch at sequence ${expectedSequence}` };
+    }
+
     expectedPreviousHash = eventHash;
     expectedSequence += 1;
     records += 1;
   }
 
-  // headHash anchors the chain externally: publishing it out-of-band is the
-  // only defense against tail truncation, which the chain alone cannot detect.
-  return { valid: true, records, headHash: expectedPreviousHash };
+  if (anchors && anchors.lastSequence > records) {
+    return {
+      valid: false,
+      records,
+      reason: `tail truncation: chain has ${records} records but anchor attests sequence ${anchors.lastSequence}`
+    };
+  }
+
+  // headHash anchors the chain externally. With anchorPath, truncation back to
+  // the last anchor is now detected; the residual gap is records written after
+  // the last anchor.
+  const result = { valid: true, records, headHash: expectedPreviousHash };
+  if (anchors) {
+    result.anchored = { count: anchors.bySequence.size, lastSequence: anchors.lastSequence };
+  }
+  return result;
+}
+
+async function readAnchors(anchorPath) {
+  const bySequence = new Map();
+  let lastSequence = 0;
+  try {
+    const lines = createInterface({
+      input: createReadStream(anchorPath, { encoding: "utf8" }),
+      crlfDelay: Infinity
+    });
+    for await (const line of lines) {
+      if (!line.trim()) {
+        continue;
+      }
+      // A crash can leave a partial trailing anchor line; tolerate it (skip)
+      // rather than failing the whole verification. The chain check plus the
+      // remaining valid anchors still bound truncation detection.
+      let anchor;
+      try {
+        anchor = JSON.parse(line);
+      } catch {
+        continue;
+      }
+      if (typeof anchor.sequence === "number" && typeof anchor.eventHash === "string") {
+        bySequence.set(anchor.sequence, anchor.eventHash);
+        lastSequence = Math.max(lastSequence, anchor.sequence);
+      }
+    }
+  } catch (error) {
+    if (error.code !== "ENOENT") {
+      throw error;
+    }
+  }
+  return { bySequence, lastSequence };
 }
 
 async function buildIntegrityRecord(path, event) {

package/packages/cli/bin/haechi.mjs

@@ -147,19 +147,27 @@ async function reportCommand(argv) {
 async function auditVerifyCommand(argv) {
   const options = parseOptions(argv);
   let auditPath = options.audit ?? options.path;
-  if (!auditPath) {
+  let anchorPath = typeof options.anchor === "string" ? options.anchor : null;
+  if (!auditPath || (options.anchor === true && !anchorPath)) {
     try {
-      auditPath = (await loadConfig(options.config ?? DEFAULT_CONFIG_PATH)).audit.path;
+      const config = await loadConfig(options.config ?? DEFAULT_CONFIG_PATH);
+      auditPath = auditPath ?? config.audit.path;
+      // --anchor with no value (or no flag at all) falls back to the configured
+      // anchor path when anchoring is enabled.
+      if (!anchorPath && config.audit.anchor.mode === "file") {
+        anchorPath = config.audit.anchor.path;
+      }
     } catch {
-      auditPath = ".haechi/audit.jsonl";
+      auditPath = auditPath ?? ".haechi/audit.jsonl";
     }
   }
 
-  const result = await verifyAuditChain(auditPath);
+  const result = await verifyAuditChain(auditPath, { anchorPath });
   writeJson({
     ok: result.valid,
     command: "audit-verify",
     auditPath,
+    anchorPath,
     result
   });
   if (!result.valid) {
@@ -208,17 +216,30 @@ async function statusCommand(argv) {
     warnings.push(`key file ${config.keys.keyFile} does not exist; run haechi init`);
   }
 
-  const audit = { path: config.audit.path, exists: false, chain: null };
+  const anchorEnabled = config.audit.anchor.mode === "file";
+  const audit = {
+    path: config.audit.path,
+    exists: false,
+    chain: null,
+    anchor: { mode: config.audit.anchor.mode, path: anchorEnabled ? config.audit.anchor.path : null }
+  };
   try {
     await stat(config.audit.path);
     audit.exists = true;
-    audit.chain = await verifyAuditChain(config.audit.path);
+    audit.chain = await verifyAuditChain(config.audit.path, {
+      anchorPath: anchorEnabled ? config.audit.anchor.path : null
+    });
     if (!audit.chain.valid) {
       warnings.push(`audit chain verification failed: ${audit.chain.reason}`);
     }
   } catch {
     // No audit file yet is a normal pre-first-run state, not a warning.
   }
+  if (config.audit.anchor.mode === "none") {
+    warnings.push("audit.anchor.mode is none: tail truncation of the audit log cannot be detected");
+  } else if (config.audit.anchor.mode === "file") {
+    warnings.push("audit.anchor: real tail-truncation defense requires the anchor on append-only or separate media; on the same writable filesystem an attacker can truncate both files together");
+  }
 
   writeJson({
     ok: true,
@@ -566,9 +587,9 @@ const COMMAND_HELP = {
     summary: "Summarize audit events without raw payloads."
   },
   "audit-verify": {
-    usage: "haechi audit-verify [--audit .haechi/audit.jsonl] [--config haechi.config.json]",
+    usage: "haechi audit-verify [--audit .haechi/audit.jsonl] [--anchor [path]] [--config haechi.config.json]",
     summary: "Verify the audit hash chain; print validity, record count, and head hash.",
-    detail: "Exit 4 on a broken chain. The head hash is the value to anchor externally against tail truncation."
+    detail: "Exit 4 on a broken chain. With --anchor (or audit.anchor.mode: file in config) it cross-checks the anchor stream and detects tail truncation back to the last anchor. The anchor only adds real defense when kept on append-only or separate media — on the same writable filesystem an attacker can truncate both files together."
   },
   status: {
     usage: "haechi status [--config haechi.config.json]",
@@ -698,6 +719,17 @@ Tokenization (model sees token, caller sees plaintext)
   tokenVault.detokenizeResponses  restore request-issued tokens in the response
                             (needs responseProtection.enabled)
 
+Audit integrity
+  audit.anchor.mode         none | file | stdout                (default none)
+                            file/stdout anchor the chain head so tail
+                            truncation is detected (haechi audit-verify --anchor).
+                            Real defense needs the anchor on append-only or
+                            separate media; same-filesystem anchors can be
+                            truncated together. stdout mode is for long-running
+                            commands (proxy), not JSON-emitting ones.
+  audit.anchor.path         .haechi/audit.anchor.jsonl          (mode: file)
+  audit.anchor.everyRecords anchor cadence                      (default 1)
+
 Privacy + MCP
   privacy.profile           kr-pipa | eu-gdpr | us-general | null
   mcp.allowedMethods        client-callable method allowlist

package/packages/cli/runtime.mjs

@@ -60,7 +60,12 @@ export function defaultConfig() {
     },
     audit: {
       sink: "jsonl",
-      path: ".haechi/audit.jsonl"
+      path: ".haechi/audit.jsonl",
+      anchor: {
+        mode: "none",
+        path: ".haechi/audit.anchor.jsonl",
+        everyRecords: 1
+      }
     },
     tokenVault: {
       provider: "local",
@@ -117,7 +122,18 @@ export function createRuntime(config, providers = {}) {
   const normalized = normalizeConfig(config);
   const cryptoProvider = providers.cryptoProvider ?? createConfiguredCryptoProvider(normalized);
   assertProvider("cryptoProvider", cryptoProvider, ["encrypt", "decrypt"]);
-  const auditSink = providers.auditSink ?? createJsonlAuditSink({ path: normalized.audit.path });
+  // hmac is only required by features that use it (bearer auth, deterministic
+  // tokenization). An encrypt-only external provider is valid otherwise; fail
+  // closed at construction rather than deep in a request if a needing feature
+  // is configured without it.
+  if (typeof cryptoProvider.hmac !== "function"
+    && (normalized.auth.provider === "bearer" || normalized.tokenVault.deterministic)) {
+    throw new Error("cryptoProvider must implement hmac() for bearer auth / deterministic tokenization");
+  }
+  const auditSink = providers.auditSink ?? createJsonlAuditSink({
+    path: normalized.audit.path,
+    anchor: normalized.audit.anchor
+  });
   assertProvider("auditSink", auditSink, ["record"]);
   const tokenVault = providers.tokenVault ?? createLocalTokenVault({
     path: normalized.tokenVault.path,
@@ -214,7 +230,11 @@ export function normalizeConfig(config) {
     },
     audit: {
       ...defaultConfig().audit,
-      ...(config.audit ?? {})
+      ...(config.audit ?? {}),
+      anchor: {
+        ...defaultConfig().audit.anchor,
+        ...(config.audit?.anchor ?? {})
+      }
     },
     tokenVault: {
       ...defaultConfig().tokenVault,
@@ -248,6 +268,16 @@ export function normalizeConfig(config) {
   if (merged.audit.sink !== "jsonl") {
     throw new Error("Current implementation only supports jsonl audit sink");
   }
+  if (!["none", "file", "stdout"].includes(merged.audit.anchor.mode)) {
+    throw new Error(`Invalid audit.anchor.mode: ${merged.audit.anchor.mode}`);
+  }
+  if (merged.audit.anchor.mode === "file"
+    && (typeof merged.audit.anchor.path !== "string" || !merged.audit.anchor.path.trim())) {
+    throw new Error("audit.anchor.mode 'file' requires audit.anchor.path");
+  }
+  if (!Number.isInteger(merged.audit.anchor.everyRecords) || merged.audit.anchor.everyRecords < 1) {
+    throw new Error("audit.anchor.everyRecords must be a positive integer");
+  }
   if (merged.tokenVault.provider !== "local") {
     throw new Error("0.2 only supports local token vault provider");
   }

package/packages/crypto/index.mjs

@@ -139,6 +139,113 @@ export async function initLocalKeyFile(keyFile, { force = false } = {}) {
   return { created: true, keyFile, rotated: retiredKeys.length > 0 };
 }
 
+// Conformance suite for any cryptoProvider used via keys.provider: external.
+// Adapter authors (e.g. a KMS satellite) run this to self-test against the
+// contract. encrypt/decrypt are always required; hmac is required for
+// tokenization, auth, deterministic tokens, and policy bundles — pass
+// { requireHmac: false } for an encrypt-only provider.
+export async function assertCryptoProviderConformance(provider, { requireHmac = true } = {}) {
+  const failures = [];
+  const check = async (name, fn) => {
+    try {
+      await fn();
+    } catch (error) {
+      failures.push(`${name}: ${error.message}`);
+    }
+  };
+  const assert = (condition, message) => {
+    if (!condition) {
+      throw new Error(message);
+    }
+  };
+
+  if (typeof provider?.encrypt !== "function" || typeof provider?.decrypt !== "function") {
+    throw new Error("cryptoProvider must implement encrypt() and decrypt()");
+  }
+
+  const plaintext = `conformance-${randomBytes(8).toString("hex")}@example.com`;
+  const aad = { purpose: "conformance", path: "messages[0].content", type: "email" };
+
+  const other = `conformance-${randomBytes(8).toString("hex")}@example.org`;
+
+  await check("encrypt/decrypt round-trip", async () => {
+    const envelope = await provider.encrypt({ plaintext, aad });
+    assert(envelope && typeof envelope === "object", "encrypt must return an envelope object");
+    assert(envelope.kid, "envelope must carry a key id (kid)");
+    assert(envelope.aadHash, "envelope must carry an aadHash");
+    const back = await provider.decrypt({ envelope, aad });
+    assert(back === plaintext, "decrypt did not return the original plaintext");
+    // A second, distinct plaintext rules out a decrypt that returns a fixed value.
+    const back2 = await provider.decrypt({ envelope: await provider.encrypt({ plaintext: other, aad }), aad });
+    assert(back2 === other, "decrypt did not return the second plaintext (fixed/garbage output)");
+  });
+
+  await check("decrypt rejects a different AAD", async () => {
+    const envelope = await provider.encrypt({ plaintext, aad });
+    let rejected = false;
+    try {
+      await provider.decrypt({ envelope, aad: { ...aad, type: "phone" } });
+    } catch {
+      rejected = true;
+    }
+    assert(rejected, "decrypt accepted a mismatched AAD (no AAD binding)");
+  });
+
+  await check("decrypt rejects tampered ciphertext (real AEAD authentication)", async () => {
+    const envelope = await provider.encrypt({ plaintext, aad });
+    if (typeof envelope.ct !== "string" || envelope.ct.length === 0) {
+      return; // provider uses a non-ct envelope shape; the AAD check above still applies
+    }
+    // Flip a byte of the ciphertext; a real AEAD provider fails the auth tag.
+    const buf = Buffer.from(envelope.ct, "base64url");
+    buf[0] ^= 0xff;
+    let rejected = false;
+    try {
+      await provider.decrypt({ envelope: { ...envelope, ct: buf.toString("base64url") }, aad });
+    } catch {
+      rejected = true;
+    }
+    assert(rejected, "decrypt accepted tampered ciphertext (no AEAD authentication)");
+  });
+
+  if (requireHmac) {
+    if (typeof provider.hmac !== "function") {
+      failures.push("hmac: provider does not implement hmac() (required for tokenization/auth/bundles)");
+    } else {
+      await check("hmac is deterministic and data-dependent", async () => {
+        const a = await provider.hmac({ data: "x", domain: "haechi:conformance:v1" });
+        const b = await provider.hmac({ data: "x", domain: "haechi:conformance:v1" });
+        assert(typeof a === "string" && a.length > 0, "hmac must return a non-empty string");
+        assert(a === b, "hmac is not deterministic for the same (data, domain)");
+        // Different data MUST give different output — else tokens/identities collide.
+        const c = await provider.hmac({ data: "y", domain: "haechi:conformance:v1" });
+        assert(a !== c, "hmac ignores the data argument (same output for different data)");
+      });
+      await check("hmac separates domains", async () => {
+        const a = await provider.hmac({ data: "x", domain: "haechi:conformance:a" });
+        const b = await provider.hmac({ data: "x", domain: "haechi:conformance:b" });
+        assert(a !== b, "hmac does not separate domains (same output for different domains)");
+      });
+      await check("hmac requires a domain", async () => {
+        for (const badDomain of ["", undefined, null]) {
+          let rejected = false;
+          try {
+            await provider.hmac({ data: "x", domain: badDomain });
+          } catch {
+            rejected = true;
+          }
+          assert(rejected, `hmac accepted an invalid domain (${JSON.stringify(badDomain)})`);
+        }
+      });
+    }
+  }
+
+  if (failures.length > 0) {
+    throw new Error(`cryptoProvider conformance failed:\n- ${failures.join("\n- ")}`);
+  }
+  return { ok: true };
+}
+
 export function canonicalize(value) {
   if (Array.isArray(value)) {
     return `[${value.map((item) => canonicalize(item)).join(",")}]`;

package/scripts/release-checksums.mjs

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+// Generate or verify a SHA256SUMS manifest for release artifacts.
+//
+//   node scripts/release-checksums.mjs <file...>           # print "<hash>  <name>" lines
+//   node scripts/release-checksums.mjs --check SHA256SUMS  # verify files against a manifest
+//
+// Standard `<sha256-hex>  <basename>` format (two spaces), so `sha256sum -c`
+// and `shasum -a 256 -c` interoperate with what this prints.
+
+import { createHash } from "node:crypto";
+import { createReadStream } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { basename, dirname, isAbsolute, join, relative } from "node:path";
+import { fileURLToPath } from "node:url";
+
+export async function sha256File(path) {
+  const hash = createHash("sha256");
+  for await (const chunk of createReadStream(path)) {
+    hash.update(chunk);
+  }
+  return hash.digest("hex");
+}
+
+export function formatManifestLine(hashHex, name) {
+  return `${hashHex}  ${name}`;
+}
+
+export function parseManifest(text) {
+  return text
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean)
+    .map((line) => {
+      const match = /^([a-f0-9]{64})\s+(.+)$/.exec(line);
+      if (!match) {
+        throw new Error(`Malformed SHA256SUMS line: ${line}`);
+      }
+      return { hash: match[1], name: match[2] };
+    });
+}
+
+export async function generateManifest(files) {
+  const lines = [];
+  for (const file of files) {
+    lines.push(formatManifestLine(await sha256File(file), basename(file)));
+  }
+  return `${lines.join("\n")}\n`;
+}
+
+export async function verifyManifest(manifestPath) {
+  const baseDir = dirname(manifestPath);
+  const entries = parseManifest(await readFile(manifestPath, "utf8"));
+  const results = [];
+  for (const entry of entries) {
+    // A manifest is untrusted input: never hash a path that escapes the
+    // manifest's own directory (no absolute paths, no `../` traversal).
+    const rel = relative(baseDir, join(baseDir, entry.name));
+    if (isAbsolute(entry.name) || rel.startsWith("..")) {
+      results.push({ name: entry.name, ok: false, reason: "unsafe path" });
+      continue;
+    }
+    let actual = null;
+    try {
+      actual = await sha256File(join(baseDir, entry.name));
+    } catch (error) {
+      results.push({ name: entry.name, ok: false, reason: error.code === "ENOENT" ? "missing" : error.message });
+      continue;
+    }
+    results.push({ name: entry.name, ok: actual === entry.hash, reason: actual === entry.hash ? null : "hash mismatch" });
+  }
+  return { ok: results.every((r) => r.ok), results };
+}
+
+async function main(argv) {
+  if (argv[0] === "--check") {
+    const manifestPath = argv[1];
+    if (!manifestPath) {
+      throw new Error("--check requires a SHA256SUMS path");
+    }
+    const { ok, results } = await verifyManifest(manifestPath);
+    for (const r of results) {
+      process.stderr.write(`${r.ok ? "OK  " : "FAIL"} ${r.name}${r.reason ? ` (${r.reason})` : ""}\n`);
+    }
+    process.exitCode = ok ? 0 : 1;
+    return;
+  }
+  if (argv.length === 0) {
+    throw new Error("usage: release-checksums.mjs <file...> | --check SHA256SUMS");
+  }
+  process.stdout.write(await generateManifest(argv));
+}
+
+// Run only as a CLI (not when imported by tests). fileURLToPath handles
+// Windows paths and URL encoding that a raw `file://` compare would miss.
+if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
+  main(process.argv.slice(2)).catch((error) => {
+    process.stderr.write(`release-checksums: ${error.message}\n`);
+    process.exitCode = 1;
+  });
+}