diff --git a/src/core/storage/api.js b/src/core/storage/api.js
index 17391d5..903ea2e 100644
--- a/src/core/storage/api.js
+++ b/src/core/storage/api.js
@@ -10,9 +10,9 @@
  *   - All other paths      → session required; access governed by registered policies
  *   - Unknown paths        → denied
  *
- * Call configureStorageApi({ getPublicPrefixes, getAccessPolicies }) during
+ * Call registerStoragePolicies() and registerStoragePublicPrefixes() during
  * initializeZen before the first request, following the same pattern as
- * configureRouter in core/api/runtime.js.
+ * registerFeatureRoutes in core/api/runtime.js.
  */
 
 import { cookies } from 'next/headers';
diff --git a/src/core/storage/index.js b/src/core/storage/index.js
index 01e9a0c..ffd43c1 100644
--- a/src/core/storage/index.js
+++ b/src/core/storage/index.js
@@ -350,4 +350,4 @@ export {
   moveFile,
 };
 
-export { configureStorageApi } from './storage-config.js';
+export { registerStoragePolicies, registerStoragePublicPrefixes, clearStorageConfig } from './storage-config.js';
diff --git a/src/core/storage/storage-config.js b/src/core/storage/storage-config.js
index aaf1ebe..16e21dc 100644
--- a/src/core/storage/storage-config.js
+++ b/src/core/storage/storage-config.js
@@ -1,21 +1,44 @@
 /**
  * Storage API runtime configuration.
- * Holds injected prefix/policy resolvers — same pattern as core/api/runtime.js.
- * Imported by both api.js (reads) and index.js (exports configureStorageApi).
+ *
+ * Additive registration — mirrors core/api/runtime.js:
+ *   registerStoragePolicies(policies)       called by features during initializeZen()
+ *   registerStoragePublicPrefixes(prefixes) called by features during initializeZen()
+ *   clearStorageConfig()                    called by resetZenInitialization() / tests
+ *
+ * getStorageAccessPolicies() and getStoragePublicPrefixes() are read-only readers
+ * used internally by api.js — they are not re-exported from index.js.
  */
 
-let _getPublicPrefixes = () => [];
-let _getAccessPolicies = () => [];
+const POLICIES_KEY = Symbol.for('__ZEN_STORAGE_POLICIES__');
+const PREFIXES_KEY = Symbol.for('__ZEN_STORAGE_PUBLIC_PREFIXES__');
 
-export function configureStorageApi({ getPublicPrefixes, getAccessPolicies }) {
-  _getPublicPrefixes = getPublicPrefixes;
-  _getAccessPolicies = getAccessPolicies;
+if (!globalThis[POLICIES_KEY]) globalThis[POLICIES_KEY] = [];
+if (!globalThis[PREFIXES_KEY]) globalThis[PREFIXES_KEY] = [];
+
+export function registerStoragePolicies(policies) {
+  if (!Array.isArray(policies)) {
+    throw new TypeError('registerStoragePolicies: policies must be an array');
+  }
+  globalThis[POLICIES_KEY].push(...policies);
+}
+
+export function registerStoragePublicPrefixes(prefixes) {
+  if (!Array.isArray(prefixes)) {
+    throw new TypeError('registerStoragePublicPrefixes: prefixes must be an array');
+  }
+  globalThis[PREFIXES_KEY].push(...prefixes);
+}
+
+export function clearStorageConfig() {
+  globalThis[POLICIES_KEY].length = 0;
+  globalThis[PREFIXES_KEY].length = 0;
 }
 
 export function getStoragePublicPrefixes() {
-  return _getPublicPrefixes();
+  return globalThis[PREFIXES_KEY];
 }
 
 export function getStorageAccessPolicies() {
-  return _getAccessPolicies();
+  return globalThis[POLICIES_KEY];
 }
diff --git a/src/features/auth/storage-policies.js b/src/features/auth/storage-policies.js
new file mode 100644
index 0000000..5bd2443
--- /dev/null
+++ b/src/features/auth/storage-policies.js
@@ -0,0 +1,11 @@
+/**
+ * Auth feature — storage access policies.
+ *
+ * Registered during initializeZen() via registerStoragePolicies().
+ * The auth feature owns its access rules; core/storage stays generic.
+ */
+
+export const storageAccessPolicies = [
+  // users/{userId}/... — seul le propriétaire ou un admin peut accéder
+  { prefix: 'users', type: 'owner' },
+];
diff --git a/src/shared/lib/init.js b/src/shared/lib/init.js
index a610c3c..c39f21f 100644
--- a/src/shared/lib/init.js
+++ b/src/shared/lib/init.js
@@ -15,8 +15,10 @@
  */
 
 import { configureRouter, registerFeatureRoutes, clearRouterConfig, clearFeatureRoutes } from '@zen/core/api';
+import { registerStoragePolicies, clearStorageConfig } from '@zen/core/storage';
 import { validateSession } from '../../features/auth/lib/session.js';
 import { routes as authRoutes } from '../../features/auth/api.js';
+import { storageAccessPolicies } from '../../features/auth/storage-policies.js';
 import { done, warn } from './logger.js';
 
 const ZEN_INIT_KEY = Symbol.for('__ZEN_INITIALIZED__');
@@ -35,6 +37,7 @@ export async function initializeZen() {
 
   configureRouter({ resolveSession: validateSession });
   registerFeatureRoutes(authRoutes);
+  registerStoragePolicies(storageAccessPolicies);
 
   done('ZEN: ready');
 
@@ -45,5 +48,6 @@ export function resetZenInitialization() {
   globalThis[ZEN_INIT_KEY] = false;
   clearRouterConfig();
   clearFeatureRoutes();
+  clearStorageConfig();
   warn('ZEN: initialization reset');
 }