@exfil/canary 1.0.0

package/dist/token.js

@@ -0,0 +1,146 @@
+/**
+ * Token generation, embedding, and detection utilities.
+ *
+ * Tokens are composed of invisible Unicode characters:
+ *   U+2060 WORD JOINER (anchor) +
+ *   40 × Variation Selector characters (U+FE00–U+FE0F, 4 bits each) +
+ *   U+2060 WORD JOINER (anchor)
+ *
+ * This gives 160 bits of entropy per token (40 nibbles × 4 bits).
+ * The token sequence is NEVER returned in tool outputs.
+ */
+import { randomBytes, randomInt } from 'crypto';
+/** U+2060 WORD JOINER — invisible, zero-width, not a space. */
+const ANCHOR = '\u2060';
+/** Base code point for Variation Selectors (U+FE00). */
+const VS_BASE = 0xfe00;
+/**
+ * Generates a fresh invisible Unicode canary sequence.
+ *
+ * Uses 20 crypto-random bytes: each byte is split into two 4-bit nibbles,
+ * each nibble maps to one Variation Selector character (U+FE00–U+FE0F).
+ *
+ * @returns 42-character string (anchor + 40 VS chars + anchor). NEVER expose.
+ */
+export function generateTokenSequence() {
+    const bytes = randomBytes(20);
+    let seq = ANCHOR;
+    for (const byte of bytes) {
+        const hi = (byte >> 4) & 0x0f;
+        const lo = byte & 0x0f;
+        seq += String.fromCodePoint(VS_BASE + hi);
+        seq += String.fromCodePoint(VS_BASE + lo);
+    }
+    seq += ANCHOR;
+    return seq;
+}
+/**
+ * Generates an opaque token identifier (32 lowercase hex chars).
+ *
+ * @returns 32-char lowercase hex string.
+ */
+export function generateTokenId() {
+    return randomBytes(16).toString('hex');
+}
+/**
+ * Embeds a canary sequence into `content` at the specified position.
+ *
+ * - 'prefix':              sequence prepended before all content.
+ * - 'suffix':              sequence appended after all content.
+ * - 'both':                sequence prepended AND appended.
+ * - 'random_word_boundary': sequence inserted at a random word boundary
+ *                           (space or start/end); falls back to prefix when
+ *                           no whitespace is found.
+ *
+ * @param content   The original content string.
+ * @param sequence  The generated canary sequence (invisible Unicode).
+ * @param position  Where to embed.
+ * @returns Content with the canary sequence embedded.
+ */
+export function embedToken(content, sequence, position) {
+    switch (position) {
+        case 'prefix':
+            return sequence + content;
+        case 'suffix':
+            return content + sequence;
+        case 'both':
+            return sequence + content + sequence;
+        case 'random_word_boundary': {
+            // Find all word boundaries (positions just before a space or at start/end).
+            const boundaries = [0];
+            for (let i = 0; i < content.length; i++) {
+                if (content[i] === ' ' || content[i] === '\n' || content[i] === '\t') {
+                    boundaries.push(i + 1);
+                }
+            }
+            boundaries.push(content.length);
+            if (boundaries.length <= 2) {
+                // No meaningful interior boundary — fall back to prefix.
+                return sequence + content;
+            }
+            // Pick a random interior boundary (exclude index 0 and last to keep
+            // it truly interior, but if only exterior ones exist, use index 0).
+            const pick = randomInt(1, boundaries.length - 1);
+            const insertAt = boundaries[pick];
+            return content.slice(0, insertAt) + sequence + content.slice(insertAt);
+        }
+    }
+}
+/**
+ * Builds a RegExp that matches `sequence` literally anywhere in a string.
+ * Each code point is escaped individually to be regex-safe.
+ *
+ * @param sequence  The canary sequence to search for.
+ * @returns A global RegExp for the sequence.
+ */
+export function buildTokenRegex(sequence) {
+    const escaped = [...sequence]
+        .map((ch) => escapeRegexChar(ch))
+        .join('');
+    return new RegExp(escaped, 'g');
+}
+/**
+ * Fast check: returns true if `content` contains `sequence`.
+ *
+ * Uses String.prototype.includes for O(n) performance before falling back
+ * to a regex scan — includes() is sufficient here since we own the sequence
+ * format and it contains no ambiguous surrogate pairs.
+ *
+ * @param content   The string to search within.
+ * @param sequence  The canary sequence to find.
+ */
+export function containsSequence(content, sequence) {
+    return content.includes(sequence);
+}
+/**
+ * Counts the number of non-overlapping occurrences of `sequence` in `content`.
+ *
+ * @param content   The string to search within.
+ * @param sequence  The canary sequence to count.
+ */
+export function countOccurrences(content, sequence) {
+    const regex = buildTokenRegex(sequence);
+    const matches = content.match(regex);
+    return matches ? matches.length : 0;
+}
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+/**
+ * Escapes a single character for use inside a RegExp pattern.
+ * Handles Unicode code points above U+FFFF via surrogate pairs.
+ */
+function escapeRegexChar(ch) {
+    // Characters that have special meaning in regex syntax.
+    const SPECIAL = /[.*+?^${}()|[\]\\]/;
+    if (SPECIAL.test(ch)) {
+        return `\\${ch}`;
+    }
+    const cp = ch.codePointAt(0);
+    if (cp > 0xffff) {
+        // Surrogate pair range — use Unicode escape sequence.
+        return `\\u{${cp.toString(16)}}`;
+    }
+    return ch;
+}
+//# sourceMappingURL=token.js.map

package/dist/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../src/token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAGhD,+DAA+D;AAC/D,MAAM,MAAM,GAAG,QAAQ,CAAC;AAExB,wDAAwD;AACxD,MAAM,OAAO,GAAG,MAAM,CAAC;AAEvB;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,IAAI,GAAG,GAAG,MAAM,CAAC;IACjB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QAC9B,MAAM,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;QACvB,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;QAC1C,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;IAC5C,CAAC;IACD,GAAG,IAAI,MAAM,CAAC;IACd,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,UAAU,CACxB,OAAe,EACf,QAAgB,EAChB,QAAuB;IAEvB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,QAAQ,GAAG,OAAO,CAAC;QAE5B,KAAK,QAAQ;YACX,OAAO,OAAO,GAAG,QAAQ,CAAC;QAE5B,KAAK,MAAM;YACT,OAAO,QAAQ,GAAG,OAAO,GAAG,QAAQ,CAAC;QAEvC,KAAK,sBAAsB,CAAC,CAAC,CAAC;YAC5B,4EAA4E;YAC5E,MAAM,UAAU,GAAa,CAAC,CAAC,CAAC,CAAC;YACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACxC,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACrE,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;YACD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAEhC,IAAI,UAAU,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBAC3B,yDAAyD;gBACzD,OAAO,QAAQ,GAAG,OAAO,CAAC;YAC5B,CAAC;YAED,oEAAoE;YACpE,oEAAoE;YACpE,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAClC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,OAAO,GAAG,CAAC,GAAG,QAAQ,CAAC;SAC1B,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;SAChC,IAAI,CAAC,EAAE,CAAC,CAAC;IACZ,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAClC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;GAGG;AACH,SAAS,eAAe,CAAC,EAAU;IACjC,wDAAwD;IACxD,MAAM,OAAO,GAAG,oBAAoB,CAAC;IACrC,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QACrB,OAAO,KAAK,EAAE,EAAE,CAAC;IACnB,CAAC;IACD,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,CAAE,CAAC;IAC9B,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC;QAChB,sDAAsD;QACtD,OAAO,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,CAAC;IACnC,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,190 @@
+/**
+ * Core type definitions for exfil/canary.
+ *
+ * SECURITY NOTE: The `sequence` field of CanaryToken contains raw Unicode
+ * variation-selector characters and MUST NEVER appear in any tool output,
+ * log line, or persisted plaintext. Every other field is safe to expose.
+ *
+ * SECURITY NOTE (v1.1): The `value` field of EntityCanary contains the
+ * actual extracted secret/entity. Treat with the same sensitivity as `sequence`.
+ */
+/** Where the original content came from. */
+export type SourceType = 'tool_result' | 'file_read' | 'api_response' | 'database_row' | 'user_message' | 'other';
+/** Where within the content the token sequence is embedded. */
+export type EmbedPosition = 'prefix' | 'suffix' | 'both' | 'random_word_boundary';
+/** Lifecycle status of a canary token. */
+export type TokenStatus = 'active' | 'expired' | 'unknown';
+/** What the server does when leakage is detected. */
+export type ResponseMode = 'log' | 'halt' | 'alert';
+/** What action was actually taken when a leakage event was recorded. */
+export type ActionTaken = 'logged' | 'halted' | 'alerted' | 'none';
+/** Which tool surface detected the token. */
+export type DetectionMethod = 'check_leakage' | 'scan_outbound';
+/** Minimum severity for log output. */
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
+/** Classification of an extracted named entity. */
+export type EntityType = 'api_key' | 'bearer_token' | 'credential_pair' | 'email' | 'url' | 'ip_address' | 'uuid' | 'high_entropy_string';
+/**
+ * A named entity extracted from content at wrap time.
+ *
+ * SECURITY: `value` is the actual extracted string (could be a real secret).
+ * Treat identically to `sequence` — never log, never return in tool output,
+ * never persist in plaintext.
+ */
+export interface EntityCanary {
+    entity_type: EntityType;
+    /**
+     * The extracted entity value. SENSITIVE. NEVER expose in tool outputs or logs.
+     * null after server restart (RC-1 — not persisted; cannot re-detect).
+     */
+    value: string | null;
+    /**
+     * Surrounding context with the value redacted to `[ENTITY]`.
+     * Safe to include in reports and logs.
+     */
+    context_hint: string;
+}
+/**
+ * Persisted form of an EntityCanary — value intentionally omitted.
+ * Retained for reporting/audit after a restart, but cannot re-detect.
+ */
+export interface PersistedEntityCanary {
+    entity_type: EntityType;
+    context_hint: string;
+}
+/** Internal result from scanning outbound data for a single entity canary. */
+export interface EntityScanResult {
+    token_id: string;
+    entity_type: EntityType;
+    /** context_hint from the matched entity — safe to include in leakage events. */
+    context_hint: string;
+}
+/**
+ * A canary token embedded into agent-processed content.
+ *
+ * SECURITY: `sequence` is the actual Unicode payload. It MUST NOT be
+ * serialised into tool responses or log output.
+ */
+export interface CanaryToken {
+    /** 32-char lowercase hex string; safe to expose in operator tooling. */
+    token_id: string;
+    /**
+     * Raw Unicode string (WORD JOINER + 40 Variation Selectors + WORD JOINER).
+     * NEVER expose in tool outputs or logs.
+     */
+    sequence: string;
+    source_type: SourceType;
+    source_server?: string;
+    source_tool?: string;
+    source_call_id?: string;
+    embed_position: EmbedPosition;
+    /** Unix epoch milliseconds. */
+    created_at: number;
+    /** Unix epoch milliseconds. */
+    expires_at: number;
+    leaked: boolean;
+    leakage_event_ids: string[];
+    /**
+     * v1.1: Named entities extracted from the wrapped content.
+     * Values are sensitive — never expose. Empty array when entity extraction
+     * is disabled or no entities were found.
+     */
+    entity_canaries: EntityCanary[];
+    /**
+     * v1.6: SimHash fingerprint of the wrapped content (64-bit, in-memory only).
+     * null when content was too short for reliable fingerprinting (< 5 bigrams).
+     * BigInt is not JSON-serialisable — intentionally excluded from persistence (RC-1).
+     */
+    simhash: bigint | null;
+}
+/** A single detected leakage incident. */
+export interface LeakageEvent {
+    /** UUID-style hex identifier. */
+    event_id: string;
+    token_id: string;
+    /** Unix epoch milliseconds. */
+    detected_at: number;
+    detection_method: DetectionMethod;
+    target_server?: string;
+    target_tool?: string;
+    target_call_id?: string;
+    turn_number?: number;
+    action_taken: ActionTaken;
+    webhook_attempted: boolean;
+    webhook_delivered: boolean | null;
+}
+/** In-memory session state. Never serialised in full (sequence omitted). */
+export interface SessionState {
+    session_id: string;
+    /** Unix epoch milliseconds. */
+    created_at: number;
+    tokens: Map<string, CanaryToken>;
+    leakage_events: Map<string, LeakageEvent>;
+    /** Monotonically increasing counter used to derive token IDs. */
+    token_counter: number;
+}
+/** Validated configuration derived from environment variables at startup. */
+export interface CanaryConfig {
+    persist_path: string | null;
+    /** Seconds; range 60–86400. */
+    token_ttl_seconds: number;
+    /** Validated HTTPS URL, or null. */
+    alert_webhook: string | null;
+    /** Optional HMAC secret for webhook signing. */
+    webhook_secret: string | null;
+    response_mode: ResponseMode;
+    log_level: LogLevel;
+}
+/**
+ * Result of a single-token scan operation.
+ * Internal use only — NOT returned to agents.
+ */
+export interface ScanResult {
+    token_id: string;
+    found: boolean;
+    match_count: number;
+}
+/**
+ * The safe shape returned to the agent by scan_outbound (RC-3).
+ * Contains NO token identifiers, sequences, or entity values.
+ */
+export interface ScanOutboundAgentResult {
+    clean: boolean;
+    tokens_scanned: number;
+    scan_duration_ms: number;
+    /** Count of unicode-marker leakage detections (v1.0). */
+    leakage_count: number;
+    /** Count of named-entity leakage detections (v1.1). */
+    entity_leakage_count: number;
+    /** Count of SimHash semantic-similarity leakage detections (v1.6). */
+    semantic_leakage_count: number;
+}
+/**
+ * Persisted representation of a CanaryToken — sequence is intentionally
+ * omitted (RC-1).  After a restart, existing tokens are tracked by ID/metadata
+ * but cannot re-detect the embedded sequence.  This is a documented limitation.
+ */
+export interface PersistedToken {
+    token_id: string;
+    source_type: SourceType;
+    source_server?: string;
+    source_tool?: string;
+    source_call_id?: string;
+    embed_position: EmbedPosition;
+    created_at: number;
+    expires_at: number;
+    leaked: boolean;
+    leakage_event_ids: string[];
+    /** v1.1: Entity metadata (values omitted — same RC-1 treatment as sequence). */
+    entity_canaries: PersistedEntityCanary[];
+}
+/** Full on-disk representation of session state. */
+export interface PersistedState {
+    version: number;
+    session_id: string;
+    created_at: number;
+    token_counter: number;
+    tokens: PersistedToken[];
+    leakage_events: LeakageEvent[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,4CAA4C;AAC5C,MAAM,MAAM,UAAU,GAClB,aAAa,GACb,WAAW,GACX,cAAc,GACd,cAAc,GACd,cAAc,GACd,OAAO,CAAC;AAEZ,+DAA+D;AAC/D,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,sBAAsB,CAAC;AAElF,0CAA0C;AAC1C,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;AAE3D,qDAAqD;AACrD,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,MAAM,GAAG,OAAO,CAAC;AAEpD,wEAAwE;AACxE,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;AAEnE,6CAA6C;AAC7C,MAAM,MAAM,eAAe,GAAG,eAAe,GAAG,eAAe,CAAC;AAEhE,uCAAuC;AACvC,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAI3D,mDAAmD;AACnD,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,cAAc,GACd,iBAAiB,GACjB,OAAO,GACP,KAAK,GACL,YAAY,GACZ,MAAM,GACN,qBAAqB,CAAC;AAE1B;;;;;;GAMG;AACH,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,UAAU,CAAC;IACxB;;;OAGG;IACH,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,UAAU,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,8EAA8E;AAC9E,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,UAAU,CAAC;IACxB,gFAAgF;IAChF,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,UAAU,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,aAAa,CAAC;IAC9B,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B;;;;OAIG;IACH,eAAe,EAAE,YAAY,EAAE,CAAC;IAChC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED,0CAA0C;AAC1C,MAAM,WAAW,YAAY;IAC3B,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,eAAe,CAAC;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,WAAW,CAAC;IAC1B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,iBAAiB,EAAE,OAAO,GAAG,IAAI,CAAC;CACnC;AAED,4EAA4E;AAC5E,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACjC,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAC1C,iEAAiE;IACjE,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,6EAA6E;AAC7E,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oCAAoC;IACpC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,gDAAgD;IAChD,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,aAAa,EAAE,YAAY,CAAC;IAC5B,SAAS,EAAE,QAAQ,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,OAAO,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,uDAAuD;IACvD,oBAAoB,EAAE,MAAM,CAAC;IAC7B,sEAAsE;IACtE,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,UAAU,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,aAAa,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gFAAgF;IAChF,eAAe,EAAE,qBAAqB,EAAE,CAAC;CAC1C;AAED,oDAAoD;AACpD,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,cAAc,EAAE,YAAY,EAAE,CAAC;CAChC"}

package/dist/types.js

@@ -0,0 +1,12 @@
+/**
+ * Core type definitions for exfil/canary.
+ *
+ * SECURITY NOTE: The `sequence` field of CanaryToken contains raw Unicode
+ * variation-selector characters and MUST NEVER appear in any tool output,
+ * log line, or persisted plaintext. Every other field is safe to expose.
+ *
+ * SECURITY NOTE (v1.1): The `value` field of EntityCanary contains the
+ * actual extracted secret/entity. Treat with the same sensitivity as `sequence`.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@exfil/canary",
+  "version": "1.0.0",
+  "description": "Transparent MCP proxy that watermarks agent tool responses and blocks data exfiltration caused by prompt injection.",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "exfil-canary": "dist/index.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/exfil-hq/canary.git"
+  },
+  "homepage": "https://github.com/exfil-hq/canary#readme",
+  "files": [
+    "dist",
+    "README.md",
+    "SECURITY.md",
+    "LICENSE",
+    "proxy.example.json"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.19.37",
+    "typescript": "^5.4.0",
+    "vitest": "^2.1.9"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "security",
+    "prompt-injection",
+    "canary-token",
+    "data-exfiltration"
+  ]
+}

package/proxy.example.json

@@ -0,0 +1,53 @@
+{
+  "servers": [
+    {
+      "id": "filesystem",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/your/working/dir"]
+    },
+    {
+      "id": "web",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-fetch"]
+    },
+    {
+      "id": "github",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-github"],
+      "env": {
+        "GITHUB_PERSONAL_ACCESS_TOKEN": "your-token-here"
+      }
+    }
+  ],
+  "_comment_auditors": "Optional dual-LLM auditor. Remove this block to disable. Requires two entries with different providers.",
+  "auditors": [
+    {
+      "provider": "anthropic",
+      "model": "claude-haiku-4-5-20251001",
+      "api_key_env": "ANTHROPIC_API_KEY",
+      "timeout_ms": 5000
+    },
+    {
+      "provider": "openai",
+      "model": "gpt-4o-mini",
+      "api_key_env": "OPENAI_API_KEY",
+      "timeout_ms": 5000
+    }
+  ],
+  "audit_timeout_action": "block",
+
+  "_comment_allowed_domains": "Fail-closed. Absent or [] = all outbound URLs blocked. List every domain your agent legitimately calls.",
+  "allowed_domains": [
+    "api.github.com",
+    "*.githubusercontent.com",
+    "registry.npmjs.org",
+    "api.openai.com"
+  ],
+
+  "_comment_allowed_tools": "Optional tool allowlist. Absent or [] = all tools allowed. Non-empty = only listed tools callable. Entries ending with * are prefix wildcards (e.g. filesystem__* allows all filesystem tools).",
+  "allowed_tools": [
+    "filesystem__*",
+    "web__fetch",
+    "github__create_issue"
+  ]
+}