AI agent watchdog: prompt firewall + filesystem drift detection via IBM Granite.
Project description
canary
Canary is a terminal safety layer for AI coding sessions. In the current codebase it is centered on Claude Code: it can review prompts, install a guarded claude shim, audit tool calls, watch a repo for risky drift, and keep checkpoints ready for rollback.
What Ships Today
canary promptscans a prompt for secrets, PII, sensitive paths, and semantically similar confidential content before you hand it to an agent.canary on/canary offtoggle prompt screening for installed Claude guard shims.canary guard installinstalls a guardedclaudeshim in~/.canary/binand Claude hooks in~/.claude/settings.json.canary auditlistens for risky Bash / Write / Edit activity from the next Claude session.canary watchwaits for the next session, builds a file baseline, auto-creates a checkpoint, and monitors semantic drift and sensitive-file writes.canary checkpoint,canary checkpoints,canary rollback, andcanary logmanage snapshots and session history.canary modeswitches between online IBM watsonx.ai and local on-device Granite embeddings.canary usageshows daily soft usage limits for IBM online generation and embeddings.
Install
From this repo root:
pip install .
Optional extras:
pip install ".[local]"
pip install -e ".[dev]"
.[local] adds the Hugging Face / torch stack used for local embeddings. The package metadata currently installs the canary CLI only.
Quick Start
Set up the backend and optional Claude integration:
canary setup
Review a prompt directly:
canary prompt "fix the login bug"
canary prompt "here is my key sk-abc123xyzDEFGHIJKLMNOPQRSTUVWXYZ" --strict
Install the Claude guard shim:
canary guard install
export PATH="$HOME/.canary/bin:$PATH"
Turn prompt screening on or off for guarded Claude launches:
canary on
canary off
Start the background auditor and repo watcher:
canary audit
canary watch .
Inspect or restore a session:
canary log .
canary checkpoints .
canary rollback .
Command Reference
canary prompt "<text>" [--strict]
canary on
canary off
canary audit [--idle 60] [--log] [--stop]
canary watch [path] [--idle 30] [--continuous] [--log] [--stop]
canary checkpoint [path] [--name NAME] [--delete ID] [--delete-all]
canary checkpoints [path]
canary rollback [path] [checkpoint_id]
canary log [path] [--tail N] [--json]
canary setup [--prefer auto|local|online] [--guards auto|yes|no]
canary guard install [--watch]
canary guard status
canary guard remove
canary mode [status|local|online]
canary usage
canary docs [topic]
canary hook status and canary hook remove also exist, but they are hidden maintenance commands for the Claude hook wiring.
Claude Integration
canary guard install does two things:
- installs a
claudeshim in~/.canary/bin - adds Canary hook commands to
~/.claude/settings.json
With the shim installed and PATH updated, command-line Claude prompts are screened before launch. The shim also recognizes:
-ignore/--ignoreto bypass screening for one call-safe/--safeto force screening for one call even ifcanary offis active
Current limitation: prompts typed after Claude is already open in an interactive TUI are not intercepted yet.
Backends
Canary has two runtime modes:
online: IBM watsonx.ai for Granite embeddings and Granite chat-based bash auditinglocal: on-device Granite embeddings through Hugging Face +torch
Use:
canary mode status
canary mode local
canary mode online
canary setup and canary mode local both profile the machine first. On slower CPU-only devices, Canary warns before enabling local mode.
Important behavior difference:
- online mode uses IBM for embeddings and command auditing
- local mode still does semantic prompt scanning with local embeddings, but bash auditing falls back to built-in pattern rules because there is no local chat model wired in today
Prompt, Audit, And Watch Flow
Typical guarded workflow:
- Run
canary guard installonce and export~/.canary/binat the front ofPATH. - Start
canary auditto capture risky tool activity from the next Claude session. - Start
canary watch .to monitor the repo; it waits for the first hooked tool event, then indexes the workspace and creates a checkpoint. - Launch
claude "..."through the shim. - Use
canary log,canary checkpoints, andcanary rollbackif you need to inspect or restore the session.
canary watch --continuous skips the "next session" wait and watches immediately until you stop it.
Config
Project-local files:
IBM_API_KEY=
IBM_PROJECT_ID=
IBM_REGION=us-south
IBM_LOCAL=false
.envin the current working directory controls backend credentials and mode.canary.tomlcan override watch thresholds, ignore lists, entry-point files, and sensitive-file patterns
Online soft usage limits can be overridden with:
export CANARY_GENERATE_LIMIT=100
export CANARY_EMBED_LIMIT=300
State And Logs
Canary writes project-local session data to:
.canary/session.json.canary/checkpoints/
Home-directory state lives under ~/.canary/, including:
guard.jsonusage.jsonaudit.logwatch.logaudit_events.jsonlbin/claude
Built-In Docs
canary docs
canary docs install
canary docs setup
canary docs prompt
canary docs screening
canary docs audit
canary docs watch
canary docs checkpoints
canary docs backends
canary docs guard
canary docs usage
Current Limitations
- Direct guard installation is currently implemented for
claudeonly. - The packaged CLI entrypoint is
canary; wrapper functions likeclaude_safeare present in the codebase but are not installed as standalone scripts. - Interactive follow-up prompts typed inside an already-open Claude session are not screened.
- Local mode covers embeddings only; command auditing falls back to pattern rules instead of a local Granite chat model.
Tests
pip install -e ".[dev]"
python3 -m pytest
License
MIT
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file canary_tool-0.1.1.tar.gz.
File metadata
- Download URL: canary_tool-0.1.1.tar.gz
- Upload date:
- Size: 50.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fc4edf24d83022a89b7aefbe8205c47309897ae54dedc839f426e1c06b67f597
|
|
| MD5 |
450cee66f9fb1aeb46b4056f4abc3554
|
|
| BLAKE2b-256 |
3866e23daa8edefb66034dcb0c37b43638e0a44af2ed038cb8b55576856a37f8
|
File details
Details for the file canary_tool-0.1.1-py3-none-any.whl.
File metadata
- Download URL: canary_tool-0.1.1-py3-none-any.whl
- Upload date:
- Size: 53.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4c0ec946da4ceec7adeedc67db7a208de4e71186a5e978de256f9f060e66a143
|
|
| MD5 |
e2daf9b8a4d490e0678553326d8dc918
|
|
| BLAKE2b-256 |
b62c87c9e4f5ad5892f494ef6d5fbd693f2f705c35adf6382cde55d9bd87bc85
|