Skip to main content

AI agent watchdog: prompt firewall + filesystem drift detection via IBM Granite.

Project description

canary

Canary is a terminal safety layer for AI coding sessions. In the current codebase it is centered on Claude Code: it can review prompts, install a guarded claude shim, audit tool calls, watch a repo for risky drift, and keep checkpoints ready for rollback.

What Ships Today

  • canary prompt scans a prompt for secrets, PII, sensitive paths, and semantically similar confidential content before you hand it to an agent.
  • canary on / canary off toggle prompt screening for installed Claude guard shims.
  • canary guard install installs a guarded claude shim in ~/.canary/bin and Claude hooks in ~/.claude/settings.json.
  • canary audit listens for risky Bash / Write / Edit activity from the next Claude session.
  • canary watch waits for the next session, builds a file baseline, auto-creates a checkpoint, and monitors semantic drift and sensitive-file writes.
  • canary checkpoint, canary checkpoints, canary rollback, and canary log manage snapshots and session history.
  • canary mode switches between online IBM watsonx.ai and local on-device Granite embeddings.
  • canary usage shows daily soft usage limits for IBM online generation and embeddings.

Install

From this repo root:

pip install .

Optional extras:

pip install ".[local]"
pip install -e ".[dev]"

.[local] adds the Hugging Face / torch stack used for local embeddings. The package metadata currently installs the canary CLI only.

Quick Start

Set up the backend and optional Claude integration:

canary setup

Review a prompt directly:

canary prompt "fix the login bug"
canary prompt "here is my key sk-abc123xyzDEFGHIJKLMNOPQRSTUVWXYZ" --strict

Install the Claude guard shim:

canary guard install
export PATH="$HOME/.canary/bin:$PATH"

Turn prompt screening on or off for guarded Claude launches:

canary on
canary off

Start the background auditor and repo watcher:

canary audit
canary watch .

Inspect or restore a session:

canary log .
canary checkpoints .
canary rollback .

Command Reference

canary prompt "<text>" [--strict]
canary on
canary off
canary audit [--idle 60] [--log] [--stop]
canary watch [path] [--idle 30] [--continuous] [--log] [--stop]
canary checkpoint [path] [--name NAME] [--delete ID] [--delete-all]
canary checkpoints [path]
canary rollback [path] [checkpoint_id]
canary log [path] [--tail N] [--json]
canary setup [--prefer auto|local|online] [--guards auto|yes|no]
canary guard install [--watch]
canary guard status
canary guard remove
canary mode [status|local|online]
canary usage
canary docs [topic]

canary hook status and canary hook remove also exist, but they are hidden maintenance commands for the Claude hook wiring.

Claude Integration

canary guard install does two things:

  • installs a claude shim in ~/.canary/bin
  • adds Canary hook commands to ~/.claude/settings.json

With the shim installed and PATH updated, command-line Claude prompts are screened before launch. The shim also recognizes:

  • -ignore / --ignore to bypass screening for one call
  • -safe / --safe to force screening for one call even if canary off is active

Current limitation: prompts typed after Claude is already open in an interactive TUI are not intercepted yet.

Backends

Canary has two runtime modes:

  • online: IBM watsonx.ai for Granite embeddings and Granite chat-based bash auditing
  • local: on-device Granite embeddings through Hugging Face + torch

Use:

canary mode status
canary mode local
canary mode online

canary setup and canary mode local both profile the machine first. On slower CPU-only devices, Canary warns before enabling local mode.

Important behavior difference:

  • online mode uses IBM for embeddings and command auditing
  • local mode still does semantic prompt scanning with local embeddings, but bash auditing falls back to built-in pattern rules because there is no local chat model wired in today

Prompt, Audit, And Watch Flow

Typical guarded workflow:

  1. Run canary guard install once and export ~/.canary/bin at the front of PATH.
  2. Start canary audit to capture risky tool activity from the next Claude session.
  3. Start canary watch . to monitor the repo; it waits for the first hooked tool event, then indexes the workspace and creates a checkpoint.
  4. Launch claude "..." through the shim.
  5. Use canary log, canary checkpoints, and canary rollback if you need to inspect or restore the session.

canary watch --continuous skips the "next session" wait and watches immediately until you stop it.

Config

Project-local files:

IBM_API_KEY=
IBM_PROJECT_ID=
IBM_REGION=us-south
IBM_LOCAL=false
  • .env in the current working directory controls backend credentials and mode
  • .canary.toml can override watch thresholds, ignore lists, entry-point files, and sensitive-file patterns

Online soft usage limits can be overridden with:

export CANARY_GENERATE_LIMIT=100
export CANARY_EMBED_LIMIT=300

State And Logs

Canary writes project-local session data to:

  • .canary/session.json
  • .canary/checkpoints/

Home-directory state lives under ~/.canary/, including:

  • guard.json
  • usage.json
  • audit.log
  • watch.log
  • audit_events.jsonl
  • bin/claude

Built-In Docs

canary docs
canary docs install
canary docs setup
canary docs prompt
canary docs screening
canary docs audit
canary docs watch
canary docs checkpoints
canary docs backends
canary docs guard
canary docs usage

Current Limitations

  • Direct guard installation is currently implemented for claude only.
  • The packaged CLI entrypoint is canary; wrapper functions like claude_safe are present in the codebase but are not installed as standalone scripts.
  • Interactive follow-up prompts typed inside an already-open Claude session are not screened.
  • Local mode covers embeddings only; command auditing falls back to pattern rules instead of a local Granite chat model.

Tests

pip install -e ".[dev]"
python3 -m pytest

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

canary_tool-0.1.1.tar.gz (50.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

canary_tool-0.1.1-py3-none-any.whl (53.7 kB view details)

Uploaded Python 3

File details

Details for the file canary_tool-0.1.1.tar.gz.

File metadata

  • Download URL: canary_tool-0.1.1.tar.gz
  • Upload date:
  • Size: 50.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for canary_tool-0.1.1.tar.gz
Algorithm Hash digest
SHA256 fc4edf24d83022a89b7aefbe8205c47309897ae54dedc839f426e1c06b67f597
MD5 450cee66f9fb1aeb46b4056f4abc3554
BLAKE2b-256 3866e23daa8edefb66034dcb0c37b43638e0a44af2ed038cb8b55576856a37f8

See more details on using hashes here.

File details

Details for the file canary_tool-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: canary_tool-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 53.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for canary_tool-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 4c0ec946da4ceec7adeedc67db7a208de4e71186a5e978de256f9f060e66a143
MD5 e2daf9b8a4d490e0678553326d8dc918
BLAKE2b-256 b62c87c9e4f5ad5892f494ef6d5fbd693f2f705c35adf6382cde55d9bd87bc85

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page