
Canary privacy & security

Canary’s job is to make AI-related PII exposure visible. That goal is undermined if Canary itself becomes a data-exfiltration surface. So everything about it is designed to keep findings on your machine.

What’s stored, in detail

A single file holds Canary’s state:

  • Path: ~/.sonomos/leaks.jsonl
  • Format: JSON Lines (one detection per line, append-only).
  • Permissions: 0600 (owner read/write only). The parent directory is 0700.

Each line records:

  • The category (e.g. aws_access_key, email, medical_record).
  • A redacted form of the matched value: first two and last two characters preserved, the rest replaced with ••. The original value is never persisted.
  • A timestamp.
  • A source hint (which message or file the match came from), without the surrounding content.

That’s it. No prompts, no responses, no original PII text.

What’s not stored

  • The original PII value — only its redacted form.
  • The surrounding prompt or response — only a source hint identifying which event triggered the finding.
  • Any identity, account, or telemetry data about you.

Network behaviour

Canary makes no outbound network requests. There is no remote backend, no analytics service, no error reporting, and no licensing check. You can verify this by reading the source at github.com/sonomos-ai/Canary or by watching network traffic while it runs.

Security hardening

The plugin is small but security-sensitive (it reads your AI conversations), so it ships with a few specific protections:

  • Owner-only file permissions. ~/.sonomos/ is created with mode 0700 and findings files with 0600. Other local users can’t read them.
  • JSON built with jq. Findings are written via jq rather than string concatenation, so a maliciously-shaped value can’t escape and corrupt the output.
  • Path-traversal validation. File operations validate paths before reading or writing so a crafted finding can’t escape the storage directory.
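The three protections above, together with the redaction rule from "What's stored", can be sketched as follows. This is an added example, not Canary's own code: it uses Python's json.dumps where Canary uses jq, and the field names, the handling of values of four characters or fewer, and the function names are assumptions.

```python
import json, os, stat, tempfile, time
from pathlib import Path

MASK = "••"  # redaction marker as written on this page


def redact(value: str) -> str:
    """Keep the first two and last two characters; mask the rest."""
    if len(value) <= 4:  # assumption: too short to reveal any characters
        return MASK
    return value[:2] + MASK + value[-2:]


def safe_path(base: Path, name: str) -> Path:
    """Resolve name under base and refuse anything that escapes it."""
    base = base.resolve()
    target = (base / name).resolve()  # collapses ".." and follows symlinks
    if base not in target.parents:
        raise ValueError(f"path escapes storage directory: {name!r}")
    return target


def append_finding(base: Path, category: str, value: str, source: str,
                   name: str = "leaks.jsonl") -> Path:
    """Append one redacted finding as a single JSON line, owner-only."""
    base.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(base, 0o700)  # enforce the mode even if the directory pre-existed
    target = safe_path(base, name)
    # Field names are assumptions; the page lists the fields but not their keys.
    record = {"category": category, "redacted": redact(value),
              "timestamp": int(time.time()), "source": source}
    # The serializer escapes quotes and newlines, so one finding stays one line.
    line = json.dumps(record, ensure_ascii=False) + "\n"
    fd = os.open(target, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.fchmod(fd, 0o600)  # do not depend on the caller's umask
        os.write(fd, line.encode("utf-8"))
    finally:
        os.close(fd)
    return target


if __name__ == "__main__":
    # Constructed sandbox and sample values, not the real ~/.sonomos directory.
    store = Path(tempfile.mkdtemp()) / ".sonomos"
    path = append_finding(store, "aws_access_key", "AKIAIOSFODNN7EXAMPLE", 'msg "3"\nline')
    print(path.read_text(encoding="utf-8"), oct(stat.S_IMODE(path.stat().st_mode)))
```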

Threat model

Canary is designed against a specific set of risks:

| Risk | Canary’s defence |
| --- | --- |
| Exposed PII in leaks.jsonl if a backup is leaked | Values are redacted at detection time — middle replaced with •• |
| Multi-user machine exposure | Owner-only permissions on the data directory and files |
| Supply-chain log tampering | Append-only JSONL written via jq; no string-concatenated output |
| Credential exfiltration via “detection” itself | No network calls at any point in the pipeline |

Canary is not designed to:

  • Prevent the original AI request from being made (that’s masking, not observability).
  • Provide forensic-grade tamper evidence (that’s Sonomos Desktop’s audit log).
  • Protect against a compromised local user account — if an attacker has your shell, they have your data.

Open source and auditable

Canary is MIT-licensed and the source is public at github.com/sonomos-ai/Canary. It’s deliberately small (a few hundred lines of Bash and Python) so a security review fits inside an afternoon. If you find an issue, please file it on the GitHub repo or email info@sonomos.ai for security-sensitive reports.

Frequently asked questions

Does Canary share my prompts with Sonomos?

No. There is no Sonomos backend involved. Findings stay in ~/.sonomos/ on your machine.

Does Anthropic see Canary’s data?

No. The semantic-scan stage runs within Claude’s existing context — it doesn’t send your data to a separate place. And Canary doesn’t transmit findings anywhere itself.

Can I move ~/.sonomos/ somewhere else?

Today the path is fixed. If you need a different location for compliance or backup reasons, open an issue on the Canary repo.

Is Canary HIPAA-compliant?

Canary is a developer tool that observes PII exposure. It’s not a HIPAA-aligned system in itself — for a more compliance-oriented technical safeguard layer, see the Sonomos browser extension’s HIPAA guide and the planned Sonomos Desktop audit log.
