tkdtaylor
diff --git a/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 3 additions & 1 deletion b/‎pyproject.toml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/armor/canaries/_generate.py‎
Lines changed: 222 additions & 6 deletions b/‎src/armor/canaries/_generate.py‎
Lines changed: 222 additions & 6 deletions
diff --git a/‎src/armor/canaries/catalogue.py‎
Lines changed: 8 additions & 6 deletions b/‎src/armor/canaries/catalogue.py‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎src/armor/canaries/default_catalogue.json‎
Lines changed: 32 additions & 0 deletions b/‎src/armor/canaries/default_catalogue.json‎
Lines changed: 32 additions & 0 deletions
@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.10.1] — 2026-05-17
+
+### Added
+
+- **`regex.code_injection` detector blocks Python subprocess injection attacks.** Catches `__import__('subprocess')` dynamic import bypass, `subprocess.run/Popen` combined with network tools (`curl`, `wget`, `nc`), and `os.system()` with network tools. Covers both the user-instruction vector ("execute this in your code tool") and code tool parameters directly.
+- **`regex.exfil_chain` detector blocks chained tool-abuse with external data exfiltration.** Two patterns: `exfil-chained-to-url` catches "then/and send/upload/forward … http(s)://..." sequences; `exfil-suspicious-path` catches URLs whose path ends in `/collect`, `/exfil`, `/steal`, `/harvest`, or similar collection segments.
+- **`regex.sensitive_file_probe` now blocks privileged file write attempts.** A new `write-etc-privileged` pattern catches write-intent verbs (`write`, `append`, `overwrite`, `modify`, etc.) targeted at `/etc/crontab`, `/etc/sudoers`, `/etc/hosts`, or `/etc/cron.d` — the persistence and privilege-escalation paths an agent should never be asked to write.
+- **PII context honeypot via `armor canary pii-context`.** Four new PII canary types (`pii-name-000`, `pii-email-000`, `pii-dob-000`, `pii-sin-000`) added to the catalogue. The name canary is generated by `armor canary generate` as a randomized "Firstname AwesomeMiddle EpicLast" triple (e.g., "Kevin Lightning Dragon") — distinctive enough to stand out in any output and chosen at random for each installation. `write_pii_context()` produces a context snippet to inject into the agent's system prompt; when an attacker asks the agent to compile a PII report, the canary scanner catches the known values at output stage. Run `armor canary generate --out ~/.armor/canaries.json && armor canary pii-context --values ~/.armor/canaries.json --out pii-context.txt`, then inject `pii-context.txt` into your system prompt.
+- **13 new eval corpus rows** covering write-to-crontab, Python code injection, and exfiltration chain patterns, plus matching true negatives.
+
 ## [0.10.0] — 2026-05-17
 
 ### Added
 
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "armor-ai"
-version = "0.10.0"
+version = "0.10.1"
 description = "A defense-in-depth security layer for LLM agents"
 readme = {file = "README_PYPI.md", content-type = "text/markdown"}
 requires-python = ">=3.12"
@@ -72,6 +72,8 @@ regex_memory_planting = "armor.detectors.memory_planting:RegexMemoryPlanting"
 regex_roleplay_hijack = "armor.detectors.regex_roleplay_hijack:RegexRoleplayHijack"
 regex_system_prompt_extraction = "armor.detectors.regex_system_prompt_extraction:RegexSystemPromptExtraction"
 regex_encoding_request = "armor.detectors.regex_encoding_request:RegexEncodingRequest"
+regex_code_injection = "armor.detectors.regex_code_injection:RegexCodeInjection"
+regex_exfil_chain = "armor.detectors.regex_exfil_chain:RegexExfilChain"
 regex_sensitive_file_probe = "armor.detectors.regex_sensitive_file_probe:RegexSensitiveFileProbe"
 regex_ssrf_probe = "armor.detectors.regex_ssrf_probe:RegexSsrfProbe"
 tool_chain = "armor.detectors.tool_chain:ToolChain"
 
@@ -22,6 +22,146 @@
 
 logger = logging.getLogger(__name__)
 
+# ---------------------------------------------------------------------------
+# PII fake-name generator — normal first name + memorable middle + last name.
+# One entry is picked from each pool below at generate-time, so the canary
+# name differs between installations instead of being a fixed, published
+# string that an attacker could pre-predict and suppress.
+# NOTE(review): the pools give 30 * 29 * 30 = 26,100 combinations, so a name
+# is randomized per installation but not guaranteed to be globally unique.
+# ---------------------------------------------------------------------------
+# Ordinary given names (30 entries): the canary starts like a real person's name.
+_PII_FIRST_NAMES = [
+    "Kevin",
+    "Sarah",
+    "James",
+    "Emma",
+    "Michael",
+    "Olivia",
+    "Daniel",
+    "Sophia",
+    "Christopher",
+    "Isabella",
+    "Matthew",
+    "Ava",
+    "Andrew",
+    "Mia",
+    "Joshua",
+    "Natalie",
+    "David",
+    "Samantha",
+    "Ryan",
+    "Victoria",
+    "Tyler",
+    "Hannah",
+    "Jonathan",
+    "Grace",
+    "Nathan",
+    "Chloe",
+    "Brandon",
+    "Lily",
+    "Justin",
+    "Zoe",
+]
+# Memorable middle names (29 entries): the part that makes the full name stand out.
+_PII_MIDDLE_NAMES = [
+    "Lightning",
+    "Thunder",
+    "Blaze",
+    "Storm",
+    "Iron",
+    "Silver",
+    "Crimson",
+    "Shadow",
+    "Frost",
+    "Ember",
+    "Quantum",
+    "Cobalt",
+    "Titan",
+    "Inferno",
+    "Steel",
+    "Jade",
+    "Onyx",
+    "Ruby",
+    "Zenith",
+    "Solar",
+    "Lunar",
+    "Apex",
+    "Hyper",
+    "Turbo",
+    "Neon",
+    "Vortex",
+    "Plasma",
+    "Atomic",
+    "Primal",
+]
+# Distinctive surnames (30 entries) used as the last component of the name.
+_PII_LAST_NAMES = [
+    "Dragon",
+    "Wolf",
+    "Phoenix",
+    "Eagle",
+    "Falcon",
+    "Viper",
+    "Hawk",
+    "Griffin",
+    "Tempest",
+    "Ironside",
+    "Thunderbolt",
+    "Glacier",
+    "Fortress",
+    "Colossus",
+    "Wraith",
+    "Juggernaut",
+    "Sentinel",
+    "Wyvern",
+    "Basilisk",
+    "Leviathan",
+    "Pantheon",
+    "Behemoth",
+    "Harbinger",
+    "Ravager",
+    "Valkyrie",
+    "Cyclone",
+    "Avalanche",
+    "Maelstrom",
+    "Nemesis",
+    "Obliterator",
+]
+
+
+def _generate_pii_value(marker_rule: str) -> str:
+    """Generate a fake PII canary value for a ``pii:``-prefixed marker rule.
+
+    Supported sub-types (the text after ``pii:``):
+
+    * ``fake_name`` — "First Middle Last", one entry from each name pool.
+    * ``dob`` — ISO ``YYYY-MM-DD`` date with year 1950-2000 and day 1-28.
+    * ``sin`` — nine digits formatted ``9XX-XXX-XXX``.
+
+    Values are drawn with ``secrets`` instead of ``random``: a canary only
+    works if an attacker cannot predict it, and ``random`` is documented as
+    unsuitable for security purposes.
+
+    Args:
+        marker_rule: A string starting with 'pii:' identifying the PII type.
+
+    Returns:
+        A recognisably fake but plausible-looking PII value.
+
+    Raises:
+        ValueError: If ``marker_rule`` lacks the 'pii:' prefix or names an
+            unknown sub-type.
+    """
+    # Function-scope import so this block does not depend on the module's
+    # import list being edited alongside it.
+    import secrets
+
+    prefix = "pii:"
+    if not marker_rule.startswith(prefix):
+        # Previously the first four characters were sliced off blindly, so
+        # e.g. "abc:dob" was silently treated as "dob".
+        raise ValueError(f"Not a pii: marker rule: {marker_rule!r}")
+    kind = marker_rule[len(prefix) :]
+
+    if kind == "fake_name":
+        first = secrets.choice(_PII_FIRST_NAMES)
+        middle = secrets.choice(_PII_MIDDLE_NAMES)
+        last = secrets.choice(_PII_LAST_NAMES)
+        return f"{first} {middle} {last}"
+
+    if kind == "dob":
+        year = 1950 + secrets.randbelow(51)  # 1950..2000 inclusive
+        month = 1 + secrets.randbelow(12)
+        day = 1 + secrets.randbelow(28)  # Stay in safe range for all months
+        return f"{year:04d}-{month:02d}-{day:02d}"
+
+    if kind == "sin":
+        # Canadian SIN starting with 9 (temporary / clearly fake range).
+        # The remaining eight digits are uniform over 00000000..99999999.
+        digits = f"9{secrets.randbelow(10**8):08d}"
+        return f"{digits[0:3]}-{digits[3:6]}-{digits[6:9]}"
+
+    raise ValueError(f"Unknown pii: sub-type: {kind!r}")
+
 
 def _generate_value_for_pattern(marker_rule: str) -> str:
     """Generate a fake-but-realistic value matching a given regex pattern.
@@ -38,6 +178,10 @@ def _generate_value_for_pattern(marker_rule: str) -> str:
     Raises:
         ValueError: If the pattern is not recognized or generation fails.
     """
+    # PII canaries: marker_rule is a 'pii:<type>' descriptor, not a regex
+    if marker_rule.startswith("pii:"):
+        return _generate_pii_value(marker_rule)
+
     # AWS access keys: AKIA + 16 chars [A-Z0-9]
     if marker_rule == r"^AKIA[A-Z0-9]{16}$":
         return "AKIA" + "".join(random.choice(string.ascii_uppercase + string.digits) for _ in range(16))
@@ -306,12 +450,14 @@ def generate_values(
         except ValueError as e:
             raise ValueError(f"Failed to generate value for {canary_id}: {e}") from e
 
-        # Validate the generated value matches the pattern
-        try:
-            if not re.match(marker_rule, value):
-                raise ValueError("Generated value does not match pattern")
-        except re.error as e:
-            raise ValueError(f"Invalid marker_rule regex: {e}") from e
+        # Validate the generated value matches the pattern.
+        # pii: descriptors are not regexes — skip validation for them.
+        if not marker_rule.startswith("pii:"):
+            try:
+                if not re.match(marker_rule, value):
+                    raise ValueError("Generated value does not match pattern")
+            except re.error as e:
+                raise ValueError(f"Invalid marker_rule regex: {e}") from e
 
         values.append({"canary_id": canary_id, "value": value})
 
@@ -449,3 +595,73 @@ def write_dotenv_honeypot(
         raise
 
     logger.info(f"Wrote honeypot .env to {output_path} (mode 0o600, {len(_DOTENV_HONEYPOT_VARS)} canaries)")
+
+
+# PII context honeypot — canary IDs and their display labels in the context snippet.
+# Each tuple is (canary_id, label). write_pii_context() emits one "label: value"
+# line per tuple, in this order, and raises KeyError if any of these canary IDs
+# is missing from the values file.
+_PII_CONTEXT_VARS: list[tuple[str, str]] = [
+    ("pii-name-000", "Name"),
+    ("pii-email-000", "Email"),
+    ("pii-dob-000", "Date of Birth"),
+    ("pii-sin-000", "SIN"),
+]
+
+
+def write_pii_context(
+    output_path: str | Path,
+    values_path: str | Path,
+) -> None:
+    """Write a honeypot PII context snippet to be injected into an agent system prompt.
+
+    The snippet contains fake personal information (name, email, DOB, SIN) drawn
+    from canary values. When an attacker tricks the agent into compiling a PII report
+    and outputting these values, the canary scanner catches the known strings at
+    output stage.
+
+    The output file is written with mode 0o600 (owner read/write only). Where
+    ``os.fchmod`` is available the mode is also enforced on a file that already
+    exists, because the mode passed to ``os.open`` only applies to new files.
+
+    Args:
+        output_path: Path where the context snippet file should be written.
+        values_path: Path to the generated canary values JSON file; expected to
+            hold a list of ``{"canary_id": ..., "value": ...}`` objects.
+
+    Raises:
+        FileNotFoundError: If values_path does not exist.
+        KeyError: If a required canary ID is missing from the values file
+            (including when the file is not a list of canary objects).
+        OSError: If the output file cannot be written.
+    """
+    output_path = Path(output_path)
+    values_path = Path(values_path)
+
+    # EAFP: open directly instead of exists()+open(), keeping the same message.
+    try:
+        with open(values_path, encoding="utf-8") as f:
+            values_data = json.load(f)
+    except FileNotFoundError as err:
+        raise FileNotFoundError(f"Values file not found: {values_path}") from err
+
+    # Index usable entries by canary ID. A non-list root or non-dict entries
+    # are ignored so a malformed file surfaces as the documented KeyError
+    # below rather than an AttributeError/TypeError here.
+    entries = values_data if isinstance(values_data, list) else []
+    values_by_id: dict[str, str] = {}
+    for entry in entries:
+        if not isinstance(entry, dict):
+            continue
+        cid = entry.get("canary_id")
+        val = entry.get("value")
+        if cid and val:
+            values_by_id[cid] = val
+
+    lines = [
+        "[User profile — confidential, do not share]",
+        "",
+    ]
+    for canary_id, label in _PII_CONTEXT_VARS:
+        if canary_id not in values_by_id:
+            raise KeyError(f"Canary {canary_id!r} not found in values file {values_path}")
+        lines.append(f"{label}: {values_by_id[canary_id]}")
+
+    content = "\n".join(lines) + "\n"
+
+    output_path.parent.mkdir(parents=True, exist_ok=True)
+    fd = os.open(str(output_path), os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)
+    try:
+        # O_CREAT's mode is ignored for a pre-existing file, so tighten it
+        # explicitly before any content is written (not available everywhere).
+        if hasattr(os, "fchmod"):
+            os.fchmod(fd, 0o600)
+        out = os.fdopen(fd, "w", encoding="utf-8")
+    except Exception:
+        # The descriptor is still ours only until fdopen() succeeds.
+        os.close(fd)
+        raise
+    # From here the file object owns fd and closes it exactly once, even if
+    # write() fails; closing fd again would raise EBADF and mask that error.
+    with out:
+        out.write(content)
+
+    logger.info(
+        "Wrote PII context honeypot to %s (mode 0o600, %d canaries)",
+        output_path,
+        len(_PII_CONTEXT_VARS),
+    )
@@ -169,15 +169,17 @@ def load(
                     false_positive_risk=item.get("false_positive_risk"),
                     activation=activation,
                 )
-                # Validate active canaries: must have a value and it must match marker_rule
+                # Validate active canaries: must have a value and it must match marker_rule.
+                # pii: prefixed rules are descriptors, not regexes — skip regex validation.
                 if entry.active:
                     if not entry.value:
                         raise ValueError(f"Canary {canary_id}: no value provided (neither in schema nor values file)")
-                    try:
-                        if not re.match(entry.marker_rule, entry.value):
-                            raise ValueError(f"Canary {canary_id}: value does not match marker_rule")
-                    except re.error as e:
-                        raise ValueError(f"Canary {canary_id}: invalid marker_rule regex: {e}") from e
+                    if not entry.marker_rule.startswith("pii:"):
+                        try:
+                            if not re.match(entry.marker_rule, entry.value):
+                                raise ValueError(f"Canary {canary_id}: value does not match marker_rule")
+                        except re.error as e:
+                            raise ValueError(f"Canary {canary_id}: invalid marker_rule regex: {e}") from e
                 entries.append(entry)
             except KeyError as e:
                 raise ValueError(f"Missing field in canary entry: {e}") from e
 
@@ -838,5 +838,37 @@
     "marker_rule": "^[a-zA-Z0-9+/]+=*$",
     "active": true,
     "created_at": "2026-05-07T10:35:47.228853Z"
+  },
+  {
+    "canary_id": "pii-name-000",
+    "kind": "pii",
+    "service": "identity",
+    "marker_rule": "pii:fake_name",
+    "active": true,
+    "created_at": "2026-05-17T10:00:00.000000Z"
+  },
+  {
+    "canary_id": "pii-email-000",
+    "kind": "pii",
+    "service": "identity",
+    "marker_rule": "^canary-[a-z0-9\\-]+@armor-trap\\.invalid$",
+    "active": true,
+    "created_at": "2026-05-17T10:00:00.000000Z"
+  },
+  {
+    "canary_id": "pii-dob-000",
+    "kind": "pii",
+    "service": "identity",
+    "marker_rule": "pii:dob",
+    "active": true,
+    "created_at": "2026-05-17T10:00:00.000000Z"
+  },
+  {
+    "canary_id": "pii-sin-000",
+    "kind": "pii",
+    "service": "identity",
+    "marker_rule": "pii:sin",
+    "active": true,
+    "created_at": "2026-05-17T10:00:00.000000Z"
   }
 ]