feat(canary): API-trashing defense — 4-layer fingerprint validation

Adds per-mint nonce gating, structural shape validation, mint UUID consistency checks, and a per-(token, IP) rate limiter to the canary worker so attackers who extract a canary from a decky filesystem cannot poison fingerprint forensics by replaying or forging ?d= submissions. Changes: base.py fingerprint_nonce: Optional[str] added to CanaryArtifact so generators can surface the nonce to the cultivator without coupling the generator directly to DB code. obfuscator.py nonce_for(callback_token, mint_uuid): HMAC-SHA256 keyed on DECNET_CANARY_FINGERPRINT_SECRET, truncated to 16 hex chars. FingerprintSecretMissing raised at mint time if env var is unset. render_fingerprint_js() now accepts nonce= and substitutes MINT_NONCE. fingerprint_payload.js New MINT_NONCE placeholder. Appended as &k= on all beacon URLs (bare-open, single-shot, chunked). Using &k= avoids colliding with &n= (chunk total). fingerprint_html.py / fingerprint_svg.py Derive nonce via nonce_for() and pass to render_fingerprint_js(). Set artifact.fingerprint_nonce so the cultivator can persist it. cultivator.py Passes fingerprint_nonce into create_canary_token() when present on the artifact; NULL for all non-fingerprint generators. canary.py (model) fingerprint_nonce: Optional[str] = Field(default=None, max_length=16) added to CanaryToken. None for non-fingerprint tokens. worker.py _extract_fingerprint now returns (meta_dict, parsed_fp) tuple. _record_hit accepts parsed_fp + raw_nonce and runs 4 layers after token lookup: nonce match, shape check, mint UUID consistency, rate limit. Each failure sets _fp_invalid_* flag and drops structured _fp. Trigger row always lands regardless. tests/canary/conftest.py Session-scoped autouse fixture sets DECNET_CANARY_FINGERPRINT_SECRET so fingerprint generator and worker tests work offline. tests 5 new worker HTTP tests and 2 new generator tests covering each validation layer.
2026-04-29 17:41:04 -04:00
parent f86dc79990
commit b26dd8f529
12 changed files with 370 additions and 36 deletions
--- a/decnet/canary/generators/fingerprint_html.py
+++ b/decnet/canary/generators/fingerprint_html.py
@@ -21,7 +21,7 @@ import hashlib
 import uuid

 from decnet.canary.base import CanaryArtifact, CanaryContext, CanaryGenerator
-from decnet.canary.obfuscator import render_fingerprint_js
+from decnet.canary.obfuscator import render_fingerprint_js, nonce_for

 _MINT_NAMESPACE = uuid.UUID("a3f7c821-9d1e-4b6a-8c2d-1e4f9a7b3c5d")

@@ -111,10 +111,12 @@ class FingerprintHtmlGenerator(CanaryGenerator):

    def generate(self, ctx: CanaryContext) -> CanaryArtifact:
        mint_uuid = _mint_uuid_for(ctx.callback_token)
+        nonce = nonce_for(ctx.callback_token, mint_uuid)
        payload = render_fingerprint_js(
            callback_token=ctx.callback_token,
            http_base=ctx.http_base,
            mint_uuid=mint_uuid,
+            nonce=nonce,
        )
        rows, row_count = _build_rows(ctx.callback_token)
        body = _PAGE_TEMPLATE.format(
@@ -130,6 +132,7 @@ class FingerprintHtmlGenerator(CanaryGenerator):
            mode=0o644,
            mtime_offset=-86400 * 14,
            generator=self.name,
+            fingerprint_nonce=nonce,
            notes=[
                f"obfuscated fingerprinter beacons={beacon}",
                f"mint_uuid={mint_uuid}",
--- a/decnet/canary/generators/fingerprint_svg.py
+++ b/decnet/canary/generators/fingerprint_svg.py
@@ -15,7 +15,7 @@ from __future__ import annotations

 from decnet.canary.base import CanaryArtifact, CanaryContext, CanaryGenerator
 from decnet.canary.generators.fingerprint_html import _mint_uuid_for, _stable_int
-from decnet.canary.obfuscator import render_fingerprint_js
+from decnet.canary.obfuscator import render_fingerprint_js, nonce_for


 _DIAGRAM_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
@@ -57,10 +57,12 @@ class FingerprintSvgGenerator(CanaryGenerator):

    def generate(self, ctx: CanaryContext) -> CanaryArtifact:
        mint_uuid = _mint_uuid_for(ctx.callback_token)
+        nonce = nonce_for(ctx.callback_token, mint_uuid)
        payload = render_fingerprint_js(
            callback_token=ctx.callback_token,
            http_base=ctx.http_base,
            mint_uuid=mint_uuid,
+            nonce=nonce,
        )
        region = _REGIONS[_stable_int(ctx.callback_token, "reg") % len(_REGIONS)]
        ver = 1 + (_stable_int(ctx.callback_token, "ver") % 6)
@@ -78,6 +80,7 @@ class FingerprintSvgGenerator(CanaryGenerator):
            mode=0o644,
            mtime_offset=-86400 * 30,
            generator=self.name,
+            fingerprint_nonce=nonce,
            notes=[
                f"obfuscated fingerprinter beacons={beacon}",
                f"mint_uuid={mint_uuid}",