Merged
13 changes: 9 additions & 4 deletions internal/cli/cli.go
Expand Up @@ -84,13 +84,13 @@ Advanced:

Flags (arm):
--webhook <url> webhook URL (Discord, Slack, Telegram, or custom)
--label <name> prefix canary names (defaults to hostname)
--label <name> name your canary (e.g. prod-admin-legacy-2024) — defaults to hostname
--all plant all canary types including dotenv-based ones
(openai, anthropic, huggingface, npm, mcp, github, stripe, generic, docker, azure)
--dry-run show what would be planted without writing

Flags (plant):
--label <name> prefix canary names (defaults to hostname)
--label <name> name your canary (e.g. prod-admin-legacy-2024) — defaults to hostname
--type <type> canary type: aws, awsproc, gcp, github, stripe, openai, anthropic, ssh, k8s, npm, mcp, pypi, huggingface, docker, azure, generic
--all plant all high-reliability canary types at once
--dry-run show what would be planted without writing anything
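Review bot: The new `--label` text under both Flags (arm) and Flags (plant) drops the word "prefix", so the help no longer says whether the value becomes the whole canary name or is still prepended to a generated one. If the flag's behaviour is unchanged by this PR, keep that in the description, for example "prefix for canary names (e.g. prod-admin-legacy-2024), defaults to hostname", so an operator who reads only the help text can predict what name will be planted. The added line also introduces a non-ASCII dash into the help string, which the surrounding flag descriptions avoid; parentheses or a plain hyphen would match the existing "(defaults to hostname)" style and render the same in every terminal.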
Expand Down Expand Up @@ -363,17 +363,22 @@ Use --all to arm every canary type, or --select to pick interactively.

Flags:
--webhook <url> webhook URL (Discord, Slack, Telegram, PagerDuty, Teams)
--label <name> prefix canary names (defaults to hostname)
--label <name> name your canary (e.g. prod-admin-legacy-2024) — defaults to hostname
--all plant all canary types including dotenv-based ones
--select interactive checklist to pick which canaries to arm
--dry-run show what would be planted without writing anything
--help show this help

Examples:
snare arm --webhook https://discord.com/api/webhooks/...
snare arm --webhook https://hooks.slack.com/... --label prod-server
snare arm --webhook https://hooks.slack.com/... --label prod-admin-legacy-2024
snare arm --all --webhook <url>
snare arm --select --webhook <url>

Naming tip:
Use --label to make canaries look like real dormant infrastructure credentials.
A name like "prod-admin-legacy-2024" looks plausible to a compromised agent
and is something you'd never invoke yourself — maximizing signal quality.
`)
return
}
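Review bot: The "Naming tip" block is added only to the detailed `arm` help, while the `plant` flag list in the first hunk gets the same new `--label` wording without the explanation. Operators who plant canaries one type at a time never see why a label like "prod-admin-legacy-2024" is recommended, so either repeat the tip in the `plant` help or move it to a shared string both commands print. The tip's "something you'd never invoke yourself" is the part that keeps alerts meaningful, so it would help to say outright that the label must not match any credential or profile name actually in use on the host. The example also hard-codes the year 2024 in three places across the help text; a label without a year, or a note that the year is only illustrative, would keep the example from looking stale.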