Security env vars

Every SENKANI_* variable that affects the trust boundary. Defaults are secure; overrides are explicit.

Prompt-injection guard

SENKANI_INJECTION_GUARD=on|off — default on. Scans every MCP tool response for instruction-override, tool-call injection, context-manipulation, and exfiltration patterns, with anti-evasion normalization (lowercase, zero-width strip, Cyrillic→Latin homoglyphs). Single linear pass.

Socket authentication

SENKANI_SOCKET_AUTH=on — default off (v0.2.0; flipping to on next release). Generates a 32-byte random token at ~/.senkani/.token (mode 0600), rotated on every server start. Every connection to mcp.sock/hook.sock/pane.sock must send a length-prefixed handshake frame matching the token before normal protocol begins. Raises the bar from ambient same-UID socket access to must-read-token-file.

Structured JSON logs

SENKANI_LOG_JSON=1 — default off. When on, emits one JSON object per critical event to stderr. Every .string(_) log field passes through SecretDetector.scan at emit time — a stray API key in a log field is automatically [REDACTED:…]'d.

Instructions payload byte cap

SENKANI_INSTRUCTIONS_BUDGET_BYTES — default 2048. The instructions string injected at MCP server start (repo map + session brief + skills) is capped at 2 KB by default. Prevents the per-session-start token tax from growing with project size.

Observability counters

Every security-defense site increments an event_counters row (migration v2): injection detections, SSRF blocks, socket handshake rejections, schema migrations, retention prunes, command redactions. Read them via senkani stats --security.