APOHARASYNTHEX
Web Data UNLOCKED · github
SCREEN IT · SEAL IT · INSIDE BRIGHT DATA

APOHARA SYNTHEX — the evidence layer for AI agents that scrape the live web

for AI agents that scrape the live web
Screen what your agents ingest. Seal what they found.
RFC 3161 · DigiCert · Rekor v2 · CMS chain verify L1→L2→L3 screen · two-axis FP+recall gate 6 / 6 Bright Data surfaces · live SLSA L3 · npm provenance
POWERED BY · THE STACK

Real partners. Real integrations.

Bright Data
The substrate — no Bright Data, no data.
FETCH · 6/6 VERIFIED LIVEWeb Unlocker · SERP · Browser · Datasets · Crawl · MCP↓ 41% less token spendscrape_batch dedup — our PR #140 (open PR, not merged) drops exact-duplicate pages before the LLM · measured on a 16-URL batch
AI/ML API
The classifier brain — frontier model.
CLASSIFY · VERIFIED LIVE4-lens extraction · structured signals + severity
Cognee
The knowledge-graph memory (OSS).
MEMORY · TOOLS CONFIRMEDremember / recall · opt-in on local/CLI
Triggerware
React → act on web deltas, no human in the loop.
REACT · LIVE APIpoll deltas → fire pipeline → alert
● APOHARA STACK · FORMAL-SAFETY LINEAGE Context Forge — INV-15 · Z3-proven · Zenodo DOI · prior art, not in this pipeline
SEE THE MCP WORK · ORCHESTRATOR → SYNTHEX

Your agent calls one tool. Every page comes back screened and sealed.

When a coding agent — Claude Code, Kiro, any MCP client — calls synthex_scrape_classify_prove, this is the Evidence Report it gets back: each page fetched through Bright Data, screened before the LLM, and given a verdict — allow, review, or block — with the rule that fired and the latency. Your client renders it as JSON; here it is visualized. The rule IDs and verdict types are the real ones from src/forge/; the page list is a representative sample. The live pipeline below runs it for real against Bright Data.

apohara-synthex · MCP tool synthex_scrape_classify_prove
evidence report · visualized
your agent calls synthex_scrape_classify_prove({ lens: "security" }) over a 12-URL shortlist — here is the sealed Evidence Report it gets back.
ALLOWstripe.com/docs/apiclassify: clean · sev 1126ms
ALLOWgithub.com/vendor/sdk/releasesclassify: clean · sev 298ms
ALLOWdocs.aws.amazon.com/iamclassify: clean · sev 1141ms
REVIEWblog.acme.io/llm-agentsguard: pii-pattern · DJL-PII-7 · sev 6173ms
ALLOWstatus.vendor.comclassify: clean · sev 088ms
REVIEWpastebin-mirror.xyz/raw/x9f2guard: prompt-injection · DJL-PI-001 · sev 9 — flagged REVIEW · L1 never blocks ingest79ms
ALLOWnpmjs.com/package/vendor-sdkclassify: clean · sev 1112ms
REVIEWgist.github.com/leak/config.envguard: secret-pattern · DJL-EXF-3 · sev 7156ms
ALLOWvendor-changelog.devclassify: clean · sev 2104ms
ALLOWapi-reference.io/v2classify: clean · sev 1133ms
ALLOWraw.forum-dump.net/thread/8821classify: clean · sev 3167ms
ALLOWcdn.assets.vendor.comclassify: clean · sev 071ms
12 pages · 9 allow · 3 review · 0 block · L1 regex never drops a scraped doc sealed · Ed25519 + RFC 3161 TSA + C2PA

9-page verifiable Evidence Report · Ed25519 + RFC 3161 timestamp · verify offline with openssl ts

MAY 2026 · THE WEB YOUR AGENTS TOUCH
Your agents scrape the live web right now.
Prompt injection is OWASP #1.
And you can't prove what they found.
OWASP LLM Top-10 2026 · BrowseSafe (Perplexity, 2026) · VPI-Bench — injection hides in the HTML your agent scrapes.
The MCP tooling layer is now a CVE surface too — CVE-2025-68143: CVSS 8.8 HIGH, path traversal in the official mcp-server-git (NVD, Dec 2025). Synthex screens the content your agents ingest; the ecosystem's urgency is broader than any one filter.
THE CATEGORY PROBLEM · 3 BARRIERS

Three reasons you can't trust what your agents scraped.

BARRIER 01

Malicious web content

Scraped pages carry prompt injection, hidden instructions, secret-exfil and SSRF — and it reaches the LLM unscreened.

Trust the scraped HTML
Let the LLM "figure it out"
Classifier-only filters
SYNTHEX SOLVES WITHA two-layer deterministic pre-LLM defense — 32 web-injection rules + 78 prompt-level rules (jailbreak, harm/PII bilingual EN+ES, SQLi/XSS, exfiltration, sector policy) — blocks payloads before spending an LLM token.
BARRIER 02

Unclassified intel

Raw scrapes aren't intelligence. Teams can't tell a pricing signal from a vendor risk from a CVE from a supply-chain shock.

Dump raw markdown into RAG
One generic summary
Manual triage
SYNTHEX SOLVES WITHFour lenses in parallel — GTM · Finance · Security · Supply-chain — structured signals + severity on the same scrape.
BARRIER 03

Unprovable evidence

Your CISO can't prove what the agent saw, when, or that the bytes are unchanged. Audit trails for web-grounded AI don't exist.

Unsigned logs
No timestamping
A PDF nobody can verify
SYNTHEX SOLVES WITHEd25519 signature + RFC 3161 timestamp (DigiCert) + C2PA Content Credentials → a 9-page Evidence Report anyone verifies offline with openssl or c2patool.
SYNTHEX · IN ONE SENTENCE

Synthex is the screen-and-seal layer that lives inside Bright Data — it screens what your agents ingest with a layered injection defense, then cryptographically seals what they found.

TWO JOBS · SCREEN IT · SEAL IT

Screen what they ingest. Seal what they found.

① Screen it
Layered injection defense — the poison never reaches the classifier. Every layer's false-positive is measured, not asserted.
DEFENSE IN DEPTH · FP MEASUREDL1 regex (78 DJL + 32 prefilter) — REVIEW-only on ingestpipeline drop 0/5L2 · two roles, one gate (≤ 20% benign FP earns BLOCK):Qwen3Guard-Gen-8B — recall 90%, FP 35% → REVIEW-breadth (DISQUALIFIED for BLOCK)NemoGuard — FP 11%, recall 66% → BLOCK-precision (QUALIFIES, opt-in)L3 AlignmentCheck — false-BLOCK 0/5 · the FP-killer · backstops NemoGuard's 34% miss+ grounding verifier · nonce Spotlighting · CaMeL flow gatemeasured: docs/guard-recall-measurement.md · n=647
② Seal it
Third-party-verifiable evidence — every layer composable, every report verifiable offline.
CRYPTOGRAPHIC SEAL · OFFLINE-VERIFIABLEHMAC-SHA256 + Ed25519 — publishable keyId · non-repudiationRFC 3161 TSA · CMS chain · multi-TSA (DigiCert + Actalis)C2PA Content Credentials (c2patool Valid) · Sigstore Rekor v2distinguishes forged vs untrusted-anchor — not a forgery alarm on a stale pinverify offline: node bin/decode-evidence.js
THE MOAT · ONE GATE, MEASURED · n=647

Honesty is the gate. Only NemoGuard earns BLOCK.

Two axes, three guards, one bar. A guard gets BLOCK authority only if its benign false-positive is ≤ 20% — drop a benign security page and you've failed the one job. We ran the gate against three guards on a 647-sample constructed corpus, and published the loser.

Guard Recall Benign FP · 20% gate Verdict
L1 heuristic zero-dependency baseline 14% 12% REVIEW-ONLY
Qwen3Guard-Gen-8B highest recall, too trigger-happy 90% 35% ✕ DISQUALIFIED
NemoGuard v3 Llama-3.1-Nemotron-Safety-Guard-8B-v3 66% 11% ✓ EARNS BLOCK
┊ 20% benign-FP gate (the L1 bar) — above it, a guard silently drops ~1 in 3 benign security pages. Qwen's 35% overshoots it; NemoGuard's 11% sits under it and earns BLOCK.
11%
BENIGN FALSE-POSITIVE · ≤ 20% gate · NemoGuard EARNS opt-in BLOCK
66%
RECALL · catches ~2 of 3 injections — L3 AlignmentCheck (false-BLOCK 0/5) backstops the rest
L1 REVIEW-only (drop 0/5) → L2 (Qwen REVIEW-breadth + NemoGuard BLOCK-precision) → L3 (FP-killer, false-BLOCK 0/5). No single guard is the moat — the layering is. Qwen catches more but is too trigger-happy to block; NemoGuard is precise enough to block but misses a third; L3 reads intent and closes the gap.

OPT-IN · measured, not on by default. NemoGuard's BLOCK is gated twice — SYNTHEX_GUARD_MODEL selects it, SYNTHEX_GUARD_BLOCK_ENABLED arms BLOCK; unset, every Unsafe degrades to REVIEW (the doc is kept). The measurement is what justifies that opt-in authority — not an always-on default. Corpus is CONSTRUCTED (OWASP LLM01 · MITRE ATLAS AML.T0051 · arXiv:2510.11570), a reproducible benchmark, not a field study; binary safe/unsafe, no native REVIEW tier; hosted inference is non-deterministic.

Reproduce: npm run guard:recall · Source: docs/guard-recall-measurement.md · docs/guard-fp-measurement.md

ARCHITECTURE · 4 STAGES · 1 SUBSTRATE

Four stages. One signed substrate.

01 · FETCH
Bright Data
  • · Web Unlocker (MCP+REST)
  • · SERP API · structured
  • · Browser API · CDP
  • · Datasets · Crawl
  • · smart router
02 · FORGE + SCREEN
layered L1→L3
  • · SHA-256 dedup
  • · L1: 78 DJL + 32 prefilter
  • · REVIEW-only on ingest
  • · L2 Qwen breadth + NemoGuard BLOCK
  • · L3 AlignmentCheck · FP-killer
03 · CLASSIFY
4 lenses
  • · GTM · Finance
  • · Security · Supply-chain
  • · in parallel
  • · via AI/ML API
  • · severity + signals
04 · PROVE
Seal
  • · Ed25519 signature
  • · RFC 3161 · DigiCert
  • · C2PA · Rekor v2
  • · Risk Score 0–100
  • · openssl/c2patool-verifiable
● EVERY BYTE SCREENED · EVERY REPORT SIGNEDEd25519 · RFC 3161 · C2PA
725
tests · 712 pass · 0 fail · 13 skip
6/6
Bright Data surfaces · live
110
pre-LLM rules · 2 layers · 78 DJL + 32 prefilter
500
URLs · 99.6% · $0.75 · live stress
UNDER THE HOOD · REAL CODE

Every stage is code you can read.

FETCHsrc/fetch/router.js
// route each target to the right Bright Data surface
if (!isUrl(target)) return serpSearch(target);   // SERP · JSON
if (mode === "browser") return browserFetch(target);
if (mode === "crawl")   return crawlSite(target);
return httpFetcher(opts)(target);   // Web Unlocker REST
SERP live · 200 · structured JSON6 / 6 SURFACES
FORGEsrc/forge/{djl,prefilter}.js
{ id:"DJL-PI-001", re:/ignore previous instructions/i, sev:9 },
{ id:"DJL-HARM-011", re:/(?:kill myself|suicidarme)/i, sev:10 },
{ id:"SSRF-1", re:/169\.254\.169\.254/, severity:9 },
// 78 DJL + 32 web · L1 REVIEW-only · NemoGuard/L3 BLOCK
110 pre-LLM rules (78 DJL + 32 prefilter) · 78/78 fixture coveragedeterministic regex
CLASSIFYsrc/pipeline.js
// lens="all" → 4 lenses in parallel on one scrape
await Promise.all(LENS_SET.map((l) =>
  classify(doc.content, l)));
// gtm · finance · security · supply-chain
4 lenses ‖ · severity + signalsAI/ML API
PROVEverify it yourself
# decode the RFC 3161 token from the report, then:
$ openssl ts -reply -in synthex.tsr -text
# messageImprint must equal the report SHA-256
→ TSA: DigiCert · OK
Ed25519 + RFC 3161 · openssl-verifiableDigiCert
THE EDGE · BEFORE THE LLM
Injection in a scraped page reaches the LLM in milliseconds.
Synthex screens it in layers — a doc that executes an attack never reaches the classifier.
L1 regex REVIEW-only (pipeline drop 0/5) → L2 two-axis gate: Qwen REVIEW-breadth (recall 90%, FP 35%) + NemoGuard BLOCK-precision (FP 11% ≤ 20%) → L3 AlignmentCheck · describing-vs-executing (false-BLOCK 0/5 · the FP-killer)
SEE IT LIVE · RUN IT YOURSELF

Don't trust the claims. Run the pipeline.

Paste a URL or term, pick a lens, watch the four stages execute against real Bright Data — then download the signed Evidence Report. This runs the actual pipeline, not a recording.

Rather not run it? See a real 9-page Evidence Report from a live injection-catch — sample PDF — sealed with Ed25519 + RFC 3161 TSA + Sigstore Rekor + a c2patool-validated C2PA card.

Flash is the fast, bulk default classifier; Pro is the higher-quality reasoner for high-stakes verdicts.

EMPIRICAL · 2026-05-28 · VERIFIABLE

Numbers that survive scrutiny. 500 URLs · 9 minutes · $0.75.

We ran the v0.6 stress test live against Bright Data on 2026-05-28 with a 60-URL allowlist (pricing pages, gov sources, GitHub releases, dev docs, market news), multiplied to 500 inputs across 8 parallel workers. Every input passed through the full pipeline — fetch → 2-layer pre-LLM screen (110 rules) → 4-lens classify → Ed25519 + RFC 3161 seal. Every number below comes from a real corrida; the per-URL evidence is in out/stress-500-2026-05-28/.

500
URLs processed
60 unique · ×8.3 multiplier · concurrency 8
99.6%
Success rate
498 / 500 OK · 2 fail server-side
$0.75
Bright Data spend
1.5% of $50 budget · $0.0015 per signed evidence
9.1min
Wall clock total
p50 7.5s · p95 18.4s · 549s end-to-end
99.6% 498 / 500 OK
BD spend vs $50 budget$0.75 · 1.5%
p50 latency (8s scale)7.5s · median
p95 latency (20s scale)18.4s · tail
DigiCert TSA p95 RTT (1500ms SC-3b gate)385ms · 26% of budget
The same architecture — same workers, same surfaces, same seal — would cover ~33,000 URLs before the $50 budget runs out. We spent 1.5%. Synthex is efficient by design, not by accident.

Source: docs/v060-stress-report.md · out/stress-500-2026-05-28/report.json · TSA bench: scripts/bench-tsa-rtt.mjs

WHO BUYS THIS · 4 BUYERS, 4 ARTIFACTS

One pipeline. Four people can act on it today.

AI Ops / Sec Eng
"What did my agent just scrape — and was it safe?"
ARTIFACTFORGE blocked-content log · 2-layer (32+78) defense · sealed decisions[] audit trail · per-stage latencies (OTel)
CISO
"Prove what the agent saw, and that the bytes are unchanged."
ARTIFACTRFC 3161-sealed Evidence Report · Ed25519 + SHA-256 · openssl-verifiable
General Counsel
"EU AI Act Art. 12 logging for AI data sources."
ARTIFACT9-page signed PDF · audit trace page · timestamped provenance
Risk / Board
"Can I price the risk of this agent fleet — and what does the board ask?"
ARTIFACTRisk Score 0–100 + Red-Team Board page — 5 adversarial prompt-lenses over one reasoner, on-demand · internal estimate, not a quote
HONESTY · WHAT WE DO NOT CLAIM

The pitch is honesty — so it applies to us too.

RFC 3161 proves when, not truth. The timestamp proves the bytes existed and are unchanged — not that the content is correct.
Both pre-LLM layers cover text/HTML + prompt-level, not visual VPI. 32 web-injection rules + 78 prompt-level rules (jailbreak, harm/PII, sector policy) with 78/78 fixture coverage — deterministic regex, not a formal proof, not screenshot-based attacks.
NemoGuard's BLOCK is opt-in and measured, not on by default. It earns BLOCK on a benign FP of 11% (≤ 20% gate) over n=647 — a constructed corpus, indicative not statistically robust. NemoGuard is binary safe/unsafe (no native REVIEW tier), hosted inference is non-deterministic, and BLOCK stays REVIEW-capped unless SYNTHEX_GUARD_BLOCK_ENABLED is set.
Crawl is a multi-page crawl over Web Unlocker — not Bright Data's native Crawl product. All 6 surfaces are verified live; we name the crawl honestly for what it is.
The C2PA signer is self-signed / untrusted. The Evidence Card proves integrity + provenance shape, not CA-rooted identity — c2patool reports the signer untrusted by design.
Multi-TSA is RFC 3161, not eIDAS-qualified. DigiCert + Actalis are standard RFC 3161 timestamps; the free Actalis endpoint uses a non-qualified policy OID — a qualified eIDAS timestamp stays roadmap.
The Risk Score is an internal estimate. A deterministic heuristic with its formula printed on the PDF — not a Munich Re rating or a broker quote.
OTel export and Cognee memory are opt-in. The public endpoint keeps Cognee off to control cost; the rate-limit is best-effort.

Prior art, cited not claimed: the INV-15 formal-safety paper (Apohara Context_Forge) and KVCOMM · MemArt ground the design — they are not part of this scraping pipeline.

MARKET · THREE TAMs · CITED, NOT INVENTED

Three markets, one wedge.

Synthex sits at the intersection of three real, separately-sized markets. We don't claim a TAM of our own — we address a slice of each. The bars below are scaled to the 2030–2035 projections from third-party analysts; sources are linked, not invented. Pricing OSS · Pro · Enterprise is proposed; no revenue yet.

AI agentsby 2030 · MarketsandMarkets
$52.6B2030 TAM
AI-driven web scrapingby 2035 · Market Research Future
$46.1B2035 TAM
AI observabilityby 2033 · Market.us
$10.7B2033 TAM

Bars are scaled relative to the largest of the three (AI agents $52.6B = 100%). The Synthex wedge inside each market is signed evidence + chain-of-custody for the web your agents touch — a layer above scraping (Bright Data), classification (AI/ML), and memory (Cognee), not a replacement of any of them. Sources: MarketsandMarkets AI Agents · Market Research Future AI Web Scraping · Market.us AI Observability.

WHY SYNTHEX WINS
0 / N

submissions ship all of these together.

The uniqueness: Synthex is the only Web Data UNLOCKED submission that cryptographically seals scraped content with third-party-verifiable, C2PA-standard provenance and a public transparency-log anchor. Two axes no one else ships:

Verify with the industry's own tool. The Evidence Card is a real C2PA Content Credential — validate it with c2patool, the standard, no Synthex code required.
Transparency log shipped, not roadmap. The seal keyId is anchored in a Sigstore Rekor v2 transparency log, with the inclusion proof verifiable fully offline.
Bright Data as runtime substrate — all 6 surfaces with real code (Unlocker/SERP/Browser/Datasets/Crawl/MCP)
RFC 3161 TSA (DigiCert) — verifiable offline with openssl ts
Downloadable 9-page signed Evidence Report — 4-buyer framing (CISO · GC · Risk · Board), with a sealed Red-Team Board Briefing page
4-lens classification in parallel — GTM · Finance · Security · Supply-chain
A guard that EARNS block, measured. A two-axis (FP + recall) open-model selection found NemoGuard at benign FP 11% ≤ 20% on n=647 — L1 REVIEW → L2 (Qwen breadth + NemoGuard precision) → L3 FP-killer (false-BLOCK 0/5). 110 deterministic rules (32 web + 78 prompt) sit in front. No other submission measured its own guard against a public bar and published the loser.
Tokens saved sealed inside every Evidence Report — dedup + blocked bytes + estimated tokens, verifiable with decode-evidence
OpenTelemetry GenAI spans + live SSE pipeline view — observable, not a black box

The web your agents touch, now classified and provable.

SHIP IT · TODAY · 60 SECONDS

Your agents are scraping the web right now.
Without a seal, every verdict is just text.

Apohara Synthex is the only OSS layer that screens, classifies, and cryptographically signs what your agents touched — RFC 3161 timestamps verified link-by-link against pinned DigiCert anchors, delta-chained across re-scrapes, sealed inside a 9-page verifiable Evidence Report. Live on npm, MIT, zero lock-in.

Two-axis guard gate · Ed25519 seal · C2PA Content Credentials · Rekor v2 · SLSA L3 · npm provenance · Web Data UNLOCKED · Bright Data × lablab.ai · MIT