Watermarker

What it does

Inspect what watermarks a PDF or Word file carries, and stamp a visible text watermark across the pages of a PDF — over a Kiteworks folder, without the content ever leaving the platform.

Relevant regulations and standards

Frameworks and mandates this agent helps you address. Not a certification — your own controls and assessment still apply.

Tags

Published version history. The latest version is what new installs receive; your administrator chooses when to upgrade.

1. 0.1.0 stable latest 2026-06-16

   Initial watermarker agent (WATERMARK-AGENT-PLAN, Phase 1 — visible marks + detection, no personal data by default). Three operations over the platform content lane (the agent never touches file bytes — the platform parses and renders in a kill-capable subprocess worker, presidio-independent):

   • inspect (read-only) — pins a folder and reports, per PDF / Word (.docx) file, the STRUCTURAL facts of any watermark/marking: carrier (content overlay, stamp/watermark annotation, XMP/Info metadata, Office header), kind (visible text / image / hidden text / metadata / provenance), a confidence level, a provenance state, and a closed structural location — never any document-derived text. Writes and saves nothing.
   • export_report (read-only) — the same inspection plus a saved CSV artifact.
   • apply (two-phase preview → confirm → mutate, ABAC role-gated, audited) — re-pins, re-inspects, builds an eligibility plan for the requested visible-text watermark, and returns a platform-keyed confirmation_token + preview; re-posting the matching token stamps the watermark. PDF only in v1 (Word is inspected but returns unsupported_carrier on apply, pending the §13 interop check); signed and PDF/A documents are inspected but refused on apply (signed_pdf / pdfa_input), and encrypted documents are skipped.

   W1 write-back: a <name>-watermarked.pdf copy is written next to the original and the original is moved into a per-folder "To delete" folder (a new file id); nothing is deleted automatically. The visible watermark text is the only caller-supplied content — it is stamped onto the page but never echoed back in any output, preview, receipt, or audit record. The confirmation token is a platform-keyed HMAC (HKDF-from-KW_SESSION_SECRET, a domain separate from literal-redaction); a bare hash of the low-entropy text is never returned.

   Security posture. The watermark is informational, not an integrity seal (that is a digital signature / C2PA, out of scope). It carries no personal data by default — only the text you choose. The cryptographic-provenance payload (Phase 2) is deliberately not in this release and is held pending Privacy/Legal review. Requires the optional [watermark] engine; without it (or, for apply, without a working renderer + a vendored font + the session secret) the watermark capabilities report unavailable and fail closed. Ships English-only; nl/he/ja storefront overlays are a reviewed fast-follow.

Install in Claude Code

claude plugin marketplace add \
  kiteworks/agent-marketplace
claude plugin install \
  kiteworks-watermarker@kiteworks

Prerequisites

• Kiteworks Compliance Runtime — install via pip install kw-mcp-gateway (host >=1.0.0,<2.0.0). This agent calls into the runtime for deterministic, audited execution.
• Official Kiteworks MCP >=9.3.0 (used by the runtime) — install and sign in from github.com/kiteworks/mcp.
• Python >=3.11.

Connect from Claude

Add this marketplace as a remote MCP connector in Claude Desktop or Claude Code — point it at <your-host>/mcp. One process per deployment; no per-machine install. Requires the official Kiteworks MCP to be configured.