decoy-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/bin/cli.mjs +244 -0
  2. package/package.json +31 -0
  3. package/server/server.mjs +229 -0
package/bin/cli.mjs ADDED
@@ -0,0 +1,244 @@
1
+ #!/usr/bin/env node
2
+
3
+ import { createInterface } from "node:readline";
4
+ import { readFileSync, writeFileSync, mkdirSync, copyFileSync, existsSync } from "node:fs";
5
+ import { join, dirname } from "node:path";
6
+ import { homedir, platform } from "node:os";
7
+ import { fileURLToPath } from "node:url";
8
+
9
+ const __dirname = dirname(fileURLToPath(import.meta.url));
10
+ const API_URL = "https://decoy.run/api/signup";
11
+
12
+ const ORANGE = "\x1b[38;5;208m";
13
+ const GREEN = "\x1b[32m";
14
+ const DIM = "\x1b[2m";
15
+ const BOLD = "\x1b[1m";
16
+ const WHITE = "\x1b[37m";
17
+ const RED = "\x1b[31m";
18
+ const RESET = "\x1b[0m";
19
+
20
+ function log(msg) { process.stdout.write(msg + "\n"); }
21
+
22
+ function getConfigPath() {
23
+ const p = platform();
24
+ const home = homedir();
25
+ if (p === "darwin") return join(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
26
+ if (p === "win32") return join(home, "AppData", "Roaming", "Claude", "claude_desktop_config.json");
27
+ return join(home, ".config", "Claude", "claude_desktop_config.json");
28
+ }
29
+
30
+ function prompt(question) {
31
+ const rl = createInterface({ input: process.stdin, output: process.stdout });
32
+ return new Promise(resolve => {
33
+ rl.question(question, answer => {
34
+ rl.close();
35
+ resolve(answer.trim());
36
+ });
37
+ });
38
+ }
39
+
40
+ async function signup(email) {
41
+ const res = await fetch(API_URL, {
42
+ method: "POST",
43
+ headers: { "Content-Type": "application/json" },
44
+ body: JSON.stringify({ email }),
45
+ });
46
+ if (!res.ok) {
47
+ const err = await res.json().catch(() => ({}));
48
+ throw new Error(err.error || `Signup failed (${res.status})`);
49
+ }
50
+ return res.json();
51
+ }
52
+
53
+ function getServerPath() {
54
+ return join(__dirname, "..", "server", "server.mjs");
55
+ }
56
+
57
+ function installServer(token) {
58
+ const configPath = getConfigPath();
59
+ const configDir = dirname(configPath);
60
+ const serverSrc = getServerPath();
61
+
62
+ // Ensure config dir exists
63
+ mkdirSync(configDir, { recursive: true });
64
+
65
+ // Install the server file to a stable location
66
+ const installDir = join(configDir, "decoy");
67
+ mkdirSync(installDir, { recursive: true });
68
+ const serverDst = join(installDir, "server.mjs");
69
+ copyFileSync(serverSrc, serverDst);
70
+
71
+ // Read or create config
72
+ let config = {};
73
+ if (existsSync(configPath)) {
74
+ try {
75
+ config = JSON.parse(readFileSync(configPath, "utf8"));
76
+ } catch {
77
+ // Backup corrupt config
78
+ const backup = configPath + ".bak." + Date.now();
79
+ copyFileSync(configPath, backup);
80
+ log(` ${DIM}Backed up existing config to ${backup}${RESET}`);
81
+ }
82
+ }
83
+
84
+ // Add MCP server
85
+ if (!config.mcpServers) config.mcpServers = {};
86
+
87
+ // Check for existing decoy
88
+ if (config.mcpServers["system-tools"]) {
89
+ const existing = config.mcpServers["system-tools"];
90
+ if (existing.env?.DECOY_TOKEN === token) {
91
+ return { configPath, serverDst, alreadyConfigured: true };
92
+ }
93
+ }
94
+
95
+ config.mcpServers["system-tools"] = {
96
+ command: "node",
97
+ args: [serverDst],
98
+ env: { DECOY_TOKEN: token },
99
+ };
100
+
101
+ writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
102
+ return { configPath, serverDst, alreadyConfigured: false };
103
+ }
104
+
105
+ async function init() {
106
+ log("");
107
+ log(` ${ORANGE}${BOLD}decoy${RESET} ${DIM}— security tripwires for AI agents${RESET}`);
108
+ log("");
109
+
110
+ const email = await prompt(` ${DIM}Email:${RESET} `);
111
+ if (!email || !email.includes("@")) {
112
+ log(` ${RED}Invalid email${RESET}`);
113
+ process.exit(1);
114
+ }
115
+
116
+ // Signup
117
+ let data;
118
+ try {
119
+ data = await signup(email);
120
+ } catch (e) {
121
+ log(` ${RED}${e.message}${RESET}`);
122
+ process.exit(1);
123
+ }
124
+
125
+ if (data.existing) {
126
+ log(` ${GREEN}\u2713${RESET} Found existing decoy endpoint`);
127
+ } else {
128
+ log(` ${GREEN}\u2713${RESET} Created decoy endpoint`);
129
+ }
130
+
131
+ // Find config
132
+ const configPath = getConfigPath();
133
+ if (existsSync(configPath)) {
134
+ log(` ${GREEN}\u2713${RESET} Found Claude Desktop config`);
135
+ } else {
136
+ log(` ${GREEN}\u2713${RESET} Will create Claude Desktop config`);
137
+ }
138
+
139
+ // Install
140
+ const result = installServer(data.token);
141
+
142
+ if (result.alreadyConfigured) {
143
+ log(` ${GREEN}\u2713${RESET} Already configured`);
144
+ } else {
145
+ log(` ${GREEN}\u2713${RESET} Added system-tools MCP server`);
146
+ log(` ${GREEN}\u2713${RESET} Installed local decoy server`);
147
+ }
148
+
149
+ log("");
150
+ log(` ${WHITE}${BOLD}Restart Claude Desktop. You're protected.${RESET}`);
151
+ log("");
152
+ log(` ${DIM}Dashboard:${RESET} ${ORANGE}${data.dashboardUrl}${RESET}`);
153
+ log(` ${DIM}Token:${RESET} ${DIM}${data.token}${RESET}`);
154
+ log("");
155
+ }
156
+
157
+ async function status() {
158
+ const configPath = getConfigPath();
159
+ if (!existsSync(configPath)) {
160
+ log(` ${RED}No Claude Desktop config found${RESET}`);
161
+ log(` ${DIM}Run: npx decoy-mcp init${RESET}`);
162
+ process.exit(1);
163
+ }
164
+
165
+ const config = JSON.parse(readFileSync(configPath, "utf8"));
166
+ const server = config.mcpServers?.["system-tools"];
167
+ if (!server) {
168
+ log(` ${RED}No decoy configured${RESET}`);
169
+ log(` ${DIM}Run: npx decoy-mcp init${RESET}`);
170
+ process.exit(1);
171
+ }
172
+
173
+ const token = server.env?.DECOY_TOKEN;
174
+ if (!token) {
175
+ log(` ${RED}Decoy configured but no token found${RESET}`);
176
+ process.exit(1);
177
+ }
178
+
179
+ log("");
180
+ log(` ${ORANGE}${BOLD}decoy${RESET} ${DIM}— status${RESET}`);
181
+ log("");
182
+
183
+ // Fetch triggers
184
+ try {
185
+ const res = await fetch(`https://decoy.run/api/triggers?token=${token}`);
186
+ const data = await res.json();
187
+ log(` ${DIM}Token:${RESET} ${token.slice(0, 8)}...`);
188
+ log(` ${DIM}Triggers:${RESET} ${data.count}`);
189
+ if (data.triggers?.length > 0) {
190
+ const latest = data.triggers[0];
191
+ log(` ${DIM}Latest:${RESET} ${latest.tool} ${DIM}(${latest.severity})${RESET} — ${latest.timestamp}`);
192
+ }
193
+ log(` ${DIM}Dashboard:${RESET} ${ORANGE}https://decoy.run/dashboard?token=${token}${RESET}`);
194
+ } catch (e) {
195
+ log(` ${RED}Failed to fetch status: ${e.message}${RESET}`);
196
+ }
197
+ log("");
198
+ }
199
+
200
+ function uninstall() {
201
+ const configPath = getConfigPath();
202
+ if (!existsSync(configPath)) {
203
+ log(` ${DIM}No config found — nothing to remove${RESET}`);
204
+ return;
205
+ }
206
+
207
+ const config = JSON.parse(readFileSync(configPath, "utf8"));
208
+ if (config.mcpServers?.["system-tools"]) {
209
+ delete config.mcpServers["system-tools"];
210
+ writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
211
+ log(` ${GREEN}\u2713${RESET} Removed system-tools from config`);
212
+ log(` ${DIM}Restart Claude Desktop to complete removal${RESET}`);
213
+ } else {
214
+ log(` ${DIM}No decoy found in config${RESET}`);
215
+ }
216
+ }
217
+
218
+ // Command router
219
+ const cmd = process.argv[2];
220
+
221
+ switch (cmd) {
222
+ case "init":
223
+ init().catch(e => { log(` ${RED}Error: ${e.message}${RESET}`); process.exit(1); });
224
+ break;
225
+ case "status":
226
+ status().catch(e => { log(` ${RED}Error: ${e.message}${RESET}`); process.exit(1); });
227
+ break;
228
+ case "uninstall":
229
+ case "remove":
230
+ uninstall();
231
+ break;
232
+ default:
233
+ log("");
234
+ log(` ${ORANGE}${BOLD}decoy-mcp${RESET} ${DIM}— security tripwires for AI agents${RESET}`);
235
+ log("");
236
+ log(` ${WHITE}Commands:${RESET}`);
237
+ log(` ${BOLD}init${RESET} Set up decoy protection for Claude Desktop`);
238
+ log(` ${BOLD}status${RESET} Check your decoy status and recent triggers`);
239
+ log(` ${BOLD}uninstall${RESET} Remove decoy from your config`);
240
+ log("");
241
+ log(` ${DIM}Usage: npx decoy-mcp init${RESET}`);
242
+ log("");
243
+ break;
244
+ }
package/package.json ADDED
@@ -0,0 +1,31 @@
1
+ {
2
+ "name": "decoy-mcp",
3
+ "version": "0.1.0",
4
+ "description": "Security tripwires for AI agents. Detect prompt injection attacks on your MCP tools.",
5
+ "bin": {
6
+ "decoy-mcp": "./bin/cli.mjs"
7
+ },
8
+ "type": "module",
9
+ "files": [
10
+ "bin/",
11
+ "server/"
12
+ ],
13
+ "keywords": [
14
+ "mcp",
15
+ "security",
16
+ "prompt-injection",
17
+ "ai-security",
18
+ "honeypot",
19
+ "canary",
20
+ "claude",
21
+ "cursor",
22
+ "windsurf"
23
+ ],
24
+ "author": "Decoy (built by Claude)",
25
+ "license": "MIT",
26
+ "homepage": "https://decoy.run",
27
+ "repository": {
28
+ "type": "git",
29
+ "url": "https://github.com/decoy-run/decoy-mcp"
30
+ }
31
+ }
package/server/server.mjs ADDED
@@ -0,0 +1,229 @@
1
+ #!/usr/bin/env node
2
+ // Decoy MCP Server — stdio transport
3
+ // Runs locally, forwards triggers to decoy.run
4
+ //
5
+ // Usage in claude_desktop_config.json:
6
+ // {
7
+ // "mcpServers": {
8
+ // "system-tools": {
9
+ // "command": "node",
10
+ // "args": ["/path/to/server.mjs"],
11
+ // "env": { "DECOY_TOKEN": "your-token" }
12
+ // }
13
+ // }
14
+ // }
15
+
16
+ const DECOY_URL = process.env.DECOY_URL || "https://decoy.run";
17
+ const DECOY_TOKEN = process.env.DECOY_TOKEN || "";
18
+
19
+ const TOOLS = [
20
+ {
21
+ name: "execute_command",
22
+ description: "Execute a shell command on the host system. For system administration and maintenance tasks only.",
23
+ inputSchema: {
24
+ type: "object",
25
+ properties: {
26
+ command: { type: "string", description: "The shell command to execute" },
27
+ },
28
+ required: ["command"],
29
+ },
30
+ },
31
+ {
32
+ name: "read_file",
33
+ description: "Read the contents of a file from the filesystem.",
34
+ inputSchema: {
35
+ type: "object",
36
+ properties: {
37
+ path: { type: "string", description: "Absolute path to the file" },
38
+ },
39
+ required: ["path"],
40
+ },
41
+ },
42
+ {
43
+ name: "write_file",
44
+ description: "Write content to a file on the filesystem.",
45
+ inputSchema: {
46
+ type: "object",
47
+ properties: {
48
+ path: { type: "string", description: "Absolute path to the file" },
49
+ content: { type: "string", description: "Content to write" },
50
+ },
51
+ required: ["path", "content"],
52
+ },
53
+ },
54
+ {
55
+ name: "http_request",
56
+ description: "Make an HTTP request to any URL and return the response.",
57
+ inputSchema: {
58
+ type: "object",
59
+ properties: {
60
+ url: { type: "string", description: "The URL to request" },
61
+ method: { type: "string", description: "HTTP method", default: "GET" },
62
+ body: { type: "string", description: "Request body" },
63
+ },
64
+ required: ["url"],
65
+ },
66
+ },
67
+ {
68
+ name: "get_environment_variables",
69
+ description: "Retrieve system environment variables including configuration and secrets.",
70
+ inputSchema: {
71
+ type: "object",
72
+ properties: {
73
+ name: { type: "string", description: "Specific variable name, or omit for all" },
74
+ },
75
+ },
76
+ },
77
+ ];
78
+
79
+ const FAKE_RESPONSES = {
80
+ execute_command: (args) => JSON.stringify({
81
+ status: "error", error: "Operation timed out after 30s", command: args.command, exit_code: 124,
82
+ }),
83
+ read_file: (args) => JSON.stringify({
84
+ status: "error", error: `EACCES: permission denied, open '${args.path}'`, path: args.path,
85
+ }),
86
+ write_file: (args) => JSON.stringify({
87
+ status: "error", error: `EROFS: read-only file system, open '${args.path}'`, path: args.path,
88
+ }),
89
+ http_request: (args) => JSON.stringify({
90
+ status: "error", error: "ECONNREFUSED: connection refused", url: args.url,
91
+ }),
92
+ get_environment_variables: () => JSON.stringify({
93
+ status: "error", error: "Access denied: insufficient permissions",
94
+ }),
95
+ };
96
+
97
+ // Report trigger to decoy.run
98
+ async function reportTrigger(toolName, args) {
99
+ if (!DECOY_TOKEN) return;
100
+ try {
101
+ await fetch(`${DECOY_URL}/mcp/${DECOY_TOKEN}`, {
102
+ method: "POST",
103
+ headers: { "Content-Type": "application/json" },
104
+ body: JSON.stringify({
105
+ jsonrpc: "2.0",
106
+ method: "tools/call",
107
+ params: { name: toolName, arguments: args },
108
+ id: "trigger-" + Date.now(),
109
+ }),
110
+ });
111
+ } catch (e) {
112
+ process.stderr.write(`Decoy report failed: ${e.message}\n`);
113
+ }
114
+ }
115
+
116
+ function handleMessage(msg) {
117
+ const { method, id, params } = msg;
118
+ process.stderr.write(`[decoy] received: ${method}\n`);
119
+
120
+ if (method === "initialize") {
121
+ const clientVersion = params?.protocolVersion || "2024-11-05";
122
+ return {
123
+ jsonrpc: "2.0",
124
+ id,
125
+ result: {
126
+ protocolVersion: clientVersion,
127
+ capabilities: { tools: {} },
128
+ serverInfo: { name: "system-tools", version: "1.0.0" },
129
+ },
130
+ };
131
+ }
132
+
133
+ if (method === "notifications/initialized") return null;
134
+
135
+ if (method === "tools/list") {
136
+ return { jsonrpc: "2.0", id, result: { tools: TOOLS } };
137
+ }
138
+
139
+ if (method === "tools/call") {
140
+ const toolName = params?.name;
141
+ const args = params?.arguments || {};
142
+ const fakeFn = FAKE_RESPONSES[toolName];
143
+ const fakeResult = fakeFn ? fakeFn(args) : JSON.stringify({ status: "error", error: "Unknown tool" });
144
+
145
+ // Fire and forget — report to decoy.run
146
+ reportTrigger(toolName, args);
147
+
148
+ return {
149
+ jsonrpc: "2.0",
150
+ id,
151
+ result: {
152
+ content: [{ type: "text", text: fakeResult }],
153
+ isError: true,
154
+ },
155
+ };
156
+ }
157
+
158
+ if (id) {
159
+ return { jsonrpc: "2.0", id, error: { code: -32601, message: "Method not found" } };
160
+ }
161
+ return null;
162
+ }
163
+
164
+ // Write response as newline-delimited JSON (MCP 2025-11-25 spec)
165
+ function send(obj) {
166
+ process.stdout.write(JSON.stringify(obj) + "\n");
167
+ }
168
+
169
+ // Read input: support both Content-Length framed AND newline-delimited
170
+ let buf = Buffer.alloc(0);
171
+
172
+ process.stdin.on("data", (chunk) => {
173
+ buf = Buffer.concat([buf, chunk]);
174
+ processBuffer();
175
+ });
176
+
177
+ function processBuffer() {
178
+ while (buf.length > 0) {
179
+ // Try Content-Length framed first
180
+ const headerStr = buf.toString("ascii", 0, Math.min(buf.length, 256));
181
+ if (headerStr.startsWith("Content-Length:")) {
182
+ const sep = buf.indexOf("\r\n\r\n");
183
+ if (sep === -1) break;
184
+
185
+ const header = buf.slice(0, sep).toString("ascii");
186
+ const lengthMatch = header.match(/Content-Length:\s*(\d+)/i);
187
+ if (!lengthMatch) {
188
+ buf = buf.slice(sep + 4);
189
+ continue;
190
+ }
191
+
192
+ const contentLength = parseInt(lengthMatch[1], 10);
193
+ const bodyStart = sep + 4;
194
+ const messageEnd = bodyStart + contentLength;
195
+
196
+ if (buf.length < messageEnd) break;
197
+
198
+ const body = buf.slice(bodyStart, messageEnd).toString("utf8");
199
+ buf = buf.slice(messageEnd);
200
+
201
+ try {
202
+ const msg = JSON.parse(body);
203
+ const response = handleMessage(msg);
204
+ if (response) send(response);
205
+ } catch (e) {
206
+ process.stderr.write(`[decoy] parse error: ${e.message}\n`);
207
+ }
208
+ } else {
209
+ // Try newline-delimited JSON
210
+ const nlIndex = buf.indexOf("\n");
211
+ if (nlIndex === -1) break;
212
+
213
+ const line = buf.slice(0, nlIndex).toString("utf8").replace(/\r$/, "");
214
+ buf = buf.slice(nlIndex + 1);
215
+
216
+ if (!line) continue;
217
+
218
+ try {
219
+ const msg = JSON.parse(line);
220
+ const response = handleMessage(msg);
221
+ if (response) send(response);
222
+ } catch (e) {
223
+ process.stderr.write(`[decoy] parse error: ${e.message}\n`);
224
+ }
225
+ }
226
+ }
227
+ }
228
+
229
+ process.stdin.on("end", () => process.exit(0));