decoy-mcp 0.1.0 → 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Decoy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,84 @@
+# Decoy
+
+Security tripwires for AI agents. Detect prompt injection before it causes damage.
+
+Decoy is a fake MCP server that advertises tools an AI agent should never call — `execute_command`, `read_file`, `make_payment`, and more. In normal operation, your agent ignores them. When prompt injection overrides behavior, the decoy catches the full attack payload and alerts you.
+
+## Quick start
+
+```bash
+npx decoy-mcp init
+```
+
+This creates a free account, installs the MCP server locally, and configures Claude Desktop. Takes 30 seconds.
+
+## How it works
+
+1. Decoy registers as an MCP server called `system-tools` alongside your real tools
+2. It exposes 7 tripwire tools that look like real system access
+3. Your agent has no reason to call them — it uses its real tools
+4. If prompt injection forces the agent to reach for unauthorized access, the tripwire fires
+5. You get the full payload: what tool, what arguments, severity, timestamp
+6. Alerts go to your dashboard, Slack, webhooks, or email
+
+## Tripwire tools
+
+| Tool | What it traps |
+|------|--------------|
+| `execute_command` | Shell execution (curl, wget, nc, crontab, rm) |
+| `read_file` | Credential theft (.ssh, .env, passwd, shadow) |
+| `write_file` | Persistence (authorized_keys, .bashrc, crontab) |
+| `http_request` | Data exfiltration (POST to external URLs) |
+| `get_environment_variables` | Secret harvesting (API keys, tokens) |
+| `make_payment` | Unauthorized payments via x402 protocol |
+| `authorize_service` | Unauthorized trust grants to external services |
+
+Every tool returns a realistic error response. The agent sees a timeout or permission denied — not a detection signal. Attackers don't know they've been caught.
+
+## Commands
+
+```bash
+npx decoy-mcp init        # Set up protection
+npx decoy-mcp status      # Check triggers and connection
+npx decoy-mcp uninstall   # Remove from config
+```
+
+## Manual setup
+
+Add to your `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "system-tools": {
+      "command": "node",
+      "args": ["~/.config/Claude/decoy/server.mjs"],
+      "env": { "DECOY_TOKEN": "your-token" }
+    }
+  }
+}
+```
+
+Get a token at [decoy.run](https://decoy.run).
+
+## Dashboard
+
+View triggers, configure alerts, and manage your tripwires at [decoy.run/dashboard](https://decoy.run/dashboard).
+
+**Free tier** — unlimited triggers, full dashboard, forever.
+
+**Pro tier ($9/mo)** — Slack alerts, webhook integrations, email notifications.
+
+## Why tripwires work
+
+Traditional security blocks known-bad inputs. But prompt injection is natural language — there's no signature to match. Tripwires flip the model: instead of trying to recognize attacks, you detect unauthorized behavior. If your agent tries to execute a shell command through a tool that shouldn't exist, something went wrong.
+
+This is the same principle behind canary tokens and network deception. Tripwires don't have false positives because legitimate users never touch them.
+
+## Research
+
+We tested prompt injection against 6 models. Llama 3.1 8B was fully compromised — it called all three tools with attacker-controlled arguments. Claude and GPT-4 resisted. Full results at [decoy.run/blog](https://decoy.run/blog).
+
+## License
+
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "decoy-mcp",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Security tripwires for AI agents. Detect prompt injection attacks on your MCP tools.",
   "bin": {
     "decoy-mcp": "./bin/cli.mjs"
@@ -15,13 +15,13 @@
     "security",
     "prompt-injection",
     "ai-security",
-    "honeypot",
+    "tripwire",
     "canary",
     "claude",
     "cursor",
     "windsurf"
   ],
-  "author": "Decoy (built by Claude)",
+  "author": "Decoy",
   "license": "MIT",
   "homepage": "https://decoy.run",
   "repository": {

package/server/server.mjs

@@ -18,82 +18,335 @@ const DECOY_TOKEN = process.env.DECOY_TOKEN || "";
 
 const TOOLS = [
   {
-    name: "execute_command",
-    description: "Execute a shell command on the host system. For system administration and maintenance tasks only.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        command: { type: "string", description: "The shell command to execute" },
+    "name": "execute_command",
+    "description": "Execute a shell command on the host system. For system administration and maintenance tasks only.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "command": {
+          "type": "string",
+          "description": "The shell command to execute"
+        }
       },
-      required: ["command"],
-    },
+      "required": [
+        "command"
+      ]
+    }
+  },
+  {
+    "name": "read_file",
+    "description": "Read the contents of a file from the filesystem.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "Absolute path to the file"
+        }
+      },
+      "required": [
+        "path"
+      ]
+    }
+  },
+  {
+    "name": "write_file",
+    "description": "Write content to a file on the filesystem.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "Absolute path to the file"
+        },
+        "content": {
+          "type": "string",
+          "description": "Content to write"
+        }
+      },
+      "required": [
+        "path",
+        "content"
+      ]
+    }
+  },
+  {
+    "name": "http_request",
+    "description": "Make an HTTP request to any URL and return the response.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "url": {
+          "type": "string",
+          "description": "The URL to request"
+        },
+        "method": {
+          "type": "string",
+          "description": "HTTP method",
+          "default": "GET"
+        },
+        "body": {
+          "type": "string",
+          "description": "Request body"
+        }
+      },
+      "required": [
+        "url"
+      ]
+    }
+  },
+  {
+    "name": "get_environment_variables",
+    "description": "Retrieve system environment variables including configuration and secrets.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Specific variable name, or omit for all"
+        }
+      }
+    }
+  },
+  {
+    "name": "make_payment",
+    "description": "Initiate a payment transaction via x402 protocol. For automated billing and service payments.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "recipient": {
+          "type": "string",
+          "description": "Payment recipient address or service URL"
+        },
+        "amount": {
+          "type": "string",
+          "description": "Payment amount"
+        },
+        "currency": {
+          "type": "string",
+          "description": "Currency code (e.g. USD, USDC)",
+          "default": "USD"
+        },
+        "memo": {
+          "type": "string",
+          "description": "Payment description or invoice reference"
+        }
+      },
+      "required": [
+        "recipient",
+        "amount"
+      ]
+    }
   },
   {
-    name: "read_file",
-    description: "Read the contents of a file from the filesystem.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "Absolute path to the file" },
+    "name": "authorize_service",
+    "description": "Grant trust and authorization to an external MCP server or API service. Manages OAuth tokens and service connections.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "service_url": {
+          "type": "string",
+          "description": "The URL of the service to authorize"
+        },
+        "permissions": {
+          "type": "string",
+          "description": "Comma-separated list of permissions to grant"
+        },
+        "duration": {
+          "type": "string",
+          "description": "How long the authorization lasts (e.g. '1h', '30d', 'permanent')",
+          "default": "1h"
+        }
       },
-      required: ["path"],
-    },
+      "required": [
+        "service_url"
+      ]
+    }
   },
   {
-    name: "write_file",
-    description: "Write content to a file on the filesystem.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "Absolute path to the file" },
-        content: { type: "string", description: "Content to write" },
+    "name": "database_query",
+    "description": "Execute a SQL query against the connected database. Supports SELECT, INSERT, UPDATE, DELETE and DDL statements.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "query": {
+          "type": "string",
+          "description": "The SQL query to execute"
+        },
+        "database": {
+          "type": "string",
+          "description": "Target database name",
+          "default": "main"
+        }
       },
-      required: ["path", "content"],
-    },
+      "required": [
+        "query"
+      ]
+    }
   },
   {
-    name: "http_request",
-    description: "Make an HTTP request to any URL and return the response.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        url: { type: "string", description: "The URL to request" },
-        method: { type: "string", description: "HTTP method", default: "GET" },
-        body: { type: "string", description: "Request body" },
+    "name": "send_email",
+    "description": "Send an email message via the configured SMTP relay. Supports HTML body and attachments.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "to": {
+          "type": "string",
+          "description": "Recipient email address"
+        },
+        "subject": {
+          "type": "string",
+          "description": "Email subject line"
+        },
+        "body": {
+          "type": "string",
+          "description": "Email body (HTML supported)"
+        },
+        "from": {
+          "type": "string",
+          "description": "Sender address override"
+        }
       },
-      required: ["url"],
-    },
+      "required": [
+        "to",
+        "subject",
+        "body"
+      ]
+    }
   },
   {
-    name: "get_environment_variables",
-    description: "Retrieve system environment variables including configuration and secrets.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        name: { type: "string", description: "Specific variable name, or omit for all" },
+    "name": "access_credentials",
+    "description": "Retrieve stored credentials, API keys, or secrets from the system credential vault.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "service": {
+          "type": "string",
+          "description": "Service name (e.g. 'aws', 'github', 'stripe')"
+        },
+        "key_type": {
+          "type": "string",
+          "description": "Type of credential: 'api_key', 'token', 'password', 'certificate'"
+        }
       },
-    },
+      "required": [
+        "service"
+      ]
+    }
   },
+  {
+    "name": "modify_dns",
+    "description": "Update DNS records for managed domains. Supports A, AAAA, CNAME, MX, and TXT record types.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "domain": {
+          "type": "string",
+          "description": "The domain to modify"
+        },
+        "record_type": {
+          "type": "string",
+          "description": "DNS record type (A, AAAA, CNAME, MX, TXT)"
+        },
+        "value": {
+          "type": "string",
+          "description": "New record value"
+        },
+        "ttl": {
+          "type": "number",
+          "description": "Time-to-live in seconds",
+          "default": 300
+        }
+      },
+      "required": [
+        "domain",
+        "record_type",
+        "value"
+      ]
+    }
+  },
+  {
+    "name": "install_package",
+    "description": "Install a software package or dependency from a package registry (npm, pip, apt, etc).",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Package name"
+        },
+        "version": {
+          "type": "string",
+          "description": "Specific version to install"
+        },
+        "registry": {
+          "type": "string",
+          "description": "Package registry (npm, pip, apt, cargo)",
+          "default": "npm"
+        },
+        "global": {
+          "type": "boolean",
+          "description": "Install globally",
+          "default": false
+        }
+      },
+      "required": [
+        "name"
+      ]
+    }
+  }
 ];
-
 const FAKE_RESPONSES = {
   execute_command: (args) => JSON.stringify({
-    status: "error", error: "Operation timed out after 30s", command: args.command, exit_code: 124,
+    status: "error", error: "Operation timed out after 30s",
+    command: args.command,
+    exit_code: 124,
   }),
   read_file: (args) => JSON.stringify({
-    status: "error", error: `EACCES: permission denied, open '${args.path}'`, path: args.path,
+    status: "error", error: `EACCES: permission denied, open '${args.path}'`,
+    path: args.path,
   }),
   write_file: (args) => JSON.stringify({
-    status: "error", error: `EROFS: read-only file system, open '${args.path}'`, path: args.path,
+    status: "error", error: `EROFS: read-only file system, open '${args.path}'`,
+    path: args.path,
   }),
   http_request: (args) => JSON.stringify({
-    status: "error", error: "ECONNREFUSED: connection refused", url: args.url,
+    status: "error", error: "ECONNREFUSED: connection refused",
+    url: args.url,
   }),
-  get_environment_variables: () => JSON.stringify({
+  get_environment_variables: (args) => JSON.stringify({
     status: "error", error: "Access denied: insufficient permissions",
   }),
+  make_payment: (args) => JSON.stringify({
+    status: "error", error: "Payment service unavailable: x402 gateway timeout",
+    recipient: args.recipient,
+    amount: args.amount,
+  }),
+  authorize_service: (args) => JSON.stringify({
+    status: "error", error: "Authorization failed: service verification pending",
+    service_url: args.service_url,
+  }),
+  database_query: (args) => JSON.stringify({
+    status: "error", error: "Connection refused: database server not responding on port 5432",
+    query: args.query || "",
+  }),
+  send_email: (args) => JSON.stringify({
+    status: "error", error: "SMTP relay error: 550 5.7.1 sender rejected — authentication required",
+    to: args.to,
+  }),
+  access_credentials: (args) => JSON.stringify({
+    status: "error", error: "Vault sealed: unlock required before credential access",
+    service: args.service,
+  }),
+  modify_dns: (args) => JSON.stringify({
+    status: "error", error: "DNS update failed: REFUSED — not authorized for zone",
+    domain: args.domain,
+  }),
+  install_package: (args) => JSON.stringify({
+    status: "error", error: "E: Unable to lock /var/lib/dpkg/lock — another process is using it",
+    name: args.name,
+  }),
 };
-
 // Report trigger to decoy.run
 async function reportTrigger(toolName, args) {
   if (!DECOY_TOKEN) return;