
Product updates

A full rundown of the latest releases, improvements, and fixes in Decoy. Updates ship continuously; milestones land here.

Fix · Improvement

Scanner 0.4.6 and a security pass across the stack

End-of-week polish release. Spent the week running Decoy against itself and closing everything the scanner found.

Fixes

  • decoy-scan 0.4.6 — internal audit fixes across the CLI, including stricter handling of malformed tool descriptions that previously could cause a classifier to throw
  • Dashboard security fixes across the worker — scoping and validation hardening for every /api/ endpoint, caught by our own red-team suite
  • Config probe now distinguishes "could not start" from "clean result" so broken servers don't silently look healthy in the summary

Improvements

  • CSP compliance: replaced all remaining inline onclick handlers in the dashboard with event-delegated listeners, since inline handlers only run under a script-src that allows 'unsafe-inline'. Next step: stricter CSP header coming with next week's release.
  • Scan detail header now reflects findingsBySeverity consistently, so the number at the top of a scan page matches the counts on the list view

New · Improvement

Shadow MCP discovery is generally available

Every MCP server running anywhere in your organization — approved or not — now surfaces in your Decoy dashboard automatically. Shadow MCP discovery graduates from beta this week and ships to all Pro and Business plans.

What's new

  • Auto-discovery of servers running on dev machines via the CLI
  • Org-wide inventory with per-team filtering
  • One-click capture into your Decoy inventory, with provenance
  • New CLI flag --discovery-only for silent inventory runs in CI

Improvements

  • 3× faster initial discovery scan — under 8 seconds for 50+ servers on an M-series laptop
  • Better fingerprinting for MCP servers behind HTTP gateways or wrappers
  • Discovery runs now tag each server with a first_seen timestamp for drift tracking

New · Improvement

Per-server scan drill-down and consistent severity counts

Dashboard week. Guard's scan view now matches what the CLI prints locally, so you can start from a summary and dig into exactly what hit.

What's new

  • Scan detail view — click a scan in your history to see every server it touched, with the findings grouped by severity and a remediation snippet for each
  • New findingsBySeverity field on every scan summary, used everywhere counts are rendered so list view and detail view never disagree
  • Typosquat findings now render with their own label on the finding card, making them easier to spot at a glance

Improvements

  • Agent detail panel: light-mode text colors fixed — everything stayed dark-mode-only before the theme refresh
  • Scan history counts pull from the new severity field directly; no more re-deriving numbers client-side
  • Guard MCP server reached 9 tools with full test coverage (3 Free, 6 Pro)

New

Decoy Red Team v1 — autonomous adversarial testing for MCP servers

The third and hardest tool in the Decoy suite is live. decoy-redteam is not a scanner — it's an attacker. It connects to every MCP server on your machine, sends adversarial payloads, and reports exactly what broke.

npx decoy-redteam --live

Dry-run by default. --live requires an explicit confirmation before any payloads leave the process.

What it tests

53 attack patterns across 6 categories, every finding mapped to OWASP Top 10 for Agentic Applications 2026:

  • Input injection — SQL, command, path traversal, SSRF, template
  • Prompt injection — instruction override, role hijack, indirect, encoding bypass, multi-turn
  • Credential exposure — .env, cloud credentials, SSH keys, git tokens, shell history
  • Protocol attacks — malformed JSON-RPC, capability escalation, replay, method injection
  • Schema boundary — type coercion, null bytes, overflow, prototype pollution, NoSQL operators
  • Privilege escalation — scope escape, undeclared access, dotfile enumeration, argument smuggling

What ships

  • Zero-dependency CLI, works with Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, and Cline
  • SARIF 2.1.0 output that uploads straight to the GitHub Security tab
  • GitHub Action: uses: decoy-run/decoy-redteam@v1
  • Exit codes for CI gating (0 clean, 1 high, 2 critical)
  • Guard Pro support for AI-adaptive attacks and encoding variants (~198 extra)

Full docs at /docs/redteam/overview. The v1.1 point release shipped a few hours later with zero-dependency enforcement locked down.

New

Decoy Scan on the GitHub Marketplace

decoy-scan v1 is now a first-class GitHub Action, listed in the Security category of the Marketplace. One step in a workflow: it fails the build on critical tools or prompt injection and uploads SARIF to the GitHub Security tab automatically.

Usage

- uses: decoy-run/decoy-scan@v1
  with:
    policy: no-critical,no-poisoning,no-toxic-flows
    report: true
    token: ${{ secrets.DECOY_TOKEN }}

What the action gates on

Every policy rule matches a real class of finding:

  • no-critical — any critical tool
  • no-high — any high-risk tool
  • no-poisoning — prompt injection in tool descriptions
  • no-toxic-flows — dangerous cross-server data flows
  • no-secrets — credentials exposed in MCP config
  • require-tripwires — fails when no Decoy Tripwires are installed alongside the scanned servers
  • max-critical=N / max-high=N — budgeted tolerance

What's new vs the CLI-only release

  • Inline remediation suggestions on every finding
  • Job summary with pass/fail and counts
  • Automatic SARIF upload (no separate upload step)
  • Opt-in dashboard reporting via report: true

Docs: /docs/scan/ci-cd.

New

Guard MCP server adds tool-level allowlists

You can now scope which Decoy Guard tools an agent can call, per-agent or per-session. Useful for sandboxing untrusted agents while letting your production agents use the full toolkit.

What's new

  • allowlist config in your Guard MCP server startup command
  • Per-agent allowlist editor in the dashboard, with a "dry-run" mode to see what a rule change would have blocked over the last 7 days
  • New webhook event: tool.blocked.by.allowlist, including the agent fingerprint and blocked tool name

New · Improvement

Toxic flows, policy gates, and shareable reports

A wide release. New detection categories in the scanner and a few features in the dashboard that make scan results actually useful in a team context.

Scanner

  • Toxic data flows — dangerous tool chains across servers (e.g. a read-from-private-source tool paired with a send-to-public-endpoint tool on the same agent). Flagged even when each individual tool looks benign.
  • Manifest hashing — every scan captures a content hash of the server's tool manifest, so you can detect silent changes (same version, different tools) without needing semver bumps
  • Skill / prompt scanning — servers exposing prompts or skills now have those surfaces analyzed too, not just tool schemas
  • --policy flag for CI gating on the CLI (matches the GitHub Action's policy input)
  • --share flag to generate a public shareable URL for a scan result
  • --fix flag (experimental) that emits a diff against your MCP config

Dashboard

  • Auto-register — npx decoy-tripwire now handles account creation end-to-end, no dashboard visit required for first install
  • Shareable reports — scan results get a public URL you can send to a team member or to an MCP maintainer without giving them account access
  • RSS feed — decoy.run/monitor/feed.xml for advisories and attack patterns, public
  • Tier gating — proper plan enforcement on every API endpoint, with -32000 error codes on the MCP surface
  • Multiple KV correctness fixes caught by the new test suite

New · Fix

Scan-first flow and PCI-compliant upgrades

Product flow

decoy-scan is now the first thing every new user runs. The CLI, the docs, the dashboard onboarding — everything points to "scan something you already have" before "install tripwires." Faster time-to-value, and it proves Decoy is worth using before anyone has to install anything.

  • npx decoy-scan is the headline command in every install path
  • Dashboard empty state guides you to run a scan, not register a server
  • Marketing site hero and footer all reference scan-first flow

Billing

  • PCI fix (breaking): decoy_upgrade no longer collects card details. Returns a Stripe Checkout URL instead. Card data never touches our worker — it goes directly from the browser to Stripe.
  • Checkout flow updated across tripwire CLI, Guard dashboard, and the upgrade email
  • Pricing display updated to match current Guard Pro ($99/mo at the time; since adjusted)

Fixes

  • Tripwire CLI: pad() no longer crashes on undefined agent.clientName for anonymous free-tier triggers
  • Auth flow: fixed token-in-URL persistence after first passkey registration
  • Agent-friendly API error messages (more descriptive action hints)

New · Improvement

Dynamic tripwires and session telemetry

Two things that together make tripwire triggers actionable, not just visible. Static catalogs are fingerprintable — attackers can learn which tools are decoys. Trigger context with no session attribution is impossible to investigate. This release fixes both.

Dynamic tripwires

Alongside the 12 built-in decoy tools, every Decoy install now generates a deterministic set of additional tools drawn from 6 threat categories:

  • Cloud infrastructure (IAM, compute, storage, metadata)
  • Secrets management (vaults, KMS, credential stores)
  • Payment systems (checkout, refunds, ledgers)
  • CI/CD (deploy keys, workflow dispatch, build secrets)
  • Identity (user admin, MFA, session management)
  • Network (DNS, firewall, VPN)

Each workspace gets a unique-looking tool catalog. No two Decoy installs look alike to an attacker.

Session telemetry

Every tripwire hit now captures the full session context that led to the call:

  • MCP initialize payload (client name, version, protocol version)
  • Session fingerprint: SHA-256 of clientName + clientVersion + userAgent, truncated to 16 hex chars
  • Request headers (user agent, IP prefix, geo hint where available)
  • The last N messages of prompt context leading up to the call

Emitted as structured JSON lines to stderr for local ingestion and shipped to the dashboard for Pro+ users.

Improvements

  • SSE transport security checks added to the scanner
  • Input sanitization validation: schema completeness, type constraints, pattern validation — the scanner flags tools that accept unbounded input
  • Explicit permission scope scoring on every tool, included in the risk classifier

Fix · Improvement

Tripwire alert deduplication and delivery fixes

A batch of reliability work on tripwire alerts. What you get notified about should match what actually happened — exactly once.

Fixes

  • Fixed a race where simultaneous tripwire triggers on the same agent would send duplicate Slack alerts
  • Fixed missing agent fingerprints on webhook deliveries when the session started mid-trigger
  • Fixed alert timestamp drift in Slack messages for triggers older than 30 seconds

Improvements

  • Slack alert formatting now uses blocks instead of plaintext — the agent fingerprint and tool name are clickable
  • Webhook retries use exponential backoff (was linear) — fewer retry storms on flaky endpoints
  • decoy-tripwire test now supports a --delivery flag to verify your alert channels end-to-end

New

Decoy is live

First public release. npx decoy-scan and npx decoy-tripwire are live on npm today — both free, both zero-config, both work with the MCP clients you already use.

What ships today

  • npx decoy-scan — static scanner for MCP servers. 50+ checks across supply-chain hygiene, tool scoping, credential handling, and prompt-surface risks. Runs anywhere npx runs.
  • npx decoy-tripwire — 12 built-in decoy tools installed alongside your real MCP servers. Fires on any invocation. Alerts by email on the free tier.
  • Decoy dashboard at app.decoy.run — passkey login, token-based auth, unified view for scan results and tripwire triggers.

What's coming

  • Decoy Guard — the hosted MCP threat-intel server. Closed beta; join at decoy.run.
  • Decoy Red Team — autonomous adversarial testing. Closed beta.
  • GitHub Actions for decoy-scan and decoy-redteam landing in the coming weeks.