Decoy alerts

Register the SHA-256 fingerprint of any decoy controlData file. When the deny.sh decrypt endpoint sees a request whose controlData hashes to that fingerprint, we fire a critical audit-chain event and fan it out to your configured Datadog, PagerDuty, and Slack webhooks within ~5 seconds — before the attacker reads the bytes. The real controlData stays offsite; only the fingerprint is shared with us.