[SEC-2.2] MCP response sanitization boundary #1201

@bug-ops

Description

Part of #1195 — Phase 2
Blocked by: #1175 (MCP DALIA policy layer — sanitization hooks into PolicyEnforcer middleware)

Apply sanitization to all MCP server responses before they enter agent context.

Crates: zeph-mcp
Depends on: SEC-1.4, #1175

Tasks:

  • MCP tool call results tagged ExternalUntrusted with server name as source
  • Apply ContentSanitizer in PolicyEnforcer response path (post-DALIA middleware)
  • Per-server trust override in config (future: trusted servers skip quarantine)
  • Unit tests with mock MCP response containing injection payload

Files: crates/zeph-mcp/src/client.rs, crates/zeph-mcp/src/policy.rs
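The response path the task list describes, written out as an added example (this is not zeph-mcp's code; the names ExternalUntrusted, ContentSanitizer and PolicyEnforcer come from the tasks above, but their shapes, the marker list, the `trusted_servers` config and the envelope format are assumptions):

```rust
use std::collections::HashSet;

/// Provenance tag carried by every MCP tool result (enum shape assumed for this example).
#[derive(Debug, Clone, PartialEq)]
pub enum Trust {
    ExternalUntrusted { source: String },
    Trusted { source: String },
}

#[derive(Debug, Clone, PartialEq)]
pub struct TaggedContent { pub trust: Trust, pub text: String }
/// Neutralizes untrusted text so the agent treats it as data, never as instructions.
pub struct ContentSanitizer;

impl ContentSanitizer {
    /// Constructed sample of phrases that mark an instruction-override attempt.
    const MARKERS: [&'static str; 2] = ["ignore previous instructions", "system prompt"];
    pub fn sanitize(&self, c: &TaggedContent) -> TaggedContent {
        let source = match &c.trust {
            Trust::Trusted { .. } => return c.clone(), // trusted server: skip quarantine
            Trust::ExternalUntrusted { source } => source,
        };
        let flagged = Self::MARKERS.iter().any(|m| c.text.to_lowercase().contains(*m));
        // Drop control characters and escape '<' so the payload cannot forge or close the
        // envelope, then wrap it in a data envelope that names the originating server.
        let cleaned: String = c.text.chars()
            .filter(|ch| !ch.is_control() || *ch == '\n')
            .map(|ch| if ch == '<' { "&lt;".to_string() } else { ch.to_string() })
            .collect();
        let text = format!("<untrusted source=\"{source}\" flagged=\"{flagged}\">\n{cleaned}\n</untrusted>");
        TaggedContent { trust: c.trust.clone(), text }
    }
}

/// Response-path middleware: tags each result by server, honours the trust override, sanitizes.
pub struct PolicyEnforcer { trusted: HashSet<String>, sanitizer: ContentSanitizer }

impl PolicyEnforcer {
    /// `trusted_servers` models the per-server config override from the task list.
    pub fn new(trusted_servers: &[&str]) -> Self {
        let trusted = trusted_servers.iter().map(|s| s.to_string()).collect();
        Self { trusted, sanitizer: ContentSanitizer }
    }

    pub fn on_tool_result(&self, server: &str, raw: &str) -> TaggedContent {
        let source = server.to_string();
        let trust = if self.trusted.contains(server) { Trust::Trusted { source } } else { Trust::ExternalUntrusted { source } };
        self.sanitizer.sanitize(&TaggedContent { trust, text: raw.to_string() })
    }
}
```

The unit test the last task asks for is then a mock result from an untrusted server carrying an override phrase and a forged closing tag, asserting that it comes back tagged, flagged and enveloped exactly once.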

Metadata

Labels: mcp (MCP client/server), priority/high (High priority), security (Security-related issues), size/S (Small PR, 11-50 lines)
