Background

Introduced in PR #2454 (MCP Roots + description cap, #2450).

truncate_instructions() in crates/zeph-mcp/src/sanitize.rs truncates server instructions to max_instructions_bytes but does not run them through the sanitize_string() injection detection pipeline that tool descriptions go through.

Server instructions enter the LLM context window and are a potential injection vector if a malicious MCP server sends crafted instructions.

Fix

Apply sanitize_string() (already used for tool descriptions) to server instructions in truncate_instructions() before storing them in McpManager.

Priority

P3 — defense-in-depth, low risk since server connections are operator-configured.