feat(054-B): output sanitisation enforcement (Spec 054 Track B)

[Dumbris]

Summary

Implements Spec 054 Track B — output sanitisation enforcement — the next track of the security-gateway umbrella (#521) after Track A (output-schema validation, #525/056). Makes mcpproxy's already-computed-but-discarded content-trust classification (Spec 035) and secret detector (Spec 026) actually contain untrusted tool output before it reaches the agent, at the single response chokepoint.

Fully opt-in — with no output_sanitisation block, every response is forwarded byte-for-byte (pre-feature behaviour; keeps the API E2E suite green).

Behaviours (all opt-in)

Config	Effect	FR
spotlight_untrusted: true	wrap untrusted (open-world) tool text in «untrusted:server/tool» delimiters, escaping the sentinel so content can't forge the wrapper	B1/B2
response_action: redact	mask detected secrets → [REDACTED:<category>] (reuses Spec 026 detector)	B3
strip_control_chars: true	neutralise ANSI / C0-C1 / zero-width / bidi on untrusted text (per-class toggles)	B4
response_action: block	replace payload with a remediation error on a critical detection	B7

Non-text blocks (image/audio/embedded) are never modified (B5). Mutating actions emit a policy_decision activity record.

Ordering / read_cache

Redact / strip / block run on the raw result before forwardContentResult truncates and caches it, so read_cache never stores an unredacted secret and a blocked response is never cached. The lossless spotlight wrapper is applied post-truncation and is not cached.

Verification

Verified end-to-end (artifacts kept local, not committed):

• curl/MCP roundtrip vs an untrusted stub upstream — spotlight, redact, strip, block, and the read_cache leak check (cached copy is [REDACTED:cloud_credentials], raw secret count 0)
• API E2E ./scripts/test-api-e2e.sh → 65/65, no regression
• Web UI activity view (Playwright) — Policy Decision/redact rows + redacted response body
• Unit + integration tests, -race, both editions build, lint clean

Spec artifacts

Speckit set under specs/059-output-sanitisation/ (spec, plan, research, data-model, tasks, quickstart).

Relates to Spec 054 Track B (#521).

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	523075c
Status:	✅  Deploy successful!
Preview URL:	https://33252495.mcpproxy-docs.pages.dev
Branch Preview URL:	https://059-output-sanitisation.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 69.27083% with 118 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
e2e/stubs/saniclient/main.go	0.00%	41 Missing ⚠️
e2e/stubs/sanitisation/main.go	0.00%	37 Missing ⚠️
internal/server/output_sanitisation.go	88.79%	7 Missing and 6 partials ⚠️
internal/security/detector.go	70.58%	5 Missing and 5 partials ⚠️
internal/server/mcp.go	65.38%	7 Missing and 2 partials ⚠️
internal/server/content_forward.go	61.11%	5 Missing and 2 partials ⚠️
internal/config/config.go	97.61%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: 059-output-sanitisation

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (27 MB)
• archive-windows-arm64 (24 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (18 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 26623650066 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.