fix(mcp): false positive injection detection in Todoist MCP tool descriptions #2170
Description
Summary
MCP content sanitizer fires on legitimate Todoist tool descriptions containing the phrase "new persona" — matched by the new_directive injection pattern. This is a false positive.
Evidence (production log 2026-03-23)
WARN zeph_mcp::sanitize: injection pattern detected in MCP tool field — replacing entire field
server_id="todoist" tool_name="add-labels" field="description"
pattern="new_directive" matched="new persona"
WARN zeph_mcp::sanitize: injection pattern detected in MCP tool field — replacing entire field
server_id="todoist" tool_name="add-filters" field="description"
pattern="new_directive" matched="new persona"
Root Cause
The new_directive security pattern matches "new persona" in legitimate API documentation text. Todoist's MCP tool descriptions for label/filter management apparently contain phrases like "create a new persona" or "new persona filter" as part of the API description.
The entire field is replaced (not just flagged), so the tool description is lost — the LLM sees a redacted placeholder instead of the actual tool description, degrading tool selection quality.
Impact
- Medium: tool descriptions for
add-labelsandadd-filtersare wiped every session startup, replacing useful context with a redaction marker. - The LLM may misuse or skip these tools due to missing descriptions.
Proposed Fix
- Narrow the regex:
new_directivepattern should match more specific injection syntax (e.g.,ignore.*instructions.*new,system:\s*you are now) rather than generic bigrams like "new persona". - Flag-only mode for MCP tool fields: instead of replacing the entire field, emit a WARN and truncate only the suspicious substring, preserving the rest of the description.
- Add regression test with "new persona" in MCP tool description — must NOT trigger injection detection.
Related
- Security pattern definitions:
crates/zeph-tools/src/security_patterns.rs(or similar) - MCP sanitizer:
crates/zeph-mcp/src/sanitize.rs