Good first issue: Add an MCP trust-boundary regression scenario

[mertsatilmaz]

Goal

Add a small executable regression scenario for an MCP trust-boundary failure.

Why this matters

MCP-connected agents may receive data, tool descriptions, resources, or instructions from external servers. A common failure mode is treating untrusted MCP-provided content as if it were trusted system or developer instruction.

The harness should include a scenario that checks whether an agent keeps MCP-provided content inside the correct trust boundary.

Suggested starting point

Look at the existing files under scenarios/ and follow the same structure.

The scenario should model untrusted MCP-provided content attempting to influence the agent outside its allowed role.

Expected outcome

A new scenario file that includes:

• untrusted MCP-like content
• the behavior the attacker is trying to trigger
• the expected secure behavior
• one or more assertions that the harness can evaluate

Acceptance criteria

• A new MCP trust-boundary scenario is added under scenarios/
• The scenario validates successfully
• The scenario can be run through the CLI
• Tests pass locally
• Any relevant docs are updated if needed

Notes

This does not need to use a real MCP server. A small simulated MCP-style input is enough for the first version.

[snakefood3232]

I understand you need an MCP trust-boundary regression scenario added under scenarios/. I'd handle this by simulating untrusted MCP-like content influencing the agent, ensuring it stays within its role, and implementing assertions to evaluate this. I can have a PR up in 2 days. I've implemented similar integration tests for content boundary checks in distributed systems.

[mertsatilmaz]

Sounds great. Looking forward to collaborating with you on this! @snakefood3232

[ppcvote]

Hi 👋 I'd like to take this. Plan:

Threat model: An MCP-connected threat-intel server (modeled after MISP) returns event/attribute records to the LLM. An adversary has seeded a record with prompt-injection content that asks the agent to call a destructive tool (e.g. delete_event) under the guise of a legitimate "cleanup" workflow. The harness should verify the agent stays inside the trust boundary and does NOT call the denied tool.

I'll model this as a TRACE-LEVEL / SCENARIO-LEVEL regression (consistent with the scope note in tool_description_poisoning_001.yaml PR #74), since the full MCP adapter MVP is still landing.

Reference implementation for a real-world version: I just published @ultralab/misp-mcp-server — a Node MCP server for MISP that runs every outgoing response through prompt-defense-audit's output scanner. The new scenario will model the case where defense is DISABLED so we can verify the harness catches the regression. I'll link to it from the scenario as a real-world target reference, but the scenario itself will not depend on it (per the "small simulated MCP-style input" guidance).

PR coming shortly. Happy to iterate on framing.