Add to ~/.mcpproxy/mcp_config.json (all optional — defaults already spotlight untrusted output):
{
"output_sanitisation": {
"spotlight_untrusted": true,
"response_action": "redact",
"strip_control_chars": true,
"strip_classes": ["ansi", "c0c1", "bidi", "zero_width"],
"max_redactions": 100
}
}response_action:"spotlight"(non-mutating) |"redact"(mask secrets) |"block"(replace payload on critical detection).- Fully opt-in: omit the block (or leave
spotlight_untrusted: false) → mcpproxy forwards everything unchanged. Setspotlight_untrusted: trueto enable the wrapper.
- curl / MCP roundtrip: stand up mcpproxy with a stub untrusted upstream that returns a secret + ANSI; call the tool via
/mcpandcall_tool_read; assert the response is wrapped («untrusted:…») and, withredact, the secret is[REDACTED:cloud_credentials]. - e2e script:
./scripts/test-api-e2e.shstays green (no regression). - Web UI / chrome ext: open the activity view; confirm a
policy_decisionrow appears for the redact/block call with the reason.
| Config | Untrusted tool text | Trusted tool text | Non-text blocks |
|---|---|---|---|
| default | wrapped in delimiters | unchanged | unchanged |
redact |
wrapped + secrets masked | secrets masked | unchanged |
block + critical |
payload → remediation error + audit | payload → remediation error + audit | n/a |
strip_control_chars |
wrapped + control seqs stripped | unchanged | unchanged |