feat(mcp): add input sanitization and test coverage

MCP-SAN (#49): Input sanitization for the MCP server layer.

- Add sanitize package: Content (Markdown structure injection),
  Reflect (truncate + strip control chars for error messages),
  SessionID (path-safe session identifiers), StripControl, Truncate
- Sanitize all reflected user inputs in dispatch error messages
  (tool names, prompt names, resource URIs) via sanitize.Reflect
- Reject unknown entry types before writing to .context/ files
- Enforce MaxContentLen (32KB) on entry content in extract.EntryArgs
- Sanitize entry content and optional fields via sanitize.Content
  and extract.SanitizedOpts before writing
- Cap journal source limit to MaxSourceLimit (100)
- Sanitize caller identifiers in session events
- Add input length constants to config/mcp/cfg
- Add error message keys for input-too-long and unknown-entry-type

MCP-COV (#50): Comprehensive test coverage for MCP subsystem.

- internal/mcp/proto: 22 schema round-trip and edge-case tests
- internal/mcp/session: 7 state lifecycle tests (100% coverage)
- internal/mcp/server: 4 integration tests (Serve edge cases,
  prompt add-learning)
- internal/mcp/server/def/tool: 9 tool definition tests
- internal/mcp/server/def/prompt: 9 prompt definition tests
- internal/mcp/server/extract: 7 extraction and sanitization tests
- internal/mcp/server/io: 3 WriteJSON tests (100% coverage)
- internal/mcp/server/out: 8 response builder tests (100% coverage)
- internal/mcp/server/parse: 3 request parsing tests (100% coverage)
- internal/mcp/server/stat: 2 statistics tests (100% coverage)
- internal/sanitize: 22 sanitization tests (Content, Reflect,
  SessionID, StripControl, Truncate + existing Filename)
- Server package coverage: 73% -> 92%

Closes #49
Closes #50

Signed-off-by: CoderMungan <codermungan@gmail.com>

Author: CoderMungan

internal/assets/commands/text/mcp.yaml

@@ -348,6 +348,10 @@ mcp.err-unknown-prompt:
   short: 'unknown prompt: %s'
 mcp.err-uri-required:
   short: uri is required
+mcp.err-input-too-long:
+  short: '%s exceeds maximum length (%d bytes)'
+mcp.err-unknown-entry-type:
+  short: 'unknown entry type: %s'
 mcp.format-watch-completed:
   short: 'Completed: %s'
 mcp.format-wrote:

internal/config/embed/text/mcp_err.go

@@ -30,14 +30,22 @@ const (
 	// DescKeyMCPErrTypeContentRequired is the text key for mcp err type content
 	// required messages.
 	DescKeyMCPErrTypeContentRequired = "mcp.err-type-content-required"
-	// DescKeyMCPErrQueryRequired is the text key for mcp err query required
-	// messages.
+	// DescKeyMCPErrQueryRequired is the text key for mcp err
+	// query required messages.
 	DescKeyMCPErrQueryRequired = "mcp.err-query-required"
-	// DescKeyMCPErrSearchRead is the text key for mcp err search read messages.
+	// DescKeyMCPErrSearchRead is the text key for mcp err
+	// search read messages.
 	DescKeyMCPErrSearchRead = "mcp.err-search-read"
-	// DescKeyMCPErrUnknownPrompt is the text key for mcp err unknown prompt
-	// messages.
+	// DescKeyMCPErrUnknownPrompt is the text key for mcp err
+	// unknown prompt messages.
 	DescKeyMCPErrUnknownPrompt = "mcp.err-unknown-prompt"
-	// DescKeyMCPErrURIRequired is the text key for mcp err uri required messages.
+	// DescKeyMCPErrURIRequired is the text key for mcp err
+	// uri required messages.
 	DescKeyMCPErrURIRequired = "mcp.err-uri-required"
+	// DescKeyMCPErrInputTooLong is the text key for mcp err
+	// input too long messages.
+	DescKeyMCPErrInputTooLong = "mcp.err-input-too-long"
+	// DescKeyMCPErrUnknownEntryType is the text key for mcp
+	// err unknown entry type messages.
+	DescKeyMCPErrUnknownEntryType = "mcp.err-unknown-entry-type"
 )

internal/config/mcp/cfg/config.go

@@ -13,8 +13,23 @@ const (
 
 	// DefaultSourceLimit is the max sessions returned by ctx_journal_source.
 	DefaultSourceLimit = 5
+	// MaxSourceLimit caps the source limit to prevent unbounded queries.
+	MaxSourceLimit = 100
 	// MinWordLen is the shortest word considered for overlap matching.
 	MinWordLen = 4
 	// MinWordOverlap is the minimum word matches to signal task completion.
 	MinWordOverlap = 2
+
+	// --- Input length limits (MCP-SAN.1) ---
+
+	// MaxContentLen is the maximum byte length for entry content fields.
+	MaxContentLen = 32_000
+	// MaxNameLen is the maximum byte length for tool/prompt/resource names.
+	MaxNameLen = 256
+	// MaxQueryLen is the maximum byte length for search queries.
+	MaxQueryLen = 1_000
+	// MaxCallerLen is the maximum byte length for caller identifiers.
+	MaxCallerLen = 128
+	// MaxURILen is the maximum byte length for resource URIs.
+	MaxURILen = 512
 )

internal/config/regex/sanitize.go

@@ -0,0 +1,33 @@
+//   /    ctx:                         https://ctx.ist
+// ,'`./    do you remember?
+// `.,'\
+//   \    Copyright 2026-present Context contributors.
+//                 SPDX-License-Identifier: Apache-2.0
+
+package regex
+
+import "regexp"
+
+// SanEntryHeader matches entry headers like "## [2026-" in
+// content sanitization (MCP-SAN.3).
+var SanEntryHeader = regexp.MustCompile(
+	`(?m)^##\s+\[\d{4}-`,
+)
+
+// SanTaskCheckbox matches task checkboxes "- [ ]" and
+// "- [x]" in content sanitization.
+var SanTaskCheckbox = regexp.MustCompile(
+	`(?m)^-\s+\[[x ]\]`,
+)
+
+// SanConstitutionRule matches constitution rule format
+// "- [ ] **Never" in content sanitization.
+var SanConstitutionRule = regexp.MustCompile(
+	`(?m)^-\s+\[[x ]\]\s+\*\*[A-Z]`,
+)
+
+// SanSessionIDUnsafe matches characters not safe for session
+// IDs in file paths: anything outside [a-zA-Z0-9._-].
+var SanSessionIDUnsafe = regexp.MustCompile(
+	`[^a-zA-Z0-9._-]`,
+)

internal/config/sanitize/doc.go

@@ -0,0 +1,13 @@
+//   /    ctx:                         https://ctx.ist
+// ,'`./    do you remember?
+// `.,'\
+//   \    Copyright 2026-present Context contributors.
+//                 SPDX-License-Identifier: Apache-2.0
+
+// Package sanitize defines string and length constants used by
+// the sanitize layer.
+//
+// Constants are referenced by internal/sanitize via config/sanitize.*.
+// Provides: [NullByte], [DotDot], [ForwardSlash], [Backslash],
+// [HyphenReplace], [EscapePrefix], [MaxSessionIDLen].
+package sanitize

internal/config/sanitize/sanitize.go

@@ -0,0 +1,34 @@
+//   /    ctx:                         https://ctx.ist
+// ,'`./    do you remember?
+// `.,'\
+//   \    Copyright 2026-present Context contributors.
+//                 SPDX-License-Identifier: Apache-2.0
+
+package sanitize
+
+// Sanitize-layer string and length constants.
+const (
+	// NullByte is the null character stripped from untrusted input.
+	NullByte = "\x00"
+
+	// DotDot is a path traversal sequence.
+	DotDot = ".."
+
+	// ForwardSlash is the forward slash stripped from session IDs.
+	ForwardSlash = "/"
+
+	// Backslash is the backslash stripped from session IDs.
+	Backslash = "\\"
+
+	// HyphenReplace is the replacement character for unsafe
+	// session ID characters.
+	HyphenReplace = "-"
+
+	// EscapePrefix is the backslash prefix for escaping Markdown
+	// structural patterns.
+	EscapePrefix = `\`
+
+	// MaxSessionIDLen is the maximum byte length for a session
+	// identifier.
+	MaxSessionIDLen = 128
+)

internal/entity/mcp_session_test.go

@@ -0,0 +1,98 @@
+//   /    ctx:                         https://ctx.ist
+// ,'`./    do you remember?
+// `.,'\
+//   \    Copyright 2026-present Context contributors.
+//                 SPDX-License-Identifier: Apache-2.0
+
+package entity
+
+import (
+	"testing"
+	"time"
+)
+
+func TestNewMCPSession(t *testing.T) {
+	s := NewMCPSession()
+	if s.ToolCalls != 0 {
+		t.Errorf("ToolCalls = %d, want 0", s.ToolCalls)
+	}
+	if s.AddsPerformed == nil {
+		t.Fatal("AddsPerformed should be initialized")
+	}
+	if len(s.AddsPerformed) != 0 {
+		t.Errorf(
+			"AddsPerformed length = %d, want 0",
+			len(s.AddsPerformed),
+		)
+	}
+	if s.SessionStartedAt.IsZero() {
+		t.Error("SessionStartedAt should be set")
+	}
+	if len(s.PendingFlush) != 0 {
+		t.Errorf(
+			"PendingFlush length = %d, want 0",
+			len(s.PendingFlush),
+		)
+	}
+}
+
+func TestRecordToolCall(t *testing.T) {
+	s := NewMCPSession()
+	s.RecordToolCall()
+	if s.ToolCalls != 1 {
+		t.Errorf("ToolCalls = %d, want 1", s.ToolCalls)
+	}
+	s.RecordToolCall()
+	s.RecordToolCall()
+	if s.ToolCalls != 3 {
+		t.Errorf("ToolCalls = %d, want 3", s.ToolCalls)
+	}
+}
+
+func TestRecordAdd(t *testing.T) {
+	s := NewMCPSession()
+	s.RecordAdd("task")
+	s.RecordAdd("task")
+	s.RecordAdd("decision")
+	if s.AddsPerformed["task"] != 2 {
+		t.Errorf(
+			"task adds = %d, want 2",
+			s.AddsPerformed["task"],
+		)
+	}
+	if s.AddsPerformed["decision"] != 1 {
+		t.Errorf(
+			"decision adds = %d, want 1",
+			s.AddsPerformed["decision"],
+		)
+	}
+}
+
+func TestQueuePendingUpdate(t *testing.T) {
+	s := NewMCPSession()
+	now := time.Now()
+	s.QueuePendingUpdate(PendingUpdate{
+		Type:     "task",
+		Content:  "Build feature",
+		QueuedAt: now,
+	})
+	if len(s.PendingFlush) != 1 {
+		t.Fatalf(
+			"PendingFlush length = %d, want 1",
+			len(s.PendingFlush),
+		)
+	}
+	pu := s.PendingFlush[0]
+	if pu.Type != "task" {
+		t.Errorf(
+			"Type = %q, want %q",
+			pu.Type, "task",
+		)
+	}
+	if pu.Content != "Build feature" {
+		t.Errorf(
+			"Content = %q, want %q",
+			pu.Content, "Build feature",
+		)
+	}
+}

internal/err/mcp/mcp.go

@@ -65,3 +65,19 @@ func UnknownEventType(eventType string) error {
 		eventType,
 	)
 }
+
+// InputTooLong returns an error when input exceeds the allowed
+// length.
+//
+// Parameters:
+//   - field: the field name that is too long
+//   - maxLen: the maximum allowed length
+//
+// Returns:
+//   - error: "<field> exceeds maximum length of <maxLen>"
+func InputTooLong(field string, maxLen int) error {
+	return fmt.Errorf(
+		desc.Text(text.DescKeyMCPErrInputTooLong),
+		field, maxLen,
+	)
+}