
fix(agents): strip internal proxy metadata from tool args#2456

Open
daryllimyt wants to merge 1 commit into main from daryl/strip-proxy-tool-metadata

Conversation

Contributor

@daryllimyt daryllimyt commented Apr 1, 2026

Summary

  • Extract proxy tool metadata helpers (strip_proxy_tool_metadata, extract_proxy_tool_call_id, sanitize_message_tool_inputs) into tracecat/agent/mcp/metadata.py
  • Centralize __tracecat metadata stripping in ToolInputAvailableEventPayload and MutableToolPart via __post_init__, removing ~10 scattered strip calls in vercel.py
  • Strip metadata in approvals persistence, watchtower redaction, session history, and chat deserialization

Test plan

  • test_agent_mcp_metadata.py — unit tests for strip_proxy_tool_metadata and sanitize_message_tool_inputs
  • test_approvals_manager.py — verifies approval args strip internal metadata
  • test_watchtower_service.py — verifies redacted args exclude internal metadata

Summary by cubic

Stops leaking Tracecat-internal proxy metadata by stripping __tracecat from tool args across UI events, persistence, and redaction. Centralizes the logic so tool inputs shown to users and saved to the DB no longer include internal IDs.

  • Bug Fixes

    • Strip __tracecat from tool inputs at emission (ToolInputAvailableEventPayload, MutableToolPart).
    • Remove metadata in approvals storage, watchtower redaction, session history, and chat deserialization.
    • Redaction summaries now exclude internal metadata in counts and keys.
  • Refactors

    • Added tracecat/agent/mcp/metadata.py with strip_proxy_tool_metadata, extract_proxy_tool_call_id, sanitize_message_tool_inputs.
    • Replaced scattered strip calls in tracecat/agent/adapter/vercel.py and tracecat/agent/mcp/proxy_server.py with centralized helpers.
    • Added unit tests for helpers, approvals, and watchtower paths.

Written for commit 855dc84. Summary will update on new commits.

…ersistence

Extract proxy tool metadata helpers into tracecat/agent/mcp/metadata.py
and strip __tracecat metadata at UI emission boundaries. Centralizes
stripping in ToolInputAvailableEventPayload and MutableToolPart via
__post_init__ to avoid scattering strip calls at every call site.
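The pattern the PR describes, written out as an added illustration rather than Tracecat's own code: one helper that removes the internal key, one that reads the proxy call id before it is removed, a dataclass that enforces stripping in `__post_init__` so no emitter can forget it, and a sanitizer for messages loaded from the database. The shape of the `__tracecat` entry (a top-level key whose value holds a `tool_call_id`) and the `parts`/`input` layout of messages are assumptions; the helper also recurses into nested dicts and lists, which goes beyond the top-level stripping the PR text mentions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Internal key that must never reach the UI, approvals, redaction or the DB.
PROXY_METADATA_KEY = "__tracecat"

def strip_proxy_tool_metadata(args: Any) -> Any:
    """Return a copy of tool args with the internal key removed (input not mutated).

    Recurses into nested dicts and lists (assumed extension) so a key buried in a
    sub-object is dropped too; non-container values are returned unchanged."""
    if isinstance(args, dict):
        return {
            k: strip_proxy_tool_metadata(v)
            for k, v in args.items()
            if k != PROXY_METADATA_KEY
        }
    if isinstance(args, list):
        return [strip_proxy_tool_metadata(v) for v in args]
    return args

def extract_proxy_tool_call_id(args: Any) -> str | None:
    """Read the proxy call id out of the metadata; call this BEFORE stripping.
    The {"tool_call_id": ...} layout under the key is an assumption."""
    if isinstance(args, dict):
        meta = args.get(PROXY_METADATA_KEY)
        if isinstance(meta, dict) and meta.get("tool_call_id") is not None:
            return str(meta["tool_call_id"])
    return None

@dataclass
class ToolInputAvailableEventPayload:
    """UI-bound event: stripping is enforced once here, not at every emitter."""
    tool_name: str
    input: dict[str, Any] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.input = strip_proxy_tool_metadata(self.input)

def sanitize_message_tool_inputs(messages: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Strip the key from the input of every tool part in stored chat messages,
    leaving text parts and all other message fields untouched."""
    cleaned = []
    for msg in messages:
        parts = [
            {**p, "input": strip_proxy_tool_metadata(p["input"])} if p.get("type") == "tool" else p
            for p in msg.get("parts", [])
        ]
        cleaned.append({**msg, "parts": parts})
    return cleaned
```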
@daryllimyt daryllimyt added agents LLM agents mcp Tracecat MCP Connector labels Apr 1, 2026
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 1, 2026 19:46 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 1, 2026 19:47 — with GitHub Actions Inactive

zeropath-ai bot commented Apr 1, 2026

No security or compliance issues detected. Reviewed everything up to 855dc84.

Security Overview

Detected Code Changes (change type, relevant files, and what changed in each):

Refactor
  • tracecat/agent/mcp/metadata.py
      Introduce metadata utility functions
      Implement proxy tool metadata stripping
      Implement extraction of proxy tool call ID
      Implement message sanitization for tool inputs
  • tracecat/agent/mcp/proxy_server.py
      Move proxy tool metadata extraction logic
  • tracecat/agent/session/service.py
      Sanitize tool inputs when listing messages
  • tracecat/chat/schemas.py
      Sanitize tool inputs from database messages
Enhancement
  • tracecat/agent/approvals/service.py
      Strip proxy tool metadata from approval arguments
  • tracecat/agent/adapter/vercel.py
      Strip proxy tool metadata from tool input payloads
      Strip proxy tool metadata from tool call arguments
      Strip proxy tool metadata from tool output arguments
      Strip proxy tool metadata from extracted approval payloads
Bug Fix
  • tracecat/agent/watchtower/service.py
      Strip proxy tool metadata before argument redaction
Test
  • tests/unit/test_agent_mcp_metadata.py
      Add tests for proxy tool metadata stripping
      Add tests for message sanitization
  • tests/unit/test_approvals_manager.py
      Add test for stripping internal proxy metadata
  • tests/unit/test_watchtower_service.py
      Add test for ignoring internal proxy metadata during redaction

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 10 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@daryllimyt daryllimyt requested a review from jordan-umusu April 2, 2026 15:02