feat(security): MCP/A2A security hardening — tool collision detection, SMCP lifecycle, IBCT tokens (#2533)

* feat(security): MCP/A2A security hardening — tool collision detection, list locking, env isolation, intent-anchor wrapper, IBCT (#2496, #2497, #2504)

Phase 1 (no new deps):
- Cross-server sanitized_id collision detection in McpManager: warnings on connect and add_server, first-registered tool wins dispatch (MF-1, SF-6)
- Tool-list snapshot locking (lock_tool_list config): tools/list_changed rejected for connected servers; lock set atomically before connect_entry to eliminate TOCTOU race (MF-2)
- Per-server Stdio environment isolation (env_isolation config): spawned processes receive only BASE_ENV_VARS + server env; XDG dirs included for Linux (SF-3)
- Intent-anchor wrapper for MCP tool output: per-invocation UUID nonce boundary prevents delimiter injection; [TOOL_OUTPUT:: escaped in content (MF-5)

Phase 2 (hmac 0.13 + sha2 0.11):
- IBCT module (crates/zeph-a2a/src/ibct.rs): HMAC-SHA256, key_id field for rotation, Vec<IbctKey> for graceful key rollover, base64-JSON X-Zeph-IBCT header, vault_ref config field for secure key storage (MF-3, MF-4)
- ibct feature gate in zeph-a2a; enabled via a2a workspace feature

* fix(security): address code review issues RC-1, RC-2, RC-3, REC-1

RC-1: replace hex string comparison in ibct.rs with constant-time
  verify_signature() using Mac::verify_slice() to eliminate the
  timing side-channel in HMAC verification.

RC-2: remove hardcoded trust=untrusted field from intent-anchor wrapper
  format; the trust annotation was redundant and potentially misleading
  since callers already control context.

RC-3: replace all .expect("connected_server_ids lock poisoned") with
  .unwrap_or_else(PoisonError::into_inner) to avoid cascade panics
  on RwLock poison in manager.rs.

REC-1: add tool_list_locked.remove() in add_server() error branches
  for list_tools and run_probe failures, ensuring the lock is always
  cleaned up on early return.

* test(security): add unit tests for build_isolated_env and detect_collisions

Author: bug-ops

CHANGELOG.md

@@ -49,6 +49,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
   - new `set_working_directory` tool — explicit, persistent cwd change detected post-tool and fires `CwdChanged` hooks with `ZEPH_OLD_CWD`/`ZEPH_NEW_CWD` env vars
   - `FileChangeWatcher` monitors configured `watch_paths` via `notify-debouncer-mini` (debounced 500ms by default) and fires hooks with `ZEPH_CHANGED_PATH`
   - TUI spinner status emitted on both event types
+- security(mcp): cross-server `sanitized_id` collision detection in `McpManager` — logged as warnings on connect and `add_server`; first-registered tool wins dispatch (#2496)
+- security(mcp): tool-list snapshot locking (`[mcp] lock_tool_list = true`) — `tools/list_changed` refresh events are rejected for connected servers, preventing mid-session tool injection; lock flag set atomically before connection to eliminate TOCTOU race (#2497)
+- security(mcp): per-server Stdio environment isolation (`env_isolation = true` per server or `[mcp] default_env_isolation = true`) — spawned processes only receive a minimal base env plus server-specific `env` map; XDG dirs included for Linux compatibility (#2497)
+- security(mcp): intent-anchor wrapper for MCP tool output — each result is wrapped with a per-invocation nonce boundary `[TOOL_OUTPUT::{uuid}::BEGIN/END]`; boundary injection prevented by escaping `[TOOL_OUTPUT::` in tool output (#2497)
+- security(a2a): Invocation-Bound Capability Tokens (IBCT) — `crates/zeph-a2a/src/ibct.rs`; HMAC-SHA256 signing, `key_id` field for key rotation, base64-JSON `X-Zeph-IBCT` header; gated on `ibct` feature (#2504)
+- config: `[mcp] lock_tool_list`, `[mcp] default_env_isolation`, `[[mcp.servers]] env_isolation` fields
+- config: `[a2a] ibct_keys`, `[a2a] ibct_signing_key_vault_ref`, `[a2a] ibct_ttl_secs` fields
 
 ### Removed
 

Cargo.lock

@@ -71,6 +71,7 @@ rmcp = "1.3"
 audioadapter-buffers = "2.0"
 rubato = "1.0"
 schemars = "1.2"
+hmac = "0.13"
 sha2 = "0.11"
 scrape-core = "0.2"
 semver = "1.0.27"
@@ -176,7 +177,7 @@ full    = ["desktop", "ide", "server", "chat", "pdf", "stt", "acp-unstable", "ex
 bundled-skills = ["zeph-skills/bundled-skills", "zeph-core/bundled-skills"]
 
 # === Individual feature flags ===
-a2a = ["dep:zeph-a2a", "zeph-a2a?/server"]
+a2a = ["dep:zeph-a2a", "zeph-a2a?/server", "zeph-a2a?/ibct"]
 compression-guidelines = ["zeph-core/compression-guidelines", "zeph-memory/compression-guidelines"]
 acp = ["dep:zeph-acp"]
 acp-http = ["acp", "dep:axum", "zeph-acp/acp-http"]

Cargo.toml

@@ -14,12 +14,17 @@ description = "A2A protocol client and server with agent discovery for Zeph"
 readme = "README.md"
 
 [features]
+ibct = ["dep:hmac", "dep:sha2"]
 server = ["dep:axum", "dep:blake3", "dep:subtle", "dep:tower", "dep:tower-http"]
 
 [dependencies]
 axum = { workspace = true, optional = true }
+base64.workspace = true
 blake3 = { workspace = true, optional = true }
 eventsource-stream.workspace = true
+hex.workspace = true
+hmac = { workspace = true, optional = true }
+sha2 = { workspace = true, optional = true }
 futures.workspace = true
 futures-core.workspace = true
 reqwest = { workspace = true, features = ["json", "stream"] }