security(mcp): tool poisoning detection and per-tool trust metadata (#2459, #2420)

[bug-ops]

Summary

• Implement multi-layered MCP client-side defenses against tool poisoning per arXiv:2603.22489 (research(security): MCP tool poisoning threat model — multi-layered client-side mitigations (arXiv:2603.22489) #2459)
• Add per-tool capability/sensitivity metadata and data-flow policy enforcement per arXiv:2601.08012 (research(security): MCP tool trust/confidentiality metadata — capability labels + STPA-based data-flow policy (arXiv:2601.08012) #2420)
• 16 injection patterns with Unicode hardening (format-char stripping); sanitize_tools() returns SanitizeResult with injection count, flagged tools, and flagged pattern names
• apply_injection_penalties(): trust score penalties capped at 3 per registration batch, auto-demotes server trust level (never promotes)
• ToolSecurityMeta on McpTool: DataSensitivity (None/Low/Medium/High) + CapabilityClass set (FilesystemRead/Write, Network, Shell, DatabaseRead, MemoryWrite, ExternalApi)
• infer_security_meta() keyword heuristic with explicit filesystem keywords only; defaults unknown tools to DataSensitivity::Low
• Operator config override via mcp.servers[].tool_metadata TOML section
• check_data_flow() blocks High-sensitivity tools on Untrusted/Sandboxed servers at registration time

Test plan

• 6833 tests pass (cargo nextest run --workspace --lib --bins)
• cargo +nightly fmt --check clean
• cargo clippy --workspace -- -D warnings clean
• 59 new tests: injection patterns (16 individual + multi-tool + unicode), apply_injection_penalties (8 direct: zero/1/cap-at-3/cap-at-10/no-store/demotion), infer_security_meta (all keyword categories + false-positive guards), check_data_flow (all DataSensitivity x McpTrustLevel combinations), SanitizeResult population

Closes #2459
Closes #2420