take into account result list attributes as PII

betegon · betegon · commit 41556c8f49b9 · 2025-08-06T11:53:43.000+02:00
diff --git a/packages/core/src/integrations/mcp-server/attributes.ts b/packages/core/src/integrations/mcp-server/attributes.ts
@@ -76,6 +76,9 @@ export const MCP_TOOL_RESULT_CONTENT_COUNT_ATTRIBUTE = 'mcp.tool.result.content_
 /** Serialized content of the tool result */
 export const MCP_TOOL_RESULT_CONTENT_ATTRIBUTE = 'mcp.tool.result.content';
 
+/** Prefix for tool result attributes that contain sensitive content */
+export const MCP_TOOL_RESULT_PREFIX = 'mcp.tool.result';
+
 // =============================================================================
 // PROMPT RESULT ATTRIBUTES
 // =============================================================================
@@ -92,6 +95,9 @@ export const MCP_PROMPT_RESULT_MESSAGE_ROLE_ATTRIBUTE = 'mcp.prompt.result.messa
 /** Content of the message in the prompt result (for single message results) */
 export const MCP_PROMPT_RESULT_MESSAGE_CONTENT_ATTRIBUTE = 'mcp.prompt.result.message_content';
 
+/** Prefix for prompt result attributes that contain sensitive content */
+export const MCP_PROMPT_RESULT_PREFIX = 'mcp.prompt.result';
+
 // =============================================================================
 // REQUEST ARGUMENT ATTRIBUTES
 // =============================================================================
diff --git a/packages/core/src/integrations/mcp-server/piiFiltering.ts b/packages/core/src/integrations/mcp-server/piiFiltering.ts
@@ -11,9 +11,11 @@ import {
   MCP_LOGGING_MESSAGE_ATTRIBUTE,
   MCP_PROMPT_RESULT_DESCRIPTION_ATTRIBUTE,
   MCP_PROMPT_RESULT_MESSAGE_CONTENT_ATTRIBUTE,
+  MCP_PROMPT_RESULT_PREFIX,
   MCP_REQUEST_ARGUMENT,
   MCP_RESOURCE_URI_ATTRIBUTE,
   MCP_TOOL_RESULT_CONTENT_ATTRIBUTE,
+  MCP_TOOL_RESULT_PREFIX,
 } from './attributes';
 
 /**
@@ -31,11 +33,35 @@ const PII_ATTRIBUTES = new Set([
 ]);
 
 /**
- * Checks if an attribute key should be considered PII
+ * Checks if an attribute key should be considered PII.
+ *
+ * Returns true for:
+ * - Explicit PII attributes (client.address, client.port, mcp.logging.message, etc.)
+ * - All request arguments (mcp.request.argument.*)
+ * - Tool and prompt result content (mcp.tool.result.*, mcp.prompt.result.*) except metadata
+ *
+ * Preserves metadata attributes ending with _count, _error, or .is_error as they don't contain sensitive data.
+ *
+ * @param key - Attribute key to evaluate
+ * @returns true if the attribute should be filtered out (is PII), false if it should be preserved
  * @internal
  */
 function isPiiAttribute(key: string): boolean {
-  return PII_ATTRIBUTES.has(key) || key.startsWith(`${MCP_REQUEST_ARGUMENT}.`);
+  if (PII_ATTRIBUTES.has(key)) {
+    return true;
+  }
+
+  if (key.startsWith(`${MCP_REQUEST_ARGUMENT}.`)) {
+    return true;
+  }
+
+  if (key.startsWith(`${MCP_TOOL_RESULT_PREFIX}.`) || key.startsWith(`${MCP_PROMPT_RESULT_PREFIX}.`)) {
+    if (!key.endsWith('_count') && !key.endsWith('_error') && !key.endsWith('.is_error')) {
+      return true;
+    }
+  }
+
+  return false;
 }
 
 /**
diff --git a/packages/core/test/lib/integrations/mcp-server/piiFiltering.test.ts b/packages/core/test/lib/integrations/mcp-server/piiFiltering.test.ts
@@ -215,13 +215,16 @@ describe('MCP Server PII Filtering', () => {
       expect(result).not.toHaveProperty('mcp.tool.result.content');
       expect(result).not.toHaveProperty('mcp.prompt.result.description');
 
-      // Indexed/dynamic result attributes (not in PII_ATTRIBUTES) should remain
+      // Count attributes should remain as they don't contain sensitive content
       expect(result).toHaveProperty('mcp.tool.result.content_count', 1);
       expect(result).toHaveProperty('mcp.prompt.result.message_count', 2);
-      expect(result).toHaveProperty('mcp.prompt.result.0.role', 'user');
-      expect(result).toHaveProperty('mcp.prompt.result.0.content', 'Sensitive prompt content');
-      expect(result).toHaveProperty('mcp.prompt.result.1.role', 'assistant');
-      expect(result).toHaveProperty('mcp.prompt.result.1.content', 'Another sensitive response');
+
+      // All tool and prompt result content should be filtered (including indexed attributes)
+      expect(result).not.toHaveProperty('mcp.prompt.result.0.role');
+      expect(result).not.toHaveProperty('mcp.prompt.result.0.content');
+      expect(result).not.toHaveProperty('mcp.prompt.result.1.role');
+      expect(result).not.toHaveProperty('mcp.prompt.result.1.content');
+
       expect(result).toHaveProperty('mcp.resource.result.content_count', 1);
       expect(result).toHaveProperty('mcp.resource.result.uri', 'file:///private/file.txt');
       expect(result).toHaveProperty('mcp.resource.result.content', 'Sensitive resource content');
