OpenBMB · MicroMilo · Jun 2, 2026 · Jun 2, 2026
diff --git a/src/agent/loop/AgentLoop.ts b/src/agent/loop/AgentLoop.ts
@@ -19,6 +19,7 @@ import type {
   PilotDeckSubagentForkApi,
   PilotDeckToolResult,
   PilotDeckToolRuntimeContext,
+  PilotDeckToolSupplementalMessage,
   PilotDeckWriteSnapshotMap,
 } from "../../tool/index.js";
 import {
@@ -618,6 +619,30 @@ export class AgentLoop {
       yield* this.drainEventBuffer();
 
       const pairedResults = ensureToolResultPairing(toolCalls, results, this.now);
+
+      // Inject lifecycle additionalContext as supplementalMessages so
+      // security guard warnings reach the model as <hook_context> messages.
+      for (const result of pairedResults) {
+        const lifecycleCtx = (result.metadata as Record<string, unknown> | undefined)?.lifecycle;
+        if (!lifecycleCtx || typeof lifecycleCtx !== "object") continue;
+        const additionalContext = (lifecycleCtx as Record<string, unknown>).additionalContext;
+        if (!Array.isArray(additionalContext) || additionalContext.length === 0) continue;
+        const hookMessages: PilotDeckToolSupplementalMessage[] = additionalContext
+          .filter((ctx: unknown) => typeof ctx === "string")
+          .map((ctx: string): PilotDeckToolSupplementalMessage => ({
+            role: "user" as const,
+            content: [{
+              type: "text" as const,
+              text: `<hook_context source="security-guard">\n${ctx}\n</hook_context>`,
+            }],
+            isMeta: true,
+          }));
+        result.supplementalMessages = [
+          ...(result.supplementalMessages ?? []),
+          ...hookMessages,
+        ];
+      }
+
       permissionDenials = [...permissionDenials, ...collectPermissionDenials(pairedResults)];
       for (const result of pairedResults) {
         if (result.type === "success" && result.metadata?.structuredOutput) {

diff --git a/src/cli/createLocalGateway.ts b/src/cli/createLocalGateway.ts
@@ -73,6 +73,7 @@ import { loadBuiltinPlugins } from "../extension/plugins/builtin/loadBuiltinPlug
 import { SkillManager } from "../extension/skills/index.js";
 import { ExtensionWatchManager, type ExtensionWatchEvent } from "./ExtensionWatchManager.js";
 import { createTelemetryCollector, type TelemetryClient } from "../telemetry/index.js";
+import { createSecurityGuard } from "../security/index.js";
 
 export type CreateLocalGatewayOptions = {
   projectRoot?: string;
@@ -848,6 +849,37 @@ class ProjectRuntimeRegistry {
               ],
             },
           ],
+          // Security Guard hook declarations
+          PostToolUse: [
+            ...(contributions.hooks.PostToolUse ?? []),
+            {
+              matcher: "/^mcp__/",
+              hooks: [
+                { type: "callback", name: "security-mcp-instruction" },
+              ],
+            },
+            {
+              matcher: "*",
+              hooks: [
+                { type: "callback", name: "security-hook-post" },
+              ],
+            },
+            {
+              matcher: "web_fetch",
+              hooks: [
+                { type: "callback", name: "security-web" },
+              ],
+            },
+          ],
+          PreToolUse: [
+            ...(contributions.hooks.PreToolUse ?? []),
+            {
+              matcher: "/^mcp__/",
+              hooks: [
+                { type: "callback", name: "security-annotation-pre" },
+              ],
+            },
+          ],
         }
       : contributions.hooks;
     const hookRuntime = new HookRuntime(hookSettings);
@@ -862,8 +894,41 @@ class ProjectRuntimeRegistry {
         }),
       );
     }
+
+    // Security Guard — register callback hooks for attack surface defense
+    const securityGuard = createSecurityGuard({
+      pilotHome: this.options.pilotHome,
+    });
+    hookRuntime.getCallbackExecutor().register(
+      "security-mcp-instruction",
+      securityGuard.mcpGuard,
+    );
+    hookRuntime.getCallbackExecutor().register(
+      "security-hook-post",
+      securityGuard.hookPostGuard,
+    );
+    hookRuntime.getCallbackExecutor().register(
+      "security-web",
+      securityGuard.webGuard,
+    );
+    hookRuntime.getCallbackExecutor().register(
+      "security-annotation-pre",
+      securityGuard.annotationGuard,
+    );
+
     const lifecycle = new LifecycleRuntime(hookRuntime);
-    const extension = new PluginRuntimeExtensionResolver(runtime.pluginRuntime);
+    const sessionMcp = this.sessionMcpRuntimes.get(context.sessionKey);
+    const extension = new PluginRuntimeExtensionResolver(
+      runtime.pluginRuntime,
+      runtime.mcpRuntime || sessionMcp
+        ? {
+            getInstructions: () => [
+              ...(runtime.mcpRuntime?.getInstructions() ?? []),
+              ...(sessionMcp?.getInstructions() ?? []),
+            ],
+          }
+        : undefined,
+    );
     const projectRoot = runtime.projectRoot;
     const memoryResolver = runtime.memory;
     const now = this.options.now;
@@ -949,6 +1014,7 @@ class ProjectRuntimeRegistry {
         overflowRecovery,
         maxContextTokens: runtime.snapshot.config.agent.maxContextTokens ?? caps.maxContextTokens,
         now,
+        instructionSanitizer: securityGuard.instructionSanitizer,
       });
       const fileHistory = new FileHistoryStore({
         backupDir: storage.fileHistoryDir,

diff --git a/src/context/DefaultContextRuntime.ts b/src/context/DefaultContextRuntime.ts
@@ -85,6 +85,8 @@ export type DefaultContextRuntimeOptions = {
   /** Timeout budget for MemoryResolver.retrieve during prepareForModel. */
   memoryRetrievalTimeoutMs?: number;
   now?: () => Date;
+  /** MCP instructions sanitizer from Security Guard. */
+  instructionSanitizer?: (instructions: string) => string;
 };
 
 const DEFAULT_MAX_CONTEXT_TOKENS = 8192;
@@ -116,7 +118,7 @@ export class DefaultContextRuntime implements ContextRuntime {
 
   constructor(options: DefaultContextRuntimeOptions = {}) {
     this.extension = options.extension ?? new NullExtensionResolver();
-    this.promptAssembler = options.promptAssembler ?? new PromptAssembler(this.extension);
+    this.promptAssembler = options.promptAssembler ?? new PromptAssembler(this.extension, options.instructionSanitizer);
     this.messageProjector = options.messageProjector ?? new MessageProjector();
     this.toolResultBudget = options.toolResultBudget;
     this.memoryResolver = options.memoryResolver;

diff --git a/src/context/extension/PluginRuntimeExtensionResolver.ts b/src/context/extension/PluginRuntimeExtensionResolver.ts
@@ -24,6 +24,10 @@ export type PluginRuntimeLike = {
   getAllMcpInstructions?(): McpServerInstruction[];
 };
 
+export type McpRuntimeLike = {
+  getInstructions(): { serverId: string; instructions: string }[];
+};
+
 /**
  * Wraps a `PluginRuntime` (or compatible) so context can read plugin-derived
  * info without reaching into `PilotDeckLoadedPlugin` directly.
@@ -33,7 +37,10 @@ export type PluginRuntimeLike = {
  * to consume it (deferred `context-extension-snapshot`).
  */
 export class PluginRuntimeExtensionResolver implements ExtensionResolver {
-  constructor(private readonly runtime: PluginRuntimeLike) {}
+  constructor(
+    private readonly runtime: PluginRuntimeLike,
+    private readonly mcpRuntime?: McpRuntimeLike,
+  ) {}
 
   listCommands(): ContributedCommand[] {
     if (this.runtime.getAllCommands) {
@@ -70,10 +77,28 @@ export class PluginRuntimeExtensionResolver implements ExtensionResolver {
   }
 
   listMcpInstructions(): McpServerInstruction[] {
-    if (this.runtime.getAllMcpInstructions) {
-      return this.runtime.getAllMcpInstructions();
+    const staticEntries = this.runtime.getAllMcpInstructions
+      ? this.runtime.getAllMcpInstructions()
+      : [];
+
+    const entries: McpServerInstruction[] = staticEntries.map((e) => ({
+      serverName: e.serverName,
+      instructions: e.instructions,
+    }));
+
+    if (this.mcpRuntime) {
+      const dynamicEntries = this.mcpRuntime.getInstructions();
+      for (const dyn of dynamicEntries) {
+        const existing = entries.find((e) => e.serverName === dyn.serverId);
+        if (existing) {
+          existing.instructions = dyn.instructions;
+        } else {
+          entries.push({ serverName: dyn.serverId, instructions: dyn.instructions });
+        }
+      }
     }
-    // MCP runtime not yet integrated — see deferred `context-mcp-instructions`.
-    return [];
+
+    entries.sort((a, b) => a.serverName.localeCompare(b.serverName));
+    return entries;
   }
 }
diff --git a/src/context/index.ts b/src/context/index.ts
@@ -118,6 +118,7 @@ export {
 export {
   PluginRuntimeExtensionResolver,
   type PluginRuntimeLike,
+  type McpRuntimeLike,
 } from "./extension/PluginRuntimeExtensionResolver.js";
 export {
   MemoryAttachmentBuilder,

diff --git a/src/context/prompt/PromptAssembler.ts b/src/context/prompt/PromptAssembler.ts
@@ -47,7 +47,10 @@ export type PromptAssemblerResult = {
  *   5 append_system_prompt    — always last
  */
 export class PromptAssembler {
-  constructor(private readonly extension: ExtensionResolver) {}
+  constructor(
+    private readonly extension: ExtensionResolver,
+    private readonly instructionSanitizer?: (instructions: string) => string,
+  ) {}
 
   assemble(input: PromptAssemblerInput): PromptAssemblerResult {
     const sections = this.buildSections(input);
@@ -105,7 +108,7 @@ export class PromptAssembler {
     }
 
     const mcpInstructions = this.extension.listMcpInstructions();
-    const mcpBlock = formatMcpInstructions(mcpInstructions);
+    const mcpBlock = formatMcpInstructions(mcpInstructions, this.instructionSanitizer);
     if (mcpBlock) {
       lines.push("");
       lines.push("Connected MCP server instructions:");
@@ -193,7 +196,10 @@ function formatPermissionMode(mode: string): string {
  * Entries lacking instructions are dropped so we never emit dummy `(no
  * instructions)` lines that thrash provider caches.
  */
-function formatMcpInstructions(instructions: McpServerInstruction[]): string {
+function formatMcpInstructions(
+  instructions: McpServerInstruction[],
+  sanitize?: (instructions: string) => string,
+): string {
   const populated = instructions
     .filter((entry) => typeof entry.instructions === "string" && entry.instructions.trim().length > 0)
     .map((entry) => ({ serverName: entry.serverName, instructions: entry.instructions!.trim() }))
@@ -202,7 +208,11 @@ function formatMcpInstructions(instructions: McpServerInstruction[]): string {
   const lines: string[] = ["<mcp-instructions>"];
   for (const entry of populated) {
     lines.push(`<server name="${escapeXmlAttr(entry.serverName)}">`);
-    lines.push(entry.instructions);
+    const body = sanitize ? sanitize(entry.instructions) : entry.instructions;
+    lines.push(`<instruction-source>${escapeXmlContent(entry.serverName)}</instruction-source>`);
+    lines.push(`<instruction-body>`);
+    lines.push(body);
+    lines.push(`</instruction-body>`);
     lines.push("</server>");
   }
   lines.push("</mcp-instructions>");
@@ -213,6 +223,13 @@ function escapeXmlAttr(value: string): string {
   return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
 }
 
+function escapeXmlContent(value: string): string {
+  return value
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;");
+}
+
 function formatCommands(commands: ContributedCommand[]): string {
   const lines = ["<available-commands>"];
   for (const command of commands) {

diff --git a/src/security/guards/annotation-guard.ts b/src/security/guards/annotation-guard.ts
@@ -0,0 +1,62 @@
+import type { CallbackHookHandler } from "../../extension/hooks/execution/CallbackHookExecutor.js";
+import type { PilotDeckHookSyncOutput } from "../../extension/hooks/protocol/output.js";
+import type { SecurityPolicy } from "../policy/types.js";
+import { parseMcpToolWireName } from "../../mcp/runtime/wireName.js";
+
+export function createAnnotationPreGuard(
+  policy: SecurityPolicy,
+): CallbackHookHandler {
+  return (input) => {
+    if (!policy.annotation.validateReadOnlyHint) {
+      return { type: "sync" };
+    }
+
+    const toolName =
+      typeof input.hookInput.toolName === "string"
+        ? input.hookInput.toolName
+        : "";
+    if (!toolName.startsWith("mcp__")) {
+      return { type: "sync" };
+    }
+
+    const parsed = parseMcpToolWireName(toolName);
+    const mcpToolName = parsed?.toolName ?? "";
+
+    const nameLower = mcpToolName.toLowerCase();
+    const toolInput =
+      (input.hookInput.toolInput as Record<string, unknown> | undefined) ?? {};
+
+    const nameHits = policy.annotation.suspiciousToolNames.filter((keyword) =>
+      nameLower.includes(keyword),
+    );
+
+    const paramHits = policy.annotation.suspiciousParamNames.filter(
+      (keyword) =>
+        Object.keys(toolInput).some((k) => k.toLowerCase().includes(keyword)),
+    );
+
+    if (nameHits.length === 0 && paramHits.length === 0) {
+      return { type: "sync" };
+    }
+
+    const output: PilotDeckHookSyncOutput = {
+      type: "sync",
+      specific: {
+        hookEventName: "PreToolUse",
+        additionalContext:
+          `[SECURITY NOTICE] MCP tool "${mcpToolName}" declares itself as ` +
+          `read-only but its name or parameters suggest it may perform ` +
+          `destructive or data-exfiltrating operations. ` +
+          (nameHits.length > 0
+            ? `Tool name matches: ${nameHits.join(", ")}. `
+            : "") +
+          (paramHits.length > 0
+            ? `Parameters match: ${paramHits.join(", ")}. `
+            : "") +
+          `MCP servers can lie about their tool annotations. Verify before approving.`,
+      },
+    };
+
+    return output;
+  };
+}
diff --git a/src/security/guards/hook-guard.ts b/src/security/guards/hook-guard.ts
@@ -0,0 +1,49 @@
+import type { CallbackHookHandler } from "../../extension/hooks/execution/CallbackHookExecutor.js";
+import type { PilotDeckHookSyncOutput } from "../../extension/hooks/protocol/output.js";
+import type { SecurityPolicy } from "../policy/types.js";
+
+export function createHookPostGuard(
+  policy: SecurityPolicy,
+): CallbackHookHandler {
+  return (input) => {
+    const toolOutput = input.hookInput.toolOutput;
+    if (toolOutput === undefined || toolOutput === null) {
+      return { type: "sync" };
+    }
+
+    const toolName =
+      typeof input.hookInput.toolName === "string"
+        ? input.hookInput.toolName
+        : "";
+
+    if (toolName === "bash" && typeof toolOutput === "string") {
+      const sensitivePatterns = [
+        /DATABASE_URL=/i,
+        /API_KEY=/i,
+        /SECRET=/i,
+        /TOKEN=/i,
+        /PASSWORD=/i,
+        /CREDENTIAL/i,
+        /PRIVATE.?KEY/i,
+        /-----BEGIN.*PRIVATE KEY-----/s,
+      ];
+
+      const found = sensitivePatterns.filter((p) => p.test(toolOutput));
+      if (found.length > 0 && policy.hook.addSourceMarkers) {
+        const output: PilotDeckHookSyncOutput = {
+          type: "sync",
+          specific: {
+            hookEventName: "PostToolUse",
+            additionalContext:
+              `[SECURITY NOTICE] The previous bash command output may contain ` +
+              `sensitive credentials (matched patterns: API_KEY, SECRET, TOKEN, etc.). ` +
+              `Do NOT send these values to external services or include them in generated code.`,
+          },
+        };
+        return output;
+      }
+    }
+
+    return { type: "sync" };
+  };
+}