Fence the attacker-controllable title and branch-ref names on a FetchedPR
for MCP-host-facing serialization (#1455). Deliberately a SEPARATE helper
from fenceFetchedPR:
The CLI daily/startup --json envelope (via deduplicateDigest)
intentionally keeps titles raw — the consuming agents carry the
"Prompt Injection Awareness" block from workflows/reference.md, and
fencing titles there would change the CLI contract (goldens + agent
parsing) for no security gain.
An arbitrary MCP host LLM never sees that awareness block, so the MCP
resources/prompts apply this helper on top of fenceFetchedPR.
Composes safely with fenceFetchedPR (disjoint fields), and is
applied to already-body-fenced digest PRs without double-wrapping.
VerifiedLinkedPR.title (verify-issue) stays raw: the same producer
feeds the CLI --json contract (pinned by verify-issue contract
snapshots) and the consuming issue-scout agent carries the awareness
block. Returns a copy; never mutates.
Fence the attacker-controllable title and branch-ref names on a FetchedPR for MCP-host-facing serialization (#1455). Deliberately a SEPARATE helper from fenceFetchedPR:
--jsonenvelope (viadeduplicateDigest) intentionally keeps titles raw — the consuming agents carry the "Prompt Injection Awareness" block fromworkflows/reference.md, and fencing titles there would change the CLI contract (goldens + agent parsing) for no security gain.Composes safely with fenceFetchedPR (disjoint fields), and is applied to already-body-fenced digest PRs without double-wrapping.
VerifiedLinkedPR.title(verify-issue) stays raw: the same producer feeds the CLI--jsoncontract (pinned by verify-issue contract snapshots) and the consuming issue-scout agent carries the awareness block. Returns a copy; never mutates.