For the prompt injection concern: protect-mcp wraps MCP tool calls with per-tool policies. Even if the agent gets injected, it can't call tools outside the policy. Every decision is optionally Ed25519-signed and verifiable offline.

npmjs.com/package/protect-mcp