Prompt injection defence at ingestion boundary.

all external content entering *persistent* agent context passes through an ingestion sanitization layer before indexing. Scope is durable ingestion paths (memory writes, indexed knowledge, unsupervised scheduled ingestion); interactive turn context in user-supervised sessions is out of scope — blast radius there is contained by Pillar 4 substrate (`PL4-least-privilege`, `PL4-branch-protection`). The layer strips, escapes, or sandboxes instruction-shaped text. The same policy is applied consistently across every ingestion surface — `PL1-real-world-feedback` (real-world feedback loop), `PL5-signal-driven-tasks` (signal-driven task generation), `PL4-memory-safety` (memory write-path)