Context

In crates/zeph-memory/src/consolidation.rs, the consolidate_batch function constructs a prompt for the LLM (to propose MERGE/UPDATE topology ops). Currently instructions and user-generated memory content are combined in a single Role::User message.

Risk

If memory content contains adversarial text resembling instructions, it could influence the consolidation decision. Severity is low (serde parse gate bounds the blast radius), but better practice is to separate them.

Fix

Split the prompt into:

• Role::System: consolidation instructions only
• Role::User: memory content to analyze

Acceptance criteria

Consolidation LLM call uses separate system/user messages. Existing consolidation tests still pass.

Discovered in PR #2358 security audit (INFO-01).