Summary

Phase 4 of Untrusted Content Isolation epic (#1195). Adds ExfiltrationGuard to zeph-core with three independently toggleable guards:

• Markdown image scanner: strips inline (![](url)) and reference-style (![alt][ref]) image injection from LLM output at 5 integration points (streaming, non-streaming, native text, ToolUse text, cache hits)
• Tool URL validator: cross-references URLs in tool call arguments against flagged untrusted content; flag-only approach (no blocking) consistent with Phase 1 philosophy
• Memory write guard: skips Qdrant embedding for injection-flagged content while preserving SQLite conversation continuity

Config

[security.exfiltration_guard]
block_markdown_images = true   # default
validate_tool_urls = true      # default
guard_memory_writes = true     # default

Changes

• crates/zeph-core/src/sanitizer/exfiltration.rs (new): ExfiltrationGuard, ExfiltrationGuardConfig, ExfiltrationEvent, 20 unit tests
• crates/zeph-core/src/agent/tool_execution.rs: 5 scan integration points, tool URL validation, flagged URL collection
• crates/zeph-core/src/agent/persistence.rs: has_injection_flags parameter on persist_message
• crates/zeph-core/src/config/types.rs: ExfiltrationGuardConfig under SecurityConfig
• crates/zeph-core/src/metrics.rs: 3 new counters
• Docs, READMEs, CHANGELOG updated

Review process

Architecture critic (4 significant + 4 minor gaps) → all addressed in implementation → code review (2 critical + 3 important) → all fixed and re-review approved.

Known limitations (Phase 5)

• Percent-encoded scheme bypass (%68ttps://)
• HTML <img> tag injection
• Unicode zero-width joiner bypass
• Streaming chunks visible before accumulated scan

Test plan

• 20 unit tests for ExfiltrationGuard (scan_output, validate_tool_call, memory guard)
• cargo nextest run --features full: 4029/4029 pass
• cargo clippy --features full: 0 warnings
• cargo +nightly fmt --check: clean

Closes phase 4 of #1195.