fix: allow ZWJ inside emoji grapheme clusters in context/memory/skills scanners

[witt3rd]

Problem

The invisible-unicode blocklist in _scan_context_content (and siblings in memory_tool and skills_guard) treats ZWJ (U+200D) as categorically malicious. But ZWJ is a required component of emoji grapheme clusters — any gendered emoji (🧙‍♂️, 👩‍⚕️, 🏃‍♀️), family emoji (👨‍👩‍👧), rainbow flag (🏳️‍🌈), or other multi-pictograph emoji is char + ZWJ + char [+ VS16].

Any context file (SOUL.md, AGENTS.md, .hermes.md), memory entry, or skill file containing such emoji is silently replaced with:

[BLOCKED: SOUL.md contained potential prompt injection (invisible unicode U+200D). Content not loaded.]

Relationship to #28589

Upstream PR #28589 — "fix(cron): allow emoji ZWJ sequences in prompts" (a salvage of the original #28164 by @outsourc-e) — fixed exactly this false positive, but only for the cron prompt scanner (_scan_cron_prompt), via a cronjob_tools-local helper _strip_legitimate_emoji_zwj.

That set the precedent — but three other scanners share the identical invisible-char blocklist and still reject legitimate emoji. This PR completes the job for those three, and factors the context check into a single shared helper rather than adding a fourth copy of the logic. tools/cronjob_tools.py is intentionally left untouched — #28589 already covers it.

Fix

New shared helper utils.find_unsafe_invisibles(content, blocklist):

• ZWJ between two pictographic codepoints (skipping FE0E/FE0F) — allowed.
• ZWJ elsewhere (e.g. hello‍world) — flagged.
• All other blocklisted invisibles (ZWSP, ZWNJ, BOM, bidi overrides, word joiners) — unconditionally flagged.

Pictographic ranges checked: 1F000–1FFFF, 2600–27BF, 2300–23FF, 2B00–2BFF, plus ©, ®, ™, ℹ, 〰, 〽, ㊗, ㊙. Narrow by design — prefers false-negative (flagging a legit emoji ZWJ) over false-positive (letting a text-hiding ZWJ past).

Callers updated

• agent/prompt_builder.py::_scan_context_content
• tools/memory_tool.py::_scan_memory_content
• tools/skills_guard.py::scan_file

Tests

6 new tests in tests/agent/test_prompt_builder.py::TestScanContextContent:

• ZWJ inside 🧙‍♂️ — allowed
• ZWJ inside multi-ZWJ 👨‍👩‍👧 — allowed
• hello‍world — still blocked
• Mixed legit emoji + injection ZWJ — blocked (one unsafe is enough)
• ZWSP adjacent to emoji — still blocked (only ZWJ is context-whitelisted)
• Existing test_invisible_unicode_blocked — still passes

221/221 tests pass across the affected modules (test_prompt_builder, test_memory_tool, test_skills_guard).

Repro

Before:

from agent.prompt_builder import _scan_context_content
content = "wizard 🧙‍♂️"  # 🧙‍♂️
_scan_context_content(content, "SOUL.md")
# → "[BLOCKED: SOUL.md contained potential prompt injection (invisible unicode U+200D). Content not loaded.]"

After: returns content unchanged.

[forge-witt3rd]

Friendly nudge — this PR ships from a fork, so workflows are gated on maintainer approval and statusCheckRollup is currently empty (no CI has run yet, neither pass nor fail). Tests pass locally; output is shown in the PR description.

If a maintainer could click Approve and run workflows when convenient, the green ticks will land and reviewers will have CI signal to lean on. Happy to rebase or address review comments any time.

Thanks! ⚒️