[SEC-2.4] Memory retrieval sanitization boundary

[bug-ops]

Part of #1195 — Phase 2

Apply sanitization to memory search results (Qdrant/SQLite) to prevent poisoned memory attacks.

Crates: zeph-memory
Depends on: SEC-1.4

Tasks:

• SemanticMemory::search() results tagged ExternalUntrusted (memory could have been poisoned by earlier injected content)
• Apply ContentSanitizer to retrieved memory entries before returning to agent
• tracing::warn! if injection patterns detected in stored memory (indicates prior poisoning)
• Unit tests with mock memory entry containing injection payload

Files: crates/zeph-memory/src/orchestrator.rs

[bug-ops]

Coordinate merge order with #1160 (memory eviction) — both modify crates/zeph-memory/src/orchestrator.rs. Eviction should merge first to establish deleted_at filtering; this issue adds sanitizer on search() output path.

[bug-ops]

Cross-epic dependency

Related: #1226 (Graph-aware retrieval, epic #1222)

Graph memory adds a new retrieval path: graph_recall() returns GraphFact structs from the knowledge graph. This path must be covered by memory retrieval sanitization alongside existing SemanticMemory::search().

When implementing, ensure sanitization covers both:

1. SemanticMemory::recall() / recall_routed() (existing path)
2. graph_recall() → Vec<GraphFact> (new path from feat(memory): graph-aware retrieval with BFS traversal and RRF fusion #1226)