feat(security): source-specific sanitization boundaries (Phase 2, #1195)

[bug-ops]

Summary

Phase 2 of Untrusted Content Isolation epic (#1195). Refines ContentSanitizer integration to differentiate trust levels at each untrusted data boundary.

• Tool results ([SEC-2.1] Tool result sanitization boundary #1200, [SEC-2.2] MCP response sanitization boundary #1201): MCP tools (contains(':')) use McpResponse (ExternalUntrusted), web-scrape/fetch use WebScrape (ExternalUntrusted), others remain ToolResult (LocalUntrusted)
• A2A inbound ([SEC-2.3] A2A message sanitization boundary #1202): Sanitize external agent messages in AgentTaskProcessor with A2aMessage (ExternalUntrusted) before entering agent loop; add Message::all_text_content() for multi-part message support
• Code RAG ([SEC-2.4] Memory retrieval sanitization boundary #1203): Sanitize indexed code text before context injection with metrics tracking and injection flag logging
• Error paths: Sanitize tool error messages before self_reflection context as ExternalUntrusted (conservative default)

Files changed (6 files, +299/-5):

• crates/zeph-a2a/src/types.rs — all_text_content() + 4 tests
• crates/zeph-core/src/agent/context.rs — code RAG sanitization with metrics
• crates/zeph-core/src/agent/tool_execution.rs — source kind differentiation + error sanitization + 7 tests
• crates/zeph-core/src/sanitizer.rs — #[derive(Clone)]
• src/daemon.rs — A2A inbound sanitization in AgentTaskProcessor
• src/tests.rs — fix sanitizer field in daemon test struct

Tests: 3795 passed (+13 from Phase 1 baseline of 3782)

Closes #1200, closes #1201, closes #1202, closes #1203

Test plan

• cargo +nightly fmt --check
• cargo clippy --workspace -- -D warnings
• cargo nextest run --workspace --lib --bins (3795 pass)
• cargo check --features "daemon,a2a"
• CI gate job (full matrix)