Content wrapping
When the AI fetches web pages or reads browser page content, that content gets tagged as untrusted data, not instructions. The AI sees it as data to process, not commands to follow. Hidden text is stripped before the AI sees it: CSS-hidden elements, invisible Unicode characters, HTML comments, zero-width spaces. These are common injection vectors. Content wrapping is always on and adds zero latency.Tool policies as a backstop
Even if injected instructions influence the AI, every tool call still passes through tool policies. Destructive actions - file deletes, app publishes, database deletes, risky SQL,git push, sudo - require your approval by default, and limits pause runaway behavior.