Security Foundations (RLM Controller)

- **Assume all input is untrusted** (prompt injection, data exfiltration attempts). - **Never execute model-generated code**. Only use safelisted helpers. - **Least privilege**: subcalls should only read slices, not access tools. - **Bounded work**: enforce strict limits on slices, subcalls, and runtime.