Prompt Injection Is Unfixable (So We Stopped Trying)
grith.ai

Broadly agree. Moving from prompt to action is the right direction. I think the prepared statements analogy is not fully comparable in that SQL has a clear boundary between code and data whereas tool calls don't. However, this isn't fatal, just being honest about the shape of the trade-off.
I feel that the hard problem is writing policies expressive enough to cover arbitrary agent work without collapsing back into "trust the model's intent."
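To make the "policy on actions, not on prompts" idea concrete, here is an added example (not code from the original post or from grith.ai): a default-deny gate that checks each tool call an agent emits against a declarative allowlist, so an injected instruction is neutralised at the action boundary regardless of what the model believed it was doing. The `POLICY` table, the tool names and the sample calls are constructed for illustration.

```python
"""Action-level policy gate for agent tool calls (constructed example)."""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class ToolCall:
    tool: str
    args: dict

# Constructed policy for a "read the repo, edit docs, query GitHub" agent.
# It describes what the agent may DO; the prompt contents never enter the decision.
POLICY = {
    "fs.read":  {"path": ["repo/*"]},
    "fs.write": {"path": ["repo/docs/*"]},
    "http.get": {"url": ["https://api.github.com/*"]},
}

def evaluate(call: ToolCall, policy=POLICY) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown tools, arguments the policy does not
    mention, and values matching no pattern are all denied (default deny)."""
    rule = policy.get(call.tool)
    if rule is None:
        return False, f"tool {call.tool!r} not in policy"
    for name, value in call.args.items():
        patterns = rule.get(name)
        if patterns is None:
            return False, f"argument {name!r} of {call.tool!r} is not covered by policy"
        if not isinstance(value, str):
            return False, f"argument {name!r} must be a string"
        if name == "path":
            value = posixpath.normpath(value)  # collapse ../ so "repo/../x" cannot pass
        if not any(fnmatchcase(value, p) for p in patterns):
            return False, f"{call.tool}.{name}={value!r} matches no allowed pattern"
    return True, "ok"

def run_agent_step(calls, policy=POLICY):
    """Simulated agent turn: partition calls into executed and denied (with reasons)."""
    executed, denied = [], []
    for call in calls:
        ok, why = evaluate(call, policy)
        (executed if ok else denied).append((call, why))
    return executed, denied

# Constructed calls: the last two are the kind an injected document could steer the
# model into emitting; the gate rejects them without inspecting any prompt text.
CALLS = [
    ToolCall("fs.read", {"path": "repo/README.md"}),
    ToolCall("fs.write", {"path": "repo/docs/CHANGELOG.md"}),
    ToolCall("fs.read", {"path": "repo/../home/user/.ssh/id_rsa"}),
    ToolCall("http.post", {"url": "https://api.github.com/repos"}),
]
```

The hard part the comment names is visible here too: the allowlist is easy for a narrow task, but widening it to "arbitrary agent work" quickly tempts one to re-admit the model's intent as an input to `evaluate`.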