Really solid layered approach here. The defense-in-depth pipeline diagram is especially useful — too many teams treat prompt injection defense as a single-layer problem (just the system prompt) and miss that you need independent controls at input screening, output validation, and tool privilege boundaries. One thing I'd add: the regex-based input screening is a good first pass, but in practice attackers are moving toward multi-turn injection and encoded payloads (base64, Unicode homoglyphs) that regex misses entirely. The LLM classifier fallback helps, but there's an interesting cost-security tradeoff there since you're now spending tokens on every request just for classification. The RAG source trust scoring is underrated — I've seen production systems where user-uploaded PDFs get the same retrieval weight as internal docs, which is essentially handing attackers a direct line into the context window. Labeling unverified sources in the prompt context is a simple but effective mitigation that more teams should adopt.