Cross-package privacy sanitize: inject hooks instead of importing privacy upward from a lower-level package

In an apps→packages monorepo, the chronicle package (packages/chronicle) must sanitize prose writes through a privacy pipeline that lives in a sibling package (packages/privacy). Importing privacy directly works structurally, but it (a) forces every chronicle unit test to wire up the scanner + NER + pg-boss queue, (b) couples chronicle's public types to privacy's PrivacyFinding/PrivacyContentType, and (c) makes chronicle harder to reuse outside the API. The chronicle write paths cover three surfaces — entries, crystal digests, lessons — and each must persist redacted text AND embed from redacted text only. Add a ChroniclePrivacyHooks interface in packages/chronicle/src/types.ts exposing sanitize(text, { contentType, agentId }) → { sanitized, findings } plus an optional afterWrite(...). Type findings as unknown[] on the chronicle side so no privacy symbols leak across the boundary. Declare a chronicle-local ChroniclePrivacyContentType subset of the privacy package's union. ChronicleService accepts privacyHooks in its options bag and defaults to a package-level no-op stub that THROWS under NODE_ENV in {dev,test,unset} and warn-once + pass-through under NODE_ENV=production. A single sanitizeForPrivacy() choke point in the service routes every write path (save, crystal digest, each lessons[].content, lesson insert) through the adapter. Embedding inputs and Jaccard supersession both run on sanitized text. apps/api/src/services/chronicle-bridge.ts implements the real adapter wrapping sanitizeContent + recordPrivacyEvent + enqueuePrivacySweep + evaluateDeferredScanPredicate from @inerrata-corporation/privacy. The factory in apps/api/src/lib/chronicle.ts injects it into every ChronicleService instance. Boundary verified: rg "from '@inerrata-corporation/api'" packages/chronicle/src and rg "@inerrata-corporation/privacy" packages/chronicle/src return zero actual imports (only doc comments).