scosman | 1 day ago
There’s a misconception about the right security boundary for agents. The agent code needs secrets (API keys, prompts, code) and the network (docs, other use cases). Wrapping the whole agent in a container puts secrets, network access, and arbitrary agent cli execution into the same host OS.
If you sandbox just the agent’s CLI access, then it can’t access its own API keys/code/host-OS/etc.
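The boundary the comment describes, as an added example (not the commenter's code): the orchestrating agent process keeps the secret, and each tool/CLI call runs in a child with a scrubbed environment and an empty scratch directory, so the tool cannot read the key or the agent's own source tree. `AGENT_API_KEY`, `run_tool` and `TOOL_ENV` are constructed names for this example.

```python
"""Run an agent's tool/CLI calls in a subprocess that cannot see the agent's
own secrets. Added example, not from the original comment. The secret value,
AGENT_API_KEY and run_tool are constructed/hypothetical names."""
import os
import subprocess
import tempfile

# Constructed secret held only by the orchestrating agent process.
os.environ["AGENT_API_KEY"] = "sk-constructed-example-not-real"

# Minimal environment handed to the sandboxed tool: no API keys, no HOME,
# nothing inherited from the agent's own environment.
TOOL_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def run_tool(argv, timeout=10):
    """Execute one tool command with a scrubbed environment in a scratch dir.

    Returns (exit_code, stdout). The child receives TOOL_ENV only, so the
    agent's API key is not inherited, and its cwd is an empty temporary
    directory, so relative paths cannot reach the agent's code or config.
    """
    with tempfile.TemporaryDirectory() as scratch:
        proc = subprocess.run(
            argv,
            cwd=scratch,
            env=TOOL_ENV,
            capture_output=True,
            text=True,
            timeout=timeout,
            stdin=subprocess.DEVNULL,
        )
    return proc.returncode, proc.stdout


def key_visible_to_tool():
    """True if a sandboxed tool can read the agent's API key from its env."""
    _code, out = run_tool(["sh", "-c", 'printf "%s" "${AGENT_API_KEY:-}"'])
    return bool(out)


def key_visible_to_agent():
    """True if the agent process itself still holds the key (it should)."""
    return "AGENT_API_KEY" in os.environ
```

Environment scrubbing and a scratch cwd only cover inherited secrets and the working directory; to also cut the tool off from the host filesystem and network, wrap the same `run_tool` child in an OS-level sandbox (a container or namespace) while the agent loop stays outside it with the keys.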