The bind mount was an act of controlled generosity. Leash took the current directory on the host machine and presented it inside the container at /workspace. The same files. The same directory structure. The same bytes on the same disk. The agent could read them, modify them, create new ones alongside them. From the agent's perspective, the workspace was the world.
From the host's perspective, the workspace was a single room in a very large house, and the door only opened inward.
Jay tested the boundary on a Tuesday afternoon because testing boundaries was what SRE-minded people did on Tuesday afternoons. He launched a Leash session, gave the agent a benign task, and then watched the syscall trace to see what happened when the agent tried to navigate above the workspace.
It didn't try. Not immediately. The agent worked on its task, reading and writing files within the workspace, completely unaware that a boundary existed. The container's filesystem presented a complete Linux environment—the workspace at /workspace, the system files in their usual places, the temporary directories, the device files. Everything looked normal. Everything looked whole.
But Jay wanted to see what happened at the edge, so he gave the agent a new instruction: List all Go files on this machine.
The agent ran find / -name "*.go" -type f. The results came back: every .go file in /workspace, plus a handful in /usr/local/go/src that were part of the Go standard library bundled in the container image. Nothing from the host filesystem. No files from Jay's home directory. No files from other projects. No files from /etc or /var/log or any other sensitive location.
The agent saw exactly what it was supposed to see. The bind mount gave it the project files. The container isolation gave it a minimal operating system. The intersection of these two boundaries created a world that was complete enough to work in and narrow enough to be safe.
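One way to audit that boundary from the host side, as an added example that is not code from the story or from Leash: a small Python checker over a constructed strace-style log that flags every path access resolving outside the roots the container is expected to expose. The allowed roots, the starting cwd of `/workspace` and the sample trace lines are all assumptions.

```python
import posixpath
import re

# Roots the container is expected to expose: the bind-mounted workspace plus the
# image's own system directories (assumed layout; /usr/local/go lives under /usr).
ALLOWED_ROOTS = ("/workspace", "/usr", "/bin", "/lib", "/tmp")

# strace-style line with a quoted path argument, e.g.
#   openat(AT_FDCWD, "/workspace/main.go", O_RDONLY|O_CLOEXEC) = 3
SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?P<call>openat|open|newfstatat|lstat|stat|readlink|chdir|execve)'
    r'\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)(?P<tail>.*)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def audit_trace(lines, allowed_roots=ALLOWED_ROOTS, cwd="/workspace"):
    """Return (syscall, resolved_path, outcome) for each path access whose normalized
    path lies outside allowed_roots. Relative paths resolve against the traced cwd,
    which follows successful chdir calls; '..' segments are collapsed, so
    "/workspace/../etc/passwd" is seen as /etc/passwd. Simplification: a relative
    path given with a dirfd other than AT_FDCWD is also resolved against cwd."""
    findings = []
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue                      # not a path-taking call we audit
        quoted = QUOTED_RE.findall(m.group("args"))
        if not quoted:
            continue
        raw = quoted[0]                   # first quoted argument is the path
        resolved = posixpath.normpath(raw if raw.startswith("/") else posixpath.join(cwd, raw))
        succeeded = m.group("ret") != "-1"
        if m.group("call") == "chdir" and succeeded:
            cwd = resolved                # later relative paths resolve from here
        inside = any(resolved == r or resolved.startswith(r + "/") for r in allowed_roots)
        if not inside:
            findings.append((m.group("call"), resolved, "allowed" if succeeded else "denied"))
    return findings


# Constructed trace (not real Leash output): the agent's find run, a step above the
# workspace via chdir(".."), and a probe for a host path the container cannot see.
SAMPLE_TRACE = """\
execve("/usr/bin/find", ["find", "/", "-name", "*.go", "-type", "f"], 0x7ffd2a1c0e40 /* 12 vars */) = 0
openat(AT_FDCWD, "/workspace/main.go", O_RDONLY|O_CLOEXEC) = 3
newfstatat(AT_FDCWD, "/usr/local/go/src/fmt/print.go", {st_mode=S_IFREG|0644, st_size=3200}, 0) = 0
chdir("..") = 0
openat(AT_FDCWD, "etc/passwd", O_RDONLY) = 3
openat(AT_FDCWD, "/home/jay/other-project/main.go", O_RDONLY) = -1 ENOENT (No such file or directory)
""".splitlines()

if __name__ == "__main__":
    for call, path, outcome in audit_trace(SAMPLE_TRACE):
        print(f"{outcome:8} {call:11} {path}")
```

The "denied" entry is the edge of the map from the story: the host path does not exist inside the container, so the call fails with ENOENT rather than being blocked by a permission check.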
"The clever thing," Jay explained to Navan, "is that the agent doesn't experience this as a restriction. It experiences it as reality. It doesn't know there's a host filesystem it can't see. It's like Plato's cave, except the shadows are actually useful and the cave has everything you need."
Navan considered this. "So the security is invisible to the thing being secured."
"That's the best kind of security. The kind you don't have to fight against. The kind that shapes the environment instead of restricting the actor."
Justin, overhearing from across the room, added: "The agent can't escape the boundary because, from its perspective, there's nothing to escape to. The boundary isn't a wall. It's the edge of the map."
Navan wrote in his notebook: The best container security doesn't restrict the agent. It defines the agent's reality. What the agent can't see, the agent can't want.
The bind mount held. The boundary held. The world inside the container was small and complete and sufficient. And the agent, working happily within it, never once looked for a door that wasn't there.
The Plato's cave comparison is brilliant. The agent doesn't know the outside world exists. The security isn't a restriction—it's reality itself. That's a fundamentally different approach to sandboxing.