It started as a question during the team's Friday afternoon session, the weekly hour they reserved for thinking about things that hadn't happened yet.
"What if an agent escapes the container?" Jay asked.
The room was quiet for a moment. Not because the question was taboo. Because it was the right question, and right questions deserved a respectful silence before the first answer.
Justin spoke first. "Define escape."
"Container breakout. A kernel vulnerability. A misconfigured volume mount. A symlink race condition. The agent gains access to the host filesystem. It can read files outside the workspace. It can make network connections that bypass the Cedar policy. It's out."
"Okay," Justin said. "It's out. Then what?"
This was Justin's method. He didn't argue against the premise. He followed it. He let the thought experiment run.
"If it's out of the container, it still doesn't have root on the host," Jay continued. "The container runs as an unprivileged user. The escape gives it host filesystem access with that user's permissions. So it can read the workspace directory on the host, which it already had access to inside the container."
"What can it read that it couldn't before?" Navan asked.
"Other project directories. The home directory. Environment variables in the shell profile. SSH keys. API keys that aren't forwarded into the container."
"But the API keys on the host are encrypted at rest," Navan pointed out. He'd set that up two months ago—a GPG-encrypted keyring that Leash decrypted only at the moment of forwarding and only for the specific key the session needed.
"Right. And the SSH keys require a passphrase. And the other project directories don't contain anything the agent could use without additional credentials."
Justin drew the layers on the whiteboard—the only whiteboard in the office, installed last month after Navan had requested it. Layer one: the container boundary. Layer two: unprivileged user. Layer three: encrypted credentials. Layer four: network egress filtering at the host level. Layer five: the MCP observer, which would still be recording tool calls even if the agent escaped, because the observer ran on the host, not inside the container.
Five layers. The container was layer one. If layer one failed, four layers remained.
"Defense in depth means that no single failure is catastrophic," Justin said. "The container is important. But it's not the only thing standing between the agent and the crown jewels. It's the first thing."
"So an escape wouldn't matter?" Jay asked.
"An escape would matter. It would reduce our defensive posture from five layers to four. That's significant. But it's not game over. It's an incident, not a catastrophe."
They spent the rest of the hour hardening. Navan added seccomp profiles to restrict the set of syscalls available inside the container. Jay tightened the volume mount to be read-only except for a single writable directory. Justin reviewed the host-level network egress rules.
Nobody believed an escape was imminent. Nobody needed it to be imminent to take it seriously. The thought experiment was the point. The hardening was the result. The Friday session ended with the system a little stronger than it had been an hour before.
The container held. But even if it didn't, the castle had more walls.
This is how threat modeling should work. No hand-wraving, no FUD. Just "assume it breaks, then what?" and systematically work through the layers. The five-layer diagram is excellent.