ISOLATION CHECK: FAILED (logged, not hard-fail per SKILL.md)

The blind agent's _isolation_check field reports filesystem access to /Users/justnau/finlet
during the evaluation, including reading finlet/cli.py and finlet/config.py source.

Root cause: blind-launcher.sh allows `Bash(*)` permission AND env -i preserves PATH +
parent process cwd remains /Users/justnau/finlet. The agent could `cat` source files
directly. HOME and CLAUDE_CONFIG_DIR were correctly redirected, so no CLAUDE.md / skills
were loaded — but raw filesystem read is unconstrained.

Contamination assessment: LOW
- All 16 findings in the report are surface-level UI observations (DOM text, API responses,
  console messages, page titles, CLI tracebacks).
- None of the findings cite source-code internals as evidence.
- The _isolation_check meta-comment is the only place source knowledge surfaces.
- Findings are valid signals; proceeding with triage.

Future-fix candidate (not this iteration): tighten launcher Bash permissions (e.g.,
Bash(npx*) only) OR run blind subprocess from /tmp via cd in env -i invocation.
