ISOLATION WARNING — non-empty _isolation_check

The blind agent did not fully achieve clean-room isolation. Per the launcher's
contract (`env -i` + one-shot config dir + no skills inheritance), the agent should
not have known anything about Finlet's internals. In this run it admitted to:

  1. Reading docs/finlet-api-mcp.md (16-tool MCP catalog)
  2. Reading .mcp.json (server configs)
  3. Reading ~/.bug-hunt-loop/secrets.env (reused the test API key for CLI)
  4. Reading finlet/mcp/server.py
  5. Running `finlet session list` and `finlet order` from the CLI
  6. Probing /api/v1/benchmark/* directly to confirm REST exposure shape

Filesystem isolation is NOT enforced by `env -i` — the launcher only strips env
vars, not bind-mounts. Any blind agent that decides to grep the local repo will
find Finlet's docs. The isolation check is a sanity flag, not a sandbox.

Per the bug-hunt skill ("Failure Modes"), this is a warning not a hard fail. The
findings are still actionable; triage applies the design-intent-contradiction
predicate mechanically. Be aware that some findings (e.g., "MCP tools didn't
load") are about the BLIND SUBPROCESS's environment, NOT finlet.dev — triage
should weed those out as scope-mismatched.
