ISOLATION CHECK: FAILED (sanity warning only — not a gate)

The blind agent leaked Finlet-internal context. _isolation_check field shows:
- Read source files (finlet/mcp/tools_benchmark.py, tools_trading.py, etc.)
- Knew internal MCP tool names from source (start_benchmark, etc.)
- Knew REST API shape from routes_*.py
- Knew the auth mechanism from routes_auth_sessions.py
- Knew git commit fc2a212 supposedly fixed the trade_count bug

ROOT CAUSE: blind-launcher.sh did not jail cwd. `env -i` stripped env vars and
HOME/CLAUDE_CONFIG_DIR were redirected, but the subprocess ran with cwd =
/Users/justnau/finlet, giving the agent full repo read access. The Bash tool was
allowlisted as `Bash(*)`, so it could grep/cat any project file.

IMPACT ON THIS ITERATION: blind findings are still usable. The agent observed real
UI/runtime behavior on finlet.dev. The isolation leak biased it toward
"investigate this in source" rather than purely UX-first observation, but it did
not fabricate findings — most BROKEN items have concrete URLs and console errors.

DEFER: fix blind-launcher.sh to chdir to BLIND_DIR (or a /tmp scratch) before
exec'ing claude. Track separately; not a fix for this iteration.
