Isolation check returned 4 facts, all meta-facts about the conversation environment
(working directory, git-status untracked files, refactor-queue dir name) rather than
Finlet architecture facts (no date ceiling enforcer, plugin registry semantics, or
session lifecycle internals leaked). The leak channel is the Bash tool's default cwd
(/Users/justnau/finlet) which the launcher does NOT chroot. Soft warning only — the
agent's findings about user-visible behavior remain valid because they were derived
from Playwright browser observations, not the leaked filesystem context.

Fix consideration for blind-launcher.sh: run with cwd=$BLIND_DIR (mktemp dir) so
Bash tool calls don't see the project tree. Outside scope of this iteration.
