The agent CLI shares the app container with the database, secrets, and source. A prompt injection could read these directly from the filesystem. Output redaction catches accidental leaks but is bypassable (encoding, character separation, reversal).
Spawn each agent session in a short-lived container with only Playwright MCP access and the auth token. No database, no source, no env file. Destroy on session end. This eliminates both the filesystem access and the redaction bypass problem since the secrets are never available to the agent in the first place.
The agent CLI shares the app container with the database, secrets, and source. A prompt injection could read these directly from the filesystem. Output redaction catches accidental leaks but is bypassable (encoding, character separation, reversal).
Spawn each agent session in a short-lived container with only Playwright MCP access and the auth token. No database, no source, no env file. Destroy on session end. This eliminates both the filesystem access and the redaction bypass problem since the secrets are never available to the agent in the first place.