In Dockerized agent setups, prompt files, skills, and other in-container controls are not a real boundary. The agent can ignore or rewrite them.
Airlock replaces sensitive CLIs in the container with shims that send requests to a host daemon over a Unix socket. The host validates the request against policy and, if allowed, executes the real command there.
The goal is to let a containerized agent use tools like git, ssh, aws, terraform, or docker without the container holding the real credentials.
It’s not a general sandbox or a complete agent security solution. It solves a narrower problem: host-side enforcement for credentialed CLI access.
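
The host-side check described above, shown as an added example in Python; it is not Airlock's own code. The request format (JSON carrying an argv list), the policy layout, the binary path, and the authorize function are assumptions made for illustration.

```python
import json

# Hypothetical policy (constructed, not exhaustive). Deny by default: a CLI
# is usable only if listed, and only with the subcommands named here.
POLICY = {
    "git": {
        "binary": "/usr/bin/git",  # resolved on the host, never taken from the request
        "subcommands": {"status", "log", "fetch", "pull", "push"},
        # options that make git run a caller-chosen program
        "denied_options": ("--upload-pack", "--receive-pack", "--exec"),
    },
}


def authorize(raw_request, policy=POLICY):
    """Return (argv_to_exec, None) if allowed, otherwise (None, reason)."""
    try:
        argv = json.loads(raw_request)["argv"]
    except (ValueError, KeyError, TypeError):
        return None, "malformed request"
    if not isinstance(argv, list) or not argv or not all(
        isinstance(a, str) and "\x00" not in a for a in argv
    ):
        return None, "argv must be a non-empty list of strings"

    name, args = argv[0], argv[1:]
    rule = policy.get(name)  # exact name match, so "/tmp/git" is not "git"
    if rule is None:
        return None, f"command not in policy: {name}"
    # The subcommand must come first; global options before it are refused.
    if not args or args[0] not in rule["subcommands"]:
        return None, "subcommand not allowed"
    for arg in args[1:]:
        for opt in rule["denied_options"]:
            if arg == opt or arg.startswith(opt + "="):
                return None, f"option denied: {opt}"
    # The caller would pass this list to subprocess.run(..., shell=False).
    return [rule["binary"], *args], None


if __name__ == "__main__":
    # Constructed requests, as a shim might write them to the socket.
    for req in (
        b'{"argv": ["git", "push", "origin", "main"]}',
        b'{"argv": ["git", "fetch", "--upload-pack=/tmp/x", "origin"]}',
        b'{"argv": ["/tmp/git", "status"]}',
    ):
        print(req.decode(), "->", authorize(req))
```

The decision is made entirely from the untrusted request plus host-held policy, so nothing the agent rewrites inside the container changes the outcome.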