I built Airlock to move policy enforcement for credentialed CLI access out of agent containers and onto the host. In Dockerized agent setups, prompt files, skills, and other in-container controls are not a real boundary. The agent can ignore or rewrite them. Airlock replaces sensitive CLIs in the container with shims that send requests to a host daemon over a Unix socket. The host validates the request against policy and, if allowed, executes the real command there. The goal is to let a containerized agent use tools like git, ssh, aws, terraform, or docker without the container holding the real credentials. It’s not a general sandbox or a complete agent security solution. It solves a narrower problem: host-side enforcement for credentialed CLI access.
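The shim-to-daemon exchange described above, as an added example that is not Airlock's own code: a container-side shim sends `{"tool", "args"}` as one JSON line over a Unix socket, and a host-side handler applies a deny-by-default policy (known tool, allow-listed subcommand, refused option prefixes, argument sanity limits) before running the real binary on the host and returning only the result. The request format, the policy structure, and the use of `echo` as a stand-in for the real `git` binary are all assumptions made so the example runs offline in one process.

```python
import json
import os
import shutil
import socket
import subprocess
import tempfile
import threading

# Constructed policy for the demo (assumed structure, not Airlock's). The
# "real" binary is a stand-in so nothing credentialed is needed to run this.
STANDIN_BINARY = shutil.which("echo") or "/bin/echo"
POLICY = {
    "git": {
        "binary": STANDIN_BINARY,
        "allow_subcommands": {"status", "fetch", "log", "diff"},
        # option prefixes refused even after an allowed subcommand
        "deny_prefixes": ("--exec", "--upload-pack", "--receive-pack", "--output"),
        "max_args": 32,
    },
}


def evaluate(tool, args, policy=POLICY):
    """Deny-by-default check of one shim request. Returns (allowed, reason)."""
    rule = policy.get(tool)
    if rule is None:
        return False, f"tool {tool!r} not in policy"
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False, "args must be a list of strings"
    if len(args) > rule["max_args"]:
        return False, "too many arguments"
    if any("\0" in a or "\n" in a for a in args):
        return False, "control characters in argument"
    if not args or args[0] not in rule["allow_subcommands"]:
        first = args[0] if args else None
        return False, f"subcommand {first!r} not allowed for {tool}"
    for a in args[1:]:
        if a.startswith(rule["deny_prefixes"]):
            return False, f"option {a!r} refused"
    return True, "allowed"


def recv_line(sock, limit=65536):
    """Read one newline-terminated message, capped at `limit` bytes."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def handle(conn, policy=POLICY):
    """Host side: parse one request, enforce policy, run the real binary."""
    with conn:
        try:
            req = json.loads(recv_line(conn))
            tool, args = req["tool"], req["args"]
        except (ValueError, KeyError, TypeError):
            conn.sendall(b'{"allowed": false, "reason": "malformed request"}\n')
            return
        ok, reason = evaluate(tool, args, policy)
        resp = {"allowed": ok, "reason": reason}
        if ok:
            # The binary and any credentials it uses stay on the host; the
            # container only ever receives this response.
            proc = subprocess.run([policy[tool]["binary"], *args],
                                  capture_output=True, text=True, timeout=30)
            resp.update(returncode=proc.returncode, stdout=proc.stdout)
        conn.sendall((json.dumps(resp) + "\n").encode())


def listen_on(sock_path):
    """Create the daemon's Unix socket, readable only by its owner."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)
    srv.listen(4)
    return srv


def serve(srv, n_requests, policy=POLICY):
    """Handle n_requests on an already-listening socket, then stop."""
    with srv:
        for _ in range(n_requests):
            conn, _ = srv.accept()
            handle(conn, policy)


def shim(sock_path, tool, args):
    """Container side: what the replacement `git` does instead of exec."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall((json.dumps({"tool": tool, "args": args}) + "\n").encode())
        return json.loads(recv_line(c))


def demo():
    """Run daemon and shim in one process; returns (allowed, denied) responses."""
    sock_path = os.path.join(tempfile.mkdtemp(), "airlock.sock")
    t = threading.Thread(target=serve, args=(listen_on(sock_path), 2), daemon=True)
    t.start()
    allowed = shim(sock_path, "git", ["status", "--short"])
    denied = shim(sock_path, "git", ["push", "--force"])
    t.join(timeout=10)
    return allowed, denied


if __name__ == "__main__":
    print(demo())
```

The point the code makes is where the decision lives: `evaluate` and the real binary both run in the daemon's process on the host, so nothing the container rewrites (prompt, skill, or the shim itself) changes the policy outcome. A real deployment would additionally authenticate the peer (for example via `SO_PEERCRED` on Linux) and keep the socket file outside any path the container can modify.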