Drydock shifts the security model for agentic coding from trusting agent behavior to hardware-level containment, so threats like prompt injection or malicious dependencies cannot escape the sandbox to reach the host's credentials, filesystem, or network — regardless of what the agent attempts.