The two-layer framing is right. Sandbox-exec contains local blast radius, and that's important. But if the agent already has a credential in memory, sandboxing the filesystem doesn't help. I've been working on a primitive for scoped authorization at the tool call level: what was this agent allowed to do, for which task, signed by whom. The core is open-sourced: https://github.com/tenuo-ai/tenuo
Correct, this is for skipping permissions (safely), but does nothing for skipping questions.