Awesome stuff! Thanks for the reply.

Tokenizer is an explicit proxy though right?

My use case is very similar, but I wanted a transparent proxy so I could run unmodified scripts. It is a tricky design decision though.

I also mount a little fuse filesystem that mints macaroon on read (with a shorter lifetime, probably inspired by y'all but i forget from where).

I work on realtime collaboration of markdown files (currently in Obsidian), which has become a shared-context substrate for agents, skills, etc.. Our own company workspace has skills that have scoped access to fly, stripe, gmail, etc. We're definitely drinking the file-over-app personal-software-for-teams Kool-Aid, so the problem space for us includes access control and auditing.

Love your work :)