> Fine-grained permissions and policies. Not just what tools an agent can access, but what it can do with them. Read email but not send. Access one repo but not another. Spend up to a threshold but no more.
If nailed this is going to be interesting.
All the other solutions I've been stumbling around are either very hard to customize or too limited.
Docker sandboxing is kinda nice, but not enough to trust an LLM even with my messaging accounts.
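To make the quoted idea concrete, here is a small default-deny policy check for agent tool calls, written as an added example (it is not from the commenter or from any product under discussion). The tool names, resource patterns and the 10-unit spend cap are assumptions made up for the demo; real agent frameworks would plug their own call metadata into `check`.

```python
"""Default-deny, action-level policy for agent tool calls (added example).

Each rule allows a set of actions on one tool, restricted to resources that
match a glob. Anything not explicitly allowed is denied, and spending is
tracked cumulatively against a cap so the agent cannot exceed a threshold
across many small calls.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    tool: str                              # e.g. "email", "git", "payments"
    actions: frozenset                     # e.g. {"read"} but not "send"
    resources: tuple = ("*",)              # glob patterns over resource ids


@dataclass
class Policy:
    rules: list
    spend_limit: float = 0.0               # total units the agent may spend
    spent: float = field(default=0.0)      # running total, updated on allow
    log: list = field(default_factory=list)

    def check(self, tool, action, resource="*", cost=0.0):
        """Return (allowed, reason). Only allowed calls count toward spend."""
        if cost > 0 and self.spent + cost > self.spend_limit:
            return self._decide(tool, action, resource, False, "spend limit exceeded")
        for r in self.rules:
            if (r.tool == tool and action in r.actions
                    and any(fnmatch(resource, p) for p in r.resources)):
                self.spent += cost
                return self._decide(tool, action, resource, True,
                                    f"allowed by rule {r.tool}:{action}")
        return self._decide(tool, action, resource, False, "no matching allow rule")

    def _decide(self, tool, action, resource, allowed, reason):
        # Keep an audit trail so denied attempts are visible to the operator.
        self.log.append((tool, action, resource, allowed, reason))
        return allowed, reason


def build_example_policy():
    """Hypothetical policy: read email but not send, one repo only, capped spend."""
    return Policy(
        rules=[
            Rule("email", frozenset({"read", "search"}), ("inbox", "archive/*")),
            Rule("git", frozenset({"read", "clone"}), ("org/alpha",)),
            Rule("payments", frozenset({"charge"}), ("vendor-*",)),
        ],
        spend_limit=10.0,
    )


def evaluate_trace(policy, calls):
    """Run a constructed sequence of tool calls; returns the allow/deny flags."""
    return [policy.check(*c[:3], cost=c[3] if len(c) > 3 else 0.0)[0] for c in calls]


if __name__ == "__main__":
    # Constructed trace of what an agent might try during one task.
    trace = [
        ("email", "read", "inbox"),            # allowed
        ("email", "send", "inbox"),            # denied: action not granted
        ("git", "read", "org/alpha"),          # allowed
        ("git", "read", "org/beta"),           # denied: wrong repo
        ("payments", "charge", "vendor-x", 8.0),  # allowed, 8/10 spent
        ("payments", "charge", "vendor-x", 5.0),  # denied: would exceed cap
    ]
    p = build_example_policy()
    for call, ok in zip(trace, evaluate_trace(p, trace)):
        print("ALLOW" if ok else "DENY ", call)
```

The point worth noticing is that the spend cap is enforced before any rule match and only debited on allow, and that every decision, including denials, lands in `policy.log` so you can see what the agent tried rather than only what it managed to do.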