This is the right direction. When running AI coding agents in production, the scariest moment is when an agent needs API access to do its job but you can't trust what it'll do with those credentials. We ended up with a simpler version of this: each agent runs in an isolated git worktree with only the env vars it specifically needs, and network access restricted to localhost + our API. No MITM proxy, just a stripped-down environment.
The deny-by-default model is correct. The question is how granular you need to be. For AI agents, I'd argue coarse-grained is better — network yes/no, filesystem scoped to one directory, no credential access. Fine-grained permissions add complexity the agent will just work around anyway.
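As an added illustration of the worktree-plus-allowlisted-env setup described above (example code, not the commenter's tooling): a launcher that drops everything from the caller's environment except an explicit allowlist and runs the agent in a throwaway git worktree. The allowlist names (`AGENT_API_URL`, `AGENT_TASK`) are assumptions, and the localhost-plus-API network restriction is assumed to be enforced by the host firewall or a network namespace, not by this script.

```shell
# Deny-by-default launcher (hypothetical): run one agent command in its own git
# worktree with an empty environment plus an explicit allowlist of variables.
# Network egress restriction is assumed to be handled outside this script.

# Variables the agent may see. Everything else in the caller's environment
# (cloud credentials, tokens, SSH agent sockets) is dropped.
AGENT_ENV_ALLOWLIST="PATH LANG AGENT_API_URL AGENT_TASK"

# Return 0 if NAME would be passed through to the agent, 1 otherwise.
env_allowed() {
    for name in $AGENT_ENV_ALLOWLIST; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# Print NAME=VALUE for each allowlisted variable that is set and non-empty.
filtered_env() {
    for name in $AGENT_ENV_ALLOWLIST; do
        eval "value=\${$name:-}"          # name comes from the fixed allowlist above
        [ -n "$value" ] && printf '%s=%s\n' "$name" "$value"
    done
    return 0
}

# run_agent REPO BRANCH CMD [ARGS...]
# Checks out BRANCH into a throwaway worktree, runs CMD there with an empty
# environment plus the allowlisted variables, then removes the worktree.
run_agent() {
    repo="$1"; branch="$2"; shift 2
    sandbox="$(mktemp -d "${TMPDIR:-/tmp}/agent-XXXXXX")" || return 1
    git -C "$repo" worktree add --detach "$sandbox/src" "$branch" >/dev/null || return 1
    # HOME is pinned to the sandbox so dotfiles and caches stay inside it.
    set -- "HOME=$sandbox" "$@"
    for name in $AGENT_ENV_ALLOWLIST; do
        eval "value=\${$name:-}"
        [ -n "$value" ] && set -- "$name=$value" "$@"
    done
    ( cd "$sandbox/src" && env -i "$@" )   # env -i: start from nothing, add only "$@"
    status=$?
    git -C "$repo" worktree remove --force "$sandbox/src" >/dev/null 2>&1
    rm -rf "$sandbox"
    return "$status"
}
```

Usage: `AGENT_API_URL=http://localhost:8080 run_agent /srv/repo main ./agent --task fix-tests`; anything like `AWS_SECRET_ACCESS_KEY` in the parent shell never reaches the agent process.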