Really solid framework here. The chaperone layer approach makes a lot more sense than trying to retrofit traditional API security. I've seen teams struggle with the exact "ambiguous intent" problem when agents start chaining tools together in unexpected ways. The JIT permissioning point is especially important bc static service accounts create such a huge blast radius if things go sideways.
Feb 1 at 1:53 AM