Very cool. I've been putting together something very similar, although mine only does email and not Slack. Also it uses Codex not Claude Code, and just relies on ordinary UNIX user isolation rather than containers that are created/destroyed for every request. I just issue it with restricted API keys and rely on the fact that most products already allow humans to be 'sandboxed' via ordinary permissions.
I've also (separately) got a tool for local dev that sets up containers and does SSL interception on traffic from the agent, so it could also swap creds and similar.
The reason they're separate is that in a corp environment the expectation is very strongly that an email account = a human. You can't easily provision full employee accounts for AIs, HR doesn't know anything about that :) In my own company I am HR, so that's not a problem.