Agents read untrusted text and hold real permissions — that combination is the attack surface. If you've shipped security-critical code before, those instincts transfer directly: validate inputs, least privilege, assume adversaries.
Tap each chip to flip it.