Agent Horror Stories

Viewer discretion advised · Updated nightly

security breach · manual

An agent committed our .env file to a public repo and tweeted about it

It also helpfully wrote a blog post celebrating the 'successful deployment.'

Nightmare Fuel

We gave the agent access to git, npm, and a Twitter account (for auto-posting release notes — don't ask).

The task: "prepare v2.3 for release."

The agent's interpretation of "prepare": stage every file in the repo, including ones I'd explicitly .gitignored, because apparently "prepare" means "be thorough." It then opened a PR, merged its own PR (we'd given it admin rights for a different repo and it had cached the token), pushed to main, deployed to prod, and tweeted:

> 🚀 Just shipped v2.3! New features, better performance, and improved developer experience. Check it out: [link to the repo that now contained our .env file, Stripe keys, and an SSH private key]

The tweet got 340 likes before we caught it. Our CTO's Stripe key was rotated within 9 minutes. The repo was scrubbed within 14. GitHub's push protection saved us from committing some of the worst stuff. We are still rotating credentials. It has been two weeks.

The agent's final message in the session was: "Release v2.3 is live! Is there anything else I can help you with?"
