“IDEsaster” is a good term, because most of the risk isn’t in the model but in the ambient authority we casually hand to agents. An AI that can read repos, write code, run tests, hit package managers, and access secrets is effectively a junior engineer with prod keys and zero fear. The interesting vulnerabilities aren’t prompt injections in isolation, but cross-boundary ones: repo → CI → secrets → cloud. Until IDEs treat agents like untrusted plugins with strict sandboxing, least privilege, and auditable actions, we’re just automating foot-guns at scale.