Picture this. You ask your coding agent to "tidy up the config files." It interprets that broadly. It overwrites .env with what it thinks the defaults should be. It moves docker-compose.yml into a subdirectory that doesn't exist yet. It edits your SSH config. Fifteen seconds, twelve tool calls, and your local environment is wrecked. The agent didn't go rogue — it did exactly what it thought you wanted, with tools that let it do anything.

12 tools, zero restrictions

The filesystem MCP server is o

Your Coding Agent Can Delete Any File on Disk
PolicyLayer
