Claude Stole the HR Docs
1 point | 1 hour ago | 1 comment | usize.github.io | HN
plaidthunder
1 hour ago
Red teaming a cluster with an instance of Claude Code set loose in it, instructed to access PII it shouldn't have. Showing how RFC 8693 semantics can help in situations like this, even when Claude gets hold of an access token via prompt/log file etc.