Four steps. The agent gets a passport and least-privilege capabilities — never a credential. Verified against the on-box Qwen2.5 runtime.