Agentic Control Plane
Incident series

Stop Your Agent From…

Every post in this series starts from an incident that actually happened to someone — a wiped home directory, a dropped production database, secrets in a commit, an $18,000 surprise bill — and ends with the exact configuration that stops it. Three steps each, a few minutes of work, no smarter prompting required.

Wondering what your agent could do beyond these? The Tool Surface Index lists every tool Claude Code and Codex declare, grouped by blast radius.

Posts in this series

Each post covers one incident class: what happened, why it's one tool call away in your setup, and the three steps that close it.

  1. Stop your AI agent from running `rm -rf` on your filesystem — in three steps
     Cursor and Claude Code agents have wiped home directories mid-session. The fix isn't smarter prompting — it's a control plane between the agent's tool call and your filesystem. Here's the exact configuration.
  2. Stop your AI agent from deleting your production database — in three steps
     If your agent has destructive credentials in its environment, it can use them. Recovery is rarely possible. Here's how to put a control plane between the agent's decision and your production system, with the exact configuration.
  3. Stop your AI agent from touching files outside your project — in three steps
     Cursor and GitHub Copilot agents have wandered into Documents folders, root drives, and home directories — deleting files that had nothing to do with the project they were working on. The control-plane fix is workspace-scoping at the hook layer.
  4. Stop your AI agent from rewriting your git history — in three steps
     Claude Code, Cline, and Cursor agents have force-pushed over teammates' work, reset uncommitted changes, and stripped commits from production branches. The model can't see what you'd lose. A control plane between the agent and your git remote can.
  5. Stop your AI agent from leaking secrets in your `.env` file — in three steps
     AI coding agents read your `.env` files by default. They quote secrets back into commits, paste them into chat logs, and surface them in tool outputs. Here's how to gate that without breaking your agent's actual job.
  6. Stop your AI agent from leaking PII through tool calls — in three steps
     Your AI agent runs `SELECT email FROM users` and gets back a list of customer emails. Now those emails are in the LLM's context, your conversation logs, and any downstream tool the agent calls afterward. The fix isn't smarter prompting — it's tool-output PII redaction at the gateway.
  7. Stop your AI agent from burning through your API budget — in three steps
     Cursor agents have looped overnight and burned $135 of credits in a week. Codex sub-agents have run $350 over plan. A leaked GCP key produced an $18,000 bill. The fix isn't smarter prompting — it's a control plane with rate limits and budget caps.
  8. Stop your AI agent from making payments without approval — in three steps
     Agentic commerce SDKs from Stripe, Visa, and Mastercard give your AI agent the ability to charge cards, transfer funds, and authorize subscriptions. One bad tool call is one real-world transaction. Here's how to put approval in the loop where it matters.
  9. Stop your AI agent from dropping a Kubernetes namespace — in three steps
     An autonomous agent with kubectl access can `kubectl delete namespace prod` in one tool call. The OS doesn't ask twice. The control plane between the agent's intent and your cluster has to.
  10. Stop your AI agent from escalating IAM permissions — in three steps
      If your agent can call `iam:CreatePolicy`, `iam:AttachRolePolicy`, or `gcloud projects add-iam-policy-binding`, it can grant itself anything the underlying credential allows. The blast radius of one bad tool call is your entire cloud account.
  11. Stop your AI agent from being weaponized by a malicious package — in three steps
      The Nx s1ngularity attack used local Claude, Gemini, and Q CLIs to recon for SSH keys, `.env` files, and GitHub tokens. 2,349 secrets were exfiltrated. The control plane your AI agent needs is the same one that catches this — but you have to install it before the next compromise lands.

All eleven fixes ride the same install — see getting started, or the one-command setup for coding agents specifically.