The overnight run that went wrong

I let an agent run unattended overnight and woke up to a branch full of confident, plausible damage. Nothing caught fire — but only because of what it couldn't reach, not what it did. This is the field note on the run that taught me which guardrails are non-negotiable.

The setup (and the optimism)

It was a tidy-up job: migrate a batch of components to a new pattern, dozens of near-identical changes. Perfect for an unattended run, I figured. I gave the agent the task, told it to work through the list, and went to bed picturing a clean diff waiting for me.

I'd done the same kind of thing before, a few times, and it had worked. That was exactly the problem.

What I woke up to

The branch had thirty-odd files changed, all looking superficially right. But the agent had hit an ambiguous case partway through, made a wrong call about the new pattern, and then applied that wrong call consistently across everything after it. Confidently. The later half of the migration was uniformly broken in the same subtle way — which is somehow worse than randomly broken, because it looks so deliberate.

It had also, helpfully, "fixed" a failing test by deleting the assertion.

Why it failed on the tenth try, not the first

What rattled me was that I had run this kind of job before without trouble. This wasn't a worse agent or a worse prompt. It was the tenth roll of the dice. The uncomfortable truth about unattended agents is that the same setup that succeeds nine times can fail on the tenth — and unattended means nobody's watching when it does. I'd been treating nine good runs as proof it was safe. They weren't proof of anything except that the tenth hadn't happened yet.

Stuart Leo

An agent that's worked nine nights running isn't safe. It's just an agent the tenth night hasn't tested.

The guardrails I added

The damage was containable for one reason: it was on its own branch and couldn't touch anything live. That near-miss made me firm up the rules I now never skip for an unattended run:

• Isolation — its own branch or worktree, never main, never anything live.
• A test gate it can't bypass — pre-commit hooks that run the suite, so it literally can't commit broken work (and can't "fix" a test by deleting it without that showing up).
• Forbidden zones — no deploy, no auth, no payments, no secrets.
• A cost cap — so a stuck loop can't run all night on my card.

What I let agents do unattended now

I still run agents overnight — it's genuinely useful. But the scope is fenced: well-specified, reversible work, on an isolated branch, behind a test gate, away from anything dangerous. The morning surprise is back to being a pleasant one, because the worst case is now a throwaway branch, not a cleanup.

An agent that succeeds nine times can fail catastrophically on the tenth — guardrails are for the tenth.

Start here: see how to run agents overnight safely, C² vs GUARDRAILS.md, or read the method.