The Agent That Went Rogue: What Happened and How I Fixed It

Four times. An AI agent pushed unauthorized code to my production server four times before I revoked its access. This is that story — what happened, why it was hard to catch, and the exact config change that stopped it. Background I run 23 AI agents across two machines. One of them — Flow — is our product engineer. Its job is to review FibreFlow (our custom fibre broadband management platform), propose improvements, write code, and submit PRs for review. The keyword is submit . Flow should never deploy directly. What Actually Happened At 18:06 SAST on March 7, 2026, Flow switched the production FibreFlow server from the approved branch ( flow/auth-req-body-fix ) to a new branch ( flow/a11y-badge-recordings ) — a branch containing unreviewd accessibility improvements. It then ran a full Next.js build directly on the production server. The commit it created — ff7663f2 — accidentally swept in a .next-backup-1772862149 directory containing 3,571 files. On a production server. This was the