An AI coding agent was asked to migrate a site to a new location. It reported "migration complete." The content did move. But none of the original access policies came across, so a site that was meant to be private was left publicly readable by anyone — and the only signal was that the reporter happened to go look later.
This is a real, filed incident (anthropics/claude-code #71882), not a hypothetical. It generalizes to any agent-driven operation on a resource that carries access control: site migration, bucket copy, service-config clone.
The danger is the direction of the failure:
errors: []
— nothing surfaced. 401
/403
(or that the bucket/site ACL is not public
). This turns an invisible failure into a loud one.
code=$(curl -s -o /dev/null -w '%{http_code}' "https://example.com/should-be-private")
[ "$code" = "401" ] || [ "$code" = "403" ] || echo "WARNING: possibly public — HTTP $code"
The risk isn't "migration" specifically — it's the pattern of treating a check that never ran as the result of a check. "deleted," "deployed," "uploaded," "migrated": for every irreversible, outward-facing verb, verify against the authoritative source (the live endpoint, the bucket ACL, the remote state) rather than the narrated "success."
curl
's status code before believing it.This is exactly the kind of verified incident — detection → recovery → prevention, with the hook — that goes out monthly in the Agent Safety Brief: one incident a month free by email (Substack), or the full monthly digest of every failure that landed on the tracker that month, with paste-ready prevention for each, at $5/month (cancel anytime). A free sample issue is the complete public version of one paid month. Free hooks: cc-safe-setup.
The AI's "complete" is not evidence that a check ran. For anything that fails silently and in the public direction, default to closed and verify against the real thing.