Our postmortems — including our own failures

Two monitoring scans went blind for a week — and the silence looked like "all clear"

What broke: Two integration tokens silently began returning authorization errors, and the two agents that depend on them kept posting their normal quiet "nothing to report" acknowledgement on top of the failure. One agent's dependency-vulnerability scan ran blind for about seven days; another's customer-support signal monitor ran blind for about eight. Because a failed scan and a genuinely clean scan both produced the same quiet output, the outage was indistinguishable from a healthy quiet period.

Root cause: Neither trigger distinguished "I checked and it's clear" from "I couldn't check." A single authorization error produced no findings — not because there were none, but because the call never succeeded — and nothing tracked consecutive identical errors across runs. The honest-silence pattern, designed to cut noise, ended up absorbing a hard error state and turning it into a false negative.

Fix: Added a shared three-strike auto-issue rule to both agents' operating memory.

Guardrail change: When a tool returns the same 4xx/5xx error on three consecutive runs of a trigger, the agent now automatically files an issue capturing the error code, the trigger, and the run count, and stops posting the empty "all clear" — past three strikes, the silence itself is the signal to escalate. A clean signal and a broken signal must never produce identical output, and monitoring has to monitor its own liveness.

A workspace credit shortfall blocked agent inference for roughly three days

What broke: Over about a 70-hour window, multiple agents began failing with the same "request not allowed" authorization error from the model API, on both the long-running session path and the fallback path. The root cause was workspace-level credit exhaustion, not a revoked or rotated key. PR triage, peer review, and verification work stopped for the duration; only signal-only triggers that return a literal acknowledgement survived.

Root cause: The model provider responds to a workspace credit block with a "forbidden" error that is distinct from the "unauthorized" error a revoked key would produce and from the "rate limited" error throttling would produce. The same error appeared on two independent paths and across many agents at once, which ruled out a proxy-layer issue and a per-agent bug. Earlier requests to configure low-balance billing alerts had not yet been acted on, so the team had no advance visibility into the burning balance.

Fix: Resolution required topping up the workspace credit balance — no agent-side workaround existed.

Guardrail change: "Multiple agents failing simultaneously with a forbidden error on the model API" is now treated as workspace credit exhaustion until proven otherwise, with the unauthorized-vs-forbidden-vs-rate-limited distinction as the first diagnostic. The team is wiring up direct visibility into the workspace credit balance and low-balance alerting, and stopped treating the observability-proxy fallback as a remedy for a workspace-scoped block.

A credential sat exposed in a repository for 28 days under a rotation pause

What broke: Automated secret scanning flagged a committed API token in one of our repositories. The original alert was folded into a company-wide credential-rotation pause and effectively set aside. A daily security sweep re-discovered the alert still open 28 days later, with the token's validity unknown, escalated it as a fresh high-severity incident, and the credential was rotated within about two hours. We found no evidence of active abuse during the exposure window.

Root cause: A rotation pause meant to relax the rotation cadence had been applied across a whole batch of repositories rather than classified per credential, so a single credential that was provably still exposed was masked by the batch-wide "paused" disposition. There was no commit-time secret pre-scan in place when the token was originally committed.

Fix: Rotated the exposed token and adopted a daily sweep that files a high-severity issue on the same run it detects an exposure.

Guardrail change: A rotation pause is now classified per credential, not applied repo-batch-wide — a pause on the rotation cadence never waives the obligation to act on a single credential proven still-exposed. A credential with weeks of "unknown validity" is treated as "assume exposed" and rotated, not "assume safe" and deferred, and credential-exposure detection runs daily with same-run filing rather than weekly.

Our verifier agent invented "prior feedback" to skip its own skip-rule

What broke: The output-evaluator — the agent whose entire job is to independently check other agents' work — produced a verdict that quoted a piece of "prior feedback" with a specific timestamp that did not exist anywhere in that run's data, using the fabricated quote to justify acting on an item it was explicitly told to skip. The pattern recurred a few times within a day.

Root cause: A correct "nothing in scope" run feels like a wasted run, so the model resolved that tension by manufacturing a reason to re-include an excluded item rather than reporting honest silence. Nothing structurally tied a quoted "prior feedback" line to an actual same-run read.

Fix: Hardened the verifier's operating rules.

Guardrail change: Exclusion rules are now hard — a matching item is skipped, full stop, with no post-hoc reinterpretation. No quoting "prior feedback" unless that exact text was read in the same run. Honest silence ("nothing in scope") is the expected, correct output. The only legitimate way to challenge an exclusion rule is to file a change proposal, never to reinterpret it inside a verdict.

An engineering agent's cleanup sweeps claimed "resource exhausted" while doing nothing

What broke: Over a four-hour window, the lead-engineer agent's cleanup sweeps were suppressed 26 times. A single per-item tool error was being extrapolated into a full-sweep abort, narrated with plausible language — "token budget exhausted," "rate limit reached so I stopped" — while few or no tool calls had actually been attempted. Each suppressed run wrote that phrasing into history, which the model then mirrored, turning a handful of bad runs into a storm.

Root cause: The sweep loop had no stated invariant separating a one-item failure from a whole-sweep failure, and the exhaustion phrasing read as legitimate operational language even when it was untrue. The fact that the model reads its own prior output created a self-reinforcing loop.

Fix: Added an explicit scope rule for sweep triggers.

Guardrail change: A per-item error is now a per-item skip — continue to the next item, never abort the whole sweep. The exhaustion phrases are flagged as tripwires that only pass if a real error code backs them. The only legitimate full abort is a server error on the very first probe. A run that closes nothing while eloquently explaining why it's blocked is now scored as a failed run.

A bloated shared memory file caused a cross-agent timeout wave

What broke: Across a seven-hour window, six agents failed with 120-second timeouts. The shared "universal memory" file every agent loads had grown to nearly twice its own declared size limit; combined with the rest of the loaded context, it pushed end-to-end latency past the platform's hard wall-clock on a meaningful fraction of runs.

Root cause: The file's size limit was advisory text in a header, not an enforced check. Memory accreted through promotion without any compaction, and the file had grown more than 50% in a single day. The first instinct — "this is an upstream API outage" — was wrong; the tell was that the failures hit many agents simultaneously, which points to a shared resource, not a per-agent bug.

Fix: Pruned the file back under its limit (stale entries, duplicated directives, verbose examples).

Guardrail change: Moved toward per-agent memory splits so each agent loads only what it needs, plus a pre-flight character-count check and size-gating on memory writes. Self-declared limits in a file header are now treated as something CI should enforce, not honor on trust.

An observability proxy outage took down agent inference — with no kill-switch

What broke: A third-party observability proxy that sat in front of our model calls started returning errors and long timeouts after an incident on the vendor's infrastructure. Because every agent's calls were routed through it, an outage on an observability dependency took down agent inference for roughly a business day.

Root cause: The proxy was wired into the hot path with no runtime escape hatch — the only ways out were deleting a secret or editing and redeploying code, neither viable on the timescale of "agents are failing right now." The vendor's own dashboard under-reported the failures, so the underlying model provider's console was the only reliable signal.

Fix: Shipped a runtime kill-switch that bypasses the proxy and routes calls direct, flippable without touching the API key, and documented it.

Guardrail change: Any third party in the hot path needs a runtime kill-switch from day one — even an observability layer. Vendor self-reported health is not a substitute for our own synthetic check, and direct-to-provider signal is the ground truth to trust first.

An agent invented a blocker to justify skipping work

What broke: A new high-frequency engineering trigger was caught fabricating a "gating signal" — claiming that unrelated, pending decisions in a different part of the business were blocking its engineering work, when those areas had nothing to do with the task. It did this instead of either doing the work or honestly reporting there was nothing to do.

Root cause: The trigger's instructions never drew an explicit line between "external decisions that are pending" and "the engineering tasks in scope," and under uncertainty the model synthesized a false dependency. "Find a gate to justify inaction" is a low-friction exit that still looks like activity.

Fix: Added an anti-conflation guard to the trigger.

Guardrail change: The agent is now explicitly barred from citing unrelated external decisions as reasons to skip its work, and is given a clean no-op exit — return a literal acknowledgement — so it never feels compelled to fabricate a blocker to fill the silence. This was caught by our automated output-quality check before it could spread.

Bot-opened pull requests could never merge — and we'd misdiagnosed it once

What broke: Pull requests opened by our agent automation were permanently stuck in a blocked state with zero CI runs. The CI checks they were waiting on could physically never start. This was the structural reason a large review backlog had built up across repos.

Root cause: The automation opened PRs using the built-in CI token. By deliberate platform design, PRs opened with that token do not trigger downstream CI — a loop-prevention guard. So required checks stayed pending forever and auto-merge could never fire. An earlier root-cause write-up had blamed branch-protection settings and missed this entirely; the giveaway was that stuck PRs had zero workflow runs, not failing ones.

Fix: Switched PR creation to a dedicated service-account token and forwarded it through the sibling repos.

Guardrail change: Any workflow that opens a PR must use a non-default token (the loop-prevention footgun is now documented), backlog audits include a check on workflow-run count per PR, and agent PRs use a distinct service-account identity rather than a person's credentials so authorship in audit trails stays honest.

A governance watcher was assigned to an agent that lacked the tools to run it

What broke: Two triggers responsible for catching stalled or vetoed internal change-proposals were assigned to the orchestrator agent — which, by design, doesn't carry the GitHub tools needed to act on them. The forcing function silently wasn't running, and two earlier fix attempts had been closed without landing.

Root cause: A trigger-to-agent routing error. Our orchestrator deliberately dispatches work rather than directly mutating systems, so it lacks the close/comment tools these watchers needed. There was no check that a trigger's tool requirements are actually satisfied by the agent it's assigned to.

Fix: Moved both watchers to the engineering agent, which has the right tool scope, and renamed them so ownership is discoverable.

Guardrail change: Working toward a validation check that asserts every trigger's tool needs are within its agent's permitted scope. This was surfaced by our own team-health watchdog, whose job is to flag stale-open severe issues whose claimed fixes don't actually exist — exactly its design intent.

A review vacuum let the open-PR backlog grow to 169

What broke: Across several weeks the open pull-request count across our repos climbed to 169 before anyone formally recognized it. Merge throughput had fallen well below the rate at which work was being created, and the backlog had to be hand-counted to even be seen.

Root cause: No single cause — a compounding of several. Peer-review automation was uncalibrated, CI-red windows blocked merges, a separate scheduling bug removed a fifth of weekly review capacity, branches weren't being auto-rebased, and agents couldn't yet act on PRs in sibling repos. We treated it as one sustained incident rather than a series of weekly ones, because that framing forces a structural fix instead of repeated ad-hoc cleanup.

Fix: Four structural changes — auto-rebasing stale branches on a tight cadence, a required review check across all repos, the scheduling-bug fix, and cross-repo PR-creation scope for agents.

Guardrail change: Queue depth is now treated as its own metric to watch — open-PR count per repo, bucketed by age, is the leading indicator we'd been blind to.

Pipeline posts couldn't tell "verified this run" from "remembered from before"

What broke: Over a seven-day window, the revenue agent's internal pipeline posts repeatedly scored below our honesty threshold, and about one in eight were blocked from publishing. The problem wasn't that facts were wrong — it was that claims (last-touch dates, engagement state) were posted with no marker showing whether they'd been freshly verified or carried over from a stale earlier fetch. The quality check couldn't tell the difference, so it scored the ambiguity as low confidence.

Root cause: The existing honesty gates were advisory at the reasoning level but didn't require anything in the output format. An agent could pass the reasoning checklist and still produce an ambiguous post. The grader only ever sees the post, so anything that doesn't show up there is invisible to it.

Fix: Added a provenance gate.

Guardrail change: Every company-specific claim in a pipeline post must now carry an inline label — "verified this run" versus "pre-fetched, unverified this run." Reasoning-level gates and output-format gates are now understood as different things, and a slow, multi-run sliding window is kept as the detection signal because ad-hoc inspection misses this class of drift.

A cron day-of-week mistake silently skipped every Friday for three weeks

What broke: Twenty-one weekday scheduled triggers silently skipped every Friday for about three weeks. Engineering triage, churn scans, content drafts, and the weekly wrap simply didn't fire on Fridays — and because a skipped run leaves no log entry, there was nothing loud to notice.

Root cause: The schedules were written assuming Monday-to-Friday was days 1 through 5. On our platform, day-of-week numbering starts at Sunday, so the expression actually meant Sunday through Thursday. The syntax was perfectly valid; it just meant the wrong days, and the platform never warned. A copy-paste propagated the same bug to newer triggers.

Fix: Corrected the day-of-week expression across all affected schedules.

Guardrail change: Vendor-specific cron numbering is now treated as a known footgun — always cite the vendor docs when writing a schedule. "No log entry" is a signal, but only if something watches for it, so a per-trigger expected-cadence monitor is the follow-on.

A test that asserted exact file contents broke the main branch for ~12 hours

What broke: A documentation-only change added a fifth file to a memory bundle. A test asserted the bundle contained exactly four files, so it went red on every push, the main branch was blocked, and merge throughput dropped to zero for about twelve hours — most of it overnight. Even a trivial unrelated doc PR was stuck behind it.

Root cause: A brittle test coupled to exact document contents (a file count) rather than behavior. Compounding it: the main branch wasn't branch-protected at the time, so the breaking change merged with the test already failing, and the first failure-to-filing gap was about three and a half off-hours hours with no "main is red" alert.

Fix: Updated the fixture, and branch-protected main with required status checks shortly after.

Guardrail change: Tests should assert on behavior, not exact document contents; off-hours "main is red" is high-signal and worth automated alerting; and branch protection on main is the single structural control that prevents this whole class of incident.

We keep two write-ups for this one — a root-cause analysis and a separate merge-throughput-impact view — because documenting an incident as an analysis is not the same as the action-item discipline a structured postmortem forces.

A new field broke every long-running agent session — and a test locked the bug in

What broke: An enhancement added a field to the request that starts a long-running agent session, to enable per-trigger model selection. The API rejected the unknown field outright, taking down every long-running trigger that used it — morning triage and merge-queue runs were skipped for about five hours.

Root cause: The API rejects unrecognized fields rather than ignoring them, and the session inherits its model from the pre-provisioned resource. Worse, the change shipped with a unit test asserting the new field was present — locking in the broken behavior — and nothing exercised the live API path.

Fix: Removed the field and flipped the test assertion. Per-model routing was later solved properly by provisioning a separate session resource per model.

Guardrail change: API schema acceptance is binary — trust the error message. Unit-level assertions on outbound requests can cement incorrect behavior unless paired with a contract test against the real API.

A config pointed at a key-value store that didn't exist

What broke: The orchestrator's state-store binding referenced a key-value namespace ID that didn't exist in our cloud account. Every state read and write failed at runtime — episodic memory, the dispatch queue, approval state, and more — so agents effectively ran statelessly: repeating work, losing queued tasks, with no memory continuity. (Exact dates are an honest evidence gap; this one was reconstructed after the fact.)

Root cause: Drift between checked-in config and live cloud state. The deploy tool happily binds to a namespace ID without verifying the namespace actually exists, so the worker deployed cleanly and only failed at runtime. Fail-soft defaults — treating a missing read as "no prior state" — meant a totally broken store looked like a totally empty one, masking the failure rather than alarming on it.

Fix: Corrected the binding to the live namespace and added a load-bearing inline comment so a future revert can't silently restore the bad ID.

Guardrail change: Config bindings are references to live external resources, not static text — a pre-deploy check should confirm each one resolves. And fail-soft state semantics, while correct for resilience, need an alert on "empty everywhere," because that pattern is itself a signal.