Has an agent ever deleted something important to you?

(coasty.ai:443)

2 points | by nkov47as 4 hours ago

1 comment

  • rodchalski 2 hours ago
    Twice. Both times the root cause was the same: the agent had broader tool access than the task required.

    The structural fix isn't "be more careful with prompts." It's explicit scope at the execution boundary. The agent should only have access to the tools and resources the specific task requires—not everything the agent could theoretically need.

    When you scope tool access per-task instead of per-agent, accidental deletions become structurally impossible rather than just unlikely. The agent can't delete what it can't touch.

    The other piece: reversible operations first. If your agent writes to disk, write to a temp location and confirm before committing. Cheap to implement, eliminates a whole class of accidents.

    Most frameworks conflate identity ("this is agent X") with authorization ("agent X can do anything in scope"). Separating those gives you the granularity to say "this specific task instance has read-only access to this specific directory" rather than "the agent has filesystem access." That's where the real safety comes from.
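As an added illustration of the comment above (example code, not the commenter's own), this sketches per-task scope at the execution boundary: authorization is a TaskScope bound to one task instance rather than to the agent, the filesystem tool exposes no delete at all, and writes are staged to a temp file and only land on commit. All names (TaskScope, ScopedFS, demo) and the sandbox directory are constructed for the example.

```python
from dataclasses import dataclass
from pathlib import Path
import shutil, tempfile

class ScopeError(PermissionError): pass  # tool call outside the task's grant
@dataclass(frozen=True)
class TaskScope:
    """Authorization for one task instance, not for 'the agent'."""
    root: Path              # the only directory this task may touch
    writable: bool = False  # read-only unless the task explicitly needs writes

class ScopedFS:
    """Filesystem tool bound to a TaskScope. No delete tool is exposed at all."""
    def __init__(self, scope):
        self.scope, self.root = scope, scope.root.resolve()
        self.staged = {}  # target path -> staged temp file awaiting commit
    def _inside(self, rel):
        p = (self.root / rel).resolve()
        if p != self.root and self.root not in p.parents:
            raise ScopeError(f"{rel!r} is outside the task scope")
        return p
    def read(self, rel):
        return self._inside(rel).read_text()
    def write(self, rel, text):  # reversible: staged to a temp file until commit()
        if not self.scope.writable:
            raise ScopeError("task scope is read-only")
        target = self._inside(rel)
        with tempfile.NamedTemporaryFile("w", dir=self.root, prefix=".staged-", delete=False) as tmp:
            tmp.write(text)
        self.staged[target] = Path(tmp.name)
    def commit(self, rel):
        target = self._inside(rel)
        self.staged.pop(target).replace(target)  # atomic rename over the original

def demo():
    base = Path(tempfile.mkdtemp())  # constructed sandbox directory, removed at the end
    (base / "notes.txt").write_text("keep me")
    ro, out = ScopedFS(TaskScope(root=base)), {"blocked": 0}
    for call in (lambda: ro.write("notes.txt", "x"), lambda: ro.read("../outside.txt")):
        try:
            call()
        except ScopeError:  # read-only violation and path escape are both refused
            out["blocked"] += 1
    rw = ScopedFS(TaskScope(root=base, writable=True))
    rw.write("notes.txt", "draft")
    out["before_commit"] = ro.read("notes.txt")  # still "keep me": nothing committed yet
    rw.commit("notes.txt")
    out["after_commit"] = ro.read("notes.txt")
    shutil.rmtree(base)
    return out
```

A real deployment would put the confirm step between write() and commit() in front of a human or a policy check; here demo() commits directly to show the before/after state.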