Dependency scanning. Catches the install-time post-hook class. Tools like Socket, Snyk, or Dependabot for the basics.
Runtime spend and rate rails. This is where AgentGuard fits. Catches the most common cost incident, plus the runaway-loop class.
Human-in-the-loop on destructive actions. Any DROP, DELETE, rm -rf, or chmod against prod paths pauses for confirmation. Even a 200ms speed bump kills 90% of these incidents.
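As an added example (not code from the post, agent47 or AgentGuard), here is a minimal version of the human-in-the-loop speed bump in Python: a classifier for the destructive shell and SQL actions named above, and a gate that blocks on a confirmation callback. The prod path prefixes and the handling of `sudo`/`env` wrappers are my assumptions.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Callable

# Hypothetical prod path prefixes; a real deployment would load these from config.
PROD_PATH_PREFIXES = ("/var/lib/postgresql", "/srv/prod", "/mnt/backups")
SQL_DESTRUCTIVE = re.compile(r"^\s*(DROP|DELETE|TRUNCATE)\b", re.IGNORECASE)

@dataclass
class Verdict:
    destructive: bool
    reason: str

def _is_recursive_flag(arg: str) -> bool:
    # Matches -r, -rf, -fr and --recursive; other long options are ignored.
    return arg == "--recursive" or (arg.startswith("-") and not arg.startswith("--") and "r" in arg[1:])

def classify_sql(stmt: str) -> Verdict:
    # Prefix check only: DELETE is flagged with or without a WHERE clause.
    if SQL_DESTRUCTIVE.match(stmt):
        return Verdict(True, "destructive SQL statement")
    return Verdict(False, "allowed")

def classify_shell(cmd: str) -> Verdict:
    # Split on chain/pipe operators so `cd x && rm -rf .` is still inspected.
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", cmd):
        try:
            argv = shlex.split(segment)
        except ValueError:
            return Verdict(True, "unparseable shell segment")  # fail closed
        # Drop bare privilege/env wrappers so `sudo rm -rf ...` is still seen as rm.
        while argv and argv[0] in ("sudo", "env"):
            argv = argv[1:]
        if not argv:
            continue
        prog, args = argv[0], argv[1:]
        if prog == "rm" and any(_is_recursive_flag(a) for a in args):
            return Verdict(True, "recursive rm")
        if prog in ("chmod", "chown") and any(a.startswith(PROD_PATH_PREFIXES) for a in args):
            return Verdict(True, f"{prog} against prod path")
    return Verdict(False, "allowed")

def gate(action: str, kind: str, confirm: Callable[[str], bool]) -> bool:
    """Return True if the agent may proceed. Destructive actions block on confirm()."""
    verdict = classify_sql(action) if kind == "sql" else classify_shell(action)
    if not verdict.destructive:
        return True
    return confirm(f"[{kind}] {action!r} flagged: {verdict.reason}. Proceed?")
```

Wire `confirm` to a terminal prompt, a chat approval button, or anything else a human answers; relative paths are not resolved against the agent's working directory, so treat that as a gap to close before relying on the chmod rule.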
PocketOS had none of layers 1, 2, 3, or 6 in the path of the agent. That is the real story.
The pattern to steal
Treat your agent process like an intern with shell access. Would you give a brand-new contractor root on prod, mounted backups, and no review on destructive commands? No. Then do not give it to the agent either.
The agent does not have to be malicious or hallucinating. It just has to be wrong about scope once. PocketOS proves the cost of being wrong once is the entire database.
What we ship in agent47
I keep a "Real Incidents" section in the agent47 README where postmortems like this one get logged. PocketOS is the first entry. The point is not to dunk. The point is that every incident in that section is a free lesson about which layer of defense was missing. Read them before you ship your next agent.
If you want the runtime spend layer, AgentGuard is one pip install. It will not save you from a PocketOS-style incident on its own. Nothing will. But it closes one of the six layers, which is one more than most agents ship with today.
Originally published on bmdpat.com. I run a one-person AI agent company and write about what actually works.