AI Agent Broke the Build: How to Recover and Prevent
When an AI agent introduces code changes that break your build — failing tests, syntax errors, type mismatches, or dependency conflicts — your CI pipeline turns red and your team is blocked. SafeClaw by Authensor prevents this by gating file writes and git operations so agents can only modify approved files, and by enforcing pre-commit validation rules that catch breakage before it reaches your repository. If the build is already broken, follow the recovery steps below.
Immediate Recovery Steps
1. Identify the Breaking Commit
git log --oneline -10
Find the agent's commit(s). They are usually the most recent entries.
2. Revert the Breaking Change
git revert <commit-hash>
git push origin <branch-name>
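If multiple agent commits broke the build, revert the whole range. The ^ after the oldest hash is required: without it, the range starts after that commit and leaves it in place.
git revert --no-commit <oldest-hash>^..<newest-hash>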
git commit -m "Revert: agent changes that broke build"
git push origin <branch-name>
3. Verify the Build Passes
Trigger your CI pipeline to confirm the revert fixed the build. Do not proceed until the pipeline is green.
4. Review SafeClaw Audit Log
npx @authensor/safeclaw audit --filter "action:file.write" --last 30
Identify which file changes caused the breakage. The hash-chained audit trail provides the complete sequence of agent actions leading to the failure.
Install SafeClaw and Prevent Future Build Breakage
npx @authensor/safeclaw
Require Tests to Pass Before Committing
Configure your policy to run tests as a gating condition:
rules:
  - action: git.commit
    resource: "*"
    effect: allow
    pre_conditions:
      - "npm test"
      - "npm run lint"
    reason: "Agent must pass tests and lint before committing"
  - action: git.push
    resource: "feature/**"
    effect: allow
    pre_conditions:
      - "npm run build"
    reason: "Build must succeed before push"
Restrict Which Files Agents Can Modify
Limit agent writes to safe areas:
rules:
  # Allow writing to source files
  - action: file.write
    resource: "/src/components/**"
    effect: allow
    reason: "Agent works on component files"
  # Block critical infrastructure files
  - action: file.write
    resource: "/webpack.config.*"
    effect: deny
    reason: "Build config requires human review"
  - action: file.write
    resource: "/tsconfig.json"
    effect: deny
    reason: "TypeScript config requires human review"
  - action: file.write
    resource: "/.github/**"
    effect: deny
    reason: "CI/CD config requires human review"
  - action: file.write
    resource: "/Dockerfile"
    effect: deny
    reason: "Docker config requires human review"
Block Dangerous Shell Commands
Prevent agents from running commands that could corrupt your build environment:
rules:
  - action: shell.exec
    resource: "npm install *"
    effect: deny
    reason: "Agent cannot install arbitrary packages"
  - action: shell.exec
    resource: "npm test"
    effect: allow
    reason: "Agent can run tests"
  - action: shell.exec
    resource: "npm run build"
    effect: allow
    reason: "Agent can run build"
  - action: shell.exec
    resource: "npm run lint"
    effect: allow
    reason: "Agent can run linter"
Troubleshooting Specific Build Failures
Agent introduced a type error: The agent modified a TypeScript file without respecting the type system. Restrict agent writes to specific file patterns and require tsc --noEmit as a pre-condition.
Agent added a broken dependency: The agent modified package.json to add an incompatible or nonexistent package. Block writes to package.json in your policy.
Agent deleted a required import: The agent removed or modified import statements during a refactor. Use SafeClaw's simulation mode to test refactoring tasks before real execution:
npx @authensor/safeclaw --simulate
Agent broke the CI config: The agent modified .github/workflows/ or Jenkinsfile. These files should always be denied to agents:
rules:
  - action: file.write
    resource: "/.github/workflows/**"
    effect: deny
    reason: "CI config is human-managed"
Prevention Strategy
SafeClaw's 446 tests validate that deny-by-default gating catches unauthorized modifications across both Claude and OpenAI agents. The key practices are:
- Gate commits with pre-conditions — require tests and lint to pass.
- Block writes to build infrastructure files — webpack, tsconfig, Dockerfile, CI configs.
- Block package manager modifications — deny writes to package.json and lock files.
- Use simulation mode for new or risky agent tasks.
- Review audit logs to catch patterns of near-misses before they become failures.
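As a backstop that does not depend on the agent-side policy, the same protected-file list can be enforced in git itself. The following pre-commit hook is an added example, not SafeClaw code or part of the original page; the function names are hypothetical, the paths mirror the deny rules above, and the lock-file names are assumed for npm, yarn and pnpm.

```shell
#!/bin/sh
# Added example: reject commits that stage build-infrastructure files.
# Paths are matched from the repository root, like the policy rules above.

# is_protected PATH -> returns 0 if PATH needs human review, 1 otherwise.
is_protected() {
  case "$1" in
    webpack.config.*|tsconfig.json|Dockerfile|Jenkinsfile) return 0 ;;
    .github/*) return 0 ;;   # in a case pattern, * also matches "/"
    package.json|package-lock.json|yarn.lock|pnpm-lock.yaml) return 0 ;;
  esac
  return 1
}

# check_protected: read one path per line on stdin, report every protected
# path on stderr, and return 1 if at least one was found.
check_protected() {
  found=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if is_protected "$path"; then
      echo "blocked: $path requires human review" >&2
      found=1
    fi
  done
  return "$found"
}

# Hook entry point. --no-renames lists both the old and the new path of a
# rename, so moving tsconfig.json out of the way is caught as a deletion.
hook_main() {
  git diff --cached --name-only --no-renames | check_protected
}

# Run only when installed as .git/hooks/pre-commit.
case "$0" in
  */pre-commit) hook_main || exit 1 ;;
esac
```

Local hooks are skipped by git commit --no-verify, so run the same check_protected function in CI over the changed paths of each pull request as well.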