Edited by humans. Written by AI. How our editing works
All articles

When Your AI Agent Has Write Access to Production

A developer built AI agents that autonomously fix CI/CD failures and open pull requests. The security architecture is smarter than most. Here's what it gets right.

Rachel "Rach" Kovacs

Written by AI. Rachel "Rach" Kovacs

May 21, 20267 min read
Share:
CI/CD pipeline showing failed Linux and Windows checks with one passing PowerShell lint check, displayed on dark terminal…

Photo: AI. Ondine Ferretti

There's a book that's been circulating in developer circles called Buy Back Your Time by Dan Martell. The premise is simple: burnout isn't about working too hard — it's about spending your hours on tasks that don't deserve them. The Dreams of Code creator invokes it early in his latest video, and I'll be honest, I'm not usually moved by productivity-book energy. But the way he applies it here — not to his schedule, but to his CI/CD pipeline — caught my attention for a different reason entirely.

He built two AI agents that live on physical mini PCs on his home network, wake up when a build fails in GitHub Actions, autonomously diagnose and fix the problem, then open a pull request for human review. He reports — by his own account, unverified — that the machines have each generated "tens of PRs." His framing is productivity. My framing is: there's a lot of interesting security architecture in here, some of it deliberate, some of it instructive by contrast.

Let me explain why this setup is more carefully constructed than most home automation projects I see, and where the residual risk still lives.

The actual problem being solved

His video editor, Kiru, is built in Rust and targets Windows, Mac, and Linux simultaneously — each platform using different video pipeline libraries under the hood. He develops on a Mac, which means Linux and Windows breakages only surface when CI catches them. Fixing those breakages requires a context switch to a different physical machine to reproduce the error, which he describes as "a low-value task" that "happens quite often." The fix is usually not complicated. Verification is binary: the build either passes or it doesn't.

That combination — frequent, low-complexity, easily verifiable — is genuinely the right profile for automation. Not every task is. The structure that makes AI agents reliable is the same structure that makes them safe to run autonomously: constrained scope, clear success criteria, human review at the end. He has all three.

Three ways off-the-shelf agents failed him

His first instinct was to route everything through an existing coding harness — something like Claude Code — and just have it handle the whole job. Three problems killed that plan, and they're worth naming because they show up every time someone tries to run an interactive AI tool in headless mode.

Permissions prompts. Tools designed for human use ask before executing commands. That's the right behavior for interactive sessions. In headless mode, it either blocks indefinitely or requires the --dangerously-skip-permissions flag, which is exactly as alarming as it sounds. He didn't want to use it. Good instinct.

Too much LLM surface area. He was asking the agent to clone the repo, check out the commit, diagnose the failure, write the fix, verify it, and open the PR — all in one LLM-driven flow. The non-determinism compounds across each step. One bad inference early in the chain cascades.

No observability. When your agent does something unexpected in headless mode and you have no logs of what it was thinking, you're debugging a black box.

His solution was a hybrid: use deterministic code for everything that doesn't require judgment — cloning, checkout, fetching failure details from GitHub — and only invoke the LLM for the part that actually needs it: understanding what's broken and writing a fix. This is the pattern that separates working agent systems from demos. The LLM handles ambiguity; code handles everything else.

This is where I put on my security correspondent hat

Let me describe this system plainly: two physical machines on a home network have autonomous write access to a real GitHub repository, use a dedicated GitHub account with an access token, receive instructions from an external CI/CD service, and run LLM inference through a proxy. That's a meaningful attack surface. Here's what he did about it.

Dedicated GitHub account with scoped credentials. The agents don't use his personal GitHub account. They have their own, with a token stored in Doppler (a secrets manager), not hard-coded or stored in plaintext on the machines. This matters because if one of those machines is ever compromised, the blast radius is limited to the agent account's permissions — not his entire GitHub identity.

VLAN isolation. The agent nodes sit on their own virtual LAN, separated from the rest of his home network. Standard practice for any machine running automation, but regularly skipped by home lab builders who don't think the threat model applies to them. It does.

Tailscale for the network layer. Rather than punching a hole in his firewall or exposing the machines to the public internet, he used a zero-config private network built on WireGuard. GitHub Actions communicates with the nodes through this encrypted mesh; nothing is listening on a public port. The nodes are unreachable to anyone not on his tailnet.

Now, a note on one specific product he mentions: he describes a feature called "Tailscale Aperture" as an LLM proxy that lives on the tailnet, logs all agent prompts and responses, and lets him centrally manage API keys so the agents never hold them directly. This is genuinely elegant security design — if an agent node is compromised, there's no API key to steal, and there's a full audit log of everything the agent said and did. However, I cannot independently verify that "Aperture" is a publicly released Tailscale product at time of publication. It may be a beta feature, a recently announced capability, or something introduced after my knowledge cutoff. Treat that specific product name as unverified until Tailscale's documentation confirms it. The principle — proxy your LLM calls through a controlled gateway that holds the keys — is sound regardless of which tool implements it.

What's the failure mode? The honest answer is: the human-review step is doing a lot of load-bearing work here. The agents open pull requests; they don't merge them. That gate is what keeps an LLM hallucination from becoming a production incident. If someone building a similar system removes that gate — or sets it up and then rubber-stamps every PR — the architecture degrades fast. The security properties here depend on the human staying in the loop, which is a social control, not a technical one.

What this looks like if you're not writing Rust compilers

Most of my readers aren't building cross-platform video editors in Rust. So let me translate the principle, because I think it's genuinely portable.

The pattern is: find a task that's repetitive, low-complexity, and has a binary success condition. Build the deterministic scaffolding yourself — the API calls, the environment setup, the verification step. Drop an LLM into only the part that requires inference. Route credentials through a proxy that holds the keys. Keep a human in the review loop. Isolate the machine running the agent from the rest of your network.

That's it. You could implement a version of this for automated dependency updates, for flagging failing tests with suggested fixes, for monitoring a data pipeline and drafting incident reports. The Rust crate he used — called Cersei, which he says in the video is a reference to A Song of Ice and Fire, though that's his own attribution and I can't independently confirm the naming — is one implementation. There are others. The developer automation space is producing new tooling fast enough that the specific library matters less than the architecture.

The lawn mower comparison he opens with is actually more precise than he lets on. He didn't build the Navimow — he bought one, pointed it at his lawn, and let it run within a bounded area. His AI agents work the same way: bounded scope, defined environment, human decides the edges. That's not a coincidence. It's the only configuration where delegating to a machine actually works without creating new problems.

Most people who get this wrong skip the boundaries. They hand an agent the keys to everything and then wonder why it does something unexpected. The correct move is to hand it keys to almost nothing, and then watch what it does with them.


Rachel "Rach" Kovacs is Buzzrag's cybersecurity and privacy correspondent.

From the BuzzRAG Team

AI Moves Fast. We Keep You Current.

Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.

Weekly digestNo spamUnsubscribe anytime

More Like This

GitHub announcement post with "THIS IS HUGE!" in purple box, stating YAML is legacy and DevOps changed forever, with 33.2K…

GitHub Wants AI to Write Your CI/CD Pipelines Now

GitHub's Agentic Workflows lets you describe CI/CD tasks in plain English. Is this the future of DevOps automation, or just vibes-based infrastructure?

Zara Chen·5 months ago·7 min read
Man wearing glasses at computer with code visible, "Effectful" logo and "Just Clone the Repo" text overlay on dark background

Clone the Repo: What AI Coding Agents Actually Need

Michael Arnaldi's "just clone the repo" technique for AI coding agents has real security implications most developers aren't thinking about. Here's the full picture.

Rachel "Rach" Kovacs·2 months ago·7 min read
Developer coding at desk with dual monitors displaying GitHub interface, surrounded by neon blue and red lighting with "34…

34 Open-Source Tools Rewriting How Developers Work With AI

From AI agents that run in isolated VMs to databases that forget like humans, these 34 projects represent a different kind of AI tooling—paranoid, practical, weird.

Marcus Chen-Ramirez·3 months ago·5 min read
Developer woman at dual monitors displaying code and analytics with neon pink-purple lighting and "30 Trending Open Source…

GitHub's AI Agent Explosion: 30 Tools Reshaping Dev Work

From $10 AI agents to browser-based coding assistants, GitHub's latest trending repos reveal how developers are hacking their own workflows with AI tools.

Zara Chen·5 months ago·7 min read
Man in dark hoodie standing before a whiteboard with handwritten notes, "think series" logo and "4 Rules for Safer AI" text…

IBM's Take on AI Agents: Less Skynet, More Assembly Line

IBM's Grant Miller argues against 'super agents' in favor of specialized AI systems. It's the principle of least privilege, repackaged for the AI era.

Mike Sullivan·4 months ago·6 min read
A shocked man gestures at a GitHub Copilot Pro+ billing screen displaying $46,567 in metered usage charges against a…

GitHub Copilot's $40 Plan Has a $40,000 Problem

A developer burned $40,000 in Copilot inference for $40. It's not a hack—it's how the billing was designed. Here's what it means for you.

Rachel "Rach" Kovacs·2 months ago·7 min read
Desktop with Command Prompt and browser warning of unsafe site, overlaid with illustration of robotic face with glowing…

What Happens When AI Gets Root Access to Your Computer

A YouTuber gave an AI agent root access to his Linux system. The results reveal both the promise and the friction of our autonomous software future.

Bob Reynolds·3 months ago·5 min read
Bearded man wearing glasses and a beanie gestures toward camera with confused expression, text reads "NOW WHAT?

Why Your AI Agent Sits Idle After Installation

Installing an AI agent takes 10 minutes. Making it actually useful takes 40 hours. Here's why the industry keeps solving the wrong problem.

Rachel "Rach" Kovacs·3 months ago·6 min read

RAG·vector embedding

2026-05-21
1,787 tokens1536-dimmodel text-embedding-3-small

This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.