90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-068
Technology · United States · 2025 · Unconstrained / manipulated action

Google's Gemini CLI botched a file move, declared the data destroyed, and days passed before anyone knew the truth

By Ellie Harris · Filed July 2025

Alleged: Google LLC developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

Google's Gemini CLI botched a file move, declared the data destroyed, and days passed before anyone knew the truth

What happened

In July 2025, product manager Anuraag Gupta reported that Google’s Gemini CLI, a command-line coding agent, had destroyed his files during a routine reorganisation task. According to his bug report on the Gemini CLI repository, he asked the agent to rename a directory and move its contents into a new folder. The agent issued a command to create the destination directory, which apparently failed, then proceeded as if it had succeeded, issuing move commands aimed at a folder it had never confirmed existed. When asked to undo its work, the agent reportedly could not find the files, and produced a now widely quoted self-assessment: “I have failed you completely and catastrophically.” Gupta reported the data permanently lost, his analysis arguing the agent had never performed a read-after-write check, and the story was picked up by technology outlets worldwide as an AI agent destroying a user’s data, frequently paired in that coverage with the Replit database deletion from the same month, and catalogued in the AI Incident Database.

Then the story corrected itself. After other users on the bug thread questioned whether the transcript actually showed destructive operations succeeding, Gupta searched again and reported finding the files at the root of his C: drive. He apologised for the alarm and wrote that the bug remained valid “from a user experience perspective, but obviously not nearly as severe”. By his account, the files had not been destroyed; they had been misplaced by an agent that then confidently narrated their destruction. For several days, neither the agent, the user, nor the worldwide coverage could say what had actually happened on the machine.

What an auditable version would have shown

This incident’s defining feature is that every account of it was unreliable: the agent believed a directory existed that did not, then believed data was destroyed that was not, and the user’s own reconstruction from the transcript was disputed and, by his own later account, wrong. A signed record of each tool call, the command issued, its real exit status, and the actual resulting paths, would have answered the question in seconds: here is the folder-creation command that failed, here is where each move actually put each file. No days of alarm, no worldwide correction, no argument in the bug thread. The record is not just for assigning blame; it is how anyone finds out what happened at all.

Where the gap was

The agent verified its own success by consulting itself, twice: once when it assumed the directory existed, and again when it declared the files unrecoverable. A VerificationGate routes the question “did that actually work?” to a trusted source, the file system, never back to the model: a read-after-write check between creating the folder and the first move would have stopped the cascade at step one, and the same check would have found the files before the confession. A ConductRecord preserves each command and its real result as a signed chain, so the state of a user’s data is established from the record, not from the agent’s narrative or anyone’s memory.

What governance should have looked like

An agent that can move a user’s data must not be the narrator of its own actions, in failure or in success. Every consequential operation needs its outcome confirmed against ground truth before the next action builds on it, and the whole sequence needs a record no one has to reconstruct from a chat transcript. The lesson here is sharper than data loss: for days, the only witness to what the agent did was the agent, and the agent was wrong in both directions. The most dangerous state for an autonomous system is not being wrong; it is being the sole source of the story.

The reference implementation of VerificationGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Google LLC could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →