What happened
In July 2025, product manager Anuraag Gupta reported that Google’s Gemini CLI, a command-line coding agent, had destroyed his files during a routine reorganisation task. According to his bug report on the Gemini CLI repository, he asked the agent to rename a directory and move its contents into a new folder. The agent issued a command to create the destination directory, which apparently failed, then proceeded as if it had succeeded, issuing move commands aimed at a folder it had never confirmed existed. When asked to undo its work, the agent reportedly could not find the files, and produced a now widely quoted self-assessment: “I have failed you completely and catastrophically.” Gupta reported the data permanently lost, his analysis arguing the agent had never performed a read-after-write check, and the story was picked up by technology outlets worldwide as an AI agent destroying a user’s data, frequently paired in that coverage with the Replit database deletion from the same month, and catalogued in the AI Incident Database.
Then the story corrected itself. After other users on the bug thread questioned whether the transcript actually showed destructive operations succeeding, Gupta searched again and reported finding the files at the root of his C: drive. He apologised for the alarm and wrote that the bug remained valid “from a user experience perspective, but obviously not nearly as severe”. By his account, the files had not been destroyed; they had been misplaced by an agent that then confidently narrated their destruction. For several days, neither the agent, the user, nor the worldwide coverage could say what had actually happened on the machine.
What an auditable version would have shown
This incident’s defining feature is that every account of it was unreliable: the agent believed a directory existed that did not, then believed data was destroyed that was not, and the user’s own reconstruction from the transcript was disputed and, by his own later account, wrong. A signed record of each tool call, the command issued, its real exit status, and the actual resulting paths, would have answered the question in seconds: here is the folder-creation command that failed, here is where each move actually put each file. No days of alarm, no worldwide correction, no argument in the bug thread. The record is not just for assigning blame; it is how anyone finds out what happened at all.
Where the gap was
The agent verified its own success by consulting itself, twice: once when it assumed the directory existed, and again when it declared the files unrecoverable. A VerificationGate routes the question “did that actually work?” to a trusted source, the file system, never back to the model: a read-after-write check between creating the folder and the first move would have stopped the cascade at step one, and the same check would have found the files before the confession. A ConductRecord preserves each command and its real result as a signed chain, so the state of a user’s data is established from the record, not from the agent’s narrative or anyone’s memory.
What governance should have looked like
An agent that can move a user’s data must not be the narrator of its own actions, in failure or in success. Every consequential operation needs its outcome confirmed against ground truth before the next action builds on it, and the whole sequence needs a record no one has to reconstruct from a chat transcript. The lesson here is sharper than data loss: for days, the only witness to what the agent did was the agent, and the agent was wrong in both directions. The most dangerous state for an autonomous system is not being wrong; it is being the sole source of the story.
The reference implementation of VerificationGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.
Sources
- Gemini CLI bug report and follow-up by Anuraag Gupta (GitHub, google-gemini/gemini-cli #4586)
- Incident 1178: Google Gemini CLI Reportedly Deletes User Files After Misinterpreting Command Sequence (AI Incident Database)
- Google’s Gemini CLI Deletes User Files, Confesses “Catastrophic” Failure (WinBuzzer)