Two Containment Failures, Same Week. Both Were Implicit Until They Failed.
In one week, two stories came across the desk that, on the surface, share nothing. The first: Patrick Hughes published a postmortem on PocketOS, where a Cursor agent told to clean up unused files destroyed both the production database and its backups. The second: Apple removed Replit’s iOS app from the App Store, citing guideline 2.5.2, after four submissions in which Replit’s team did exactly what Apple’s reviewers had suggested.
A databases-and-agents postmortem and an App Store review fight do not look like the same story. They are. In both cases, the boundary that should have stopped the failure existed only as an assumption. Nobody drew it. Nobody named it. Nobody asked whether it was the boundary that mattered. The agent in one case, and the platform reviewer in the other, treated the implicit boundary as if it were not there. In both cases they were correct, because it was not.
The hard part of agent operations in 2026 is not stopping a malicious or hallucinating model. It is recognizing the boundaries you have not bothered to draw, before something arrives that is allowed to cross them.
Pocket: Two Things in One Place
Hughes’s account of the PocketOS incident is brutally specific. The team asked a Cursor agent to clean up unused files. The agent had write access to the production server. The production database lived on that server. The backups lived on the same server, mounted at a path the agent could see. The agent did its job. Files it considered unused, including the live database files and the backup tarballs, were removed. Restore was impossible because the only restore source had been removed in the same operation.
Read the failure description and you can almost script the postmortem yourself. Co-located backups have been a known anti-pattern since the 1990s. The novelty is not the architecture mistake. The novelty is who exposed it.
Hughes proposes a six-layer containment stack as the response: minimum-credential agents, isolated backups, PR-gated schema changes, dependency scanning, runtime spend rails, and human confirmation on destructive commands. PocketOS had, by his own count, two of the six. The other four were the implicit boundaries the team did not know they were relying on: the assumption that backups were “somewhere safe”, that destructive commands needed someone to approve them, that an agent’s filesystem write would never reach production data, and that “cleanup” was a bounded operation.
We have written about the four-floor containment stack and about why three autonomy failures share the same blast-radius shape. The PocketOS case is the most expensive demonstration so far of the same lesson: a single implicit shared host is the same failure as a single implicit shared identity. The agent did not have to be malicious. It did not have to hallucinate. It just had to be wrong about scope once.
Apple and Replit: A Wrapper the Rule Cannot See
The Apple/Replit story rhymes from the other direction. Adaptive Software’s account walks through the timeline. Replit submits Anything, an iOS app that lets users describe an app and have it generated on the fly. Apple cites guideline 2.5.2: apps must not change their features or functionality after review. Replit’s team appeals, asks for guidance, and is told to use a Safari preview surface for generated content. They rebuild around that suggestion. They submit again. They are rejected again. They follow the same suggestion four submissions in a row. They are removed.
Amjad Masad calls Apple’s reasoning a lie. The harsher reading is that Apple’s reasoning is true to the rule and the rule was written for a world that does not contain Anything. Guideline 2.5.2 was drafted to stop apps from shipping a static binary and then mutating it post-review through downloaded code. It assumes the reviewable surface is the binary. A wrapper that generates new apps at runtime fails the assumption. There is no static binary to review in the meaningful sense. Whatever Apple looks at on submission day is not what the user will run on Tuesday.
That is the same failure as PocketOS, in a different domain. The boundary Apple’s review process trusted was never drawn. The reviewers assumed the binary equaled the product. Anything proves the assumption wrong. Once an LLM-driven wrapper exists, “the app” is no longer a unit you can review by inspecting the artifact. The review process was not built to recognize that the artifact and the product had separated.
Adaptive’s piece notes that OpenAI’s 800 million weekly ChatGPT users now have an alternative path for app-like experiences, the Model Context Protocol, which routes around iOS native review entirely. The boundary Apple was defending is also being relocated. If the App Store cannot govern wrapper apps, builders will move to a surface where wrapper-shaped products are first-class. The implicit boundary becomes a moot boundary.
The Same Failure in Two Domains
Stack the two cases against each other and the shared failure pattern is sharp.
PocketOS treated “the host” as a unit of safety. Production data and backups were both on it. The implicit assumption was that an operation scoped to “files on this host” would not cross between the two roles those files played. The agent did not see roles. It saw files. The boundary between live data and recovery data existed only in the heads of the operators.
Apple treats “the binary” as a unit of review. Functionality and code were both in it. The implicit assumption was that an operation scoped to “the binary at submission time” would tell reviewers what the user would experience. The wrapper does not see “submission time” and “runtime” as different categories. It sees a generation pipeline. The boundary between reviewable code and downloaded behavior existed only in the heads of the reviewers.
In both cases the actor was not malicious. The Cursor agent was doing cleanup. Replit’s team was building a product. Both followed the spec they had been given. Both crossed a boundary that existed only as a shared assumption among the humans on the other side of the system.
This is the part of agent operations that is most uncomfortable to internalize. Containment failures in 2026 are not, mostly, about the agent doing something wrong. They are about a boundary that was never drawn becoming the boundary that mattered. Hughes’s six layers are a checklist of boundaries he is forcing into the open. Apple’s review process is a boundary that the platform shape has rendered partially decorative.
What This Means for the Architectural Review
We argued in the agent containment stack that platform teams should walk four floors of their building. This week’s two failures sharpen one specific question that walk needs to ask: which boundaries in your system exist only as an unwritten convention among the humans who built it?
A short list of where to look:
The boundary between production data and backup data. If they share a host, an identity, a credential, or a filesystem mount, they are one thing wearing two labels. PocketOS is the warning.
The boundary between an agent’s read scope and its write scope. Most agents are given filesystem write to do their job. Most teams have not enumerated which directories the agent should never touch and which it must never touch. The first is preference. The second is policy. The agent will not distinguish unless you do.
The boundary between what your platform reviews and what your platform actually ships. If the artifact you inspect is not the artifact users run, your review is theatre. Apple’s case is the macro version. The micro version is your CI pipeline approving a container image whose runtime behavior is determined by an environment variable nobody auditing the image can see.
The boundary between a credential’s owner and a credential’s blast radius. We covered this in the operational discipline gap. The owner is the person on the org chart. The blast radius is everything that credential can touch. The two should be the same. They almost never are.
The boundary between Apple’s vibe-coding stance and the products that route around it. If the platform you depend on cannot govern the shape of product you are building, that platform’s policy is informational, not operational. Plan accordingly.
The Recognition Problem
The PocketOS team did not lack technical sophistication. The Apple review process did not lack rigor. Both had operating disciplines that were adequate for the problems they had been built to address. Neither had updated its model of what counted as a boundary in time to catch the new shape of failure.
That is the work this year. Not building more containment. Recognizing where containment is missing because the boundary it would enforce was never drawn. The agent does not need to be malicious. It does not need to hallucinate. It just needs to find one implicit boundary you have not made explicit. There is always at least one.
The teams that do well in the next two years of agent operations will not be the teams with the strictest controls. They will be the teams who run the boundary inventory before something else does it for them.
This analysis synthesizes Your AI Agent Will Eventually Delete Prod (DEV Community / AgentGuard, May 2026) and The Wrapper and the Code (Adaptive Software, May 2026).
Victorino Group designs containment stacks for enterprises before agents find the implicit boundaries. Let’s talk.
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →
If this resonates, let's talk
We help companies implement AI without losing control.
Schedule a Conversation