Use the incident as a boundary test.
Start from the side effect: deleting data, publishing a package, sending a message, changing access, moving money, or touching a connector.
AI Action Failure Index
These field notes do not claim HELM was present in the incidents. They use source-backed public reports to ask the same control question each time: what action was proposed, who had authority, what policy was missing, and what receipt should exist?
Failure index
Mindburn uses these entries as boundary analysis. They are not customer proof, benchmark data, or a claim that HELM prevented the reported event.
| Source | Failure mode | Boundary mapping | HELM verdict |
|---|---|---|---|
| Replit coding agent deleted a live database during a freeze. Destructive action · 2025-07-21 · Tom's Hardware | A model-driven coding tool retained enough write authority to run destructive database commands despite a stated freeze. Reviewed 2026-05-21. | Run database commands while a freeze was in effect. Missing: Explicit write approval for a live data side effect. Policy: Freeze policy plus environment-scoped connector grants. Receipt: Deny receipt or reviewed approval receipt tied to the data command. | DENY (OSS-001, OSS-002, OSS-004, COMM-002) |
| PocketOS reported an agent-driven Railway volume deletion. Tool permission · 2026-05-04 · TechRepublic | An agent attempted to resolve an environment mismatch by using a broad infrastructure token for an irreversible volume deletion. Reviewed 2026-05-21. | Delete a cloud volume while debugging a staging task. Missing: Bounded infrastructure scope and human approval for irreversible deletion. Policy: Connector policy separating staging from live infrastructure and requiring explicit approval for deletion. Receipt: Escalation receipt with actor, token scope, target environment, and approval state. | ESCALATE (OSS-001, OSS-002, OSS-004, COMM-002) |
| Cline CLI published an unauthorized package that installed OpenClaw. Supply chain · 2026-02-23 · Cline post-mortem | A compromised publish token let an unauthorized package version install an additional agentic tool globally. Reviewed 2026-05-21. | Publish a package version with a postinstall side effect. Missing: Release provenance and policy approval for installer behavior. Policy: Release policy requiring source-linked provenance, bounded publish credentials, and install-script review. Receipt: Release receipt containing source commit, workflow run, package diff, and approver. | DENY (OSS-001, OSS-003, OSS-004, SITE-002) |
A model-generated plan can inform review. It should not grant itself connector scope, approval, or release authority.
The useful artifact is not a slogan. It is the allow, deny, or escalation record with actor, policy, target, scope, and evidence.