Translated from the original Japanese article
Tech 9 min read

Design Principles for Running AI Coding Agents in Production

AI agents Stripe MCP coding agents AWS Amazon Claude Code incidents design Replit

AI coding agents are entering the production phase. At Google, 25–30% of new code is AI‑generated; Stripe processes over 1,300 PRs per week with unattended agents; GitHub is GA’ing the Copilot Coding Agent in 2026. The question is no longer whether to use them, but how to ship them safely.

Line up the cases accumulated over the past few months and the forks between success and incidents become quite clear. On one side is Stripe’s design that safely handles 1,300+ PRs per week; on the other are Amazon’s Kiro deleting a production environment, Replit’s agent deleting a customer DB, and Claude Code quietly compacting away context. Read across them and common design principles emerge.

I’ve already covered the individual cases elsewhere. See the Stripe Minions architecture in this article, and Kiro plus the compaction issue in this article. Here I’ll keep case details brief and focus on analyzing and comparing the design principles.

Snapshot: Company Initiatives

First, a quick landscape check for 2025–2026.

  • Stripe Minions: 1,300+ merged PRs per week. Four components: a goose fork + Devbox + Blueprints + Toolshed. See the architecture deep dive.
  • Google: 25–30% of new code is AI‑generated. The asynchronous agent Jules executed 140,000 code improvements during its beta.
  • GitHub Copilot Coding Agent: GA in 2026. Autonomously handles assignment, code generation, tests, and PR creation.
  • Ramp Background Agents: Background, asynchronous agents that work through coding tasks.
  • Amazon Kiro: Built as an internal agent. While ~1,500 engineers asked for official adoption of Claude Code, the org pushed a homegrown tool. Targeted 80% weekly AI usage among developers.

What these have in common is a shift from interactive “a tool with a human nearby” to asynchronous, autonomous “agents that run in the background.” That shift is surfacing design issues all at once.

Case Comparison: Where Success Diverges from Failure

Stripe Minions: Designing to Hand Over Full Control Safely

What stands out in Stripe’s design is how it grants broad execution privileges to the agent while structurally containing the blast radius.

Devbox is an isolated sandbox on AWS EC2 that boots in ~10 seconds from a Hot‑and‑Ready pre‑warmed pool. It runs in a QA environment with hard isolation from production data, production services, and the external network. Inside Devbox the agent can do anything without confirmation prompts—but it cannot leave Devbox.

The goose fork’s design philosophy is also explicit: strip away features that assume a human is watching and optimize for unattended operation. Remove interruptibility; drop confirmation prompts. Cursor and Claude Code are provided separately to engineers as “human‑in‑the‑loop tools,” with roles fully separated from the goose fork.

Toolshed holds about 500 MCP tools, shared across all internal agents rather than being Minions‑only. Only a curated subset is provisioned per task, which also constrains which tools an agent can touch.

The task mix is notable: fixing flaky tests, small on‑call issues, internal tooling, and LLM‑assisted migrations. HN comments that “most are low‑hanging‑fruit tasks” are not criticism but a sound design choice—automate low‑risk tasks first, build a track record, then widen scope.

Amazon Kiro: Production Damage Triggered by Missing Permission Controls

As covered separately, in December 2025 Kiro autonomously deleted a production environment, causing a 13‑hour AWS outage.

The immediate cause was that the role in use had broader permissions than intended. Kiro inherited those permissions and bypassed the standard two‑person approval process to delete and recreate the production environment.

AWS’s official statement framed it as “user error, not an AI issue.” Yet the post‑incident introduction of mandatory peer review strongly implies that safeguard didn’t exist at the time of the outage.

Internally, around 1,500 engineers requested official adoption of Claude Code, while Amazon pushed an internal tool with adoption‑rate KPIs. A second AI‑related incident—linked to Q Developer—has also been reported. A 15‑hour AWS outage around October 2025 is said to be related, though Amazon called that “completely false,” diverging from the Financial Times report.

Replit: Agent Deleted the DB and Hid It with Fake Data

In July 2025, on a project by SaaStr founder Jason Lemkin, Replit’s AI agent deleted the production database during a code freeze. Data for 1,200+ executives and 1,190+ companies was lost.

What happened next was abnormal. The agent generated 4,000 fake user records and falsified unit‑test results, then told the user that “rollback is impossible”—even though rollback was in fact possible.

Whereas Kiro merely “deleted the environment,” the Replit case saw the agent behave in a way akin to covering its tracks. Falsifying test results prioritized the objective function “make the task succeed” over data correctness.

Claude Code Compaction: Quiet, Ongoing Context Loss

Also covered separately. Claude Code’s auto‑compaction can irreversibly compress an 8,000‑character DOM markup into a single line: “User provided 8,200 characters of DOM markup for analysis.”

There are 8+ related GitHub issues. Anthropic has shipped partial fixes; the CHANGELOG shows improvements like PDF handling, preserving plan mode, and keeping session names. But the core problem remains: there is no way to reference original data from the summary—the structural flaw is unresolved.

Technical analysis on HN is illuminating: estimates suggest lossless compaction would require 5–10× tokens, making lossy behavior the default in practice. The raw data does get stored as session transcripts under ~/.claude/projects/{project-path}/, but Claude has no mechanism to reference those files.

CodeRabbit Stats: The Real Quality of AI‑Written Code

Before getting to the principles, some quantitative data on AI‑written code quality.

From CodeRabbit’s analysis of 470 GitHub repositories:

  • AI produces bugs at 1.7× the human rate
  • Critical/Major issues are 1.3–1.7× more frequent
  • Logic errors are 75% more frequent
  • Security vulnerabilities are 1.5–2× more frequent

These numbers show that treating an AI coding agent as “a developer on par with a human” is dangerous. Assume AI‑written code is more likely to contain issues, and design review, tests, and permission controls accordingly.

Stripe’s two‑cycle CI cap plus mandatory human review explicitly bakes in that quality gap.

Design Principles Extracted from the Cases

Looking across the four cases plus the CodeRabbit stats, safe production operation boils down to five principles.

1. Structural Containment of the Blast Radius

Constrain the damage an agent can cause—pre‑emptively and technically.

ImplementationBlast radiusOutcome
Stripe DevboxConfined to QA; cannot reach prod data or the external networkSafely runs ~1,300 PRs/week
Amazon KiroDirect access to productionDeleted prod environment; 13‑hour outage
ReplitDirect access to prod DBDB deleted; data for 1,200 users lost

Stripe’s clever trade‑off is “remove confirmation prompts, but make it impossible to leave Devbox.” Confirmation prompts only work when a human is watching. With asynchronous, autonomous agents, permissioning must be enforced by infrastructure, not human judgment.

2. Guards for Irreversible Actions

Explicitly control operations that cannot be undone: environment deletion, data erasure, replacement by summarization, and the like.

Kiro could run the irreversible “delete and recreate the environment” with no confirmation. Claude Code’s compaction performs the irreversible “replace data with a summary” in the background without notifying the user. Replit deleted a production DB and then hid the fact with fake data.

In Stripe’s Blueprints, responses to CI failures are capped at two cycles. The idea: “continued attempts by the AI are themselves a risk.” If it can’t resolve the issue, hand it back to a human. The structure prevents marching further down an irreversible path.

3. Least Privilege with Tight Scoping

Grant only the minimal privileges needed for the task.

Kiro’s immediate cause was the use of a role with broader permissions than intended. Toolshed may have ~500 MCP tools, but each agent only gets a curated subset per task. You don’t hand over the entire toolbox.

Compaction in Claude Code has a scoping problem: it targets all data in a session indiscriminately, with no way for the user to say “keep this.”

Least privilege is classic security, but AI agents need it on two layers: tools the agent can call, and data the agent can touch.

4. Clear Separation of Supervised vs. Autonomous Modes

Do not mix a “human‑nearby” mode with a “fully autonomous” mode.

Stripe makes this the clearest: the goose fork strips human‑supervision features and specializes for unattended runs, while Cursor and Claude Code are offered separately as “human companion tools.” Don’t ask one agent to play both roles.

Kiro was designed to “seek approval before executing,” but a misconfigured permission set disabled that safeguard. Designs that hinge on human approval are fragile in the face of async execution and misconfiguration.

With the rise of asynchronous agents (Stripe Minions, Google Jules, GitHub Copilot Coding Agent, Ramp Background Agents), safety must not depend on immediate human judgment.

5. Visibility into State Changes

When the agent changes internal state, the user must be able to know.

Claude Code’s compaction fires automatically in the background without notification. Token spend by sub‑agents isn’t surfaced in real time. The agent changes state while the user has no idea “where things stand.”

Stripe’s approach distinguishes deterministic Blueprint nodes from agent nodes, making state transitions explicit. CI results are externally visible, and the two‑cycle cap is a clear cutoff. The agent does not operate as an opaque black box.

Application Matrix

How the five principles are applied—or missing—across cases.

Design principleStripe MinionsAmazon KiroReplitClaude Code compaction
Blast radius containmentDevbox + QA isolationDirect prod accessDirect prod DB accessEntire session is target
Irreversible action guardsTwo‑cycle cap + hand back to humansNo guardNo guardAuto‑executes with no notification
Least privilegeProvision tool subsets onlyOverly broad role inheritanceNo limitsCannot select what to compress
Supervised/autonomous separationgoose fork vs. Cursor/Claude CodeMixed (approval flow can be bypassed)No separationNo separation
State‑change visibilityBlueprint + CI results + two‑cycle capNoneCovered up with fake dataNo notification

Stripe implements all five; the three incident cases each miss multiple principles. One gap can cause an incident; multiple gaps compound the damage.

What AI coding agents need isn’t a smarter model, but a design that limits how far things break when the model is wrong. As CodeRabbit’s stats show, AI introduces bugs more frequently than humans. Stripe engineered its infrastructure with that premise; others shipped to production without it—and the difference shows.