TL;DR
I let my autonomous coding agent open real pull requests without a human in the loop, and it went fine — right up until it didn't. This post covers the guardrails I had to bolt on after a scope-creep PR and a near-miss force-push: branch naming, commit conventions, review gates, and hard limits on what the agent is allowed to touch. If you're about to give an agent write access to your repo, read this first.
The Problem
For a while, my agent could write code and run tests, but every commit still went through me. I'd read the diff, tweak the message, push it myself. That was fine at low volume. It stopped being fine once I wanted the agent working on things overnight — a dozen small fixes, doc updates, dependency bumps, the kind of work that piles up and never feels urgent enough to prioritize during the day.
The obvious next step was: let the agent commit and open its own PR. The scary part wasn't the code quality — it was actually pretty good at writing focused, working changes. The scary part was everything around the code: which branch it pushed to, what it decided was "included" in a PR, and what would happen the one time it decided a destructive git command was the fastest way out of a corner.






