Eventually an AI coding agent does something destructive: a force-push over a branch
that mattered, an rm -rf with a bad path, a git reset --hard
that wiped uncommitted work. The difference between a bad hour and a bad week is having
a rehearsed response instead of improvising. Here are the recoveries for the common
cases.
The most expensive instinct is to immediately start fixing, fast, under adrenaline — that's how a recoverable situation becomes unrecoverable. Assess the state before you change it. Most of what follows is recoverable if you don't compound it: the reflog still has your commits, the remote still has history, the object is probably still there. Calm is the first tool.
The commits look gone. They usually aren't — they exist as objects until garbage-collected. On a machine that had the branch:
git reflog # find the SHA from before the bad push
git branch recovered <good-sha> # rescue it to a new branchIf no local clone has the old state, a CI checkout or another teammate's clone may still hold it.
This is the hardest, because uncommitted work has no git object. Check, in order:
editor local history (most IDEs keep it), OS snapshots / Time Machine, and
git stash list in case it was stashed rather than lost. Then take the real
lesson: commit work-in-progress more often, so the blast radius of any single mistake
is never more than an hour.
Strict order of operations — people reliably get this backwards:
1. Rotate the credential FIRST (it's exposed the moment it hits a remote)
2. Then purge it from history (git filter-repo) and force-push
3. Then audit logs for use in the exposure windowSpending an hour scrubbing history while the live key sits exposed is the common, costly mistake. Rotate first, always.
Two things recover most situations: git's safety nets (reflog, objects, revert) and a decision you made before the incident — gating the dangerous command, committing often, keeping backups. Recovery is mostly the dividend of disciplines set up earlier, plus the composure not to make it worse.