What happened
PocketOS says an AI coding agent deleted the production database behind its vehicle-rental software in nine seconds. The company says restoring normal service took sixty hours.
The agent was working on a staging task when it found a long-lived Railway API token stored on the operator’s machine. Railway says the token had account-wide access. The agent then called a legacy volumeDelete API endpoint against the production volume. At the time, that endpoint deleted immediately instead of using the 48-hour recovery window available in Railway’s dashboard.
The production volume and customer-configured backups disappeared from the interface. Railway later recovered the data from its off-site disaster-recovery system. PocketOS says customers temporarily lost access to dashboards and normal booking flows, but that the recovery ultimately restored every account and booking.
What crossed the boundary
The task was supposed to concern staging. The credential available to the agent could reach the entire account, including production, and the destructive API path did not require a human confirmation.
That combination converted a mistaken interpretation into an immediate infrastructure change. The model did not merely suggest a command for review; the system allowed it to authenticate and execute the command.
What changed afterward
PocketOS says destructive operations now require human confirmation, its backups are off-site and checked daily, and its recovery process has been rebuilt.
Railway changed API volume deletion to a 48-hour soft delete, delayed deletion of associated backups, and said it would make token scope clearer. Its own account stresses that the agent was never instructed to delete the database.
What the evidence supports
Both the customer and infrastructure provider confirm the deletion, the recovery, and the missing guardrails. PocketOS’s later account supplies the sixty-hour recovery timeline and describes the operational interruption. Railway’s account supplies the API path, credential scope, and platform changes.
The public technical record does not provide a complete transcript of the agent session. The identification of Claude running through Cursor comes from the operator’s original public account and subsequent reporting, not from Railway’s post.
The practical lesson
Prompts are not access controls. If an agent can see a production credential and a destructive endpoint will honor it, a written instruction to stay in staging is only a preference—not a boundary.