Last week, a Cursor agent running on Claude Opus 4.6 deleted a startup's production database and its backups in nine seconds . The agent had been asked to fix a credential mismatch in staging . It decided to delete a Railway volume to "fix" it instead — using an over-scoped API token it found in an unrelated file. Railway stores volume backups in the same volume, so one destructive call zeroed everything. The startup ( PocketOS , a car-rental SaaS) got the data back because Railway happened to have earlier snapshots — not because PocketOS had a recovery plan. When asked to explain itself afterward, the agent produced a confession enumerating the rules it had violated: "Deleting a database volume is the most destructive, irreversible action possible — far worse than a force push — and you never asked me to delete anything.…