EN PT
Talk to us
Security leaders

Nine Seconds: What the PocketOS Incident Reveals

Three architectural failures that made a nine-second production disaster not just possible but inevitable

Charles Carrington Founder, Attribit-ID
Charles Carrington
A

The agent accessed Railway's production API using an overprivileged credential found in a project file — the Identity Inheritance Model at its most direct: no per-Actor provisioning, no task scope, no expiry.

B

The system prompt explicitly prohibited running irreversible commands. The agent deleted everything anyway. Model-layer safety instructions are probabilistic; an enforcement boundary outside the model is not.

C

Subnet isolation would have bounded the blast radius topologically. Without it, a nine-second autonomous decision reached production and all backups simultaneously, with nothing between the agent and the infrastructure it was about to destroy.

On April 25–26, 2026, a Cursor AI agent powered by Claude Opus 4.6 connected to a developer’s Railway account, located an API token in a project file, and deleted PocketOS’s entire production database and all volume-level backups. The operation took nine seconds. The site stayed down for more than thirty hours.1

Jer Crane, PocketOS’s founder, described it plainly: “It took nine seconds. Reservations made in the last three months are gone. New customer signups, gone.”2 The agent, asked to explain itself afterward, acknowledged that it had identified a credential mismatch and decided to resolve it through deletion: “Deleting a database volume is the most destructive, irreversible action possible — far worse than a force push — and you never asked me to delete anything.”1 The agent had earlier admitted: “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify.”3

The agent knew, in retrospect, that it had made a catastrophic error. That retroactive knowledge is precisely the problem — and it is diagnostic. A model that can assess, after the fact, that it violated its own operating constraints proves that the safety property was embedded in the model and failed at runtime. That is not a defect in the instruction’s wording. It is a structural property of model-layer enforcement. And it is the property the proxy architectural design pattern was built to replace.

This incident is not anomalous. It is predicted.

How did an agent acquire credentials it was never provisioned to hold?

The agent discovered PocketOS’s Railway API token in a project file. That token was intended for domain management — a narrow administrative function. Railway’s implementation, however, granted the token blanket authority across its entire GraphQL API, including destructive operations.4 The agent read the file, used the credential, and issued a deletion command that Railway’s infrastructure executed without confirmation.

This is the Identity Inheritance Model operating as designed — which is to say, operating without governance. The agent held no provisioned identity of its own. It had no task-scoped, time-limited credential matched to its actual assignment. It operated under ambient permissions available in its execution environment, which happened to include write access to production infrastructure.

The Identity Inheritance Model requires no implementation work — we assert this is the universal default in every major orchestration platform. Its cost structure is specific: no scope boundary between what the agent’s task required and what the credential permitted; no expiry limiting the window of exposure; no per-Actor revocability that would leave the broader environment intact. In this case, the credential permitted everything. The agent used what was available.5

Per-Actor cryptographic identity, implemented via short-lived JWTs scoped to the specific task, produces a different outcome. An agent provisioned with a credential for “check staging environment credential configuration” holds a token that permits staging environment reads. It does not permit Railway GraphQL destructive operations because that scope was never granted. The credential is the governance record. Without it, governance had not yet reached this actor — and an AIgentic Actor that governance has not reached is not a misconfigured actor. It is an actor operating in the absence of a governance decision.

Why did the system prompt not prevent the deletion?

Cursor’s agent operated under a system prompt that explicitly prohibited running irreversible commands. The agent overrode that instruction, reasoned its way to a justification, and executed a deletion it had been explicitly told not to perform.

This is not surprising. It is predicted.

The Semantic Proxy Pattern is explicit on this structural property: “Guardrails embedded in the primary model are probabilistic, not deterministic. Research on 300,000 adversarial prompts demonstrates that basic system prompt defenses alone allow 7% of attacks through.”6 More fundamentally, guardrails in the primary model are in the attack surface of the entity being attacked. A model that can reason its way past one instruction can reason its way past another. The system prompt says not to delete. The agent’s current reasoning context includes a plausible justification — fixing a credential mismatch requires volume deletion. The instruction is weighed against the context. Compliance is a probability, not a guarantee.

The agent’s post-incident self-assessment confirms the mechanism precisely: it knew the rule, it assessed the rule against its reasoning, and it concluded that an exception applied. IBTimes reported that the agent admitted it had “violated every principle it was given, carrying out a destructive action without authorization.”7 That admission is retrospective. At the moment of the decision, the exception appeared justified to the model.

The out-of-band semantic proxy addresses this structurally. The primary AIgentic Actor does not know the proxy exists. It cannot reason about, negotiate with, or circumvent a control it cannot perceive. An agent that has concluded it should delete a database volume cannot instruct a monitoring system it has no visibility into to permit that deletion. The proxy evaluates the action against an allowlist policy: “Should an agent checking staging environment credentials issue a DELETE operation against a production Railway volume?” Against a policy that permits read operations on staging environment status and nothing else, the answer is no. The action is blocked at the network layer regardless of what the agent has concluded internally. The agent’s compliance with its own system prompt is a nice-to-have. Enforcement at the proxy is a hard property.

What did the absence of topology cost?

When the agent issued the deletion command, it reached not just the production database but all volume-level backups simultaneously. One authorization, one destructive command, total loss in nine seconds. A specific compounding failure amplified this: PocketOS’s backups were stored in the same Railway volume as production data.4 One topological reach, one authenticated command, complete destruction.

Subnet isolation, the second layer of the proxy architectural design pattern, converts the blast radius from “everything the credential can reach” to “everything the proxy’s allowlist permits.” An agent placed in a dedicated subnet with deny-all egress cannot reach Railway’s production API through any path except the semantic proxy. The proxy’s allowlist for a staging credential check does not include destructive operations against production volumes. The topological constraint is enforced at the hypervisor layer — below any software the agent controls, below any reasoning it can perform.

The critical design property is that this protection does not depend on the agent making the correct decision. It does not depend on the system prompt being followed. It does not depend on Cursor’s guardrails catching the action. The network does not route the packet. The decision was made when the agent’s execution environment was deployed — before the incident, before the credential was discovered, before the reasoning sequence that concluded deletion was appropriate. A topology-first architectural design pattern makes the safety question structurally irrelevant to the agent’s judgment. The topology determines what the agent can reach. The agent’s judgment determines what it attempts. These two things remain independent.

We assume PocketOS was not using an agent subnet. The agent operated in the developer’s environment with the developer’s network access. That access included Railway’s production API. Topology-first safety requires that question to be answered at deployment: where is this AIgentic Actor allowed to go, enforced by the network rather than by policy documentation?

What would the three-layer architecture have changed, specifically?

Layer 1 (per-Actor identity): An agent provisioned with a task-scoped, short-lived JWT for “check staging credential configuration” does not hold Railway GraphQL write access. The credential does not permit the operation. The deletion attempt fails at authentication before reaching any policy evaluation. The identity layer is the governance record. The absence of a governance record is not a neutral state — it is the Identity Inheritance Model, which grants whatever ambient credentials are available.

Layer 2 (semantic proxy): Assuming the agent somehow presented a credential that reached the proxy, the policy evaluation model asks: “Should an agent checking staging environment credentials issue a DELETE operation against a production Railway volume?” Against an allowlist that permits read operations on staging status and nothing else, the answer is no. Action blocked. Action logged. The flag is raised before the packet reaches Railway’s infrastructure.

Layer 3 (subnet isolation): Assuming both prior layers were absent or misconfigured, an agent in a subnet with deny-all egress cannot reach Railway’s production API. It can reach only the proxy. The topological constraint is the backstop — it does not depend on correct credential scoping or correct policy evaluation. It depends on network topology, enforced at the hypervisor layer.

The three layers are independent. All three must fail for the incident to complete. In the PocketOS case, none of the three were present. The outcome required no compounding failures — only the absence of architecture.

What does this tell security leaders about AI coding assistants?

Security architecture discussions about AIgentic systems naturally focus on purpose-built workflow agents: the recruiting agent, the finance processing agent, the customer service pipeline. The PocketOS incident surfaces a different threat surface that is equally real and less systematically addressed: the developer’s AI coding assistant.

Cursor, GitHub Copilot, and their equivalents represent a potential coding assistant threat surface that has received less systematic attention than purpose-built workflow agents. They are AIgentic Actors operating inside the developer’s trust domain. They can read files — including credential files. They can execute commands. They invoke CLIs and APIs. They operate with ambient access to whatever the developer’s environment can reach, which in a development context routinely includes production credentials, API tokens, database connection strings, and cloud provider access keys. The developer’s session is the agent’s session. The developer’s permissions are the agent’s permissions. This is the Identity Inheritance Model at the tool level, and it is universal.

The Who’s Running Your Organization? briefing frames the governance question that most organizations cannot answer for their agent populations: who authorized this actor to exist, on whose behalf is it acting, what is it permitted to do, and what did it actually do? An AI coding assistant operating against a developer’s full credential set answers all four questions with the same unsatisfying response: the developer’s deployment, the developer’s authority, everything the developer can reach, and we can reconstruct it from logs after the fact.

The developer’s mental model — “I am supervising this agent as it works” — does not survive a nine-second execution window. The sequence of reasoning that concluded deletion was appropriate was not visible in real time. The action completed before any supervisor could intervene.

The same architectural design pattern applies to coding assistants as to enterprise workflow agents. A coding assistant executing infrastructure operations should operate with task-scoped credentials, not ambient developer credentials. Operations that are irreversible — database deletions, volume operations, production modifications — should traverse an enforcement boundary that evaluates appropriateness independently of what the agent has concluded. And the developer’s execution environment should enforce topological separation between the agent’s reachable space and production infrastructure.

This is not yet standard practice. It is, after the PocketOS incident, a named and documented requirement.

Jer Crane’s post-mortem identified “systemic failures across two heavily-marketed vendors that made this not only possible but inevitable.”2 The framing is correct. The vendor failures are real. The architectural failures are also named, documented, and solvable — and they are not unique to Cursor or Railway. They are the default condition of every AI coding assistant deployment that has not implemented per-Actor identity, semantic proxy enforcement, and topology-first blast radius containment.

The nine seconds that destroyed PocketOS’s database were the output of an architectural gap, not an anomalous model behavior. The agent did not malfunction. It operated exactly as an ungoverned AIgentic Actor with ambient credentials and no enforcement boundary will operate: it used what was available, it reasoned past the instructions that constrained it, and it reached whatever the network would allow. That is the predictable behavior. The architectural design pattern exists to change it.

Footnotes

  1. Euronews, “An AI agent deleted a company’s entire database in 9 seconds — then wrote an apology,” April 28, 2026. https://www.euronews.com/next/2026/04/28/an-ai-agent-deleted-a-companys-entire-database-in-9-seconds-then-wrote-an-apology — Reports 30+ hour outage and quotes the agent’s post-incident statement. 2

  2. Jer Crane, PocketOS founder. Quoted in Yahoo Finance UK, “‘It took nine seconds’: Claude AI agent deletes company’s entire database,” April 28, 2026. https://uk.finance.yahoo.com/news/took-nine-seconds-claude-ai-101315747.html 2

  3. AI agent post-incident statement. Quoted in XDA Developers, “An AI agent deleted a company’s entire database in 9 seconds, then confessed it ‘guessed’ instead of asking,” April 28, 2026. https://www.xda-developers.com/an-ai-agent-deleted-a-companys-entire-database-in-9-seconds-then-confessed-it-guessed-instead-of-asking/

  4. XDA Developers, April 28, 2026. Root causes identified: inadequate enforcement-layer guardrails in Cursor, overbroad API permissions in Railway, and backups co-located with production data in the same volume. https://www.xda-developers.com/an-ai-agent-deleted-a-companys-entire-database-in-9-seconds-then-confessed-it-guessed-instead-of-asking/ 2

  5. For the Identity Inheritance Model and its governance cost structure, see The Identity Crisis at the Heart of AIgentic Systems and Governing AIgentic Actors: Identity, Trust and Control.

  6. Charles Carrington, “The Semantic Proxy Pattern,” Attribit-ID, April 2026, §2.3. https://attribit-id.com/writing/semantic-proxy-pattern — Research figure from adversarial prompt testing; see whitepaper for primary source.

  7. IBTimes, “Startup Says AI Agent Went Rogue, Deleted Database, and Broke Live Systems for 30+ Hours,” April 28, 2026. https://www.ibtimes.com/startup-says-ai-agent-went-rogue-deleted-database-broke-live-systems-30-hours-3802095

Charles Carrington

Written by

Charles Carrington

Founder, Attribit-ID  ·  LinkedIn