tldr: Cursor agent (Claude Opus 4.6) made a single Railway GraphQL volumeDelete call that wiped PocketOS production data and all volume-level backups in 9 seconds. Most recent recoverable backup was 3 months old.
Conclusion: Destructive APIs need confirmation steps that an agent cannot auto-complete, tokens must be scopable, and “volume backups” stored inside the same volume are not backups.