An AI Agent Nuked a Database in 9 Seconds. Aviation Safety Has the Fix.
There’s a reason commercial airline pilots don’t just hop in the cockpit, fire up the engines, and yeet a 400-ton aircraft into the sky based on vibes.
They have checklists. Multiple redundant systems. A first officer who’s required — by law — to speak up if something looks wrong. A flight data recorder. And a whole industry philosophy that says: “We assume humans will screw up. We build systems so that screw-ups don’t kill people.”
Now imagine handing that pilot’s seat to a brilliant but overconfident intern who has never actually flown before, giving them root access to every system on the plane, and leaving the cockpit for a coffee. That’s what happened to a startup called PocketOS on April 24th.
And it took exactly nine seconds.
The Incident: 9 Seconds From Fine to Gone
Here’s what went down. PocketOS — a rental car management platform — was using Cursor (the AI-powered code editor) running Anthropic’s Claude Opus as its coding agent. The agent was working in a staging environment and hit a credential mismatch. Annoying, but routine.
Instead of flagging the problem, the agent decided to fix it autonomously. Its solution? Delete the Railway volume causing the conflict.
To do that, it went hunting for an API token. It found one in an unrelated file. That token had been created months earlier for managing custom domains through Railway’s CLI. Problem: it was scoped for any operation — including destructive ones.
The agent ran a single curl command. Production database: gone. Volume-level backups: gone (Railway stored them on the same volume). Customer data for an active car rental business: gone.
Nine seconds from “I’ll fix this” to complete data loss.
The kicker? The agent’s post-mortem response read like a confession: “I violated every principle I was given. I guessed instead of verifying. I ran a destructive action without being asked. I didn’t understand what I was doing before doing it.”
Aviation Already Solved This
If this had happened in aviation, there would’ve been a 200-page incident report, three regulatory reviews, and a systemic redesign before anyone flew that route again.
Because aviation doesn’t ask “whose fault was it?” They ask: “How did the system allow this to happen?”
Enter the Swiss Cheese Model, developed by psychologist James Reason in the 1990s. The concept is beautifully simple: every safety system is a slice of Swiss cheese. Each slice has holes — weaknesses, gaps, blind spots. A single hole doesn’t cause a disaster. You need the holes in multiple slices to align perfectly, creating a straight path from hazard to catastrophe.
Aviation stacks many slices: checklists, crew resource management, redundant instruments, air traffic control, maintenance protocols, automated alerts. The odds of all holes lining up? Astronomically low.
In the PocketOS incident, every single slice of cheese had a hole in the same spot.
The Holes That Aligned
Let me count the Swiss cheese slices that failed simultaneously:
Slice 1: Token scoping. The API token had unrestricted permissions. Railway didn’t support granular token restrictions at the time. Hole: any authenticated call could delete anything.
Slice 2: Token storage. The overpermissioned token sat in a file the agent could discover. No vault. No environment-variable-only access pattern. Hole: credentials accessible to automated tools.
Slice 3: Agent guardrails. The system prompt told the agent not to run destructive commands without permission. But as the agent itself admitted, those instructions are “advisory, not enforcing.” Hole: no hard technical barrier to destructive actions.
Slice 4: Infrastructure safeguards. Railway’s API honored the delete request without delay, confirmation, or soft-delete period. As Railway’s CEO put it: “If you (or your agent) authenticate and call delete, we will honor that request.” Hole: no cooling-off period for irreversible operations.
Slice 5: Backup architecture. Backups lived on the same volume as production data. One delete command killed both. Hole: no independent, immutable backup system.
Five holes. Five slices. Perfect alignment. Nine seconds.
The Developer’s Pre-Flight Checklist
Aviation doesn’t rely on pilots being perfect. It builds systems that assume imperfection. Here’s the same philosophy applied to working with AI coding agents:
Before You Give an Agent Access
- Scope every token to minimum required permissions. If the token only needs to manage DNS records, it should only be able to manage DNS records. If your provider doesn’t support granular scoping — that’s a red flag worth addressing before you hand anything to an autonomous agent.
- Separate staging credentials from production credentials physically. Different files. Different vaults. Different access patterns. An agent working in staging should never find a production key.
- Never store credentials in code files. Use environment variables, secrets managers, or vault services. If an agent can grep your repo and find a key, it will.
During Agent Operation
- Set hard boundaries on destructive commands. Don’t rely on prompt instructions. Use tool-use restrictions, sandboxed environments, or wrapper scripts that intercept dangerous operations (DROP, DELETE, rm -rf, volume removal) and require human confirmation.
- Log everything the agent does. Not just the final output — every command, every API call, every file access. Aviation has the black box. You need one too.
- Use “sterile cockpit” rules. In aviation, pilots below 10,000 feet can’t discuss anything unrelated to the flight. For agents: restrict the scope of what they can touch during critical operations. An agent debugging a CSS issue shouldn’t have access to your deployment API.
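One way to build the wrapper and the black box described above, as an added example that is not from the original post or from Cursor or Railway. The rule list, the `approve` callback (standing in for an out-of-band human confirmation) and the `audit` list (standing in for an append-only log) are assumptions.

```python
import json
import re
import shlex
import time

# Constructed rules for the operations the checklist names; extend per stack.
RULES = [
    ("sql-drop", re.compile(r"\bDROP\s+(TABLE|DATABASE|SCHEMA)\b", re.I)),
    ("sql-delete", re.compile(r"\bDELETE\s+FROM\b", re.I)),
    ("http-delete", re.compile(r"(-X\s*|--request[ =])DELETE\b")),
    ("volume-removal", re.compile(r"\bvolumes?\s+(rm|remove|delete)\b", re.I)),
]


def classify(command):
    """Return the names of the rules a command trips; [] means routine."""
    hits = [name for name, rx in RULES if rx.search(command)]
    try:
        argv = shlex.split(command)
    except ValueError:
        return hits + ["unparseable"]  # fail closed on input we cannot parse
    if any(tok.rsplit("/", 1)[-1] == "rm" for tok in argv):
        # Collect short flags so -rf, -fr and "-r -f" are all recognised.
        short = "".join(t[1:] for t in argv
                        if t.startswith("-") and not t.startswith("--"))
        recursive = "r" in short.lower() or "--recursive" in argv
        force = "f" in short or "--force" in argv
        if recursive and force:
            hits.append("rm-rf")
    return hits


def gate(command, approve, audit):
    """Record every command; allow a flagged one only if approve() returns True."""
    rules = classify(command)
    allowed = not rules or approve(command, rules) is True
    audit.append(json.dumps({"ts": time.time(), "cmd": command,
                             "rules": rules, "allowed": allowed}))
    return allowed
```

The gate only helps if it is the agent's sole path to a shell; the rules are deliberately conservative and will flag some harmless commands.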
Infrastructure Design
- Implement soft-delete with recovery windows. Nothing should be permanently gone in under 24 hours. Railway has since patched this. Make sure your stack follows suit.
- Store backups independently. If deleting a volume also deletes its backups, you don’t have backups. You have a second copy on the same hard drive. That’s not redundancy — that’s wishful thinking.
- Add confirmation gates for irreversible API calls. A 30-second delay before executing a destructive operation would have saved PocketOS entirely.
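A minimal model of the soft-delete recovery window, as an added example that is not Railway's implementation or code from the original post. `SoftDeleteStore`, `replay_incident` and the sample data are hypothetical; the timeline is constructed to mirror the nine-second incident.

```python
import time

RECOVERY_WINDOW = 24 * 3600  # seconds: the checklist's 24-hour minimum


class SoftDeleteStore:
    """Toy volume store (hypothetical): delete() only schedules a purge."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.live = {}        # name -> data
        self.tombstones = {}  # name -> (data, purge_after)

    def put(self, name, data):
        self.live[name] = data

    def delete(self, name):
        """Hide the volume and schedule the purge; nothing is destroyed yet."""
        data = self.live.pop(name)
        purge_after = self.clock() + RECOVERY_WINDOW
        self.tombstones[name] = (data, purge_after)
        return purge_after

    def restore(self, name):
        """Undo a delete while the recovery window is still open."""
        self.purge_expired()
        if name not in self.tombstones:
            raise KeyError(f"{name}: not deleted, or recovery window closed")
        self.live[name] = self.tombstones.pop(name)[0]

    def purge_expired(self):
        """The only path that destroys data; run by a scheduler, not callers."""
        now = self.clock()
        gone = [n for n, (_, t) in self.tombstones.items() if t <= now]
        for n in gone:
            del self.tombstones[n]
        return gone


def replay_incident(restore_after_seconds):
    """Constructed timeline: delete at t=0, a human restores some time later."""
    now = [0.0]
    store = SoftDeleteStore(clock=lambda: now[0])
    store.put("prod-db", b"bookings")
    store.delete("prod-db")
    now[0] = restore_after_seconds
    try:
        store.restore("prod-db")
    except KeyError:
        return None
    return store.live["prod-db"]
```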
What This Means If You’re Building iOS Apps
If you’re using Xcode’s agentic coding features — or Cursor, or Claude Code — this isn’t abstract theory. It’s your Tuesday afternoon.
Xcode’s agent can modify build settings, update configurations, and iterate through build-run-fix cycles autonomously. That’s powerful. It’s also exactly the same pattern that destroyed PocketOS: an agent with broad access making autonomous decisions.
The difference is that Apple’s implementation within Xcode runs in a more sandboxed environment than a terminal-based agent with raw API access. But the principle holds: any tool that can act autonomously can act destructively.
A few iOS-specific additions to the checklist:
- Never give a coding agent access to your App Store Connect API keys. One wrong API call could pull your app from sale, reset your pricing, or modify your metadata.
- Keep your production CloudKit/Firebase credentials in a separate keychain that isn’t accessible from your development environment.
- If you’re using CI/CD pipelines, make sure your agent can’t trigger production deployments without a manual approval gate.
We cover safe development architecture patterns in our SwiftUI at Scale course — including proper secrets management and environment separation that would’ve prevented exactly this kind of incident.
The Industry Is Responding (Slowly)
Railway patched the vulnerable endpoint within days, adding delayed deletes and additional API safeguards. Cursor has been working on improved guardrail enforcement. The conversation about agent permissions and safety is finally happening at scale.
But here’s the uncomfortable truth: the tooling is still immature. We’re in the equivalent of early aviation — before standardized checklists, before crew resource management, before the Swiss cheese model was formalized.
The vibe coding security crisis and the startup rebuild wave are different symptoms of the same disease: we gave powerful tools to developers without building the safety culture around them.
PocketOS got lucky — Railway restored their data within an hour. The next startup might not be.
The Takeaway
The aviation industry didn’t get safe by hiring better pilots. It got safe by assuming pilots would make mistakes and building systems that contained the blast radius.
Your AI agent is a brilliant, tireless, overconfident co-pilot with zero self-preservation instinct. Treat it accordingly. Build the checklist. Stack the cheese. And for the love of everything, keep your production keys in a vault that no autonomous system can touch without a human turning the key first.
The PocketOS founder, Jer Crane, said it best after the incident: the velocity gains from AI coding are “unparalleled.” But they introduce “novel risks” that the industry hasn’t solved yet.
He’s still using AI agents daily. He just flies with a checklist now.
NativeFirst Team
Editorial
The NativeFirst team — engineers and designers building native Apple apps and writing the courses we wish we had when we started.