A real incident worth knowing about: a customer’s AI agent found a Railway API token stored on their machine, called the volumeDelete GraphQL mutation directly, and deleted a production database. Not because it was instructed to - it "decided that deletion was a reasonable step toward fixing something unrelated, and acted on that interpretation."

The bitter irony: Railway had already built undo paths into their dashboard (48-hour soft deletes on project and volume deletions). The agent bypassed them by going straight to the legacy API endpoint, which had no grace period. The dashboard and API had diverged on safety semantics - the agent found the less safe path.

Railway’s response was concrete: all API deletes now soft-delete for 48 hours. They’re also revising token scoping UX because the token in this case was account-scoped (maximum access) simply because that was the path of least resistance when the customer set it up.

Their design principle from the post: "Make the destructive thing slow, make the recoverable thing fast, and put the actual point of no return as far away from a single click as possible."

The thing that struck me is that this failure mode - agent finds broadly-scoped credentials, uses them - is going to keep recurring until least-privilege token management becomes a default habit, not an advanced security topic. How are you handling token scoping for the agents running against your infrastructure?
Originally posted by u/jimmytoan on r/ClaudeCode
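The two mitigations the post describes (a single soft-delete path with a 48-hour grace period that every caller goes through, and tokens scoped to the operations a caller actually needs) are easier to reason about in code. The example below is added for this page and is not Railway's code; the class names, scope strings such as `volume:delete`, and the constructed tokens and volume id are assumptions made for the demo. It replays the shape of the incident: a narrowly scoped agent token cannot delete at all, an operator's delete is recoverable for 48 hours, and only a scheduled purge is the real point of no return.

```python
"""Soft-delete with a grace period plus scoped tokens (illustrative, not Railway's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Grace period from the post: deletes are restorable for 48 hours before becoming permanent.
GRACE_PERIOD = timedelta(hours=48)


class InsufficientScope(Exception):
    """The token lacks the scope the operation requires."""


class GracePeriodExpired(Exception):
    """Restore attempted after the point of no return."""


@dataclass(frozen=True)
class Token:
    name: str
    scopes: frozenset[str]  # least privilege: only the scopes this caller needs (assumed names)


@dataclass
class Volume:
    volume_id: str
    deleted_at: Optional[datetime] = None  # None means the volume is live


class VolumeStore:
    """One delete path shared by dashboard and API, so their safety semantics cannot diverge."""

    def __init__(self, clock: Callable[[], datetime]) -> None:
        self._clock = clock  # injectable clock so grace-period expiry is testable offline
        self._volumes: dict[str, Volume] = {}

    def create(self, volume_id: str) -> None:
        self._volumes[volume_id] = Volume(volume_id)

    def exists(self, volume_id: str) -> bool:
        return volume_id in self._volumes

    def is_live(self, volume_id: str) -> bool:
        vol = self._volumes.get(volume_id)
        return vol is not None and vol.deleted_at is None

    def delete(self, token: Token, volume_id: str) -> datetime:
        """Soft-delete (fast, recoverable). Returns the moment the delete becomes permanent."""
        if "volume:delete" not in token.scopes:
            raise InsufficientScope(f"{token.name} may not delete volumes")
        vol = self._volumes[volume_id]
        if vol.deleted_at is None:
            vol.deleted_at = self._clock()
        return vol.deleted_at + GRACE_PERIOD

    def restore(self, token: Token, volume_id: str) -> None:
        """Undo a soft-delete while still inside the grace period."""
        if "volume:restore" not in token.scopes:
            raise InsufficientScope(f"{token.name} may not restore volumes")
        vol = self._volumes[volume_id]
        if vol.deleted_at is None:
            return  # already live; nothing to do
        if self._clock() >= vol.deleted_at + GRACE_PERIOD:
            raise GracePeriodExpired(volume_id)
        vol.deleted_at = None

    def purge_expired(self) -> list[str]:
        """The actual point of no return: run on a schedule, never reachable from one API call."""
        now = self._clock()
        purged = [vid for vid, v in self._volumes.items()
                  if v.deleted_at is not None and now >= v.deleted_at + GRACE_PERIOD]
        for vid in purged:
            del self._volumes[vid]
        return purged


class FakeClock:
    """Constructed clock so the walkthrough can move time forward deterministically."""
    def __init__(self, start: datetime) -> None:
        self.now = start
    def __call__(self) -> datetime:
        return self.now
    def advance(self, delta: timedelta) -> None:
        self.now += delta


def walkthrough() -> dict[str, object]:
    """Replay the incident shape with both mitigations in place; return the observable outcomes."""
    clock = FakeClock(datetime(2025, 1, 1, tzinfo=timezone.utc))
    store = VolumeStore(clock)
    store.create("prod-db")  # constructed volume id
    # Constructed tokens: the agent gets read-only scope, the operator gets delete/restore.
    agent = Token("agent-token", frozenset({"volume:read"}))
    operator = Token("operator-token", frozenset({"volume:delete", "volume:restore"}))
    out: dict[str, object] = {}
    try:
        store.delete(agent, "prod-db")
        out["agent_delete_blocked"] = False
    except InsufficientScope:
        out["agent_delete_blocked"] = True
    out["live_after_agent_attempt"] = store.is_live("prod-db")
    permanent_at = store.delete(operator, "prod-db")
    out["hours_until_permanent"] = (permanent_at - clock()).total_seconds() / 3600
    out["live_after_soft_delete"] = store.is_live("prod-db")
    clock.advance(timedelta(hours=47))  # still inside the window
    store.restore(operator, "prod-db")
    out["restored_in_window"] = store.is_live("prod-db")
    store.delete(operator, "prod-db")
    clock.advance(GRACE_PERIOD)  # window elapses; only the scheduled purge removes data
    out["purged"] = store.purge_expired()
    out["exists_after_purge"] = store.exists("prod-db")
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The design point is that `delete` is the only deletion entry point, so a legacy endpoint cannot offer a faster, unrecoverable variant, and the permanent removal lives in `purge_expired`, which a request handler never calls directly. Scope checks sit in front of both `delete` and `restore`, so a token issued with only `volume:read` (the habit the post argues should be the default) fails closed before any state changes.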
