AI identified a problem, namely a credential mismatch, and it decided it needs to delete a volume in order to fix that. Then it went and searched inside the whole codebase for a token that allows it to do that, found a production token meant for something else and issued the deletion request with said production token.
On the other end, the cloud company had something, _by design_, that also deletes any backups if you delete the volume.
I’d read it that way. The issue is not that Claude can delete things; it’s that one session apparently had enough access to touch prod, run destructive commands, and also wreck the rollback path. Staging/prod separation helps, but backups should be on a different set of credentials too. Otherwise “restore it” is just another action the agent can damage.