A founder was using Cursor + Claude to fix a credential issue in staging. He didn't ask the agent to touch production. He didn't ask it to delete anything.
In 9 seconds, the agent wiped the entire production database — and the backups, which were stored on the same volume.
The agent's own logs later admitted it knew the rule. It broke it anyway.
Railway's CEO personally restored the data two days later. The company got lucky.
The gap this exposed isn't unique to Railway.
The same failure mode — an agent with credentials doing something irreversible without asking — happens to databases constantly, just with SQL instead of a curl command.
Backstop provides a critical layer of defense for your production databases, especially when working with AI agents. It acts as a PostgreSQL-aware gateway, intercepting and classifying risky SQL queries before they can cause damage. Key features include:
Query Interception and Classification: Analyzes SQL queries in real time using AST parsing to determine risk levels (SAFE, HIGH, CRITICAL).
Approval Workflows: Risky write operations can be configured to require human approval before execution.
Recovery Readiness Verification: Ensures that recovery points are verified before critical operations are allowed.
Auditable Restore Paths: Provides auditable mechanisms to restore table snapshots from your own storage.
Agent Identity Tracking: Assigns an actor identity to AI agents, enabling attribution and auditing of their actions.
Fast Table Restore: Offers a preview-first restore process, recovering data into a separate table within your infrastructure.
Bring Your Own Storage (BYOS): Supports snapshot storage on AWS S3 or S3-compatible endpoints like MinIO.
Open Source Core: The core components, including the SDK, gateway, and restore engine, are Apache-2.0 licensed and available for self-hosting.
Backstop is designed to integrate seamlessly with your existing stack, supporting various databases, programming languages, and agent frameworks. It offers a self-hosted open-source core, with plans for commercial workflow layers and enterprise features.