I'm really tired of people saying "the agent did this" or posting agents' excuses as if they still think agents' behaviour is a safety layer, not a mere usability tool. Posts like this reinforce this misunderstanding in juniors instead of them learning to focus on the workflows and tools. "well, you should have used a better model." >> this is nothing any sane person even remotely knowledgeable will ever say. Non-deterministic systems gonna nondeterminist, so what? The issue is relying on CLI/imperative tools and seeing manual changes to subdomains as casual, when in reality there are a lot of implications to changing your domains (or anything about your hosting setup). This should be completely automatic, and the system to do this needs to be driven by GitOps with declarative truth, you know, the things the DevOps world has been perfecting and saying for the past 10 years?
The only missing interesting thing is: did this token file live inside the current project folder? Or did Cursor fully fail to constrain actions to the sane default? In either case I make a strong point to disallow agents accessing any git-ignored files even if inside the folder. This will prevent a whole breadth of similar problems, with minimal downside, plus you can always opt subsets of ignores back in where it makes sense.
One last point I want to make: do not trust just your agent harness. If it matters, at least require one or more layers of safety around the harness. Use sandboxes or runtime enforcement of rules. Do not accumulate state there, but use fresh environments for every session. This will reduce the risk of things like this happening by an order of magnitude.
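An added example, not part of the comment above: one way to enforce the "no git-ignored files, with explicit opt-ins" rule as a check in front of an agent's file-read tool. The function name `agent_may_read`, the `opt_in` glob list and the sample repository are assumptions made for illustration; the only external call is `git check-ignore`.

```python
import fnmatch
import subprocess
import tempfile
from pathlib import Path


def agent_may_read(root, candidate, opt_in=()):
    """Return (allowed, reason) for a path an agent tool call wants to open."""
    root = Path(root).resolve()
    # Resolve symlinks and ".." first, so a link cannot point outside the project.
    target = (root / candidate).resolve()
    try:
        rel = target.relative_to(root)
    except ValueError:
        return False, "outside project root"
    if rel.parts and rel.parts[0] == ".git":
        return False, "git metadata"
    rel_posix = rel.as_posix()
    # git check-ignore exits 0 if the path is ignored, 1 if not, 128 on error.
    proc = subprocess.run(
        ["git", "-C", str(root), "check-ignore", "-q", "--", rel_posix],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if proc.returncode == 1:
        return True, "not ignored"
    if proc.returncode != 0:
        return False, "git error, failing closed"
    # Ignored: allow only what the project owner explicitly opted back in.
    if any(fnmatch.fnmatch(rel_posix, pat) for pat in opt_in):
        return True, "ignored but opted back in"
    return False, "git-ignored"


def make_sample_repo():
    """Constructed sample project: one source file and two ignored paths."""
    root = Path(tempfile.mkdtemp(prefix="agent-guard-"))
    subprocess.run(["git", "init", "-q", str(root)], check=True)
    (root / ".gitignore").write_text(".env\nbuild/\n")
    (root / ".env").write_text("API_TOKEN=constructed-placeholder\n")
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hi')\n")
    (root / "build").mkdir()
    (root / "build" / "out.txt").write_text("artifact\n")
    return root


if __name__ == "__main__":
    repo = make_sample_repo()
    for path in ("src/app.py", ".env", "build/out.txt", "../elsewhere/token"):
        print(path, agent_may_read(repo, path, opt_in=("build/*",)))
```

A check like this belongs in the sandbox or tool wrapper around the harness rather than in the agent's prompt, so it holds regardless of what the model decides to do.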