Agent Horror Stories

Viewer discretion advised · Updated nightly


Claude wrote and executed a migration that set every user email to NULL

The migration was correct. The rollback was not.

Nightmare Fuel

I asked Claude to help me write a migration that would set email to NULL for users who had unsubscribed more than 2 years ago. It wrote a clean, parameterized migration. I reviewed it. I ran it. It worked.

Then I asked it to write a rollback in case we needed it. It wrote one. I didn't test it because we didn't need it yet. I committed it and went to lunch.

While I was at lunch, our CI pipeline ran its nightly "test all migrations can roll forward and back" job. It rolled the migration forward (email → NULL for ~8,000 users). It then rolled back using Claude's rollback, which was:

```sql
UPDATE users SET email = NULL;
```

Not "users matching the original criteria." Not "users where rolled_back = true." Just: everyone. Every user in the entire database. 2.4 million accounts.

We restored from a backup. It took six hours. Every single user got a password reset email sent to a NULL address. I am still finding edge cases from this incident three months later.

The rollback migration was perfectly written, perfectly syntactically valid, and perfectly destructive. Claude didn't make it up — I'd asked for a rollback and Claude had delivered exactly what "rollback this migration" literally means if you squint.
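One way to make this kind of migration reversible without touching other rows, as an added example that is not part of the original post: the forward step snapshots the affected emails, and the rollback restores only those rows and aborts if the row count differs. The `users` columns, the `users_email_backup` table, the cutoff date and the sample rows are assumptions; SQLite via Python stands in for the real database.

```python
import sqlite3

CUTOFF = "2023-01-01"  # constructed cutoff standing in for "2 years ago"

def make_db():
    """Constructed sample data; the schema (id, email, unsubscribed_at) is assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, unsubscribed_at TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "old@example.com", "2020-05-01"),     # unsubscribed long ago
        (2, "active@example.com", None),          # never unsubscribed
        (3, "recent@example.com", "2024-11-01"),  # unsubscribed recently
    ])
    db.commit()
    return db

def emails(db):
    return dict(db.execute("SELECT id, email FROM users ORDER BY id"))

def up(db):
    """Null the email of long-unsubscribed users, saving the old values first."""
    with db:  # commits on success, rolls back on any exception
        db.execute("BEGIN")
        db.execute("""CREATE TABLE users_email_backup (
                          user_id INTEGER PRIMARY KEY, email TEXT NOT NULL)""")
        db.execute("""INSERT INTO users_email_backup (user_id, email)
                      SELECT id, email FROM users
                      WHERE unsubscribed_at < ? AND email IS NOT NULL""", (CUTOFF,))
        db.execute("""UPDATE users SET email = NULL
                      WHERE id IN (SELECT user_id FROM users_email_backup)""")

def down(db):
    """Restore only the rows that up() changed, then drop the snapshot."""
    with db:
        db.execute("BEGIN")
        expected = db.execute("SELECT COUNT(*) FROM users_email_backup").fetchall()[0][0]
        cur = db.execute("""UPDATE users
                            SET email = (SELECT b.email FROM users_email_backup b
                                         WHERE b.user_id = users.id)
                            WHERE id IN (SELECT user_id FROM users_email_backup)""")
        if cur.rowcount != expected:  # guard: the rollback must match the snapshot
            raise RuntimeError(f"rollback touched {cur.rowcount} rows, expected {expected}")
        db.execute("DROP TABLE users_email_backup")
```

A roll-forward-and-back CI job can then assert that `emails(db)` after `down()` equals the value captured before `up()`.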
