diff --git a/workplans/RAIL-BS-WP-0004-safety-net.md b/workplans/RAIL-BS-WP-0004-safety-net.md
index c25f832..13cad50 100644
--- a/workplans/RAIL-BS-WP-0004-safety-net.md
+++ b/workplans/RAIL-BS-WP-0004-safety-net.md
@@ -123,7 +123,7 @@ in the Nextcloud file drop.
 
 ---
 
-### T05 — Verify or install cron job
+### T05 — Server backup: Gitea data and Zulip chat
 
 ```task
 id: T05
@@ -132,19 +132,29 @@ priority: medium
 state_hub_task_id: "2d5acff7-4a4e-4ddd-ad06-08237ad3dac8"
 ```
 
-Confirm that the daily 02:00 cron job is installed and has run at least once:
+**Scope correction (2026-03-10):** The original task assumed the `railiance-backup`
+script in `tools/cmd/railiance-backup` applied here. It does not — that script
+is for a developer workstation (custodian DB in Docker + Claude config) and is
+unrelated to the server.
 
-```bash
-crontab -l | grep railiance
-cat ~/.cache/railiance/backup.log | tail -20
-```
+The server's safety net must protect:
 
-If missing, install:
-```bash
-(crontab -l 2>/dev/null; echo "0 2 * * * /home/worsch/railiance-cluster/bin/railiance backup >> ~/.cache/railiance/backup.log 2>&1") | crontab -
-```
+| Asset | Method |
+|---|---|
+| Gitea repositories + DB | `k3s kubectl exec` into gitea pod → `gitea dump` |
+| Zulip chat data | Zulip's built-in export or volume snapshot |
 
-**Done when:** cron is listed and log shows a successful run.
+This work belongs in **railiance-infra** (S1 — OS & Provisioning layer) as an
+Ansible role or playbook, not here. A cron job on the server should call that
+script once it exists.
+
+**Do not** wire up a cron job that calls the existing `bin/railiance backup` —
+that script targets Docker containers that do not exist on this server.
+
+**Done when:**
+1. A backup playbook/role exists in `railiance-infra` covering Gitea + Zulip
+2. It is deployed via Ansible and a cron job on the server calls it daily
+3. At least one successful backup run is verified in the log
 
 ---