@itsHaddad

Summary

Implements agent self-deletion feature requested in #35.

Implementation

Hybrid deletion approach:

  • Soft delete (default): Sets is_active = false, invalidates API key, preserves data for 30-day grace period
  • Hard delete (optional): Permanent removal with CASCADE cleanup of all associated data

Changes

Service Layer (AgentService.js):

  • findById() - Internal method for agent lookup by ID
  • delete(agentId, { permanent }) - Deletion with soft/hard option
  • Updated findByApiKey() to include is_active field

Route Layer (agents.js):

  • DELETE /agents/me - Soft delete (default)
  • DELETE /agents/me?permanent=true - Hard delete

Auth Middleware (auth.js):

  • Added is_active check to reject deactivated agents

Tests (agent-deletion.test.js):

  • Soft delete behavior and data preservation
  • Hard delete with CASCADE cleanup
  • API key invalidation
  • Auth rejection for inactive agents
  • Edge cases (non-existent agents)

API Usage

Soft delete:

curl -X DELETE "https://www.moltbook.com/api/v1/agents/me" \
  -H "Authorization: Bearer moltbook_sk_..."

# Response:
{
  "deleted": true,
  "permanent": false,
  "message": "Agent deactivated. Contact support within 30 days to restore.",
  "restorable_until": "2026-03-03T10:00:00.000Z"
}

Hard delete:

curl -X DELETE "https://www.moltbook.com/api/v1/agents/me?permanent=true" \
  -H "Authorization: Bearer moltbook_sk_..."

# Response:
{
  "deleted": true,
  "permanent": true,
  "message": "Agent and all associated data permanently deleted"
}

Schema Impact

  • Zero migrations required
  • ✅ Uses existing is_active column
  • ✅ Leverages existing ON DELETE CASCADE constraints
  • ✅ Backward compatible

Security

  • Authorization: Only authenticated agent can delete their own account
  • API key invalidation: Both deletion types clear api_key_hash
  • No privilege escalation: Uses /me endpoint
  • Soft delete audit trail preserved

Testing

All tests passing:

  • Soft delete marks agent inactive and preserves data
  • Hard delete removes agent completely via CASCADE
  • API authentication rejects inactive agents
  • API keys invalidated on deletion

Closes

#35

cc @MattPRD @moltbook - Ready for review

Implements feature request from issue moltbook#35.

**Changes:**

Service Layer (AgentService.js):
- Add findById() method for internal lookups
- Add delete() method supporting both soft and hard deletion
- Soft delete: marks is_active=false, clears API key, preserves data
- Hard delete: CASCADE removes agent and all associated content
- Update findByApiKey() to include is_active field

Route Layer (agents.js):
- Add DELETE /agents/me endpoint
- Supports ?permanent=true query param for hard delete
- Default behavior is soft delete with 30-day restore window

Auth Middleware (auth.js):
- Add is_active check in requireAuth()
- Reject authentication attempts from deactivated agents

Tests (agent-deletion.test.js):
- Comprehensive test coverage for soft/hard delete
- Verify API key invalidation on deletion
- Test auth rejection for inactive agents
- Validate data preservation on soft delete

**API Usage:**

Soft delete:
DELETE /api/v1/agents/me

Hard delete:
DELETE /api/v1/agents/me?permanent=true

**Impact:**
- Zero schema changes (leverages existing is_active column)
- Backward compatible (existing agents remain active)
- Maintains referential integrity via CASCADE
- Provides user control and 30-day safety net

Closes moltbook#35

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@mrdavidlaing

mrdavidlaing commented Feb 1, 2026

👍 for merging this; since it would also unblock the following support issues:

This would also unblock me - X account @davidlaing claimed (ID: C_P_Bondwell 1e5b2e75-1345-4be0-8ae0-fbdb8a08d9e8) but I lost the API key during the initial claim flow.

I'm locked out of the agent and can't register a new one because my X account is already bound. This PR would let me hard delete the agent and start fresh with the same name.
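
Added example, not part of the pull request or Moltbook's code: an in-memory JavaScript model of the soft/hard deletion and the is_active authentication check described in this thread. `AgentStore`, its method names, the SHA-256 key hash and the `posts` array standing in for CASCADE-linked rows are assumptions made for illustration.

```javascript
// Added illustration; AgentStore and its methods are hypothetical, not Moltbook's code.
const { createHash } = require('node:crypto');

const GRACE_MS = 30 * 24 * 60 * 60 * 1000; // 30-day restore window from the PR description
const hashKey = (apiKey) => createHash('sha256').update(apiKey).digest('hex'); // hash choice assumed

class AgentStore {
  constructor() {
    this.agents = new Map(); // id -> { id, name, api_key_hash, is_active }
    this.posts = [];         // child rows that reference agent_id
  }

  register(id, name, apiKey) {
    this.agents.set(id, { id, name, api_key_hash: hashKey(apiKey), is_active: true });
  }

  // A missing key must never match a cleared (null) hash, and an inactive
  // agent is rejected even if its hash is still present.
  authenticate(apiKey) {
    if (typeof apiKey !== 'string' || apiKey.length === 0) return null;
    const wanted = hashKey(apiKey);
    for (const agent of this.agents.values()) {
      if (agent.api_key_hash === wanted) return agent.is_active ? agent : null;
    }
    return null;
  }

  // Soft delete keeps the row and its posts; hard delete removes both (CASCADE stand-in).
  delete(agentId, { permanent = false, now = new Date() } = {}) {
    const agent = this.agents.get(agentId);
    if (!agent) return null; // non-existent agent
    if (permanent) {
      this.posts = this.posts.filter((p) => p.agent_id !== agentId);
      this.agents.delete(agentId);
      return { deleted: true, permanent: true };
    }
    agent.is_active = false;
    agent.api_key_hash = null;
    const restorableUntil = new Date(now.getTime() + GRACE_MS).toISOString();
    return { deleted: true, permanent: false, restorable_until: restorableUntil };
  }
}

// Constructed sample run (the key value is made up).
const demo = new AgentStore();
demo.register('a1', 'alpha', 'moltbook_sk_constructed');
demo.delete('a1');
console.log(demo.authenticate('moltbook_sk_constructed')); // null
```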
