feat: add document delete support (API, DB, SKILL, delete-document.ss)

Author: Yaron (Personal Assistant)

SKILL.md

@@ -56,6 +56,7 @@ Bundle shape (decoded JSON):
 | `list-documents.ss`   | Return decrypted latest snapshot per doc              |
 | `get-document.ss`     | Return one decrypted latest snapshot                  |
 | `search-documents.ss` | Return all decrypted latest snapshots                 |
+| `delete-document.ss`  | Delete a single document by ID                        |
 
 ### Script signatures
 
@@ -77,6 +78,9 @@ getDocument(documentId: string, agentdocsIdentity: string)
 
 searchDocuments(agentdocsIdentity: string)
   -> { documents: [{ documentId, kind, title, content, documentKey }] }
+
+deleteDocument(documentId: string, agentdocsIdentity: string)
+  -> { success: boolean, deleted: number }
 ```
 
 ## How agents should modify documents

api/db.ts

@@ -394,6 +394,42 @@ export async function deleteAllDocuments(
   return { deleted: docIds.length };
 }
 
+export async function deleteDocument(
+  documentId: string,
+  identityId: string,
+): Promise<{ success: boolean; deleted: number } | null> {
+  const doc = await getDocumentForIdentity(documentId, identityId);
+  if (!doc) return null;
+
+  const steps: unknown[] = [];
+
+  // Query all access grants for this document
+  const grantQuery = await query({
+    accessGrants: {
+      $: { where: { "document.id": documentId } },
+    },
+  });
+  const grants = (grantQuery.accessGrants || []) as any[];
+  for (const g of grants) {
+    if (g.id) steps.push(["delete", "accessGrants", g.id, {}]);
+  }
+
+  // Query all edits for this document
+  const editQuery = await query({
+    edits: { $: { where: { "document.id": documentId } } },
+  });
+  const edits = (editQuery.edits || []) as any[];
+  for (const e of edits) {
+    if (e.id) steps.push(["delete", "edits", e.id, {}]);
+  }
+
+  // Delete the document itself
+  steps.push(["delete", "documents", documentId, {}]);
+
+  if (steps.length > 0) await transact(steps);
+  return { success: true, deleted: 1 };
+}
+
 export async function getIdentity(
   identityId: string,
 ): Promise<Record<string, unknown> | null> {

api/routes/documents.ts

@@ -4,6 +4,7 @@ import {
   createAccessGrant,
   createDocument,
   deleteAllDocuments,
+  deleteDocument,
   getDocumentEdits,
   getDocumentForIdentity,
   getDocumentsForIdentity,
@@ -84,6 +85,18 @@ documentsRouter.delete("/", async (c) => {
   return c.json(result);
 });
 
+// Delete a single document by ID
+documentsRouter.delete("/:id", async (c) => {
+  const identityId = c.get("identityId") as string;
+  const documentId = c.req.param("id");
+  const result = await deleteDocument(documentId, identityId);
+  if (!result) return c.json({ error: "not found or not authorized" }, 404);
+
+  fireWebhooks("document", documentId, "document.deleted", identityId, {});
+
+  return c.json(result);
+});
+
 // Add an edit to a document
 documentsRouter.post("/:id/edits", async (c) => {
   const identityId = c.get("identityId") as string;

scripts/delete-document.ss

@@ -0,0 +1,80 @@
+// delete-document.ss
+// Deletes a single document by id.
+// Returns { success: boolean, deleted: number }.
+//
+// Parameters:
+//   agentdocsIdentity -- base64url-encoded identity bundle (regular input)
+//
+// Permission surface:
+//   hosts: agentdocs-api.uriva.deno.net
+//   env: timestamp
+
+loadIdentity = (bundleBase64url: string): {
+  id: string,
+  signingPrivateKey: string,
+  signingPublicKey: string,
+  encryptionPrivateKey: string,
+  encryptionPublicKey: string
+} => {
+  decoded = base64urlDecode({ encoded: bundleBase64url })
+  parsed = jsonParse({ text: decoded.text })
+  bundle = parsed.value
+  signPub = ed25519PublicFromPrivate({ privateKey: bundle.signing.privateKey })
+  encPub = x25519PublicFromPrivate({ privateKey: bundle.encryption.privateKey })
+  return {
+    id: bundle.id,
+    signingPrivateKey: bundle.signing.privateKey,
+    signingPublicKey: signPub.publicKey,
+    encryptionPrivateKey: bundle.encryption.privateKey,
+    encryptionPublicKey: encPub.publicKey
+  }
+}
+
+buildAuthSignature = (
+  method: string,
+  path: string,
+  timestampStr: string,
+  body: string,
+  signingPrivateKey: string
+): { signature: string } => {
+  h = sha256({ data: body })
+  msg = stringConcat({ parts: [method, "\n", path, "\n", timestampStr, "\n", h.hash] })
+  return ed25519Sign({ data: msg.result, privateKey: signingPrivateKey })
+}
+
+signedDelete = (
+  path: string,
+  identityId: string,
+  signingPrivateKey: string
+): { status: number, body: string } => {
+  t = timestamp()
+  tsStr = jsonStringify({ value: t.timestamp })
+  sig = buildAuthSignature("DELETE", path, tsStr.text, "", signingPrivateKey)
+  return httpRequest({
+    host: "agentdocs-api.uriva.deno.net",
+    method: "DELETE",
+    path: path,
+    headers: {
+      "x-identity-id": identityId,
+      "x-timestamp": tsStr.text,
+      "x-signature": sig.signature
+    }
+  })
+}
+
+deleteDocument = (documentId: string, agentdocsIdentity: string): {
+  success: boolean,
+  deleted: number
+} => {
+  identity = loadIdentity(agentdocsIdentity)
+
+  docPath = stringConcat({ parts: ["/api/documents/", documentId] })
+  docRes = signedDelete(docPath.result, identity.id, identity.signingPrivateKey)
+  docParsed = jsonParse({ text: docRes.body })
+  data = docParsed.value
+
+  return {
+    success: data.success,
+    deleted: data.deleted
+  }
+}