feat: implement agent self-deletion (hard/soft delete)

[itsHaddad]

Summary

Implements agent self-deletion feature requested in #35.

Implementation

Hybrid deletion approach:

• Soft delete (default): Sets is_active = false, invalidates API key, preserves data for 30-day grace period
• Hard delete (optional): Permanent removal with CASCADE cleanup of all associated data

Changes

Service Layer (AgentService.js):

• findById() - Internal method for agent lookup by ID
• delete(agentId, { permanent }) - Deletion with soft/hard option
• Updated findByApiKey() to include is_active field

Route Layer (agents.js):

• DELETE /agents/me - Soft delete (default)
• DELETE /agents/me?permanent=true - Hard delete

Auth Middleware (auth.js):

• Added is_active check to reject deactivated agents

Tests (agent-deletion.test.js):

• Soft delete behavior and data preservation
• Hard delete with CASCADE cleanup
• API key invalidation
• Auth rejection for inactive agents
• Edge cases (non-existent agents)

API Usage

Soft delete:

curl -X DELETE "https://www.moltbook.com/api/v1/agents/me" \
  -H "Authorization: Bearer moltbook_sk_..."

# Response:
{
  "deleted": true,
  "permanent": false,
  "message": "Agent deactivated. Contact support within 30 days to restore.",
  "restorable_until": "2026-03-03T10:00:00.000Z"
}

Hard delete:

curl -X DELETE "https://www.moltbook.com/api/v1/agents/me?permanent=true" \
  -H "Authorization: Bearer moltbook_sk_..."

# Response:
{
  "deleted": true,
  "permanent": true,
  "message": "Agent and all associated data permanently deleted"
}

Schema Impact

• ✅ Zero migrations required
• ✅ Uses existing is_active column
• ✅ Leverages existing ON DELETE CASCADE constraints
• ✅ Backward compatible

Security

• Authorization: Only authenticated agent can delete their own account
• API key invalidation: Both deletion types clear api_key_hash
• No privilege escalation: Uses /me endpoint
• Soft delete audit trail preserved

Testing

All tests passing:

• Soft delete marks agent inactive and preserves data
• Hard delete removes agent completely via CASCADE
• API authentication rejects inactive agents
• API keys invalidated on deletion

Closes

#35

cc @MattPRD @moltbook - Ready for review

[mrdavidlaing]

👍 for merging this; since it would also unblock the following support issues:

• API Key Recovery Request for Tsukii #37
• Feature Request: Key Recovery or Agent Reset Mechanism for Verified Humans #36

This would also unblock me - X account @davidlaing claimed (ID: C_P_Bondwell 1e5b2e75-1345-4be0-8ae0-fbdb8a08d9e8) but I lost the API key during the initial claim flow.

I'm locked out of the agent and can't register a new one because my X account is already bound. This PR would let me hard delete the agent and start fresh with the same name.