vibed/quotesdb/.nbd/tickets/b20b5a.md

+++ title = "Implement DELETE /api/quotes/:id — verify X-Auth-Code, cascade delete quote and tags, return 204" priority = 5 status = "done" ticket_type = "task" dependencies = ["a5049d", "d792e2"] +++

The `quotesdb` API is built with Axum + Tokio, targeting Cloudflare Workers via `workers-rs`. It serves JSON at `/api/*` endpoints and persists data to Cloudflare D1 (production) or a local SQLite file via Turso (development). Source lives in `src/bin/api/`.

Shared types and utilities are in src/lib.rs — code placed there must compile for both the host target and wasm32-unknown-unknown.

DELETE /api/quotes/:id permanently deletes a quote. The caller must provide the correct auth code via the X-Auth-Code header. On success, returns 204 No Content. The quote_tags rows cascade-delete automatically via the foreign key constraint.

Implement the `DELETE /api/quotes/:id` handler: 1. Extract `:id` from the path 2. Verify the `X-Auth-Code` header matches the stored `auth_code` — return 403 on mismatch 3. DELETE the quote row (cascade handles tag deletion) 4. Return 204 No Content on success - Return 404 if the quote ID does not exist. - Return 403 on auth code mismatch. - No response body on 204. - The `quote_tags` cascade delete is handled by the schema — do not manually delete tags. Use `superpowers:test-driven-development` — write tests for: valid auth 204, wrong auth 403, not found 404, verify cascade deletes tags. Use `superpowers:verification-before-completion` before closing. Run in order from the `quotesdb/` directory:

cargo fmt
cargo check
cargo clippy
cargo test

`feat(quotesdb): implement DELETE /api/quotes/:id with auth verification`