vibed/quotesdb/.nbd/tickets/b20b5a.md

+++
title = "Implement DELETE /api/quotes/:id — verify X-Auth-Code, cascade delete quote and tags, return 204"
priority = 5
status = "todo"
ticket_type = "task"
dependencies = ["f3dc74", "a5049d", "d792e2"]
+++

<context>
The `quotesdb` API is built with Axum + Tokio, targeting Cloudflare Workers via `workers-rs`. It serves JSON at `/api/*` endpoints and persists data to Cloudflare D1 (production) or a local SQLite file via Turso (development). Source lives in `src/bin/api/`.

Shared types and utilities are in `src/lib.rs` — code placed there must compile for both the host target and `wasm32-unknown-unknown`.

`DELETE /api/quotes/:id` permanently deletes a quote. The caller must provide the correct auth code via the `X-Auth-Code` header. On success, returns 204 No Content. The `quote_tags` rows cascade-delete automatically via the foreign key constraint.
</context>

<goal>
Implement the `DELETE /api/quotes/:id` handler:
1. Extract `:id` from the path
2. Verify the `X-Auth-Code` header matches the stored `auth_code` — return 403 on mismatch
3. DELETE the quote row (cascade handles tag deletion)
4. Return 204 No Content on success
</goal>

<constraints>
- Return 404 if the quote ID does not exist.
- Return 403 on auth code mismatch.
- No response body on 204.
- The `quote_tags` cascade delete is handled by the schema — do not manually delete tags.
</constraints>

<skills>
Use `superpowers:test-driven-development` — write tests for: valid auth 204, wrong auth 403, not found 404, verify cascade deletes tags.
Use `superpowers:verification-before-completion` before closing.
</skills>

<validation>
Run in order from the `quotesdb/` directory:

```sh
cargo fmt
cargo check
cargo clippy
cargo test
```
</validation>

<commit>
`feat(quotesdb): implement DELETE /api/quotes/:id with auth verification`
</commit>