Secure Asset Delete

Feature Owner: Joshua Uriel Tribiana
Module: Develop
Priority: P1
Week 5 Sprint: Fully Implemented
Date: 06-30-2026

EXECUTIVE SUMMARY

What is this feature?
Secure Asset Delete adds a safe, explicit deletion workflow for creator-uploaded assets. Instead of allowing immediate hard deletion, the system first moves assets to trash, then requires a second, explicit confirmation step to permanently remove them from storage and the database.

Why does it matter?
Creators may accidentally delete valuable assets or want a safety net before permanent removal. This flow reduces destructive mistakes, protects media files, and makes asset lifecycle management more trustworthy.

What’s the MVP scope?

• Soft-delete of assets into a trash state with a retention window

• Owner authorization checks for delete and purge operations

• Permanent deletion from both storage and the asset metadata table

• A typed confirmation challenge to prevent accidental destructive actions

1. USER PAIN POINT & SOLUTION

Current State (Without Feature)

Deleting an asset can feel risky because there is no strong safety net. A creator might delete something useful and have no recovery path beyond manual re-upload.

Pain Point

Emotional: Anxiety about losing uploaded media permanently
Functional: No clear recovery path and no confirmation barrier for destructive action
Business Impact: Accidental data loss, support burden, and low confidence in media management

Future State (With Feature)

Creators can move assets to trash first, recover them within a grace period, and only permanently delete them after an explicit confirmation step.

Marketing Hook

“Delete with confidence: assets are safely moved to trash first, then permanently removed only after explicit confirmation.”

2. CODEBASE ASSESSMENT

Current Implementation Status

The secure delete flow is implemented through a soft-delete route and a hard-delete/purge route, backed by the creator trash experience.

Primary Files

• app/api/creator/(background-assets)/delete-assets/route.ts

  • Soft-deletes an asset by setting deleted_at and expires_at

  • Enforces authentication and ownership checks

• app/api/creator/(background-assets)/purge-assets/route.ts

  • Permanently deletes the asset record and removes its storage file from Supabase storage

  • Also handles video thumbnail cleanup for video assets

• app/api/creator/(background-assets)/get-trash-assets/route.ts

  • Lists assets currently in the trash state for the authenticated creator

• app/api/creator/(background-assets)/restore-assets/route.ts

  • Restores a soft-deleted asset back to the active library

• components/creator/background-assets/PurgeAssetModal.tsx

  • Typed confirmation UI requiring the user to enter “DELETE”

• app/creator/trash/page.tsx

  • Trash-bin experience with restore and permanent delete actions

Current Architecture Summary

The flow is split into two steps:

1. Soft delete into trash with a 30-day retention window

2. Explicit purge from trash with a typed confirmation challenge and storage cleanup

Strengths Already Present

• Strong ownership enforcement on both delete and purge routes

• Storage cleanup is included for permanent deletion

• Trash view is available to creators

• The purge step requires explicit typed confirmation, reducing accidental deletion

Gaps / Hardening Opportunities

• The typed confirmation currently lives in the client UI; the server route still relies on the caller providing the correct asset ID and ownership context

• More audit logging around purge actions would help with support and safety review

3. 4D FRAMEWORK MAPPING

Diagnose

The feature helps creators recover from accidental or temporary asset removal by giving them a safe transition path rather than immediate irreversible deletion.

Design

The experience is designed around a two-stage lifecycle: trash first, then purge. This creates a deliberate, low-risk mental model for media management.

Develop

Creators can continue building content without worrying that an asset is permanently gone after a single click.

Deliver

Assets can be safely managed in the creator workspace and later restored or permanently removed when appropriate.

4. USER FLOWS

Entry Point

A creator is in the background asset library or trash view and chooses to delete an asset.

Success Criteria

• The asset moves to trash and is no longer treated as active

• A creator can restore it within the retention window

• A creator must confirm a second destructive action to permanently delete it

Main Flow (Happy Path)

1. Creator selects an asset and chooses to delete it

2. The API soft-deletes the asset by recording deleted_at and expires_at

3. The asset appears in the trash view with a countdown to expiry

4. Creator can restore it from trash before expiration

5. Creator can permanently delete it from trash using the confirmation modal

Edge Cases

• Unauthorized user: The route rejects the action with a 403 response

• Missing asset: The route returns 404 if the asset cannot be found

• Invalid payload: The route returns 400 for malformed input

• Storage cleanup failure: The metadata entry is still removed, but storage cleanup is logged as a warning

Decision Points

• IF the asset is soft-deleted → it is moved to trash

• IF the creator restores it → it returns to the active asset library

• IF the creator purges it → it is removed from storage and the database

5. INFORMATION ARCHITECTURE

Primary Information (Always visible)

• Asset name

• Asset type

• Days remaining before automatic expiration

• Restore and permanent delete actions

Secondary Information

• Thumbnail preview

• Upload metadata

• Trash retention countdown

Tertiary Information (Hidden until needed)

• Storage path used for cleanup

• Internal retention metadata such as expires_at

Actions

Primary CTA:

• Restore asset

Secondary Actions:

• Delete permanently

• Close modal

6. WIREFRAMES

No dedicated new screen is required for this feature. The workflow is embedded in the asset library and trash UI.

Key Screens:

1. Asset list delete action

2. Trash-bin listing of soft-deleted assets

3. Confirmation modal for permanent deletion

Annotations:

• Delete is soft by default

• Permanent delete is explicit and delayed

• The confirmation step uses the typed challenge “DELETE”

7. WIREFLOWS

Creator chooses asset → asset is soft-deleted → asset appears in trash → creator restores or permanently deletes it

8. PROTOTYPE

Excluded — feature is fully implemented

How to test:

1. Upload or select a background asset

2. Delete it from the asset library

3. Confirm it appears in the trash view

4. Restore it and confirm it returns to the library

5. Delete it permanently from trash and confirm it is removed

9. BACKEND SCHEMA

Relevant Table

The behavior relies on the asset_metadata table and its lifecycle columns such as:

• deleted_at

• expires_at

• creator_id

• file_path

• file_url

• asset_type

• file_name

Runtime Validation

The API routes use Zod validation for the incoming asset ID payload.

const SoftDeleteAssetSchema = z.object({
  asset_id: z.string().uuid("Invalid asset ID format"),
});

Constraints

• Only the asset owner can soft-delete, restore, or purge it

• Permanent deletion should only occur for assets already in the trash lifecycle

• Storage cleanup should remove the file from Supabase storage when available

10. API ENDPOINTS

Endpoint 1: DELETE /api/creator/delete-assets

Purpose: Soft-deletes an asset into trash
Auth: Required
Request Body:

{
  "asset_id": "uuid"
}

Response 200:

{
  "success": true,
  "message": "Asset moved to trash"
}

Endpoint 2: DELETE /api/creator/purge-assets

Purpose: Permanently deletes an asset from storage and the database
Auth: Required
Request Body:

{
  "asset_id": "uuid"
}

Response 200:

{
  "success": true,
  "message": "Asset permanently deleted"
}

Endpoint 3: PATCH /api/creator/restore-assets

Purpose: Restores a soft-deleted asset back to the active library
Auth: Required
Request Body:

{
  "asset_id": "uuid"
}

Endpoint 4: GET /api/creator/get-trash-assets

Purpose: Lists all assets currently in the trash for the authenticated creator
Auth: Required

11. DATA REQUIREMENTS

Frontend Needs

The UI needs to:

• Show the delete confirmation experience

• Show trash state with remaining retention time

• Allow restore and permanent deletion

• Show the typed confirmation input before purge

API Calls Frontend Will Make

• DELETE /api/creator/delete-assets

• GET /api/creator/get-trash-assets

• PATCH /api/creator/restore-assets

• DELETE /api/creator/purge-assets

Caching Strategy

No special client-side caching is required. The trash view should reflect the current server state on each refresh.

12. PERFORMANCE CONSIDERATIONS

Database Optimization

The trash list query is simple and should remain efficient with proper filtering on creator_id and deleted_at.

Storage Cleanup

Permanent delete should remove the primary storage file and, for videos, the associated thumbnail file if present.

API Response Time

The purge route should remain fast because it performs a small number of targeted storage and metadata operations.

13. SECURITY & AUTHORIZATION

Who can access this feature?

• Creator: ✓

• Reviewer: ✗

• Learner: ✗

Authorization Logic

The server routes verify that the authenticated creator owns the asset before allowing any delete, restore, or purge action.

Data Validation

• UUID validation is enforced for the asset ID

• Ownership is checked before any destructive action

• A typed confirmation challenge is used in the UI before permanent delete

14. ERROR HANDLING

Common Errors

• 400 Invalid Request: The asset ID format is invalid

• 403 Forbidden: The creator does not own the asset

• 404 Not Found: The asset cannot be found

• 500 Internal Server Error: The database or storage operation failed

Handling Guidance

• Display a user-friendly message and keep the modal open on failure

• Ensure the trash state remains consistent if a restore or purge request fails

15. TESTING CHECKLIST

Happy Path

• A creator can soft-delete an asset

• The asset appears in the trash view

• The creator can restore the asset from trash

• The creator can permanently delete the asset after confirmation

Edge Cases

• An unauthorized user cannot delete or purge another creator’s asset

• Invalid asset IDs fail with a 400 response

• Missing assets fail with a 404 response

• The typed confirmation challenge blocks accidental purge

16. OPEN QUESTIONS

For Frontend

• Should the typed confirmation challenge be enforced server-side as well, instead of only in the client UI?

• Should the purge modal include additional warnings for video assets or large files?

For Backend

• Should purge actions be auditable in a dedicated admin or support log?

• Should there be a stricter retention policy or an automated cleanup job after 30 days?

17. OUT OF SCOPE (v1.1+)

Not building in this sprint:

• A dedicated asset restore history view

• Automated purge jobs beyond the existing retention window behavior

• Bulk purge or bulk restore workflows

Why: The current scope is to ship a safe, explicit asset deletion lifecycle that protects creators from accidental loss while keeping the implementation simple.

18. SUCCESS METRICS

How will we know this feature is working well?

• Fewer accidental asset losses

• Higher restore rates for assets moved to trash

• Creators trust the delete flow enough to use it regularly

• Permanent deletion only happens after explicit user intent

19. DEPENDENCIES

This feature depends on:

• The background-assets metadata model

• Supabase storage access for file removal

• The creator authentication layer

These features depend on this:

• Trash-bin management for creator media assets

• Any future media lifecycle or retention management workflow

20. TIMELINE & OWNERSHIP

Implementation Ownership

• Owner: Joshua Uriel Tribiana

• QA: Patrick Babala