Lethe Delete · for AI agents (M2M)

An agent can run the deletion — and verify the proof — itself

Lethe Delete ships an MCP server so an autonomous agent can execute a data-subject deletion end-to-end and verify the signed certificate machine-to-machine. The destructive step is two-step and fails closed; verifying a certificate needs zero infrastructure.

Two things an agent does

1. Verify a certificate — zero infra. Given a signed deletion certificate and the operator's published public key, any agent can confirm it's authentic and unaltered, with no database. An unpinned check only proves self-consistency, so the pin is mandatory. Try it on three live certs →

2. Run a deletion end-to-end. With a configured store, an agent previews the blast radius, runs the forget behind a single-use confirm token, and gets the certificate back.

The MCP tools

The server runs over stdio (there is no remote/HTTP MCP today). Six tools:

ToolWhat it does
lethe_statusHealth + mode (full vs verify-only) + cert schema version.
lethe_tagTag a record to its data subject on write, so a later forget can find it.
lethe_forget_previewRead-only blast radius: what a forget would delete, per layer — plus a single-use confirm token.
lethe_forgetThe destructive step. Runs only if the data still matches the preview the token was minted for; a stale or wrong-subject token fails closed.
lethe_verify_subjectRead-only check of whether a subject's records are currently absent, per layer.
lethe_verify_certificateVerify a signed certificate against a pinned public key. Works in verify-only mode with no database.

The two-step guard (why a hallucinated id can't delete the wrong person)

Deletion is irreversible, so lethe_forget is never a one-shot. lethe_forget_preview returns the exact records in scope and a single-use token bound to that snapshot; lethe_forget only proceeds if the data still matches. A stale token, a changed blast radius, or a wrong-subject id all fail closed rather than deleting something unintended.

What the certificate gives an agent back

A lethe.cert/2 payload the agent can read and reason over:

FieldMeaning
declared_scopeThe stores that were in scope — so the agent can infer what was not checked.
residual_countRecords the post-delete re-query still found (0 backs the absence claim).
verify_methodThe exact query behind each verified-absent claim.
valid_untilFreshness bound — re-verify past it; a deletion cert is not eternal.

Wire it up

pip install "lethe-delete[mcp]"

# verify-only server (no DB) — for an agent that only checks certs
LETHE_TRUSTED_PUBLIC_KEY=<operator pubkey> lethe-mcp

# or verify a cert directly
lethe verify cert.json --public-key <operator pubkey>
Honest scope. A certificate proves absence from the configured retrieval layers at issue time — not backups, model weights, or read replicas; for eventually-consistent stores (e.g. Pinecone) it reflects the configured endpoint at issue time, not every replica. MCP is stdio-only today. A self-signed certificate proves self-consistency; independent third-party attestation is a separate layer.