Lethe Delete ships an MCP server so an autonomous agent can execute a data-subject deletion end-to-end and verify the signed certificate machine-to-machine. The destructive step is two-step and fails closed; verifying a certificate needs zero infrastructure.
1. Verify a certificate — zero infra. Given a signed deletion certificate and the operator's published public key, any agent can confirm it's authentic and unaltered, with no database. An unpinned check only proves self-consistency, so the pin is mandatory. Try it on three live certs →
2. Run a deletion end-to-end. With a configured store, an agent previews the blast radius, runs the forget behind a single-use confirm token, and gets the certificate back.
The server runs over stdio (there is no remote/HTTP MCP today). Six tools:
| Tool | What it does |
|---|---|
lethe_status | Health + mode (full vs verify-only) + cert schema version. |
lethe_tag | Tag a record to its data subject on write, so a later forget can find it. |
lethe_forget_preview | Read-only blast radius: what a forget would delete, per layer — plus a single-use confirm token. |
lethe_forget | The destructive step. Runs only if the data still matches the preview the token was minted for; a stale or wrong-subject token fails closed. |
lethe_verify_subject | Read-only check of whether a subject's records are currently absent, per layer. |
lethe_verify_certificate | Verify a signed certificate against a pinned public key. Works in verify-only mode with no database. |
Deletion is irreversible, so lethe_forget is never a one-shot. lethe_forget_preview returns the exact records in scope and a single-use token bound to that snapshot; lethe_forget only proceeds if the data still matches. A stale token, a changed blast radius, or a wrong-subject id all fail closed rather than deleting something unintended.
A lethe.cert/2 payload the agent can read and reason over:
| Field | Meaning |
|---|---|
declared_scope | The stores that were in scope — so the agent can infer what was not checked. |
residual_count | Records the post-delete re-query still found (0 backs the absence claim). |
verify_method | The exact query behind each verified-absent claim. |
valid_until | Freshness bound — re-verify past it; a deletion cert is not eternal. |
pip install "lethe-delete[mcp]" # verify-only server (no DB) — for an agent that only checks certs LETHE_TRUSTED_PUBLIC_KEY=<operator pubkey> lethe-mcp # or verify a cert directly lethe verify cert.json --public-key <operator pubkey>