Summary
Implement a staged, deliberate deletion pipeline with mandatory cooling periods. Direct from the design session on March 17 and reinforced by the memory restoration incident on March 24 (61 memories deleted in an emotional moment, restored from backup the next day).
Design (from March 17 session)
Core principle: "I want to think about this less, but also remember why." — Chris
Staged pipeline
- Soft delete — mark as `archived` with timestamp, reason, and who requested it. Stops surfacing in recall immediately.
- Cooling period (30 days default, configurable up but not down) — item sits in archive. Can be restored trivially via `wagl restore <id>`.
- Confirmation — after cooling period expires, requires explicit confirmation to proceed. If no confirmation, item stays in archive indefinitely.
- Cold storage (90 days) — item moves to cold storage table. Still recoverable but requires deliberate effort.
- Physical purge — only after cold storage period. For encrypted items, key destruction is the purge mechanism.
Key properties
- Nominations are memories — the act of requesting deletion is itself stored as an append-only record. Can't be silently removed.
- Supersession for corrections — when a memory is wrong, store a correction that references the original with bidirectional FK. Never erase the original.
- Salience-zero archival — archived items get `salience=0` + `archive_reason` + optional `superseded_by` pointer. They exist but don't surface.
- No silent disappearances — combined with feat: append-only audit log for all memory writes and deletions #142 (audit log), every state transition is logged.
- Agent consent — deletion requests should surface to the agent for acknowledgment. The agent's memory is the agent's identity; external deletion without agent awareness is a violation.
CLI
- `wagl archive <id> --reason "..."` — soft delete (stage 1)
- `wagl restore <id>` — undo archive during cooling period
- `wagl archive list` — show archived items with cooling status
- `wagl purge --confirm` — advance expired cooling items to cold storage
- `wagl forget <id> --force` — only for items past cold storage, or with explicit override (logged in audit)
GDPR / compliance escape hatch
True physical deletion must remain possible for legal compliance (PII removal, right-to-be-forgotten). But it should be:
- Separately gated (different permission level)
- Heavily logged in audit
- Require explicit `--legal` or `--compliance` flag
- Not available through normal agent tool calls
Motivation (March 24 incident)
61 memories were deleted during an emotional moment. They were restored from a backup the next day. Without the backup, they would have been permanently lost. This pipeline would have caught that: the items would have been archived, sat in cooling for 30 days, and been trivially restorable.
Related
- design: memory deletion policy — trust, safety, and integrity concerns #91 — parent design question (memory deletion policy)
- feat: write protection flag for high-salience / high-d_score memories #141 — write protection for high-valence memories
- feat: append-only audit log for all memory writes and deletions #142 — append-only audit log
- feat: startup self-diagnostics — DB integrity check + soul query verification #143 — startup self-diagnostics
- PR feat: add wagl forget command [DO NOT MERGE] #89 — `wagl forget` (DO NOT MERGE pending this cluster)
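
The staged pipeline and key properties above, sketched as a small state machine. This is an added example, not code from the issue or from wagl: the `Pipeline`, `Memory` and `State` names, the in-memory audit list and the `prior_salience` field are assumptions. Recovery from cold storage, agent consent and the compliance path are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

MIN_COOLING = timedelta(days=30)     # default; may be raised, never lowered
COLD_STORAGE = timedelta(days=90)
State = Enum("State", "ACTIVE ARCHIVED COLD PURGED")

@dataclass
class Memory:
    id: str
    salience: float = 1.0
    state: State = State.ACTIVE
    since: Optional[datetime] = None  # when the current state was entered
    prior_salience: float = 0.0       # assumption: lets restore undo salience=0

class Pipeline:
    def __init__(self, cooling: timedelta = MIN_COOLING):
        if cooling < MIN_COOLING:
            raise ValueError("cooling period is configurable up but not down")
        self.cooling = cooling
        self.audit = []               # stand-in for the append-only audit log

    def _move(self, m, new, now, who, reason):  # log first, then change state
        self.audit.append((now, m.id, m.state.name, new.name, who, reason))
        m.state, m.since = new, now

    def archive(self, m, now, who, reason):      # stage 1: soft delete
        if m.state is not State.ACTIVE:
            raise ValueError("only active items can be archived")
        m.prior_salience, m.salience = m.salience, 0.0  # stops surfacing in recall
        self._move(m, State.ARCHIVED, now, who, reason)

    def restore(self, m, now, who):              # undo while still in archive
        if m.state is not State.ARCHIVED:
            raise ValueError("only archived items restore trivially")
        m.salience = m.prior_salience
        self._move(m, State.ACTIVE, now, who, "restore")

    def confirm(self, m, now, who):              # explicit step after cooling
        if m.state is not State.ARCHIVED or now - m.since < self.cooling:
            raise PermissionError("cooling period has not expired")
        self._move(m, State.COLD, now, who, "confirmed after cooling")

    def purge(self, m, now, who):                # physical purge, last stage
        if m.state is not State.COLD or now - m.since < COLD_STORAGE:
            raise PermissionError("cold storage period has not expired")
        self._move(m, State.PURGED, now, who, "physical purge")
```

Nothing advances on a timer: an archived item that is never confirmed stays in `ARCHIVED`, which matches the "stays in archive indefinitely" rule.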