destroy --purge: also wipe agent state dirs

new --purge flag on the destroy verb (cli + admin socket + dashboard). default destroy still keeps /var/lib/hyperhive/{agents,applied}/<name>/ so recreating with the same name reuses prior config + creds. with --purge, both dirs go too (config history, claude creds, /state/ notes). no undo. dashboard adds a separate PURG3 button with an explicit confirmation copy; the existing DESTR0Y button keeps the soft semantics. claude.md dashboard-action-surface section updated; todo entry dropped.
2026-05-15 19:29:14 +02:00 · 2026-05-15 19:29:14 +02:00 · 48ebfefd1a
commit 48ebfefd1a
parent 8d3df656de
8 changed files with 78 additions and 28 deletions
--- a/hive-c0re/src/actions.rs
+++ b/hive-c0re/src/actions.rs
@ -132,22 +132,40 @@ fn finish_approval(
 /// kept, so recreating an agent of the same name reuses prior config + creds
 /// (no re-login). The ephemeral runtime dir under `/run/hyperhive/agents/`
 /// is cleared because its contents (the mcp socket) don't survive restarts
-/// anyway. A future `--purge` path can wipe state when the operator opts in.
+/// anyway. With `purge=true` the persistent trees are also wiped — config
+/// history, claude creds, notes — there is no undo.
 /// Refuses the manager (declarative; would fight with the host's nixos config).
-pub async fn destroy(coord: &Coordinator, name: &str) -> Result<()> {
+pub async fn destroy(coord: &Coordinator, name: &str, purge: bool) -> Result<()> {
    if name == MANAGER_NAME || name == MANAGER_AGENT {
        bail!("refusing to destroy the manager ({name})");
    }
-    tracing::info!(%name, "destroy");
+    tracing::info!(%name, purge, "destroy");
    lifecycle::destroy(name).await?;
    coord.unregister_agent(name);
    let runtime = Coordinator::agent_dir(name);
    if runtime.exists() {
        let _ = std::fs::remove_dir_all(&runtime);
    }
-    let _ = coord
-        .approvals
-        .fail_pending_for_agent(name, "agent destroyed");
+    if purge {
+        for dir in [
+            Coordinator::agent_state_root(name),
+            Coordinator::agent_applied_dir(name),
+        ] {
+            if dir.exists()
+                && let Err(e) = std::fs::remove_dir_all(&dir)
+            {
+                tracing::warn!(error = ?e, dir = %dir.display(), "purge: remove failed");
+            }
+        }
+    }
+    let _ = coord.approvals.fail_pending_for_agent(
+        name,
+        if purge {
+            "agent purged"
+        } else {
+            "agent destroyed"
+        },
+    );
    coord.notify_manager(&HelperEvent::Destroyed {
        agent: name.to_owned(),
    });