HYPERFLEET-895 - feat: Add force delete design

[pnguyen44]

Summary

Jira ticket

Design document for the force deletion mechanism. Force delete is a synchronous, admin-only API action that hard-deletes resources stuck in Finalizing, bypassing the Reconciled=True gate.

Covers:

• API contract and response codes
• Cascade semantics for resource and subresource deletion
• Sentinel stuck detection via Prometheus metrics
• Audit logging
• Rejected alternatives with rationale

Summary by CodeRabbit

• Documentation
  • Added Force Deletion Design specification for admin-only recovery of resources stuck in deletion state, including new API endpoints and audit logging requirements
  • Updated related design documents with force deletion references
  • Added Architecture Decision Record defining force deletion scope and trade-offs

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This pull request introduces documentation and architectural decisions for a force-deletion feature in HyperFleet. It adds a comprehensive design specification for admin-only synchronous force-delete endpoints that allow recovery of resources stuck in Finalizing state. The design specifies database-level hard deletion with cascade semantics, validation requirements, audit logging, and error handling. An accompanying ADR establishes that force deletion operates only at the database level without performing adapter-managed infrastructure cleanup. References to the force-deletion design are updated in three related documentation files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary change: adding force delete design documentation. It is specific, concise, and directly related to all the changeset modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hyperfleet/docs/force-deletion-design.md`:
- Around line 72-78: Add "500 Internal Server Error: delete failed due to
unexpected server error" to the Response codes list in the "Response codes:"
block so it matches the sequence diagram's error case; update the Response codes
section (the list currently containing 204, 403, 404, 409) to include the 500
entry and ensure the phrasing mirrors the sequence diagram's "500 Internal
Server Error" wording for consistency.
- Around line 83-86: The Database Impact section currently references the Hard
Delete Design but doesn't explicitly state that force delete uses the identical
bottom-up deletion ordering; update the prose under "Database Impact" (and/or
the "Force delete" description) to explicitly confirm that force delete performs
the same bottom-up ordering as normal hard-delete (e.g., nodepools before
clusters, child resources before parents) despite bypassing the Reconciled=True
gate, and add a short example or clause referencing the Hard Delete Design to
make the guarantee clear.
- Around line 68-79: Mark the missing authz middleware as a hard blocker for the
force-delete feature and update the design to require authz middleware be
implemented and enabled before any force-delete route is added; specifically
note in the document that routes.go's TODO for authz must be completed and
deployment must be gated (either via CI check, feature-flag, or a runtime
startup validation) so the force-delete endpoint cannot be active until authz is
registered, and ensure the handler that performs the force delete only accepts
requests when the resource is in Finalizing (deleted_time set).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: a29836ee-e833-4547-b7a0-e48699fd4528

📥 Commits

Reviewing files that changed from the base of the PR and between 3869e40 and 506cc90.

📒 Files selected for processing (1)

• hyperfleet/docs/force-deletion-design.md

[ciaranRoche]

Nice work, just a small piece of house keeping, i think there is some reference in the existing delete docs to force deletion having a separate spike, so might be worth updating and linking to this doc 🙏

[rh-amarin]

I think it should be enough having the special /force-delete endpoint to control the access to this functionality.

I still think of it as a valid operation on a versioned API resource.

I just want to have more opinions here

[pnguyen44]

Fair point. I went with /admin/ to make privileged operations structurally distinct at the URL level, but I agree it could live under the versioned path too. Happy to go either way if there's a team preference.

[rafabene]

Do we plan to send a payload where the version of it is controlled?

[pnguyen44]

The payload is minimal (just a reason string in, 204 out), so nothing to version today. I could see it going either way. What's your preference?

[rafabene]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rafabene]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment