feat: DELETE /transcripts/{filename} — delete transcript with path-confinement check

api/router.py

@@ -134,6 +134,18 @@ async def get_transcript(filename: str, user: dict = Depends(current_user)):
     return PlainTextResponse(content)
 
 
+@router.delete("/transcripts/{filename}")
+async def delete_transcript(filename: str, user: dict = Depends(current_user)):
+    user_dir = os.path.join(user["output_dir"], user["username"])
+    if os.path.basename(filename) != filename or not filename.endswith(".md"):
+        raise HTTPException(status_code=404, detail="Nicht gefunden")
+    path = os.path.join(user_dir, filename)
+    if not os.path.exists(path):
+        raise HTTPException(status_code=404, detail="Nicht gefunden")
+    os.unlink(path)
+    return {"ok": True}
+
+
 @router.get("/config")
 async def get_config(user: dict = Depends(current_user)):
     return load_config()

tests/test_api.py

@@ -69,6 +69,21 @@ def test_get_transcript_rejects_path_traversal(tmp_path):
     assert r.status_code == 404
 
 
+def test_delete_transcript_removes_file(tmp_path):
+    f = tmp_path / "2026-01-01-0900-test.md"
+    f.write_text("content")
+    client = TestClient(make_app_for_dir(str(tmp_path)))
+    r = client.delete("/transcripts/2026-01-01-0900-test.md")
+    assert r.status_code == 200
+    assert not f.exists()
+
+
+def test_delete_transcript_rejects_path_traversal(tmp_path):
+    client = TestClient(make_app_for_dir(str(tmp_path)))
+    r = client.delete("/transcripts/..%2Fsecret.md")
+    assert r.status_code == 404
+
+
 def test_login_rejects_wrong_credentials():
     import tempfile, os
     from unittest.mock import patch