bat-bs · robflowk · Mar 5, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026
diff --git a/apiproxy/validateToken.go b/apiproxy/validateToken.go
@@ -14,6 +14,9 @@ import (
 func CompareToken(hashes []db.ApiKey, apiKey string) (string, error) {
 
 	for _, hash := range hashes {
+		if hash.Deactivated {
+			continue
+		}
 		err := bcrypt.CompareHashAndPassword([]byte(hash.ApiKey), []byte(apiKey))
 		// log.Printf("Compared %s with %s", apiKey, hash.ApiKey)
 		if err == nil {

diff --git a/apiproxy/validateToken_test.go b/apiproxy/validateToken_test.go
@@ -0,0 +1,58 @@
+package apiproxy
+
+import (
+	"testing"
+
+	db "openai-api-proxy/db"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+func mustHash(t *testing.T, plain string) string {
+	t.Helper()
+	hash, err := bcrypt.GenerateFromPassword([]byte(plain), bcrypt.MinCost)
+	if err != nil {
+		t.Fatalf("failed to hash token: %v", err)
+	}
+	return string(hash)
+}
+
+func TestCompareToken_IgnoresDeactivatedKeys(t *testing.T) {
+	activeToken := "active-secret"
+	deactivatedToken := "deactivated-secret"
+
+	keys := []db.ApiKey{
+		{
+			UUID:        "dead-key",
+			ApiKey:      mustHash(t, deactivatedToken),
+			Deactivated: true,
+		},
+		{
+			UUID:        "active-key",
+			ApiKey:      mustHash(t, activeToken),
+			Deactivated: false,
+		},
+	}
+
+	if got, err := CompareToken(keys, activeToken); err != nil || got != "active-key" {
+		t.Fatalf("expected active key to validate, got uuid=%q err=%v", got, err)
+	}
+
+	if got, err := CompareToken(keys, deactivatedToken); err == nil {
+		t.Fatalf("expected deactivated key to be rejected, got uuid=%q", got)
+	}
+}
+
+func TestCompareToken_AllDeactivatedRejected(t *testing.T) {
+	keys := []db.ApiKey{
+		{
+			UUID:        "dead-1",
+			ApiKey:      mustHash(t, "dead-secret"),
+			Deactivated: true,
+		},
+	}
+
+	if got, err := CompareToken(keys, "dead-secret"); err == nil {
+		t.Fatalf("expected deactivated key to be rejected, got uuid=%q", got)
+	}
+}
diff --git a/app/AGENTS.md b/app/AGENTS.md
@@ -1,3 +1,5 @@
 Always run `npm run typecheck` after making changes that affect TypeScript types.
 Always run `npm run check:write` to auto-fix Biome issues and surface remaining errors.
 Always run `npm run build` when finishing a feature to do a final check.
+Always add new feature entries to `app/RELEASE_NOTES.md`.
+When finishing a feature, ask the user whether a new version should be added to `app/RELEASE_NOTES.md`.
diff --git a/app/RELEASE_NOTES.md b/app/RELEASE_NOTES.md
@@ -0,0 +1,4 @@
+# Release Notes
+
+## 0.1.0 - 2026-03-04
+- Initial release notes tracking.
diff --git a/app/drizzle/schema.ts b/app/drizzle/schema.ts
@@ -85,6 +85,7 @@ export const apikeys = pgTable(
 		owner: varchar({ length: 255 }).notNull(),
 		aiapi: varchar({ length: 255 }),
 		description: varchar({ length: 255 }),
+		deactivated: boolean("deactivated").default(false).notNull(),
 	},
 	(table) => [
 		foreignKey({