fix(#707): scope session GC retention
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful

This commit is contained in:
Jarvis
2026-07-12 15:57:09 -05:00
parent ca9c2b5c23
commit 5ad29926d9
9 changed files with 100 additions and 174 deletions

View File

@@ -301,6 +301,10 @@ Each OIDC provider requires its client ID, client secret, and issuer URL togethe
| `TELEGRAM_BOT_TOKEN` | Telegram bot token (enables Telegram plugin) |
| `TELEGRAM_GATEWAY_URL` | Gateway URL for Telegram plugin to call |
### Session retention and garbage collection
Session cleanup is scoped to one session identifier and only removes that session's Valkey keys and demotes that session's hot logs. Gateway startup and scheduled jobs do not perform global session cleanup; startup removes legacy repeatable `session-gc` schedules created by older deployments. The `/gc` command is intentionally disabled until a distinct global-retention job supplies explicit authorization and audit evidence. This prevents one tenant or session's cleanup from changing another's retained data.
### Observability
| Variable | Default | Description |

View File

@@ -0,0 +1,22 @@
# Scratchpad — TESS-M1-SEC-006 Session GC scope
- **Task / issue:** TESS-M1-SEC-006 / #707
- **Branch:** `fix/tess-session-gc-scope` from `origin/main` at `59e49cfd`
- **Objective:** Make session cleanup session-scoped and prevent automatic global retention/GC without an authorized, auditable operation.
- **Scope:** `apps/gateway`, `packages/log`, admin/developer operations documentation.
- **Budget:** Task estimate 18K; no explicit hard cap supplied.
- **Assumption:** No authorized global retention service exists today. Existing full/sweep GC must therefore be disabled from startup and cron paths, while single-session cleanup remains available.
## Plan
1. Add failing isolation tests proving single-session cleanup only demotes its own logs and automatic startup/scheduled GC cannot globally delete session data.
2. Add session-scoped log repository retention and make `collect(sessionId)` use it.
3. Remove automatic full/sweep GC invocation; preserve any future global operation behind an explicit authorization/audit seam.
4. Document the operational boundary, run gates, review, and commit without push.
## Verification evidence
- Isolation TDD: `pnpm --filter @mosaicstack/gateway test -- session-gc.service.spec.ts commands.integration.spec.ts command-executor-p8012.spec.ts` — 61 passed.
- `pnpm typecheck` — passed.
- `pnpm lint` — passed.
- `pnpm format:check` remains red only on the known pre-existing Tess documentation debt; changed files are Prettier-clean.