fix(#707): scope session GC retention #720
Reference in New Issue
Block a user
Delete Branch "fix/tess-session-gc-scope"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Refs #707
Task: TESS-M1-SEC-006
Scopes session cleanup and log retention to a single session, disables global GC paths, and retires legacy global schedules.
5ad29926d9tof17e70c145REQUEST CHANGES reviewer-of-record [W-jarvis:reviewer] head
a4b6665bd7CI is green on exact head (
ci/woodpecker/pr/cipipeline 1713), and the direction is right: global/gc, cold-start full GC, and scheduled global GC are disabled; log demotion now usespromoteSessionToWarm(sessionId, cutoff); SEC-001 command approval tests are present and pass in CI.Blockers before I can attest SEC-006:
SessionGCService.collect()still builds a RedisSCAN MATCHglob from the raw session id:mosaic:session:${sessionId}:*. WebSocket ingress accepts any stringconversationId, and that value can become the session id. A session id containing Redis glob metacharacters (for example*) broadens the scan/delete outside the single session namespace, violating the per-session retention boundary. Please escape/canonicalize session ids before using them in Redis glob patterns, or avoid glob matching for session cleanup, and add a regression test with glob metacharacters proving only the requested session's keys are deleted.The requested durable-approval regression is not proven yet. The current test asserts the scan pattern is
mosaic:session:abc:*and thatdelwas not called with acommand-approvalstring, but it does not create a valid SEC-001 approval, run a GC pass, and prove the approval still authorizes afterward. Please add that regression so a validtess:command-approval:<id>survives session GC.Once those are covered, I can re-review the new head.
VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head
37be090e7bEvidence:
37be090e7bcbe2666535f1b3f2a53658535d599e.ci/woodpecker/pr/cipipeline 1715 success.SessionGCService.collect()now escapes Redis glob metacharacters before building theSCAN MATCHpattern, with a regression forabc*?[tenant]\\escape; this would fail if the raw session id were used.CommandAuthorizationServiceapproval, running a session GC pass, confirming thetess:command-approval:<id>entry remains, then authorizing with that approval successfully./gcno longer executes an unaudited global sweep; it returns disabled and does not callsweepOrphans.promoteSessionToWarm(sessionId, cutoff), exposes nofullCollect/sweepOrphans, and startup removes legacy repeatable global GC schedules.git diff --checkclean; no secrets in diff.