You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -111,7 +124,7 @@ Several use cases have been identified:
111
124
112
125
### Configurable idle TTL enforcement
113
126
114
-
- An admin sets an idle timeout (e.g., 30 minutes) for a tenant.
127
+
- An administrator sets an idle timeout (e.g., 30 minutes) for a tenant.
115
128
- When a conversation is inactive longer than the TTL, the system automatically deletes it from every configured persistence layer.
116
129
117
130
### Active session usability preserved
@@ -303,7 +316,73 @@ have to be persisted - it will be recreated after LCore restart.
303
316
| database_reconnection_count | integer | Database reconnection count on startup. When database with conversations is not available on startup, the service tries to reconnect N times with specified delay. |
304
317
| database_reconnection_delay | integer | Database reconnection delay specified in seconds. When database with conversations is not available on startup, the service tries to reconnect N times with specified delay. |
305
318
306
-
"2 days 5 hours"
319
+
The `minimal_retention_time` is written in a human readable format, for example:
320
+
321
+
```
322
+
2 days 5 hours
323
+
600 minutes
324
+
```
325
+
326
+
etc.
327
+
328
+
### Conclusion
329
+
330
+
In conclusion, the runner-based approach was selected because it is consistent
331
+
with the system’s current background job architecture, can be implemented using
332
+
the existing schema with limited or no disruptive changes, and provides
333
+
predictable, policy-aligned deletion behavior. This minimizes integration risk
334
+
and avoids shifting cleanup work into the critical request path, while still
335
+
allowing performance safeguards through indexing and controlled execution.
336
+
337
+
## Audit log
338
+
339
+
### Requirements for audit log
340
+
341
+
Audit logging is needed for conversation deletion because deleting
342
+
user-generated conversational data is a high-impact, policy-driven operation
343
+
that must be transparent, traceable, and verifiable.
344
+
345
+
### Security reviews
346
+
347
+
First, audit logs provide evidence for compliance and security reviews. When
348
+
deletion is triggered automatically (for example by an idle TTL/retention
349
+
policy), the audit entry records that the system enforced the configured
350
+
policy, including when the deletion happened, which conversation was affected,
351
+
and the reason code (e.g., “idle TTL expired” vs “manual deletion”). This
352
+
enables auditors to confirm that stale data is not retained longer than
353
+
intended.
354
+
355
+
### Operational troubleshooting
356
+
357
+
Second, audit logs support operational troubleshooting. Conversation deletion
358
+
may touch multiple persistence layers (primary storage, caches, indexes,
359
+
derived artifacts). If a later inconsistency occurs—such as a conversation
360
+
still appearing in a UI, search results, or a downstream index—audit records
361
+
help identify the exact cleanup run, the deletion path taken, and the decision
362
+
timing. This makes it far easier to diagnose whether the issue is due to missed
363
+
propagation, temporary failures, or a race condition.
364
+
365
+
### Accountability and governance
366
+
367
+
Third, audit logs improve accountability and governance. Manual REST deletions
368
+
should be attributable to a caller or request context, while automatic
369
+
deletions should be attributable to the lifecycle/cleanup subsystem and its
370
+
configuration state. Recording both types of events provides a complete
371
+
narrative of “what happened” and “what triggered it,” which is important for
372
+
incident response and for change control when retention settings are modified.
373
+
374
+
### Correctness
375
+
376
+
Fourth, audit logs help ensure correctness in edge cases. TTL-based cleanup can
377
+
be affected by near-boundary timing, concurrent activity, retries, and partial
378
+
failures. Having a durable audit trail makes it possible to confirm that the
379
+
system applied idle semantics correctly (e.g., did not delete a conversation
380
+
that received new activity just before TTL expiry) and that retries did not
381
+
accidentally reprocess or resurrect data.
382
+
383
+
Overall, audit logging turns deletion from a silent background action into an
384
+
observable, reviewable workflow—critical for both meeting retention
385
+
expectations and maintaining confidence in the system’s behavior over time.
307
386
308
387
## Performance impact
309
388
@@ -343,27 +422,61 @@ does not exceed 1% under representative production-like workloads.
343
422
344
423
## Requirements
345
424
425
+
Different part of source code need to be updated:
426
+
427
+
1. New runner need to be added
428
+
1. Existing database schema need to be altered
429
+
1. New table for audit log need to be added
430
+
346
431
# Architecture
347
432
348
433
## Trigger mechanism
349
434
435
+
The runner will trigger the conversation deletion subroutines in a timely
436
+
manner, driven by a configurable `period` option. That period defines how often
437
+
the runner wakes up to evaluate which conversations are eligible for cleanup
438
+
(for example, based on idle time exceeding the configured TTL), and then
439
+
initiates the appropriate deletion workflow.
440
+
441
+
When the configured period elapses, the runner executes its selection logic,
442
+
processes eligible conversations (typically in controlled batches), and calls
443
+
the underlying deletion subroutines for each candidate. After completing the
444
+
current cycle, the runner waits until the next scheduled period before
445
+
repeating the process. This ensures deletion is performed predictably according
446
+
to configuration, while avoiding unnecessary database load from overly frequent
447
+
scans.
448
+
449
+
A very similar mechanism is already implemented in the quota handler. The quota
450
+
handler runs as a background component that periodically wakes up based on
451
+
configuration, evaluates what work is due (for example, quota items or
452
+
scheduled quota updates), and then executes the corresponding operations in a
453
+
loop. This includes controlled batching to limit load, and it relies on the
454
+
same overall runner lifecycle pattern used elsewhere in the system (start,
455
+
periodic execution, and graceful shutdown).
456
+
457
+
Because the quota handler already solves the problem of “run scheduled work
458
+
reliably without impacting request latency,” the conversation cleanup runner
459
+
can reuse the same implementation approach: a configurable schedule/period, a
460
+
loop-driven execution model, and consistent error handling and backoff
0 commit comments