Skip to content

[Phase 1.4.2] Add session TTL and auto-expiry #24

Open
#32
Open
[Phase 1.4.2] Add session TTL and auto-expiry#24
#32
@richard-devbot

Description

@richard-devbot
richard-devbot
opened on Mar 29, 2026

Phase

Phase 1 — Critical Security | Track 1.4 — Resource Controls | Priority: P1 MEDIUM

Problem

CWE: CWE-613 — Insufficient Session Expiration

Sessions persist indefinitely in plaintext JSONL files. No TTL, no expiry, no cleanup. This means:

  • Sensitive conversation data accumulates forever
  • Stale sessions consume disk space
  • No way to force re-authentication

Fix

  • Add configurable session TTL (default: 24 hours)
  • Auto-expire sessions older than TTL on next access
  • Add `session.cleanup()` method for manual purge
  • Option for encrypted-at-rest sessions (AES-256, key from env var)
  • Config: `"session": {"ttl_hours": 24, "encrypt": false}`

Acceptance Criteria

  • Session TTL configurable in config.json
  • Expired sessions automatically cleaned up
  • Manual cleanup method available
  • Optional encryption at rest
  • Tests for: TTL enforcement, cleanup, encryption round-trip

References

  • CWE-613
  • Design Doc: docs/plans/2026-03-29-security-ai-guardrails-performance-design.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions