
feat: monitoring retention policy and ingest hardening (#540, #543)#739

Open
2witstudios wants to merge 3 commits into master from ppg/monitoring-hardening

Conversation

@2witstudios
Owner

Summary

  • Retention policies for monitoring tables that previously grew unbounded: api_metrics 90d, system_logs 30d, security_audit_log 365d — configurable via RETENTION_*_DAYS env vars
  • Ingest hardening with PII redaction (query params stripped from stored URLs), payload sanitization (truncation, clamping), and graceful degradation for missing MONITORING_INGEST_KEY
  • Integrated monitoring cleanup into existing runRetentionCleanup pipeline

Changes

  • packages/lib/src/compliance/retention/monitoring-retention.ts — new retention cleanup functions
  • apps/web/src/lib/monitoring/ingest-sanitizer.ts — URL redaction, payload sanitization
  • apps/web/src/middleware/monitoring.ts — apply endpoint sanitization, remove query from payloads
  • apps/web/src/app/api/internal/monitoring/ingest/route.ts — apply sanitizer, improve missing key handling

Test plan

  • Retention config defaults (90d/30d/365d) verified
  • Env var override and invalid value fallback tested
  • Query params redacted from URLs
  • Payload fields truncated/clamped
  • Missing MONITORING_INGEST_KEY warns instead of errors
  • 34 new unit tests passing (13 retention + 21 ingest sanitizer)
  • Existing monitoring tests unaffected (7 passing)

🤖 Generated with Claude Code
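The URL redaction and payload sanitization listed in the Summary, as an added example that is not the PR's own ingest-sanitizer.ts: the field names (endpoint, error, stack, userAgent, duration, query) come from the description above, while the length and duration caps and the allowlist-copy approach are assumptions.

```typescript
// Added example, not the PR's ingest-sanitizer.ts. Field names follow the PR
// summary; the caps below are assumed values, not the project's.
const MAX_TEXT_LEN = 2048;          // assumed cap for error/stack text
const MAX_DURATION_MS = 3_600_000;  // assumed cap: one hour

interface IngestPayload {
  endpoint: string;
  method: string;
  status: number;
  duration: number;
  error?: string;
  stack?: string;
  userAgent?: string;
}

// Drop the query string and fragment so values such as ?email=... or
// ?token=... are never persisted; path-only endpoints pass through unchanged.
function redactUrl(raw: string): string {
  const cut = raw.search(/[?#]/);
  return cut === -1 ? raw : raw.slice(0, cut);
}

// Non-strings are dropped; long strings are cut so one stack trace cannot
// bloat a row or overrun a column limit.
function truncate(value: unknown, max = MAX_TEXT_LEN): string | undefined {
  if (typeof value !== 'string') return undefined;
  return value.length > max ? value.slice(0, max) : value;
}

// NaN, negative or absurd durations become 0 or the cap rather than
// poisoning latency percentiles.
function clampDuration(value: unknown): number {
  const n = typeof value === 'number' ? value : Number(value);
  if (!Number.isFinite(n) || n < 0) return 0;
  return Math.min(Math.round(n), MAX_DURATION_MS);
}

// Allowlist copy: unknown keys, including `query`, are never carried through.
function sanitizeIngestPayload(input: unknown): IngestPayload | null {
  if (typeof input !== 'object' || input === null) return null;
  const p = input as Record<string, unknown>;
  if (typeof p.endpoint !== 'string' || p.endpoint.length === 0) return null;
  const status = Number(p.status);
  return {
    endpoint: redactUrl(p.endpoint),
    method: typeof p.method === 'string' ? p.method.toUpperCase().slice(0, 10) : 'GET',
    status: Number.isInteger(status) && status >= 100 && status <= 599 ? status : 0,
    duration: clampDuration(p.duration),
    error: truncate(p.error),
    stack: truncate(p.stack),
    userAgent: truncate(p.userAgent, 512),
  };
}
```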

2witstudios and others added 2 commits February 27, 2026 22:53
… security_audit_log (#540)

Add time-based retention cleanup for monitoring tables that previously
grew unbounded. Defaults: api_metrics 90d, system_logs 30d,
security_audit_log 365d. Configurable via RETENTION_*_DAYS env vars.
Integrated into existing runRetentionCleanup pipeline.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ation (#543)

Redact query parameters from URLs before storage in api_metrics and
system_logs. Sanitize ingest payloads (truncate error/stack/userAgent,
clamp duration, strip query field). Downgrade missing MONITORING_INGEST_KEY
from error to warning for graceful degradation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai bot commented Feb 28, 2026

Warning

Rate limit exceeded

@2witstudios has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 35 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between afb36e6 and 029a245.

📒 Files selected for processing (9)
  • apps/web/src/app/api/internal/monitoring/ingest/route.ts
  • apps/web/src/lib/monitoring/__tests__/ingest-sanitizer.test.ts
  • apps/web/src/lib/monitoring/ingest-sanitizer.ts
  • apps/web/src/middleware/monitoring.ts
  • packages/lib/package.json
  • packages/lib/src/compliance/retention/monitoring-retention.test.ts
  • packages/lib/src/compliance/retention/monitoring-retention.ts
  • packages/lib/src/compliance/retention/retention-engine.test.ts
  • packages/lib/src/compliance/retention/retention-engine.ts

The runRetentionCleanup function now returns 12 results (9 original +
3 monitoring tables) after integrating monitoring retention cleanup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>