Skip to main content

Audit archival (future)

Status: target, not shipped

The audit service itself is in production today — both write paths and the dual-identity audit record shape are shipped. What's not shipped is the long-horizon retention: events expire after 24 hours via a TTL index. Replacing the TTL with Atlas Online Archive is tracked under WEN-992 / OpenSpec proposal add-audit-archival.

Atlas Online Archive replaces the 24-hour TTL

Today: The two-tier audit service writes sensitive events synchronously and routine events asynchronously through an SQS-backed queue. Events persist to a single MongoDB collection with a 24-hour TTL index. See Current state → Audit and observability for the shipped pipeline. Within the 24-hour window, audit response works correctly — actor and target identities are recorded, write durability matches the sensitivity tier, queries return current events. Outside it, the records are gone.

Target: Replace the TTL index with MongoDB Atlas Online Archive:

  • Recent events (last N days; N tuned to query patterns) stay in the live audit_events collection
  • Older events migrate to Atlas Online Archive's federated storage tier
  • Queries spanning the archive boundary union live + archive transparently
  • Total retention extends to 1+ years (the SOC 2 compliance target)

This is a configuration change at the persistence boundary, not a code change. The audit collection schema and the AuditService public API stay the same; only the lifecycle policy on the collection changes.

Open:

  • Atlas Online Archive provisioning (cost + ops involvement)
  • Query-pattern characterization to set the live-collection cutoff
  • A documented backfill path for any 24-hour-window data that pre-dated the cutover (or an explicit acceptance that pre-cutover data is unrecoverable)

None of these are technical risk; they are organizational sequencing. The shipped audit service is already SOC 2-correct for the writing — this work extends the retention boundary to match.

Tracking: WEN-992. OpenSpec: openspec/changes/add-audit-archival/{proposal,design,tasks}.md.

Operational implication during the gap

Until WEN-992 ships, audit events older than 24 hours are unavailable. Incident response within the 24-hour window is supported; compliance-audit response for older events is not. Treat the gap accordingly.