Audit archival (future)
The audit service itself is in production today — both write paths and the dual-identity audit record shape are shipped. What's not shipped is the long-horizon retention: events expire after 24 hours via a TTL index. Replacing the TTL with Atlas Online Archive is tracked under WEN-992 / OpenSpec proposal add-audit-archival.
Atlas Online Archive replaces the 24-hour TTL
Today: The two-tier audit service writes sensitive events synchronously and routine events asynchronously through an SQS-backed queue. Events persist to a single MongoDB collection with a 24-hour TTL index. See Current state → Audit and observability for the shipped pipeline. Within the 24-hour window, audit response works correctly — actor and target identities are recorded, write durability matches the sensitivity tier, queries return current events. Outside it, the records are gone.
Target: Replace the TTL index with MongoDB Atlas Online Archive:
- Recent events (last N days; N tuned to query patterns) stay in the live
audit_eventscollection - Older events migrate to Atlas Online Archive's federated storage tier
- Queries spanning the archive boundary union live + archive transparently
- Total retention extends to 1+ years (the SOC 2 compliance target)
This is a configuration change at the persistence boundary, not a code change. The audit collection schema and the AuditService public API stay the same; only the lifecycle policy on the collection changes.
Open:
- Atlas Online Archive provisioning (cost + ops involvement)
- Query-pattern characterization to set the live-collection cutoff
- A documented backfill path for any 24-hour-window data that pre-dated the cutover (or an explicit acceptance that pre-cutover data is unrecoverable)
None of these are technical risk; they are organizational sequencing. The shipped audit service is already SOC 2-correct for the writing — this work extends the retention boundary to match.
Tracking: WEN-992. OpenSpec: openspec/changes/add-audit-archival/{proposal,design,tasks}.md.
Operational implication during the gap
Until WEN-992 ships, audit events older than 24 hours are unavailable. Incident response within the 24-hour window is supported; compliance-audit response for older events is not. Treat the gap accordingly.
Related
- Current state → Audit and observability — shipped two-tier service
- OpenSpec:
openspec/specs/audit-service/spec.md,openspec/changes/add-audit-archival/