auth/cleanup.ts

Periodic auth cleanup — sweeps expired sessions and role_grant offers.

Single entry point for consumers scheduling auth maintenance. Internally runs every known sweep and emits the corresponding audit events so consumer code only manages cadence, not per-task wiring.

The per-task primitives remain exported from their home modules (query_session_cleanup_expired, query_role_grant_offer_sweep_expired); cleanup_expired_role_grant_offers here wraps the latter with the required role_grant_offer_expire audit emission and is the piece most likely to be reused in a consumer's bespoke scheduler.

Idempotency: the audit log has no tombstone on role_grant_offer_expire, so concurrent sweep runs double-audit. The expected deployment pattern is a single scheduled invocation per instance — matching query_session_cleanup_expired.

Declarations

4 declarations

AuthCleanupDeps

Dependencies for the cleanup helpers.

inheritance

extends:

log

type Logger

audit

Bound audit emitter. cleanup_expired_role_grant_offers writes via audit.emit_pool (the captured pool + config + listener chain), so one slot covers both row persistence and SSE/WS fan-out. Required — production wiring always has a bound emitter on AppDeps.audit, and tests that need a no-op pass create_test_audit_emitter().

AuthCleanupResult

Result of run_auth_cleanup.

expired_sessions

Number of expired session rows deleted.

type number

expired_offers

Number of expired role_grant offer rows audit-stamped.

type number

cleanup_expired_role_grant_offers

(deps: AuthCleanupDeps): Promise<number>

Sweep expired role_grant offers and emit one role_grant_offer_expire audit event per row.

Returns the count of offers audit-stamped. The offer rows themselves are preserved — offers carry audit value for the history view even after expiry, and accepted rows are the provenance for the resulting role_grant (deleting expired rows would not threaten that, but keeping them uniform with the retention policy for terminal rows is simpler).

deps

returns

Promise<number>

run_auth_cleanup

(deps: AuthCleanupDeps): Promise<AuthCleanupResult>

Run every auth cleanup sweep — expired sessions and expired role_grant offers — and return the counts.

Consumers call this from a scheduled task (setInterval, cron, etc.) alongside their own domain cleanup. Errors from individual sweeps are re-thrown so the caller's scheduler can log/alert; use the per-task helpers (query_session_cleanup_expired, cleanup_expired_role_grant_offers) directly if you need finer error isolation.

deps

returns

Promise<AuthCleanupResult>

throws

  • Error - re-thrown from any sweep that fails (no per-sweep isolation here)
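
A scheduling sketch for the two caveats above (overlapping runs double-audit, and run_auth_cleanup has no per-sweep isolation). This is an added example, not code from auth/cleanup.ts: `create_single_flight`, `run_sweeps_isolated` and `demo_sweeps` are hypothetical names, and the sweeps are constructed stand-ins for the real helpers, whose full signatures are not shown on this page. The guard only prevents overlap inside one process.

```typescript
// Added example. A sweep is any zero-argument async function returning a row count;
// in real wiring it would close over the deps and call one per-task helper.
type Sweep = () => Promise<number>;

interface SweepOutcome {
  name: string;
  count: number | null; // null when the sweep threw
  error: unknown; // null when the sweep succeeded
}

// Runs sweeps in order and records each result separately, so a failing
// session sweep does not stop the offer sweep (and vice versa).
async function run_sweeps_isolated(sweeps: Array<[string, Sweep]>): Promise<SweepOutcome[]> {
  const outcomes: SweepOutcome[] = [];
  for (const [name, sweep] of sweeps) {
    try {
      outcomes.push({ name, count: await sweep(), error: null });
    } catch (error) {
      outcomes.push({ name, count: null, error });
    }
  }
  return outcomes;
}

// Wraps a task for setInterval. A tick that fires while the previous run is
// still in flight returns null instead of starting a second, overlapping run,
// which for the offer sweep would emit duplicate role_grant_offer_expire events.
function create_single_flight<T>(task: () => Promise<T>): () => Promise<T> | null {
  let in_flight = false;
  const run = async (): Promise<T> => {
    try {
      return await task();
    } finally {
      in_flight = false; // release the guard on success and on failure
    }
  };
  return () => {
    if (in_flight) return null;
    in_flight = true;
    return run();
  };
}

// Constructed stand-ins: one sweep succeeds, one fails.
const demo_sweeps: Array<[string, Sweep]> = [
  ['sessions', async () => 3],
  ['offers', async () => { throw new Error('db unavailable'); }],
];
```

A caller would pass the returned tick function to setInterval and alert on any outcome whose error is set.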

Depends on