multi: add DeleteForwardingHistory to selectively purge old forwarding history

[ziggie1984]

This PR supersedes #10319.

Overview

Routing nodes and LSPs accumulate forwarding history over time which, if
compromised or subpoenaed, could reveal sensitive information about payment
flows. Prior to this change, the only way to purge old forwarding history was
to reset the database and restore from backup — a disruptive operation with
significant operational risk.

This PR adds a DeleteForwardingHistory RPC to the Router sub-server that
allows operators to permanently delete forwarding events older than a specified
time threshold, without any node downtime.

Changes

channeldb

• Adds DeleteForwardingEvents to ForwardingLog, which deletes all events
  with a timestamp at or before a specified cutoff time
• Deletion is performed in configurable batches (default 10k, max 50k per
  transaction) to avoid holding large database locks
• Context is threaded through so callers can cancel between batches; already
  committed batches are permanent and the operation is safe to re-run
• Returns DeleteStats with event count and total fees (msat) for accounting

routerrpc

• Defines the DeleteForwardingHistory RPC in router.proto with a oneof
  time spec: absolute Unix timestamp (delete_before_time) or relative
  duration string (delete_before_duration, e.g. "-90d", "-1M")
• Adds a parseDuration helper extending Go's standard duration parser with
  d, w, M, y units and fractional value support
• Implements the RPC handler with a configurable minimum age guard
  (--routerrpc.min-fwd-history-age, default 1h) to prevent accidental
  deletion of recent data
• Uses the injected clock.Clock for testability

lncli

• Adds deletefwdhistory command with --age (relative) and --before
  (absolute Unix timestamp) flags
• Interactive confirmation prompt, bypassable with --force/-f for
  automation
• Configurable --batch_size flag (default 10000)

Tests

• Unit tests for DeleteForwardingEvents covering basic deletion, partial
  deletion, batching, idempotency, empty database, and boundary conditions
• Property-based tests using rapid validating key invariants across
  randomised inputs
• Unit tests for parseDuration covering all supported units and error cases
• Integration tests exercising the full RPC path end-to-end

Docs

• Adds docs/forwarding_history_privacy.md covering privacy implications,
  CLI usage, batch size tuning, cron automation, database compaction, and
  fee accounting

Notes

• The DeleteForwardingHistory RPC lives in routerrpc (consistent with
  keeping routing-related operations out of the main Lightning service)
• Deletion is synchronous and batched — no background goroutines needed
• Partial deletion on cancellation is safe and idempotent

Closes #10319

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances LND's operational capabilities by providing a non-disruptive method for managing forwarding history data. It addresses privacy concerns and facilitates compliance with data retention policies by allowing operators to purge old forwarding events without requiring node downtime or database resets. The new functionality is robust, user-friendly, and includes safeguards to prevent accidental data loss, making it a valuable tool for routing node operators.

Highlights

• New RPC for Forwarding History Deletion: Introduced a new DeleteForwardingHistory RPC in the Router sub-server, allowing operators to selectively purge old forwarding events based on a specified time threshold.
• Batched Database Deletion: Implemented a batched deletion mechanism in channeldb to remove forwarding events efficiently, avoiding large database locks and supporting cancellation between batches. It also returns statistics on deleted events and total fees.
• Flexible Time Specification: The lncli deletefwdhistory command now supports specifying the deletion cutoff time using either relative durations (e.g., '-90d', '-1M') or absolute Unix timestamps, with custom units for days, weeks, months, and years.
• Safety Mechanisms: The deletion process includes a configurable minimum age guard (default 1 hour) to prevent accidental deletion of recent data, interactive confirmation in lncli, and requires offchain:write macaroon permission.
• Comprehensive Documentation and Testing: Added a new documentation file (docs/forwarding_history_privacy.md) detailing privacy implications, usage, and best practices. Extensive unit and integration tests, including property-based testing, ensure the reliability and idempotency of the deletion logic.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new feature to delete old forwarding history events from the database, primarily for privacy and data retention purposes. This includes the database logic, a new lncli command, RPC definitions, and extensive testing and documentation. The review comments suggest removing //nolint:ll comments as they do not adhere to the style guide's principle of explaining code intention.

[calvinrzachman]

All comments from #10319 addressed + some nice additions like context based cancellation. Looks good to me.

[ellemouton]

lgtm! 👍