Problem
Authority-backed dashboard sessions currently need provider-neutral lifecycle bounds. Session creation does not prune expired/idle records or enforce a finite semantic-session cap, and delete/revoke/expiry paths can leave seeded auxiliary touch records behind. Long-running deployments therefore grow every authority snapshot/auxiliary map and eventually hit S3 auxiliary limits.
Acceptance criteria
- Creation prunes expired/idle sessions before append and enforces a documented finite cap.
- Delete, revoke, logout, and expiry remove the matching auxiliary touch record across filesystem, SQLite, PostgreSQL, and S3.
- Revocation remains checked on every request while last-used persistence is throttled to a bounded window to avoid one shared write per dashboard API request.
- Deterministic tests cover cap pressure, expiry, revoke/delete cleanup, replica propagation, and no resurrection after replay.
Evidence
Review anchors: packages/core/src/dashboard/session-store.ts around create (~299), touch (~379), and delete/revoke (~408).
Problem
Authority-backed dashboard sessions currently need provider-neutral lifecycle bounds. Session creation does not prune expired/idle records or enforce a finite semantic-session cap, and delete/revoke/expiry paths can leave seeded auxiliary touch records behind. Long-running deployments therefore grow every authority snapshot/auxiliary map and eventually hit S3 auxiliary limits.
Acceptance criteria
Evidence
Review anchors: packages/core/src/dashboard/session-store.ts around create (~299), touch (~379), and delete/revoke (~408).