Agentic implementation of deletion policy

Author: thijslemmens

agents/content-deletion-design.md

@@ -0,0 +1,219 @@
+# Content Deletion Design
+
+## Overview
+
+ContentGrid previously did not delete content from the ContentStore when:
+- Entity was deleted
+- Content property was set to null
+
+This design implements a **verified reference counting** approach to safely delete orphaned content.
+
+## Design Decisions
+
+| Aspect | Decision | Rationale |
+|--------|----------|-----------|
+| Tracking | Reference counting table `_content_references` | Incremental tracking, supports multi-entity sharing |
+| Safety check | Query each entity table before deletion | Catches count drift, prevents premature deletion |
+| Drift handling | Alert only (log + metrics) | Manual intervention required |
+| Deletion trigger | K8s CronJob (one-shot) | Full app context, scales independently |
+| Grace period | Configurable (default 7 days) | Allows recovery, ensures backup coverage |
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│                     contentgrid-appserver-app                        │
+│  ┌──────────────────────────────────────────────────────────────┐  │
+│  │              HTTP API Layer (Controllers)                     │  │
+│  └──────────────────────────────────────────────────────────────┘  │
+│                              │                                      │
+│  ┌───────────────────────────┼───────────────────────────────────┐  │
+│  │                      domain module                             │  │
+│  │  ┌─────────────────────┐  │  ┌─────────────────────────────┐  │  │
+│  │  │ContentUploadMapper  │  │  │ContentModificationValidator│  │  │
+│  │  │(upload → increment) │  │  │(null → decrement)          │  │  │
+│  │  └─────────────────────┘  │  └─────────────────────────────┘  │  │
+│  └───────────────────────────┼───────────────────────────────────┘  │
+│                              │                                      │
+│  ┌───────────────────────────┼───────────────────────────────────┐  │
+│  │              content-lifecycle module                          │  │
+│  │                          │                                     │  │
+│  │  ┌───────────────────────┴───────────────────────────────┐   │  │
+│  │  │         ContentReferenceTracker                        │   │  │
+│  │  │  - incrementReference()                                │   │  │
+│  │  │  - decrementReference() (afterCommit)                  │   │  │
+│  │  └───────────────────────────────────────────────────────┘   │  │
+│  │                          │                                     │  │
+│  │  ┌───────────────────────┴───────────────────────────────┐   │  │
+│  │  │       _content_references table                        │   │  │
+│  │  │  content_id | ref_count | last_dereferenced | marked   │   │  │
+│  │  └───────────────────────────────────────────────────────┘   │  │
+│  └───────────────────────────────────────────────────────────────┘  │
+└─────────────────────────────────────────────────────────────────────┘
+
+                    K8s CronJob (configurable schedule)
+                           │
+┌──────────────────────────┼──────────────────────────────────────────┐
+│           content-lifecycle module (ContentDeletionJob)             │
+│  ┌───────────────────────┴───────────────────────────────┐          │
+│  │  1. Find candidates: marked_for_deletion_at <= now    │          │
+│  │  2. Safety check: query all entity tables             │          │
+│  │  3a. If referenced: clear mark, log drift alert       │          │
+│  │  3b. If orphaned: delete from ContentStore, DEKs,     │          │
+│  │                    _content_references                 │          │
+│  └───────────────────────────────────────────────────────┘          │
+└─────────────────────────────────────────────────────────────────────┘
+```
+
+## Database Schema
+
+```sql
+CREATE TABLE _content_references (
+    content_id VARCHAR(36) PRIMARY KEY,
+    reference_count INTEGER NOT NULL DEFAULT 1,
+    first_referenced_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    last_dereferenced_at TIMESTAMP,
+    marked_for_deletion_at TIMESTAMP
+);
+```
+
+## Components
+
+### ContentReferenceTracker (interface)
+Location: `contentgrid-appserver-content-lifecycle`
+
+```java
+public interface ContentReferenceTracker {
+    void incrementReference(ContentReference ref);
+    void decrementReference(ContentReference ref);
+}
+```
+
+### JooqContentReferenceTracker
+- Implements reference counting with JOOQ
+- On increment: INSERT or UPDATE (upsert), clear deletion marker
+- On decrement: Reduce count, mark for deletion if count reaches 0
+
+### DeferredContentReferenceTracker
+- Wraps `ContentReferenceTracker` with after-commit callback
+- Uses `TransactionSynchronizationManager` to ensure decrements only happen after successful commit
+- Prevents premature deletion if transaction rolls back
+
+### ContentReferenceVerificationQuery
+- Safety check before deletion
+- Queries each entity table with content attributes
+- Returns true if content_id is still referenced anywhere
+
+### ContentDeletionJob
+- One-shot job for K8s CronJob
+- Finds content past grace period
+- Verifies not referenced, then deletes
+- Metrics: `content.deletion.success`, `content.deletion.failure`, `content.deletion.drift`
+
+## Integration Points
+
+### 1. Content Upload (`ContentUploadAttributeMapper`)
+After `contentStore.writeContent()`:
+```java
+if (contentReferenceTracker != null) {
+    contentReferenceTracker.incrementReference(contentAccessor.getReference());
+}
+```
+
+### 2. Content Dereference (`ContentAttributeModificationValidator`)
+When content is set to null:
+```java
+// In validate() method - track dereferenced content IDs
+if (hasContent && dataEntry instanceof NullDataEntry) {
+    // Extract content_id and add to dereferencedContentIds list
+}
+```
+
+Then in `DatamodelApiImpl.update()` and `updatePartial()`:
+```java
+for (String contentId : contentModificationValidator.getDereferencedContentIds()) {
+    if (contentReferenceTracker != null) {
+        contentReferenceTracker.decrementReference(ContentReference.of(contentId));
+    }
+}
+```
+
+### 3. Entity Delete (`DatamodelApiImpl.deleteEntity()`)
+After entity deletion:
+```java
+if (contentReferenceTracker != null) {
+    for (var contentAttr : entity.getContentAttributes()) {
+        // Extract content_id from deleted entity
+        // Call decrementReference()
+    }
+}
+```
+
+## Configuration
+
+```yaml
+contentgrid:
+  content:
+    lifecycle:
+      enabled: true
+      deletion:
+        enabled: true
+        grace-period: P7D  # ISO-8601 Duration
+        batch-size: 100
+```
+
+## Metrics
+
+| Metric | Description |
+|--------|-------------|
+| `content.deletion.success` | Successfully deleted content |
+| `content.deletion.failure` | Failed to delete content |
+| `content.deletion.drift` | Count drift detected (marked but still referenced) |
+
+## Edge Cases
+
+| Scenario | Behavior |
+|----------|----------|
+| Content uploaded then immediately deleted | Count → 1 → 0, marked for deletion after grace period |
+| Transaction rollback after upload | No increment (never tracked) |
+| Transaction rollback after delete | Decrement in afterCommit, so no decrement |
+| Content shared across entities | Each entity increments count |
+| Content resurrected (deleted, then re-uploaded with same ID) | Increment clears `marked_for_deletion_at` |
+| Count drift detected | Clear deletion marker, log warning, increment drift counter |
+| Content without entry in `_content_references` | Safety check finds reference, no deletion |
+
+## Migration
+
+Before enabling the deletion job, populate `_content_references` from existing data:
+
+```sql
+INSERT INTO _content_references (content_id, reference_count, first_referenced_at)
+SELECT content_id, 1, NOW()
+FROM (
+    SELECT content_id FROM invoices WHERE content_id IS NOT NULL
+    UNION ALL
+    SELECT attachment_id FROM documents WHERE attachment_id IS NOT NULL
+    -- ... all content columns
+) AS all_content_ids
+GROUP BY content_id;
+```
+
+## Future Considerations
+
+1. **Content sharing API**: Currently content sharing is database-only. API support could allow explicit content reuse.
+
+2. **Bulk operations**: Batch deletion for efficiency with large content volumes.
+
+3. **Soft delete**: Move to trash location before final deletion for additional safety.
+
+4. **Deduplication**: If same content uploaded multiple times, could share content_id to save storage.
+
+## Files Changed
+
+- `settings.gradle` - Added new module
+- `contentgrid-appserver-content-lifecycle/` - New module
+- `contentgrid-appserver-domain/build.gradle` - Added dependency
+- `contentgrid-appserver-domain/.../DatamodelApiImpl.java` - Integration
+- `contentgrid-appserver-domain/.../ContentUploadAttributeMapper.java` - Integration
+- `contentgrid-appserver-domain/.../ContentAttributeModificationValidator.java` - Integration
+- `contentgrid-appserver-autoconfigure/.../AutoConfiguration.imports` - Registered auto-config

contentgrid-appserver-autoconfigure/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -11,3 +11,4 @@ com.contentgrid.appserver.autoconfigure.rest.ContentGridRestFormatterAutoConfigu
 com.contentgrid.appserver.autoconfigure.actuator.ContentgridActuatorAutoConfiguration
 com.contentgrid.appserver.autoconfigure.security.DefaultSecurityAutoConfiguration
 com.contentgrid.appserver.autoconfigure.webjars.WebjarsRestAutoConfiguration
+com.contentgrid.appserver.content.lifecycle.autoconfigure.ContentLifecycleAutoConfiguration

contentgrid-appserver-content-lifecycle/build.gradle

@@ -0,0 +1,17 @@
+plugins {
+    id 'java-library'
+    id 'maven-publish'
+    id 'io.freefair.lombok'
+}
+
+dependencies {
+    api project(':contentgrid-appserver-contentstore-api')
+    api project(':contentgrid-appserver-application-model')
+    
+    implementation 'org.jooq:jooq'
+    implementation 'org.slf4j:slf4j-api'
+    implementation 'org.springframework:spring-tx'
+    implementation 'org.springframework.boot:spring-boot'
+    implementation 'org.springframework.boot:spring-boot-autoconfigure'
+    implementation 'io.micrometer:micrometer-core'
+}

contentgrid-appserver-content-lifecycle/src/main/java/com/contentgrid/appserver/content/lifecycle/ContentDeletionJob.java

@@ -0,0 +1,118 @@
+package com.contentgrid.appserver.content.lifecycle;
+
+import static org.jooq.impl.DSL.currentTimestamp;
+import static org.jooq.impl.DSL.field;
+import static org.jooq.impl.DSL.name;
+import static org.jooq.impl.DSL.table;
+
+import com.contentgrid.appserver.contentstore.api.ContentReference;
+import com.contentgrid.appserver.contentstore.api.ContentStore;
+import com.contentgrid.appserver.contentstore.api.UnwritableContentException;
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.MeterRegistry;
+import java.util.List;
+import lombok.extern.slf4j.Slf4j;
+import org.jooq.DSLContext;
+import org.jooq.Record1;
+import org.jooq.Select;
+
+@Slf4j
+public class ContentDeletionJob {
+    private static final String TABLE_NAME = "_content_references";
+    private static final org.jooq.Table<org.jooq.Record> CONTENT_REFERENCES = table(name(TABLE_NAME));
+    private static final org.jooq.Field<String> CONTENT_ID = field(name(TABLE_NAME, "content_id"), org.jooq.impl.SQLDataType.VARCHAR);
+    private static final org.jooq.Field<java.sql.Timestamp> MARKED_FOR_DELETION_AT = field(name(TABLE_NAME, "marked_for_deletion_at"), org.jooq.impl.SQLDataType.TIMESTAMP);
+
+    private final DSLContext dslContext;
+    private final ContentStore contentStore;
+    private final ContentReferenceVerificationQuery verificationQuery;
+    private final ContentLifecycleProperties properties;
+    private final Counter successCounter;
+    private final Counter failureCounter;
+    private final Counter driftCounter;
+
+    public ContentDeletionJob(
+            DSLContext dslContext,
+            ContentStore contentStore,
+            ContentReferenceVerificationQuery verificationQuery,
+            ContentLifecycleProperties properties,
+            MeterRegistry meterRegistry
+    ) {
+        this.dslContext = dslContext;
+        this.contentStore = contentStore;
+        this.verificationQuery = verificationQuery;
+        this.properties = properties;
+        this.successCounter = Counter.builder("content.deletion")
+            .tag("result", "success")
+            .register(meterRegistry);
+        this.failureCounter = Counter.builder("content.deletion")
+            .tag("result", "failure")
+            .register(meterRegistry);
+        this.driftCounter = Counter.builder("content.deletion.drift")
+            .register(meterRegistry);
+    }
+
+    public void run() {
+        log.info("Starting content deletion job");
+        int processed = 0;
+        int deleted = 0;
+        int skipped = 0;
+
+        List<String> candidates = findDeletionCandidates();
+        
+        for (String contentId : candidates) {
+            processed++;
+            
+            if (verificationQuery.isStillReferenced(contentId)) {
+                log.warn("Count drift detected: content_id {} marked for deletion but still referenced", contentId);
+                driftCounter.increment();
+                clearDeletionMarker(contentId);
+                skipped++;
+                continue;
+            }
+
+            if (deleteContent(contentId)) {
+                deleted++;
+            }
+        }
+
+        log.info("Content deletion job completed: processed={}, deleted={}, skipped={}", processed, deleted, skipped);
+    }
+
+    private List<String> findDeletionCandidates() {
+        Select<Record1<String>> query = dslContext
+            .select(CONTENT_ID)
+            .from(CONTENT_REFERENCES)
+            .where(MARKED_FOR_DELETION_AT.isNotNull())
+            .and(MARKED_FOR_DELETION_AT.le(currentTimestamp()))
+            .orderBy(MARKED_FOR_DELETION_AT)
+            .limit(properties.getDeletion().getBatchSize());
+        
+        return query.fetch(CONTENT_ID);
+    }
+
+    private void clearDeletionMarker(String contentId) {
+        dslContext.update(CONTENT_REFERENCES)
+            .setNull(MARKED_FOR_DELETION_AT)
+            .where(CONTENT_ID.eq(contentId))
+            .execute();
+    }
+
+    private boolean deleteContent(String contentId) {
+        try {
+            contentStore.remove(ContentReference.of(contentId));
+            
+            dslContext.deleteFrom(CONTENT_REFERENCES)
+                .where(CONTENT_ID.eq(contentId))
+                .execute();
+            
+            successCounter.increment();
+            log.debug("Deleted content_id {}", contentId);
+            return true;
+        } catch (UnwritableContentException e) {
+            log.error("Failed to delete content_id {}", contentId, e);
+            failureCounter.increment();
+            return false;
+        }
+    }
+}

contentgrid-appserver-content-lifecycle/src/main/java/com/contentgrid/appserver/content/lifecycle/ContentLifecycleProperties.java

@@ -0,0 +1,20 @@
+package com.contentgrid.appserver.content.lifecycle;
+
+import java.time.Duration;
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@Data
+@ConfigurationProperties(prefix = "contentgrid.content.lifecycle")
+public class ContentLifecycleProperties {
+    private boolean enabled = true;
+    
+    private Deletion deletion = new Deletion();
+    
+    @Data
+    public static class Deletion {
+        private boolean enabled = true;
+        private Duration gracePeriod = Duration.ofDays(7);
+        private int batchSize = 100;
+    }
+}

contentgrid-appserver-content-lifecycle/src/main/java/com/contentgrid/appserver/content/lifecycle/ContentReferenceTracker.java

@@ -0,0 +1,8 @@
+package com.contentgrid.appserver.content.lifecycle;
+
+import com.contentgrid.appserver.contentstore.api.ContentReference;
+
+public interface ContentReferenceTracker {
+    void incrementReference(ContentReference ref);
+    void decrementReference(ContentReference ref);
+}