feat(activity): size-based retention cap for the activity log (spec 073, MCP-1002) (#585)

* feat(activity): size-based retention cap for the activity log (spec 073)

Bounds config.db growth: the activity log was pruned only by age (90d) and count
(100k); large per-record payloads let it reach hundreds of MB while under both
caps (~438MB/93k rows observed). Add a configurable total-size cap.

- config: activity_max_size_mb (default 256, 0=disabled)
- storage: Manager.PruneActivitiesToSize(maxBytes) — deletes oldest-first until
  the activity_records bucket data is within budget; always keeps the newest
  record; <=0 is a no-op
- runtime: plumb the byte budget into ActivityService; run the size prune in
  runRetentionCleanup after the age/count prunes (and at startup)
- docs: document activity_max_size_mb + the compaction caveat

TDD: 4 storage tests (size, oldest-first, keep-newest, disabled) + 2 runtime
wiring tests; go test ./internal/storage ./internal/config + activity runtime
tests green; go vet + gofmt clean.

Refs MCP-1002.

* chore(oas): regenerate swagger for activity_max_size_mb config field

Author: Dumbris

docs/features/activity-log.md

@@ -405,6 +405,7 @@ Activity logging is enabled by default. Configure via `mcp_config.json`:
 {
   "activity_retention_days": 90,
   "activity_max_records": 100000,
+  "activity_max_size_mb": 256,
   "activity_max_response_size": 65536,
   "activity_cleanup_interval_min": 60
 }
@@ -414,9 +415,12 @@ Activity logging is enabled by default. Configure via `mcp_config.json`:
 |---------|---------|-------------|
 | `activity_retention_days` | 90 | Days to retain activity records |
 | `activity_max_records` | 100000 | Maximum records before pruning oldest |
+| `activity_max_size_mb` | 256 | Maximum total activity-log size in MB before pruning oldest (`0` disables). Runs alongside the age and count caps to bound `config.db` growth when records carry large payloads. |
 | `activity_max_response_size` | 65536 | Max response size stored (bytes) |
 | `activity_cleanup_interval_min` | 60 | Background cleanup interval (minutes) |
 
+> **Why the size cap?** The age and count caps alone do not bound disk: with large per-record payloads the log can reach hundreds of MB while still under 100k records / 90 days. `activity_max_size_mb` removes the oldest records (always keeping the newest) until the log is within the byte budget. Note: pruning frees pages for reuse but does not shrink the database file on disk (BBolt does not return freed pages to the OS).
+
 ## Use Cases
 
 ### Debugging Tool Calls

internal/config/config.go

@@ -138,6 +138,7 @@ type Config struct {
 	// Activity logging settings (RFC-003)
 	ActivityRetentionDays      int `json:"activity_retention_days,omitempty" mapstructure:"activity-retention-days"`             // Max age before pruning (default: 90)
 	ActivityMaxRecords         int `json:"activity_max_records,omitempty" mapstructure:"activity-max-records"`                   // Max records before pruning (default: 100000)
+	ActivityMaxSizeMB          int `json:"activity_max_size_mb,omitempty" mapstructure:"activity-max-size-mb"`                   // Max total activity-log size in MB before pruning oldest (default: 256, 0=disabled)
 	ActivityMaxResponseSize    int `json:"activity_max_response_size,omitempty" mapstructure:"activity-max-response-size"`       // Response truncation limit in bytes (default: 65536)
 	ActivityCleanupIntervalMin int `json:"activity_cleanup_interval_min,omitempty" mapstructure:"activity-cleanup-interval-min"` // Background cleanup interval in minutes (default: 60)
 
@@ -1030,6 +1031,7 @@ func DefaultConfig() *Config {
 		// Activity logging defaults (RFC-003)
 		ActivityRetentionDays:      90,     // 90 days retention
 		ActivityMaxRecords:         100000, // 100K records max
+		ActivityMaxSizeMB:          256,    // 256MB total activity-log size cap (0 = disabled)
 		ActivityMaxResponseSize:    65536,  // 64KB response truncation
 		ActivityCleanupIntervalMin: 60,     // 1 hour cleanup interval
 

internal/runtime/activity_service.go

@@ -20,6 +20,8 @@ const (
 	DefaultRetentionMaxRecords = 10000
 	// DefaultRetentionCheckInterval is the default interval between retention checks (1 hour)
 	DefaultRetentionCheckInterval = 1 * time.Hour
+	// DefaultRetentionMaxSizeBytes is the default total activity-log size cap (256MB)
+	DefaultRetentionMaxSizeBytes int64 = 256 * 1024 * 1024
 )
 
 // SensitiveDataEventEmitter provides the ability to emit sensitive data detection events.
@@ -43,6 +45,7 @@ type ActivityService struct {
 	// Retention configuration
 	maxAge        time.Duration
 	maxRecords    int
+	maxSizeBytes  int64 // total activity-log size cap in bytes (0 = disabled)
 	checkInterval time.Duration
 
 	// Sensitive data detector (Spec 026)
@@ -68,6 +71,7 @@ func NewActivityService(storage *storage.Manager, logger *zap.Logger) *ActivityS
 		done:          make(chan struct{}),
 		maxAge:        DefaultRetentionMaxAge,
 		maxRecords:    DefaultRetentionMaxRecords,
+		maxSizeBytes:  DefaultRetentionMaxSizeBytes,
 		checkInterval: DefaultRetentionCheckInterval,
 		detector:      nil, // Detector is optional, set via SetDetector
 		usage:         newUsageStore(),
@@ -92,7 +96,7 @@ func (s *ActivityService) SetEventEmitter(emitter SensitiveDataEventEmitter) {
 // maxAge: maximum age for records (0 = no age limit)
 // maxRecords: maximum number of records (0 = no count limit)
 // checkInterval: how often to run retention cleanup
-func (s *ActivityService) SetRetentionConfig(maxAge time.Duration, maxRecords int, checkInterval time.Duration) {
+func (s *ActivityService) SetRetentionConfig(maxAge time.Duration, maxRecords int, checkInterval time.Duration, maxSizeBytes int64) {
 	if maxAge > 0 {
 		s.maxAge = maxAge
 	}
@@ -102,6 +106,11 @@ func (s *ActivityService) SetRetentionConfig(maxAge time.Duration, maxRecords in
 	if checkInterval > 0 {
 		s.checkInterval = checkInterval
 	}
+	// maxSizeBytes may be explicitly set to 0 to DISABLE the size cap, so a
+	// negative sentinel (-1) means "leave unchanged"; >= 0 is applied verbatim.
+	if maxSizeBytes >= 0 {
+		s.maxSizeBytes = maxSizeBytes
+	}
 }
 
 // Start begins listening for activity events and persisting them.
@@ -189,6 +198,19 @@ func (s *ActivityService) runRetentionCleanup() {
 				zap.Int("max_records", s.maxRecords))
 		}
 	}
+
+	// Prune by total size (runs after age+count; 0 disables). Bounds config.db
+	// growth from large per-record payloads that stay under the count/age caps.
+	if s.maxSizeBytes > 0 {
+		deleted, err := s.storage.PruneActivitiesToSize(s.maxSizeBytes)
+		if err != nil {
+			s.logger.Error("Failed to prune activities to size budget", zap.Error(err))
+		} else if deleted > 0 {
+			s.logger.Info("Pruned activity records to size budget",
+				zap.Int("deleted", deleted),
+				zap.Int64("max_size_mb", s.maxSizeBytes/(1024*1024)))
+		}
+	}
 }
 
 // Stop gracefully shuts down the activity service.

internal/runtime/activity_size_retention_test.go

@@ -0,0 +1,72 @@
+package runtime
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+
+	"github.com/smart-mcp-proxy/mcpproxy-go/internal/storage"
+)
+
+func seedRuntimeActivities(t *testing.T, store *storage.Manager, prefix string, n, payload int) {
+	t.Helper()
+	now := time.Now().UTC()
+	for i := 0; i < n; i++ {
+		require.NoError(t, store.SaveActivity(&storage.ActivityRecord{
+			ID:        fmt.Sprintf("%s-%02d", prefix, i),
+			Type:      storage.ActivityTypeToolCall,
+			Status:    "success",
+			Response:  strings.Repeat("x", payload),
+			Timestamp: now.Add(time.Duration(i) * time.Second), // all recent; last is newest
+		}))
+	}
+}
+
+// The size cap runs inside the existing retention cleanup and removes oldest
+// records until the log is within budget, leaving the age/count caps intact.
+func TestActivityRetention_SizeCapRemovesOldest(t *testing.T) {
+	store, cleanup := setupTestStorage(t)
+	defer cleanup()
+	svc := NewActivityService(store, zap.NewNop())
+
+	// Only the size cap should act: keep default age/count caps (7d / 10000),
+	// seed recent records well under those, and set a small size budget.
+	svc.SetRetentionConfig(0, 0, 0, 30*1024) // 30KB; age/count left unchanged
+	seedRuntimeActivities(t, store, "rt", 10, 10*1024)
+
+	svc.runRetentionCleanup()
+
+	newest, err := store.GetActivity("rt-09")
+	require.NoError(t, err)
+	assert.NotNil(t, newest, "newest record must survive the size cap")
+	oldest, err := store.GetActivity("rt-00")
+	require.NoError(t, err)
+	assert.Nil(t, oldest, "oldest record should be pruned by the size cap")
+
+	// Log is now within budget: a direct size prune deletes nothing more.
+	again, err := store.PruneActivitiesToSize(30 * 1024)
+	require.NoError(t, err)
+	assert.Equal(t, 0, again, "log should already be within the size budget")
+}
+
+func TestActivityRetention_SizeCapDisabled(t *testing.T) {
+	store, cleanup := setupTestStorage(t)
+	defer cleanup()
+	svc := NewActivityService(store, zap.NewNop())
+
+	svc.SetRetentionConfig(0, 0, 0, 0) // disable size cap (age/count stay default)
+	seedRuntimeActivities(t, store, "d", 5, 10*1024)
+
+	svc.runRetentionCleanup()
+
+	for i := 0; i < 5; i++ {
+		rec, err := store.GetActivity(fmt.Sprintf("d-%02d", i))
+		require.NoError(t, err)
+		assert.NotNilf(t, rec, "d-%02d must survive when the size cap is disabled", i)
+	}
+}

internal/runtime/runtime.go

@@ -212,13 +212,17 @@ func New(cfg *config.Config, cfgPath string, logger *zap.Logger) (*Runtime, erro
 	}
 
 	// Wire activity retention config from config file
-	if cfg.ActivityRetentionDays > 0 || cfg.ActivityMaxRecords > 0 || cfg.ActivityCleanupIntervalMin > 0 {
+	if cfg.ActivityRetentionDays > 0 || cfg.ActivityMaxRecords > 0 || cfg.ActivityCleanupIntervalMin > 0 || cfg.ActivityMaxSizeMB >= 0 {
 		maxAge := time.Duration(cfg.ActivityRetentionDays) * 24 * time.Hour
 		checkInterval := time.Duration(cfg.ActivityCleanupIntervalMin) * time.Minute
-		activityService.SetRetentionConfig(maxAge, cfg.ActivityMaxRecords, checkInterval)
+		// ActivityMaxSizeMB: 0 disables the size cap, so pass the explicit byte
+		// value (>= 0 is applied; -1 would mean "unchanged").
+		maxSizeBytes := int64(cfg.ActivityMaxSizeMB) * 1024 * 1024
+		activityService.SetRetentionConfig(maxAge, cfg.ActivityMaxRecords, checkInterval, maxSizeBytes)
 		logger.Info("Activity retention config applied",
 			zap.Int("retention_days", cfg.ActivityRetentionDays),
 			zap.Int("max_records", cfg.ActivityMaxRecords),
+			zap.Int("max_size_mb", cfg.ActivityMaxSizeMB),
 			zap.Int("cleanup_interval_min", cfg.ActivityCleanupIntervalMin))
 	}
 

internal/storage/activity.go

@@ -454,6 +454,76 @@ func (m *Manager) PruneExcessActivities(maxRecords int, targetPercent float64) (
 	return deleted, nil
 }
 
+// PruneActivitiesToSize deletes the oldest activity records until the activity
+// log's stored data (sum of key+value bytes) is at or below maxBytes. Activity
+// keys are timestamp-ordered, so a single forward cursor pass removes
+// oldest-first. The newest record is ALWAYS retained — the log is never emptied
+// while any record exists, even if that newest record alone exceeds the budget.
+// maxBytes <= 0 disables size pruning (no-op). Returns the number deleted.
+func (m *Manager) PruneActivitiesToSize(maxBytes int64) (int, error) {
+	if maxBytes <= 0 {
+		return 0, nil
+	}
+
+	var deleted int
+
+	err := m.db.db.Update(func(tx *bbolt.Tx) error {
+		bucket := tx.Bucket([]byte(ActivityRecordsBucket))
+		if bucket == nil {
+			return nil
+		}
+
+		keyCount := bucket.Stats().KeyN
+		if keyCount <= 1 {
+			return nil // never empty the log (always keep the newest record)
+		}
+
+		// Total stored bytes for the bucket.
+		var total int64
+		_ = bucket.ForEach(func(k, v []byte) error {
+			total += int64(len(k) + len(v))
+			return nil
+		})
+		if total <= maxBytes {
+			return nil
+		}
+
+		// Delete oldest-first (smallest keys) until within budget, but NEVER the
+		// last (newest) record — stop before processing it.
+		var keysToDelete [][]byte
+		cursor := bucket.Cursor()
+		processed := 0
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			if total <= maxBytes || processed == keyCount-1 {
+				break
+			}
+			keysToDelete = append(keysToDelete, append([]byte{}, k...))
+			total -= int64(len(k) + len(v))
+			processed++
+		}
+
+		for _, key := range keysToDelete {
+			if err := bucket.Delete(key); err != nil {
+				return fmt.Errorf("failed to delete activity for size cap: %w", err)
+			}
+			deleted++
+		}
+		return nil
+	})
+
+	if err != nil {
+		return deleted, err
+	}
+
+	if deleted > 0 {
+		m.logger.Infow("Pruned activity records to size budget",
+			"deleted", deleted,
+			"max_bytes", maxBytes)
+	}
+
+	return deleted, nil
+}
+
 // SaveActivityAsync saves an activity record asynchronously.
 // This is non-blocking and suitable for recording tool calls without impacting latency.
 func (m *Manager) SaveActivityAsync(record *ActivityRecord) {

internal/storage/activity_size_test.go

@@ -0,0 +1,103 @@
+package storage
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// saveSizedActivities saves n records (id-00 oldest → id-(n-1) newest), each
+// padded so its stored value is ~payload bytes.
+func saveSizedActivities(t *testing.T, m *Manager, n, payload int) {
+	t.Helper()
+	base := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
+	for i := 0; i < n; i++ {
+		require.NoError(t, m.SaveActivity(&ActivityRecord{
+			ID:        fmt.Sprintf("id-%02d", i),
+			Type:      ActivityTypeToolCall,
+			Status:    "success",
+			Response:  strings.Repeat("x", payload),
+			Timestamp: base.Add(time.Duration(i) * time.Minute),
+		}))
+	}
+}
+
+// exists reports whether an activity record with the given id is present.
+// GetActivity returns (nil, nil) — not an error — when a record is absent.
+func exists(t *testing.T, m *Manager, id string) bool {
+	t.Helper()
+	rec, err := m.GetActivity(id)
+	require.NoError(t, err)
+	return rec != nil
+}
+
+func TestPruneActivitiesToSize_RemovesOldestUntilUnderBudget(t *testing.T) {
+	m, cleanup := setupTestStorageForActivity(t)
+	defer cleanup()
+
+	// 10 records × ~10KB ≈ 100KB total.
+	saveSizedActivities(t, m, 10, 10*1024)
+	budget := int64(45 * 1024) // only the newest few fit
+
+	deleted, err := m.PruneActivitiesToSize(budget)
+	require.NoError(t, err)
+	assert.Greater(t, deleted, 0)
+
+	// Oldest pruned, newest retained.
+	assert.False(t, exists(t, m, "id-00"), "oldest record should be pruned")
+	assert.True(t, exists(t, m, "id-09"), "newest record must be retained")
+
+	// Idempotent: a second pass deletes nothing more.
+	again, err := m.PruneActivitiesToSize(budget)
+	require.NoError(t, err)
+	assert.Equal(t, 0, again, "second pass should be a no-op")
+}
+
+func TestPruneActivitiesToSize_AlreadyUnderBudget_NoOp(t *testing.T) {
+	m, cleanup := setupTestStorageForActivity(t)
+	defer cleanup()
+	saveSizedActivities(t, m, 5, 1024) // ~5KB total
+
+	deleted, err := m.PruneActivitiesToSize(10 * 1024 * 1024) // 10MB budget
+	require.NoError(t, err)
+	assert.Equal(t, 0, deleted)
+	for i := 0; i < 5; i++ {
+		assert.True(t, exists(t, m, fmt.Sprintf("id-%02d", i)))
+	}
+}
+
+func TestPruneActivitiesToSize_KeepsNewestEvenIfOverBudget(t *testing.T) {
+	m, cleanup := setupTestStorageForActivity(t)
+	defer cleanup()
+	// 5 records × 10KB; budget smaller than a single record.
+	saveSizedActivities(t, m, 5, 10*1024)
+
+	deleted, err := m.PruneActivitiesToSize(1024) // 1KB < one record
+	require.NoError(t, err)
+	assert.Equal(t, 4, deleted, "all but the newest should be deleted")
+
+	// Only the newest survives — the log is never emptied.
+	assert.True(t, exists(t, m, "id-04"), "newest must survive")
+	for i := 0; i < 4; i++ {
+		assert.Falsef(t, exists(t, m, fmt.Sprintf("id-%02d", i)), "id-%02d should be pruned", i)
+	}
+}
+
+func TestPruneActivitiesToSize_DisabledWhenZeroOrNegative(t *testing.T) {
+	m, cleanup := setupTestStorageForActivity(t)
+	defer cleanup()
+	saveSizedActivities(t, m, 4, 10*1024)
+
+	for _, budget := range []int64{0, -1} {
+		deleted, err := m.PruneActivitiesToSize(budget)
+		require.NoError(t, err)
+		assert.Equalf(t, 0, deleted, "budget %d disables size pruning", budget)
+	}
+	for i := 0; i < 4; i++ {
+		assert.True(t, exists(t, m, fmt.Sprintf("id-%02d", i)))
+	}
+}

oas/docs.go

@@ -11,6 +11,10 @@ components:
         activity_max_response_size:
           description: 'Response truncation limit in bytes (default: 65536)'
           type: integer
+        activity_max_size_mb:
+          description: 'Max total activity-log size in MB before pruning oldest (default:
+            256, 0=disabled)'
+          type: integer
         activity_retention_days:
           description: Activity logging settings (RFC-003)
           type: integer