Plan per-stream retention delivery slice

• [MSN] 1 mission driving 1 epic forward
• [EXC] 1 story executing across 1 voyage
• [HLT] 1 warnings, no structural errors detected

Author: rupurt

.keel/README.md

@@ -201,6 +201,12 @@
 |--------|--------|
 | [Deliver Hosted Transport Robustness Improvements](epics/VHRmIhDsm/voyages/VHRmIjGvL/) | done |
 
+### [Add Per-Stream Retention Policies And Retained Frontier Semantics](epics/VHUAlZWZG/) (active)
+
+| Voyage | Status |
+|--------|--------|
+| [Deliver Per-Stream Retention Configuration And Visibility](epics/VHUAlZWZG/voyages/VHUApus0L/) | in-progress |
+
 ### [Research Branch-Aware Materialization And Processing](epics/VDd0u3PFg/) (done)
 
 | Voyage | Status |

.keel/epics/VHUAlZWZG/PRD.md

@@ -0,0 +1,93 @@
+# Add Per-Stream Retention Policies And Retained Frontier Semantics - Product Requirements
+
+## Problem Statement
+
+Transit needs explicit per-stream retention controls for age- and size-bounded history, plus stream status surfaces that show configured retention and the retained frontier, without changing the default append-only behavior.
+
+## Goals & Objectives
+
+| ID | Goal | Success Metric | Target |
+|----|------|----------------|--------|
+| GOAL-01 | Let operators configure per-stream retention explicitly while keeping Transit’s default history-unbounded behavior unchanged. | Targeted tests and CLI proof coverage show `stream create`, `streams list`, and stream status surfaces preserve `retention = none` by default and expose explicit age/size retention when configured. | Voyage `VHUApus0L` planned |
+
+## Users
+
+| Persona | Description | Primary Need |
+|---------|-------------|--------------|
+| Transit Operator | Engineer running Transit as shared infrastructure for applications with bounded-retention requirements. | A first-class way to set per-stream age or size retention without accidentally changing every stream’s replay contract. |
+| Downstream Application Engineer | Engineer creating streams that should retain history indefinitely by default but may require bounded replay for selected workloads. | Stream creation and inspection surfaces that make retention policy explicit and predictable. |
+| Transit Maintainer | Engineer responsible for preserving shared-engine semantics and operator clarity. | A retention design that stays distinct from compaction and surfaces retained-frontier behavior explicitly. |
+
+## Scope
+
+### In Scope
+
+- [SCOPE-01] Per-stream retention metadata with optional `max_age_days` and `max_bytes`, defaulting to no retention when unset.
+- [SCOPE-02] Stream creation surfaces that accept `--retention-max-age-days` and `--retention-max-bytes`.
+- [SCOPE-03] Shared-engine retention enforcement that removes oldest eligible rolled segments while preserving the active segment.
+- [SCOPE-04] Stream inspection surfaces that expose configured retention and the retained frontier via `retained_start_offset` or equivalent earliest-available status.
+- [SCOPE-05] Documentation and proof coverage that explain bounded replay and distinguish retention from compaction.
+
+### Out of Scope
+
+- [SCOPE-06] Key-aware log compaction, tombstones, or Kafka-style latest-value retention.
+- [SCOPE-07] Any global default retention window such as `30 days` applied implicitly to all streams.
+- [SCOPE-08] Partial trimming or in-place rewrite of the active segment.
+- [SCOPE-09] Selective subject erasure or GDPR workflow claims beyond coarse-grained retention controls.
+
+## Requirements
+
+### Functional Requirements
+
+<!-- BEGIN FUNCTIONAL_REQUIREMENTS -->
+| ID | Requirement | Goals | Priority | Rationale |
+|----|-------------|-------|----------|-----------|
+| FR-01 | Add per-stream retention metadata that can represent `none`, optional maximum age in days, and optional maximum retained bytes, with no retention applied when the policy is absent. | GOAL-01 | must | Retention must be explicit and opt-in so Transit does not silently change its default replay semantics. |
+| FR-02 | Expose retention policy at stream creation time through CLI and supporting engine/protocol surfaces using `--retention-max-age-days` and `--retention-max-bytes`. | GOAL-01 | must | Operators need a practical way to configure retention when streams are created. |
+| FR-03 | Enforce retention in the shared engine by removing oldest eligible rolled segments under age and/or size limits while preserving append-only behavior for the active segment. | GOAL-01 | must | The retention model should bound stored history without inventing a compaction semantic. |
+| FR-04 | Surface configured retention in `transit streams list` and expose the retained frontier through stream status using `retained_start_offset` or an equivalent earliest-available field. | GOAL-01 | must | Once replay becomes bounded, operators need explicit visibility into policy and the earliest retained offset. |
+| FR-05 | Publish proof coverage and operator guidance that explain bounded replay, retained-frontier semantics, and the distinction between retention and compaction. | GOAL-01 | must | This feature changes operator expectations about replay availability and needs explicit guidance. |
+<!-- END FUNCTIONAL_REQUIREMENTS -->
+
+### Non-Functional Requirements
+
+<!-- BEGIN NON_FUNCTIONAL_REQUIREMENTS -->
+| ID | Requirement | Goals | Priority | Rationale |
+|----|-------------|-------|----------|-----------|
+| NFR-01 | The default retention posture must remain `none`; unconfigured streams must preserve today’s history-unbounded behavior. | GOAL-01 | must | A hidden default retention window would silently change Transit’s core replay contract. |
+| NFR-02 | Retention must remain shared-engine semantics that behave the same in embedded and hosted modes. | GOAL-01 | must | This repository does not allow server-only storage semantics to bypass the shared engine model. |
+| NFR-03 | Retention must stay semantically distinct from compaction: no key-aware collapse, no latest-value projection, and no in-place mutation of retained records. | GOAL-01 | must | Operators need a clear contract that bounded replay does not imply Kafka-style compaction. |
+<!-- END NON_FUNCTIONAL_REQUIREMENTS -->
+
+## Verification Strategy
+
+| Area | Method | Evidence |
+|------|--------|----------|
+| Retention creation surface | Targeted CLI and engine tests for retention metadata plus create-time flags | Story-level evidence under voyage `VHUApus0L` |
+| Retention enforcement | Targeted shared-engine tests for age/size trimming and retained frontier behavior | Story-level evidence under voyage `VHUApus0L` |
+| Operator visibility | CLI proof coverage and docs review for list/status retention fields and bounded replay guidance | Story-level evidence under voyage `VHUApus0L` |
+
+## Assumptions
+
+| Assumption | Impact if Wrong | Validation |
+|------------|-----------------|------------|
+| Retention can be delivered by trimming oldest rolled segments without introducing key-aware compaction semantics. | The epic could drift into a broader storage rewrite or compaction design. | Validate in SDD and story contracts that the active segment remains untouched and retained history stays append-only. |
+| Stream status surfaces are sufficient to communicate replay bounds if they expose retention policy and retained frontier explicitly. | Operators may still misread bounded replay as silent data loss. | Validate through proof/docs coverage and user-facing field naming. |
+
+## Open Questions & Risks
+
+| Question/Risk | Owner | Status |
+|---------------|-------|--------|
+| Should the public field name be `earliest_offset` or `retained_start_offset` on the status surface? | Epic owner | Open |
+| How should cursor validation behave once a cursor falls behind the retained frontier? | Epic owner | Open |
+| What deterministic enforcement point should own retention trimming: append, recovery, explicit maintenance step, or a combination? | Epic owner | Open |
+
+## Success Criteria
+
+<!-- BEGIN SUCCESS_CRITERIA -->
+- [ ] Streams default to no retention unless an explicit policy is configured.
+- [ ] `transit stream create` exposes `--retention-max-age-days` and `--retention-max-bytes`.
+- [ ] `transit streams list` exposes configured `retention_age` and `retention_bytes`.
+- [ ] Stream status exposes the earliest retained frontier via `retained_start_offset` or equivalent.
+- [ ] Shared-engine retention enforcement trims oldest eligible rolled segments under configured limits without changing the active append path into compaction.
+<!-- END SUCCESS_CRITERIA -->

.keel/epics/VHUAlZWZG/README.md

@@ -0,0 +1,29 @@
+---
+# system-managed
+id: VHUAlZWZG
+created_at: 2026-04-21T20:10:17
+# authored
+title: Add Per-Stream Retention Policies And Retained Frontier Semantics
+index: 30
+mission: VHUAhwLlS
+---
+
+# Add Per-Stream Retention Policies And Retained Frontier Semantics
+
+> Transit needs explicit per-stream retention controls for age- and size-bounded history, plus stream status surfaces that show configured retention and the retained frontier, without changing the default append-only behavior.
+
+## Documents
+
+| Document | Description |
+|----------|-------------|
+| [PRD.md](PRD.md) | Product requirements and success criteria |
+| `PRESS_RELEASE.md` (optional) | Working-backwards artifact for large user-facing launches; usually skip for incremental/refactor/architecture-only work |
+
+## Voyages
+
+<!-- BEGIN GENERATED -->
+**Progress:** 0/1 voyages complete, 0/3 stories done
+| Voyage | Status | Stories |
+|--------|--------|---------|
+| [Deliver Per-Stream Retention Configuration And Visibility](voyages/VHUApus0L/) | in-progress | 0/3 |
+<!-- END GENERATED -->

.keel/epics/VHUAlZWZG/voyages/VHUApus0L/README.md

@@ -0,0 +1,37 @@
+---
+# system-managed
+id: VHUApus0L
+status: in-progress
+epic: VHUAlZWZG
+created_at: 2026-04-21T20:10:34
+# authored
+title: Deliver Per-Stream Retention Configuration And Visibility
+index: 1
+updated_at: 2026-04-21T20:15:13
+started_at: 2026-04-21T20:15:22
+---
+
+# Deliver Per-Stream Retention Configuration And Visibility
+
+> Let operators configure per-stream retention with no default policy, enforce age/size-based retention in the shared engine, and surface retention policy plus retained start offset in list and status outputs.
+
+## Documents
+
+<!-- BEGIN DOCUMENTS -->
+| Document | Description |
+|----------|-------------|
+| [SRS.md](SRS.md) | Requirements and verification criteria |
+| [SDD.md](SDD.md) | Architecture and implementation details |
+<!-- END DOCUMENTS -->
+
+## Stories
+
+<!-- BEGIN GENERATED -->
+**Progress:** 0/3 stories complete
+
+| Title | Type | Status |
+|-------|------|--------|
+| [Add Per-Stream Retention Metadata And Create-Time Surface](../../../../stories/VHUAuqNpn/README.md) | feat | in-progress |
+| [Enforce Retention And Surface Retained Frontier Status](../../../../stories/VHUAuquph/README.md) | feat | backlog |
+| [Publish Retention Proof Coverage And Operator Guidance](../../../../stories/VHUAurAqP/README.md) | feat | backlog |
+<!-- END GENERATED -->

.keel/epics/VHUAlZWZG/voyages/VHUApus0L/SDD.md

@@ -0,0 +1,126 @@
+# Deliver Per-Stream Retention Configuration And Visibility - Software Design Description
+
+> Let operators configure per-stream retention with no default policy, enforce age/size-based retention in the shared engine, and surface retention policy plus retained start offset in list and status outputs.
+
+**SRS:** [SRS.md](SRS.md)
+
+## Overview
+
+This voyage adds explicit per-stream retention policy to the shared engine, threads that policy through stream creation and inspection surfaces, and exposes the retained frontier so operators understand when replay is bounded. The design keeps Transit’s current default semantics by making retention opt-in and enforcing it through whole-segment lifecycle management rather than compaction.
+
+## Context & Boundaries
+
+- In scope:
+  - retention metadata for streams
+  - create-time CLI/protocol surface for age- and size-based retention
+  - shared-engine trimming of oldest rolled segments
+  - list and status fields for configured retention and retained frontier
+  - proof and docs explaining bounded replay
+- Out of scope:
+  - Kafka-style compaction and tombstones
+  - global default retention windows
+  - in-place rewrite of active or retained records
+  - selective privacy erasure semantics above coarse-grained retention
+
+```
+┌────────────────────────────────────────────────────────────┐
+│                    This Voyage                            │
+│                                                            │
+│  CLI / Protocol  ->  Shared Engine Policy  ->  Status UX   │
+│  create flags        retention trimming       list/status   │
+│                                                            │
+└────────────────────────────────────────────────────────────┘
+              ↑                                ↑
+        Stream authors                   Operators / proofs
+```
+
+## Dependencies
+
+| Dependency | Type | Purpose | Version/API |
+|------------|------|---------|-------------|
+| `transit-core` storage state and manifest model | Internal | Stores retention metadata, evaluates eligible rolled segments, and computes retained-frontier status. | Current workspace crate API |
+| `transit-cli` command surface | Internal | Accepts retention flags and renders retention/frontier status. | Current workspace crate API |
+| Hosted server protocol surfaces | Internal | Carries stream status and create-time retention options for downstream clients. | Current workspace crate API |
+
+## Key Decisions
+
+| Decision | Choice | Rationale |
+|----------|--------|-----------|
+| Default retention posture | `none` | Preserves existing Transit replay semantics unless a stream is explicitly opted into bounded history. |
+| Retention granularity | Whole rolled segments only | Keeps enforcement deterministic and append-only without introducing record-level compaction semantics. |
+| Active segment behavior | Never partially trimmed | Avoids rewriting hot append state and preserves the current append path contract. |
+| Frontier visibility | Expose configured retention plus `retained_start_offset` or equivalent earliest-available field | Once replay is bounded, operators need explicit visibility into where retained history begins. |
+
+## Architecture
+
+The design threads one policy through three layers:
+
+- Stream creation layer:
+  - accepts optional retention flags
+  - stores policy alongside stream metadata
+- Shared engine lifecycle layer:
+  - evaluates retention eligibility against rolled segments only
+  - trims oldest eligible segments under age and/or size limits
+  - recomputes earliest retained offset after enforcement
+- Operator visibility layer:
+  - includes retention policy in `streams list`
+  - includes retained frontier in stream status
+  - documents bounded replay and cursor fallout
+
+## Components
+
+- Retention policy model:
+  - purpose: represent `none`, `max_age_days`, and `max_bytes`
+  - interface: stream metadata and create surfaces
+  - behavior: absent policy means no trimming
+- Retention evaluator:
+  - purpose: determine which oldest rolled segments are eligible to drop
+  - interface: shared engine storage lifecycle
+  - behavior: applies age and size limits without touching the active segment
+- Frontier reporter:
+  - purpose: compute earliest retained replay position
+  - interface: status/list surfaces
+  - behavior: surfaces retained-frontier state explicitly so bounded replay is visible
+- Proof/docs surface:
+  - purpose: explain semantics and prove expected behavior
+  - interface: CLI proof path and public docs
+  - behavior: distinguishes retention from compaction and describes retained-frontier consequences
+
+## Interfaces
+
+- Stream creation:
+  - add optional `--retention-max-age-days <days>`
+  - add optional `--retention-max-bytes <bytes>`
+- Streams list:
+  - add `retention_age`
+  - add `retention_bytes`
+- Stream status:
+  - add `retained_start_offset` or equivalent earliest-retained field
+  - include configured retention policy so the frontier is interpretable
+- Internal engine/state:
+  - persist retention policy with stream metadata
+  - expose retained-frontier status alongside `next_offset`, active-head, and manifest data
+
+## Data Flow
+
+- Operator creates a stream with no retention flags:
+  - stream metadata persists `retention = none`
+  - list/status surfaces report no retention and unbounded replay semantics remain
+- Operator creates a stream with age and/or size retention:
+  - stream metadata persists the configured policy
+  - append/maintenance lifecycle evaluates oldest rolled segments against the policy
+  - eligible oldest rolled segments are removed
+  - retained frontier advances to the earliest remaining offset
+  - list/status surfaces report configured retention and new retained frontier
+- Operator inspects the stream:
+  - `streams list` shows retention policy
+  - status surface shows earliest retained offset so replay bounds are explicit
+
+## Error Handling
+
+| Error Condition | Detection | Response | Recovery |
+|-----------------|-----------|----------|----------|
+| Invalid retention input such as zero/negative age or bytes | CLI/parser validation or config validation | Reject stream creation/update request with explicit validation error | Operator corrects the supplied policy |
+| Size policy smaller than current active segment footprint | Retention evaluator sees no eligible rolled segments to drop | Preserve active segment and report retained frontier based on remaining history | Retention catches up after future segment rolls create eligible old segments |
+| Cursor or replay request falls behind retained frontier | Status/frontier comparison during read/cursor validation | Return explicit out-of-retention error or earliest-retained guidance | Operator resets the cursor/read start to the retained frontier |
+| Operator misreads retention as compaction | Proof/docs review and status field naming | Publish explicit documentation and proof coverage | Maintain vocabulary separation between retention and compaction |