--- name: cto-codex-retention-archive-executor-packet tier: T1 status: validated owner: jp source: CTO-WORK-095 last_reviewed: 2026-06-04 description: Local CTO packet for the guarded Codex inactive-thread archive executor. --- # CTO Codex Retention Archive Executor Packet Local planning SOT only. Not a Core Protocol. Not active Core authority. ## Claim Codex retention cleanup now has a guarded archive-only executor. Default mode is dry-run. Mutation requires an exact approval token. ## Context `CTO-WORK-094` defined the retention policy. The next vertical move is executable archive-only cleanup, not more Core output tuning. This packet keeps the destructive boundary intact. It prepares phase 2 only: set inactive Codex thread records to archived. It does not delete session JSONL, truncate logs, checkpoint, vacuum, read transcript bodies, or import transcripts into Core. ## Executor Dry-run: ```bash python3 tools/archive_codex_inactive_threads.py ``` Focused check: ```bash python3 tools/archive_codex_inactive_threads.py --check ``` Native Codex retention probe: ```bash python3 tools/probe_codex_native_retention.py --check ``` Approved archive-only execution: ```bash python3 tools/archive_codex_inactive_threads.py --execute --approval-token "I approve CTO-WORK-095 archive-only Codex threads older than 7 days." ``` ## Guardrails - candidate selection reads only `id`, `rollout_path`, `updated_at`, `archived`, and file size; - raw transcript bodies are not read; - thread title, preview, and first user message are not read; - default execution is dry-run; - execution requires the exact approval token; - backup runs before DB mutation; - mutation is limited to `threads.archived=1` and `archived_at`; - session JSONL deletion is blocked; - log deletion or truncation is blocked; - SQLite checkpoint or vacuum is blocked; - Core source mutation is blocked. Installed Codex `0.134.0` advertises `--ephemeral` prevention but no native cleanup/archive/retention command. Cached latest is `0.137.0`; update and re-probe before approved archive execution if latest native behavior should be considered. ## Backup Before any approved archive update, the executor backs up: - `state_5.sqlite`; - `logs_2.sqlite`; - `state_5.sqlite-wal` when present; - `state_5.sqlite-shm` when present; - `logs_2.sqlite-wal` when present; - `logs_2.sqlite-shm` when present. Default backup path is inside `~/.codex/backups/cto-codex-retention//`. ## Approval Boundary Still blocked without separate approval: - delete archived session JSONL; - delete or truncate Codex logs; - run SQLite checkpoint or vacuum; - read raw transcript bodies; - import raw transcripts into Cortex OS Core. ## Decision Use this executor only after JP gives the exact archive-only approval token. Keep delete, log cleanup, checkpoint, and vacuum as later decisions. ## New Issues - must-fix: obtain exact approval token before running `--execute`. - follow-up: decide whether to update Codex and re-run the native retention probe before archive-only execution. - follow-up: after archive-only execution, re-run retention planner and decide whether deletion is still worth separate approval.