3.1 KiB
name, tier, status, owner, source, last_reviewed, description
| name | tier | status | owner | source | last_reviewed | description |
|---|---|---|---|---|---|---|
| cto-codex-retention-archive-executor-packet | T1 | validated | jp | CTO-WORK-095 | 2026-06-04 | Local CTO packet for the guarded Codex inactive-thread archive executor. |
CTO Codex Retention Archive Executor Packet
Local planning SOT only. Not a Core Protocol. Not active Core authority.
Claim
Codex retention cleanup now has a guarded archive-only executor. Default mode is dry-run. Mutation requires an exact approval token.
Context
CTO-WORK-094 defined the retention policy. The next vertical move is executable archive-only cleanup, not more Core output tuning.
This packet keeps the destructive boundary intact. It prepares phase 2 only: set inactive Codex thread records to archived. It does not delete session JSONL, truncate logs, checkpoint, vacuum, read transcript bodies, or import transcripts into Core.
Executor
Dry-run:
python3 tools/archive_codex_inactive_threads.py
Focused check:
python3 tools/archive_codex_inactive_threads.py --check
Native Codex retention probe:
python3 tools/probe_codex_native_retention.py --check
Approved archive-only execution:
python3 tools/archive_codex_inactive_threads.py --execute --approval-token "I approve CTO-WORK-095 archive-only Codex threads older than 7 days."
Guardrails
- candidate selection reads only
id,rollout_path,updated_at,archived, and file size; - raw transcript bodies are not read;
- thread title, preview, and first user message are not read;
- default execution is dry-run;
- execution requires the exact approval token;
- backup runs before DB mutation;
- mutation is limited to
threads.archived=1andarchived_at; - session JSONL deletion is blocked;
- log deletion or truncation is blocked;
- SQLite checkpoint or vacuum is blocked;
- Core source mutation is blocked.
Installed Codex 0.134.0 advertises --ephemeral prevention but no native cleanup/archive/retention command. Cached latest is 0.137.0; update and re-probe before approved archive execution if latest native behavior should be considered.
Backup
Before any approved archive update, the executor backs up:
state_5.sqlite;logs_2.sqlite;state_5.sqlite-walwhen present;state_5.sqlite-shmwhen present;logs_2.sqlite-walwhen present;logs_2.sqlite-shmwhen present.
Default backup path is inside ~/.codex/backups/cto-codex-retention/<timestamp>/.
Approval Boundary
Still blocked without separate approval:
- delete archived session JSONL;
- delete or truncate Codex logs;
- run SQLite checkpoint or vacuum;
- read raw transcript bodies;
- import raw transcripts into Cortex OS Core.
Decision
Use this executor only after JP gives the exact archive-only approval token. Keep delete, log cleanup, checkpoint, and vacuum as later decisions.
New Issues
- must-fix: obtain exact approval token before running
--execute. - follow-up: decide whether to update Codex and re-run the native retention probe before archive-only execution.
- follow-up: after archive-only execution, re-run retention planner and decide whether deletion is still worth separate approval.