Files
cto/.sot/03-PROTOCOLS/CTO-CODEX-RETENTION-ARCHIVE-EXECUTOR-PACKET.md
2026-06-04 13:35:39 -04:00

3.1 KiB

name, tier, status, owner, source, last_reviewed, description
name tier status owner source last_reviewed description
cto-codex-retention-archive-executor-packet T1 validated jp CTO-WORK-095 2026-06-04 Local CTO packet for the guarded Codex inactive-thread archive executor.

CTO Codex Retention Archive Executor Packet

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Claim

Codex retention cleanup now has a guarded archive-only executor. Default mode is dry-run. Mutation requires an exact approval token.

Context

CTO-WORK-094 defined the retention policy. The next vertical move is executable archive-only cleanup, not more Core output tuning.

This packet keeps the destructive boundary intact. It prepares phase 2 only: set inactive Codex thread records to archived. It does not delete session JSONL, truncate logs, checkpoint, vacuum, read transcript bodies, or import transcripts into Core.

Executor

Dry-run:

python3 tools/archive_codex_inactive_threads.py

Focused check:

python3 tools/archive_codex_inactive_threads.py --check

Native Codex retention probe:

python3 tools/probe_codex_native_retention.py --check

Approved archive-only execution:

python3 tools/archive_codex_inactive_threads.py --execute --approval-token "I approve CTO-WORK-095 archive-only Codex threads older than 7 days."

Guardrails

  • candidate selection reads only id, rollout_path, updated_at, archived, and file size;
  • raw transcript bodies are not read;
  • thread title, preview, and first user message are not read;
  • default execution is dry-run;
  • execution requires the exact approval token;
  • backup runs before DB mutation;
  • mutation is limited to threads.archived=1 and archived_at;
  • session JSONL deletion is blocked;
  • log deletion or truncation is blocked;
  • SQLite checkpoint or vacuum is blocked;
  • Core source mutation is blocked.

Installed Codex 0.134.0 advertises --ephemeral prevention but no native cleanup/archive/retention command. Cached latest is 0.137.0; update and re-probe before approved archive execution if latest native behavior should be considered.

Backup

Before any approved archive update, the executor backs up:

  • state_5.sqlite;
  • logs_2.sqlite;
  • state_5.sqlite-wal when present;
  • state_5.sqlite-shm when present;
  • logs_2.sqlite-wal when present;
  • logs_2.sqlite-shm when present.

Default backup path is inside ~/.codex/backups/cto-codex-retention/<timestamp>/.

Approval Boundary

Still blocked without separate approval:

  • delete archived session JSONL;
  • delete or truncate Codex logs;
  • run SQLite checkpoint or vacuum;
  • read raw transcript bodies;
  • import raw transcripts into Cortex OS Core.

Decision

Use this executor only after JP gives the exact archive-only approval token. Keep delete, log cleanup, checkpoint, and vacuum as later decisions.

New Issues

  • must-fix: obtain exact approval token before running --execute.
  • follow-up: decide whether to update Codex and re-run the native retention probe before archive-only execution.
  • follow-up: after archive-only execution, re-run retention planner and decide whether deletion is still worth separate approval.