99 lines
3.1 KiB
Markdown
99 lines
3.1 KiB
Markdown
---
|
|
name: cto-codex-retention-archive-executor-packet
|
|
tier: T1
|
|
status: validated
|
|
owner: jp
|
|
source: CTO-WORK-095
|
|
last_reviewed: 2026-06-04
|
|
description: Local CTO packet for the guarded Codex inactive-thread archive executor.
|
|
---
|
|
|
|
# CTO Codex Retention Archive Executor Packet
|
|
|
|
Local planning SOT only. Not a Core Protocol. Not active Core authority.
|
|
|
|
## Claim
|
|
|
|
Codex retention cleanup now has a guarded archive-only executor. Default mode is dry-run. Mutation requires an exact approval token.
|
|
|
|
## Context
|
|
|
|
`CTO-WORK-094` defined the retention policy. The next vertical move is executable archive-only cleanup, not more Core output tuning.
|
|
|
|
This packet keeps the destructive boundary intact. It prepares phase 2 only: set inactive Codex thread records to archived. It does not delete session JSONL, truncate logs, checkpoint, vacuum, read transcript bodies, or import transcripts into Core.
|
|
|
|
## Executor
|
|
|
|
Dry-run:
|
|
|
|
```bash
|
|
python3 tools/archive_codex_inactive_threads.py
|
|
```
|
|
|
|
Focused check:
|
|
|
|
```bash
|
|
python3 tools/archive_codex_inactive_threads.py --check
|
|
```
|
|
|
|
Native Codex retention probe:
|
|
|
|
```bash
|
|
python3 tools/probe_codex_native_retention.py --check
|
|
```
|
|
|
|
Approved archive-only execution:
|
|
|
|
```bash
|
|
python3 tools/archive_codex_inactive_threads.py --execute --approval-token "I approve CTO-WORK-095 archive-only Codex threads older than 7 days."
|
|
```
|
|
|
|
## Guardrails
|
|
|
|
- candidate selection reads only `id`, `rollout_path`, `updated_at`, `archived`, and file size;
|
|
- raw transcript bodies are not read;
|
|
- thread title, preview, and first user message are not read;
|
|
- default execution is dry-run;
|
|
- execution requires the exact approval token;
|
|
- backup runs before DB mutation;
|
|
- mutation is limited to `threads.archived=1` and `archived_at`;
|
|
- session JSONL deletion is blocked;
|
|
- log deletion or truncation is blocked;
|
|
- SQLite checkpoint or vacuum is blocked;
|
|
- Core source mutation is blocked.
|
|
|
|
Installed Codex `0.134.0` advertises `--ephemeral` prevention but no native cleanup/archive/retention command. Cached latest is `0.137.0`; update and re-probe before approved archive execution if latest native behavior should be considered.
|
|
|
|
## Backup
|
|
|
|
Before any approved archive update, the executor backs up:
|
|
|
|
- `state_5.sqlite`;
|
|
- `logs_2.sqlite`;
|
|
- `state_5.sqlite-wal` when present;
|
|
- `state_5.sqlite-shm` when present;
|
|
- `logs_2.sqlite-wal` when present;
|
|
- `logs_2.sqlite-shm` when present.
|
|
|
|
Default backup path is inside `~/.codex/backups/cto-codex-retention/<timestamp>/`.
|
|
|
|
## Approval Boundary
|
|
|
|
Still blocked without separate approval:
|
|
|
|
- delete archived session JSONL;
|
|
- delete or truncate Codex logs;
|
|
- run SQLite checkpoint or vacuum;
|
|
- read raw transcript bodies;
|
|
- import raw transcripts into Cortex OS Core.
|
|
|
|
## Decision
|
|
|
|
Use this executor only after JP gives the exact archive-only approval token. Keep delete, log cleanup, checkpoint, and vacuum as later decisions.
|
|
|
|
## New Issues
|
|
|
|
- must-fix: obtain exact approval token before running `--execute`.
|
|
- follow-up: decide whether to update Codex and re-run the native retention probe before archive-only execution.
|
|
- follow-up: after archive-only execution, re-run retention planner and decide whether deletion is still worth separate approval.
|