-
Notifications
You must be signed in to change notification settings - Fork 0
Safety Model
Nick Hamze edited this page Jun 2, 2026
·
1 revision
Codex Refit is designed to be conservative by default.
- Generated images are never deleted by Refit.
- Generated image folders are move-only: Refit may move older folders out of the active generated-images area, but it preserves them.
- Destructive actions stay locked unless Hard Mode is enabled and Deletes On is explicitly turned on.
- SQLite operations create backups under the app data directory.
- Refit does not print conversation text while checking transcript size, media markers, task shape, Goal Mode, turn telemetry, or approval friction.
- Refit does not inspect auth token contents.
- Refit does not print provider token values, app-server WebSocket token paths, SSH usernames, SSH hostnames, or SSH key paths.
- Refit does not silently rewrite Codex config.
- Refit does not connect to SSH hosts.
- Refit does not move custom storage paths.
- Refit does not emit telemetry.
Smart Optimize starts with non-destructive work:
- move archived transcripts out of active sessions
- archive stale thread rows
- compact local state databases
- prune and checkpoint logs with a backup
- clear crash dumps
- remove rebuildable browser caches
Recover Space can remove old archived conversations and old Refit backups after the selected age. This requires explicit delete permission in the UI.
Full Pass can also move older generated-image folders from ~/.codex/generated_images to ~/.codex/archived_generated_images.
Generated images are still preserved.