Feature Request: Native Pseudonymization Mode for Codex App

I would like to suggest a native privacy feature for Codex App: a local pseudonymization and rehydration layer.

The idea is:

The user sees real data locally. The model only sees pseudonymized data. The mapping never leaves the device.

Example:

Before sending context to the model: “María García Pérez” → “STUDENT_0007”

The model responds: “STUDENT_0007 needs additional support in criterion EF.3.2.”

Codex App locally displays: “María García Pérez needs additional support in criterion EF.3.2.”

This would be very useful in regulated domains such as education, healthcare, legal work, HR, research, and public administration.

Even when data is not used for training, many users still need to ensure that personal or sensitive data never reaches the model at all.

Suggested features:

• pre-model local transform
• post-model local rehydration
• encrypted local identity vault
• safe transcript mode with only pseudonymized logs
• PII detection and blocking
• folder/file classification: safe for model, pseudonymize before sending, never send

This would make Codex App much safer and more practical for privacy-sensitive workflows without forcing users to build external scripts, wrappers, or separate applications.