fix(runtime): pin codex setup to rust-v0.118.0 for security (#663)

* fix(runtime): pin codex setup to rust-v0.118.0 for security (#662)

- Pin CODEX_VERSION to rust-v0.118.0 (latest stable) instead of 'latest'
  to prevent supply-chain attacks via compromised upstream releases
- Update wire_api from 'chat' to 'responses' (the only protocol
  supported by current Codex releases)
- Add user-facing messages about the pin and how to override
- Apply same changes to both .sh (Linux/macOS) and .ps1 (Windows)

Closes #662

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address Copilot review feedback (#663)

- Use correct CLI syntax: apm runtime setup codex --version <version>
- Replace 'pinned to' wording with neutral 'Using Codex $VERSION'
- Fix CHANGELOG entry to reference PR #663 instead of issue #662
- Update runtime-compatibility.md to reflect pinned default version

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Sergio Sisternes <sergio.sisternes@epam.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Pin codex setup to `rust-v0.118.0` for security and reproducibility; update config to `wire_api = "responses"` (#663)
 - Propagate headers and environment variables through OpenCode MCP adapter with defensive copies to prevent mutation (#622)
 ### Changed
 

docs/src/content/docs/integrations/runtime-compatibility.md

@@ -83,7 +83,7 @@ apm runtime setup codex
 ```
 
 This automatically:
-- Downloads the latest Codex binary for your platform
+- Downloads Codex binary `rust-v0.118.0` for your platform (override with `--version`)
 - Installs to `~/.apm/runtimes/codex`
 - Creates configuration for GitHub Models (`github/gpt-4o`)
 - Updates your PATH

scripts/runtime/setup-codex.ps1

@@ -1,9 +1,11 @@
 # Setup script for Codex runtime (Windows)
 # Downloads Codex binary from GitHub releases and configures with GitHub Models
 
+# Pin to a known stable release for security and reproducibility (#662).
+# Users can override with: apm runtime setup codex --version <version> (e.g. 'latest')
 param(
     [switch]$Vanilla,
-    [string]$Version = "latest"
+    [string]$Version = "rust-v0.118.0"
 )
 
 $ErrorActionPreference = "Stop"
@@ -161,10 +163,12 @@ model = "openai/gpt-4o"
 name = "GitHub Models"
 base_url = "https://models.github.ai/inference/"
 env_key = "$githubTokenVar"
-wire_api = "chat"
+wire_api = "responses"
 "@ | Set-Content -Path $codexConfig -Encoding UTF8
 
         Write-Success "Codex configuration created at $codexConfig"
+        Write-Info "Using Codex $Version."
+        Write-Info "Override with: apm runtime setup codex --version <version> (e.g. 'latest')"
     } else {
         Write-Info "Vanilla mode: Skipping APM configuration"
     }

scripts/runtime/setup-codex.sh

@@ -23,7 +23,9 @@ source "$SCRIPT_DIR/setup-common.sh"
 
 # Configuration
 CODEX_REPO="openai/codex"
-CODEX_VERSION="latest"  # Default version
+# Pin to a known stable release for security and reproducibility (#662).
+# Users can override with: apm runtime setup codex --version <version> (e.g. 'latest')
+CODEX_VERSION="rust-v0.118.0"
 VANILLA_MODE=false
 
 # Parse command line arguments
@@ -204,10 +206,12 @@ model = "openai/gpt-4o"
 name = "GitHub Models"
 base_url = "https://models.github.ai/inference/"
 env_key = "$github_token_var"
-wire_api = "chat"
+wire_api = "responses"
 EOF
 
         log_success "Codex configuration created at $codex_config"
+        log_info "Using Codex $CODEX_VERSION."
+        log_info "Override with: apm runtime setup codex --version <version> (e.g. 'latest')"
         log_info "APM configured Codex with GitHub Models as default provider"
         log_info "Use 'apm install' to configure MCP servers for your projects"
     else