Pin codex setup to a known release for security and reproducibility #662

@sergio-sisternes-epam

Description

Summary

The codex runtime setup scripts (scripts/runtime/setup-codex.sh and .ps1) currently use CODEX_VERSION="latest", which resolves to the newest GitHub release at install time. This is a supply-chain risk — an attacker who compromises the openai/codex release pipeline could inject malicious binaries that APM would blindly download.

Problem

  1. Security: Using "latest" means APM has no control over which binary version is downloaded. A compromised release would be automatically pulled by every apm runtime setup codex invocation.
  2. Reproducibility: Different users running the same APM version get different codex binaries depending on when they run setup, making issues harder to reproduce.
  3. Breaking changes: The codex project has migrated from old-format tags (0.1.YYYYMMDDXX) to rust-v* tags, and removed wire_api="chat" from the config schema. Only wire_api="responses" is now supported.

Proposed fix

  • Pin CODEX_VERSION to rust-v0.118.0 (latest stable, non-alpha release) in both .sh and .ps1 scripts
  • Update the generated Codex config to use wire_api = "responses" (the only option available in current releases)
  • Keep the --version override parameter so users can opt into other versions
  • Add clear messaging about the pin rationale
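A sketch of the pinning logic described above, as an added example and not the APM project's own setup-codex.sh: the variable `CODEX_PINNED_VERSION`, the functions `resolve_codex_version` and `write_codex_config`, and the provider table name in the generated config are all assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not the project's script): choose the codex release tag to
# install. The default is a pinned tag; --version may override it, and
# "latest" is still accepted but flagged as unpinned (the messaging the issue asks for).

# Pinned default (tag named in the issue); variable name is hypothetical.
CODEX_PINNED_VERSION="rust-v0.118.0"

# resolve_codex_version [--version TAG | --version=TAG]
# Prints the tag to install on stdout; explanatory messages go to stderr.
resolve_codex_version() {
    version="$CODEX_PINNED_VERSION"
    while [ $# -gt 0 ]; do
        case "$1" in
            --version)
                [ -n "$2" ] || { echo "error: --version requires a tag" >&2; return 1; }
                version="$2"; shift 2 ;;
            --version=*)
                version="${1#--version=}"
                [ -n "$version" ] || { echo "error: --version requires a tag" >&2; return 1; }
                shift ;;
            *) echo "error: unknown argument: $1" >&2; return 1 ;;
        esac
    done
    case "$version" in
        latest)
            # Explain the pin rationale instead of silently following the newest release.
            echo "warning: installing unpinned 'latest'; the default pin ($CODEX_PINNED_VERSION) exists so a compromised or broken upstream release is not pulled automatically" >&2 ;;
        rust-v*) ;;
        *)
            # Old-format 0.1.YYYYMMDDXX tags were removed upstream (see PR #651).
            echo "warning: '$version' is not a rust-v* tag; old-format 0.1.* tags no longer exist in the codex repo" >&2 ;;
    esac
    printf '%s\n' "$version"
}

# write_codex_config PATH: emit the generated config fragment with the only
# wire_api value current releases accept. The table name "apm" is hypothetical.
write_codex_config() {
    printf '%s\n' '[model_providers.apm]' 'wire_api = "responses"' > "$1"
}
```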

Context

This was discovered during CI investigation of PR #651, where an earlier attempt to pin to 0.1.2025051600 failed because that tag was deleted from the codex repo. See root cause analysis.
