diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1dd952a19..cc4bcd896 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
+- Pin codex setup to `rust-v0.118.0` for security and reproducibility; update config to `wire_api = "responses"` (#663)
 - Propagate headers and environment variables through OpenCode MCP adapter with defensive copies to prevent mutation (#622)
 ### Changed
diff --git a/docs/src/content/docs/integrations/runtime-compatibility.md b/docs/src/content/docs/integrations/runtime-compatibility.md
index fd3d0550c..e2c90e21e 100644
--- a/docs/src/content/docs/integrations/runtime-compatibility.md
+++ b/docs/src/content/docs/integrations/runtime-compatibility.md
@@ -83,7 +83,7 @@ apm runtime setup codex
 ```
 This automatically:
-- Downloads the latest Codex binary for your platform
+- Downloads Codex binary `rust-v0.118.0` for your platform (override with `--version`)
 - Installs to `~/.apm/runtimes/codex`
 - Creates configuration for GitHub Models (`github/gpt-4o`)
 - Updates your PATH
diff --git a/scripts/runtime/setup-codex.ps1 b/scripts/runtime/setup-codex.ps1
index 5396e4b8e..2b3f61a75 100644
--- a/scripts/runtime/setup-codex.ps1
+++ b/scripts/runtime/setup-codex.ps1
@@ -1,9 +1,11 @@
 # Setup script for Codex runtime (Windows)
 # Downloads Codex binary from GitHub releases and configures with GitHub Models
+# Pin to a known stable release for security and reproducibility (#662).
+# Users can override with: apm runtime setup codex --version (e.g. 'latest')
 param(
 [switch]$Vanilla,
- [string]$Version = "latest"
+ [string]$Version = "rust-v0.118.0"
 )
 $ErrorActionPreference = "Stop"
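Review bot: Pinning `$Version` to `rust-v0.118.0` fixes which release tag is requested, but as far as this diff shows nothing pins what is actually downloaded — a tag can be re-pointed and release assets replaced, so the "security and reproducibility" the new comment promises still rests on verifying the fetched artifact. Consider recording the expected digest of the pinned asset beside the pin, e.g. `[string]$ExpectedSha256 = "<sha256-of-pinned-asset>"`, and comparing it with the download before the binary is installed, warning or skipping the check when `-Version` is overridden since no known digest exists for an arbitrary tag. The download code is outside this hunk, so this is hedged on it not already doing so. The same point applies to `CODEX_VERSION` in `setup-codex.sh` (`@@ -23,7 +23,9 @@`).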
@@ -161,10 +163,12 @@ model = "openai/gpt-4o"
 name = "GitHub Models"
 base_url = "https://models.github.ai/inference/"
 env_key = "$githubTokenVar"
-wire_api = "chat"
+wire_api = "responses"
 "@ | Set-Content -Path $codexConfig -Encoding UTF8
 Write-Success "Codex configuration created at $codexConfig"
+ Write-Info "Using Codex $Version."
+ Write-Info "Override with: apm runtime setup codex --version (e.g. 'latest')"
 } else {
 Write-Info "Vanilla mode: Skipping APM configuration"
 }
diff --git a/scripts/runtime/setup-codex.sh b/scripts/runtime/setup-codex.sh
index 8e0593dd5..ac87296fc 100755
--- a/scripts/runtime/setup-codex.sh
+++ b/scripts/runtime/setup-codex.sh
@@ -23,7 +23,9 @@ source "$SCRIPT_DIR/setup-common.sh"
 # Configuration
 CODEX_REPO="openai/codex"
-CODEX_VERSION="latest" # Default version
+# Pin to a known stable release for security and reproducibility (#662).
+# Users can override with: apm runtime setup codex --version (e.g. 'latest')
+CODEX_VERSION="rust-v0.118.0"
 VANILLA_MODE=false
 # Parse command line arguments
@@ -204,10 +206,12 @@ model = "openai/gpt-4o"
 name = "GitHub Models"
 base_url = "https://models.github.ai/inference/"
 env_key = "$github_token_var"
-wire_api = "chat"
+wire_api = "responses"
 EOF
 log_success "Codex configuration created at $codex_config"
+ log_info "Using Codex $CODEX_VERSION."
+ log_info "Override with: apm runtime setup codex --version (e.g. 'latest')"
 log_info "APM configured Codex with GitHub Models as default provider"
 log_info "Use 'apm install' to configure MCP servers for your projects"
 else
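Review bot: `wire_api = "responses"` changes the protocol the generated config speaks, yet nothing in the hunk records why it has to move together with the version pin; the header hunk's new comment only describes the pin itself. A maintainer who later bumps or overrides `$Version` gets no signal that this key may need to follow, and the pairing is only inferred from the CHANGELOG entry rather than shown here. Suggest a TOML comment above the key inside the here-string, e.g. `# wire_api is tied to the pinned Codex release; revisit when the pin changes`. The same applies to the `setup-codex.sh` hunk `@@ -204,10 +206,12 @@`.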
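Review bot: The new comment invites an override via `--version`, but `CODEX_VERSION` is a plain, unvalidated string that the argument parsing (outside this hunk) overwrites and that the download step presumably interpolates into a release URL or asset path. A shape check before first use, e.g. `[[ "$CODEX_VERSION" == latest || "$CODEX_VERSION" =~ ^rust-v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { printf 'unsupported --version: %s\n' "$CODEX_VERSION" >&2; exit 1; }`, keeps a typo or stray characters from requesting an unintended tag and makes the accepted forms explicit next to the pin. Where the value is consumed is not visible here, so place the check wherever parsing finishes.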