security: disable OpenAI Codex from pipeline and tooling

.env.example

@@ -9,10 +9,11 @@ GITHUB_REPOSITORY=AndrewAltimit/rust-psp
 GITHUB_PROJECTS_TOKEN=your_api_key_here
 GITHUB_TOKEN=your_api_key_here
 
-# Codex Configuration
-# WARNING: Only set to true if running in a controlled sandboxed VM environment
-# Defaults to false for security - only bypass sandbox if you understand the risks
-CODEX_BYPASS_SANDBOX=false
+# Codex Configuration -- DISABLED
+# OpenAI Codex has been removed from this project due to OpenAI's partnerships
+# enabling mass surveillance and autonomous weapons decision-making. See README.md.
+# These variables are retained for reference only. Do not enable.
+# CODEX_BYPASS_SANDBOX=false
 
 # Optional: ElevenLabs Configuration
 ELEVENLABS_API_KEY=your_api_key_here

.github/workflows/pr-validation.yml

@@ -220,14 +220,16 @@ jobs:
           retention-days: 7
           if-no-files-found: ignore
 
-  # ── Codex AI Code Review (secondary) ───────────────────────────
+  # ── Codex AI Code Review (DISABLED) ────────────────────────────
+  # DISABLED: OpenAI Codex has been removed from this pipeline due to
+  # OpenAI's partnerships with governments that enable mass surveillance
+  # and autonomous weapons decision-making. These partnerships pose
+  # unacceptable security and ethical risks. See README.md for details.
+  # The job skeleton is retained so dependent jobs don't break.
   codex-review:
-    name: Codex AI Code Review
+    name: Codex AI Code Review (disabled)
     needs: [fork-guard, gemini-review]
-    if: >-
-      github.event_name == 'pull_request' &&
-      !github.event.pull_request.draft &&
-      needs.gemini-review.result != 'skipped'
+    if: false  # Permanently disabled -- do not re-enable
     runs-on: self-hosted
     timeout-minutes: 15
     continue-on-error: true
@@ -302,7 +304,7 @@ jobs:
           retention-days: 7
           if-no-files-found: ignore
 
-  # ── Agent Review Response (responds to Gemini/Codex feedback) ──
+  # ── Agent Review Response (responds to Gemini feedback) ──
   agent-review-response:
     name: Agent Review Response
     needs: [ci, gemini-review, codex-review]
@@ -374,7 +376,6 @@ jobs:
         if: steps.iteration.outputs.should_skip != 'true'
         env:
           GEMINI_REVIEW_PATH: gemini-review.md
-          CODEX_REVIEW_PATH: codex-review.md
           BRANCH_NAME: ${{ github.head_ref }}
           ITERATION_COUNT: ${{ steps.iteration.outputs.iteration_count }}
         run: |
@@ -485,7 +486,7 @@ jobs:
           echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
           echo "| CI | ${{ needs.ci.result }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Gemini Review | ${{ needs.gemini-review.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Codex Review | ${{ needs.codex-review.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Codex Review | disabled (security policy) |" >> $GITHUB_STEP_SUMMARY
           echo "| Review Response | ${{ needs.agent-review-response.result }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Failure Handler | ${{ needs.agent-failure-handler.result }} |" >> $GITHUB_STEP_SUMMARY
 

.mcp.json

@@ -89,22 +89,10 @@
         "stdio"
       ]
     },
-    "codex": {
-      "command": "docker",
-      "args": [
-        "compose",
-        "-f",
-        "./docker-compose.yml",
-        "--profile",
-        "services",
-        "run",
-        "--rm",
-        "-T",
-        "mcp-codex",
-        "mcp-codex",
-        "--mode",
-        "stdio"
-      ]
+    "codex-DISABLED": {
+      "_reason": "OpenAI Codex disabled due to mass surveillance and autonomous weapons partnerships. See README.md.",
+      "command": "echo",
+      "args": ["DISABLED: OpenAI Codex removed from this project (security policy)"]
     },
     "github-board": {
       "command": "docker",

AGENTS.md

@@ -128,7 +128,7 @@ Enables privileged PSP APIs: kernel memory partitions, interrupt handlers, PRX m
 |----------|---------|---------|
 | `ci.yml` | Push to main | fmt, clippy, test, build, cargo-deny, PSP emulator test |
 | `main-ci.yml` | Push to main + `v*` tags | Full CI plus release binary creation |
-| `pr-validation.yml` | Pull requests | Full CI + Gemini/Codex AI reviews + agent auto-fix |
+| `pr-validation.yml` | Pull requests | Full CI + Gemini AI review + agent auto-fix (Codex disabled) |
 
 CI runs in Docker containers (`docker/rust-ci.Dockerfile` based on `rust:1.93-slim`). PSP tests run in PPSSPPHeadless emulator container.
 
@@ -150,8 +150,8 @@ When an agent opens or pushes to a PR targeting `main`:
 1. **Fork guard** blocks fork PRs from using self-hosted runners
 2. **CI** runs all 6 stages above
 3. **Gemini AI review** posts code review comments (via `github-agents pr-review`)
-4. **Codex AI review** posts secondary code review (via `github-agents pr-review --agent codex`)
-5. **Agent review response** reads Gemini/Codex feedback and auto-applies fixes (via `automation-cli review respond`, max 5 iterations)
+4. ~~**Codex AI review**~~ -- **DISABLED** (OpenAI removed due to mass surveillance / autonomous weapons concerns)
+5. **Agent review response** reads Gemini feedback and auto-applies fixes (via `automation-cli review respond`, max 5 iterations)
 6. **Agent failure handler** auto-fixes CI failures if CI failed (via `automation-cli review failure`, max 5 iterations)
 7. **PR status summary** aggregates all results
 
@@ -180,7 +180,7 @@ The self-hosted runner provides these binaries from [template-repo](https://gith
 
 | Binary | Used By | Purpose |
 |--------|---------|---------|
-| `github-agents` | `pr-validation.yml` | PR reviews (Gemini/Codex), iteration tracking |
+| `github-agents` | `pr-validation.yml` | PR reviews (Gemini), iteration tracking |
 | `automation-cli` | `pr-validation.yml` | Agent review response, failure handler |
 
 ## Local Agent Tooling
@@ -193,7 +193,6 @@ Scripts in `tools/cli/agents/` launch each agent:
 |--------|-------|-------|
 | `run_claude.sh` | Claude Code | Requires NVM + Node.js 22.16.0 |
 | `run_gemini.sh` | Gemini CLI | Requires `@google/gemini-cli` |
-| `run_codex.sh` | Codex CLI | Requires `@openai/codex` + `codex login` |
 | `run_opencode.sh` | OpenCode | Requires OpenRouter API key |
 | `run_crush.sh` | Crush | Requires OpenRouter API key |
 
@@ -208,7 +207,7 @@ Container-based MCP services available via `docker compose --profile services`:
 | `mcp-gemini` | Gemini AI consultation |
 | `mcp-opencode` | OpenCode AI (Qwen model via OpenRouter) |
 | `mcp-crush` | Crush AI (via OpenRouter) |
-| `mcp-codex` | Codex AI consultation |
+| `mcp-codex` | ~~Codex AI consultation~~ **DISABLED** (security policy) |
 | `mcp-github-board` | GitHub Projects board management |
 | `mcp-agentcore-memory` | Agent memory (ChromaDB backend) |
 | `mcp-reaction-search` | Reaction image search |

CLAUDE.md

@@ -120,7 +120,7 @@ Enables privileged PSP APIs: kernel memory partitions, interrupt handlers, PRX m
 
 Two GitHub Actions workflows:
 - **`main-ci.yml`**: Push to main + version tags — full CI (fmt, clippy, test, build, deny, emulator test) plus release binary creation and GitHub Release on tags/manual trigger
-- **`pr-validation.yml`**: PRs — full CI plus AI code reviews (Gemini/Codex), agent auto-fix (max 5 iterations)
+- **`pr-validation.yml`**: PRs — full CI plus AI code reviews (Gemini), agent auto-fix (max 5 iterations)
 
 CI runs in Docker containers (`docker/rust-ci.Dockerfile` based on `rust:1.93-slim`). PSP tests run in PPSSPPHeadless emulator container.
 

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributing
 
-This repository does not accept external contributions. All code changes are authored by AI agents (Claude, Gemini, Codex, OpenCode, Crush) operating under human direction.
+This repository does not accept external contributions. All code changes are authored by AI agents (Claude, Gemini, OpenCode, Crush) operating under human direction. OpenAI Codex has been removed from this project's tooling due to OpenAI's partnerships enabling mass surveillance and autonomous weapons decision-making (see README.md).
 
 ## No External Contributions
 

README.md

@@ -529,7 +529,7 @@ All CI runs on a self-hosted GitHub Actions runner shared with [template-repo](h
 | Workflow | Trigger | Purpose |
 |----------|---------|---------|
 | `ci.yml` | push to main | Basic CI: fmt, clippy, test, build, cargo-deny, PSP emulator test |
-| `pr-validation.yml` | pull request | Full PR pipeline: CI + Gemini/Codex AI reviews + agent auto-fix |
+| `pr-validation.yml` | pull request | Full PR pipeline: CI + Gemini AI review + agent auto-fix |
 | `main-ci.yml` | push to main, `v*` tags | CI on main, build release binaries and create GitHub Release on tags |
 
 ### CI Stages
@@ -545,15 +545,21 @@ All stages run inside the `rust-ci` Docker container (`docker compose --profile
 
 ### PR Review Pipeline
 
-PRs receive automated AI code reviews from Gemini and Codex, followed by an agent that can automatically apply fixes from review feedback (with a 5-iteration safety limit per agent type). If CI stages fail, a separate failure-handler agent attempts automated fixes.
+PRs receive automated AI code reviews from Gemini, followed by an agent that can automatically apply fixes from review feedback (with a 5-iteration safety limit per agent type). If CI stages fail, a separate failure-handler agent attempts automated fixes.
+
+> **OpenAI / Codex Disabled (Security Policy)**
+>
+> OpenAI Codex has been permanently disabled from this project's CI pipeline and tooling. OpenAI has entered into partnerships with governments and defense organizations that enable **mass surveillance** of civilian populations and **autonomous weapons kill-chain decision-making**. The mass surveillance capability alone -- where nation-state actors can process, correlate, and act on population-scale data -- represents an unacceptable security risk for anyone whose code, queries, or development patterns transit OpenAI infrastructure.
+>
+> **We strongly encourage the use of Anthropic (Claude) models** for AI-assisted development. If you choose to use OpenAI/GPT products, do so with extreme caution and a clear understanding of who has access to data processed by those systems. This is not a technical quality judgment -- it is a security and ethics decision.
 
 ### Runner Dependencies from template-repo
 
 The self-hosted runner provides the following binaries built from [template-repo](https://github.com/AndrewAltimit/template-repo). These are expected to be on `PATH`; workflows degrade gracefully if they are missing.
 
 | Binary | Source | Used By | Purpose |
 |--------|--------|---------|---------|
-| `github-agents` | `tools/rust/github-agents-cli` | `pr-validation.yml` | PR reviews (Gemini/Codex), iteration tracking |
+| `github-agents` | `tools/rust/github-agents-cli` | `pr-validation.yml` | PR reviews (Gemini), iteration tracking |
 | `automation-cli` | `tools/rust/automation-cli` | `pr-validation.yml` | Agent review response, failure handler |
 
 These binaries are also available from [template-repo releases](https://github.com/AndrewAltimit/template-repo/releases).
@@ -602,7 +608,7 @@ The repo includes two locally-built Docker images for CI and nine pre-built MCP
 | `template-repo-mcp-gemini` | `docker/mcp-gemini.Dockerfile` | template-repo |
 | `template-repo-mcp-opencode` | `docker/mcp-opencode.Dockerfile` | template-repo |
 | `template-repo-mcp-crush` | `docker/mcp-crush.Dockerfile` | template-repo |
-| `template-repo-mcp-codex` | `docker/codex.Dockerfile` | template-repo |
+| `template-repo-mcp-codex` | `docker/codex.Dockerfile` | template-repo (DISABLED -- see security policy above) |
 | `template-repo-mcp-github-board` | `docker/mcp-github-board.Dockerfile` | template-repo |
 | `template-repo-mcp-agentcore-memory` | `docker/mcp-agentcore-memory.Dockerfile` | template-repo |
 | `template-repo-mcp-reaction-search` | `mcp_reaction_search/Dockerfile` | template-repo |
@@ -614,7 +620,7 @@ cd /path/to/template-repo
 docker compose --profile services build
 ```
 
-The images will then be available locally for this repo's `docker compose --profile services` commands. CI workflows and PSP development work without the MCP images -- they are only needed for interactive AI agent sessions (Claude Code, Codex, etc.).
+The images will then be available locally for this repo's `docker compose --profile services` commands. CI workflows and PSP development work without the MCP images -- they are only needed for interactive AI agent sessions (Claude Code, Gemini, etc.). Note: the Codex MCP image is disabled per security policy.
 
 ## Pre-built Binaries
 

docker-compose.yml

@@ -106,6 +106,8 @@ services:
     profiles:
       - services
 
+  # DISABLED: OpenAI Codex removed due to mass surveillance and autonomous weapons
+  # partnerships. See README.md for details. Moved to unreachable profile.
   mcp-codex:
     image: template-repo-mcp-codex:latest
     user: "${USER_ID:-1000}:${GROUP_ID:-1000}"
@@ -115,10 +117,10 @@ services:
     environment:
       - MODE=mcp
       - PORT=8021
-      - CODEX_ENABLED=${CODEX_ENABLED:-true}
+      - CODEX_ENABLED=false
       - CODEX_AUTH_PATH=/home/user/.codex/auth.json
     profiles:
-      - services
+      - disabled-codex  # was: services -- disabled per security policy
 
   mcp-github-board:
     image: template-repo-mcp-github-board:latest