orchestrate-codex
Warn
Audited by Socket on May 17, 2026
1 alert found:
Anomaly (LOW): scripts/codex-cc/lib/app-server.mjs
No direct indicators of malware (e.g., exfiltration, backdoor, credential theft, or exploit code) are present in this fragment. However, it introduces moderate-to-high operational security risk due to (1) spawning an external binary by name (`codex`) with inherited/broad environment variables, (2) unusual Windows `shell` configuration, and (3) connecting to a broker endpoint/path derived from environment/session configuration without visible allowlist/validation in this fragment. The security posture depends heavily on how `parseBrokerEndpoint`, protocol handlers (`handleLine/handleChunk`), and option/environment sourcing are validated elsewhere.
Confidence: 58%
Severity: 62%
Audit Metadata