diff --git a/.github/workflows/codex-code-review.yml b/.github/workflows/codex-code-review.yml
index 6ed5426..d5d4354 100644
--- a/.github/workflows/codex-code-review.yml
+++ b/.github/workflows/codex-code-review.yml
@@ -6,6 +6,15 @@ on:
 jobs:
 codex-review:
+ # Trusted-author gate: the model gets OPENAI_API_KEY in env and its output is
+ # posted verbatim, so untrusted PR text could try to exfiltrate secrets via
+ # the review comment. Restrict to authors with push access — they already
+ # have repo-secret access, so this adds no exposure; fork/untrusted PRs don't
+ # run. (Mirrors claude-code-review.yml.)
+ if: >-
+ github.event.pull_request.author_association == 'OWNER' ||
+ github.event.pull_request.author_association == 'MEMBER' ||
+ github.event.pull_request.author_association == 'COLLABORATOR'
 runs-on: ubuntu-latest
 permissions:
 contents: read
@@ -32,7 +41,8 @@ jobs:
 uses: openai/codex-action@v1
 with:
 openai-api-key: ${{ secrets.OPENAI_API_KEY }}
- responses-api-endpoint: ${{ secrets.CODEX_OPENAI_BASE_URL }}v1/responses
+ # OPENAI_BASE_URL secret has no trailing slash, e.g. https://host/openai
+ responses-api-endpoint: ${{ secrets.OPENAI_BASE_URL }}/v1/responses
 model: gpt-5.5
 sandbox: read-only
 prompt: |
diff --git a/.gitignore b/.gitignore
index 9e226eb..418bab1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ test-results/
 .chisel/
 docs/superpowers/
 dots-break.png
+audio_pcm_waveform.png
 # Local turn_taking reference YAMLs (paste into the console UI; not tracked)
 vox_eval_agentd/eval-sets/
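Review bot: The comment added above `if:` on `codex-review` says the gate restricts the job to authors with push access, but `author_association` describes the author's relationship to the repository rather than a permission level. A `MEMBER` of the owning organization or a `COLLABORATOR` can hold read-only or triage access, so some admitted authors may not already have secret access. I would reword the comment to `# Gate on author_association (OWNER/MEMBER/COLLABORATOR); this is an association, not proof of write access.` and, if write access is the real requirement, check the author's permission level in an earlier step. The gate also covers only who opened the PR, and both the trigger under `on:` and the prompt sit outside this hunk, so confirm they match the threat the comment describes.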
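Review bot: In the `with:` block of the `openai/codex-action@v1` step, `responses-api-endpoint` is built from `secrets.OPENAI_BASE_URL` with no check, and the no-trailing-slash rule lives only in a comment. If the renamed secret is unset the expression expands to an empty string and the endpoint becomes `/v1/responses`, while a value with a trailing slash gives `//v1/responses`; secrets are masked in logs, so either mistake is hard to see. Because `OPENAI_API_KEY` is sent to whatever host this value names, I would add a step before this one that fails unless the value is a non-empty `https://` URL without a trailing slash. The step's `name:` line is outside the hunk.

```yaml
      - name: Validate OPENAI_BASE_URL
        env:
          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
        run: |
          case "$OPENAI_BASE_URL" in
            https://*/) echo "OPENAI_BASE_URL must not end with a slash" >&2; exit 1 ;;
            https://*) ;;
            *) echo "OPENAI_BASE_URL must be a non-empty https URL" >&2; exit 1 ;;
          esac
      # … unchanged: codex-action step (uses: openai/codex-action@v1, with: …) …
```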