Summary
@cluesmith/codev pins @openai/codex-sdk@^0.101.0, and pnpm-lock.yaml hard-resolves it to exactly 0.101.0. The bundled @openai/codex@0.101.0-darwin-arm64 Rust binary was signed with an OpenAI macOS code-signing certificate that was revoked after the 2026-03-31 Axios npm supply-chain compromise. Apple's XProtect now flags and deletes binaries signed with the revoked certificate, surfacing to users as:
"Codev has malware and has been removed from your Mac"
(The flagged binary is the bundled codex CLI inside codev's dependency tree; XProtect names the parent install.)
Impact
- Every codev install on macOS (npm and local-install) gets the lockfile-pinned 0.101.0 binary that XProtect removes. Not local-install-specific.
- This is the root cause of the recurring "Codex skipped (EPIPE)" CMAP failures observed on PIR builders (pir-1298, pir-1326): the SDK spawns a binary XProtect already deleted → broken stdio pipe → EPIPE. Same root cause, two symptoms.
- Codex consults are effectively broken on macOS until the dependency is bumped. CMAP-2/CMAP-3 silently degrade or fail.
Root cause
Per OpenAI's response to the Axios developer-tool compromise: a GitHub Actions workflow used for macOS app signing pulled the malicious axios@1.14.1, which then had access to OpenAI's macOS code-signing certificate material. OpenAI revoked that certificate and re-signed ChatGPT / Codex / Codex CLI with a new one. Pre-incident binaries (incl. @openai/codex@0.101.0) remain signed with the revoked cert, so XProtect removes them.
Refs:
Fix
Bump @openai/codex-sdk from ^0.101.0 to the latest post-incident release (0.130.0, re-signed with OpenAI's new certificate) and refresh pnpm-lock.yaml (the caret range alone won't move it — the lockfile hard-pins 0.101.0).
API delta is effectively zero. Comparing the TypeScript surface codev uses (packages/codev/src/commands/consult/index.ts:388-431) between 0.101.0 and 0.130.0: Codex, CodexOptions, startThread, ThreadOptions, SandboxMode, ModelReasoningEffort, runStreamed, StreamedTurn, ItemCompletedEvent, AgentMessageItem, TurnFailedEvent, ThreadErrorEvent are all byte-identical. The only change is Usage gaining an additive reasoning_output_tokens field, which codev's cost calc does not read → no source change required for the bump.
Acceptance criteria
- @openai/codex-sdk bumped to 0.130.0 (or latest stable) in packages/codev/package.json + pnpm-lock.yaml refreshed
- pnpm build clean; consult unit tests green
- pnpm -w run local-install; the bundled codex binary survives an XProtect scan window (not removed after several minutes)
- consult -m codex --type impl runs end-to-end with no EPIPE / no "removed from your Mac"
Follow-up (separate issue, not blocking)
Graceful codex-missing degradation: detect ENOENT/EPIPE on spawn in runCodexConsultation and emit a clear "codex unavailable — CMAP continuing with gemini only" instead of a raw EPIPE. Defense-in-depth for future incidents / auth / network failures.