node_repl JS kernel fails on macOS with sandbox-exec: sandbox_apply: Operation not permitted
Summary
In Codex Desktop on macOS, Browser/Chrome plugin control is unusable because the node_repl MCP server can initialize, but every js tool call fails when the JavaScript kernel is launched through Codex's sandbox wrapper. The same minimal js call succeeds when node_repl is run without CODEX_CLI_PATH or with --disable-sandbox, which points to the sandbox launch path rather than the browser plugins, Chrome, or bundled Node itself.
Environment
- Platform: macOS 26.5, build 25F71, arm64
- Codex app bundled CLI: codex-cli 0.136.0-alpha.2
- Codex app/manual build channel observed in plugin metadata: 26.601.21317
- node_repl path: /Applications/Codex.app/Contents/Resources/node_repl
- bundled Node path: /Applications/Codex.app/Contents/Resources/node
- configured MCP server:
[mcp_servers.node_repl]
command = "/Applications/Codex.app/Contents/Resources/node_repl"
args = []
startup_timeout_sec = 120
[mcp_servers.node_repl.env]
NODE_REPL_NODE_PATH = "/Applications/Codex.app/Contents/Resources/node"
CODEX_CLI_PATH = "/Applications/Codex.app/Contents/Resources/codex"
CODEX_HOME = "/Users/<user>/.codex"
NODE_REPL_TRUSTED_CODE_PATHS = "/Users/<user>/.codex"
BROWSER_USE_AVAILABLE_BACKENDS = "chrome,iab"
User-visible impact
- mcp__node_repl.js fails even for nodeRepl.write("alive").
- The in-app Browser and Chrome plugin cannot be controlled, because both depend on node_repl.
- Restarting Chrome and restarting Codex did not fix it.
- Chrome-specific health checks pass: Chrome is running, the Codex Chrome Extension is installed/enabled, and the native host manifest is correct.
Minimal repro
This succeeds when CODEX_CLI_PATH is not forcing the sandboxed launch path:
printf '%s\n' \
'{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"diagnostic","version":"0"}}}' \
'{"jsonrpc":"2.0","method":"notifications/initialized","params":{}}' \
'{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"js","arguments":{"code":"nodeRepl.write(\"alive\")","timeout_ms":30000,"title":"diagnostic"}}}' \
| /Applications/Codex.app/Contents/Resources/node_repl
Output includes:
This fails when the MCP server is run with the same sandbox-related env shape as the configured Codex MCP server:
printf '%s\n' \
'{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"diagnostic","version":"0"}}}' \
'{"jsonrpc":"2.0","method":"notifications/initialized","params":{}}' \
'{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"js","arguments":{"code":"nodeRepl.write(\"alive\")","timeout_ms":30000,"title":"diagnostic"}}}' \
| env \
CODEX_CLI_PATH=/Applications/Codex.app/Contents/Resources/codex \
NODE_REPL_NODE_PATH=/Applications/Codex.app/Contents/Resources/node \
CODEX_HOME=/Users/<user>/.codex \
NODE_REPL_TRUSTED_CODE_PATHS=/Users/<user>/.codex \
/Applications/Codex.app/Contents/Resources/node_repl
Output:
node_repl kernel exited unexpectedly
node_repl diagnostics: {"kernel_pid":62545,"kernel_status":"exited(code=71)","kernel_stderr_tail":"WARNING: proceeding, even though we could not update PATH: Operation not permitted (os error 1) | sandbox-exec: sandbox_apply: Operation not permitted","reason":"stdout_eof","stream_error":null}
The same command succeeds if --disable-sandbox is added to node_repl, even with CODEX_CLI_PATH present.
Expected behavior
node_repl should be able to launch its JavaScript kernel inside the normal Codex sandbox and run a minimal nodeRepl.write("alive") call. Browser and Chrome plugins should then be able to initialize.
Actual behavior
The MCP server initializes, but the JS kernel exits immediately with:
sandbox-exec: sandbox_apply: Operation not permitted
Diagnostics
codex doctor --json overall status: fail.
Relevant checks:
runtime.provenance: ok, macos-aarch64, version 0.136.0-alpha.2
sandbox.helpers: ok, filesystem sandbox restricted, network sandbox restricted, approval policy OnRequest
mcp.config: ok, one stdio server configured
installation: ok, bundled executable /Applications/Codex.app/Contents/Resources/codex
system.environment: ok, macOS 26.5
network.provider_reachability: fail due to DNS/network being unavailable in this sandboxed session
terminal.env: fail because this noninteractive diagnostic has TERM=dumb
The network and terminal doctor failures do not appear causative: the minimal node_repl repro fails before any browser/network action, and the direct non-sandboxed node_repl JS call succeeds.
Workaround
Adding --disable-sandbox to the node_repl MCP server args appears to make the minimal JS call succeed, but that weakens isolation for JavaScript tool execution and is not a good default workaround.
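As an added triage example (not part of this report or of Codex itself), the helper below does two things a maintainer or operator would want when this failure is reported: it parses the `node_repl diagnostics: {...}` line quoted above into the kernel exit code and a failure class (distinguishing the `sandbox_apply: Operation not permitted` signature from other non-zero kernel exits), and it audits an `mcp_servers` config for servers that carry the `--disable-sandbox` workaround, so a weakened configuration does not linger unnoticed after the underlying bug is fixed. The diagnostics line is a constructed copy of the one in the report; the second config is a constructed variant with the workaround applied. It uses `tomllib` (Python 3.11+) with a minimal fallback that only reads each server's `args`.

```python
"""Triage helpers for a node_repl sandbox launch failure.
Added example; not the report's own code and not part of Codex."""
import json
import re

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    tomllib = None

# Constructed copy of the diagnostics line quoted in the report.
DIAGNOSTICS_LINE = (
    'node_repl diagnostics: {"kernel_pid":62545,"kernel_status":"exited(code=71)",'
    '"kernel_stderr_tail":"WARNING: proceeding, even though we could not update PATH: '
    'Operation not permitted (os error 1) | sandbox-exec: sandbox_apply: Operation not permitted",'
    '"reason":"stdout_eof","stream_error":null}'
)

# Config as shown in the report (args = [] means the sandboxed launch path).
PAGE_CONFIG = """\
[mcp_servers.node_repl]
command = "/Applications/Codex.app/Contents/Resources/node_repl"
args = []
startup_timeout_sec = 120
[mcp_servers.node_repl.env]
NODE_REPL_NODE_PATH = "/Applications/Codex.app/Contents/Resources/node"
CODEX_CLI_PATH = "/Applications/Codex.app/Contents/Resources/codex"
"""

# Constructed variant with the --disable-sandbox workaround applied.
WORKAROUND_CONFIG = PAGE_CONFIG.replace('args = []', 'args = ["--disable-sandbox"]')

SANDBOX_APPLY_MARKER = "sandbox_apply: Operation not permitted"
_STATUS_RE = re.compile(r"exited\(code=(\d+)\)")
_SECTION_RE = re.compile(r"^\[mcp_servers\.([^\].]+)\]$")


def parse_node_repl_diagnostics(line: str) -> dict:
    """Extract the JSON payload from a 'node_repl diagnostics: {...}' line
    and classify why the kernel went away."""
    start = line.find("{")
    if not line.startswith("node_repl diagnostics:") or start < 0:
        raise ValueError("not a node_repl diagnostics line")
    payload = json.loads(line[start:])
    match = _STATUS_RE.search(payload.get("kernel_status", ""))
    exit_code = int(match.group(1)) if match else None
    stderr_tail = payload.get("kernel_stderr_tail") or ""
    if SANDBOX_APPLY_MARKER in stderr_tail:
        classification = "sandbox_apply_denied"   # the macOS failure in this report
    elif exit_code not in (None, 0):
        classification = "kernel_exit_nonzero"    # some other kernel crash
    else:
        classification = "unknown"
    return {
        "kernel_pid": payload.get("kernel_pid"),
        "exit_code": exit_code,
        "reason": payload.get("reason"),
        "classification": classification,
    }


def _load_mcp_servers(config_text: str) -> dict:
    """Return the mcp_servers table as {name: {key: value}}."""
    if tomllib is not None:
        return tomllib.loads(config_text).get("mcp_servers", {})
    # Minimal fallback: reads only the `args = [...]` key of each server table.
    servers, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = _SECTION_RE.match(line)
            current = match.group(1) if match else None  # sub-tables (e.g. .env) are skipped
            if current:
                servers.setdefault(current, {})
        elif current and line.startswith("args"):
            servers[current]["args"] = json.loads(line.split("=", 1)[1].strip())
    return servers


def servers_with_sandbox_disabled(config_text: str) -> list:
    """Names of [mcp_servers.<name>] entries whose args carry --disable-sandbox."""
    servers = _load_mcp_servers(config_text)
    return sorted(name for name, cfg in servers.items()
                  if "--disable-sandbox" in cfg.get("args", []))


if __name__ == "__main__":
    print(parse_node_repl_diagnostics(DIAGNOSTICS_LINE))
    print("sandbox disabled for:", servers_with_sandbox_disabled(WORKAROUND_CONFIG))
```

Run against the report's diagnostics line this yields exit code 71 and the class `sandbox_apply_denied`; the page's own config flags nothing, while the workaround variant flags `node_repl`, which is the entry to revert once the sandbox launch path works again.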
Related issues checked
Searched existing issues for:
node_repl sandbox-exec sandbox_apply Operation not permitted
sandbox_apply Operation not permitted
node_repl
Found several Windows node_repl sandbox setup issues, but no exact macOS sandbox_apply match.