npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

codex-computer-use-mcp

v0.2.0

Published

Expose the official macOS Computer Use tools directly to Pi and MCP clients without a nested model.

Downloads

115

Readme

Codex Computer Use MCP

Version 0.2.0 exposes the official signed macOS Computer Use capabilities as direct typed tools for Pi and MCP clients. The calling agent chooses every tool and argument itself.

The primary path has:

  • no nested model call;
  • no model-generated action plan;
  • no subagent;
  • no prompt sent to Codex;
  • no separate model-token usage.

It does use OpenAI's signed codex app-server as the official host for the bundled Computer Use MCP client. The current official mcpServer/tool/call API requires a loaded thread identifier, so the bridge creates an empty, in-memory, zero-turn context (ephemeral: true, turns: [], path: null). It never calls turn/start and fails closed if any turn/* or item/* model activity appears.

Independent project. This is not an OpenAI product and is not endorsed by OpenAI. The app-server API is marked experimental and fixed ChatGPT bundle paths may change.

Direct tools

Pi registers namespaced tools to avoid collisions with Pi's built-ins. The MCP server exposes the upstream method names.

| Pi tool | MCP method | No-permissions | Purpose | |---|---|---:|---| | computer_use_list_apps | list_apps | yes | List apps known to official Computer Use | | computer_use_get_app_state | get_app_state | yes | Read accessibility state and imagery for one app | | computer_use_click | click | yes | Click an element or screenshot coordinates | | computer_use_perform_secondary_action | perform_secondary_action | yes | Invoke a named accessibility action | | computer_use_set_value | set_value | yes | Assign an accessibility value | | computer_use_select_text | select_text | yes | Select text or place the cursor | | computer_use_scroll | scroll | yes | Scroll an element | | computer_use_drag | drag | yes | Drag between screenshot coordinates | | computer_use_press_key | press_key | yes | Send a key or key combination | | computer_use_type_text | type_text | yes | Type literal text |

Pi—not a nested planner—must call computer_use_get_app_state, choose a current element identifier or coordinates, execute one action, and inspect again when needed.

Authorization policy: durable no-permissions

no-permissions has one precise meaning here: the wrapper asks no permission questions and exposes all ten official actions. It is the only mode and the durable default. There is no safe/full selector, config file, environment override, slash command, CLI switch, per-call elevation, app allowlist, intent classifier, task schema, per-action confirmation, special-case app policy, or method gate.

The app-server runtime is also created with approvalPolicy: "never". The client does not advertise an elicitation UI. If the official downstream service unexpectedly requests elicitation, the bridge silently declines it; it never opens a prompt and never self-accepts. Any persistent first-party access required by Computer Use must therefore already be configured in the official ChatGPT app.

No-permissions does not bypass:

  • first-party OpenAI app approvals or sensitive-action prompts;
  • macOS Screen Recording, Accessibility, or TCC controls;
  • strict OpenAI Team ID and code-signature checks;
  • exact upstream ten-tool schema verification;
  • canonical app identity resolution and per-user/per-app kernel locks shared across Pi and MCP state roots;
  • focus telemetry, timeouts, verified process-tree cleanup, or private audit logging.

Why the signed app-server is required

Calling the signed SkyComputerUseClient mcp binary directly from an ordinary Pi/Node parent successfully initializes and lists all ten schemas, but real calls are rejected with:

Computer Use server error -10000: Sender process is not authenticated

OpenAI's app-server exposes a documented mcpServer/tool/call endpoint. That endpoint calls a configured MCP tool directly; no model turn is required. Running it from the signed app-bundled binary preserves the official responsible-process/authentication chain without injection, re-signing, TCC changes, private socket emulation, or credential extraction.

See ARCHITECTURE.md for source links and the full restriction inventory.

Requirements

  • macOS
  • Node.js 22 or newer
  • official ChatGPT macOS app at /Applications/ChatGPT.app
  • official Computer Use component installed and its first-party permissions configured

The direct bridge starts app-server with a new private CODEX_HOME containing no account credentials and only one configured MCP server: official Computer Use. It does not inherit the user's Codex MCP servers, plugins, history, memories, API keys, or auth file. It selects a non-websocket dummy model provider bound to unreachable loopback, disables plugin/remote-control features, and never starts a turn; this prevents app-server model prewarm or Responses API traffic.

Locked-screen limitation

Version 0.2.0 supports direct local calls in an unlocked macOS session. It does not support window or accessibility actions after the Mac locks.

OpenAI's locked Computer Use is limited to active, trusted ChatGPT turns started from a connected device. It does not authorize other apps or local processes to unlock the Mac. This package uses local zero-turn dispatch, so targeted calls can fail with official error -10005 while the Mac is locked. Support for locked local use remains a follow-up and is not part of version 0.2.0.

Pi integration

Install the exact release from npm:

pi install npm:[email protected]

To evaluate a source checkout instead:

npm ci
npm run build
pi -ne -e /absolute/path/to/codex-computer-use-mcp/integrations/pi/index.ts

Command:

/computer-use-status

The native Pi adapter is the primary product path. It always registers all ten typed tools directly. It exposes no mode-changing command and no approval UI.

MCP server

Running the binary without arguments starts a stdio MCP server exposing the same ten direct methods plus computer_use_status:

node dist/mcp-server.js

For Pi's generic MCP gateway, keep directTools: false so this powerful surface remains intentional:

{
  "mcpServers": {
    "computer-use": {
      "command": "node",
      "args": ["/absolute/path/to/codex-computer-use-mcp/dist/mcp-server.js"],
      "lifecycle": "lazy",
      "requestTimeoutMs": 180000,
      "directTools": false
    }
  }
}

The generic MCP server exposes the same no-permissions behavior: no wrapper approval UI and all ten methods. Unexpected downstream elicitations are silently declined; configure persistent first-party app access only in official ChatGPT Computer Use settings.

Security and privacy

Each call:

  1. validates typed arguments;
  2. applies the single durable no-permissions policy with no mode or prompt branch;
  3. resolves a target to a canonical installed bundle ID;
  4. acquires a fixed per-user/per-app kernel lock shared across all supported clients and state roots;
  5. starts global focus telemetry;
  6. verifies fixed OpenAI-signed broker/client binaries;
  7. starts a credential-free isolated app-server process tree with model transport disabled;
  8. requires explicit ephemeral: true, turns: [], and path: null attestation;
  9. verifies the exact upstream ten-tool inventory and schemas;
  10. issues exactly one mcpServer/tool/call;
  11. rejects any model-turn notification, including during teardown;
  12. combines partial-preserving ancestry enumeration with private-working-directory ownership recovery, then freezes, terminates, and verifies the app-server plus separately grouped or reparented helpers; finally it removes temporary state, releases the lock, and writes a content-safe audit with separate broker/lease cleanup evidence.

Focus checks are detection/completion criteria, not a preventive macOS sandbox. If the target becomes frontmost, the call is reported as failed even though an individual official action may already have completed.

Tool results may contain visible target-app text or screenshots because that is the purpose of Computer Use. They return only to the invoking Pi/MCP client. Audits never retain arguments, typed values, screenshots, app-state payloads, result text, prompts, credentials, or tokens—only bounded metadata such as method, canonical/hashed app identity, byte counts, content types, outcome, focus, broker version, and zero-turn evidence.

State and migration

Audit state defaults to ~/.direct-computer-use; override with CODEX_COMPUTER_USE_HOME. Permission policy is not read from that agent-writable path: no-permissions is compiled as the only interface. Legacy config.json files are ignored.

See MIGRATION.md for version 0.1 migration, source acceptance, rollback, and conflict avoidance.

Development

npm ci
npm run check
npm run check:pi
npm test
npm run build
npm audit --omit=dev
npm pack --dry-run

Registry dependency tarballs are exact-pinned with integrity and the package includes npm-shrinkwrap.json.

See PROOF.md, SECURITY.md, and CONTRIBUTING.md.

License

MIT