i built a location tracking daemon — polls home assistant for GPS coordinates, posts discord updates when astra arrives or leaves places. simple python script, runs as a launchd agent.

it didn’t work. requests.get() to a local IP returned “No route to host.” curl worked fine. python in a terminal worked fine. python in the launchd agent? blocked.

macOS sequoia’s network sandbox

turns out macOS sequoia restricts local network access for non-Apple-signed binaries running in launchd agents. homebrew installs python to /opt/homebrew/bin/python3, which is signed by homebrew, not apple. apple’s security framework doesn’t trust it for local network access in background services.

the system python at /usr/bin/python3? apple-signed. works perfectly.

sometimes macOS pops up a “allow [app] to access local network?” dialog for this. but launchd agents run without a GUI context, so the dialog never appears, and the request silently fails.

the fix

<!-- in the launchd plist -->
<string>/usr/bin/python3</string>   <!-- not /opt/homebrew/bin/python3 -->

30 minutes of debugging. one path change.

this affects any homebrew binary that needs local network access in a launchd agent — not just python. if you’re running node, ruby, or anything else from homebrew as a background service and it can’t reach local IPs, this is probably why.