diff --git a/Dockerfile b/Dockerfile
index 59c9331a6..99fce8f2b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,6 +52,15 @@ RUN apt-get update \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" > /etc/apt/sources.list.d/docker.list \
     && apt-get update \
     && apt-get install -y --no-install-recommends docker-ce-cli \
+    # Install Node.js LTS so the sandbox (nsjail/Docker box) can run npx-based
+    # stdio MCP servers. node/npx land in /usr/bin, which is on the nsjail
+    # read-only mount whitelist (_READONLY_SYSTEM_MOUNTS), so they are bound
+    # into the sandbox chroot automatically. Without node, any npx-launched
+    # MCP server exits with return_code=127 (command not found).
+    && curl -fsSL https://deb.nodesource.com/setup_22.x -o /tmp/nodesource_setup.sh \
+    && bash /tmp/nodesource_setup.sh \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -f /tmp/nodesource_setup.sh \
     && python -m pip install --no-cache-dir uv \
     && uv sync \
     && apt-get purge -y --auto-remove curl gnupg \