A computer agent on your Mac is mostly a permission probe with a model attached

A program that drives a computer the way a person would. It reads the screen, decides what to click, and types into apps that were never designed for automation. The 2026 wave of these agents (Claude Computer Use, OpenAI Operator, Manus, Grok Computer, Fazm) all share that definition. Where they split is on how they read the screen and where they run. The cloud-side ones rent a sandboxed Linux VM, take screenshots, and send pixels to a vision model. A consumer Mac agent like Fazm runs on your real machine, reads the macOS accessibility tree as structured text, and uses native AXUIElement calls to click on stable element IDs.

Because that is where the user's Calendar, Mail, Messages, Cursor, and Figma already live, signed in, with their actual data. A cloud computer use agent in a sandbox VM has none of that. Either you log in inside the VM (sketchy and slow) or you give it OAuth tokens (now you have a credential storage problem). Running on the real Mac avoids both, but the price is engineering against macOS itself: TCC permission prompts, accessibility cache invalidation on macOS 26 Tahoe, screen recording entitlements, and the AXError surface area documented below.

Every native macOS window exposes a structured tree of its UI through the AX (accessibility) APIs, the same data Apple's VoiceOver screen reader consumes. AXUIElementCreateApplication takes a process ID, AXUIElementCopyAttributeValue with kAXFocusedWindowAttribute walks the tree, and you get back an enumerable list of buttons, rows, text fields, and groups with stable identifiers and bounding rects. A Gmail inbox rendered as an accessibility tree is roughly two kilobytes of text. The same inbox as a base64 PNG screenshot is closer to eighty kilobytes. Sending the tree is faster, cheaper, and gives the model element IDs to act on instead of pixel coordinates that go stale the moment a window resizes.

Three layers, all in /Users/matthewdi/fazm/Desktop/Sources/AppState.swift. Layer one is AXIsProcessTrusted at line 311, the standard TCC trust check that almost every macOS automation tutorial stops at. Layer two is testAccessibilityPermission at line 433, which makes a real AXUIElementCopyAttributeValue call against the frontmost app and inspects the AXError result. Layer three is probeAccessibilityViaEventTap at line 490, which calls CGEvent.tapCreate with cgSessionEventTap because on macOS 26 Tahoe, AXIsProcessTrusted maintains a per-process cache that returns true even after the user has revoked permission. The event tap creation API hits the live TCC database directly and is the only reliable way to invalidate that cache.

It runs a confirmation probe against Finder. AXError.cannotComplete is genuinely ambiguous on macOS: it can mean the agent's own permission has gone stale, OR that the frontmost app is one of the handful that does not implement AX at all (Qt apps, OpenGL games, PyMOL, and a few others). If Fazm sees cannotComplete from the frontmost app, confirmAccessibilityBrokenViaFinder at line 468 makes a second AX call against Finder, which is guaranteed to be AX-compliant. If Finder also fails, the permission is genuinely broken; if Finder succeeds, the original failure was app-specific and the permission is fine. Without this disambiguation, every Qt-based app would falsely flag the agent as broken.

When testAccessibilityPermission returns false but TCC says trusted, Fazm starts a 5-second-interval retry timer in startAccessibilityRetryTimer at line 375 with a max of 3 attempts (maxAccessibilityRetries at line 304). On each tick it re-runs checkAccessibilityPermission. If three retries fail, showAccessibilityRestartAlert at line 404 surfaces an NSAlert titled 'Accessibility Permission Needs Restart' with two buttons: 'Quit & Reopen' and 'Later.' Choosing 'Quit & Reopen' calls relaunchApp at line 422, which spawns 'sleep 1 && open <bundlePath>' through /bin/sh and terminates the current process. The reason for the spawn-and-terminate dance is that the macOS Accessibility daemon binds permission state to the process ID, and the only way to clear a stuck binding without a reboot is to fully replace the process.

No, just demoted. ScreenCaptureManager at /Users/matthewdi/fazm/Desktop/Sources/FloatingControlBar/ScreenCaptureManager.swift uses CGWindowListCreateImage with .optionIncludingWindow, .boundsIgnoreFraming, and .bestResolution flags to capture the frontmost app's window when the agent genuinely needs pixel context (a PDF with images, a Figma canvas, a WebGL surface). The capture is gated behind Screen Recording permission, and the function returns .permissionDenied as a distinct case from .success when the window metadata is readable but pixel capture fails, which is the signal that Screen Recording was revoked while Accessibility stayed granted. The default for native Catalyst apps like Mail, Calendar, and Messages is to skip the screenshot entirely.

Five, hardcoded as BUILTIN_MCP_NAMES at line 1266 of /Users/matthewdi/fazm/acp-bridge/src/index.ts: fazm_tools, playwright, macos-use, whatsapp, and google-workspace. The macos-use binary is the bridge into the AX layer described above; it is bundled at Contents/MacOS/mcp-server-macos-use inside the signed app and resolved at line 63 of the same bridge file. The reason a computer agent ships an MCP server inside the .app instead of asking the user to install one is that the agent layer (Claude, in Fazm's case) speaks the Agent Client Protocol; tool calls flow through MCP; and bundling means the user grants Accessibility once to the parent app and the bundled binary inherits that permission, which it would not if it were installed separately.

Not yet, on either, because the engineering is platform-specific to the macOS AX surface, the TCC cache behavior, and the CGEvent tap API. Windows has a similar concept (UI Automation, IAccessible2, the Windows Automation API) and Linux has AT-SPI, but the failure modes are different and the permission models are completely different. Fazm is Mac-only at v2.4.1; the cloud-only computer use agents are platform-agnostic by design because their VM is always Linux. If you want a real consumer agent that drives the apps already installed on your real machine, the work is platform-by-platform.

Three files. /Users/matthewdi/fazm/Desktop/Sources/AppState.swift lines 300 to 504 for the entire permission probe (timers, three-layer check, retry alert, relaunch). /Users/matthewdi/fazm/Desktop/Sources/FloatingControlBar/ScreenCaptureManager.swift lines 14 to 44 for the demoted screenshot path with .permissionDenied disambiguation. /Users/matthewdi/fazm/acp-bridge/src/index.ts line 63 for the bundled macos-use binary path and line 1266 for the BUILTIN_MCP_NAMES constant. The CHANGELOG entry that documents the dynamic MCP server list is at /Users/matthewdi/fazm/CHANGELOG.json line 20, version 2.4.0, dated 2026-04-20.