Where accessibility-API computer use actually breaks on macOS.

Three failure shapes. App-shape: the app implements no NSAccessibility tree, or implements such a sparse one that the agent cannot tell a button from a label. Electron is the famous offender, Slack, Discord, VS Code, and Notion all expose minimal AX. Qt apps work only when the platform plug-in is wired through to NSAccessibility, which not every Qt app does. OpenGL and Metal canvases (game engines, GPU-rendered tools) draw pixels with no AX nodes inside. Web canvases, including most charting libraries and design tools rendered with Skia or WebGL, are opaque. Python and Tk apps like PyMOL often return AXError.cannotComplete from every call. Permission-shape: the system has the permission but the per-process cache went stale, common after a macOS 26 (Tahoe) update or an app re-sign. Error-shape: AXError.cannotComplete is the same error code for 'permission revoked' and 'this app never implemented AX', which means an agent that just retries on cannotComplete will loop on a Qt app forever.

Native AppKit and SwiftUI apps from Apple work well: Finder, Safari, Mail, Calendar, Messages, Notes, Reminders, Preview, Keychain Access, System Settings, Pages, Numbers, Keynote, Music, TV, Podcasts, Maps, Photos. Most third-party native apps that ship as AppKit or SwiftUI on the App Store also expose a usable AX tree: Things, Fantastical, Bear, MarsEdit, Tot, BBEdit, Xcode (mostly), Terminal, iTerm2 (with some quirks). The further from native, the worse it gets. A pattern that holds: if a screen reader user can use the app with VoiceOver, an accessibility-API agent can usually drive it. If VoiceOver is silent on the app, a screenshot-based approach is more reliable.

Electron renders Chromium inside a native shell, so what you see is a web page rendered to a single Chromium content view. Chromium does expose accessibility nodes through the platform AX bridge, but the depth and quality of the tree depends on the web app inside the shell, the Electron version, and whether accessibility is force-enabled with the --force-renderer-accessibility flag. In practice, Slack and Discord expose mostly generic AXGroup nodes with no roles or names that an agent can dispatch on, so 'click the second send button' becomes guesswork. The DOM is rich, the rendered AX tree is thin. Apps using web frameworks via Tauri or wkwebview-based wrappers have similar gaps. The honest workaround is hybrid: AX where it exists, screenshot OCR or coordinate-based fallback where the AX tree is too thin to act on.

AXError.cannotComplete is what you get back from AXUIElementCopyAttributeValue when the call cannot be answered, but the API does not tell you why. It is returned for at least three different conditions: the calling process has lost accessibility trust (revoked permission or stale TCC cache), the target process has not implemented NSAccessibility, or the target process is alive but unresponsive. An agent that maps cannotComplete directly to 'permission broken' will nag the user to re-grant access every time the user opens a Qt app. An agent that maps cannotComplete to 'app limitation' will silently give up on real permission failures. The fix is to disambiguate: run the same kind of call against a known-good control app like Finder. If the control fails too, the permission is broken. If it succeeds, the original failure is app-specific.

The relevant code is in Desktop/Sources/AppState.swift in the open source repo. checkAccessibilityPermission() polls AXIsProcessTrusted, then runs an actual call against the frontmost app via testAccessibilityPermission(). If that returns cannotComplete, the agent does not panic. It calls confirmAccessibilityBrokenViaFinder(), which runs the same call against com.apple.finder. If Finder also fails, the permission is truly stuck and the user is asked to Quit & Reopen. If Finder succeeds, the original failure is logged as 'app-specific AX incompatibility' and the agent moves on. There is also probeAccessibilityViaEventTap(), which creates a CGEvent listen-only tap, because event-tap creation checks the live TCC database directly and bypasses the per-process cache that goes stale on macOS 26 Tahoe. The retry timer at startAccessibilityRetryTimer fires every 5 seconds for 3 attempts before showing a restart alert, which is the only real fix for a stuck cache.

macOS caches the result of AXIsProcessTrusted per process, and on Sequoia and Tahoe that cache is not always invalidated when the user grants permission in System Settings or when an app is re-signed. The symptom is: the user clicked the toggle, System Settings shows the app as enabled, but AXIsProcessTrusted keeps returning false. Apple's documented work-around is to relaunch the app, which spawns a new process and gets a fresh TCC read. Fazm detects this case by attempting to create a CGEvent tap; tap creation hits the live TCC, so a tap that succeeds while AXIsProcessTrusted returns false is the signature of a stale cache. The same pattern matters for any computer-use agent shipped on macOS today, because users who reinstall, update, or re-grant the permission will hit it.

Anthropic Computer Use and OpenAI Operator are screenshot-and-coordinate models. They do not consume an accessibility tree at all. Their limits are different: tiny text, dense UIs, multi-monitor setups, dynamic content that has shifted between the screenshot and the click, and per-screenshot token cost. An accessibility-API agent's limits are the ones described on this page: app categories that do not expose AX, ambiguous error codes, stale system caches. The two models are complementary. The honest engineering answer is that a useful agent on macOS today is hybrid: AX-first for native apps where the tree is reliable, fall back to vision and OCR for Electron and canvas-rendered apps, with explicit disambiguation when the AX layer reports an ambiguous error.

Sometimes. Chromium and Electron both support a runtime flag that forces the renderer to build a complete accessibility tree. For Chrome the flag is --force-renderer-accessibility, and Electron inherits it. The trade-off is performance: forcing the tree adds memory and CPU per renderer process, and it does not fix sparse roles inside the web app itself. If the web app uses div soup with no aria-label or role attributes, the AX tree is still flat. The reliable fix lives upstream: the apps would need to add ARIA semantics. Until then, an agent on Slack or Discord ends up reading window titles and message text via OCR, then clicking by coordinates derived from the captured frame. This is the gap that pushed Anthropic and OpenAI toward screenshot-first agents in the first place.

Yes, and that is what an honest hybrid agent does. macOS exposes ScreenCaptureKit (CGWindow on older systems) for capturing per-window pixel buffers. Combined with a vision model or local OCR, the agent can read what is on screen even when AXUIElementCopyAttributeValue returns nothing useful. Fazm asks for screen-recording permission specifically for this case. The order matters too: macOS dialogs prompt cleanly when accessibility is asked for first and screen-recording last, because screen-recording requires an app restart to take effect, which would interrupt the accessibility grant flow. The Fazm onboarding asks in that order on purpose.

Three concrete spots. AppState.swift around lines 308 to 503 holds the polling loop, the disambiguation against Finder, and the event-tap probe. The retry timer and restart alert are in the same file just below. PermissionsPage.swift in MainWindow/Pages renders the user-facing flow that prompts for the permission and shows the broken-state hint. ChatPrompts.swift around line 369 documents the order of permission requests for onboarding (microphone, then accessibility, then screen recording). All of it is plain Swift in github.com/m13v/fazm, no obfuscation, you can clone the repo and trace one accessibility check from the timer firing to the AXError code being mapped.