diff --git a/docs/channels/imessage-from-bluebubbles.md b/docs/channels/imessage-from-bluebubbles.md index 0e145d38536..b9aa8f43a35 100644 --- a/docs/channels/imessage-from-bluebubbles.md +++ b/docs/channels/imessage-from-bluebubbles.md @@ -65,7 +65,7 @@ Use this checklist when you already know your old BlueBubbles config and want th imsg rpc --help ``` - Replace `42` with a real chat id from `imsg chats`. Sending requires Automation permission for Messages.app. If OpenClaw will run through SSH, run these commands through the same SSH wrapper or user context that OpenClaw will use. + Replace `42` with a real chat id from `imsg chats`. Sending requires Automation permission for Messages.app. If OpenClaw will run through SSH, run these commands through the same SSH wrapper or user context that OpenClaw will use. If reads/probes work but sends fail with AppleEvents `-1743`, check whether Automation landed on `/usr/libexec/sshd-keygen-wrapper`; see [SSH wrapper sends fail with AppleEvents -1743](/channels/imessage#ssh-wrapper-sends-fail-with-appleevents-1743). 3. Enable the private API bridge when you need advanced actions: diff --git a/docs/channels/imessage.md b/docs/channels/imessage.md index a851998b3b3..18baa135e3f 100644 --- a/docs/channels/imessage.md +++ b/docs/channels/imessage.md @@ -151,6 +151,29 @@ imsg send "test" + + A remote-SSH setup can read chats, pass `channels status --probe`, and process inbound messages while outbound sends still fail with an AppleEvents authorization error: + +```text +Not authorized to send Apple events to Messages. (-1743) +``` + +Check the signed-in Mac user's TCC database or System Settings > Privacy & Security > Automation. If the Automation entry is recorded for `/usr/libexec/sshd-keygen-wrapper` instead of the `imsg` or local shell process, macOS may not expose a usable Messages toggle for that SSH server-side client: + +```text +kTCCServiceAppleEvents | /usr/libexec/sshd-keygen-wrapper | auth_value=0 | com.apple.MobileSMS +``` + +In that state, repeating `tccutil reset AppleEvents` or rerunning `imsg send` through the same SSH wrapper may keep failing because the process context that needs Messages Automation is the SSH wrapper, not an app the UI can grant. + +Use one of the supported `imsg` process contexts instead: + +- Run the Gateway, or at least the `imsg` bridge, in the logged-in Messages user's local session. +- Start the Gateway with a LaunchAgent for that user after granting Full Disk Access and Automation from the same session. +- If you keep the two-user SSH topology, verify that a real outbound `imsg send` succeeds through the exact wrapper before enabling the channel. If it cannot be granted Automation, reconfigure to a single-user `imsg` setup instead of relying on the SSH wrapper for sends. + + + ## Enabling the imsg private API `imsg` ships in two operational modes: diff --git a/docs/gateway/config-channels.md b/docs/gateway/config-channels.md index f1a60937d0f..a5058344fc4 100644 --- a/docs/gateway/config-channels.md +++ b/docs/gateway/config-channels.md @@ -597,6 +597,8 @@ BlueBubbles support was removed. `channels.bluebubbles` is not a supported runti If the Gateway is not running on the signed-in Messages Mac, keep `channels.imessage.enabled=true` and set `channels.imessage.cliPath` to an SSH wrapper that runs `imsg "$@"` on that Mac. The default local `imsg` path is macOS-only. +Before relying on an SSH wrapper for production sends, verify an outbound `imsg send` through that exact wrapper. Some macOS TCC states assign Messages Automation to `/usr/libexec/sshd-keygen-wrapper`, which can make reads and probes work while sends fail with AppleEvents `-1743`; see [SSH wrapper sends fail with AppleEvents -1743](/channels/imessage#ssh-wrapper-sends-fail-with-appleevents-1743). + ```json5 { channels: {