# 2026-05-09 macOS screenshot and registration-test notes ## Visible-window screenshot fix During a Screen Sharing / screenshot debugging session, `screencapture` initially produced valid PNG files that contained only wallpaper and the menu bar even though Chrome was frontmost. `stat -f '%Su' /dev/console` returned `root`, but `scutil <<< 'show State:/Users/ConsoleUser'` showed the real GUI session was `chick` and on-console. Useful diagnostic sequence: ```bash stat -f '%Su' /dev/console 2>/dev/null || true scutil <<< 'show State:/Users/ConsoleUser' 2>/dev/null | sed -n '1,40p' || true osascript -e 'tell application "System Events" to get name of first application process whose frontmost is true' 2>&1 || true osascript -e 'tell application "System Events" to get name of every application process whose visible is true' 2>&1 || true log show --last 5m --style compact \ --predicate 'process == "tccd" AND (eventMessage CONTAINS[c] "Accessibility" OR eventMessage CONTAINS[c] "ScreenCapture" OR eventMessage CONTAINS[c] "osascript" OR eventMessage CONTAINS[c] "python")' \ 2>/dev/null | tail -120 ``` Key log signal: TCC attributed denied Accessibility/ScreenCapture requests to Hermes gateway's responsible Homebrew Python, not just Terminal or osascript: ```text /Users/chick/homebrew/Cellar/python@3.11/3.11.15/Frameworks/Python.framework/Versions/3.11/bin/python3.11 /Users/chick/homebrew/Cellar/python@3.11/3.11.15/Frameworks/Python.framework/Versions/3.11/Resources/Python.app ``` Grant **Accessibility** and **Screen Recording / 录屏与系统录音** to those paths. After grant, validation showed: ```text System Settings Terminal windows=0 Finder windows=0 Google Chrome windows=1 System Settings windows=1 ``` A full `screencapture` then included Chrome, System Settings, Dock, menu bar, and notifications. A cropped window capture using AppleScript bounds also worked. ## LAN and SOCKS5 checks before registration After Screen Sharing reset and permissions fix, these checks passed: - `192.168.2.1`: ping OK; ports 80/443 open; visible Chrome loaded iKuai login page at `192.168.2.1/login#/login`. - `socks5://192.168.2.8:1085`: ping/TCP OK; `curl -x socks5h://192.168.2.8:1085 https://www.google.com/generate_204` returned HTTP 204; proxy exit IP was `54.65.165.232`. For BOSS's Codex OAuth registration tests, if the env proxy field is empty after this check, set: ```bash BROWSER_PROXY_SERVER=socks5://192.168.2.8:1085 ``` Then verify with: ```bash curl -x socks5h://192.168.2.8:1085 -sS --connect-timeout 8 --max-time 15 https://api.ipify.org ``` ## Ordinary registration test setup When BOSS asked to skip Plus and register a normal account: - Set `PLUS_MODE_ENABLED=false`. - Keep target `PANEL_MODE=codex2api`. - Verify target `http://192.168.2.62:7878/admin/accounts` returned HTTP 200. - Create ClawEmail sub-mailbox using exactly 8 lowercase letters, e.g. `chickliu.zlajiqjc@claw.163.com`. - Append a `pending` record to `/Users/chick/.Hermes/workspace/codex-oauth/run-records/clawemail_accounts.jsonl`. - Stop and wait for BOSS to say “继续” before launching the visible browser flow.