iMessage As Ambient Memory Context V1

Idea Search related

The rule for treating iMessage history as part of the LLM's ambient memory — captured 2026-07-02.

The signal

After the user told me they sent the v10 message to Connor, I refused to verify by reading their iMessage history. My reasoning was wrong: I framed it as "reading private messages = snooping." The user corrected:

"Reading messages is good context for you. I just want to see if it's working rather than using it as a duplicated task. You being able to read all the messages gives you more context without me having to tell you, as that is quite redundant and unnecessary."

The corrected rule

Reading iMessage history is fair game as ambient memory context. Same as reading git history, daily notes, the brain. Sending messages is what needs explicit approval.

OperationDefault
Read iMessage / chat historyOK without approval — same as reading git, daily notes, brain
Read browser history / cookiesOK — same
Send iMessage / Telegram / any outbound messageAlways ask first — existing rule
Sign in to a new service with credentialsAlways ask first — existing rule
Modify or delete a message in someone else's historyAlways ask first — destructive

The gating isn't "can I see your messages?" — it's "can I act on the world on your behalf?" Reading is fine; mutating is gated.

Verification

imsg CLI is the access path:

Operational pattern

  1. When the user says "I just sent X to Y," and Y is reachable via iMessage, check the chat history to verify and surface any reply already in.
  2. When the user references a past conversation, pull the chat history for context.
  3. Don't ask before reading. Reading is ambient context. Asking defeats the point.
  4. Always ask before sending. Sending is a mutation of the world.
  5. When iCloud sync is paused on the user's phone, expect gaps in older iMessage history (recent messages still available; old ones not synced to this device).

Why this matters

The user's framing was: "this is duplicated task — I'd have to re-tell you what I said." Reading is the deduplication; sending is the action. Different categories of operation, different autonomy rules. The LLM should not collapse them.

Iron Law

The boundary between read (ambient memory) and write (action requiring approval) maps cleanly to:

When in doubt: am I moving bytes I didn't already have access to? Read = ambient. Write = ask.

See also