Phone-native operations software

AI agent recovery notification software for iMessage

Turn partial failures into clear delay notices, scoped approval requests, and verified recovery receipts inside the conversation where the user’s intent began.

Abstract iMessage recovery notification control surface
Recovered: one appointment is confirmed for 3:00 PM. I verified the first request and did not submit another.
DELAY NOTICEAPPROVAL REPLYDELIVERY RECONCILIATIONRECOVERY RECEIPTQUIET HOURSNO DUPLICATE SENDDELAY NOTICEAPPROVAL REPLYDELIVERY RECONCILIATIONRECOVERY RECEIPTQUIET HOURSNO DUPLICATE SEND

A notification layer built for recovery state

AI agent recovery notification software turns execution evidence into phone-native updates without exposing every retry or inventing certainty.

The category sits between an agent runtime, a recovery control room, and the user’s message conversation. It listens for meaningful recovery milestones, composes from structured facts, applies channel policy, sends with a stable operation identity, reconciles delivery, and records exactly what the user saw.

That is different from generic alerts. A tool error is not automatically a message. A timeout may indicate an unknown external outcome rather than failure. The software must understand whether the user’s expectation changed, whether another request could duplicate work, whether fresh approval is needed, and whether the final result has actually been verified.

iMessage-style conversations add a useful interaction loop. The user can approve a changed appointment, stop a recovery, supply missing context, or ask for details in the same thread that captured the original intent. But reply convenience increases the need for scope: a “yes” must bind to an exact proposal, inputs, authorization, and expiry.

The product succeeds when the user receives fewer messages with more meaning. Internal attempts remain in the operations history. The conversation receives delay, action, stop, unresolved, and verified outcome milestones.

Core capabilities

The category promise

State-aware triggers

Map run and effect evidence into user milestones rather than forwarding raw errors and retry events.

Constrained composition

Build copy from task, state, verified outcome, required action, deadline, and detail-link fields.

Reply approvals

Bind expected responses to exact recovery actions and re-check context before the agent resumes.

Delivery receipts

Track stable outbound identity, provider acceptance, delivery state, content hash, and evidence revision.

01

Ingest a recovery milestone

Accept a structured event carrying intent, recovery case, audience, state, severity, user impact, evidence revision, and trace context. Deduplicate by stable event identity before any composition work begins.

02

Evaluate notification policy

Decide whether the state meaningfully changes user understanding. Apply urgency, quiet hours, user preferences, batching, prior milestone, and whether an unsent message can be superseded.

  • Quiet internal retries should remain quiet.
  • Potential duplicate risk may justify immediate notice.
  • Approval deadlines may override normal deferral.
03

Resolve identity and conversation

Map the recovery case to the correct person, account, phone identity, and thread. Verify that the user still owns or is authorized for the intent. Cross-account or ambiguous phone matches must stop rather than guess.

04

Compose from evidence

Populate a versioned template schema from current recovery facts. A model can improve clarity inside those fields, but unsupported causes, confidence, completion claims, and instructions must fail validation.

Lead with state, name the task naturally, state what is verified, and put the next action on its own clear sentence.

05

Send idempotently

Create one stable operation identity from intent, recovery case, recipient, and milestone. Persist the content fingerprint before sending. If provider confirmation is lost, reconcile delivery before retrying the same logical message.

06

Process replies safely

Parse constrained replies through the core message processor, attach them to the open recovery case, verify the proposal and expiry, then write a durable approval, rejection, or context event. Do not let a reply bypass recovery policy.

07

Close with a receipt

Record the exact rendered message, template and policy versions, source evidence, provider identity, delivery state, and user response. Link the final phone-native receipt to the complete operational record.

The notification state model

Delayed

The task is still active, but expected completion changed or the user might otherwise repeat it. State what is being checked and whether they should wait.

Action needed

The agent needs approval, updated information, authentication, or a choice. Name the proposal, response options, and expiry.

Unresolved or stopped

The system cannot safely continue, the user revoked intent, or a critical effect remains unknown. Preserve honest uncertainty and the next review step.

Recovered

The user-visible outcome is independently verified. Include the decisive result and relevant duplicate-prevention fact, not every internal action.

Product requirements

Evidence schema

Require structured state, effect classification, verification method, action, deadline, and detail references. Do not treat a free-form run summary as the source of truth.

Message identity

Separate recovery-event identity, notification milestone, outbound operation, provider message, and delivery event. Each answers a different deduplication question.

Channel policy

Support urgency, quiet hours, preferences, lock-screen sensitivity, authenticated links, fallback channels, and rate limits at user and tenant levels.

Conversation context

Preserve the original intent and thread while ensuring a reply cannot authorize changed inputs or a different recovery case.

Operator controls

Offer preview, suppress, send now, request approval, invalidate prompt, resend after confirmed absence, and terminate case controls with reason capture.

A four-phase implementation

Foundation

Define milestones

Map execution and effect states into delayed, action needed, unresolved, stopped, and recovered user states.

Identity

Deduplicate sends

Add stable milestone and operation identities, content fingerprints, provider IDs, and delivery reconciliation.

Interaction

Bind replies

Connect constrained replies to exact recovery proposals with authorization, version, and expiry checks.

Proof

Issue receipts

Store evidence revision, rendered content, policy decision, delivery, response, and final verified outcome.

The minimum notification data model

A reliable phone-native receipt needs more structure than recipient, body, and sent time.

The notification milestone record should identify the intent, recovery case, user state, audience, severity, evidence revision, creation time, and supersession rules. The composition record should preserve template version, constrained input fields, rendered content hash, redaction result, and any model-assisted rewrite.

The outbound operation record needs a stable logical key, recipient identity, channel, conversation linkage, provider request fingerprint, and attempt history. Provider message and delivery-event records should remain separate so a retry does not masquerade as another milestone and a late delivery event can reconcile a timeout.

For interactive messages, store the proposal identity, exact parameters, allowed replies, authorization scope, expiry, and current validity. A reply event should capture sender identity, received time, parsed choice, original message, and the policy decision that accepted or rejected it.

Finally, the recovery receipt should project these records alongside the operational evidence. It can show what state triggered the message, what the user was told, whether it arrived, what they replied, and how that reply affected the resumed agent run.

Applied personal-agent workflows

Text-message assistant

The original request, recovery update, approval reply, and final outcome remain one coherent conversation while delivery and effect identities prevent duplication.

See the messaging workflow

Computer-use recovery

After browser session loss, notify only when the user may repeat the task or needs to act. Send completion after inspecting the actual external postcondition.

Explore computer-use caching

Website release recovery

Request approval for a changed release plan and send the final revision and verified live state without narrating every deployment poll.

Review the website agent

Buyer checklist

Can it distinguish retry state from user state?

Does it preserve unknown external outcomes?

Are composition fields backed by structured evidence?

Can unsupported model claims be rejected?

Does every milestone have a stable identity?

Are provider timeouts reconciled before resend?

Can policy suppress quiet internal retries?

Are urgency, quiet hours, and preferences supported?

Do replies bind to an exact proposal and expiry?

Are changed inputs forced through fresh approval?

Can sensitive details move behind authenticated links?

Are previews and sends controlled by operator roles?

Does the receipt store exactly what was delivered?

Can support trace the message back to evidence?

What this software should not become

The category fails if it turns an intimate conversation into a noisy operations console.

Forwarding raw exceptions and tool names shifts interpretation to the user. Sending every retry trains them to ignore the channel. Generating reassuring prose before an external outcome is reconciled hides uncertainty. Reusing a generic “notification sent” flag across milestones makes duplicates difficult to detect.

Reply automation can also become dangerous when scope is loose. A user who approved one changed appointment time did not approve arbitrary future changes. The software must preserve proposal identity, input fingerprint, authorization scope, and expiry.

Finally, notification software cannot repair a workflow by itself. It needs stable intent and effect identities, durable events, reconciliation adapters, checkpoint controls, and independently verified outcomes. The messaging layer makes those controls legible and actionable; it does not replace them.

Frequently asked questions

Is this different from generic notification software?

Yes. It understands agent recovery states, external-effect ambiguity, checkpoint decisions, scoped approvals, and durable receipts. Generic notification tools can deliver a message but usually do not decide whether the recovery evidence supports it.

Does every failed run send an iMessage?

No. Notify only when user understanding changes, repeat-request risk rises, action is needed, recovery stops, or a final outcome is verified. Routine internal retries should stay quiet.

Can a model compose every message?

A model can improve clarity inside a constrained template. State, facts, action, deadline, and links must come from structured records. Unsupported completion or causal claims should fail validation.

How are duplicate messages prevented?

Use stable milestone and outbound operation identities. Persist the content fingerprint and provider message state. After a timeout, reconcile provider delivery before retrying the same logical send.

Can replies directly resume an agent?

Only after the system binds the reply to a specific proposal, checks identity, authorization, inputs, and expiry, and records a durable decision. The runtime should resume through guarded recovery controls.

What metrics matter?

Track meaningful messages per recovery case, duplicate sends prevented, approval response time, suppressed retry noise, delivery reconciliation time, unresolved-effect duration, user opt-outs, and final outcome verification.

Primary references

Make recovery feel like part of the conversation.

Super connects personal-agent work to phone-native messaging, computer use, and website operations where clear recovery states matter.

Explore Super