@team-agent/installer 0.2.0 → 0.2.2

package/src/team_agent/messaging/leader_panes.py

@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+import hashlib
+
 from team_agent.messaging.deps import (
     EventLog,
     RuntimeError,
@@ -9,6 +11,7 @@ from team_agent.messaging.deps import (
     _tmux_current_client_pane_info as _runtime_tmux_current_client_pane_info,
     _tmux_list_panes as _runtime_tmux_list_panes,
     _tmux_pane_info as _runtime_tmux_pane_info,
+    _tmux_inject_text,
     core_list_targets,
     datetime,
     os,
@@ -20,6 +23,8 @@ from team_agent.messaging.deps import (
 from pathlib import Path
 from typing import Any
 
+_AMBIGUOUS_DEBOUNCE_SECONDS = 60
+
 def _resolve_leader_pane(
     pane: str | None,
     provider: str,
@@ -208,17 +213,40 @@ def _target_fingerprint(pane_info: dict[str, Any]) -> str:
     )
 
 
+def is_bound_pane_still_valid(state: dict[str, Any], store: Any | None = None) -> dict[str, Any]:
+    receiver = dict(state.get("leader_receiver") or {})
+    owner = state.get("team_owner") if isinstance(state.get("team_owner"), dict) else {}
+    if owner and owner.get("leader_session_uuid") and not receiver.get("leader_session_uuid"):
+        receiver["leader_session_uuid"] = owner["leader_session_uuid"]
+    return _validate_leader_receiver(receiver)
+
+
 def _rediscover_leader_receiver(
     receiver: dict[str, Any],
     event_log: EventLog,
     owner_identity: dict[str, Any] | None = None,
+    invalidation_reason: str | None = None,
+    team_id: str | None = None,
 ) -> dict[str, Any]:
     provider = str(receiver.get("provider") or "codex")
-    if provider != "codex":
-        return {"status": "missing", "reason": "rediscovery_only_for_codex"}
+    if provider == "fake":
+        return {"status": "missing", "reason": "rediscovery_not_supported_for_fake"}
     targets = core_list_targets()
     if not targets.get("ok"):
         event_log.write("leader_receiver.rediscover_failed", provider=provider, error=targets.get("error"))
+        # Stage 15 CI fix: when the tmux target scan itself fails (no server, no daemon,
+        # CI env without tmux), the caller has no way to recover unless we also emit
+        # rebind_required. Without this, _refresh_leader_receiver_or_flag_rebind silently
+        # returns and report_result queues against the stale pane with zero audit signal.
+        event_log.write(
+            "leader_receiver.rebind_required",
+            old_pane_id=receiver.get("pane_id"),
+            reason=invalidation_reason,
+            provider=provider,
+            team_id=team_id,
+            rediscovery_status="failed",
+            error=targets.get("error"),
+        )
         return {"status": "failed", "error": targets.get("error")}
     candidates = [
         target
@@ -228,16 +256,26 @@ def _rediscover_leader_receiver(
     if owner_identity:
         owner_candidates = [target for target in candidates if _target_matches_owner_identity(target, owner_identity)]
         if len(owner_candidates) == 1:
-            return _rediscovered_receiver(receiver, provider, owner_candidates[0], event_log, owner_identity)
+            return _rediscovered_receiver(receiver, provider, owner_candidates[0], event_log, owner_identity, invalidation_reason)
         if len(owner_candidates) > 1:
+            incident = _broadcast_ambiguous_candidates(
+                receiver,
+                provider,
+                owner_candidates,
+                event_log,
+                owner_identity,
+                team_id,
+            )
             event_log.write(
                 "leader_receiver.rediscover_ambiguous",
                 provider=provider,
                 old_target=receiver.get("pane_id"),
                 candidates=[target.get("pane_id") for target in owner_candidates],
                 owner_identity=owner_identity,
+                incident_id=incident.get("incident_id"),
+                deduped=incident.get("deduped"),
             )
-            return {"status": "ambiguous", "candidates": owner_candidates, "owner_identity": owner_identity}
+            return {"status": "ambiguous", "candidates": owner_candidates, "owner_identity": owner_identity, **incident}
         event_log.write(
             "leader_receiver.rediscover_missing",
             provider=provider,
@@ -245,9 +283,19 @@ def _rediscover_leader_receiver(
             owner_identity=owner_identity,
             candidate_count=len(candidates),
         )
+        event_log.write(
+            "leader_receiver.rebind_required",
+            old_pane_id=receiver.get("pane_id"),
+            reason=invalidation_reason,
+            provider=provider,
+            team_id=team_id,
+            uuid_prefix=_uuid_prefix(owner_identity),
+            owner_identity=owner_identity,
+            recovery_action="open the owning leader pane or run team-agent claim-leader --confirm from a matching pane",
+        )
         return {"status": "missing", "owner_identity": owner_identity}
     if len(candidates) == 1:
-        return _rediscovered_receiver(receiver, provider, candidates[0], event_log, None)
+        return _rediscovered_receiver(receiver, provider, candidates[0], event_log, None, invalidation_reason)
     if len(candidates) > 1:
         event_log.write(
             "leader_receiver.rediscover_ambiguous",
@@ -255,12 +303,19 @@ def _rediscover_leader_receiver(
             old_target=receiver.get("pane_id"),
             candidates=[target.get("pane_id") for target in candidates],
         )
+        event_log.write("leader_receiver.rebind_required", old_pane_id=receiver.get("pane_id"), reason=invalidation_reason, provider=provider, team_id=team_id, rediscovery_status="ambiguous")
         return {"status": "ambiguous", "candidates": candidates}
     event_log.write("leader_receiver.rediscover_missing", provider=provider, old_target=receiver.get("pane_id"))
+    event_log.write("leader_receiver.rebind_required", old_pane_id=receiver.get("pane_id"), reason=invalidation_reason, provider=provider, team_id=team_id, rediscovery_status="missing")
     return {"status": "missing"}
 
 
 def _target_matches_owner_identity(target: dict[str, Any], owner_identity: dict[str, Any]) -> bool:
+    expected_uuid = owner_identity.get("leader_session_uuid")
+    if expected_uuid:
+        actual_uuid = _target_leader_session_uuid(target)
+        if actual_uuid:
+            return actual_uuid == expected_uuid
     env = target.get("leader_env") if isinstance(target.get("leader_env"), dict) else {}
     return (
         env.get("TEAM_AGENT_LEADER_PANE_ID") == (owner_identity.get("pane_id") or "")
@@ -269,14 +324,31 @@ def _target_matches_owner_identity(target: dict[str, Any], owner_identity: dict[
     )
 
 
-def _rediscovered_receiver(
-    receiver: dict[str, Any],
-    provider: str,
-    target: dict[str, Any],
-    event_log: EventLog,
-    owner_identity: dict[str, Any] | None,
-) -> dict[str, Any]:
-    updated = {
+def _target_leader_session_uuid(target: dict[str, Any]) -> str:
+    env = target.get("leader_env") if isinstance(target.get("leader_env"), dict) else {}
+    return str(target.get("leader_session_uuid") or env.get("TEAM_AGENT_LEADER_SESSION_UUID") or "")
+
+
+def _leader_uuid_for_bound_pane(receiver: dict[str, Any], pane_info: dict[str, Any]) -> str:
+    direct = _target_leader_session_uuid(pane_info) or _target_leader_session_uuid(receiver)
+    if direct:
+        return direct
+    targets = core_list_targets()
+    if not targets.get("ok"):
+        return ""
+    pane_id = pane_info.get("pane_id")
+    for target in targets.get("targets", []):
+        if target.get("pane_id") == pane_id:
+            return _target_leader_session_uuid(target)
+    return ""
+
+
+def _uuid_prefix(owner_identity: dict[str, Any] | None) -> str:
+    return str((owner_identity or {}).get("leader_session_uuid") or "")[:8]
+
+
+def _receiver_from_target(target: dict[str, Any], provider: str, leader_uuid: str | None, owner_epoch: int | None = None) -> dict[str, Any]:
+    receiver = {
         "mode": "direct_tmux",
         "status": "attached",
         "provider": provider,
@@ -289,8 +361,83 @@ def _rediscovered_receiver(
         "pane_current_command": target["pane_current_command"],
         "fingerprint": target.get("fingerprint") or _target_fingerprint(target),
         "attached_at": datetime.now(timezone.utc).isoformat(),
-        "discovery": "stale_rediscovery_owner_identity" if owner_identity else "stale_rediscovery_unique_candidate",
     }
+    if leader_uuid:
+        receiver["leader_session_uuid"] = leader_uuid
+    if owner_epoch is not None:
+        receiver["owner_epoch"] = owner_epoch
+    return receiver
+
+
+def _broadcast_ambiguous_candidates(
+    receiver: dict[str, Any],
+    provider: str,
+    candidates: list[dict[str, Any]],
+    event_log: EventLog,
+    owner_identity: dict[str, Any],
+    team_id: str | None,
+) -> dict[str, Any]:
+    candidate_ids = sorted(str(candidate.get("pane_id")) for candidate in candidates)
+    bucket = _ambiguous_debounce_bucket()
+    incident_id = hashlib.sha256("\0".join([str(team_id or ""), *candidate_ids, bucket]).encode("utf-8")).hexdigest()[:16]
+    if any(event.get("event") == "leader_receiver.ambiguous_candidates" and event.get("incident_id") == incident_id for event in event_log.tail(200)):
+        return {"incident_id": incident_id, "deduped": True}
+    prompt = _ambiguous_candidate_prompt(team_id, len(candidates))
+    event_log.write(
+        "leader_receiver.ambiguous_candidates",
+        incident_id=incident_id,
+        old_pane_id=receiver.get("pane_id"),
+        candidates=candidate_ids,
+        provider=provider,
+        team_id=team_id,
+        uuid_prefix=_uuid_prefix(owner_identity),
+        debounce_bucket=bucket,
+    )
+    for candidate in candidates:
+        pane_id = str(candidate.get("pane_id") or "")
+        injected = _tmux_inject_text(
+            pane_id,
+            prompt,
+            "Enter",
+            f"team-agent-leader-ambiguous-{incident_id}-{pane_id.strip('%')}",
+            provider=provider,
+        )
+        event_log.write(
+            "leader_receiver.ambiguous_candidate_queued",
+            incident_id=incident_id,
+            pane_id=pane_id,
+            ok=bool(injected.get("ok")),
+            error=injected.get("error"),
+        )
+    return {"incident_id": incident_id, "deduped": False}
+
+
+def _ambiguous_debounce_bucket() -> str:
+    now = datetime.now(timezone.utc)
+    epoch = int(now.timestamp() // _AMBIGUOUS_DEBOUNCE_SECONDS) * _AMBIGUOUS_DEBOUNCE_SECONDS
+    return datetime.fromtimestamp(epoch, timezone.utc).isoformat()
+
+
+def _ambiguous_candidate_prompt(team_id: str | None, candidate_count: int) -> str:
+    others = max(candidate_count - 1, 0)
+    return (
+        f"Team `{team_id or 'current'}` has no bound leader. This window and {others} other window(s) all qualify. "
+        "To claim this window as the team leader, run: `team-agent claim-leader --confirm`. "
+        "Only the first such call wins; subsequent calls from other windows will be refused."
+    )
+
+
+def _rediscovered_receiver(
+    receiver: dict[str, Any],
+    provider: str,
+    target: dict[str, Any],
+    event_log: EventLog,
+    owner_identity: dict[str, Any] | None,
+    invalidation_reason: str | None = None,
+) -> dict[str, Any]:
+    leader_uuid = _target_leader_session_uuid(target) or (owner_identity or {}).get("leader_session_uuid") or receiver.get("leader_session_uuid")
+    updated = _receiver_from_target(target, provider, leader_uuid)
+    updated["discovery"] = "stale_rediscovery_owner_identity" if owner_identity else "stale_rediscovery_unique_candidate"
     event_log.write(
         "leader_receiver.rediscovered",
         provider=provider,
@@ -299,6 +446,14 @@ def _rediscovered_receiver(
         candidate_count=1,
         owner_identity=owner_identity,
     )
+    event_log.write(
+        "leader_receiver.rebind_applied",
+        old_pane_id=receiver.get("pane_id"),
+        new_pane_id=updated["pane_id"],
+        reason=invalidation_reason,
+        owner_identity=owner_identity,
+        uuid_prefix=_uuid_prefix(owner_identity),
+    )
     return {"status": "updated", "receiver": updated, "owner_identity": owner_identity}
 
 
@@ -306,6 +461,26 @@ def _validate_leader_receiver(receiver: dict[str, Any]) -> dict[str, Any]:
     pane_info = _runtime_tmux_pane_info(receiver.get("pane_id"))
     if not pane_info:
         return {"ok": False, "reason": "leader_pane_missing", "error": "tmux pane does not exist"}
+    provider = str(receiver.get("provider") or "codex")
+    if not _leader_command_looks_usable(pane_info.get("pane_current_command", ""), provider):
+        return {
+            "ok": False,
+            "reason": "leader_pane_wrong_command",
+            "error": f"pane command {pane_info.get('pane_current_command')!r} is not a leader host",
+            "pane": pane_info,
+        }
+    expected_uuid = receiver.get("leader_session_uuid")
+    if expected_uuid:
+        actual_uuid = _leader_uuid_for_bound_pane(receiver, pane_info)
+        if not actual_uuid:
+            return {"ok": False, "reason": "leader_uuid_missing", "error": "bound pane has no TEAM_AGENT_LEADER_SESSION_UUID", "pane": pane_info}
+        if actual_uuid != expected_uuid:
+            return {
+                "ok": False,
+                "reason": "leader_uuid_mismatch",
+                "error": "bound pane TEAM_AGENT_LEADER_SESSION_UUID does not match stored team owner",
+                "pane": pane_info,
+            }
     capture = run_cmd(["tmux", "capture-pane", "-p", "-S", "-40", "-t", pane_info["pane_id"]], timeout=5)
     if capture.returncode != 0:
         return {
@@ -314,14 +489,7 @@ def _validate_leader_receiver(receiver: dict[str, Any]) -> dict[str, Any]:
             "error": capture.stderr.strip() or "tmux capture-pane failed",
             "pane": pane_info,
         }
-    warning = None
-    provider = str(receiver.get("provider") or "codex")
-    if not _leader_command_looks_usable(pane_info.get("pane_current_command", ""), provider):
-        warning = (
-            f"pane command {pane_info.get('pane_current_command')!r} is not a typical {provider} host; "
-            "continuing because tmux capture works"
-        )
-    return {"ok": True, "pane": pane_info, "capture": capture.stdout, "warning": warning}
+    return {"ok": True, "pane": pane_info, "capture": capture.stdout, "warning": None}
 
 
 def _leader_command_looks_usable(command: str, provider: str) -> bool:
@@ -330,7 +498,9 @@ def _leader_command_looks_usable(command: str, provider: str) -> bool:
     command_name = Path(command).name
     if provider == "codex":
         return command_name in {"codex", "node", "nodejs"}
-    return bool(command_name)
+    if provider in {"claude", "claude_code"}:
+        return command_name in {"claude", "claude.exe"}
+    return command_name in {"codex", "node", "nodejs", "claude", "claude.exe"}
 
 
 def _choose_leader_submit_key(provider: str, capture_text: str) -> tuple[str, str]:

package/src/team_agent/messaging/owner_bypass.py

@@ -0,0 +1,29 @@
+from __future__ import annotations
+
+from typing import Any
+
+from team_agent.events import EventLog
+from team_agent.state import worker_sender_bypasses_owner_gate
+
+
+def apply_worker_sender_bypass(
+    state: dict[str, Any],
+    sender: str | None,
+    target: Any,
+    task_id: str | None,
+    event_log: EventLog,
+) -> bool:
+    via = worker_sender_bypasses_owner_gate(state, sender)
+    if not via:
+        return False
+    event_log.write(
+        "send.bypassed_owner_gate_worker_sender",
+        sender=sender,
+        env_team_agent_id=via,
+        target=target if isinstance(target, str) else None,
+        task_id=task_id,
+    )
+    return True
+
+
+__all__ = ["apply_worker_sender_bypass"]

package/src/team_agent/messaging/result_delivery.py

@@ -1,11 +1,14 @@
 from __future__ import annotations
 
 import json
+from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any
 
 from team_agent.events import EventLog
 from team_agent.message_store import MessageStore
+from team_agent.message_store.leader_notification_log import peek_leader_notification
+from team_agent.message_store.result_watchers import leader_notified_message_id_for_result
 from team_agent.messaging.deps import send_message
 from team_agent.messaging.internal_delivery import deliver_stored_message
 
@@ -22,7 +25,13 @@ def retry_result_deliveries(workspace: Path, event_log: EventLog) -> list[dict[s
         row = store.result_by_id(str(watcher["result_id"]))
         if not row:
             continue
-        notified.extend(notify_result_watchers(workspace, _result_entry_from_row(row), event_log, watchers=[watcher]))
+        notified.extend(notify_result_watchers(
+            workspace,
+            _result_entry_from_row(row),
+            event_log,
+            watchers=[watcher],
+            dedupe_reason="rebind_retry",
+        ))
     return notified
 
 
@@ -31,6 +40,7 @@ def notify_result_watchers(
     result: dict[str, Any],
     event_log: EventLog,
     watchers: list[dict[str, Any]] | None = None,
+    dedupe_reason: str | None = None,
 ) -> list[dict[str, Any]]:
     store = MessageStore(workspace)
     candidates = [
@@ -67,9 +77,44 @@ def notify_result_watchers(
             }
         )
     attempts = result_delivery_attempts(event_log, primary["watcher_id"], str(result.get("result_id") or ""))
+    # Stage 12 (Gap 26 ∩ Gap 32 roundtable consolidation 2026-05-26): exactly-once dedupe
+    # lives in leader_notification_log keyed by (result_id, leader_session_uuid) and is
+    # consulted atomically at the injection boundary inside _send_to_leader_receiver. Here
+    # we add a read-only fast-path peek so concurrent notify_result_watchers calls for the
+    # same result short-circuit without spinning up a deliver_stored_message round-trip.
+    # The peek is NOT the dedupe primitive — the atomic INSERT OR IGNORE at injection is.
+    result_id_str = str(result.get("result_id") or "") or None
+    if result_id_str:
+        leader_uuid = _resolve_leader_session_uuid(workspace, primary.get("owner_team_id"))
+        if leader_uuid:
+            prior = peek_leader_notification(
+                store, result_id=result_id_str, leader_session_uuid=leader_uuid,
+            )
+            if prior:
+                notified.append(_mark_watcher_dedupe_skip(
+                    store, event_log, primary, result, attempts,
+                    prior["notified_message_id"],
+                    dedupe_reason or "injection_log_already_notified",
+                    notified_at=prior.get("notified_at"),
+                    leader_session_uuid=leader_uuid,
+                ))
+                return notified
+        # Legacy compat: watcher.notified_message_id set by a prior path (Gap 32 reversal of
+        # 78055bc, or any pre-Stage-12 code) also blocks redelivery. This preserves the
+        # Stage 11.9-11.12 era contract while the new gate (leader_notification_log) is the
+        # authoritative dedupe primitive going forward.
+        legacy_canonical = leader_notified_message_id_for_result(
+            store, primary.get("owner_team_id"), result_id_str,
+        )
+        if legacy_canonical:
+            notified.append(_mark_watcher_dedupe_skip(
+                store, event_log, primary, result, attempts,
+                legacy_canonical,
+                dedupe_reason or "rebind_retry",
+            ))
+            return notified
     existing = delivered_result_message(
-        store,
-        str(result.get("result_id") or ""),
+        store, str(result.get("result_id") or ""),
         task_id=result.get("task_id"),
         owner_team_id=primary.get("owner_team_id"),
     )
@@ -83,6 +128,75 @@ def notify_result_watchers(
     return notified
 
 
+def _resolve_leader_session_uuid(workspace: Path, owner_team_id: str | None) -> str | None:
+    """Helper: read the team's leader_session_uuid from runtime state for gate lookups."""
+    try:
+        from team_agent.messaging.deps import load_runtime_state, team_state_key
+        state = load_runtime_state(workspace)
+        if owner_team_id and isinstance(state.get("teams"), dict):
+            scoped = state["teams"].get(owner_team_id)
+            if isinstance(scoped, dict):
+                state = scoped
+        elif owner_team_id and team_state_key(state) != owner_team_id:
+            return None
+        owner = state.get("team_owner") or {}
+        return str(owner.get("leader_session_uuid") or "") or None
+    except Exception:
+        return None
+
+
+def _infer_dedupe_reason(primary: dict[str, Any], store: MessageStore) -> str:
+    if primary.get("notified_message_id"):
+        return "rebind_retry"
+    return "watcher_duplicate"
+
+
+def _mark_watcher_dedupe_skip(
+    store: MessageStore,
+    event_log: EventLog,
+    watcher: dict[str, Any],
+    result: dict[str, Any],
+    attempts: int,
+    canonical_message_id: str,
+    reason: str,
+    *,
+    notified_at: str | None = None,
+    leader_session_uuid: str | None = None,
+) -> dict[str, Any]:
+    original_message_id = watcher.get("notified_message_id")
+    # Stage 12: the canonical message_id (or sentinel from the gate) is auditing metadata
+    # here. The authoritative dedupe gate is leader_notification_log; this mark just keeps
+    # the watcher row from being re-picked by retry scans.
+    store.mark_result_watcher(
+        watcher["watcher_id"],
+        "notified",
+        result_id=result.get("result_id"),
+        notified_message_id=canonical_message_id,
+    )
+    event_log.write(
+        "leader_receiver.notification_dedupe_skip",
+        result_id=result.get("result_id"),
+        original_message_id=original_message_id,
+        suppressed_message_id=canonical_message_id,
+        reason=reason,
+        team_id=watcher.get("owner_team_id"),
+        watcher_id=watcher["watcher_id"],
+        task_id=result.get("task_id"),
+        agent_id=result.get("agent_id"),
+        attempt=attempts + 1,
+        leader_session_uuid=leader_session_uuid,
+        prior_notified_at=notified_at,
+    )
+    return {
+        "watcher_id": watcher["watcher_id"],
+        "result_id": result.get("result_id"),
+        "ok": True,
+        "message_id": canonical_message_id,
+        "deduped": True,
+        "dedupe_reason": reason,
+    }
+
+
 def _dedupe_watchers_for_result(
     watchers: list[dict[str, Any]],
 ) -> tuple[dict[str, Any], list[dict[str, Any]]]:
@@ -114,11 +228,19 @@ def _deliver_result_to_watcher(
         return _mark_delivery_failed(store, event_log, watcher, result, attempts, str(exc))
     status = "notified" if delivery.get("ok") else "notify_failed"
     error = delivery.get("reason") or delivery.get("error")
+    # Stage 12: notified_message_id is now auditing metadata. The exactly-once contract
+    # lives in the leader_notification_log table consulted by _send_to_leader_receiver;
+    # whatever the gate suppresses comes back as ok=true deduped=true, and the watcher row
+    # records this as a successful notification with the canonical message_id.
+    persisted_message_id = (
+        delivery.get("canonical_message_id") if delivery.get("deduped")
+        else (delivery.get("message_id") if delivery.get("ok") else None)
+    )
     store.mark_result_watcher(
         watcher["watcher_id"],
         status,
         result_id=result.get("result_id"),
-        notified_message_id=delivery.get("message_id"),
+        notified_message_id=persisted_message_id,
         error=error,
     )
     event_log.write(
@@ -279,6 +401,99 @@ def watcher_matches_result(watcher: dict[str, Any], result: dict[str, Any]) -> b
     return (not task_id or task_id == result.get("task_id")) and (not agent_id or agent_id == result.get("agent_id"))
 
 
+def requeue_after_claim_leader(
+    workspace: Path,
+    store: MessageStore,
+    event_log: EventLog,
+    owner_team_id: str,
+    claimed_pane_id: str,
+    *,
+    incident_ts: str | None = None,
+) -> list[dict[str, Any]]:
+    """Post-claim hook (Gap 26 / Mac mini Stage 11 Scenarios 3, 11.10): re-route every
+    not-yet-delivered leader-bound notification to the newly claimed pane. Returns the
+    list of requeued watcher records (may be empty).
+
+    Stage 11.10 semantic reframe: claim-leader means "all not-yet-delivered leader-bound
+    notifications for this team_id reroute to the claimed pane". Watcher status is
+    irrelevant — `notified_message_id` is the only dedupe gate. Gap 32 exactly-once
+    contract still holds: notified_message_id non-null blocks redelivery.
+
+    Selection rules:
+      - watcher is scoped to this team (owner_team_id match)
+      - watcher has no notified_message_id (Gap 32 once-only)
+      - watcher's latest activity timestamp (completed_at fallback created_at) is
+        at-or-after incident_ts when provided; without an incident_ts every
+        un-notified watcher is requeued.
+      - watcher status is otherwise ignored (pending / delivery_blocked /
+        delivery_exhausted / notify_failed all become candidates).
+
+    Atomicity vs coordinator's own scheduled retry: just before flipping a watcher's
+    status, re-fetch the row from the store. If notified_message_id became non-null
+    in the gap (the scheduled retry beat us), emit a benign
+    leader_receiver.claim_requeue_already_in_flight event and skip. If the race
+    leaks past this check, Gap 32 dedupe inside notify_result_watchers still
+    guarantees exactly-once injection.
+    """
+    # Stage 11.12: CAS re-fetch + claim_requeue_already_in_flight event retired. The atomic
+    # UPSERT in notify_result_watchers (claim_leader_notification) is now the single race
+    # gate. We mark eligible watchers to notify_failed and let retry_result_deliveries route
+    # through the UPSERT — concurrent claim/scheduled-retry paths both pass through the
+    # same atomic claim and only one fires deliver_attempt.
+    incident_dt = _parse_iso(incident_ts)
+    requeued: list[dict[str, Any]] = []
+    for watcher in store.result_watchers(owner_team_id=owner_team_id):
+        if watcher.get("notified_message_id"):
+            continue
+        latest_ts = _parse_iso(watcher.get("completed_at")) or _parse_iso(watcher.get("created_at"))
+        if incident_dt and latest_ts and latest_ts < incident_dt:
+            continue
+        watcher_id = watcher["watcher_id"]
+        prior_state = str(watcher.get("status") or "")
+        store.mark_result_watcher(
+            watcher_id, "notify_failed",
+            result_id=watcher.get("result_id"),
+        )
+        event_log.write(
+            "leader_receiver.claim_requeue",
+            result_id=watcher.get("result_id"),
+            watcher_id=watcher_id,
+            prior_state=prior_state,
+            requeued_at=datetime.now(timezone.utc).isoformat(),
+            claimed_pane_id=claimed_pane_id,
+            team_id=owner_team_id,
+        )
+        requeued.append({
+            "watcher_id": watcher_id,
+            "result_id": watcher.get("result_id"),
+            "prior_state": prior_state,
+        })
+    if requeued:
+        try:
+            retry_result_deliveries(workspace, event_log)
+        except Exception as exc:
+            event_log.write(
+                "leader_receiver.claim_requeue_delivery_failed",
+                error=str(exc),
+                watcher_ids=[r["watcher_id"] for r in requeued],
+                team_id=owner_team_id,
+                claimed_pane_id=claimed_pane_id,
+            )
+    return requeued
+
+
+def _parse_iso(text: Any) -> datetime | None:
+    if not isinstance(text, str) or not text:
+        return None
+    try:
+        dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
+    except ValueError:
+        return None
+    if dt.tzinfo is None:
+        dt = dt.replace(tzinfo=timezone.utc)
+    return dt
+
+
 def format_result_watcher_notification(result: dict[str, Any]) -> str:
     task_id = result.get("task_id") or "unknown task"
     agent_id = result.get("agent_id") or "unknown agent"