@team-agent/installer 0.2.2 → 0.2.4

package/src/team_agent/messaging/leader_api_errors.py

@@ -0,0 +1,216 @@
+"""Gap 28 (Slice 2 Stage 2): observe-only detection of leader-pane API errors.
+
+The coordinator tick captures the leader pane scrollback once per cycle, scans it for
+known upstream-API error patterns (Claude/Codex CLI errors that occur mid-turn), and
+emits a structured `leader.api_error` audit event. The intent is observability — auto-
+retry belongs to the upstream CLI; this module never touches the pane.
+
+Event schema (logged via EventLog.write):
+
+  event:                          'leader.api_error'
+  ts:                             ISO-8601 UTC (added by EventLog)
+  leader_session_uuid:            str | None
+  error_class:                    'Overloaded' | 'RateLimit' | 'Timeout' |
+                                  'NetworkError' | 'Unknown'
+  provider:                       'claude' | 'codex' | 'claude_code' | str | None
+  partial_response_streamed:      bool  (heuristic: assistant text before the error)
+  worker_dispatch_just_before:    list[str]  (leader→worker msg_ids in the prior 60s)
+  retry_count:                    int   (always 0 — the framework does not retry today)
+  matched_pattern_snippet:        str   (the captured error line, ≤160 chars)
+
+Detection dedupes within the coordinator state via a (error_class, snippet-tail)
+fingerprint stored under `state['coordinator']['last_api_error_fingerprint']`. A
+clean tick (no error pattern present) clears the fingerprint so the next genuine
+error re-emits. This keeps event volume bounded while still catching distinct
+errors as they occur.
+"""
+from __future__ import annotations
+
+import re
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from typing import Any, Callable
+
+from team_agent.events import EventLog
+from team_agent.message_store import MessageStore
+
+
+# Spark MEDIUM sweeps (2026-05-26):
+# (#3) Require an API/provider context marker near the error keyword. Bare '503' /
+#      'fetch failed' / 'timed out' in user text used to false-fire.
+# (#7) Match across short sliding windows of 1-3 adjacent lines so wrapped tmux
+#      output ("claude:\n  request timed out") still resolves to a single
+#      detection. Window joined with a single space; capped at _WINDOW_MAX_CHARS
+#      so the scan stays bounded.
+_API_CONTEXT = (
+    r"(?:API\s+Error|HTTP\s*Error|HTTPError|request\s+failed|"
+    r"codex|claude|Anthropic|OpenAI|TypeError)"
+)
+
+# Patterns operate against a sliding window of up to 3 joined lines. The window
+# never contains '\n' (lines are joined with a single space), so `[^\n]` and `.`
+# behave the same; we use `[^\n]` for self-documentation.
+_ERROR_PATTERNS: list[tuple[re.Pattern[str], str]] = [
+    # Overloaded — keyword itself already includes the "API Error:" prefix.
+    (re.compile(r"API\s+Error:\s*Overloaded", re.IGNORECASE), "Overloaded"),
+    # RateLimit — 429 with "Too Many Requests" is sufficiently specific; require it
+    # appear AFTER an API context marker OR before "Too Many Requests" tightly.
+    (re.compile(rf"(?:{_API_CONTEXT}[^\n]*\b429\b|\b429\s+Too\s+Many\s+Requests)", re.IGNORECASE), "RateLimit"),
+    # 5xx — must share a window with an API-context marker on either side.
+    (re.compile(rf"{_API_CONTEXT}[^\n]{{0,200}}\b5(?:00|02|03|04)\b", re.IGNORECASE), "NetworkError"),
+    (re.compile(rf"\b5(?:00|02|03|04)\b[^\n]{{0,200}}{_API_CONTEXT}", re.IGNORECASE), "NetworkError"),
+    # fetch failed — needs an API-context marker in the same window. The TypeError
+    # marker on its own counts (Node fetch frames the error this way).
+    (re.compile(rf"{_API_CONTEXT}[^\n]{{0,200}}fetch\s+failed", re.IGNORECASE), "NetworkError"),
+    (re.compile(rf"fetch\s+failed[^\n]{{0,200}}{_API_CONTEXT}", re.IGNORECASE), "NetworkError"),
+    # Timeout — likewise requires an API-context marker in the window, except for
+    # the unambiguous syscall token ETIMEDOUT.
+    (re.compile(rf"{_API_CONTEXT}[^\n]{{0,200}}(?:request|connection)\s+(?:timed\s+out|timeout)", re.IGNORECASE), "Timeout"),
+    (re.compile(rf"(?:request|connection)\s+(?:timed\s+out|timeout)[^\n]{{0,200}}{_API_CONTEXT}", re.IGNORECASE), "Timeout"),
+    (re.compile(r"\bETIMEDOUT\b", re.IGNORECASE), "Timeout"),
+]
+
+_RECENT_LINE_WINDOW = 100        # scan only the most recent N lines
+_SLIDING_WINDOW_LINES = 3        # join up to 3 adjacent lines per scan window
+_WINDOW_MAX_CHARS = 400          # discard windows beyond this length to bound work
+_DISPATCH_WINDOW_SECONDS = 60    # leader→worker sends counted within this lookback
+_PARTIAL_RESPONSE_HEAD_BYTES = 4000
+
+_PARTIAL_RESPONSE_HINT = re.compile(
+    r"(?:^|\n)\s*(?:Assistant|⏺|●|> |I'll |I will |I'm |I am |Let me )",
+    re.IGNORECASE,
+)
+
+
+def detect_leader_api_errors(
+    workspace: Path,
+    state: dict[str, Any],
+    store: MessageStore,
+    event_log: EventLog,
+    *,
+    capture_fn: Callable[[str], dict[str, Any]] | None = None,
+    now_fn: Callable[[], datetime] | None = None,
+) -> list[dict[str, Any]]:
+    """Coordinator-tick entry point. Returns a list of emitted events (0 or 1)."""
+    receiver = state.get("leader_receiver") or {}
+    pane = receiver.get("pane_id") if receiver.get("mode") == "direct_tmux" else None
+    if not pane:
+        return []
+    capture_fn = capture_fn or _default_capture_fn()
+    capture = capture_fn(str(pane))
+    if not capture.get("ok"):
+        return []
+    scrollback = str(capture.get("capture") or "")
+    coordinator_state = state.setdefault("coordinator", {})
+    found = _match_first_error(scrollback)
+    if not found:
+        if coordinator_state.get("last_api_error_fingerprint"):
+            coordinator_state["last_api_error_fingerprint"] = None
+        return []
+    error_class, snippet = found
+    fingerprint = f"{error_class}::{snippet[-120:]}"
+    if coordinator_state.get("last_api_error_fingerprint") == fingerprint:
+        return []
+    coordinator_state["last_api_error_fingerprint"] = fingerprint
+    now = (now_fn() if now_fn else datetime.now(timezone.utc))
+    cutoff_iso = (now - timedelta(seconds=_DISPATCH_WINDOW_SECONDS)).isoformat()
+    leader_uuid = (
+        str((state.get("team_owner") or {}).get("leader_session_uuid") or "")
+        or str(receiver.get("leader_session_uuid") or "")
+        or None
+    )
+    provider = str(receiver.get("provider") or "") or None
+    event = event_log.write(
+        "leader.api_error",
+        leader_session_uuid=leader_uuid,
+        error_class=error_class,
+        provider=provider,
+        partial_response_streamed=_scrollback_has_partial_response(scrollback, snippet),
+        worker_dispatch_just_before=_recent_leader_dispatches(store, cutoff_iso),
+        retry_count=0,
+        matched_pattern_snippet=snippet[:160],
+    )
+    return [event]
+
+
+def _default_capture_fn() -> Callable[[str], dict[str, Any]]:
+    from team_agent.messaging.deps import _capture_tmux_pane_text
+    return _capture_tmux_pane_text
+
+
+def _match_first_error(scrollback: str) -> tuple[str, str] | None:
+    """Spark MEDIUM #7: sliding window of 1..N adjacent lines. Lines inside a
+    window are joined with a single space so a wrapped pair such as
+        claude:
+          request timed out
+    is detected as one event without permitting unbounded cross-line matches.
+    Latest window wins so the freshest error is reported."""
+    if not scrollback:
+        return None
+    lines = [line.strip() for line in scrollback.splitlines()[-_RECENT_LINE_WINDOW:]]
+    if not lines:
+        return None
+    best: tuple[int, str, str] | None = None
+    for start in range(len(lines)):
+        for size in range(1, _SLIDING_WINDOW_LINES + 1):
+            end = start + size
+            if end > len(lines):
+                break
+            window = " ".join(line for line in lines[start:end] if line)
+            if not window:
+                continue
+            # Spark MEDIUM sweep #3 (2026-05-26): tail-preserve instead of
+            # dropping the window wholesale. Errors land at the END of verbose
+            # diagnostics (stack traces, retry chatter, etc.). If we discarded
+            # any window over the cap we silently lost recall on long wrapped
+            # output. Scanning the LAST _WINDOW_MAX_CHARS still bounds regex
+            # cost while keeping the freshest context — the bit most likely to
+            # contain the actual provider error keyword.
+            if len(window) > _WINDOW_MAX_CHARS:
+                window = window[-_WINDOW_MAX_CHARS:]
+            for pattern, error_class in _ERROR_PATTERNS:
+                match = pattern.search(window)
+                if not match:
+                    continue
+                snippet = window[:240]
+                if best is None or start > best[0]:
+                    best = (start, error_class, snippet)
+                # First match per window is enough; later windows may override.
+                break
+    if best is None:
+        return None
+    return best[1], best[2]
+
+
+def _scrollback_has_partial_response(scrollback: str, error_snippet: str) -> bool:
+    idx = scrollback.rfind(error_snippet)
+    if idx == -1:
+        return False
+    head = scrollback[max(0, idx - _PARTIAL_RESPONSE_HEAD_BYTES): idx]
+    return bool(_PARTIAL_RESPONSE_HINT.search(head))
+
+
+def _recent_leader_dispatches(store: MessageStore, cutoff_iso: str) -> list[str]:
+    out: list[str] = []
+    try:
+        rows = store.messages()
+    except Exception:
+        return out
+    for row in rows:
+        sender = str(row.get("sender") or "")
+        if sender not in {"leader", "Leader"} and not _looks_like_leader_sender(sender):
+            continue
+        created = str(row.get("created_at") or "")
+        if not created or created < cutoff_iso:
+            continue
+        msg_id = str(row.get("message_id") or "")
+        if msg_id:
+            out.append(msg_id)
+    return out
+
+
+def _looks_like_leader_sender(sender: str) -> bool:
+    return sender.startswith("leader") or sender.lower() == "leader"
+
+
+__all__ = ["detect_leader_api_errors"]

package/src/team_agent/messaging/leader_panes.py

@@ -392,6 +392,9 @@ def _broadcast_ambiguous_candidates(
         team_id=team_id,
         uuid_prefix=_uuid_prefix(owner_identity),
         debounce_bucket=bucket,
+        # C16/C22: two or more live candidates remain; each must explicitly claim
+        # with --confirm, so the broadcast carries the closed-enum lease reason.
+        reason="force_confirm_required",
     )
     for candidate in candidates:
         pane_id = str(candidate.get("pane_id") or "")
@@ -503,6 +506,297 @@ def _leader_command_looks_usable(command: str, provider: str) -> bool:
     return command_name in {"codex", "node", "nodejs", "claude", "claude.exe"}
 
 
+def attempt_trust_auto_answer(
+    workspace: Path,
+    pane_id: str | None,
+    pane_capture_tail: str,
+    event_log: EventLog,
+    *,
+    spec: dict[str, Any] | None = None,
+    state: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    """Gap 29 (Slice 2 Stage 2) — opt-in auto-answer of the codex first-run trust prompt.
+
+    Called by the inject path when developer's structured envelope reports
+    detected=='codex_trust_prompt'. Auto-answers ONLY when both:
+      (1) runtime is opted in. The PREFERRED opt-in is the per-session env var
+          TEAM_AGENT_AUTO_TRUST_OWN_WORKSPACE in {1,true,yes,on}. The legacy
+          spec.runtime.auto_trust_own_workspace=True path is still honoured for
+          backwards compatibility but is DEPRECATED (constitution-reviewer F3:
+          a YAML field permanently erases the trust prompt's cognitive moment
+          across all sessions, defeating its purpose). The spec path will be
+          removed in 0.3.0.
+      (2) the trust-prompt pane capture references this workspace's absolute path
+          (so a worker can only trust its own dir, never some arbitrary path).
+
+    On match, sends '1' + Enter to the pane and emits
+    leader_panes.trust_auto_answered. Default is opt-out — every refusal returns
+    answered=False with a structured reason and the existing failure envelope
+    bubbles up unchanged.
+
+    Return: {"ok": bool, "answered": bool, "reason": str, ...}
+    """
+    if spec is None and state is not None:
+        spec_path_str = state.get("spec_path")
+        if spec_path_str:
+            try:
+                from team_agent.spec import load_spec as _load_spec
+                spec = _load_spec(Path(spec_path_str))
+            except Exception:
+                spec = None
+    if not _auto_trust_opt_in(spec, event_log=event_log):
+        # Spark LOW #6: emit a structured event so the not-opted-in branch is
+        # as observable as the workspace_dir_mismatch / tmux_send_keys_failed
+        # branches. Keeps the decision matrix uniformly auditable.
+        event_log.write(
+            "leader_panes.trust_auto_answer_skipped",
+            pane_id=pane_id,
+            workspace=str(workspace),
+            reason="not_opted_in",
+        )
+        return {"ok": False, "answered": False, "reason": "not_opted_in"}
+    if not pane_id:
+        event_log.write(
+            "leader_panes.trust_auto_answer_skipped",
+            pane_id=None,
+            workspace=str(workspace),
+            reason="pane_id_missing",
+        )
+        return {"ok": False, "answered": False, "reason": "pane_id_missing"}
+    pane_width = state.get("pane_width") if isinstance(state, dict) else None
+    if not _capture_tail_references_workspace(pane_capture_tail, workspace, pane_width):
+        event_log.write(
+            "leader_panes.trust_auto_answer_refused",
+            pane_id=pane_id,
+            workspace=str(workspace),
+            reason="workspace_dir_mismatch",
+        )
+        return {"ok": False, "answered": False, "reason": "workspace_dir_mismatch"}
+    # Round-5 (post Round-1..4 withdrawal): Codex's trust prompt already
+    # highlights `1. Yes, continue` as the default choice; a plain Enter
+    # accepts it. Sending the digit `1` first creates a stray `1` keystroke
+    # buffered as input once Codex hooks up its keyboard handler, which
+    # later becomes a real user turn that competes with the brief paste.
+    # Drop the digit; submit Enter only.
+    answer = _tmux_inject_text(
+        str(pane_id),
+        "",
+        "Enter",
+        f"team-agent-trust-auto-answer-{str(pane_id).strip('%') or 'pane'}",
+        attempts=1,
+        provider="fake",
+        bypass_non_input_gate=True,
+    )
+    if not answer.get("ok"):
+        error = answer.get("error") or "tmux send-keys failed"
+        event_log.write(
+            "leader_panes.trust_auto_answer_failed",
+            pane_id=pane_id,
+            workspace=str(workspace),
+            error=error,
+        )
+        return {"ok": False, "answered": False, "reason": "tmux_send_keys_failed", "error": error}
+    event_log.write(
+        "leader_panes.trust_auto_answered",
+        pane_id=pane_id,
+        workspace=str(workspace),
+        opted_in=True,
+    )
+    return {"ok": True, "answered": True, "reason": "trust_auto_answered"}
+
+
+_SPEC_OPT_IN_DEPRECATION_MESSAGE = (
+    "WARNING: spec.runtime.auto_trust_own_workspace is deprecated. "
+    "Use env TEAM_AGENT_AUTO_TRUST_OWN_WORKSPACE=1 per session instead. "
+    "Spec-field will be removed in 0.3.0."
+)
+
+
+def _auto_trust_opt_in(spec: dict[str, Any] | None, *, event_log: EventLog | None = None) -> bool:
+    """Constitution-reviewer F3 (2026-05-26): env-var per-session opt-in is the
+    preferred path. spec.runtime.auto_trust_own_workspace remains honoured for
+    backwards compatibility but emits a one-shot stderr deprecation warning AND
+    a structured trust_auto_answer_spec_opt_in_deprecated event so a normalized
+    YAML field is auditable from a fresh log."""
+    spec_opted_in = (
+        isinstance(spec, dict)
+        and bool((spec.get("runtime") or {}).get("auto_trust_own_workspace"))
+    )
+    if spec_opted_in:
+        _emit_spec_opt_in_deprecation(event_log)
+    env = os.environ.get("TEAM_AGENT_AUTO_TRUST_OWN_WORKSPACE", "").strip().lower()
+    env_opted_in = env in {"1", "true", "yes", "on"}
+    return env_opted_in or spec_opted_in
+
+
+def _emit_spec_opt_in_deprecation(event_log: EventLog | None) -> None:
+    """Emit the deprecation warning once per process. The structured event still
+    fires per call so an audit log captures every yaml-driven decision."""
+    import sys
+    global _SPEC_OPT_IN_DEPRECATION_WARNED
+    if not _SPEC_OPT_IN_DEPRECATION_WARNED:
+        try:
+            print(_SPEC_OPT_IN_DEPRECATION_MESSAGE, file=sys.stderr, flush=True)
+        except Exception:
+            pass
+        _SPEC_OPT_IN_DEPRECATION_WARNED = True
+    if event_log is not None:
+        try:
+            event_log.write(
+                "trust_auto_answer_spec_opt_in_deprecated",
+                preferred_opt_in="env:TEAM_AGENT_AUTO_TRUST_OWN_WORKSPACE",
+                deprecated_field="spec.runtime.auto_trust_own_workspace",
+                removal_target_version="0.3.0",
+            )
+        except Exception:
+            pass
+
+
+_SPEC_OPT_IN_DEPRECATION_WARNED = False
+
+
+def _reset_spec_opt_in_deprecation_state() -> None:
+    """Test-only helper: reset the per-process one-shot guard so multiple cases
+    in the same interpreter can each observe the warning. Not part of the
+    public API."""
+    global _SPEC_OPT_IN_DEPRECATION_WARNED
+    _SPEC_OPT_IN_DEPRECATION_WARNED = False
+
+
+def _capture_tail_references_workspace(tail: str, workspace: Path, pane_width: int | None = None) -> bool:
+    """Decide whether the Codex trust-prompt tail names the worker's own
+    workspace cwd. The runtime cwd is the source of truth; the prompt path is a
+    consistency guard. Match cases (one converged helper per token):
+
+      - exact canonical equality (the unchanged baseline);
+      - mid-ellipsis ``head…tail`` / ``head...tail`` where head is a prefix of
+        the runtime cwd and tail is its suffix;
+      - hard right-edge truncation: the canonical runtime cwd starts with the
+        canonical captured path AND the captured token reaches the capture
+        line's right boundary (pane_width).
+
+    Without a pane_width signal, prefix matching is forbidden — the captured
+    path is treated as a complete token and must exactly equal the runtime cwd
+    (this is what stops ``/repo`` from sliding into ``/repo-backup``).
+    """
+    if not tail:
+        return False
+    workspace_canonical = _canonicalize_path(workspace)
+    if not workspace_canonical:
+        return False
+    for token, source_line in _candidate_path_lines_from_prompt(tail):
+        if _workspace_matches_token(workspace_canonical, token, source_line, pane_width):
+            return True
+    return False
+
+
+_PATH_LINE_RE = re.compile(r"(/[\w\-./~+@…]+)")
+_ELLIPSIS_TOKENS = ("…", "...")
+
+
+def _candidate_path_lines_from_prompt(tail: str) -> list[tuple[str, str]]:
+    """Pull (path_token, source_line) pairs out of the prompt's tail. The
+    source line is the line AFTER stripping Codex box-drawing glyphs, so the
+    matcher can locate the token's end column relative to the visible width."""
+    pairs: list[tuple[str, str]] = []
+    seen: set[tuple[str, str]] = set()
+    for raw_line in tail.splitlines():
+        line = raw_line.strip()
+        for glyph in ("▌", "▎", "│"):
+            line = line.lstrip(glyph).strip()
+        if not line:
+            continue
+        for match in _PATH_LINE_RE.finditer(line):
+            token = match.group(1).rstrip("/")
+            if not token:
+                continue
+            key = (token, line)
+            if key in seen:
+                continue
+            seen.add(key)
+            pairs.append(key)
+    return pairs
+
+
+def _candidate_paths_from_prompt(tail: str) -> list[str]:
+    """Backwards-compatible token-only view (kept for any external callers)."""
+    out: list[str] = []
+    for token, _line in _candidate_path_lines_from_prompt(tail):
+        if token not in out:
+            out.append(token)
+    return out
+
+
+def _workspace_matches_token(
+    workspace_canonical: str,
+    token: str,
+    source_line: str,
+    pane_width: int | None,
+) -> bool:
+    """The converged trust-prompt match logic.
+
+    Order matters:
+      1. exact canonical equality;
+      2. mid-ellipsis head/tail match;
+      3. right-edge hard truncation (prefix + boundary-reached).
+    A captured token that does NOT reach the line's right boundary is treated
+    as a complete short path and must equal the runtime cwd exactly.
+    """
+    # 1. Exact canonical equality.
+    captured_canonical = _canonicalize_path(Path(token))
+    if not captured_canonical:
+        return False
+    if captured_canonical == workspace_canonical:
+        return True
+    # 2. Mid-ellipsis: split on … or ..., require head ⊑ workspace and workspace ⊐ tail.
+    for ellipsis in _ELLIPSIS_TOKENS:
+        if ellipsis in token:
+            head, _, tail_part = token.partition(ellipsis)
+            head_canonical = _canonicalize_path(Path(head)) if head.startswith("/") else head
+            if not head_canonical or not tail_part:
+                return False
+            return (
+                workspace_canonical.startswith(head_canonical)
+                and workspace_canonical.endswith(tail_part)
+            )
+    # 3. Right-edge hard truncation: prefix + boundary.
+    if not _token_reaches_right_edge(token, source_line, pane_width):
+        # No boundary signal → captured must be a complete token; exact already
+        # failed → mismatch (this rejects /repo vs /repo-backup both ways).
+        return False
+    return (
+        workspace_canonical == captured_canonical
+        or workspace_canonical.startswith(captured_canonical + "/")
+        or workspace_canonical.startswith(captured_canonical)
+    )
+
+
+def _token_reaches_right_edge(token: str, source_line: str, pane_width: int | None) -> bool:
+    """The token reaches the capture line's right boundary iff the line is wide
+    enough to be at pane capacity AND the token sits flush against the line's
+    end. Without a pane_width we cannot prove truncation — return False so the
+    caller falls back to exact-equality (this is the C/repo vs C/repo-backup
+    safeguard)."""
+    if not pane_width or pane_width <= 0:
+        return False
+    rstripped = source_line.rstrip()
+    if not rstripped.endswith(token):
+        return False
+    # Allow a one-column tolerance for trailing whitespace stripped from the
+    # raw capture; the line must be at pane capacity to count as hard-cut.
+    return len(rstripped) >= max(1, pane_width - 1)
+
+
+def _canonicalize_path(p: Path | str) -> str:
+    try:
+        resolved = Path(p).expanduser().resolve(strict=False)
+    except OSError:
+        return ""
+    text = resolved.as_posix()
+    # Strip a trailing slash so boundary-safe equality holds.
+    return text.rstrip("/") if text != "/" else "/"
+
+
 def _choose_leader_submit_key(provider: str, capture_text: str) -> tuple[str, str]:
     if provider != "codex":
         return "Enter", "non_codex_provider"

package/src/team_agent/messaging/scheduler.py

@@ -84,6 +84,18 @@ def _fire_due_scheduled_events(workspace: Path, store: MessageStore, event_log:
             elif row["kind"] == "health_ping":
                 result = {"ok": True, "status": "logged"}
                 event_log.write("coordinator.health_ping", target=row["target"], payload=payload)
+            elif row["kind"] == "trust_retry":
+                # Spark MEDIUM sweep #3 (2026-05-26) — bounded-backoff consumer
+                # for delivery.py:_handle_trust_retry_needed. payload carries the
+                # message_id and current attempt; _execute_trust_retry resets the
+                # row to 'accepted', re-runs _deliver_pending_message with the
+                # attempt threaded through, and either delivers, reschedules, or
+                # hits the terminal trust_auto_answer_exhausted branch.
+                from team_agent.messaging.delivery import _execute_trust_retry
+                result = _execute_trust_retry(
+                    workspace, store, event_log, payload,
+                    owner_team_id=row.get("owner_team_id"),
+                )
             else:
                 result = {"ok": False, "error": f"unknown scheduled event kind: {row['kind']}"}
             if not result.get("ok") and row["kind"] == "send":

package/src/team_agent/messaging/send.py

@@ -34,19 +34,10 @@ from pathlib import Path
 from typing import Any
 
 def send_message(
-    workspace: Path,
-    target: str | list[str] | None,
-    content: str,
-    task_id: str | None = None,
-    sender: str = "leader",
-    requires_ack: bool = True,
-    confirm_human: bool = False,
-    wait_visible: bool = True,
-    timeout: float = 30.0,
-    lock_timeout: float = 5.0,
-    watch_result: bool = False,
-    block_until_delivered: bool = True,
-    team: str | None = None,
+    workspace: Path, target: str | list[str] | None, content: str, task_id: str | None = None,
+    sender: str = "leader", requires_ack: bool = True, confirm_human: bool = False,
+    wait_visible: bool = True, timeout: float = 30.0, lock_timeout: float = 5.0,
+    watch_result: bool = False, block_until_delivered: bool = True, team: str | None = None,
 ) -> dict[str, Any]:
     with _runtime_lock(workspace, "send", timeout=lock_timeout):
         return _send_message_unlocked(
@@ -66,18 +57,10 @@ def send_message(
 
 
 def _send_message_unlocked(
-    workspace: Path,
-    target: str | list[str] | None,
-    content: str,
-    task_id: str | None = None,
-    sender: str = "leader",
-    requires_ack: bool = True,
-    confirm_human: bool = False,
-    wait_visible: bool = True,
-    timeout: float = 30.0,
-    watch_result: bool = False,
-    block_until_delivered: bool = True,
-    team: str | None = None,
+    workspace: Path, target: str | list[str] | None, content: str, task_id: str | None = None,
+    sender: str = "leader", requires_ack: bool = True, confirm_human: bool = False,
+    wait_visible: bool = True, timeout: float = 30.0, watch_result: bool = False,
+    block_until_delivered: bool = True, team: str | None = None,
 ) -> dict[str, Any]:
     if team is None:
         ambiguous = ambiguous_team_target_result(load_runtime_state(workspace))
@@ -94,6 +77,7 @@ def _send_message_unlocked(
             return gate
     owner_team_id = team_state_key(state)
     leader_id = _leader_id(state, spec)
+    _flag_rebind_required_when_unbound_plain_shell_leader(workspace, state, spec, sender, leader_id, event_log)
 
     if isinstance(target, list):
         if watch_result:
@@ -151,6 +135,38 @@ def _send_message_unlocked(
     )
 
 
+def _flag_rebind_required_when_unbound_plain_shell_leader(
+    workspace: Path,
+    state: dict[str, Any],
+    spec: dict[str, Any],
+    sender: str,
+    leader_id: str,
+    event_log: EventLog,
+) -> None:
+    # Gap 39 C5: a leader send from a plain shell (no $TMUX_PANE) must never self-bind
+    # the caller as the leader receiver. When the lease is fully unbound, flag a
+    # rebind_required so the message stays queued and the operator knows to reconnect
+    # from a real tmux leader pane. Only fires for an unbound lease + no caller pane.
+    import os
+    from team_agent.messaging.deps import _leader_receiver_is_direct
+    if not _is_leader_sender(sender, leader_id):
+        return
+    if isinstance(state.get("team_owner"), dict) and state["team_owner"].get("pane_id"):
+        return
+    if _leader_receiver_is_direct(state.get("leader_receiver")):
+        return
+    if os.environ.get("TEAM_AGENT_LEADER_PANE_ID") or os.environ.get("TMUX_PANE"):
+        return
+    event_log.write(
+        "leader_receiver.rebind_required",
+        reason="not_in_tmux_pane",
+        old_pane_id=(state.get("leader_receiver") or {}).get("pane_id"),
+        new_pane_id=None,
+        team_id=team_state_key(state),
+        recovery_action="run team-agent claim-leader --confirm from the leader's tmux pane",
+    )
+
+
 def _send_single_message_unlocked(
     workspace: Path,
     state: dict[str, Any],
@@ -336,6 +352,8 @@ def _send_single_message_unlocked(
         "submit_verification": delivered_result.get("submit_verification"),
         "turn_verification": delivered_result.get("turn_verification"),
     }
+    result.update({key: delivered_result[key] for key in ("reason", "stage") if delivered_result.get(key)})
+    result.update(_structured_delivery_refusal(delivered_result))
     if delivered_result.get("queued"):
         result["queued"] = True
         result["reason"] = delivered_result.get("reason")
@@ -490,7 +508,7 @@ def _broadcast_targets(state: dict[str, Any], spec: dict[str, Any], sender: str)
 
 
 def _compact_broadcast_delivery(result: dict[str, Any]) -> dict[str, Any]:
-    keys = ["ok", "status", "message_id", "to", "reason", "channel"]
+    keys = ["ok", "status", "message_id", "to", "reason", "channel", "detected", "pane_id", "pane_mode", "pane_capture_tail", "stage", "verification"]
     return {key: result[key] for key in keys if key in result}
 
 
@@ -498,3 +516,13 @@ def _compact_fanout_delivery(result: dict[str, Any]) -> dict[str, Any]:
     compact = _compact_broadcast_delivery(result)
     compact["delivered"] = bool(result.get("submitted") or result.get("visible") or result.get("status") in {"submitted", "visible", "delivered", "acknowledged"})
     return compact
+
+
+def _structured_delivery_refusal(delivered_result: dict[str, Any]) -> dict[str, Any]:
+    attempts = delivered_result.get("paste_attempts")
+    if not isinstance(attempts, list):
+        return {}
+    for attempt in attempts:
+        if isinstance(attempt, dict) and attempt.get("reason") == "recipient_pane_in_non_input_mode":
+            return {key: attempt[key] for key in ("detected", "pane_id", "pane_mode", "pane_capture_tail") if key in attempt}
+    return {}