@team-agent/installer 0.3.4 → 0.3.5

package/crates/team-agent/src/lifecycle/profile_launch.rs

@@ -385,6 +385,31 @@ fn provider_env_exports(
                 exports.insert("GEMINI_API_KEY".to_string(), value.to_string());
             }
         }
+        // C-A-4 cr verdict v2 — copilot BYOK(== compatible_api 档,help-providers 原文
+        // "GitHub authentication is not required" when COPILOT_PROVIDER_BASE_URL set):
+        // profile 值经 env_overlay 落 COPILOT_PROVIDER_BASE_URL/TYPE/API_KEY/WIRE_API
+        // + COPILOT_MODEL。BYOK 必须含 MODEL("A model is required for BYOK")—
+        // 这一硬性校验在 launch 路径处理(profile compile 时无法判别 model 来源)。
+        // Subscription/OfficialApi 不导出 COPILOT_PROVIDER_*(避免误改 auth 通道)。
+        Provider::Copilot => {
+            if auth_mode == AuthMode::CompatibleApi {
+                if let Some(value) = value_or_alternate(values, "COPILOT_PROVIDER_BASE_URL", "BASE_URL") {
+                    exports.insert("COPILOT_PROVIDER_BASE_URL".to_string(), value.to_string());
+                }
+                if let Some(value) = value_or_alternate(values, "COPILOT_PROVIDER_TYPE", "PROVIDER_TYPE") {
+                    exports.insert("COPILOT_PROVIDER_TYPE".to_string(), value.to_string());
+                }
+                if let Some(value) = value_or_alternate(values, "COPILOT_PROVIDER_API_KEY", "API_KEY") {
+                    exports.insert("COPILOT_PROVIDER_API_KEY".to_string(), value.to_string());
+                }
+                if let Some(value) = value_or_alternate(values, "COPILOT_PROVIDER_WIRE_API", "WIRE_API") {
+                    exports.insert("COPILOT_PROVIDER_WIRE_API".to_string(), value.to_string());
+                }
+                if let Some(value) = value_or_alternate(values, "COPILOT_MODEL", "MODEL") {
+                    exports.insert("COPILOT_MODEL".to_string(), value.to_string());
+                }
+            }
+        }
         Provider::Fake => {}
     }
     exports
@@ -412,6 +437,9 @@ fn provider_env_unsets(provider: Provider, auth_mode: AuthMode) -> BTreeSet<Stri
                 unsets.insert("GEMINI_API_KEY".to_string());
             }
         }
+        // C-7-1 cr verdict: 一期 subscription-only(已登录态),exports/unsets 空;
+        // BYOK(COPILOT_PROVIDER_*)二期立项时单独 cr verdict 再开。
+        Provider::Copilot => {}
         Provider::Fake => {}
     }
     unsets
@@ -429,7 +457,48 @@ fn provider_command_overrides(
         _ if agent.model.is_some() => agent.model.clone(),
         _ => profile_model(values).map(str::to_string),
     };
-    ProviderCommandOverrides { model }
+    let mut codex_profile = None;
+    let mut codex_config = Vec::new();
+    // Python provider_env.py:62-79 (_provider_command_overrides codex branch).
+    match agent.provider {
+        Provider::Codex => {
+            codex_profile = value_or_alternate(values, "CODEX_PROFILE", "NATIVE_PROFILE")
+                .map(str::to_string);
+            let model_provider = values.get("MODEL_PROVIDER").filter(|v| !v.is_empty());
+            let base_url = values.get("BASE_URL").filter(|v| !v.is_empty());
+            if agent.auth_mode == AuthMode::CompatibleApi {
+                if let (Some(model_provider), Some(base_url)) = (model_provider, base_url) {
+                    if safe_codex_provider_id(model_provider) {
+                        codex_config.push(format!("model_provider=\"{model_provider}\""));
+                        let prefix = format!("model_providers.{model_provider}");
+                        codex_config.push(format!("{prefix}.base_url=\"{base_url}\""));
+                        codex_config
+                            .push(format!("{prefix}.env_key=\"TEAM_AGENT_PROVIDER_API_KEY\""));
+                        if let Some(wire_api) = values.get("WIRE_API").filter(|v| !v.is_empty()) {
+                            codex_config.push(format!("{prefix}.wire_api=\"{wire_api}\""));
+                        }
+                        if let Some(name) = values.get("PROVIDER_NAME").filter(|v| !v.is_empty()) {
+                            codex_config.push(format!("{prefix}.name=\"{name}\""));
+                        }
+                    }
+                }
+            }
+        }
+        _ => {}
+    }
+    ProviderCommandOverrides {
+        model,
+        codex_profile,
+        codex_config,
+    }
+}
+
+/// Python helpers.py:33-34 `_safe_codex_provider_id`: `[A-Za-z0-9_-]+`.
+fn safe_codex_provider_id(value: &str) -> bool {
+    !value.is_empty()
+        && value
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-')
 }
 
 fn write_runtime_env_file(
@@ -636,15 +705,48 @@ fn mcp_server_names(mcp_servers: &serde_json::Value) -> Vec<String> {
         .unwrap_or_default()
 }
 
+/// swallow batch 4 C1-C4 (MUST-NOT-9/13): a CORRUPT provider-config JSON fails
+/// EXPLICITLY — the old `unwrap_or_default` turned a parse failure into an empty map
+/// that the subsequent write flattened back over the user's file (silent destructive
+/// rewrite). A missing file stays Ok(empty) — only an existing-but-unparseable file
+/// errors, naming the path + parse detail + next action; the file is never touched.
 fn read_json_object(
     path: &Path,
 ) -> Result<serde_json::Map<String, serde_json::Value>, LifecycleError> {
-    let Ok(text) = std::fs::read_to_string(path) else {
-        return Ok(serde_json::Map::new());
+    let text = match std::fs::read_to_string(path) {
+        Ok(text) => text,
+        Err(error) if error.kind() == std::io::ErrorKind::NotFound => {
+            return Ok(serde_json::Map::new());
+        }
+        Err(error) => {
+            return Err(LifecycleError::RequirementUnmet(format!(
+                "profile_invalid_json: {} could not be read: {error}; fix or remove the file (or restore a backup) and relaunch",
+                path.display()
+            )));
+        }
     };
     match serde_json::from_str::<serde_json::Value>(&text) {
         Ok(serde_json::Value::Object(map)) => Ok(map),
-        Ok(_) | Err(_) => Ok(serde_json::Map::new()),
+        Ok(other) => Err(LifecycleError::RequirementUnmet(format!(
+            "profile_invalid_json: {} is not a JSON object (found {}); fix or remove the file (or restore a backup) and relaunch",
+            path.display(),
+            json_kind(&other)
+        ))),
+        Err(error) => Err(LifecycleError::RequirementUnmet(format!(
+            "profile_invalid_json: {} could not be parsed: {error}; fix or remove the file (or restore a backup) and relaunch",
+            path.display()
+        ))),
+    }
+}
+
+fn json_kind(value: &serde_json::Value) -> &'static str {
+    match value {
+        serde_json::Value::Null => "null",
+        serde_json::Value::Bool(_) => "a boolean",
+        serde_json::Value::Number(_) => "a number",
+        serde_json::Value::String(_) => "a string",
+        serde_json::Value::Array(_) => "an array",
+        serde_json::Value::Object(_) => "an object",
     }
 }
 
@@ -732,6 +834,9 @@ fn required_profile_keys(provider: Provider, auth_mode: AuthMode) -> &'static [&
             AuthMode::Subscription => &[],
         },
         Provider::GeminiCli => &["API_KEY"],
+        // C-7-1 cr verdict: copilot 一期 subscription-only,无 BYOK required key 集合;
+        // 二期 BYOK 立项时填(向后兼容字段保留)。
+        Provider::Copilot => &[],
         Provider::Fake => &[],
     }
 }
@@ -794,6 +899,7 @@ pub(crate) fn parse_provider(raw: &str) -> Option<Provider> {
         "claude" => Some(Provider::Claude),
         "claude_code" => Some(Provider::ClaudeCode),
         "codex" => Some(Provider::Codex),
+        "copilot" => Some(Provider::Copilot),
         "gemini_cli" => Some(Provider::GeminiCli),
         "fake" => Some(Provider::Fake),
         _ => None,

package/crates/team-agent/src/lifecycle/profile_smoke.rs

@@ -184,7 +184,9 @@ impl SmokeTarget {
                     kind: SmokeKind::OpenAi,
                 })
             }
-            Provider::GeminiCli | Provider::Fake => Err("unsupported_provider_smoke_skipped"),
+            // C-7-1 cr verdict: copilot 一期 subscription-only,无 BYOK HTTP smoke
+            // 入口;同 GeminiCli/Fake 走 unsupported_provider_smoke_skipped。
+            Provider::Copilot | Provider::GeminiCli | Provider::Fake => Err("unsupported_provider_smoke_skipped"),
         }
     }
 
@@ -508,6 +510,7 @@ fn provider_wire(provider: Provider) -> &'static str {
         Provider::Claude => "claude",
         Provider::ClaudeCode => "claude_code",
         Provider::Codex => "codex",
+        Provider::Copilot => "copilot",
         Provider::GeminiCli => "gemini_cli",
         Provider::Fake => "fake",
     }

package/crates/team-agent/src/lifecycle/restart/common.rs

@@ -131,10 +131,25 @@ pub(super) fn spawn_agent_window(
                 .map(Path::new)
         })
         .unwrap_or(workspace);
+    let env_unset: Vec<String> = profile_launch.env_unset.iter().cloned().collect();
     let result = if into_existing_session {
-        transport.spawn_into(session_name, &window, &plan.argv, spawn_cwd, &env)
+        transport.spawn_into_with_env_unset(
+            session_name,
+            &window,
+            &plan.argv,
+            spawn_cwd,
+            &env,
+            &env_unset,
+        )
     } else {
-        transport.spawn_first(session_name, &window, &plan.argv, spawn_cwd, &env)
+        transport.spawn_first_with_env_unset(
+            session_name,
+            &window,
+            &plan.argv,
+            spawn_cwd,
+            &env,
+            &env_unset,
+        )
     };
     let spawn = result.map_err(|e| LifecycleError::Transport(e.to_string()))?;
     let _ = adapter.handle_startup_prompts(
@@ -344,6 +359,7 @@ pub(super) fn parse_provider(raw: &str) -> Option<Provider> {
         "claude" => Some(Provider::Claude),
         "claude_code" => Some(Provider::ClaudeCode),
         "codex" => Some(Provider::Codex),
+        "copilot" => Some(Provider::Copilot),
         "gemini_cli" => Some(Provider::GeminiCli),
         "fake" => Some(Provider::Fake),
         _ => None,
@@ -355,6 +371,7 @@ pub(super) fn provider_wire(provider: Provider) -> &'static str {
         Provider::Claude => "claude",
         Provider::ClaudeCode => "claude_code",
         Provider::Codex => "codex",
+        Provider::Copilot => "copilot",
         Provider::GeminiCli => "gemini_cli",
         Provider::Fake => "fake",
     }

package/crates/team-agent/src/lifecycle/tests/agent_ops.rs

@@ -90,7 +90,7 @@ fn lanea_stop_agent_unknown_agent_is_unknown_worker_not_owner_refused() {
 #[test]
 fn lanea_fork_agent_unknown_source_is_unknown_worker_before_session_check() {
     let ws = lanea_team_ws("stopped");
-    let text = format!("{:?}", fork_agent(&ws, &aid("ghost"), &aid("newfork"), false, None));
+    let text = format!("{:?}", fork_agent(&ws, &aid("ghost"), &aid("newfork"), None, false, None));
     assert!(
         text.contains("unknown worker"),
         "fork_agent must reject an UNKNOWN source as 'unknown worker agent id: ghost' BEFORE the session-id \
@@ -105,7 +105,7 @@ fn lanea_fork_agent_unknown_source_is_unknown_worker_before_session_check() {
 fn lanea_fork_agent_duplicate_target_is_already_exists_before_session_check() {
     let ws = lanea_team_ws("stopped");
     // target 'bravo' already exists in the spec -> duplicate; source 'alpha' exists (its session_id is irrelevant).
-    let text = format!("{:?}", fork_agent(&ws, &aid("alpha"), &aid("bravo"), false, None));
+    let text = format!("{:?}", fork_agent(&ws, &aid("alpha"), &aid("bravo"), None, false, None));
     assert!(
         text.contains("already exists"),
         "fork_agent must reject a DUPLICATE target 'bravo' as 'agent id already exists' BEFORE the session-id \

package/crates/team-agent/src/lifecycle/tests/core.rs

@@ -841,7 +841,7 @@ fn close_team_display_empty_workspace_closes_nothing_not_error() {
 #[test]
 fn fork_agent_on_unowned_workspace_does_not_silently_fork() {
     let ws = temp_ws();
-    match fork_agent(&ws, &aid("src"), &aid("dst"), false, None) {
+    match fork_agent(&ws, &aid("src"), &aid("dst"), None, false, None) {
         // 允许:owner 门 / team 选择 / 缺 spec(provider 命令构造前的上游门)。
         Err(LifecycleError::OwnerRefused(_))
         | Err(LifecycleError::TeamSelect(_))

package/crates/team-agent/src/lifecycle/tests/lane_ops.rs

@@ -464,7 +464,7 @@ fn lanea_remove_rollback_restores_via_spec_state_file_path() {
 fn lanea_fork_dup_target_leader_id_is_already_exists() {
     let ws = fork_ws(DELEG_ROLE_ALPHA);
     let tx = LaneTransport::new("team-laneateam", &[]);
-    let text = format!("{:?}", fork_agent_with_transport(&ws, &aid("alpha"), &aid("leader"), false, None, &tx));
+    let text = format!("{:?}", fork_agent_with_transport(&ws, &aid("alpha"), &aid("leader"), None, false, None, &tx));
     assert!(
         text.contains("already exists"),
         "golden operations.py:301-302 (_find_agent matches the leader): forking ONTO the leader id must raise \
@@ -481,7 +481,7 @@ fn lanea_fork_dup_target_leader_id_is_already_exists() {
 fn lanea_fork_window_already_exists_guard_before_spec_mutation() {
     let ws = fork_ws(DELEG_ROLE_ALPHA);
     let tx = LaneTransport::new("team-laneateam", &["newfork"]); // the target window already exists
-    let text = format!("{:?}", fork_agent_with_transport(&ws, &aid("alpha"), &aid("newfork"), false, None, &tx));
+    let text = format!("{:?}", fork_agent_with_transport(&ws, &aid("alpha"), &aid("newfork"), None, false, None, &tx));
     assert!(
         text.contains("tmux window already exists for fork target: team-laneateam:newfork"),
         "golden operations.py:310-312: a pre-existing target window must raise 'tmux window already exists for \
@@ -505,7 +505,7 @@ fn lanea_fork_window_already_exists_guard_before_spec_mutation() {
 fn lanea_fork_gate_error_text_and_spec_rollback_on_adapter_arm() {
     let ws = fork_ws(DELEG_ROLE_ALPHA_COMPAT); // source alpha auth_mode=compatible_api -> native fork unsupported
     let tx = LaneTransport::new("team-laneateam", &[]);
-    let result = fork_agent_with_transport(&ws, &aid("alpha"), &aid("newfork"), false, None, &tx);
+    let result = fork_agent_with_transport(&ws, &aid("alpha"), &aid("newfork"), None, false, None, &tx);
     let text = format!("{result:?}");
     assert!(
         text.contains("codex does not support native session fork"),
@@ -530,7 +530,7 @@ fn lanea_fork_gate_error_text_and_spec_rollback_on_adapter_arm() {
 fn lanea_fork_report_session_id_is_not_pane_id() {
     let ws = fork_ws(DELEG_ROLE_ALPHA); // codex+subscription -> native fork supported -> full success path
     let tx = LaneTransport::new("team-laneateam", &[]);
-    let report = fork_agent_with_transport(&ws, &aid("alpha"), &aid("newfork"), false, None, &tx).expect("fork ok (codex subscription supports fork)");
+    let report = fork_agent_with_transport(&ws, &aid("alpha"), &aid("newfork"), None, false, None, &tx).expect("fork ok (codex subscription supports fork)");
     assert_ne!(
         report.session_id,
         Some(crate::provider::SessionId::new("%newfork")),

package/crates/team-agent/src/lifecycle/tests/launch_spawn.rs

@@ -226,6 +226,7 @@ fn fork_agent_proceeds_past_owner_gate_for_unowned_workspace() {
         &ws,
         &AgentId::new("w1"),
         &AgentId::new("w1-fork"),
+        None,
         false,
         None,
         &transport,
@@ -960,7 +961,8 @@ fn quick_start_running_agent_state_shape_after_spawn_is_golden() {
     assert!(agent["captured_at"].is_null());
     assert!(agent["captured_via"].is_null());
     assert!(agent["attribution_confidence"].is_null());
-    assert_eq!(agent["spawn_cwd"], json!(team.to_string_lossy()));
+    // D5 (#264) / Python launch/core.py:253 — fresh launch persists spawn_cwd=workspace.
+    assert_eq!(agent["spawn_cwd"], json!(workspace.to_string_lossy()));
     assert_eq!(agent["spawned_at"], json!(FIXED_SPAWNED_AT));
     assert_eq!(
         agent["pane_id"],

package/crates/team-agent/src/lifecycle/worker_command_context.rs

@@ -144,9 +144,13 @@ impl WorkerCommandAgent {
 pub(crate) fn compile_worker_system_prompt(
     agent: &WorkerCommandAgent,
 ) -> Result<String, LifecycleError> {
+    // Python prompt.py:39 — chunks = [identity, TEAMMATE_SYSTEM_PROMPT, ...]: the worker
+    // identity line anchors the very first section (live Python worker argv confirms).
+    // C-1 cr verdict / B2 灵魂件 — identity 必须 FIRST(MUST-4 行为层守:空白上下文问
+    // "你是谁"必须先答 Team Agent worker 身份)。runtime contract 跟后。
     let mut chunks = vec![
-        runtime_contract_section(),
         identity_section(agent),
+        runtime_contract_section(),
         role_body(agent)?,
     ];
     if let Some(contract) = output_contract(agent) {
@@ -225,23 +229,42 @@ fn output_contract(agent: &WorkerCommandAgent) -> Option<String> {
 
 fn permission_notes(agent: &WorkerCommandAgent) -> Result<Option<String>, LifecycleError> {
     let permissions = resolve_agent_permissions(agent, agent.provider)?;
-    if !permissions.has_prompt_only {
-        return Ok(None);
-    }
-    let mut prompt_only: Vec<String> = permissions
+    // C-2-1/C-2-2 cr verdict — Copilot 一期 framework 不替决 fs_read/fs_list/git_diff/
+    // provider_builtin(provider prompt 控);为诚实(MUST-NOT-13)在 system prompt 内
+    // 总是声明这些 provider-level prompt_only 工具,即便角色未显式声明。
+    let provider_prompt_only_extras = provider_default_prompt_only_tools(agent.provider);
+    let mut prompt_only: std::collections::BTreeSet<String> = permissions
         .resolved_tools
         .iter()
         .filter(|tool| tool.enforcement == Enforcement::PromptOnly)
         .filter_map(|tool| serde_json::to_value(tool.tool).ok())
         .filter_map(|value| value.as_str().map(str::to_string))
         .collect();
-    prompt_only.sort();
+    for tool in provider_prompt_only_extras {
+        prompt_only.insert((*tool).to_string());
+    }
+    if prompt_only.is_empty() {
+        return Ok(None);
+    }
+    let prompt_only: Vec<String> = prompt_only.into_iter().collect();
     Ok(Some(format!(
         "Permission note: these tools are prompt-only for this provider and not hard-enforced: {}",
         prompt_only.join(", ")
     )))
 }
 
+/// C-2-1 cr verdict — provider-level prompt_only tools that the framework cannot
+/// hard-enforce. The system prompt declares them so the worker is honest about
+/// where consent gates actually live (provider prompt vs framework).
+fn provider_default_prompt_only_tools(provider: Provider) -> &'static [&'static str] {
+    match provider {
+        // C-2-1: fs_read / fs_list / git_diff / provider_builtin 由 provider prompt
+        // 控制,framework 不替决(prompt_only 诚实声明)。
+        Provider::Copilot => &["fs_list", "fs_read", "git_diff", "provider_builtin"],
+        _ => &[],
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -298,7 +321,14 @@ mod tests {
     }
 
     #[test]
-    fn system_prompt_uses_runtime_contract_identity_role_output_permissions_order() {
+    fn system_prompt_uses_identity_then_runtime_contract_python_order() {
+        // #264 D6: Python truth source (prompt.py:39, live ps confirmed) builds
+        // chunks = [identity, TEAMMATE_SYSTEM_PROMPT, role_body, output, permissions].
+        // The previous assertion locked the inverted contract-first order with no
+        // Python evidence; this is the corrected golden.
+        // 0.3.5 union (copilot v2 C-1 / B2 MUST-4 行为层守): identity 必须 FIRST —
+        // 空白上下文问"你是谁"的第一行答案必须先答 Team Agent worker 身份;
+        // Copilot 适配的 C-1-3 行为层要求与其它 provider 同步。
         let agent = WorkerCommandAgent {
             id: Some("coder".to_string()),
             provider: Provider::Codex,
@@ -309,16 +339,21 @@ mod tests {
             output_contract_format: Some("result_envelope_v1".to_string()),
         };
         let prompt = compile_worker_system_prompt(&agent).unwrap();
+        assert!(
+            prompt.starts_with("You are Team Agent worker `coder` with role `Runtime Developer`."),
+            "compiled prompt must start with the identity section (Python prompt.py:39); head={:?}",
+            prompt.chars().take(120).collect::<String>()
+        );
+        let identity = prompt.find("worker `coder`").unwrap();
         let runtime = prompt
             .find(RUNTIME_CONTRACT_SECTION.lines().next().unwrap_or(""))
             .unwrap();
-        let identity = prompt.find("worker `coder`").unwrap();
         let role = prompt.find("Implement the assigned slice.").unwrap();
         let output = prompt
             .find("Final completion must call team_orchestrator.report_result exactly once")
             .unwrap();
         let permissions = prompt.find("Permission note:").unwrap();
-        assert!(runtime < identity && identity < role && role < output && output < permissions);
+        assert!(identity < runtime && runtime < role && role < output && output < permissions);
         let slowdown_phrase = format!("500/{}", 500 + 29);
         assert!(prompt.contains(&slowdown_phrase));
         assert!(prompt.contains("Runtime Developer"));

package/crates/team-agent/src/mcp_server/lifecycle_tools/agent_ops.rs

@@ -88,12 +88,13 @@ pub(crate) fn fork_agent(
     as_agent_id: &str,
     label: Option<&str>,
 ) -> ToolResult {
-    let _ = label;
     let lifecycle_workspace = lifecycle_workspace(workspace, owner_team, false)?;
+    // operations.py:315 — the label becomes the forked agent's role.
     let report = crate::lifecycle::launch::fork_agent(
         &lifecycle_workspace,
         &AgentId::new(source_agent_id),
         &AgentId::new(as_agent_id),
+        label,
         false,
         owner_team.map(TeamKey::as_str),
     )

package/crates/team-agent/src/mcp_server/tests/scoped.rs

@@ -1,7 +1,20 @@
     #[test]
     fn dispatch_send_message_worker_accepted_returned_verbatim() {
+        // A-7: accepted requires a REAL stored message_id (no fabricated ids), so the
+        // workspace seeds a running worker-1 the delivery layer can actually queue for.
+        let ws = unique_ws("dispatch-accepted");
+        crate::state::persist::save_runtime_state(
+            &ws,
+            &serde_json::json!({
+                "session_name": "team-x",
+                "agents": {
+                    "worker-1": {"status": "running", "agent_id": "worker-1", "window": "worker-1"},
+                },
+            }),
+        )
+        .unwrap();
         let tools = TeamOrchestratorTools::with_identity(
-            &unique_ws("dispatch-accepted"),
+            &ws,
             Some(AgentId::new("leader")), // legacy single-team bypasses cross-team refusal
             None,
         );

package/crates/team-agent/src/mcp_server/tests/send.rs

@@ -96,8 +96,22 @@
         // refusal first (worker-1 not in visible peers) -> PeerNotInScope. owner_team_id=None
         // (legacy single-team) bypasses that, isolating the worker-recipient accepted path.
         // The cross-team refusal has its own tests (refuse_cross_team_peer_* / send_message_cross_team_*).
+        // A-7: the accepted path needs a REAL stored message_id (tools.py:175-181 —
+        // fabricated ids are gone), so the workspace seeds a running worker-1 the
+        // delivery layer can actually queue for.
+        let ws = unique_ws("send-worker");
+        crate::state::persist::save_runtime_state(
+            &ws,
+            &serde_json::json!({
+                "session_name": "team-x",
+                "agents": {
+                    "worker-1": {"status": "running", "agent_id": "worker-1", "window": "worker-1"},
+                },
+            }),
+        )
+        .unwrap();
         let tools = TeamOrchestratorTools::with_identity(
-            &unique_ws("send-worker"),
+            &ws,
             Some(AgentId::new("leader")),
             None,
         );

package/crates/team-agent/src/mcp_server/tools.rs

@@ -189,11 +189,12 @@ impl TeamOrchestratorTools {
         };
         if is_worker_recipient(to) {
             let out = messaging::send_message(&self.workspace, to, content, &opts).map_err(tool_runtime_error)?;
+            // tools.py:175-181 — accepted+poll_via ONLY for a REAL message_id; any other
+            // outcome falls back to the compacted direct result. Never invent an
+            // `mcp_<timestamp>` id: it does not exist in the store and makes the
+            // advertised `team-agent inbox <id>` poll a dead end.
             let message_id = match out.message_id {
                 Some(message_id) if out.ok => message_id,
-                None if self.owner_team_id.is_none() => {
-                    format!("mcp_{}", chrono::Utc::now().timestamp_micros())
-                }
                 _ => {
                     let value = delivery_outcome_value(&out);
                     let ok = compact_tool_result(&value)?;
@@ -229,7 +230,13 @@ impl TeamOrchestratorTools {
         let team_widens = match (owner_team.as_ref(), requested_team.as_deref()) {
             (_, None) => false,
             (Some(owner), Some(requested)) => {
-                let state = load_runtime_state(&self.workspace).unwrap_or(serde_json::json!({}));
+                // swallow batch 4 C6: an unreadable state cannot verify the requested
+                // team — fail closed (structured transient refusal), never compare
+                // against an empty substitute.
+                let state = match load_runtime_state(&self.workspace) {
+                    Ok(state) => state,
+                    Err(error) => return Err(self.scope_unverifiable(&error.to_string())),
+                };
                 let requested_canonical = crate::state::projection::resolve_owner_team_id(&state, requested)
                     .canonical_key()
                     .unwrap_or(requested)
@@ -463,7 +470,18 @@ impl TeamOrchestratorTools {
             "idle_fallback" => Some(messaging::AlertType::IdleFallback),
             "cross_worker_deadlock" => Some(messaging::AlertType::CrossWorkerDeadlock),
             "all" => None,
-            _ => None,
+            // scheduler.py:268-273 — an unknown alert_type refuses with the Python
+            // literal instead of silently widening to suppressing ALL alert families.
+            _ => {
+                return Ok(ToolOk {
+                    fields: object_fields(serde_json::json!({
+                        "ok": false,
+                        "status": "refused",
+                        "reason": "invalid_alert_type",
+                        "alert_type": alert_type,
+                    })),
+                });
+            }
         };
         let suppressed_by = self.agent_id.as_ref().map(AgentId::as_str).unwrap_or("leader");
         messaging::stuck_cancel(&self.workspace, agent_id, alert, suppressed_by)
@@ -571,7 +589,12 @@ impl TeamOrchestratorTools {
         // Unresolved/ambiguous owner scope emits mcp.scope_refused; never fallback
         // to active/top-level/sibling teams in a multi-team state.
         let Some(owner_team_id) = &self.owner_team_id else {
-            let state = load_runtime_state(&self.workspace).unwrap_or(serde_json::json!({}));
+            // swallow batch 4 C5-C8 (MUST-16 fail-closed): the runtime state is the
+            // scope truth source — when it cannot be read, the gate REFUSES with a
+            // structured transient scope_unverifiable instead of silently treating
+            // the workspace as legacy single-team (silent privilege widening).
+            let state = load_runtime_state(&self.workspace)
+                .map_err(|error| self.scope_unverifiable(&error.to_string()))?;
             if state
                 .get("teams")
                 .and_then(Value::as_object)
@@ -582,7 +605,7 @@ impl TeamOrchestratorTools {
             return Ok(None);
         };
         let state = load_runtime_state(&self.workspace)
-            .map_err(|_| self.scope_refused("owner team could not be resolved"))?;
+            .map_err(|error| self.scope_unverifiable(&error.to_string()))?;
         match canonicalize_owner_team_id(&state, owner_team_id.as_str()) {
             Some(team) => Ok(Some(TeamKey::new(team))),
             None => Err(self.scope_refused("owner team could not be resolved")),
@@ -591,7 +614,12 @@ impl TeamOrchestratorTools {
 
     fn canonical_owner_team_key_for_mcp(&self) -> Result<Option<TeamKey>, ToolError> {
         let Some(owner_team_id) = &self.owner_team_id else {
-            let state = load_runtime_state(&self.workspace).unwrap_or(serde_json::json!({}));
+            // swallow batch 4 C5-C8 (MUST-16 fail-closed): the runtime state is the
+            // scope truth source — when it cannot be read, the gate REFUSES with a
+            // structured transient scope_unverifiable instead of silently treating
+            // the workspace as legacy single-team (silent privilege widening).
+            let state = load_runtime_state(&self.workspace)
+                .map_err(|error| self.scope_unverifiable(&error.to_string()))?;
             if state
                 .get("teams")
                 .and_then(Value::as_object)
@@ -602,13 +630,41 @@ impl TeamOrchestratorTools {
             return Ok(None);
         };
         let state = load_runtime_state(&self.workspace)
-            .map_err(|_| self.scope_refused("owner team could not be resolved"))?;
+            .map_err(|error| self.scope_unverifiable(&error.to_string()))?;
         match canonicalize_owner_team_id(&state, owner_team_id.as_str()) {
             Some(team) => Ok(Some(TeamKey::new(team))),
             None => Err(self.scope_refused("owner team could not be resolved")),
         }
     }
 
+    /// swallow batch 4 C5/C6/N38: the structured FAIL-CLOSED refusal for "the scope
+    /// could not be verified" (state read failed). Transient by design — the same call
+    /// passes once the state is readable again; the caller's self-reported scope is
+    /// never trusted as a fallback (MUST-16 ceiling).
+    fn scope_unverifiable(&self, io_error: &str) -> ToolError {
+        let _ = EventLog::new(&self.workspace).write(
+            "mcp.scope_state_read_failed",
+            serde_json::json!({
+                "reason": "scope_unverifiable",
+                "requested_owner_team_id": self.owner_team_id.as_ref().map(TeamKey::as_str),
+                "error": io_error,
+            }),
+        );
+        let mut extra = serde_json::Map::new();
+        extra.insert("status".to_string(), Value::String("refused".to_string()));
+        extra.insert("kind".to_string(), Value::String("scope_unverifiable".to_string()));
+        extra.insert(
+            "next_action".to_string(),
+            Value::String("retry shortly or check the runtime state path".to_string()),
+        );
+        ToolError {
+            reason: ToolErrorReason::McpScopeRefused,
+            exc_type: "McpScopeUnverifiable".to_string(),
+            message: format!("scope_unverifiable: state read failed: {io_error}"),
+            extra,
+        }
+    }
+
     fn scope_refused(&self, message: &str) -> ToolError {
         let canonical_owner_team_id = self.canonical_owner_team_key_for_event();
         let _ = EventLog::new(&self.workspace).write(

package/crates/team-agent/src/mcp_server/wire.rs

@@ -444,7 +444,8 @@ pub(crate) fn dispatch_tool(tools: &TeamOrchestratorTools, tool: McpTool, args:
         McpTool::StuckList => tools.stuck_list(),
         McpTool::StuckCancel => tools.stuck_cancel(
             args.get("agent_id").and_then(Value::as_str).unwrap_or(""),
-            args.get("alert_type").and_then(Value::as_str).unwrap_or("all"),
+            // tools.py:351 — the MCP default alert_type is "stuck", not "all".
+            args.get("alert_type").and_then(Value::as_str).unwrap_or("stuck"),
         ),
     }
 }