@team-agent/installer 0.3.8 → 0.3.10

package/crates/team-agent/src/lifecycle/restart/rebuild.rs

@@ -1,5 +1,5 @@
 use super::common::*;
-use super::selection::classify_restart_plan;
+use super::selection::classify_restart_plan_with_resume_validation;
 use super::*;
 
 // ── lifecycle::restart —— 整队 Route B resume-or-fresh 重建 ──────────────────
@@ -29,6 +29,7 @@ pub fn restart_with_session_convergence_deadline(
         team,
         &crate::tmux_backend::TmuxBackend::for_workspace(&run_ws),
         session_converge_deadline_ms,
+        None,
     )
 }
 
@@ -40,6 +41,16 @@ pub fn restart_with_transport(
     allow_fresh: bool,
     team: Option<&str>,
     transport: &dyn crate::transport::Transport,
+) -> Result<RestartReport, LifecycleError> {
+    restart_with_transport_with_readiness_deadline(workspace, allow_fresh, team, transport, None)
+}
+
+pub fn restart_with_transport_with_readiness_deadline(
+    workspace: &Path,
+    allow_fresh: bool,
+    team: Option<&str>,
+    transport: &dyn crate::transport::Transport,
+    readiness_deadline_ms: Option<u64>,
 ) -> Result<RestartReport, LifecycleError> {
     match restart_with_transport_with_session_convergence_deadline(
         workspace,
@@ -47,6 +58,7 @@ pub fn restart_with_transport(
         team,
         transport,
         None,
+        readiness_deadline_ms,
     )? {
         RestartReport::RefusedResumeNotReady {
             missing,
@@ -76,11 +88,19 @@ pub fn restart_with_transport_with_session_convergence_deadline(
     team: Option<&str>,
     transport: &dyn crate::transport::Transport,
     session_converge_deadline_ms: Option<u64>,
+    readiness_deadline_ms: Option<u64>,
 ) -> Result<RestartReport, LifecycleError> {
-    if crate::lifecycle::restart::input_has_no_local_team_context(workspace) {
+    // RED-2-STILL(P0):入口门必须在 canonical_run_workspace 解析后的路径上判,不用 raw workspace。
+    // 根因:quick-start <dir> 把 .team/runtime/spec 落在 team_workspace(dir)=**parent**/.team;
+    // 入口门查 raw dir 自身的 .team/state(空,它在 parent)→ 误判"无 team context"早退,到不了
+    // 067f78f 下移后的第二道门。canonical_run_workspace 已能正确解析到 parent(走 parent.join(".team")
+    // 分支),在它之上判 input_has_no_local_team_context 才对齐 quick-start 落点。
+    let resolved_ws = crate::model::paths::canonical_run_workspace(workspace)
+        .map_err(|e| LifecycleError::StatePersist(e.to_string()))?;
+    if crate::lifecycle::restart::input_has_no_local_team_context(&resolved_ws) {
         return Err(LifecycleError::TeamSelect(format!(
-            "missing spec for restart: {}",
-            workspace.join("team.spec.yaml").display()
+            "missing spec for restart: {} (run `team-agent quick-start <teamdir>` first)",
+            crate::model::paths::runtime_dir(&resolved_ws).display()
         )));
     }
     // RED-2(P0)修:存在性门下移到 resolve 之后,用 selected.spec_path(读序 B:runtime 优先、
@@ -159,7 +179,7 @@ pub fn restart_with_transport_with_session_convergence_deadline(
         convergence.missing.iter().cloned().collect()
     };
     let forced_fresh_convergence = (!convergence.converged).then_some(convergence.clone());
-    let plan = classify_restart_plan(&state, allow_fresh)?;
+    let plan = classify_restart_plan_with_resume_validation(Some(&selected.run_workspace), &state, allow_fresh)?;
     write_restart_resume_decision_events(
         &selected.run_workspace,
         &state,
@@ -179,7 +199,7 @@ pub fn restart_with_transport_with_session_convergence_deadline(
         return Ok(RestartReport::RefusedResumeAtomicity {
             unresumable: plan.unresumable,
             allow_fresh,
-            error: "restart requires resumable workers before live spawn".to_string(),
+            error: "restart requires resumable workers before live spawn; rerun with --allow-fresh to start fresh".to_string(),
         });
     }
     let session_name = state_session_name(&state);
@@ -246,6 +266,15 @@ pub fn restart_with_transport_with_session_convergence_deadline(
     crate::state::projection::save_team_scoped_state(&selected.run_workspace, &state)
         .map_err(|e| LifecycleError::StatePersist(e.to_string()))?;
     let coordinator_started = start_coordinator_for_workspace(&selected.run_workspace)?;
+    wait_restart_readiness_or_timeout(
+        &selected.run_workspace,
+        &state,
+        &session_name,
+        &plan.decisions,
+        transport,
+        restart_readiness_deadline(readiness_deadline_ms),
+        restart_readiness_poll_interval(),
+    )?;
     let attach_commands = crate::tmux_backend::attach_commands_for_windows(
         &selected.run_workspace,
         &session_name,
@@ -448,6 +477,182 @@ fn parse_duration_value_seconds_ms(value: &str) -> Option<u64> {
     }
 }
 
+fn restart_readiness_deadline(requested_ms: Option<u64>) -> std::time::Duration {
+    requested_ms.map(std::time::Duration::from_millis).unwrap_or_else(|| {
+        env_duration_ms(&["TEAM_AGENT_RESTART_READINESS_DEADLINE_MS"], 30_000)
+    })
+}
+
+fn restart_readiness_poll_interval() -> std::time::Duration {
+    env_duration_ms(&["TEAM_AGENT_RESTART_READINESS_POLL_MS"], 200)
+}
+
+#[derive(Debug, Clone, Copy)]
+struct RestartReadiness {
+    session_created: bool,
+    worker_pane_addressable: bool,
+    coordinator_alive: bool,
+}
+
+impl RestartReadiness {
+    fn ready(self) -> bool {
+        self.session_created && self.worker_pane_addressable && self.coordinator_alive
+    }
+}
+
+fn wait_restart_readiness_or_timeout(
+    workspace: &Path,
+    state: &serde_json::Value,
+    session_name: &SessionName,
+    decisions: &[RestartedAgent],
+    transport: &dyn crate::transport::Transport,
+    deadline: std::time::Duration,
+    poll_interval: std::time::Duration,
+) -> Result<(), LifecycleError> {
+    let started = std::time::Instant::now();
+    loop {
+        let readiness = restart_readiness(workspace, state, session_name, decisions, transport);
+        if readiness.ready() {
+            return Ok(());
+        }
+        let elapsed = started.elapsed();
+        if elapsed >= deadline {
+            write_restart_readiness_timeout_event(workspace, readiness, deadline, elapsed)?;
+            return Err(LifecycleError::RequirementUnmet(restart_readiness_timeout_message(
+                workspace, readiness, deadline,
+            )));
+        }
+        std::thread::sleep(std::cmp::min(poll_interval, deadline.saturating_sub(elapsed)));
+    }
+}
+
+fn restart_readiness(
+    workspace: &Path,
+    state: &serde_json::Value,
+    session_name: &SessionName,
+    decisions: &[RestartedAgent],
+    transport: &dyn crate::transport::Transport,
+) -> RestartReadiness {
+    let session_created = session_live_or_default(transport, session_name, false);
+    let worker_pane_addressable = restart_worker_panes_addressable(state, decisions, transport);
+    let coordinator_workspace = crate::coordinator::WorkspacePath::new(workspace.to_path_buf());
+    let coordinator_alive =
+        crate::coordinator::coordinator_health(&coordinator_workspace).ok && session_created;
+    RestartReadiness { session_created, worker_pane_addressable, coordinator_alive }
+}
+
+fn restart_worker_panes_addressable(
+    state: &serde_json::Value,
+    decisions: &[RestartedAgent],
+    transport: &dyn crate::transport::Transport,
+) -> bool {
+    if decisions.is_empty() {
+        return true;
+    }
+    decisions.iter().all(|decision| {
+        let Some(pane_id) = state
+            .get("agents")
+            .and_then(|agents| agents.get(decision.agent_id.as_str()))
+            .and_then(|agent| agent.get("pane_id"))
+            .and_then(serde_json::Value::as_str)
+            .filter(|pane| !pane.is_empty())
+            .map(crate::transport::PaneId::new)
+        else {
+            return false;
+        };
+        pane_addressable(transport, &pane_id)
+    })
+}
+
+fn pane_addressable(
+    transport: &dyn crate::transport::Transport,
+    pane_id: &crate::transport::PaneId,
+) -> bool {
+    match transport.has_pane(pane_id) {
+        Ok(Some(present)) => present,
+        Ok(None) | Err(_) => {
+            transport
+                .list_targets()
+                .map(|targets| targets.iter().any(|pane| pane.pane_id == *pane_id))
+                .unwrap_or(false)
+                || transport
+                    .liveness(pane_id)
+                    .map(|state| state == crate::transport::PaneLiveness::Live)
+                    .unwrap_or(false)
+        }
+    }
+}
+
+fn write_restart_readiness_timeout_event(
+    workspace: &Path,
+    readiness: RestartReadiness,
+    deadline: std::time::Duration,
+    elapsed: std::time::Duration,
+) -> Result<(), LifecycleError> {
+    crate::event_log::EventLog::new(workspace)
+        .write(
+            "restart.readiness_timeout",
+            serde_json::json!({
+                "tmux_session_created": readiness.session_created,
+                "worker_pane_addressable": readiness.worker_pane_addressable,
+                "coordinator_alive": readiness.coordinator_alive,
+                "deadline_ms": deadline.as_millis(),
+                "elapsed_ms": elapsed.as_millis(),
+                "coordinator_log": crate::coordinator::coordinator_log_path(
+                    &crate::coordinator::WorkspacePath::new(workspace.to_path_buf())
+                ).display().to_string(),
+                "state_path": crate::state::persist::runtime_state_path(workspace).display().to_string(),
+                "pid_path": crate::coordinator::coordinator_pid_path(
+                    &crate::coordinator::WorkspacePath::new(workspace.to_path_buf())
+                ).display().to_string(),
+            }),
+        )
+        .map(|_| ())
+        .map_err(|e| LifecycleError::StatePersist(e.to_string()))
+}
+
+fn restart_readiness_timeout_message(
+    workspace: &Path,
+    readiness: RestartReadiness,
+    deadline: std::time::Duration,
+) -> String {
+    let coordinator_workspace = crate::coordinator::WorkspacePath::new(workspace.to_path_buf());
+    let deadline_s = deadline.as_secs_f64();
+    format!(
+        "restart not ready within {deadline_s:.1}s: {missing}\n\
+         - tmux session created: {session}\n\
+         - worker pane addressable: {pane}\n\
+         - coordinator alive: {coordinator}\n\
+         Action: check coordinator log {log}, then `team-agent restart <agent> --allow-fresh` or `team-agent diagnose`\n\
+         Log: coordinator_log={log} state={state} pid_file={pid}",
+        missing = restart_readiness_missing_summary(readiness),
+        session = yes_no(readiness.session_created),
+        pane = yes_no(readiness.worker_pane_addressable),
+        coordinator = yes_no(readiness.coordinator_alive),
+        log = crate::coordinator::coordinator_log_path(&coordinator_workspace).display(),
+        state = crate::state::persist::runtime_state_path(workspace).display(),
+        pid = crate::coordinator::coordinator_pid_path(&coordinator_workspace).display(),
+    )
+}
+
+fn restart_readiness_missing_summary(readiness: RestartReadiness) -> String {
+    let mut missing = Vec::new();
+    if !readiness.session_created {
+        missing.push("tmux session created");
+    }
+    if !readiness.worker_pane_addressable {
+        missing.push("worker pane addressable");
+    }
+    if !readiness.coordinator_alive {
+        missing.push("coordinator alive");
+    }
+    missing.join(", ")
+}
+
+fn yes_no(value: bool) -> &'static str {
+    if value { "yes" } else { "no" }
+}
+
 fn verify_spawned_agent_live(
     _agent_id: &AgentId,
     _spawn: &SpawnedAgentWindow,

package/crates/team-agent/src/lifecycle/restart/selection.rs

@@ -4,32 +4,35 @@ use super::common::*;
 /// bug-085 四象限 `start_mode` 决策(`start.py:179-188` + `_resume_rollout_missing` `start.py:66-69`),
 /// **从 start_agent 的整条 lock+spawn 路径里分离出的纯函数**(gate gap:porter 需要单元级 RED
 /// for `FreshAfterMissingRollout`,而 start_agent 全路径不可单测)。语义:
-/// - `_resume_rollout_missing` 仅 codex 且有 session_id 时可能 true:`!rollout_path || !exists`。
+/// - resume backing 缺失时不可 resume:codex/claude 用 transcript/rollout 文件,
+///   copilot 用 session-store 行存在性(由调用方折叠进 `rollout_exists`)。
 /// - 初始 `start_mode = if session_id { Resumed } else { Fresh }`(`start.py:179`)。
-/// - **仅当** `missing && allow_fresh` 才升级为 `FreshAfterMissingRollout` 并清空 session_id
-///   (`start.py:180-190`)。`missing && !allow_fresh` 仍 `Resumed`(随后真实 resume 会 fail)。
-/// - 非 codex:rollout 永不"缺失",直接看 session_id。
+/// - `missing && allow_fresh` 升级为 `FreshAfterMissingRollout` 并清空 session_id。
+/// - `missing && !allow_fresh` 返回 `Noop`,调用方据此诚实拒绝并提示 `--allow-fresh`。
 pub fn decide_start_mode(
     provider: &str,
     session_id: Option<&SessionId>,
-    rollout_path: Option<&RolloutPath>,
+    _rollout_path: Option<&RolloutPath>,
     rollout_exists: bool,
     allow_fresh: bool,
 ) -> StartMode {
     match session_id {
         None => StartMode::Fresh,
         Some(_) => {
-            let missing_codex_rollout =
-                provider == "codex" && (rollout_path.is_none() || !rollout_exists);
-            if missing_codex_rollout && allow_fresh {
-                StartMode::FreshAfterMissingRollout
-            } else {
-                StartMode::Resumed
+            let missing_resume_backing = resumable_provider_requires_backing(provider) && !rollout_exists;
+            match (missing_resume_backing, allow_fresh) {
+                (true, true) => StartMode::FreshAfterMissingRollout,
+                (true, false) => StartMode::Noop,
+                (false, _) => StartMode::Resumed,
             }
         }
     }
 }
 
+pub(crate) fn resumable_provider_requires_backing(provider: &str) -> bool {
+    matches!(provider, "codex" | "claude" | "claude_code" | "copilot")
+}
+
 /// `first_send_at` 严格分类(`_classify_first_send_at`,`orchestration.py:399`)。
 /// **绝不靠 truthiness**:`""`/`0`/`False`/`"null"`/非 ISO → `Corrupt`。
 pub fn classify_first_send_at(raw: &serde_json::Value) -> FirstSendAtState {
@@ -129,6 +132,14 @@ pub fn python_type_name(value: &serde_json::Value) -> &'static str {
 pub fn classify_restart_plan(
     state: &serde_json::Value,
     allow_fresh: bool,
+) -> Result<RestartPlan, LifecycleError> {
+    classify_restart_plan_with_resume_validation(None, state, allow_fresh)
+}
+
+pub(crate) fn classify_restart_plan_with_resume_validation(
+    workspace: Option<&Path>,
+    state: &serde_json::Value,
+    allow_fresh: bool,
 ) -> Result<RestartPlan, LifecycleError> {
     let mut decisions = Vec::new();
     let mut corrupt_entries = Vec::new();
@@ -171,21 +182,47 @@ pub fn classify_restart_plan(
             .and_then(|v| v.as_str())
             .filter(|s| !s.is_empty())
             .map(SessionId::new);
+        let agent_id = AgentId::new(worker_id.clone());
         // E6 层2 (C2, 用户裁定"绝不静默 fresh"): null session 只有显式 --allow-fresh 才 fresh,
         // 否则 Refuse(→ resume_not_ready + 指引)。删 `!interacted` 短路 —— 自启动 worker
         // (leader 从未发消息 → first_send_at=null → interacted=false)会被它静默 fresh 丢上下文。
-        let decision = if session_id.is_some() {
+        let provider = agent_provider(agent);
+        let provider_wire = provider_wire(provider);
+        let resume_backing_exists = match (workspace, session_id.as_ref()) {
+            (Some(workspace), Some(session)) => resume_backing_exists_for_agent(
+                workspace,
+                &agent_id,
+                agent,
+                provider,
+                session,
+                agent_rollout_path(agent).as_ref(),
+            ),
+            (None, Some(_)) if resumable_provider_requires_backing(provider_wire) => {
+                agent_rollout_path(agent)
+                    .as_ref()
+                    .is_some_and(|path| path.as_path().exists())
+            }
+            _ => true,
+        };
+        let decision = if session_id.is_some() && resume_backing_exists {
             ResumeDecision::Resume
+        } else if session_id.is_some() && allow_fresh {
+            ResumeDecision::FreshStart
+        } else if session_id.is_some() {
+            ResumeDecision::Refuse
         } else if allow_fresh {
             ResumeDecision::FreshStart
         } else {
             ResumeDecision::Refuse
         };
-        let agent_id = AgentId::new(worker_id.clone());
         if matches!(decision, ResumeDecision::Refuse) {
             unresumable.push(UnresumableWorker {
                 agent_id: agent_id.clone(),
-                reason: "no_persisted_session_id".to_string(),
+                reason: if session_id.is_some() {
+                    "session_unresumable".to_string()
+                } else {
+                    "no_persisted_session_id".to_string()
+                },
                 session_id: session_id.clone(),
                 first_send_at: first_send_at_raw.as_str().map(|s| s.to_string()),
             });

package/crates/team-agent/src/lifecycle/restart.rs

@@ -37,7 +37,7 @@ pub(crate) use common::refresh_missing_provider_sessions;
 pub use orchestrator::{halt_plan, plan_status};
 pub use rebuild::{
     restart, restart_candidates, restart_with_session_convergence_deadline, restart_with_transport,
-    select_restart_state,
+    restart_with_transport_with_readiness_deadline, select_restart_state,
 };
 pub use remove::{remove_agent, remove_agent_with_transport};
 pub use selection::{classify_first_send_at, classify_restart_plan, decide_start_mode, python_type_name};
@@ -49,11 +49,15 @@ pub(crate) fn lifecycle_run_workspace(workspace: &Path) -> Result<std::path::Pat
 }
 
 fn lifecycle_paths(workspace: &Path, team: Option<&str>) -> Result<LifecyclePaths, LifecycleError> {
-    if input_has_no_local_team_context(workspace) {
+    // RED-2-STILL(P0):入口门在 canonical_run_workspace 解析后的路径上判(quick-start 的 .team 落
+    // team_dir 父目录,raw team_dir 必 miss)。期望路径报解析后 runtime 落点,不指 raw team_dir。
+    let resolved_ws = crate::model::paths::canonical_run_workspace(workspace)
+        .map_err(|e| LifecycleError::StatePersist(e.to_string()))?;
+    if input_has_no_local_team_context(&resolved_ws) {
         return Err(LifecycleError::TeamSelect(format!(
-            "active team spec not found: input_workspace={} expected_spec_path={}",
+            "active team spec not found: input_workspace={} expected_runtime_dir={}",
             workspace.display(),
-            workspace.join("team.spec.yaml").display()
+            crate::model::paths::runtime_dir(&resolved_ws).display()
         )));
     }
     let selected = crate::state::selector::resolve_active_team(

package/crates/team-agent/src/lifecycle/tests/core.rs

@@ -342,13 +342,12 @@ fn start_mode_serde_names_match_python_start_mode_strings() {
 }
 
 // ───────────────────────────────────────────────────────────────────────
-// decide_start_mode — bug-085 四象限 (start.py:66-69 + 179-190)
-// golden 实跑(PYTHONPATH=… python3 /tmp/x.py,_resume_rollout_missing + start_mode 逻辑):
+// decide_start_mode — bug-085 四象限 + E20 #264 gap closure.
 //   codex sess  rollout-present any-fresh   -> resumed
-//   codex sess  rollout-MISSING !allow_fresh -> resumed  (随后真实 resume 失败)
-//   codex sess  rollout-MISSING  allow_fresh -> fresh_after_missing_rollout   ← bug-085 唯一臂
+//   codex sess  backing-MISSING !allow_fresh -> noop/refuse (绝不静默 resume 死 session)
+//   codex sess  backing-MISSING  allow_fresh -> fresh_after_missing_rollout
 //   codex no-sess any                        -> fresh
-//   claude(非codex) sess rollout-missing fresh -> resumed (非 codex 永不"缺 rollout")
+//   claude/copilot sess backing-missing       -> fresh_after_missing_rollout 或 noop/refuse
 //   claude no-sess                            -> fresh
 // 这是 bug-085 把 start_mode 分类从 start_agent 的 lock+spawn 全路径剥离出来的命门。
 // ───────────────────────────────────────────────────────────────────────
@@ -375,11 +374,11 @@ fn decide_start_mode_codex_missing_rollout_with_allow_fresh_is_fresh_after_missi
 }
 
 #[test]
-fn decide_start_mode_codex_missing_rollout_without_allow_fresh_stays_resumed() {
-    // 关键陷阱:rollout 缺但 !allow_fresh → 仍 Resumed(start.py 不擅自丢 context)。
+fn decide_start_mode_codex_missing_rollout_without_allow_fresh_refuses() {
+    // E20 C①:backing 缺且 !allow_fresh → 诚实拒绝,绝不 resume 进死 session。
     assert_eq!(
         decide_start_mode("codex", Some(&sid("s1")), None, false, false),
-        StartMode::Resumed
+        StartMode::Noop
     );
 }
 
@@ -408,12 +407,24 @@ fn decide_start_mode_no_session_is_fresh() {
 }
 
 #[test]
-fn decide_start_mode_non_codex_never_fresh_after_missing_rollout() {
-    // 非 codex provider:rollout 概念不适用,_resume_rollout_missing 恒 false。
-    assert_eq!(
-        decide_start_mode("claude", Some(&sid("s1")), None, false, true),
-        StartMode::Resumed
-    );
+fn decide_start_mode_checks_backing_for_all_resumable_providers() {
+    for provider in ["claude", "claude_code", "copilot"] {
+        assert_eq!(
+            decide_start_mode(provider, Some(&sid("s1")), None, false, true),
+            StartMode::FreshAfterMissingRollout,
+            "{provider} missing backing + allow_fresh must not resume"
+        );
+        assert_eq!(
+            decide_start_mode(provider, Some(&sid("s1")), None, false, false),
+            StartMode::Noop,
+            "{provider} missing backing + !allow_fresh must refuse"
+        );
+        assert_eq!(
+            decide_start_mode(provider, Some(&sid("s1")), Some(&rp("/r")), true, false),
+            StartMode::Resumed,
+            "{provider} existing backing remains resumable"
+        );
+    }
     assert_eq!(
         decide_start_mode("claude", None, None, false, true),
         StartMode::Fresh
@@ -533,8 +544,11 @@ fn classify_restart_plan_never_interacted_null_session_with_allow_fresh_marks_fo
 fn classify_restart_plan_codex_with_session_still_resumes() {
     // E6 层2 回归锁(不误伤): codex worker first_send_at=null 但 session_id 已捕 →
     // 仍走 Resume(分流轴是 session_id 有无,不是 interacted)。防层2 修法把 has_session 也误判。
+    let ws = temp_ws();
+    let rollout = ws.join("codex-rollout.jsonl");
+    std::fs::write(&rollout, "{}\n").unwrap();
     let state = json!({
-        "agents": { "w1": { "provider": "codex", "session_id": "sess-codex-abc" } }
+        "agents": { "w1": { "provider": "codex", "session_id": "sess-codex-abc", "rollout_path": rollout.to_string_lossy() } }
     });
     let plan = classify_restart_plan(&state, false).expect("纯验证不应 Err");
     assert_eq!(plan.decisions.len(), 1);
@@ -978,6 +992,66 @@ fn leader_pane_env_cross_socket_all_probe_errors_stays_unknown() {
     assert_eq!(state, LeaderPaneEnvState::Unknown);
 }
 
+#[test]
+fn mcp_auto_approval_env_marks_leader_bypass_namespace_only() {
+    let mut env = std::collections::BTreeMap::new();
+    let safety = DangerousApproval {
+        enabled: true,
+        source: DangerousApprovalSource::LeaderProcess,
+        inherited: true,
+        provider: Some("codex".to_string()),
+        flag: Some("--dangerously-bypass-approvals-and-sandbox".to_string()),
+        worker_capability_above_leader: false,
+        ancestry_binary_name: Some("codex".to_string()),
+        unexpected_binary: false,
+    };
+
+    apply_mcp_auto_approval_env(&mut env, &safety);
+
+    assert_eq!(env.get("TEAM_AGENT_LEADER_BYPASS").map(String::as_str), Some("1"));
+    assert_eq!(
+        env.get("TEAM_AGENT_MCP_AUTO_APPROVE").map(String::as_str),
+        Some("team_orchestrator")
+    );
+    assert_eq!(
+        env.get("TEAM_AGENT_MCP_AUTO_APPROVE_SOURCE").map(String::as_str),
+        Some("leader_bypass")
+    );
+    assert_eq!(
+        env.get("TEAM_AGENT_LEADER_BYPASS_FLAG").map(String::as_str),
+        Some("--dangerously-bypass-approvals-and-sandbox")
+    );
+}
+
+#[test]
+fn mcp_auto_approval_env_clears_when_leader_is_restricted() {
+    let mut env = std::collections::BTreeMap::from([
+        (
+            "TEAM_AGENT_MCP_AUTO_APPROVE".to_string(),
+            "team_orchestrator".to_string(),
+        ),
+        ("TEAM_AGENT_MCP_AUTO_APPROVE_SOURCE".to_string(), "leader_bypass".to_string()),
+    ]);
+    let safety = DangerousApproval {
+        enabled: false,
+        source: DangerousApprovalSource::Disabled,
+        inherited: false,
+        provider: None,
+        flag: None,
+        worker_capability_above_leader: false,
+        ancestry_binary_name: None,
+        unexpected_binary: false,
+    };
+
+    apply_mcp_auto_approval_env(&mut env, &safety);
+
+    assert_eq!(env.get("TEAM_AGENT_LEADER_BYPASS").map(String::as_str), Some("0"));
+    assert!(
+        !env.contains_key("TEAM_AGENT_MCP_AUTO_APPROVE"),
+        "restricted leader must not leave MCP auto-approval env behind: {env:?}"
+    );
+}
+
 struct EnvVarGuard {
     key: &'static str,
     previous: Option<String>,