@team-agent/installer 0.3.8 → 0.3.10

package/crates/team-agent/src/lifecycle/tests/launch_spawn.rs

@@ -581,6 +581,82 @@ fn red2_restart_empty_workspace_still_reports_missing() {
     let _ = std::fs::remove_dir_all(&ws);
 }
 
+// RED-2-STILL (P0) — the ENTRY gate (input_has_no_local_team_context) must judge on the
+// canonical_run_workspace-resolved path, not raw. quick-start <team_dir> lands .team under the
+// resolved workspace (team_dir's parent when invoked from there); restart <team_dir> with raw gate
+// checks team_dir's own (empty) .team → false "no context" early-exit before the down-moved gate.
+//
+// Two forms (leader hard requirement — must lock BOTH, not the coincidental same-dir form):
+//   Form A: .team in the team_dir's PARENT (standard quick-start <dir> from parent cwd).
+//   Form B: .team in the team_dir itself (cwd == team_dir).
+#[test]
+fn red2still_entry_gate_resolves_parent_dot_team_form_a() {
+    // Build: base/  (has .team)  + base/teamdir/{TEAM.md, agents/} (role docs, NO own .team).
+    let base = temp_ws();
+    let team_dir = base.join("teamdir");
+    std::fs::create_dir_all(team_dir.join("agents")).unwrap();
+    std::fs::write(team_dir.join("TEAM.md"), "---\nname: teamdir\nobjective: o\nprovider: codex\n---\nt.\n").unwrap();
+    std::fs::write(team_dir.join("agents").join("w1.md"), QS_VALID_ROLE).unwrap();
+    // .team lives in the PARENT (base), with a runtime spec — mirrors quick-start <dir> from base cwd.
+    let spec = crate::compiler::compile_team(&team_dir).unwrap();
+    let runtime_spec = crate::model::paths::runtime_spec_path(&base, "teamdir");
+    std::fs::create_dir_all(runtime_spec.parent().unwrap()).unwrap();
+    std::fs::write(&runtime_spec, crate::model::yaml::dumps(&spec)).unwrap();
+    // Seed minimal team state under base so resolve finds it.
+    crate::state::persist::save_runtime_state(
+        &base,
+        &json!({"session_name": "team-teamdir", "team_dir": team_dir.to_string_lossy(),
+                "spec_path": runtime_spec.to_string_lossy(),
+                "agents": {"w1": {"status": "running", "provider": "codex"}}}),
+    )
+    .unwrap();
+    // Entry gate on team_dir: raw team_dir has NO .team (it's in parent), but resolved → base has it.
+    assert!(
+        crate::lifecycle::restart::input_has_no_local_team_context(&team_dir),
+        "precondition: raw team_dir has no local .team (it's in the parent)"
+    );
+    let resolved = crate::model::paths::canonical_run_workspace(&team_dir).unwrap();
+    assert!(
+        !crate::lifecycle::restart::input_has_no_local_team_context(&resolved),
+        "RED-2-STILL: gate on canonical_run_workspace-resolved path must see parent .team (false)"
+    );
+    // Full restart on team_dir must NOT early-exit with missing spec.
+    let transport = OfflineTransport::new();
+    let text = format!("{:?}", restart_with_transport(&team_dir, false, None, &transport));
+    assert!(
+        !text.contains("missing spec for restart") && !text.contains("active team spec not found"),
+        "RED-2-STILL Form A: restart <team_dir> (.team in parent) must not report missing; got {text}"
+    );
+    let _ = std::fs::remove_dir_all(&base);
+}
+
+#[test]
+fn red2still_entry_gate_same_dir_dot_team_form_b() {
+    // Form B: .team in team_dir itself (cwd == team_dir at quick-start time).
+    let team_dir = temp_ws();
+    std::fs::create_dir_all(team_dir.join("agents")).unwrap();
+    std::fs::write(team_dir.join("TEAM.md"), "---\nname: tb\nobjective: o\nprovider: codex\n---\nt.\n").unwrap();
+    std::fs::write(team_dir.join("agents").join("w1.md"), QS_VALID_ROLE).unwrap();
+    let spec = crate::compiler::compile_team(&team_dir).unwrap();
+    let runtime_spec = crate::model::paths::runtime_spec_path(&team_dir, "tb");
+    std::fs::create_dir_all(runtime_spec.parent().unwrap()).unwrap();
+    std::fs::write(&runtime_spec, crate::model::yaml::dumps(&spec)).unwrap();
+    crate::state::persist::save_runtime_state(
+        &team_dir,
+        &json!({"session_name": "team-tb", "team_dir": team_dir.to_string_lossy(),
+                "spec_path": runtime_spec.to_string_lossy(),
+                "agents": {"w1": {"status": "running", "provider": "codex"}}}),
+    )
+    .unwrap();
+    let transport = OfflineTransport::new();
+    let text = format!("{:?}", restart_with_transport(&team_dir, false, None, &transport));
+    assert!(
+        !text.contains("missing spec for restart") && !text.contains("active team spec not found"),
+        "RED-2-STILL Form B: restart <team_dir> (.team in team_dir) must not report missing; got {text}"
+    );
+    let _ = std::fs::remove_dir_all(&team_dir);
+}
+
 // E5 task#3 / RC-A6b — restart with role definitions MISSING explicitly refuses (lists what's
 // missing) and leaves the previous runtime spec in place (no silent path, no data destruction).
 #[test]
@@ -869,6 +945,10 @@ const DELEG_ROLE_WORKER2: &str = "---\nname: worker2\nrole: Second Worker\nprovi
 pub(super) fn restart_ws_two_resumable_workers() -> PathBuf {
     let ws = temp_ws().join("restartteam");
     std::fs::create_dir_all(ws.join("agents")).unwrap();
+    let alpha_rollout = ws.join("alpha-rollout.jsonl");
+    let bravo_rollout = ws.join("bravo-rollout.jsonl");
+    std::fs::write(&alpha_rollout, "{}\n").unwrap();
+    std::fs::write(&bravo_rollout, "{}\n").unwrap();
     std::fs::write(ws.join("TEAM.md"), "---\nname: restartteam\nobjective: Restart probe.\nprovider: codex\n---\n\nteam.\n").unwrap();
     std::fs::write(ws.join("agents").join("alpha.md"), DELEG_ROLE_ALPHA).unwrap();
     std::fs::write(ws.join("agents").join("bravo.md"), DELEG_ROLE_BRAVO).unwrap();
@@ -879,8 +959,8 @@ pub(super) fn restart_ws_two_resumable_workers() -> PathBuf {
         &json!({
             "session_name": "team-restartteam",
             "agents": {
-                "alpha": {"status": "running", "provider": "codex", "session_id": "sess-a", "first_send_at": "2026-05-27T10:00:00+00:00"},
-                "bravo": {"status": "running", "provider": "codex", "session_id": "sess-b", "first_send_at": "2026-05-27T10:00:00+00:00"}
+                "alpha": {"status": "running", "provider": "codex", "session_id": "sess-a", "rollout_path": alpha_rollout.to_string_lossy(), "first_send_at": "2026-05-27T10:00:00+00:00"},
+                "bravo": {"status": "running", "provider": "codex", "session_id": "sess-b", "rollout_path": bravo_rollout.to_string_lossy(), "first_send_at": "2026-05-27T10:00:00+00:00"}
             }
         }),
     )
@@ -889,6 +969,33 @@ pub(super) fn restart_ws_two_resumable_workers() -> PathBuf {
     ws
 }
 
+fn restart_ws_one_resumable_worker() -> PathBuf {
+    let ws = temp_ws().join("restartone");
+    std::fs::create_dir_all(ws.join("agents")).unwrap();
+    let rollout = ws.join("alpha-rollout.jsonl");
+    std::fs::write(&rollout, "{}\n").unwrap();
+    std::fs::write(
+        ws.join("TEAM.md"),
+        "---\nname: restartone\nobjective: Restart readiness probe.\nprovider: codex\n---\n\nteam.\n",
+    )
+    .unwrap();
+    std::fs::write(ws.join("agents").join("alpha.md"), DELEG_ROLE_ALPHA).unwrap();
+    let spec = crate::compiler::compile_team(&ws).expect("compile 1-agent team");
+    std::fs::write(ws.join("team.spec.yaml"), crate::model::yaml::dumps(&spec)).unwrap();
+    crate::state::persist::save_runtime_state(
+        &ws,
+        &json!({
+            "session_name": "team-restartone",
+            "agents": {
+                "alpha": {"status": "running", "provider": "codex", "session_id": "sess-a", "rollout_path": rollout.to_string_lossy(), "first_send_at": "2026-05-27T10:00:00+00:00"}
+            }
+        }),
+    )
+    .unwrap();
+    seed_healthy_coordinator(&ws);
+    ws
+}
+
 // 2 [P0] — restart_with_transport must drive the REAL Route-B resume spawn: one spawn per resumable
 // worker. The first resumed worker recreates the session with spawn_first; later workers may use
 // spawn_into only after a live-session check proves that recreated session still exists. Each spawn
@@ -944,6 +1051,38 @@ fn restart_with_transport_spawns_resumable_workers_not_stub() {
     );
 }
 
+#[test]
+fn restart_times_out_when_spawned_worker_pane_is_not_addressable() {
+    let ws = restart_ws_one_resumable_worker();
+    let transport = OfflineTransport::new().with_spawned_panes_addressable(false);
+
+    let result =
+        restart_with_transport_with_readiness_deadline(&ws, false, None, &transport, Some(0));
+
+    let text = format!("{result:?}");
+    assert!(
+        text.contains("restart not ready")
+            && text.contains("worker pane addressable: no")
+            && text.contains("Action:")
+            && text.contains("Log:"),
+        "restart must refuse with N38 readiness timeout details, not return ok; got {text}"
+    );
+    assert!(
+        !matches!(result, Ok(RestartReport::Restarted { .. })),
+        "restart readiness timeout must not return Restarted ok"
+    );
+    let events = crate::event_log::EventLog::new(&ws).tail(20).unwrap();
+    let timeout = events
+        .iter()
+        .find(|event| event.get("event").and_then(|v| v.as_str()) == Some("restart.readiness_timeout"))
+        .expect("restart.readiness_timeout event");
+    assert_eq!(
+        timeout.get("worker_pane_addressable").and_then(|v| v.as_bool()),
+        Some(false),
+        "timeout event must carry the failed readiness condition: {timeout}"
+    );
+}
+
 // 3 [P0] — start_agent_with_transport on a non-paused agent with a session_id must spawn EXACTLY ONE
 // worker (resume) carrying the provider build_command. Today the stub returns RequirementUnmet with
 // ZERO spawns -> RED at recorded.len().
@@ -951,11 +1090,13 @@ fn restart_with_transport_spawns_resumable_workers_not_stub() {
 fn start_agent_with_transport_spawns_resume_not_stub() {
     let ws = temp_ws().join("startagentws");
     std::fs::create_dir_all(&ws).unwrap();
+    let rollout = ws.join("alpha-rollout.jsonl");
+    std::fs::write(&rollout, "{}\n").unwrap();
     crate::state::persist::save_runtime_state(
         &ws,
         &json!({
             "session_name": "team-sa",
-            "agents": {"alpha": {"status": "running", "provider": "codex", "session_id": "sess-a", "first_send_at": "2026-05-27T10:00:00+00:00"}}
+            "agents": {"alpha": {"status": "running", "provider": "codex", "session_id": "sess-a", "rollout_path": rollout.to_string_lossy(), "first_send_at": "2026-05-27T10:00:00+00:00"}}
         }),
     )
     .unwrap();

package/crates/team-agent/src/lifecycle/tests/main_preserved.rs

@@ -88,11 +88,13 @@ impl crate::transport::Transport for SessionProbeRecordingTransport {
 fn respawn_ws_one_resumable_worker() -> PathBuf {
     let ws = temp_ws().join("respawn_dead_session");
     std::fs::create_dir_all(&ws).unwrap();
+    let rollout = ws.join("alpha-rollout.jsonl");
+    std::fs::write(&rollout, "{}\n").unwrap();
     crate::state::persist::save_runtime_state(
         &ws,
         &json!({
             "session_name": "team-sa",
-            "agents": {"alpha": {"status": "running", "provider": "codex", "session_id": "sess-a", "first_send_at": "2026-05-27T10:00:00+00:00"}}
+            "agents": {"alpha": {"status": "running", "provider": "codex", "session_id": "sess-a", "rollout_path": rollout.to_string_lossy(), "first_send_at": "2026-05-27T10:00:00+00:00"}}
         }),
     )
     .unwrap();

package/crates/team-agent/src/messaging/delivery.rs

@@ -17,7 +17,7 @@ use crate::transport::{
 use super::helpers::{message_exists, MessageStatusShadow};
 use super::{
     DeliveryOutcome, DeliveryRefusal, DeliveryStage, DeliveryStatus, MessagingError,
-    PaneWidthQuery, TrustRetryPayload,
+    PaneWidthQuery, TrustRetryPayload, SEND_RETRY_MAX_ATTEMPTS,
 };
 use crate::state::projection::OwnerTeamResolution;
 
@@ -286,7 +286,6 @@ pub fn deliver_pending_message(
             "submit_unverified:{}",
             submit_verification_wire(inject_report.submit_verification)
         );
-        store.mark(message_id, "submitted_unverified", Some(&reason))?;
         event_log.write(
             "send.unverified",
             serde_json::json!({
@@ -296,6 +295,29 @@ pub fn deliver_pending_message(
                 "attempts": inject_report.attempts,
             }),
         )?;
+        if inject_report.attempts >= u32::from(SEND_RETRY_MAX_ATTEMPTS) {
+            store.mark(message_id, "failed", Some("send_unverified_exhausted"))?;
+            emit_send_failed_exhausted(
+                workspace,
+                state,
+                event_log,
+                message_id,
+                &message.recipient,
+                inject_report.attempts,
+                &reason,
+            )?;
+            return Ok(DeliveryOutcome {
+                ok: false,
+                status: DeliveryStatus::Failed,
+                message_status: MessageStatusShadow("failed".to_string()),
+                message_id: Some(message_id.to_string()),
+                verification: Some(reason),
+                stage: Some(DeliveryStage::Submit),
+                reason: None,
+                channel: None,
+            });
+        }
+        store.mark(message_id, "submitted_unverified", Some(&reason))?;
         return Ok(DeliveryOutcome {
             ok: false,
             status: DeliveryStatus::Failed,
@@ -538,6 +560,65 @@ fn leader_receiver_field_in_state<'a>(
         .filter(|value| !value.is_empty())
 }
 
+fn emit_send_failed_exhausted(
+    workspace: &Path,
+    state: &serde_json::Value,
+    event_log: &EventLog,
+    message_id: &str,
+    recipient: &str,
+    attempts: u32,
+    verification: &str,
+) -> Result<(), MessagingError> {
+    event_log.write(
+        "send.failed",
+        serde_json::json!({
+            "message_id": message_id,
+            "recipient": recipient,
+            "attempts": attempts,
+            "max_attempts": SEND_RETRY_MAX_ATTEMPTS,
+            "reason": "send_unverified_exhausted",
+            "verification": verification,
+        }),
+    )?;
+    let content = format!(
+        "send.failed\nerror: send to {recipient} remained unverified after {attempts}/{SEND_RETRY_MAX_ATTEMPTS} attempts\naction: inspect the target pane and retry the send\nlog: .team/logs/events.jsonl"
+    );
+    match crate::messaging::send_to_leader_receiver(
+        workspace,
+        state,
+        "leader",
+        &content,
+        None,
+        "coordinator",
+        false,
+        Some(&format!("send.failed:{message_id}")),
+        event_log,
+    ) {
+        Ok(outcome) => {
+            event_log.write(
+                "send.failed_notification",
+                serde_json::json!({
+                    "message_id": message_id,
+                    "recipient": recipient,
+                    "leader_notification_status": super::helpers::status_wire(outcome.status),
+                    "leader_message_id": outcome.message_id,
+                }),
+            )?;
+        }
+        Err(error) => {
+            event_log.write(
+                "send.failed_notification_failed",
+                serde_json::json!({
+                    "message_id": message_id,
+                    "recipient": recipient,
+                    "error": error.to_string(),
+                }),
+            )?;
+        }
+    }
+    Ok(())
+}
+
 fn active_team_entry(state: &serde_json::Value) -> Option<&serde_json::Value> {
     let team = state.get("active_team_key").and_then(serde_json::Value::as_str)?;
     state

package/crates/team-agent/src/messaging/results.rs

@@ -689,28 +689,33 @@ pub fn report_result_for_owner_team(
                     std::thread::sleep(std::time::Duration::from_millis(50));
                 }
             }
-            match inject_leader_notification_direct(workspace, &delivery_state, &content, &message_id) {
-                Ok(()) => {
-                    store.mark(&message_id, "delivered", None)?;
-                    outcome = crate::messaging::DeliveryOutcome {
-                        ok: true,
-                        status: crate::messaging::DeliveryStatus::Delivered,
-                        message_status: super::helpers::MessageStatusShadow("delivered".to_string()),
-                        message_id: Some(message_id),
-                        verification: None,
-                        stage: None,
-                        reason: None,
-                        channel: Some("leader_receiver".to_string()),
-                    };
-                }
-                Err(reason) => {
-                    event_log.write(
-                        "leader_receiver.direct_inject_skipped",
-                        serde_json::json!({
-                            "message_id": message_id,
-                            "reason": reason,
-                        }),
-                    )?;
+            // E15(F4.4 双投修):direct inject 是 deliver **失败时的兜底**,不是无条件第二投。
+            // deliver loop 成功(outcome.ok)→ 跳过 direct inject,leader 仅收 deliver 那一条;
+            // 全失败 → direct inject 兜底投一条(不丢 result,守 #230/MUST-8)。两全:恰一条。
+            if !outcome.ok {
+                match inject_leader_notification_direct(workspace, &delivery_state, &content, &message_id) {
+                    Ok(()) => {
+                        store.mark(&message_id, "delivered", None)?;
+                        outcome = crate::messaging::DeliveryOutcome {
+                            ok: true,
+                            status: crate::messaging::DeliveryStatus::Delivered,
+                            message_status: super::helpers::MessageStatusShadow("delivered".to_string()),
+                            message_id: Some(message_id),
+                            verification: None,
+                            stage: None,
+                            reason: None,
+                            channel: Some("leader_receiver".to_string()),
+                        };
+                    }
+                    Err(reason) => {
+                        event_log.write(
+                            "leader_receiver.direct_inject_skipped",
+                            serde_json::json!({
+                                "message_id": message_id,
+                                "reason": reason,
+                            }),
+                        )?;
+                    }
                 }
             }
     }

package/crates/team-agent/src/messaging/tests/runtime.rs

@@ -1068,6 +1068,96 @@ fn fire_due_scheduled_events_fires_each_scheduled_kind() {
     assert_eq!(fired.len(), 3, "exactly the three seeded due events fire, no extras");
 }
 
+struct UnverifiedInjectTransport;
+impl Transport for UnverifiedInjectTransport {
+    fn kind(&self) -> BackendKind {
+        BackendKind::Tmux
+    }
+    fn spawn_first(&self, _s: &SessionName, _w: &WindowName, _a: &[String], _c: &Path, _e: &BTreeMap<String, String>) -> Result<SpawnResult, TransportError> {
+        unimplemented!("not reached in delivery")
+    }
+    fn spawn_into(&self, _s: &SessionName, _w: &WindowName, _a: &[String], _c: &Path, _e: &BTreeMap<String, String>) -> Result<SpawnResult, TransportError> {
+        unimplemented!("not reached in delivery")
+    }
+    fn inject(&self, _t: &Target, _p: &InjectPayload, _s: Key, _b: bool) -> Result<InjectReport, TransportError> {
+        Ok(InjectReport {
+            stage_reached: crate::transport::InjectStage::Submit,
+            inject_verification: crate::transport::InjectVerification::CaptureContainsToken,
+            submit_verification: crate::transport::SubmitVerification::PastedContentPromptStillPresentAfterSubmit,
+            turn_verification: crate::transport::TurnVerification::NotYetObserved,
+            attempts: u32::from(SEND_RETRY_MAX_ATTEMPTS),
+        })
+    }
+    fn send_keys(&self, _t: &Target, _k: &[Key]) -> Result<(), TransportError> {
+        Ok(())
+    }
+    fn capture(&self, _t: &Target, range: CaptureRange) -> Result<CapturedText, TransportError> {
+        Ok(CapturedText { text: String::new(), range })
+    }
+    fn query(&self, _t: &Target, _f: PaneField) -> Result<Option<String>, TransportError> {
+        Ok(None)
+    }
+    fn liveness(&self, _p: &PaneId) -> Result<PaneLiveness, TransportError> {
+        Ok(PaneLiveness::Unknown)
+    }
+    fn list_targets(&self) -> Result<Vec<PaneInfo>, TransportError> {
+        Ok(Vec::new())
+    }
+    fn has_session(&self, _s: &SessionName) -> Result<bool, TransportError> {
+        Ok(true)
+    }
+    fn list_windows(&self, _s: &SessionName) -> Result<Vec<WindowName>, TransportError> {
+        Ok(Vec::new())
+    }
+    fn set_session_env(&self, _s: &SessionName, _k: &str, _v: &str) -> Result<SetEnvOutcome, TransportError> {
+        Ok(SetEnvOutcome::Applied)
+    }
+    fn kill_session(&self, _s: &SessionName) -> Result<(), TransportError> {
+        Ok(())
+    }
+    fn kill_window(&self, _t: &Target) -> Result<(), TransportError> {
+        Ok(())
+    }
+    fn attach_session(&self, _s: &SessionName) -> Result<AttachOutcome, TransportError> {
+        Ok(AttachOutcome::Attached)
+    }
+}
+
+#[test]
+fn deliver_pending_exhausted_unverified_send_emits_failed_event() {
+    let ws = tmp_ws("sendfailed");
+    let store = store_for(&ws);
+    let log = EventLog::new(&ws);
+    let state = serde_json::json!({
+        "session_name": "team-sendfailed",
+        "leader_receiver": {"pane_id": "%leader"},
+        "agents": {"w1": {"provider": "fake", "pane_id": "%1"}}
+    });
+    crate::state::persist::save_runtime_state(&ws, &state).unwrap();
+    let message_id = store
+        .create_message(None, "leader", "w1", "ping", None, false, None)
+        .unwrap();
+
+    let out = deliver_pending_message(&ws, &store, &UnverifiedInjectTransport, &message_id, &log, &state)
+        .unwrap();
+
+    assert!(!out.ok);
+    assert_eq!(out.message_status.0, "failed");
+    let events = log.tail(0).unwrap();
+    assert!(
+        events
+            .iter()
+            .any(|event| event.get("event").and_then(serde_json::Value::as_str) == Some("send.failed")),
+        "exhausted unverified send must emit send.failed; got {events:?}"
+    );
+    assert!(
+        events
+            .iter()
+            .any(|event| event.get("event").and_then(serde_json::Value::as_str) == Some("send.failed_notification")),
+        "exhausted unverified send must queue a leader-visible notification; got {events:?}"
+    );
+}
+
 // ════════════════════════════════════════════════════════════════════════
 // GROUP V — retry_result_deliveries: re-route notify_failed watchers with
 // dedupe_reason rebind_retry. result_delivery.py:19-35.
@@ -1435,3 +1525,21 @@ fn r8_attach_requeue_exhausted_to_notify_failed_golden_attach_event() {
     assert_eq!(ev.get("trigger").and_then(|v| v.as_str()), Some("attach_leader"));
     assert_eq!(ev.get("new_pane_id").and_then(|v| v.as_str()), Some("%leader-new"));
 }
+
+// E15 (F4.4 双投修)·源码守卫:report_result 的 direct inject 必须被 `if !outcome.ok` 守为
+// deliver 失败时的真兜底,绝不在 deliver 成功后无条件再投一次(=用户看到两条同内容回复)。
+#[test]
+fn e15_direct_inject_is_gated_by_deliver_failure_not_unconditional() {
+    let src = include_str!("../results.rs");
+    // 锁:inject_leader_notification_direct 调用点之前必须有 `if !outcome.ok` 门。
+    let gate = "if !outcome.ok {";
+    let inject_call = "match inject_leader_notification_direct(";
+    let gate_pos = src.find(gate);
+    let inject_pos = src.find(inject_call);
+    assert!(gate_pos.is_some(), "E15: direct inject must be gated by `if !outcome.ok` (deliver-fail fallback)");
+    assert!(inject_pos.is_some(), "inject_leader_notification_direct call site must exist (do NOT delete it; #230 fallback)");
+    assert!(
+        gate_pos.unwrap() < inject_pos.unwrap(),
+        "E15: the `if !outcome.ok` gate must precede the direct-inject call (deliver-success must skip inject → leader gets exactly one copy)"
+    );
+}