diff --git a/README.md b/README.md
index cda15700..f717c2de 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@
-
+
diff --git a/agent-teams-controller/src/internal/context.js b/agent-teams-controller/src/internal/context.js
index abe218e1..e9dec826 100644
--- a/agent-teams-controller/src/internal/context.js
+++ b/agent-teams-controller/src/internal/context.js
@@ -16,6 +16,7 @@ function createControllerContext(options = {}) {
teamName,
claudeDir: paths.claudeDir,
paths,
+ allowUserMessageSender: options.allowUserMessageSender !== false,
};
}
diff --git a/agent-teams-controller/src/internal/messages.js b/agent-teams-controller/src/internal/messages.js
index 357feb7f..7a678404 100644
--- a/agent-teams-controller/src/internal/messages.js
+++ b/agent-teams-controller/src/internal/messages.js
@@ -158,15 +158,22 @@ function normalizeMessageSendFlags(context, flags) {
next.member = resolvedTo;
}
+ const fromRequiredForAgentTool = context.allowUserMessageSender === false;
if (typeof next.from === 'string' && next.from.trim()) {
const rawFrom = next.from.trim();
if (rawFrom.toLowerCase() !== 'user') {
next.from = runtimeHelpers.assertExplicitTeamMemberName(context.paths, rawFrom, 'from', {
allowLeadAliases: true,
});
+ } else if (fromRequiredForAgentTool) {
+ throw new Error(
+ 'message_send from user is reserved for the human user. Set from to your configured teammate name.'
+ );
} else {
next.from = 'user';
}
+ } else if (fromRequiredForAgentTool) {
+ throw new Error('message_send requires from to be your configured teammate name.');
}
return next;
diff --git a/agent-teams-controller/src/internal/runtimeHelpers.js b/agent-teams-controller/src/internal/runtimeHelpers.js
index 91003302..93784df0 100644
--- a/agent-teams-controller/src/internal/runtimeHelpers.js
+++ b/agent-teams-controller/src/internal/runtimeHelpers.js
@@ -225,6 +225,85 @@ function resolveExplicitTeamMemberName(paths, candidate, options = {}) {
return null;
}
+function getLeadProviderKeys(paths, explicitMembers) {
+ const leadName = inferLeadName(paths);
+ const leadKey = normalizeMemberKey(leadName);
+ const leadMember =
+ (leadKey ? explicitMembers.membersByKey.get(leadKey) : null) ||
+ Array.from(explicitMembers.membersByKey.values()).find((member) => isCanonicalLeadMember(member));
+ if (!leadMember) return { leadName: '', keys: new Set() };
+
+ const keys = new Set();
+ for (const field of ['providerId', 'provider', 'providerBackendId']) {
+ const key = normalizeMemberKey(leadMember[field]);
+ if (key) keys.add(key);
+ }
+ return { leadName: leadMember.name, keys };
+}
+
+function formatAllowedTaskCommentAuthors(paths, explicitMembers, options = {}) {
+ const allowed = new Set();
+ if (options.allowReservedAuthors !== false) {
+ allowed.add('user');
+ allowed.add('system');
+ }
+ for (const member of explicitMembers.membersByKey.values()) {
+ if (member && typeof member.name === 'string' && member.name.trim()) {
+ allowed.add(member.name.trim());
+ }
+ }
+
+ const leadName = inferLeadName(paths);
+ const leadKey = normalizeMemberKey(leadName);
+ if (leadKey && explicitMembers.membersByKey.has(leadKey)) {
+ allowed.add('lead');
+ allowed.add('team-lead');
+ }
+
+ return Array.from(allowed).sort((a, b) => a.localeCompare(b)).join(', ');
+}
+
+function resolveTaskCommentAuthorName(paths, candidate, label = 'task comment author', options = {}) {
+ const normalized = typeof candidate === 'string' && candidate.trim() ? candidate.trim() : '';
+ if (!normalized) {
+ return inferLeadName(paths);
+ }
+
+ const key = normalizeMemberKey(normalized);
+ if (key === 'user' || key === 'system') {
+ if (options.allowReservedAuthors === false) {
+ throw new Error(
+ `${label} "${key}" is reserved for app-owned writes. Set from to your configured teammate name.`
+ );
+ }
+ return key;
+ }
+
+ const explicit = collectExplicitTeamMembers(paths);
+ const directMember = explicit.membersByKey.get(key);
+ if (directMember && !explicit.removedNames.has(key)) {
+ return directMember.name;
+ }
+
+ const leadAlias = resolveExplicitTeamMemberName(paths, normalized, { allowLeadAliases: true });
+ if (leadAlias) {
+ return leadAlias;
+ }
+
+ const { leadName, keys } = getLeadProviderKeys(paths, explicit);
+ if (leadName && keys.has(key)) {
+ return leadName;
+ }
+
+ throw new Error(
+ `Unknown ${label}: ${normalized}. Use one of: ${formatAllowedTaskCommentAuthors(
+ paths,
+ explicit,
+ options
+ )}.`
+ );
+}
+
function assertExplicitTeamMemberName(paths, candidate, label = 'member', options = {}) {
const resolved = resolveExplicitTeamMemberName(paths, candidate, options);
if (!resolved) {
@@ -626,6 +705,7 @@ module.exports = {
readMembersMeta,
readTeamConfig,
resolveExplicitTeamMemberName,
+ resolveTaskCommentAuthorName,
resolveTeamMembers,
getCurrentRuntimeMemberIdentity,
resolveCanonicalLeadSessionId,
diff --git a/agent-teams-controller/src/internal/tasks.js b/agent-teams-controller/src/internal/tasks.js
index 5e05992f..13dea345 100644
--- a/agent-teams-controller/src/internal/tasks.js
+++ b/agent-teams-controller/src/internal/tasks.js
@@ -229,14 +229,16 @@ function maybeNotifyTaskOwnerOnComment(context, task, comment, options = {}) {
}
const leadName = runtimeHelpers.inferLeadName(context.paths);
- if (isSameTaskMember(owner, comment.author, leadName)) {
+ const rawAuthor = normalizeActorName(comment.author);
+ const sender = rawAuthor.toLowerCase() === 'system' ? leadName : rawAuthor || leadName;
+ if (isSameTaskMember(owner, sender, leadName)) {
return;
}
const leadSessionId = runtimeHelpers.resolveLeadSessionId(context.paths);
messages.sendMessage(context, {
member: owner,
- from: normalizeActorName(comment.author) || leadName,
+ from: sender,
text: buildCommentNotificationMessage(context, task, comment),
taskRefs: Array.isArray(comment.taskRefs) ? comment.taskRefs : undefined,
summary: `Comment on #${task.displayId || task.id}`,
@@ -410,11 +412,16 @@ function notifyUnblockedOwners(context, completedTask) {
// Stable comment ID prevents duplicates when completeTask is called
// multiple times for the same task (e.g. agent retry). addTaskComment
// in taskStore.js deduplicates by id (line 485).
- addTaskComment(context, blockedTask.id, {
- id: `dep-resolved-${completedTask.id}-${blockedTask.id}`,
- text: lines.join('\n'),
- from: 'system',
- });
+ addTaskCommentWithOptions(
+ context,
+ blockedTask.id,
+ {
+ id: `dep-resolved-${completedTask.id}-${blockedTask.id}`,
+ text: lines.join('\n'),
+ from: 'system',
+ },
+ { trustedInternalWrite: true }
+ );
} catch {
// Best-effort per blocked task: skip on failure
}
@@ -497,23 +504,37 @@ function updateTaskFields(context, taskId, fields) {
);
}
-function addTaskComment(context, taskId, flags) {
+function addTaskCommentWithOptions(context, taskId, flags, options = {}) {
+ const commentFlags = flags || {};
+ const fromRequiredForAgentTool =
+ context.allowUserMessageSender === false && options.trustedInternalWrite !== true;
+ if (
+ fromRequiredForAgentTool &&
+ !(typeof commentFlags.from === 'string' && commentFlags.from.trim())
+ ) {
+ throw new Error('task_add_comment requires from to be your configured teammate name.');
+ }
+ const author = runtimeHelpers.resolveTaskCommentAuthorName(
+ context.paths,
+ commentFlags.from,
+ 'task comment author',
+ { allowReservedAuthors: !fromRequiredForAgentTool }
+ );
const result = withTeamBoardLock(context.paths, () =>
- taskStore.addTaskComment(context.paths, taskId, flags.text, {
- author: typeof flags.from === 'string' && flags.from.trim() ?
- flags.from.trim() : runtimeHelpers.inferLeadName(context.paths),
- ...(flags.id ? { id: flags.id } : {}),
- ...(flags.createdAt ? { createdAt: flags.createdAt } : {}),
- ...(flags.type ? { type: flags.type } : {}),
- ...(Array.isArray(flags.taskRefs) ? { taskRefs: flags.taskRefs } : {}),
- ...(Array.isArray(flags.attachments) ? { attachments: flags.attachments } : {}),
+ taskStore.addTaskComment(context.paths, taskId, commentFlags.text, {
+ author,
+ ...(commentFlags.id ? { id: commentFlags.id } : {}),
+ ...(commentFlags.createdAt ? { createdAt: commentFlags.createdAt } : {}),
+ ...(commentFlags.type ? { type: commentFlags.type } : {}),
+ ...(Array.isArray(commentFlags.taskRefs) ? { taskRefs: commentFlags.taskRefs } : {}),
+ ...(Array.isArray(commentFlags.attachments) ? { attachments: commentFlags.attachments } : {}),
})
);
try {
maybeNotifyTaskOwnerOnComment(context, result.task, result.comment, {
inserted: result.inserted,
- notifyOwner: flags.notifyOwner,
+ notifyOwner: commentFlags.notifyOwner,
});
} catch (notifyError) {
warnNonCritical(`[tasks] owner notification failed for task ${taskId}`, notifyError);
@@ -529,6 +550,10 @@ function addTaskComment(context, taskId, flags) {
};
}
+function addTaskComment(context, taskId, flags) {
+ return addTaskCommentWithOptions(context, taskId, flags);
+}
+
function attachTaskFile(context, taskId, flags) {
const canonicalTaskId = resolveTaskId(context, taskId);
const saved = runtimeHelpers.saveTaskAttachmentFile(context.paths, canonicalTaskId, flags);
diff --git a/agent-teams-controller/test/controller.test.js b/agent-teams-controller/test/controller.test.js
index e95b3655..b0494fd4 100644
--- a/agent-teams-controller/test/controller.test.js
+++ b/agent-teams-controller/test/controller.test.js
@@ -1080,6 +1080,52 @@ describe('agent-teams-controller API', () => {
).toThrow('message_send cannot target cross_team_send. Use cross_team_send with toTeam.');
});
+ it('prevents agent-facing message_send from impersonating the human user', () => {
+ const claudeDir = makeClaudeDir();
+ const appController = createController({ teamName: 'my-team', claudeDir });
+ const agentController = createController({
+ teamName: 'my-team',
+ claudeDir,
+ allowUserMessageSender: false,
+ });
+
+ const appMessage = appController.messages.sendMessage({
+ to: 'team-lead',
+ from: 'user',
+ text: 'Real user question.',
+ summary: 'User question',
+ });
+ expect(appMessage.deliveredToInbox).toBe(true);
+
+ expect(() =>
+ agentController.messages.sendMessage({
+ to: 'team-lead',
+ from: 'user',
+ text: 'Forged user message.',
+ summary: 'Forged',
+ })
+ ).toThrow('message_send from user is reserved for the human user');
+
+ expect(() =>
+ agentController.messages.sendMessage({
+ to: 'team-lead',
+ text: 'Missing sender should not default to user.',
+ })
+ ).toThrow('message_send requires from to be your configured teammate name');
+
+ const agentMessage = agentController.messages.sendMessage({
+ to: 'team-lead',
+ from: 'bob',
+ text: 'Legitimate teammate message.',
+ summary: 'Teammate update',
+ });
+ expect(agentMessage.deliveredToInbox).toBe(true);
+
+ const leadInboxPath = path.join(claudeDir, 'teams', 'my-team', 'inboxes', 'alice.json');
+ const leadRows = JSON.parse(fs.readFileSync(leadInboxPath, 'utf8'));
+ expect(leadRows.map((row) => row.from)).toEqual(['user', 'bob']);
+ });
+
it('wakes task owner on regular comment from another member', () => {
const claudeDir = makeClaudeDir();
const controller = createController({ teamName: 'my-team', claudeDir });
@@ -1099,6 +1145,181 @@ describe('agent-teams-controller API', () => {
expect(rows[0].leadSessionId).toBe('lead-session-1');
});
+ it('normalizes task comment authors at the write boundary', () => {
+ const claudeDir = makeClaudeDir();
+ fs.writeFileSync(
+ path.join(claudeDir, 'teams', 'my-team', 'config.json'),
+ JSON.stringify(
+ {
+ name: 'my-team',
+ leadSessionId: 'lead-session-1',
+ members: [
+ { name: 'team-lead', role: 'team-lead', providerId: 'codex', provider: 'codex' },
+ { name: 'bob', role: 'developer' },
+ ],
+ },
+ null,
+ 2
+ )
+ );
+
+ const controller = createController({ teamName: 'my-team', claudeDir });
+ const task = controller.tasks.createTask({ subject: 'Review result', notifyOwner: false });
+
+ const fromProvider = controller.tasks.addTaskComment(task.id, {
+ from: 'codex',
+ text: 'Lead runtime finished review.',
+ });
+ const fromAlias = controller.tasks.addTaskComment(task.id, {
+ from: 'lead',
+ text: 'Lead alias finished review.',
+ });
+ const fromUser = controller.tasks.addTaskComment(task.id, {
+ from: 'User',
+ text: 'User follow-up.',
+ });
+ const fromSystem = controller.tasks.addTaskComment(task.id, {
+ from: 'System',
+ text: 'System note.',
+ });
+
+ expect(fromProvider.comment.author).toBe('team-lead');
+ expect(fromAlias.comment.author).toBe('team-lead');
+ expect(fromUser.comment.author).toBe('user');
+ expect(fromSystem.comment.author).toBe('system');
+ });
+
+ it('does not map a real teammate named like the lead provider id to the lead', () => {
+ const claudeDir = makeClaudeDir();
+ fs.writeFileSync(
+ path.join(claudeDir, 'teams', 'my-team', 'config.json'),
+ JSON.stringify(
+ {
+ name: 'my-team',
+ leadSessionId: 'lead-session-1',
+ members: [
+ { name: 'team-lead', role: 'team-lead', providerId: 'codex', provider: 'codex' },
+ { name: 'codex', role: 'developer' },
+ ],
+ },
+ null,
+ 2
+ )
+ );
+
+ const controller = createController({ teamName: 'my-team', claudeDir });
+ const task = controller.tasks.createTask({ subject: 'Member named codex', notifyOwner: false });
+
+ const commented = controller.tasks.addTaskComment(task.id, {
+ from: 'codex',
+ text: 'Real teammate comment.',
+ });
+
+ expect(commented.comment.author).toBe('codex');
+ });
+
+ it('rejects task comments from unknown authors', () => {
+ const claudeDir = makeClaudeDir();
+ const controller = createController({ teamName: 'my-team', claudeDir });
+ const task = controller.tasks.createTask({ subject: 'Reject unknown author', notifyOwner: false });
+
+ expect(() =>
+ controller.tasks.addTaskComment(task.id, {
+ from: 'ghost',
+ text: 'This should not be persisted.',
+ })
+ ).toThrow('Unknown task comment author: ghost');
+
+ expect(controller.tasks.getTask(task.id).comments || []).toEqual([]);
+ });
+
+ it('prevents agent-facing task_add_comment from impersonating app-owned authors', () => {
+ const claudeDir = makeClaudeDir();
+ const appController = createController({ teamName: 'my-team', claudeDir });
+ const agentController = createController({
+ teamName: 'my-team',
+ claudeDir,
+ allowUserMessageSender: false,
+ });
+ const task = appController.tasks.createTask({ subject: 'Reserved comment authors', notifyOwner: false });
+
+ const appComment = appController.tasks.addTaskComment(task.id, {
+ from: 'user',
+ text: 'Real user comment.',
+ });
+ expect(appComment.comment.author).toBe('user');
+
+ expect(() =>
+ agentController.tasks.addTaskComment(task.id, {
+ from: 'user',
+ text: 'Forged user comment.',
+ })
+ ).toThrow('task comment author "user" is reserved for app-owned writes');
+
+ expect(() =>
+ agentController.tasks.addTaskComment(task.id, {
+ text: 'Missing sender should not default to lead.',
+ })
+ ).toThrow('task_add_comment requires from to be your configured teammate name');
+
+ let unknownAuthorError;
+ try {
+ agentController.tasks.addTaskComment(task.id, {
+ from: 'ghost',
+ text: 'Unknown teammate should get a useful recovery error.',
+ });
+ } catch (error) {
+ unknownAuthorError = error;
+ }
+ expect(unknownAuthorError.message).toContain('Unknown task comment author: ghost');
+ expect(unknownAuthorError.message).not.toContain('user');
+ expect(unknownAuthorError.message).not.toContain('system');
+
+ const agentComment = agentController.tasks.addTaskComment(task.id, {
+ from: 'bob',
+ text: 'Legitimate teammate comment.',
+ });
+ expect(agentComment.comment.author).toBe('bob');
+
+ const comments = agentController.tasks.getTask(task.id).comments || [];
+ expect(comments.map((comment) => comment.author)).toEqual(['user', 'bob']);
+ });
+
+ it('keeps internal dependency comments when agent-facing task_complete unblocks a task', () => {
+ const claudeDir = makeClaudeDir();
+ const appController = createController({ teamName: 'my-team', claudeDir });
+ const agentController = createController({
+ teamName: 'my-team',
+ claudeDir,
+ allowUserMessageSender: false,
+ });
+ const dependency = appController.tasks.createTask({
+ subject: 'Prepare calculator API',
+ owner: 'bob',
+ notifyOwner: false,
+ });
+ const blocked = appController.tasks.createTask({
+ subject: 'Build calculator UI',
+ owner: 'bob',
+ 'blocked-by': dependency.displayId,
+ notifyOwner: false,
+ });
+
+ expect(() => agentController.tasks.completeTask(dependency.id, 'bob')).not.toThrow();
+
+ const comments = appController.tasks.getTask(blocked.id).comments || [];
+ expect(comments).toHaveLength(1);
+ expect(comments[0].author).toBe('system');
+ expect(comments[0].id).toBe(`dep-resolved-${dependency.id}-${blocked.id}`);
+ expect(comments[0].text).toContain('Dependency resolved');
+
+ const inboxPath = path.join(claudeDir, 'teams', 'my-team', 'inboxes', 'bob.json');
+ const rows = JSON.parse(fs.readFileSync(inboxPath, 'utf8'));
+ expect(rows).toHaveLength(1);
+ expect(rows[0].from).toBe('alice');
+ expect(rows[0].text).toContain('Dependency resolved');
+ });
+
it('includes the assigned task ref in owner assignment notifications', () => {
const claudeDir = makeClaudeDir();
const controller = createController({ teamName: 'my-team', claudeDir });
diff --git a/docs/research/messenger-connectors-uncertainty-pass-27.md b/docs/research/messenger-connectors-uncertainty-pass-27.md
new file mode 100644
index 00000000..f55de1b9
--- /dev/null
+++ b/docs/research/messenger-connectors-uncertainty-pass-27.md
@@ -0,0 +1,345 @@
+# Messenger Connectors - Uncertainty Pass 27
+
+Date: 2026-04-28
+Scope: remaining low-confidence areas after topic capability design
+Context source: previous architecture worktree doc at `/Users/belief/dev/projects/claude/_worktrees/claude_team_messenger_connectors/docs/messenger-connectors-architecture.md`
+
+## Executive Delta
+
+The highest risk is no longer "can Telegram topics work at all". The design now has proof and fallback paths.
+
+The next real risk is identity and lifecycle:
+
+```text
+Telegram topic route -> team identity -> member identity -> message identity
+```
+
+Current app code is mostly keyed by `teamName`. That is workable for UI, but risky for messenger routes because external provider state can outlive local team folders.
+
+## Source Facts Rechecked
+
+Telegram official docs checked on 2026-04-28:
+
+- `getUpdates` update ids are useful for ignoring repeated webhook or polling updates.
+- Telegram stores incoming updates only until the bot receives them, and not longer than 24 hours.
+- Webhooks retry on non-2xx responses.
+- `User.has_topics_enabled` and `User.allows_users_to_create_topics` are returned only by `getMe`.
+- Bot API 9.4 allowed bots to create topics in private chats and allowed bots to prevent users from creating/deleting topics through BotFather Mini App.
+- `reply_to_message` is only for replies in the same chat and message thread.
+- `external_reply` can come from another chat or forum topic and must not be used for teammate routing.
+- MTProto send errors include `TOPIC_CLOSED` and `TOPIC_DELETED`; Bot API adapter should classify equivalent provider failures into typed sanitized errors.
+
+Local code facts checked:
+
+- `TeamConfig` has `name`, `description`, `color`, `members`, `projectPath`, `leadSessionId`, `deletedAt`, but no public stable `teamId`.
+- `TeamChangeEvent` does not include delete, restore, permanent-delete or rename event types.
+- `deleteTeam` soft-deletes by writing `deletedAt` into `config.json`.
+- `restoreTeam` removes `deletedAt`.
+- `permanentlyDeleteTeam` removes team and task dirs.
+- Team backup has private `identityId` and writes `_backupIdentityId` into config as a backup guard, but this is not a product-level team identity.
+- Many runtime paths use `teamName` as the runtime/team id.
+
+Sources:
+
+- https://core.telegram.org/bots/api
+- https://core.telegram.org/bots/api-changelog
+- https://core.telegram.org/method/messages.sendMessage
+
+## 1. Team Identity Gap
+
+Messenger routes must not be keyed only by `teamName`.
+
+Danger scenario:
+
+```text
+1. User connects Telegram topic to teamName="frontend".
+2. User permanently deletes the team.
+3. User later creates a new unrelated team with the same teamName="frontend".
+4. Old Telegram topic receives a message.
+5. If route is keyed only by teamName, message can route to the new unrelated team.
+```
+
+This is worse than a normal UI cache bug because Telegram routes are external and long-lived.
+
+Top 3 team identity options:
+
+1. Add feature-owned `messengerTeamIdentityId` registry keyed by current `teamName` and backup marker if available - π― 8 π‘οΈ 8 π§ 5, approx 700-1400 LOC.
+ - Does not require changing global `TeamConfig` schema immediately.
+ - Gives messenger routes stable identity.
+ - Can reconcile with `_backupIdentityId` but does not depend on it.
+
+2. Promote a stable `teamId` into `TeamConfig` globally - π― 7 π‘οΈ 9 π§ 8, approx 1800-4000 LOC.
+ - Best long-term domain model.
+ - Larger migration blast radius because many services assume `teamName`.
+
+3. Keep `teamName` only and rely on tombstones - π― 5 π‘οΈ 6 π§ 3, approx 400-900 LOC.
+ - Fast.
+ - Still fragile when tombstones are pruned or route state is restored from backup.
+
+Recommendation:
+
+```text
+Use option 1 for messenger MVP.
+Design it so global TeamConfig.teamId can replace it later.
+```
+
+Suggested identity record:
+
+```ts
+type MessengerTeamIdentityRecord = {
+ messengerTeamIdentityId: string;
+ currentTeamName: string;
+ observedDisplayName: string;
+ backupIdentityId?: string;
+ firstSeenAt: string;
+ lastSeenAt: string;
+ state:
+ | "active"
+ | "soft_deleted"
+ | "restored_requires_reconnect"
+ | "permanently_deleted"
+ | "name_reused_different_identity";
+};
+```
+
+Route binding should store both:
+
+```text
+teamNameSnapshot
+messengerTeamIdentityId
+routeGeneration
+```
+
+The runtime delivery adapter can still call existing services by `teamName`, but only after the identity registry confirms that the route still points to the current team folder.
+
+## 2. Lifecycle Hooks Need Command-Side Events
+
+File watcher events are not enough for messenger routes.
+
+Why:
+
+- Soft delete and restore are command intents, not just file changes.
+- Permanent delete removes files before a watcher can read useful context.
+- Connector cleanup must run before or during destructive operations.
+- Renderer-only refresh events cannot protect background delivery.
+
+Required main-process lifecycle port:
+
+```ts
+type MessengerTeamLifecyclePort = {
+ beforeSoftDeleteTeam(input: { teamName: string }): Promise;
+ afterSoftDeleteTeam(input: { teamName: string; deletedAt: string }): Promise;
+ beforeRestoreTeam(input: { teamName: string }): Promise;
+ afterRestoreTeam(input: { teamName: string }): Promise;
+ beforePermanentDeleteTeam(input: { teamName: string; deleteLocalConnectorPlaintext: boolean }): Promise;
+ afterPermanentDeleteTeam(input: { teamName: string }): Promise;
+ afterTeamConfigChanged(input: { teamName: string; previousDisplayName: string; nextDisplayName: string }): Promise;
+};
+```
+
+Top 3 integration points:
+
+1. Call messenger facade directly from team IPC handlers around delete/restore/updateConfig - π― 8 π‘οΈ 9 π§ 6, approx 900-1800 LOC.
+ - Strong command ordering.
+ - Easy to test with mocked facade.
+
+2. Emit richer domain events from `TeamDataService` and subscribe in messenger feature - π― 8 π‘οΈ 9 π§ 7, approx 1200-2500 LOC.
+ - Cleaner long-term.
+ - Wider refactor.
+
+3. Infer lifecycle from file watcher and config scans - π― 5 π‘οΈ 6 π§ 4, approx 600-1200 LOC.
+ - Too late for permanent delete.
+ - Race-prone.
+
+Recommendation:
+
+```text
+Use option 1 first.
+Keep the facade shape compatible with option 2 later.
+```
+
+## 3. Member Identity Gap
+
+Team members are also name-keyed.
+
+Risk:
+
+```text
+1. Telegram bot sends a teammate message from "Alex".
+2. User replies to that bot message later.
+3. Meanwhile "Alex" was removed and a different member with same name was added.
+4. Reply may route to the wrong teammate unless the message link stores member generation.
+```
+
+Minimum route target identity:
+
+```ts
+type MessengerRouteTarget =
+ | { kind: "lead"; teamIdentityId: string; leadSessionId?: string | null }
+ | {
+ kind: "teammate";
+ teamIdentityId: string;
+ memberNameSnapshot: string;
+ memberAgentIdSnapshot?: string;
+ memberRouteGeneration: number;
+ };
+```
+
+Top 3 member identity strategies:
+
+1. Use `agentId` when present, otherwise member name plus `memberRouteGeneration` - π― 8 π‘οΈ 8 π§ 5, approx 700-1500 LOC.
+ - Fits current data.
+ - Avoids blocking MVP on member schema migration.
+
+2. Add stable `memberId` to every member and migrate roster stores - π― 7 π‘οΈ 9 π§ 8, approx 1800-4000 LOC.
+ - Best long-term.
+ - Larger blast radius.
+
+3. Use member display name only - π― 5 π‘οΈ 5 π§ 2, approx 200-600 LOC.
+ - Too weak for delayed Telegram replies.
+
+Recommendation:
+
+```text
+Use option 1 in MVP.
+Store target snapshots in every ProviderMessageLink.
+```
+
+## 4. ProviderMessageLink Must Be A Contract, Not Cache
+
+The link is the most important durable object in the feature.
+
+Recommended shape:
+
+```ts
+type ProviderMessageLink = {
+ linkId: string;
+ provider: "telegram";
+ accountBindingId: string;
+ routeId: string;
+ routeGeneration: number;
+ providerChatId: string;
+ providerThreadId: string | null;
+ providerMessageId: string;
+ internalMessageId: string;
+ internalMessageKind:
+ | "messenger_inbound"
+ | "lead_reply"
+ | "teammate_reply"
+ | "system_notice"
+ | "topic_probe";
+ origin:
+ | "provider_user"
+ | "team_lead"
+ | "team_teammate"
+ | "connector_system";
+ target: MessengerRouteTarget;
+ createdAt: string;
+ expiresAt?: string;
+};
+```
+
+Rules:
+
+- Never trim links only because UI messages were trimmed.
+- Links for route targets should outlive `sentMessages.json`.
+- Links for topic probes can have short TTL.
+- Links from tombstoned routes should remain as tombstones long enough to block stale replies.
+
+## 5. Reply Routing Should Be Two-Phase
+
+Do not immediately turn a Telegram reply into a teammate message.
+
+Phase 1 - resolve anchor:
+
+```text
+reply_to_message.message_id -> ProviderMessageLink
+same chat id?
+same thread id?
+same account binding?
+same route generation?
+link target still valid?
+```
+
+Phase 2 - route message:
+
+```text
+valid teammate target -> teammate inbox
+valid lead target -> lead
+missing/stale target -> lead with context
+tombstoned route -> reject with reconnect notice
+unknown topic -> help flow
+```
+
+Critical rule:
+
+```text
+external_reply must never route to a teammate.
+```
+
+Bot API explicitly distinguishes same-thread `reply_to_message` from `external_reply`, so adapter normalization must preserve that distinction.
+
+## 6. Privacy Risk Shift
+
+After the no-plaintext-queue decision, the main privacy risk is not storage. It is accidental logging and diagnostic capture.
+
+High-risk payloads:
+
+```text
+Telegram update JSON
+callback_query data if it embeds route ids
+Bot API error description if request URL/token leaks through HTTP client
+message text in failed sends
+team display names in topic titles
+member names in projected message prefixes
+```
+
+Top 3 diagnostic strategies:
+
+1. Feature-owned sanitized diagnostic DTOs plus tests - π― 9 π‘οΈ 9 π§ 5, approx 700-1500 LOC.
+2. Generic logger wrapper only - π― 6 π‘οΈ 6 π§ 4, approx 400-900 LOC.
+3. Rely on "do not log raw errors" convention - π― 3 π‘οΈ 3 π§ 1, 0 LOC.
+
+Recommendation:
+
+```text
+Use option 1.
+Also add Sentry beforeSend scrubbing as defense in depth.
+```
+
+## 7. Current Lowest-Confidence Map
+
+1. Cross-client Telegram private topic UX - π― 5 π‘οΈ 8 π§ 6.
+ - Requires live probe.
+ - Design is resilient because of account-level confirmation and fallback.
+
+2. Stable local team identity for external routes - π― 6 π‘οΈ 8 π§ 6.
+ - Current app is name-keyed.
+ - Needs a messenger-owned identity registry before route activation.
+
+3. Member identity for delayed teammate replies - π― 6 π‘οΈ 8 π§ 6.
+ - Current member names can be reused.
+ - Store `agentId` and member generation snapshots.
+
+4. Lifecycle ordering on permanent delete - π― 7 π‘οΈ 9 π§ 6.
+ - Policy is clear.
+ - Needs command-side hook, not watcher inference.
+
+5. Outbound ambiguous Telegram sends - π― 7 π‘οΈ 9 π§ 6.
+ - Technical state is clear: `acceptance_unknown`.
+ - UX still needs concise wording.
+
+6. Flat menu fallback correctness - π― 8 π‘οΈ 8 π§ 6.
+ - Good fallback.
+ - Needs strict selection lease tests to avoid wrong-team delivery.
+
+## 8. Revised Next Slice
+
+Before building UI, implement/test these core pieces:
+
+1. Messenger identity registry and route generation policy - π― 9 π‘οΈ 9 π§ 6, approx 1000-2200 LOC.
+2. ProviderMessageLink repository and reply route resolver - π― 9 π‘οΈ 9 π§ 6, approx 1200-2600 LOC.
+3. Team lifecycle facade hooks around delete/restore/permanent delete/updateConfig - π― 8 π‘οΈ 9 π§ 6, approx 900-1800 LOC.
+4. Telegram topic live probe fixtures - π― 9 π‘οΈ 9 π§ 5, approx 700-1500 LOC.
+
+This is the point where the design becomes robust against the bugs most likely to happen months later, not only during the happy-path onboarding demo.
diff --git a/docs/research/messenger-connectors-uncertainty-pass-28.md b/docs/research/messenger-connectors-uncertainty-pass-28.md
new file mode 100644
index 00000000..64cc363f
--- /dev/null
+++ b/docs/research/messenger-connectors-uncertainty-pass-28.md
@@ -0,0 +1,528 @@
+# Messenger Connectors - Uncertainty Pass 28
+
+Date: 2026-04-28
+Scope: internal delivery, reply capture, projection correctness, and loop prevention
+Context source: local code in `src/main/services/team`, `src/main/ipc/teams.ts`, `src/renderer/utils/teamMessageFiltering.ts`
+
+## Executive Delta
+
+The next weakest area is the internal app boundary:
+
+```text
+Telegram inbound -> durable local turn -> lead/teammate runtime -> user-visible reply -> Telegram outbound
+```
+
+The current app has several strong pieces, especially OpenCode prompt delivery ledgers, but the existing UI send path and lead inbox relay are not safe enough to reuse directly as the messenger protocol.
+
+New conclusion:
+
+```text
+Build a dedicated MessengerInternalTurnLedger and MessengerReplyCollector.
+Do not use renderer message feed or TeamMessageFeedService.feedRevision as the projection authority.
+Do not rely on leadRelayCapture batch semantics for Telegram replies.
+```
+
+## Source Facts Rechecked
+
+Local code facts:
+
+- `TeamDataService.sendMessage()` delegates to the controller and invalidates message feed. It is not a messenger-specific durable state machine.
+- UI direct-to-live-lead path sends stdin first, then persists best-effort through `sendDirectToLead()`.
+- If stdin succeeds but persistence fails, existing UI code intentionally does not fall back to inbox because that would duplicate.
+- `sendDirectToLead()` appends a `user_sent` message and returns `deliveredViaStdin: true`.
+- Offline lead or teammate path writes to inbox files through `TeamInboxWriter`, which uses file locks and verifies the write.
+- `relayLeadInboxMessages()` is batch-oriented, can relay up to 10 unread messages, and has an in-memory `leadRelayCapture` with a 15 second timeout.
+- `relayLeadInboxMessages()` is built for lead inbox maintenance, not for exact provider-message correlation.
+- `sentMessages.json` is capped at 200 messages.
+- `TeamMessageFeedService` merges inbox, lead session messages, and sent messages. It dedupes, attaches session ids, links passive summaries, caches for 5 seconds and emits a `feedRevision`.
+- Renderer `filterTeamMessages()` hides task comment notifications, noise, relay duplicates and other UI-only details.
+- OpenCode prompt delivery already has a stronger model: ledger, response states, visible reply proof via `relayOfMessageId`, acceptance unknown and retry policy.
+
+Telegram facts already relevant:
+
+- Telegram update ids support deduping inbound updates.
+- Telegram outbound `sendMessage` has no client-supplied idempotency key.
+- Telegram `reply_to_message` is same chat and same thread; `external_reply` can cross chat/topic and must not drive teammate routing.
+
+Sources:
+
+- https://core.telegram.org/bots/api
+- https://core.telegram.org/method/messages.sendMessage
+
+## 1. Existing UI Send Path Is Not The Messenger Delivery Protocol
+
+The UI path is optimized for responsiveness:
+
+```text
+alive lead:
+ send stdin
+ persist user_sent best-effort
+
+offline lead or teammate:
+ write inbox
+ maybe relay later
+```
+
+For Telegram this is too weak because the provider side needs durable causality.
+
+Danger scenario:
+
+```text
+1. Telegram update arrives.
+2. Desktop sends to live lead stdin.
+3. App crashes before persisting internal message/link.
+4. Lead may answer, but connector cannot prove which Telegram message it answered.
+```
+
+Top 3 internal delivery options:
+
+1. Dedicated `MessengerInternalTurnLedger` with durable inbound-before-runtime and runtime ambiguity states - π― 9 π‘οΈ 9 π§ 7, approx 2000-4200 LOC.
+ - Correct for provider causality.
+ - Can reuse `TeamInboxWriter`, `TeamSentMessagesStore`, and OpenCode ledger ideas.
+ - More code, but isolates messenger invariants.
+
+2. Reuse existing `handleSendMessage`/`TeamDataService.sendMessage` and add source metadata - π― 5 π‘οΈ 5 π§ 3, approx 500-1200 LOC.
+ - Fast demo.
+ - Does not solve stdin-first persistence gap.
+ - Hard to prove reply correlation.
+
+3. Reuse `relayLeadInboxMessages()` as the main Telegram delivery path - π― 4 π‘οΈ 5 π§ 4, approx 600-1400 LOC.
+ - Has some capture behavior.
+ - Batch semantics are wrong for one Telegram turn.
+ - In-memory capture is not enough.
+
+Recommendation:
+
+```text
+Use option 1.
+Treat existing send paths as adapters, not as the messenger protocol.
+```
+
+## 2. Internal Runtime Delivery Also Has An Ambiguous Boundary
+
+Earlier we identified Telegram outbound ambiguity. The same class of bug exists inside the app:
+
+```text
+persist send_in_flight
+write prompt to live lead stdin
+process/app crashes before marking runtime_delivered
+```
+
+After restart, the app cannot know whether the lead received the stdin prompt.
+
+So the internal delivery ledger needs:
+
+```ts
+type MessengerInternalDeliveryStatus =
+ | "accepted_local"
+ | "internal_message_persisted"
+ | "runtime_send_pending"
+ | "runtime_send_in_flight"
+ | "runtime_delivered"
+ | "runtime_acceptance_unknown"
+ | "saved_for_later"
+ | "failed_terminal";
+```
+
+Policy:
+
+- If the crash happens before runtime boundary, retry is safe.
+- If the crash happens after entering `runtime_send_in_flight`, automatic retry is not always safe.
+- Use deterministic `internalMessageId` and idempotency instructions, but do not pretend they are a hard exactly-once guarantee.
+- For live lead stdin, stale `runtime_send_in_flight` should become `runtime_acceptance_unknown`, not automatic resend.
+- For durable inbox file delivery before runtime relay, retry is safer because the inbox row has a deterministic message id.
+
+Top 3 policies:
+
+1. Mark stale live-runtime in-flight as `runtime_acceptance_unknown` and require user/recovery action - π― 8 π‘οΈ 9 π§ 6, approx 900-1800 LOC.
+ - Safest.
+ - Rare ambiguity can be surfaced in the connector UI.
+
+2. Auto-retry live-runtime in-flight with same `MessageId` and "do not duplicate" prompt - π― 6 π‘οΈ 6 π§ 4, approx 500-1100 LOC.
+ - More convenient.
+ - Can duplicate lead work or answers.
+
+3. Always write to lead inbox and never send direct stdin - π― 7 π‘οΈ 7 π§ 5, approx 800-1600 LOC.
+ - More durable source.
+ - Existing lead relay still ultimately crosses stdin and can duplicate after crash if unread is not marked read.
+
+Recommendation:
+
+```text
+Use option 1 for live lead delivery.
+Use deterministic inbox rows for offline/teammate delivery.
+```
+
+## 3. `user_sent` Source Is Probably Correct, But Needs Origin Ledger
+
+Telegram inbound from the app user is still user-originated. If the lead creates a task from that message, `task_create_from_message` should probably work.
+
+Therefore this is a subtle decision:
+
+```text
+source: "user_sent"
+origin ledger: provider_user / telegram route id / provider message key
+```
+
+Do not rely only on a new `source: "messenger_inbound"` because existing task tools accept `user_sent` as user-originated provenance.
+
+Top 3 source/origin options:
+
+1. Store Telegram inbound as `source: "user_sent"` plus durable `MessengerOriginLink` - π― 8 π‘οΈ 8 π§ 5, approx 700-1500 LOC.
+ - Preserves task provenance behavior.
+ - Projection can skip by origin link, not only source.
+
+2. Add `source: "messenger_inbound"` everywhere - π― 7 π‘οΈ 8 π§ 6, approx 900-2000 LOC.
+ - Clearer connector semantics.
+ - Breaks or complicates task_create_from_message eligibility unless task tools are updated.
+
+3. Use `source: "inbox"` for all messenger inbound - π― 4 π‘οΈ 5 π§ 3, approx 300-900 LOC.
+ - Misrepresents user-originated messages.
+ - Weak provenance for lead instructions and task creation.
+
+Recommendation:
+
+```text
+Use option 1.
+Add connector origin markers outside InboxMessage.source.
+```
+
+Suggested origin link:
+
+```ts
+type MessengerOriginLink = {
+ internalMessageId: string;
+ provider: "telegram";
+ accountBindingId: string;
+ routeId: string;
+ routeGeneration: number;
+ providerMessageKey: string;
+ origin: "provider_user";
+ createdAt: string;
+};
+```
+
+Projection must check this link so user-originated Telegram messages do not echo back to Telegram.
+
+## 4. Lead Reply Capture Needs Single-Turn Semantics
+
+Existing `leadRelayCapture` is useful but not sufficient:
+
+- It is in-memory.
+- It captures plain assistant text for a batch of lead inbox messages.
+- It has no provider message key.
+- It times out after 15 seconds.
+- It is designed around inbox relay, not provider route proof.
+
+Messenger needs a single-turn collector:
+
+```ts
+type MessengerReplyCollector = {
+ begin(input: {
+ internalTurnId: string;
+ teamIdentityId: string;
+ teamName: string;
+ routeId: string;
+ inboundInternalMessageId: string;
+ expectedRecipient: "user";
+ startedAt: string;
+ timeoutMs: number;
+ }): Promise;
+
+ observeInternalMessage(message: InboxMessage): Promise;
+ complete(input: { internalTurnId: string; reason: string }): Promise;
+};
+```
+
+Reply proof order:
+
+```text
+1. SendMessage(to="user", relayOfMessageId=)
+2. SendMessage(to="user") during active collector window
+3. Plain lead text during active collector window, if no SendMessage was captured
+4. No reply, task-only action, or tool-only action
+```
+
+Top 3 reply capture strategies:
+
+1. Dedicated single-turn collector with explicit `relayOfMessageId` preference and plain-text fallback - π― 8 π‘οΈ 8 π§ 7, approx 1500-3200 LOC.
+ - Best UX and correctness balance.
+ - Handles lead natural text.
+ - Needs careful tests around overlapping turns.
+
+2. Require explicit `SendMessage(to=user, relayOfMessageId=...)` for Telegram replies - π― 8 π‘οΈ 9 π§ 5, approx 900-1800 LOC.
+ - Cleaner proof.
+ - Lead may fail to use tool, causing "no answer" despite visible plain text.
+
+3. Poll `TeamMessageFeedService` for any new lead message after inbound timestamp - π― 5 π‘οΈ 5 π§ 4, approx 600-1400 LOC.
+ - Too heuristic.
+ - Can pick unrelated lead thoughts or another user's turn.
+
+Recommendation:
+
+```text
+Use option 1.
+For retries, ask explicitly for SendMessage with relayOfMessageId.
+```
+
+## 5. Overlapping Telegram Turns Need A Per-Team Queue
+
+If two Telegram messages arrive quickly in the same topic, a natural lead reply can be ambiguous.
+
+Top 3 concurrency models:
+
+1. Per-route serial queue for lead-directed Telegram turns - π― 8 π‘οΈ 9 π§ 6, approx 900-1800 LOC.
+ - Prevents plain-text reply ambiguity.
+ - Simple mental model.
+ - May delay bursts.
+
+2. Allow parallel turns but require explicit `relayOfMessageId` for reply correlation - π― 7 π‘οΈ 8 π§ 7, approx 1300-2800 LOC.
+ - More throughput.
+ - More pressure on lead/tool behavior.
+
+3. Free parallel processing and timestamp heuristics - π― 4 π‘οΈ 4 π§ 4, approx 500-1200 LOC.
+ - Will misroute under load.
+
+Recommendation:
+
+```text
+Use option 1 for lead-directed turns in MVP.
+Teammate replies can be parallel only when each target runtime has explicit delivery ledger support.
+```
+
+Queue key:
+
+```text
+provider + accountBindingId + routeId + routeGeneration + targetKind
+```
+
+For targetKind:
+
+```text
+lead
+teammate:
+```
+
+## 6. Projection Must Not Use UI Feed As Authority
+
+`TeamMessageFeedService` is a normalized UI feed. It is useful for rendering, but not authoritative for external delivery.
+
+Reasons:
+
+- It merges different stores.
+- It dedupes and prefers one copy.
+- It has a 5 second cache.
+- It attaches session ids heuristically.
+- It computes `feedRevision` from normalized content.
+- Renderer filtering hides messages for UI reasons.
+- `sentMessages.json` trims to 200 messages.
+
+Projection to Telegram should use:
+
+```text
+durable raw sources
+ProviderMessageLink
+MessengerOriginLink
+MessengerProjectionLedger
+Team lifecycle/identity registry
+```
+
+Projection source adapters:
+
+```ts
+type MessengerProjectionSource =
+ | { kind: "sent_messages"; teamName: string; message: InboxMessage }
+ | { kind: "user_inbox"; teamName: string; message: InboxMessage }
+ | { kind: "runtime_delivery"; teamName: string; message: InboxMessage; journalId?: string };
+```
+
+Projection eligibility:
+
+```text
+project:
+ lead/team member message to user
+ teammate runtime delivery to user
+ explicit SendMessage(to=user)
+
+skip:
+ user_sent
+ provider-originated MessengerOriginLink
+ task_comment_notification
+ slash_command_result unless explicitly user-visible
+ lead thoughts with no to=user unless captured by active MessengerReplyCollector
+ relay duplicates with relayOfMessageId already projected
+ cross_team_sent unless the user asked to mirror cross-team flows later
+```
+
+## 7. Teammate-To-User Projection Is Real But Needs Better Attribution
+
+The user wanted messages from teammates to show in Telegram too. This is real, but attribution is tricky.
+
+Observed paths:
+
+- Teammate replies can land in `inboxes/user.json`.
+- OpenCode runtime delivery can write user-directed messages into `sentMessages.json` with `from: envelope.fromMemberName`, `to: "user"`, `source: "lead_process"`.
+- Source alone is not enough to distinguish lead vs teammate.
+
+Projection attribution should use:
+
+```text
+message.from
+team roster
+lead name
+runtime delivery journal if present
+ProviderMessageLink target
+memberRouteGeneration
+```
+
+Display prefix policy:
+
+```text
+Lead:
+ "Lead: "
+
+Teammate:
+ ": "
+
+Unknown member:
+ "Team: "
+ attach internal diagnostics only, not visible warning
+```
+
+Do not create separate Telegram topics per teammate in MVP. One team topic with author prefix is still the right model.
+
+## 8. Loop Prevention Needs Two Ledgers
+
+One ledger is not enough.
+
+Needed:
+
+```text
+MessengerOriginLink:
+ provider -> internal message
+ prevents echoing provider-originated user messages back to provider
+
+MessengerProjectionLedger:
+ internal message -> provider outbox
+ prevents sending the same internal reply multiple times
+```
+
+Projection ledger shape:
+
+```ts
+type MessengerProjectionRecord = {
+ projectionId: string;
+ internalMessageId: string;
+ routeId: string;
+ routeGeneration: number;
+ provider: "telegram";
+ status:
+ | "eligible"
+ | "skipped"
+ | "outbox_enqueued"
+ | "sent"
+ | "acceptance_unknown"
+ | "failed_terminal";
+ skipReason?: string;
+ providerMessageKey?: string;
+ createdAt: string;
+ updatedAt: string;
+};
+```
+
+Critical invariant:
+
+```text
+One internal message id can map to at most one provider outbox item per routeGeneration.
+```
+
+If the same message appears through live cache and durable file, the projection id must remain the same.
+
+## 9. Attachment And Media Should Be A Later Slice
+
+This is still lower confidence and should not block text MVP.
+
+Top 3 media strategies:
+
+1. Text-first MVP, summarize unsupported attachments with local notice - π― 9 π‘οΈ 8 π§ 3, approx 300-800 LOC.
+ - Avoids provider file privacy and download complexity.
+
+2. Telegram inbound file download into local attachment store - π― 7 π‘οΈ 7 π§ 7, approx 1800-3600 LOC.
+ - Useful.
+ - Needs size limits, retention, malware-safe handling, and privacy copy.
+
+3. Full bidirectional media sync in MVP - π― 5 π‘οΈ 6 π§ 9, approx 3500-7000 LOC.
+ - Too much scope.
+
+Recommendation:
+
+```text
+Use option 1 for MVP.
+Design ports so media can be added later.
+```
+
+## 10. Revised Internal Architecture Additions
+
+Add these core/application concepts:
+
+```text
+MessengerInternalTurnLedger
+MessengerInternalDeliveryPolicy
+MessengerRuntimeAcceptancePolicy
+MessengerReplyCollector
+MessengerProjectionLedger
+MessengerProjectionSourceReader
+MessengerProjectionPolicy
+MessengerLoopPreventionPolicy
+MessengerRouteQueue
+```
+
+Use existing local patterns:
+
+- OpenCode prompt delivery ledger is the closest reference for delivery state.
+- Runtime delivery journal is the closest reference for destination verification.
+- `VersionedJsonStore` remains the recommended store mechanism.
+- `TeamInboxWriter` is safe as an adapter for inbox persistence.
+
+Do not reuse directly:
+
+- `leadRelayCapture` as the main messenger reply collector.
+- renderer `filterTeamMessages()` as projection policy.
+- `feedRevision` as outbox cursor.
+- `sentMessages.json` as long-term message link storage.
+
+## 11. Current Lowest-Confidence Map
+
+1. Cross-client Telegram topic UX - π― 5 π‘οΈ 8 π§ 6.
+ - Still needs live probe.
+ - Now isolated by capability proof and fallback.
+
+2. Live lead stdin acceptance ambiguity - π― 6 π‘οΈ 8 π§ 7.
+ - Newly elevated risk.
+ - Needs `runtime_acceptance_unknown` just like Telegram outbound.
+
+3. Plain lead reply correlation - π― 6 π‘οΈ 8 π§ 7.
+ - Existing app supports visible lead text, but provider correlation needs single-turn collector.
+
+4. Projection correctness for teammate-to-user messages - π― 7 π‘οΈ 8 π§ 7.
+ - Feasible.
+ - Needs durable source reader and attribution policy.
+
+5. Stable team/member identity - π― 6 π‘οΈ 8 π§ 6.
+ - Pass 27 recommendation still stands.
+
+6. Outbound Telegram `acceptance_unknown` UX - π― 7 π‘οΈ 9 π§ 6.
+ - Technical state is clear.
+ - UI wording still needs product work.
+
+## 12. Revised Next Slice
+
+Before UI, implement/test in this order:
+
+1. Internal turn ledger and per-route queue - π― 9 π‘οΈ 9 π§ 7, approx 1800-3600 LOC.
+2. Reply collector with explicit `relayOfMessageId` and plain-text fallback - π― 8 π‘οΈ 8 π§ 7, approx 1500-3200 LOC.
+3. Projection source reader and projection ledger - π― 9 π‘οΈ 9 π§ 6, approx 1500-3000 LOC.
+4. Team/member identity registry from pass 27 - π― 9 π‘οΈ 9 π§ 6, approx 1000-2200 LOC.
+5. Telegram topic live probe - π― 9 π‘οΈ 9 π§ 5, approx 700-1500 LOC.
+
+This gives us a feature that can survive crashes and delayed replies before any polished setup wizard exists.
diff --git a/eslint.config.js b/eslint.config.js
index e207d1da..1fe2a49c 100644
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -459,6 +459,35 @@ export default defineConfig([
},
},
+ {
+ name: 'electron-main-safe-renderer-send-guard',
+ files: ['src/main/**/*.ts'],
+ ignores: ['src/main/utils/safeWebContentsSend.ts'],
+ rules: {
+ 'no-restricted-syntax': [
+ 'error',
+ {
+ selector:
+ "CallExpression[callee.type='MemberExpression'][callee.property.name='send'][callee.object.type='MemberExpression'][callee.object.property.name='webContents']",
+ message:
+ 'Use safeSendToRenderer(...) instead of direct webContents.send(...) in the main process.',
+ },
+ {
+ selector:
+ "CallExpression[callee.type='MemberExpression'][callee.property.name='send'][callee.object.type='MemberExpression'][callee.object.property.name='sender']",
+ message:
+ 'Use safeSendToRenderer(BrowserWindow.fromWebContents(event.sender), ...) instead of direct event.sender.send(...) in the main process.',
+ },
+ {
+ selector:
+ "CallExpression[callee.type='MemberExpression'][callee.property.name='send'][callee.object.name='contents']",
+ message:
+ 'Use safeSendToRenderer(...) instead of aliasing webContents and calling contents.send(...) in the main process.',
+ },
+ ],
+ },
+ },
+
{
name: 'team-transcript-project-resolver-sonar-override',
files: ['src/main/services/team/TeamTranscriptProjectResolver.ts'],
diff --git a/mcp-server/src/agent-teams-controller.d.ts b/mcp-server/src/agent-teams-controller.d.ts
index 9382d425..011c692f 100644
--- a/mcp-server/src/agent-teams-controller.d.ts
+++ b/mcp-server/src/agent-teams-controller.d.ts
@@ -2,6 +2,7 @@ declare module 'agent-teams-controller' {
export interface ControllerContextOptions {
teamName: string;
claudeDir?: string;
+ allowUserMessageSender?: boolean;
}
export interface ControllerTaskApi {
diff --git a/mcp-server/src/controller.ts b/mcp-server/src/controller.ts
index cbe3e96c..72c8d6b4 100644
--- a/mcp-server/src/controller.ts
+++ b/mcp-server/src/controller.ts
@@ -23,5 +23,6 @@ export function getController(teamName: string, claudeDir?: string) {
return createController({
teamName,
...(resolvedClaudeDir ? { claudeDir: resolvedClaudeDir } : {}),
+ allowUserMessageSender: false,
});
}
diff --git a/mcp-server/src/tools/messageTools.ts b/mcp-server/src/tools/messageTools.ts
index 3982bb6f..2c63b023 100644
--- a/mcp-server/src/tools/messageTools.ts
+++ b/mcp-server/src/tools/messageTools.ts
@@ -14,12 +14,12 @@ export function registerMessageTools(server: Pick) {
server.addTool({
name: 'message_send',
description:
- 'Send a visible team/user message into team inbox. OpenCode teammates should use this for normal replies to the human user, lead, or same-team teammates. When replying to an app-delivered OpenCode runtime message, include source="runtime_delivery" and relayOfMessageId with the inbound app messageId. When to is "user", from is required and must be your configured teammate name. Do not invent placeholder task refs. If the message is not about a real board task, omit # task labels; never use #00000000.',
+ 'Send a visible team/user message into team inbox. OpenCode teammates should use this for normal replies to the human user, lead, or same-team teammates. from is required and must be your configured teammate name; user is reserved for app-owned writes. When replying to an app-delivered OpenCode runtime message, include source="runtime_delivery" and relayOfMessageId with the inbound app messageId. Do not invent placeholder task refs. If the message is not about a real board task, omit # task labels; never use #00000000.',
parameters: z.object({
...toolContextSchema,
to: z.string().min(1),
text: z.string().min(1),
- from: z.string().optional(),
+ from: z.string().min(1),
summary: z.string().optional(),
source: z.string().optional(),
relayOfMessageId: z.string().optional(),
diff --git a/mcp-server/src/tools/taskTools.ts b/mcp-server/src/tools/taskTools.ts
index 0785923d..675117f1 100644
--- a/mcp-server/src/tools/taskTools.ts
+++ b/mcp-server/src/tools/taskTools.ts
@@ -436,12 +436,13 @@ export function registerTaskTools(server: Pick) {
server.addTool({
name: 'task_add_comment',
- description: 'Add task comment',
+ description:
+ 'Add task comment. from is required and must be your configured teammate name; user/system are reserved for app-owned writes.',
parameters: z.object({
...toolContextSchema,
taskId: z.string().min(1),
text: z.string().min(1),
- from: z.string().optional(),
+ from: z.string().min(1),
}),
execute: async ({ teamName, claudeDir, taskId, text, from }) => {
assertConfiguredTeam(teamName, claudeDir);
diff --git a/mcp-server/test/tools.test.ts b/mcp-server/test/tools.test.ts
index fdae26fd..26a16407 100644
--- a/mcp-server/test/tools.test.ts
+++ b/mcp-server/test/tools.test.ts
@@ -1353,6 +1353,7 @@ describe('agent-teams-mcp tools', () => {
members: [
{ name: 'lead', role: 'team-lead' },
{ name: 'alice', role: 'developer' },
+ { name: 'bob', role: 'reviewer' },
],
});
diff --git a/package.json b/package.json
index c8ec837c..ffb89ac9 100644
--- a/package.json
+++ b/package.json
@@ -25,7 +25,7 @@
"opencode:prove-team-provisioning": "node ./scripts/prove-opencode-team-provisioning.mjs",
"team:prove-launch-matrix": "pnpm exec vitest run --maxWorkers 1 --minWorkers 1 test/main/services/team/TeamAgentLaunchMatrix.safe-e2e.test.ts",
"prebuild": "tsx scripts/fetch-pricing-data.ts && pnpm --filter agent-teams-controller build && pnpm --filter agent-teams-mcp build",
- "build": "electron-vite build",
+ "build": "node --max-old-space-size=8192 ./node_modules/electron-vite/bin/electron-vite.js build",
"dist": "electron-builder --mac --win --linux",
"dist:mac": "electron-builder --mac",
"dist:mac:arm64": "electron-builder --mac --arm64",
diff --git a/packages/agent-graph/src/canvas/draw-agents.ts b/packages/agent-graph/src/canvas/draw-agents.ts
index e530b971..a14dbcd2 100644
--- a/packages/agent-graph/src/canvas/draw-agents.ts
+++ b/packages/agent-graph/src/canvas/draw-agents.ts
@@ -14,7 +14,7 @@ import {
MIN_VISIBLE_OPACITY,
} from '../constants/canvas-constants';
import { drawHexagon } from './draw-misc';
-import { getAgentGlowSprite, ensureHex, hexWithAlpha } from './render-cache';
+import { getAgentGlowSprite, hexWithAlpha } from './render-cache';
/**
* Draw all member/lead nodes on the canvas.
@@ -128,7 +128,6 @@ export function drawAgents(
y,
r,
labelText,
- color,
node.runtimeLabel,
node.launchStatusLabel,
node.launchVisualState
@@ -655,7 +654,7 @@ function drawAvatar(
isLead: boolean,
avatarUrl?: string
): void {
- const avatarR = r * 0.6;
+ const avatarR = r * AGENT_DRAW.avatarRadiusScale;
// Try to draw avatar image
if (avatarUrl) {
@@ -688,17 +687,15 @@ function drawLabel(
y: number,
r: number,
label: string,
- color: string,
runtimeLabel?: string,
launchStatusLabel?: string,
launchVisualState?: GraphNode['launchVisualState']
): void {
const labelY = y + r + AGENT_DRAW.labelYOffset;
- ctx.font = '9px monospace';
+ ctx.font = 'bold 10px monospace';
ctx.textAlign = 'center';
ctx.textBaseline = 'top';
- ctx.fillStyle = color;
- ctx.fillText(label, x, labelY);
+ drawLabelText(ctx, label, x, labelY, '#e8f8ff', 12);
const trimmedRuntimeLabel = runtimeLabel?.trim();
const trimmedLaunchStatusLabel = launchStatusLabel?.trim();
@@ -706,21 +703,68 @@ function drawLabel(
return;
}
- let nextLineY = labelY + 10;
+ let nextLineY = labelY + 11;
if (trimmedRuntimeLabel) {
ctx.font = '8px monospace';
- ctx.fillStyle = hexWithAlpha(ensureHex(color), 0.72);
- ctx.fillText(truncateSubLabel(ctx, trimmedRuntimeLabel, r), x, nextLineY);
+ drawLabelText(ctx, truncateSubLabel(ctx, trimmedRuntimeLabel, r), x, nextLineY, '#b9d7f2', 10);
nextLineY += 10;
}
if (trimmedLaunchStatusLabel) {
ctx.font = '7px monospace';
- ctx.fillStyle = getLaunchStatusColor(launchVisualState);
- ctx.fillText(truncateSubLabel(ctx, trimmedLaunchStatusLabel, r), x, nextLineY);
+ drawLabelText(
+ ctx,
+ truncateSubLabel(ctx, trimmedLaunchStatusLabel, r),
+ x,
+ nextLineY,
+ getLaunchStatusColor(launchVisualState),
+ 9
+ );
}
}
+function drawLabelText(
+ ctx: CanvasRenderingContext2D,
+ text: string,
+ x: number,
+ y: number,
+ fillStyle: string,
+ lineHeight: number
+): void {
+ const textWidth = ctx.measureText(text).width;
+ const paddingX = 5;
+ const paddingY = 1.5;
+
+ ctx.save();
+ ctx.globalAlpha = Math.max(ctx.globalAlpha, 0.88);
+ ctx.beginPath();
+ ctx.roundRect(
+ x - textWidth / 2 - paddingX,
+ y - paddingY,
+ textWidth + paddingX * 2,
+ lineHeight,
+ 4
+ );
+ ctx.fillStyle = 'rgba(2, 6, 23, 0.78)';
+ ctx.fill();
+ ctx.strokeStyle = 'rgba(148, 213, 255, 0.18)';
+ ctx.lineWidth = 1;
+ ctx.stroke();
+
+ ctx.fillStyle = fillStyle;
+ drawTextWithHalo(ctx, text, x, y);
+ ctx.restore();
+}
+
+function drawTextWithHalo(ctx: CanvasRenderingContext2D, text: string, x: number, y: number): void {
+ ctx.save();
+ ctx.lineWidth = 4;
+ ctx.strokeStyle = 'rgba(0, 0, 0, 0.96)';
+ ctx.strokeText(text, x, y);
+ ctx.restore();
+ ctx.fillText(text, x, y);
+}
+
function truncateSubLabel(ctx: CanvasRenderingContext2D, label: string, r: number): string {
const maxWidth = Math.max(132, r * AGENT_DRAW.labelWidthMultiplier * 2);
if (ctx.measureText(label).width <= maxWidth) return label;
diff --git a/packages/agent-graph/src/constants/canvas-constants.ts b/packages/agent-graph/src/constants/canvas-constants.ts
index 30f6363f..90c576a7 100644
--- a/packages/agent-graph/src/constants/canvas-constants.ts
+++ b/packages/agent-graph/src/constants/canvas-constants.ts
@@ -58,9 +58,9 @@ export const FORCE = {
export const NODE = {
/** Lead agent radius */
- radiusLead: 32,
+ radiusLead: 38,
/** Team member radius */
- radiusMember: 24,
+ radiusMember: 30,
/** Process node radius */
radiusProcess: 14,
/** Cross-team ghost node radius */
@@ -110,6 +110,7 @@ export const AGENT_DRAW = {
sparkScale: 0.45,
sparkViewBox: 256,
subIconScale: 0.45,
+ avatarRadiusScale: 0.74,
} as const;
// βββ Context ring (lead node only) βββββββββββββββββββββββββββββββββββββββββ
diff --git a/runtime.lock.json b/runtime.lock.json
index e1bc58d2..11995845 100644
--- a/runtime.lock.json
+++ b/runtime.lock.json
@@ -1,27 +1,27 @@
{
- "version": "0.0.10",
- "sourceRef": "v0.0.10",
+ "version": "0.0.12",
+ "sourceRef": "v0.0.12",
"sourceRepository": "777genius/agent_teams_orchestrator",
"releaseRepository": "777genius/claude_agent_teams_ui",
"releaseTag": "v1.2.0",
"assets": {
"darwin-arm64": {
- "file": "agent-teams-runtime-darwin-arm64-v0.0.10.tar.gz",
+ "file": "agent-teams-runtime-darwin-arm64-v0.0.12.tar.gz",
"archiveKind": "tar.gz",
"binaryName": "claude-multimodel"
},
"darwin-x64": {
- "file": "agent-teams-runtime-darwin-x64-v0.0.10.tar.gz",
+ "file": "agent-teams-runtime-darwin-x64-v0.0.12.tar.gz",
"archiveKind": "tar.gz",
"binaryName": "claude-multimodel"
},
"linux-x64": {
- "file": "agent-teams-runtime-linux-x64-v0.0.10.tar.gz",
+ "file": "agent-teams-runtime-linux-x64-v0.0.12.tar.gz",
"archiveKind": "tar.gz",
"binaryName": "claude-multimodel"
},
"win32-x64": {
- "file": "agent-teams-runtime-win32-x64-v0.0.10.zip",
+ "file": "agent-teams-runtime-win32-x64-v0.0.12.zip",
"archiveKind": "zip",
"binaryName": "claude-multimodel.exe"
}
diff --git a/src/features/agent-graph/renderer/adapters/TeamGraphAdapter.ts b/src/features/agent-graph/renderer/adapters/TeamGraphAdapter.ts
index 8c19acca..eefda424 100644
--- a/src/features/agent-graph/renderer/adapters/TeamGraphAdapter.ts
+++ b/src/features/agent-graph/renderer/adapters/TeamGraphAdapter.ts
@@ -415,6 +415,7 @@ export class TeamGraphAdapter {
): void {
const percent = leadContext?.contextUsedPercent;
const leadMember = data.members.find((member) => member.name === leadName);
+ const isTeamVisualOnline = data.isAlive || isTeamProvisioning;
const activeTool = TeamGraphAdapter.#selectVisibleTool(
activeTools?.[leadName],
finishedVisible?.[leadName]
@@ -437,7 +438,7 @@ export class TeamGraphAdapter {
})
: null;
const leadState =
- leadActivity === 'offline'
+ !isTeamVisualOnline || leadActivity === 'offline'
? 'terminated'
: leadActivity === 'idle'
? 'idle'
@@ -445,7 +446,7 @@ export class TeamGraphAdapter {
? 'tool_calling'
: 'active';
const leadException =
- leadActivity === 'offline'
+ !isTeamVisualOnline || leadActivity === 'offline'
? { exceptionTone: 'error' as const, exceptionLabel: 'offline' }
: pendingApproval
? { exceptionTone: 'warning' as const, exceptionLabel: 'awaiting approval' }
@@ -455,7 +456,7 @@ export class TeamGraphAdapter {
kind: 'lead',
label: data.config.name || teamName,
state: leadState,
- color: data.config.color ?? undefined,
+ color: isTeamVisualOnline ? (data.config.color ?? undefined) : undefined,
runtimeLabel: TeamGraphAdapter.#getRuntimeLabel(
leadMember?.providerId,
leadMember?.model,
@@ -465,8 +466,8 @@ export class TeamGraphAdapter {
launchStatusLabel: leadLaunchPresentation?.launchStatusLabel ?? undefined,
contextUsage: percent != null ? Math.max(0, Math.min(1, percent / 100)) : undefined,
avatarUrl: leadMember
- ? resolveMemberAvatarUrl(leadMember, avatarMap, 64)
- : agentAvatarUrl(leadName, 64),
+ ? resolveMemberAvatarUrl(leadMember, avatarMap, 96)
+ : agentAvatarUrl(leadName, 96),
pendingApproval,
activeTool: activeTool
? {
@@ -516,6 +517,7 @@ export class TeamGraphAdapter {
if (member.removedAt) continue;
if (isLeadMember(member)) continue;
+ const isTeamVisualOnline = data.isAlive || isTeamProvisioning;
const memberId =
memberNodeIdByAlias.get(member.name) ?? buildGraphMemberNodeIdForMember(teamName, member);
const spawn = spawnStatuses?.[member.name];
@@ -546,20 +548,26 @@ export class TeamGraphAdapter {
id: memberId,
kind: 'member',
label: member.name,
- state: hasRunningTool
- ? 'tool_calling'
- : TeamGraphAdapter.#mapMemberStatus(member.status, spawn),
- color: member.color ?? undefined,
+ state: !isTeamVisualOnline
+ ? 'terminated'
+ : hasRunningTool
+ ? 'tool_calling'
+ : TeamGraphAdapter.#mapMemberStatus(member.status, spawn),
+ color: isTeamVisualOnline ? (member.color ?? undefined) : undefined,
role: member.role ?? undefined,
runtimeLabel: TeamGraphAdapter.#getRuntimeLabel(
member.providerId,
member.model,
member.effort
),
- spawnStatus: spawn?.status,
- launchVisualState: launchPresentation.launchVisualState ?? undefined,
- launchStatusLabel: launchPresentation.launchStatusLabel ?? undefined,
- avatarUrl: resolveMemberAvatarUrl(member, avatarMap, 64),
+ spawnStatus: isTeamVisualOnline ? spawn?.status : undefined,
+ launchVisualState: isTeamVisualOnline
+ ? (launchPresentation.launchVisualState ?? undefined)
+ : undefined,
+ launchStatusLabel: isTeamVisualOnline
+ ? (launchPresentation.launchStatusLabel ?? undefined)
+ : undefined,
+ avatarUrl: resolveMemberAvatarUrl(member, avatarMap, 96),
currentTaskId: member.currentTaskId ?? undefined,
currentTaskSubject: member.currentTaskId
? data.tasks.find((t) => t.id === member.currentTaskId)?.subject
diff --git a/src/features/codex-account/contracts/dto.ts b/src/features/codex-account/contracts/dto.ts
index 27e45e94..341ab757 100644
--- a/src/features/codex-account/contracts/dto.ts
+++ b/src/features/codex-account/contracts/dto.ts
@@ -64,6 +64,11 @@ export interface CodexLoginStateDto {
startedAt: string | null;
}
+export interface CodexRuntimeContextDto {
+ binaryPath: string | null;
+ codexHome: string | null;
+}
+
export interface CodexAccountSnapshotDto {
preferredAuthMode: CodexAccountAuthMode;
effectiveAuthMode: CodexAccountEffectiveAuthMode;
@@ -77,6 +82,7 @@ export interface CodexAccountSnapshotDto {
requiresOpenaiAuth: boolean | null;
localAccountArtifactsPresent?: boolean;
localActiveChatgptAccountPresent?: boolean;
+ runtimeContext?: CodexRuntimeContextDto;
login: CodexLoginStateDto;
rateLimits: CodexRateLimitSnapshotDto | null;
updatedAt: string;
diff --git a/src/features/codex-account/main/composition/createCodexAccountFeature.ts b/src/features/codex-account/main/composition/createCodexAccountFeature.ts
index 8e95422a..9e5a54b6 100644
--- a/src/features/codex-account/main/composition/createCodexAccountFeature.ts
+++ b/src/features/codex-account/main/composition/createCodexAccountFeature.ts
@@ -48,6 +48,16 @@ interface CodexLastKnownRateLimits {
observedAt: number;
}
+interface CodexRuntimeContext {
+ binaryPath: string | null;
+ codexHome: string | null;
+}
+
+interface CodexLastKnownRuntimeContext {
+ payload: CodexRuntimeContext;
+ observedAt: number;
+}
+
interface CodexSnapshotRefreshOptions {
includeRateLimits: boolean;
forceRefreshToken: boolean;
@@ -130,6 +140,16 @@ function asRateLimits(
};
}
+function createRuntimeContext(
+ binaryPath: string | null | undefined,
+ codexHome: string | null | undefined
+): CodexRuntimeContext {
+ return {
+ binaryPath: binaryPath?.trim() || null,
+ codexHome: codexHome?.trim() || null,
+ };
+}
+
function getPreferredAuthMode(configManager: {
getConfig: () => {
providerConnections: {
@@ -236,6 +256,7 @@ class CodexAccountFeatureFacadeImpl implements CodexAccountFeatureFacade {
private pendingRefreshOptions: CodexSnapshotRefreshOptions | null = null;
private lastKnownAccount: CodexLastKnownAccount | null = null;
private lastKnownRateLimits: CodexLastKnownRateLimits | null = null;
+ private lastKnownRuntimeContext: CodexLastKnownRuntimeContext | null = null;
private mutationQueue: Promise = Promise.resolve();
private mutationQueueRelease: (() => void) | null = null;
private activeMutationCount = 0;
@@ -372,6 +393,7 @@ class CodexAccountFeatureFacadeImpl implements CodexAccountFeatureFacade {
this.pendingRefreshOptions = null;
this.lastKnownAccount = null;
this.lastKnownRateLimits = null;
+ this.lastKnownRuntimeContext = null;
this.activeMutationCount = 0;
if (this.mutationQueueRelease) {
this.mutationQueueRelease();
@@ -441,6 +463,7 @@ class CodexAccountFeatureFacadeImpl implements CodexAccountFeatureFacade {
let appServerStatusMessage: string | null = null;
let accountPayload = this.lastKnownAccount?.payload ?? null;
let requiresOpenaiAuth: boolean | null = accountPayload?.requiresOpenaiAuth ?? null;
+ let runtimeContext = createRuntimeContext(binaryPath, null);
try {
const accountResult = await this.appServerClient.readAccount({
@@ -448,6 +471,13 @@ class CodexAccountFeatureFacadeImpl implements CodexAccountFeatureFacade {
env,
refreshToken: options?.forceRefreshToken ?? false,
});
+ runtimeContext = createRuntimeContext(binaryPath, accountResult.initialize.codexHome);
+ if (runtimeContext.codexHome) {
+ this.lastKnownRuntimeContext = {
+ payload: runtimeContext,
+ observedAt: now,
+ };
+ }
const canReuseLastKnownManagedAccount =
options?.forceRefreshToken !== true &&
localActiveChatgptAccountPresent &&
@@ -483,6 +513,14 @@ class CodexAccountFeatureFacadeImpl implements CodexAccountFeatureFacade {
accountPayload = this.lastKnownAccount.payload;
requiresOpenaiAuth = this.lastKnownAccount.payload.requiresOpenaiAuth;
}
+
+ if (
+ this.lastKnownRuntimeContext &&
+ now - this.lastKnownRuntimeContext.observedAt <= LAST_KNOWN_GOOD_MANAGED_ACCOUNT_TTL_MS &&
+ this.lastKnownRuntimeContext.payload.binaryPath === binaryPath
+ ) {
+ runtimeContext = this.lastKnownRuntimeContext.payload;
+ }
}
let rateLimits: CodexRateLimitSnapshotDto | null = null;
@@ -542,6 +580,7 @@ class CodexAccountFeatureFacadeImpl implements CodexAccountFeatureFacade {
requiresOpenaiAuth,
localAccountArtifactsPresent,
localActiveChatgptAccountPresent,
+ runtimeContext,
login,
rateLimits,
updatedAt: new Date(now).toISOString(),
diff --git a/src/features/codex-model-catalog/core/domain/__tests__/codexModelCatalogFallback.test.ts b/src/features/codex-model-catalog/core/domain/__tests__/codexModelCatalogFallback.test.ts
new file mode 100644
index 00000000..7867e98d
--- /dev/null
+++ b/src/features/codex-model-catalog/core/domain/__tests__/codexModelCatalogFallback.test.ts
@@ -0,0 +1,12 @@
+import { describe, expect, it } from 'vitest';
+
+import { createStaticCodexModelCatalogModels } from '../codexModelCatalogFallback';
+
+describe('createStaticCodexModelCatalogModels', () => {
+ it('includes GPT-5.5 without changing the default from GPT-5.4', () => {
+ const models = createStaticCodexModelCatalogModels();
+
+ expect(models.map((model) => model.launchModel)).toContain('gpt-5.5');
+ expect(models.find((model) => model.isDefault)?.launchModel).toBe('gpt-5.4');
+ });
+});
diff --git a/src/features/codex-model-catalog/core/domain/codexModelCatalogFallback.ts b/src/features/codex-model-catalog/core/domain/codexModelCatalogFallback.ts
index 5f9c724c..aac4d20c 100644
--- a/src/features/codex-model-catalog/core/domain/codexModelCatalogFallback.ts
+++ b/src/features/codex-model-catalog/core/domain/codexModelCatalogFallback.ts
@@ -36,6 +36,11 @@ export function createStaticCodexModelCatalogModels(): CliProviderModelCatalogIt
badgeLabel: '5.4',
isDefault: true,
}),
+ createFallbackModel({
+ id: 'gpt-5.5',
+ displayName: 'GPT-5.5',
+ badgeLabel: '5.5',
+ }),
createFallbackModel({
id: 'gpt-5.4-mini',
displayName: 'GPT-5.4 Mini',
diff --git a/src/features/recent-projects/main/adapters/output/sources/CodexSessionFileRecentProjectsSourceAdapter.ts b/src/features/recent-projects/main/adapters/output/sources/CodexSessionFileRecentProjectsSourceAdapter.ts
new file mode 100644
index 00000000..7f1b517e
--- /dev/null
+++ b/src/features/recent-projects/main/adapters/output/sources/CodexSessionFileRecentProjectsSourceAdapter.ts
@@ -0,0 +1,287 @@
+import { createReadStream } from 'node:fs';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import readline from 'node:readline';
+
+import { normalizeIdentityPath } from '@features/recent-projects/main/infrastructure/identity/normalizeIdentityPath';
+import { isEphemeralProjectPath } from '@shared/utils/ephemeralProjectPath';
+
+import type { LoggerPort } from '@features/recent-projects/core/application/ports/LoggerPort';
+import type {
+ RecentProjectsSourcePort,
+ RecentProjectsSourceResult,
+} from '@features/recent-projects/core/application/ports/RecentProjectsSourcePort';
+import type { RecentProjectCandidate } from '@features/recent-projects/core/domain/models/RecentProjectCandidate';
+import type { RecentProjectIdentityResolver } from '@features/recent-projects/main/infrastructure/identity/RecentProjectIdentityResolver';
+import type { ServiceContext } from '@main/services';
+
+const CODEX_SESSION_FILE_PARSE_LIMIT = 500;
+const CODEX_PROJECT_CANDIDATE_LIMIT = 40;
+const CODEX_SESSION_FILE_SOURCE_TIMEOUT_MS = 3_500;
+const CODEX_SESSION_FILE_READ_BATCH_SIZE = 24;
+
+interface CodexSessionFileEntry {
+ filePath: string;
+ mtimeMs: number;
+}
+
+interface CodexSessionEvent {
+ timestamp?: unknown;
+ payload?: {
+ cwd?: unknown;
+ source?: unknown;
+ timestamp?: unknown;
+ git?: {
+ branch?: unknown;
+ } | null;
+ };
+}
+
+interface CodexSessionProjectSnapshot {
+ cwd: string;
+ source: unknown;
+ lastActivityAt: number;
+ branchName?: string;
+}
+
+function isInteractiveSource(source: unknown): boolean {
+ return source === 'vscode' || source === 'cli';
+}
+
+function normalizeTimestamp(value: unknown): number {
+ if (typeof value === 'number' && Number.isFinite(value)) {
+ return value < 1_000_000_000_000 ? value * 1000 : value;
+ }
+
+ if (typeof value === 'string' && value.trim()) {
+ const parsed = Date.parse(value);
+ return Number.isNaN(parsed) ? 0 : parsed;
+ }
+
+ return 0;
+}
+
+function getCodexHome(codexHome?: string): string {
+ return codexHome?.trim() || process.env.CODEX_HOME?.trim() || path.join(os.homedir(), '.codex');
+}
+
+async function readFirstLine(filePath: string): Promise {
+ const stream = createReadStream(filePath, { encoding: 'utf8' });
+ const lines = readline.createInterface({
+ input: stream,
+ crlfDelay: Infinity,
+ });
+
+ try {
+ for await (const line of lines) {
+ return line;
+ }
+ return null;
+ } catch {
+ return null;
+ } finally {
+ lines.close();
+ stream.destroy();
+ }
+}
+
+async function listJsonlFiles(root: string, maxDepth: number): Promise {
+ async function walk(directory: string, depth: number): Promise {
+ let entries;
+ try {
+ entries = await fs.readdir(directory, { withFileTypes: true, encoding: 'utf8' });
+ } catch {
+ return [];
+ }
+
+ const files = await Promise.all(
+ entries.map(async (entry): Promise => {
+ const entryPath = path.join(directory, entry.name);
+ if (entry.isDirectory()) {
+ return depth < maxDepth ? walk(entryPath, depth + 1) : [];
+ }
+
+ if (!entry.isFile() || !entry.name.endsWith('.jsonl')) {
+ return [];
+ }
+
+ try {
+ const stats = await fs.stat(entryPath);
+ return [
+ {
+ filePath: entryPath,
+ mtimeMs: stats.mtimeMs,
+ },
+ ];
+ } catch {
+ return [];
+ }
+ })
+ );
+
+ return files.flat();
+ }
+
+ return walk(root, 0);
+}
+
+function parseSessionSnapshot(
+ firstLine: string,
+ mtimeMs: number
+): CodexSessionProjectSnapshot | null {
+ let event: CodexSessionEvent;
+ try {
+ event = JSON.parse(firstLine) as CodexSessionEvent;
+ } catch {
+ return null;
+ }
+
+ const cwd = typeof event.payload?.cwd === 'string' ? event.payload.cwd.trim() : '';
+ if (!cwd || !isInteractiveSource(event.payload?.source) || isEphemeralProjectPath(cwd)) {
+ return null;
+ }
+
+ const timestamp =
+ mtimeMs || normalizeTimestamp(event.payload?.timestamp) || normalizeTimestamp(event.timestamp);
+ const branchName =
+ typeof event.payload?.git?.branch === 'string' ? event.payload.git.branch.trim() : '';
+
+ return {
+ cwd,
+ source: event.payload?.source,
+ lastActivityAt: timestamp,
+ branchName: branchName || undefined,
+ };
+}
+
+export class CodexSessionFileRecentProjectsSourceAdapter implements RecentProjectsSourcePort {
+ readonly sourceId = 'codex-session-files';
+ readonly timeoutMs = CODEX_SESSION_FILE_SOURCE_TIMEOUT_MS;
+ readonly #codexHome: string;
+
+ constructor(
+ private readonly deps: {
+ getActiveContext: () => ServiceContext;
+ getLocalContext: () => ServiceContext | undefined;
+ identityResolver: RecentProjectIdentityResolver;
+ logger: LoggerPort;
+ codexHome?: string;
+ }
+ ) {
+ this.#codexHome = getCodexHome(deps.codexHome);
+ }
+
+ async list(): Promise {
+ const activeContext = this.deps.getActiveContext();
+ const localContext = this.deps.getLocalContext();
+
+ if (activeContext.type !== 'local' || activeContext.id !== localContext?.id) {
+ return {
+ candidates: [],
+ degraded: false,
+ };
+ }
+
+ try {
+ const snapshots = await this.#listRecentSessionSnapshots();
+ const candidates = await Promise.all(
+ snapshots.map((snapshot) => this.#toCandidate(snapshot))
+ );
+
+ const validCandidates = candidates.filter(
+ (candidate): candidate is RecentProjectCandidate => candidate !== null
+ );
+
+ this.deps.logger.info('codex session-file recent-projects source loaded', {
+ count: validCandidates.length,
+ codexHome: this.#codexHome,
+ });
+
+ return {
+ candidates: validCandidates,
+ degraded: false,
+ };
+ } catch (error) {
+ this.deps.logger.warn('codex session-file recent-projects source failed', {
+ error: error instanceof Error ? error.message : String(error),
+ });
+
+ return {
+ candidates: [],
+ degraded: true,
+ };
+ }
+ }
+
+ async #listRecentSessionSnapshots(): Promise {
+ const files = [
+ ...(await listJsonlFiles(path.join(this.#codexHome, 'sessions'), 4)),
+ ...(await listJsonlFiles(path.join(this.#codexHome, 'archived_sessions'), 1)),
+ ].sort((left, right) => right.mtimeMs - left.mtimeMs);
+
+ const snapshotsByCwd = new Map();
+
+ const candidateFiles = files.slice(0, CODEX_SESSION_FILE_PARSE_LIMIT);
+
+ for (
+ let offset = 0;
+ offset < candidateFiles.length && snapshotsByCwd.size < CODEX_PROJECT_CANDIDATE_LIMIT;
+ offset += CODEX_SESSION_FILE_READ_BATCH_SIZE
+ ) {
+ const batch = candidateFiles.slice(offset, offset + CODEX_SESSION_FILE_READ_BATCH_SIZE);
+ const firstLines = await Promise.all(
+ batch.map(async (file) => ({
+ file,
+ firstLine: await readFirstLine(file.filePath),
+ }))
+ );
+
+ for (const { file, firstLine } of firstLines) {
+ if (!firstLine) {
+ continue;
+ }
+
+ const snapshot = parseSessionSnapshot(firstLine, file.mtimeMs);
+ if (!snapshot) {
+ continue;
+ }
+
+ const previous = snapshotsByCwd.get(snapshot.cwd);
+ if (!previous || snapshot.lastActivityAt > previous.lastActivityAt) {
+ snapshotsByCwd.set(snapshot.cwd, snapshot);
+ }
+
+ if (snapshotsByCwd.size >= CODEX_PROJECT_CANDIDATE_LIMIT) {
+ break;
+ }
+ }
+ }
+
+ return Array.from(snapshotsByCwd.values())
+ .sort((left, right) => right.lastActivityAt - left.lastActivityAt)
+ .slice(0, CODEX_PROJECT_CANDIDATE_LIMIT);
+ }
+
+ async #toCandidate(
+ snapshot: CodexSessionProjectSnapshot
+ ): Promise {
+ const identity = await this.deps.identityResolver.resolve(snapshot.cwd);
+ const displayName = identity?.name ?? path.basename(snapshot.cwd) ?? snapshot.cwd;
+
+ return {
+ identity: identity?.id ?? `path:${normalizeIdentityPath(snapshot.cwd)}`,
+ displayName,
+ primaryPath: snapshot.cwd,
+ associatedPaths: [snapshot.cwd],
+ lastActivityAt: snapshot.lastActivityAt,
+ providerIds: ['codex'],
+ sourceKind: 'codex',
+ openTarget: {
+ type: 'synthetic-path',
+ path: snapshot.cwd,
+ },
+ branchName: snapshot.branchName,
+ };
+ }
+}
diff --git a/src/features/recent-projects/main/composition/createRecentProjectsFeature.ts b/src/features/recent-projects/main/composition/createRecentProjectsFeature.ts
index b0f36022..c85173d0 100644
--- a/src/features/recent-projects/main/composition/createRecentProjectsFeature.ts
+++ b/src/features/recent-projects/main/composition/createRecentProjectsFeature.ts
@@ -2,17 +2,12 @@ import {
type DashboardRecentProjectsPayload,
normalizeDashboardRecentProjectsPayload,
} from '@features/recent-projects/contracts';
-import {
- CodexBinaryResolver,
- JsonRpcStdioClient,
-} from '@main/services/infrastructure/codexAppServer';
import { ListDashboardRecentProjectsUseCase } from '../../core/application/use-cases/ListDashboardRecentProjectsUseCase';
import { DashboardRecentProjectsPresenter } from '../adapters/output/presenters/DashboardRecentProjectsPresenter';
import { ClaudeRecentProjectsSourceAdapter } from '../adapters/output/sources/ClaudeRecentProjectsSourceAdapter';
-import { CodexRecentProjectsSourceAdapter } from '../adapters/output/sources/CodexRecentProjectsSourceAdapter';
+import { CodexSessionFileRecentProjectsSourceAdapter } from '../adapters/output/sources/CodexSessionFileRecentProjectsSourceAdapter';
import { InMemoryRecentProjectsCache } from '../infrastructure/cache/InMemoryRecentProjectsCache';
-import { CodexAppServerClient } from '../infrastructure/codex/CodexAppServerClient';
import { RecentProjectIdentityResolver } from '../infrastructure/identity/RecentProjectIdentityResolver';
import type { ClockPort } from '../../core/application/ports/ClockPort';
@@ -31,16 +26,12 @@ export function createRecentProjectsFeature(deps: {
const cache = new InMemoryRecentProjectsCache();
const presenter = new DashboardRecentProjectsPresenter();
const clock: ClockPort = { now: () => Date.now() };
- const jsonRpcStdioClient = new JsonRpcStdioClient(deps.logger);
- const codexAppServerClient = new CodexAppServerClient(jsonRpcStdioClient);
const identityResolver = new RecentProjectIdentityResolver();
const sources = [
new ClaudeRecentProjectsSourceAdapter(deps.getActiveContext, deps.logger),
- new CodexRecentProjectsSourceAdapter({
+ new CodexSessionFileRecentProjectsSourceAdapter({
getActiveContext: deps.getActiveContext,
getLocalContext: deps.getLocalContext,
- resolveBinary: () => CodexBinaryResolver.resolve(),
- appServerClient: codexAppServerClient,
identityResolver,
logger: deps.logger,
}),
diff --git a/src/features/runtime-provider-management/contracts/api.ts b/src/features/runtime-provider-management/contracts/api.ts
index e25f8917..eea72627 100644
--- a/src/features/runtime-provider-management/contracts/api.ts
+++ b/src/features/runtime-provider-management/contracts/api.ts
@@ -4,11 +4,11 @@ import type {
RuntimeProviderManagementDirectoryResponse,
RuntimeProviderManagementForgetInput,
RuntimeProviderManagementLoadDirectoryInput,
+ RuntimeProviderManagementLoadModelsInput,
RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadViewInput,
- RuntimeProviderManagementLoadModelsInput,
- RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementModelsResponse,
+ RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementProviderResponse,
RuntimeProviderManagementSetDefaultModelInput,
RuntimeProviderManagementSetupFormResponse,
diff --git a/src/features/runtime-provider-management/core/application/runtimeProviderManagementUseCases.ts b/src/features/runtime-provider-management/core/application/runtimeProviderManagementUseCases.ts
index bad1c703..6eddf5ec 100644
--- a/src/features/runtime-provider-management/core/application/runtimeProviderManagementUseCases.ts
+++ b/src/features/runtime-provider-management/core/application/runtimeProviderManagementUseCases.ts
@@ -5,11 +5,11 @@ import type {
RuntimeProviderManagementDirectoryResponse,
RuntimeProviderManagementForgetInput,
RuntimeProviderManagementLoadDirectoryInput,
- RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadModelsInput,
+ RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadViewInput,
- RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementModelsResponse,
+ RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementProviderResponse,
RuntimeProviderManagementSetDefaultModelInput,
RuntimeProviderManagementSetupFormResponse,
diff --git a/src/features/runtime-provider-management/main/adapters/input/registerRuntimeProviderManagementIpc.ts b/src/features/runtime-provider-management/main/adapters/input/registerRuntimeProviderManagementIpc.ts
index bc52cc00..0dbd5713 100644
--- a/src/features/runtime-provider-management/main/adapters/input/registerRuntimeProviderManagementIpc.ts
+++ b/src/features/runtime-provider-management/main/adapters/input/registerRuntimeProviderManagementIpc.ts
@@ -18,11 +18,11 @@ import type {
RuntimeProviderManagementDirectoryResponse,
RuntimeProviderManagementForgetInput,
RuntimeProviderManagementLoadDirectoryInput,
- RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadModelsInput,
+ RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadViewInput,
- RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementModelsResponse,
+ RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementProviderResponse,
RuntimeProviderManagementSetDefaultModelInput,
RuntimeProviderManagementSetupFormResponse,
diff --git a/src/features/runtime-provider-management/main/composition/createRuntimeProviderManagementFeature.ts b/src/features/runtime-provider-management/main/composition/createRuntimeProviderManagementFeature.ts
index 02eda5a0..050ef2b3 100644
--- a/src/features/runtime-provider-management/main/composition/createRuntimeProviderManagementFeature.ts
+++ b/src/features/runtime-provider-management/main/composition/createRuntimeProviderManagementFeature.ts
@@ -8,11 +8,11 @@ import type {
RuntimeProviderManagementDirectoryResponse,
RuntimeProviderManagementForgetInput,
RuntimeProviderManagementLoadDirectoryInput,
- RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadModelsInput,
+ RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadViewInput,
- RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementModelsResponse,
+ RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementProviderResponse,
RuntimeProviderManagementSetDefaultModelInput,
RuntimeProviderManagementSetupFormResponse,
diff --git a/src/features/runtime-provider-management/main/infrastructure/AgentTeamsRuntimeProviderManagementCliClient.ts b/src/features/runtime-provider-management/main/infrastructure/AgentTeamsRuntimeProviderManagementCliClient.ts
index 175f5989..85f0a39d 100644
--- a/src/features/runtime-provider-management/main/infrastructure/AgentTeamsRuntimeProviderManagementCliClient.ts
+++ b/src/features/runtime-provider-management/main/infrastructure/AgentTeamsRuntimeProviderManagementCliClient.ts
@@ -11,8 +11,8 @@ import type {
RuntimeProviderManagementErrorDto,
RuntimeProviderManagementForgetInput,
RuntimeProviderManagementLoadDirectoryInput,
- RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadModelsInput,
+ RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadViewInput,
RuntimeProviderManagementModelsResponse,
RuntimeProviderManagementModelTestResponse,
diff --git a/src/features/runtime-provider-management/preload/createRuntimeProviderManagementBridge.ts b/src/features/runtime-provider-management/preload/createRuntimeProviderManagementBridge.ts
index 9bc0c4ac..a8a6ec9b 100644
--- a/src/features/runtime-provider-management/preload/createRuntimeProviderManagementBridge.ts
+++ b/src/features/runtime-provider-management/preload/createRuntimeProviderManagementBridge.ts
@@ -17,11 +17,11 @@ import type {
RuntimeProviderManagementDirectoryResponse,
RuntimeProviderManagementForgetInput,
RuntimeProviderManagementLoadDirectoryInput,
- RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadModelsInput,
+ RuntimeProviderManagementLoadSetupFormInput,
RuntimeProviderManagementLoadViewInput,
- RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementModelsResponse,
+ RuntimeProviderManagementModelTestResponse,
RuntimeProviderManagementProviderResponse,
RuntimeProviderManagementSetDefaultModelInput,
RuntimeProviderManagementSetupFormResponse,
diff --git a/src/features/runtime-provider-management/renderer/ui/RuntimeProviderManagementPanelView.tsx b/src/features/runtime-provider-management/renderer/ui/RuntimeProviderManagementPanelView.tsx
index 7f1bf6a6..2f094e24 100644
--- a/src/features/runtime-provider-management/renderer/ui/RuntimeProviderManagementPanelView.tsx
+++ b/src/features/runtime-provider-management/renderer/ui/RuntimeProviderManagementPanelView.tsx
@@ -77,7 +77,7 @@ interface ProviderRowProps {
readonly actions: RuntimeProviderManagementActions;
}
-const DIRECTORY_FILTERS: Array<{ id: RuntimeProviderDirectoryFilterDto; label: string }> = [
+const DIRECTORY_FILTERS: { id: RuntimeProviderDirectoryFilterDto; label: string }[] = [
{ id: 'all', label: 'All' },
{ id: 'connectable', label: 'Connectable' },
{ id: 'connected', label: 'Connected' },
diff --git a/src/features/runtime-provider-management/renderer/ui/providerBrandIcons.tsx b/src/features/runtime-provider-management/renderer/ui/providerBrandIcons.tsx
index 25f6678e..3bbda2e2 100644
--- a/src/features/runtime-provider-management/renderer/ui/providerBrandIcons.tsx
+++ b/src/features/runtime-provider-management/renderer/ui/providerBrandIcons.tsx
@@ -2,10 +2,10 @@ import { useEffect, useState } from 'react';
import type { CSSProperties, JSX } from 'react';
-type ProviderBrand = {
+interface ProviderBrand {
providerId: string;
displayName: string;
-};
+}
interface SvgPath {
d: string;
diff --git a/src/features/team-runtime-lanes/core/domain/buildMixedPersistedLaunchSnapshot.ts b/src/features/team-runtime-lanes/core/domain/buildMixedPersistedLaunchSnapshot.ts
index bb429c5d..ffbe971d 100644
--- a/src/features/team-runtime-lanes/core/domain/buildMixedPersistedLaunchSnapshot.ts
+++ b/src/features/team-runtime-lanes/core/domain/buildMixedPersistedLaunchSnapshot.ts
@@ -146,6 +146,16 @@ function createPrimaryLaneMemberState(params: {
const runtime = params.status;
const strongRuntimeAlive = preservesStrongRuntimeAlive(runtime ?? {});
const sources = runtime ? createSourcesFromStatus(runtime) : undefined;
+ const launchState =
+ runtime?.launchState ??
+ deriveMemberLaunchState({
+ hardFailure: runtime?.hardFailure,
+ bootstrapConfirmed: runtime?.bootstrapConfirmed,
+ runtimeAlive: strongRuntimeAlive,
+ agentToolAccepted: runtime?.agentToolAccepted,
+ pendingPermissionRequestIds: runtime?.pendingPermissionRequestIds,
+ });
+ const hardFailure = runtime?.hardFailure === true || launchState === 'failed_to_start';
const base: PersistedTeamLaunchMemberState = {
name: params.member.name.trim(),
providerId,
@@ -173,20 +183,12 @@ function createPrimaryLaneMemberState(params: {
providerId === params.leadDefaults.providerId
? (params.leadDefaults.launchIdentity ?? undefined)
: undefined,
- launchState:
- runtime?.launchState ??
- deriveMemberLaunchState({
- hardFailure: runtime?.hardFailure,
- bootstrapConfirmed: runtime?.bootstrapConfirmed,
- runtimeAlive: strongRuntimeAlive,
- agentToolAccepted: runtime?.agentToolAccepted,
- pendingPermissionRequestIds: runtime?.pendingPermissionRequestIds,
- }),
+ launchState,
agentToolAccepted: runtime?.agentToolAccepted === true,
runtimeAlive: strongRuntimeAlive,
bootstrapConfirmed: runtime?.bootstrapConfirmed === true,
- hardFailure: runtime?.hardFailure === true || runtime?.launchState === 'failed_to_start',
- hardFailureReason: runtime?.hardFailureReason ?? runtime?.error,
+ hardFailure,
+ hardFailureReason: hardFailure ? (runtime?.hardFailureReason ?? runtime?.error) : undefined,
pendingPermissionRequestIds: runtime?.pendingPermissionRequestIds?.length
? [...new Set(runtime.pendingPermissionRequestIds)]
: undefined,
@@ -212,7 +214,6 @@ function createSecondaryLaneMemberState(
normalizeOptionalTeamProviderId(params.member.providerId) ?? params.leadDefaults.providerId;
const evidence = params.evidence;
const strongRuntimeAlive = preservesStrongRuntimeAlive(evidence ?? {});
- const hardFailureReason = evidence?.hardFailureReason;
const launchState =
evidence?.launchState ??
deriveMemberLaunchState({
@@ -222,6 +223,8 @@ function createSecondaryLaneMemberState(
agentToolAccepted: evidence?.agentToolAccepted,
pendingPermissionRequestIds: evidence?.pendingPermissionRequestIds,
});
+ const hardFailure = evidence?.hardFailure === true || launchState === 'failed_to_start';
+ const hardFailureReason = hardFailure ? evidence?.hardFailureReason : undefined;
const base: PersistedTeamLaunchMemberState = {
name: params.member.name.trim(),
providerId,
@@ -249,7 +252,7 @@ function createSecondaryLaneMemberState(
agentToolAccepted: evidence?.agentToolAccepted === true,
runtimeAlive: strongRuntimeAlive,
bootstrapConfirmed: evidence?.bootstrapConfirmed === true,
- hardFailure: evidence?.hardFailure === true || launchState === 'failed_to_start',
+ hardFailure,
hardFailureReason,
pendingPermissionRequestIds: evidence?.pendingPermissionRequestIds?.length
? [...new Set(evidence.pendingPermissionRequestIds)]
diff --git a/src/features/team-runtime-lanes/main/composition/__tests__/createTeamRuntimeLaneCoordinator.test.ts b/src/features/team-runtime-lanes/main/composition/__tests__/createTeamRuntimeLaneCoordinator.test.ts
index 7ddbc914..a5875ba9 100644
--- a/src/features/team-runtime-lanes/main/composition/__tests__/createTeamRuntimeLaneCoordinator.test.ts
+++ b/src/features/team-runtime-lanes/main/composition/__tests__/createTeamRuntimeLaneCoordinator.test.ts
@@ -47,4 +47,49 @@ describe('createTeamRuntimeLaneCoordinator', () => {
})
).toThrow('Mixed teams with OpenCode side lanes require the OpenCode runtime adapter');
});
+
+ it('drops stale hard-failure reasons when secondary OpenCode evidence later confirms alive', () => {
+ const coordinator = createTeamRuntimeLaneCoordinator();
+
+ const snapshot = coordinator.buildAggregateLaunchSnapshot({
+ teamName: 'mixed-team',
+ launchPhase: 'active',
+ leadDefaults: {
+ providerId: 'codex',
+ },
+ primaryMembers: [],
+ primaryStatuses: {},
+ secondaryMembers: [
+ {
+ laneId: 'secondary:opencode:jack',
+ member: {
+ name: 'jack',
+ providerId: 'opencode',
+ model: 'qwen/qwen3-coder',
+ },
+ leadDefaults: {
+ providerId: 'codex',
+ },
+ evidence: {
+ launchState: 'confirmed_alive',
+ agentToolAccepted: true,
+ runtimeAlive: true,
+ bootstrapConfirmed: true,
+ hardFailure: false,
+ hardFailureReason: 'OpenCode bridge reported member launch failure',
+ diagnostics: ['OpenCode runtime bootstrap check-in accepted'],
+ },
+ },
+ ],
+ });
+
+ expect(snapshot.members.jack).toMatchObject({
+ launchState: 'confirmed_alive',
+ hardFailure: false,
+ hardFailureReason: undefined,
+ });
+ expect(snapshot.members.jack.diagnostics).not.toContain(
+ 'hard failure reason: OpenCode bridge reported member launch failure'
+ );
+ });
});
diff --git a/src/features/tmux-installer/main/composition/runtimeSupport.ts b/src/features/tmux-installer/main/composition/runtimeSupport.ts
index 0ae0c94e..08c4c859 100644
--- a/src/features/tmux-installer/main/composition/runtimeSupport.ts
+++ b/src/features/tmux-installer/main/composition/runtimeSupport.ts
@@ -40,6 +40,13 @@ export async function listRuntimeProcessesForCurrentTmuxPlatform(): Promise<
return runtimeCommandExecutor.listRuntimeProcesses();
}
+export async function sendKeysToTmuxPaneForCurrentPlatform(
+ paneId: string,
+ command: string
+): Promise {
+ await runtimeCommandExecutor.sendKeysToPane(paneId, command);
+}
+
export function killTmuxPaneForCurrentPlatformSync(paneId: string): void {
runtimeCommandExecutor.killPaneSync(paneId);
invalidateTmuxRuntimeStatusCache();
diff --git a/src/features/tmux-installer/main/index.ts b/src/features/tmux-installer/main/index.ts
index d18d99ea..9dbef51e 100644
--- a/src/features/tmux-installer/main/index.ts
+++ b/src/features/tmux-installer/main/index.ts
@@ -12,6 +12,7 @@ export {
listRuntimeProcessesForCurrentTmuxPlatform,
listTmuxPanePidsForCurrentPlatform,
listTmuxPaneRuntimeInfoForCurrentPlatform,
+ sendKeysToTmuxPaneForCurrentPlatform,
} from './composition/runtimeSupport';
export type {
RuntimeProcessTableRow,
diff --git a/src/features/tmux-installer/main/infrastructure/runtime/TmuxPlatformCommandExecutor.ts b/src/features/tmux-installer/main/infrastructure/runtime/TmuxPlatformCommandExecutor.ts
index 0500d252..d5e434a7 100644
--- a/src/features/tmux-installer/main/infrastructure/runtime/TmuxPlatformCommandExecutor.ts
+++ b/src/features/tmux-installer/main/infrastructure/runtime/TmuxPlatformCommandExecutor.ts
@@ -1,4 +1,7 @@
import { execFile, execFileSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
import { buildEnrichedEnv } from '@main/utils/cliEnv';
import { resolveInteractiveShellEnv } from '@main/utils/shellEnv';
@@ -19,6 +22,7 @@ export interface TmuxPaneRuntimeInfo {
currentPath?: string;
sessionName?: string;
windowName?: string;
+ socketName?: string;
}
export interface RuntimeProcessTableRow {
@@ -61,16 +65,17 @@ export class TmuxPlatformCommandExecutor {
this.#packageManagerResolver = packageManagerResolver;
}
- async execTmux(args: string[], timeout = 5_000): Promise {
+ async execTmux(args: string[], timeout = 5_000, socketName?: string): Promise {
+ const effectiveArgs = socketName ? ['-L', socketName, ...args] : args;
if (process.platform === 'win32') {
- return this.#wslService.execTmux(args, null, timeout);
+ return this.#wslService.execTmux(effectiveArgs, null, timeout);
}
await resolveInteractiveShellEnv();
const env = buildEnrichedEnv();
const executable = await this.#resolveNativeTmuxExecutable(env);
return new Promise((resolve) => {
- execFile(executable, args, { env, timeout }, (error, stdout, stderr) => {
+ execFile(executable, effectiveArgs, { env, timeout }, (error, stdout, stderr) => {
const errorCode =
typeof error === 'object' && error !== null && 'code' in error
? (error as NodeJS.ErrnoException).code
@@ -85,10 +90,16 @@ export class TmuxPlatformCommandExecutor {
}
async killPane(paneId: string): Promise {
- const result = await this.execTmux(['kill-pane', '-t', paneId], 3_000);
- if (result.exitCode !== 0) {
- throw new Error(result.stderr || `Failed to kill tmux pane ${paneId}`);
+ const candidates = await this.#getTmuxSocketCandidates();
+ let lastError = '';
+ for (const socketName of candidates) {
+ const result = await this.execTmux(['kill-pane', '-t', paneId], 3_000, socketName);
+ if (result.exitCode === 0) {
+ return;
+ }
+ lastError = result.stderr || `Failed to kill tmux pane ${paneId}`;
}
+ throw new Error(lastError || `Failed to kill tmux pane ${paneId}`);
}
async listPaneRuntimeInfo(paneIds: readonly string[]): Promise