feat: add Agent Team experimental feature for parallel sub-agent coordination#2886
Closed
tanzhenxin wants to merge 36 commits into
Closed
feat: add Agent Team experimental feature for parallel sub-agent coordination#2886tanzhenxin wants to merge 36 commits into
tanzhenxin wants to merge 36 commits into
Conversation
Contributor
📋 Review SummaryThis PR introduces Agent Team — an experimental feature enabling parallel multi-agent coordination through a leader-teammate model. The implementation is comprehensive, adding 6 new tools ( 🔍 General Feedback
🎯 Specific Feedback🔴 Critical
🟡 High
🟢 Medium
🔵 Low
✅ Highlights
|
…dination Adds an experimental Agent Team feature that lets the lead agent spawn and coordinate a team of sub-agents working in parallel on different parts of a task. Key components: - TeamManager: central orchestrator for teammate lifecycle and message routing - Mailbox: file-based message passing system - Task board: shared task tracker with status and dependency support - Identity system: unique IDs, display names, and colors for teammates - Permission sync: propagates leader approvals to teammates - 6 new gated tools: team_create, team_delete, send_message, task_create, task_update, task_list Feature is disabled by default and gated behind experimental setting or env var. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
a5cfded to
16ea312
Compare
Contributor
Code Coverage Summary
CLI Package - Full Text ReportCore Package - Full Text ReportFor detailed HTML reports, please see the 'coverage-reports-22.x-ubuntu-latest' artifact from the main CI run. |
useResultDisplayRenderer had no handler for TeamResultDisplay or
TaskListResultDisplay objects. In interactive mode, team_create and
team_delete returned {type, teamName, action} which fell through to
the default case casting it as string, crashing React with "Objects
are not valid as a React child."
Add explicit branch for team_result/task_list types and make the
default fallback safe with typeof check + JSON.stringify.
The test mock config was missing `getTeamManager` and `onTeamManagerChange`, causing all 56 tests to fail with "config.onTeamManagerChange is not a function".
wenshao
added a commit
to wenshao/codeagents
that referenced
this pull request
Apr 5, 2026
PR#2886 implements Agent Team experimental feature covering: - p0-p1-engine #14 (Coordinator/Swarm) ✅ - p0-p1-engine #16 (InProcess isolation) ✅ - p0-p1-engine #25 (Task Management) ✅ - p2-stability #14 (Agent permission bubble) ✅ - p2-stability #18 (Agent mailbox) ✅ - p3-hooks #1 (useInboxPoller) ✅ Added PR links to both matrix rows and detail files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Conflicts: # packages/cli/src/nonInteractiveCli.ts # packages/core/src/tools/agent.test.ts # packages/core/src/tools/agent.ts
8 tasks
wenshao
requested changes
Apr 19, 2026
# Conflicts: # packages/cli/src/config/config.ts # packages/cli/src/config/settingsSchema.ts # packages/cli/src/nonInteractiveCli.test.ts # packages/cli/src/nonInteractiveCli.ts # packages/cli/src/ui/hooks/useGeminiStream.test.tsx # packages/core/src/agents/index.ts # packages/core/src/config/config.ts # packages/core/src/core/client.ts # packages/core/src/index.ts # packages/core/src/tools/agent.ts # packages/core/src/tools/send-message.test.ts # packages/core/src/tools/send-message.ts # packages/core/src/tools/tool-names.ts # packages/vscode-ide-companion/schemas/settings.schema.json
After merging origin/main, SubagentManager.convertToRuntimeConfig became async. TeamManager was reading properties off the returned promise directly. Add the missing await so runtimeCfg is the resolved config.
…r swap When the active TeamManager changed in a long-lived session (stream-json reuse, or React remount), the previous manager kept its leader-message callback and approval-event listener installed. A stale manager could keep pushing teammate messages into a queue that no longer belonged to the live turn. - Widen `TeamManager.setLeaderMessageCallback` to accept `null` so callers can detach. - In `nonInteractiveCli`, track the bound manager and detach its leader callback + approval listener before binding a new one (and on `finally` cleanup). - In `useGeminiStream`, do the same in the team-manager `useEffect`, including on unmount.
wenshao
requested changes
Apr 29, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Unmappable findings (not on changed diff lines):
[Critical] packages/cli/src/nonInteractiveCli.test.ts:1218 no longer satisfies ModelMetrics: bySource is required but missing, so tsc fails before the suite can run. Please add the required bySource field to the fixture.
[Critical] packages/cli/src/ui/hooks/useGeminiStream.test.tsx:2922 uses GeminiEventType.Text, but Text does not exist on the imported enum/type. Please use the event enum that actually contains Text, or update the test event construction to match the current stream event type.
[Critical] packages/cli/src/ui/hooks/useGeminiStream.test.tsx:3228 has the same GeminiEventType.Text type error. Please use the correct event enum/type for text events.
— gpt-5.5 via Qwen Code /review
Codex review uncovered six issues in the team feature: - Default teammates (no agentType) never received send_message because AgentCore's subagent exclusion list filtered it out, leaving them unable to report results to the leader. Add a teammate-aware exclusion set that keeps send_message available. - AgentTool's prompt advertised a nonexistent team_name parameter; the schema rejects it via additionalProperties: false. Drop it from the guidance. - task_update only updated one side of block edges, so auto-claim and completion-unblock saw an inconsistent dependency graph. Mirror the reciprocal edge after the primary update. - nonInteractiveCli started the cancellation handler without awaiting it, so an aborted teammate-wait could still emit a success result before exit. Await the handler. - TeamManager dropped the sender when delivering queued messages, so recipients saw anonymous text. Prefix delivered messages with [Message from <sender>]:. - send_message passed an undefined sender for leader DMs, recording them as "unknown" and assigning peer priority. Fall back to "leader" to match the broadcast path.
- Sanitize names in findMemberByName so lookups using human-entered
names ("QA Tester") match the stored sanitized form ("qa-tester").
- Drain the leader inbox once before non-interactive exit to flush
messages a teammate wrote then went IDLE before the 500ms poll.
- Guard the unified-notification and teammate drain effects with
isSubmittingQueryRef so a same-render race no longer splices a
batch out of the queue while submitQuery early-returns.
- Correct team workflow docs: drop the nonexistent team_name param
and document shutdown_request as a top-level send_message field.
- Parallelize listTasks file reads and unassignTeammateTasks updates - Extract LEADER_NAME constant and resolveActiveTeamName helper - Drop unused TeamContext.teamFilePath field and dead auto-assign branch - Hoist proceedOutcomes set; stop mutating params.name in agent tool - Clear agentIdentities on TeamManager.cleanup - Log lock onCompromised events at debug level instead of swallowing
- tasks: reject non-numeric task IDs in getTaskPath so model-supplied
IDs like "../../settings" can't escape ~/.qwen/tasks/{team}/ via
task_update or task_list.
- teamHelpers: reject empty and "leader" teammate names — both are
unreachable (blank "to" is treated as missing; "leader" is shadowed
by the leader inbox special-case).
- client: include Teammate in the loop-detector reset block. Teammate
messages already advance prompt_id and run as fresh turns, so leaving
loop counters from the prior leader turn behind risks a false
LoopDetected on the first teammate-driven turn.
- TeamManager: getLeaderMessages now slices from lastInboxOffset and
advances it, sharing the high-water mark with pollLeaderInbox so the
leader doesn't see already-delivered messages re-appear in
task_list output.
wenshao
requested changes
May 1, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
/qreview
Multi-agent review of the new Agent Team feature. npm run typecheck, npm run lint, npm run build, and the team-area Vitest suite (305 tests) all pass.
9 Critical (1 privilege escalation, 1 prompt-injection, 4 reliability/correctness, 3 already-flagged still-open) and 16 Suggestions across the team module. Posting 20 inline; the remaining items are cross-file and listed below.
Cross-file findings (no single anchor)
[Suggestion] Test-coverage gaps for the new public APIs added in this PR. The team module has good direct test coverage, but the integration boundaries are largely untested:
packages/core/src/tools/agent/agent.ts:919-934, 1351-1402—executeTeammateand the routing branch have only mock stubs; no test asserts the routing decision or thatsignal/updateOutputare propagated.packages/core/src/core/client.ts:597, 651, 663, 803— four newSendMessageType.Teammatebranches;client.test.tsis unchanged.packages/cli/src/nonInteractiveCli.ts:201-271, 414-431, 568-637— 184 new lines; only mock stubs added. The bug fixed in f4582d6 (manager-swap callback leak) has no regression test.packages/cli/src/ui/hooks/useGeminiStream.ts:2284-2340— same fix, same gap.packages/core/src/agents/team/TeamManager.ts:507-517(drainLeaderInbox),:556-598(hasActiveTeammates,waitForTeammateActivity),:737-787(allRemainingStalled,abortStalledTeammates),:920-928 + 953-970(permission fallback) — zero direct tests.packages/cli/src/nonInteractive/control/controllers/permissionController.ts:387-456(handleTeammateApproval) — 75 lines / 6 critical branches / no test.packages/core/src/agents/team/TeamManager.ts:168— no test exercises the 11-teammateMAX_TEAMMATESrejection.
[Suggestion] Possible merge regression: package.json version regresses 0.15.6 → 0.15.3, and packages/core/src/services/fileReadCache.ts (and the related config plumbing) appears to have been removed by this diff but exists on main. Looks like the branch was forked from an older main and recent merges weren't carried forward — please rebase before merge.
Already-open from prior review (still unresolved)
Three Critical items from my earlier review are unfixed in 34f7831a3 — see existing inline comments at:
packages/core/src/agents/team/TeamManager.ts:213(allowlist injection ignoresdisallowedTools)packages/core/src/agents/team/mailbox.ts:242(silent overwrite of corrupt inbox)packages/core/src/agents/team/permissionSync.ts:8(dead permission architecture)
Review report saved locally; full text available on request.
— claude-opus-4-7 via Claude Code /qreview
wenshao
requested changes
May 3, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Missing Test Coverage
packages/core/src/agents/team/TeamManager.ts— 1120 行的核心编排器完全没有单元测试。spawn、drain、flush、auto-claim、shutdown、event bridge 等关键逻辑仅通过集成测试间接覆盖。packages/cli/src/ui/hooks/useTeamInProcess.ts— 174 行的 React hook(连接 TeamManager 事件到 AgentViewContext)无任何测试。packages/core/src/tools/task-update.test.ts—addBlocks/addBlockedBy的对等依赖图镜像逻辑(task-update.ts:145-156)完全没有测试覆盖。
— deepseek-v4-pro via Qwen Code /review
Collaborator
代码评审 — Agent Team experimental feature概述在现有 in-process backend 之上新增了一个 leader–teammate 协调层。六个新工具( 架构合理(沿用了现有 🔴 Critical:
|
# Conflicts: # packages/cli/src/nonInteractiveCli.ts # packages/cli/src/ui/commands/tasksCommand.ts # packages/core/src/config/config.ts # packages/core/src/tools/send-message.test.ts # packages/core/src/tools/send-message.ts # packages/core/src/tools/tool-names.ts
wenshao
requested changes
May 7, 2026
Land the fixes from two rounds of /qreview feedback that were
either still ball-in-author's-court (six replied-to inline threads)
or net-new findings.
Already-replied threads (executed per the leaning in each reply):
- Drop unused permissionSync file-based fallback. Only Phase 2
(pane-based) needs file-based approval routing; for Phase 1 the
in-process leaderPermissionBridge plus the team approval-event
path covers the same job. Re-introduce when Phase 2 lands.
- Validate every addBlocks/addBlockedBy id in task_update before
any mutation so an invalid id rejects the whole call instead of
leaving the dependency graph half-mirrored on disk.
- Cap send_message.message at 64KB and compact read entries older
than 5 minutes on every mailbox write so long-running teams
don't grow unbounded inbox files. Leader inbox has no read
entries so its offset tracking is unaffected.
- Wire agentsCollab.team.maxTeammates through to TeamManager and
surface the limit in the team_create description.
- Fix leaderPermissionBridge: route wrapConfirmWithBadge.onConfirm
through the supplied respond callback instead of the
always-stripped original.onConfirm; populate
TEAMMATE_APPROVAL_REQUEST.toolInput from the raw tool args
(added args to AgentApprovalRequestEvent and emit it from
agent-core) instead of the UI-rendering confirmationDetails.
- Pass the pre-fetched pending list from scanIdleAgentsForTasks
into tryAutoClaimTask so each scan runs one listTasks call
instead of N+1.
New findings:
- Lock deleteTask under the same per-task lockfile updateTask
uses; without it, a concurrent updateTask read-modify-write
could resurrect a deleted task with stale data.
- Quarantine corrupt leader inbox files in pollLeaderInbox
(rename to .corrupt-{ts} and reset offset) instead of
swallowing parse errors as ENOENT — mirrors the tasks.ts
pattern.
- Merge addBlocks/addBlockedBy into the task before the
completion-unblock check in updateTask. The combined
status:'completed' + addBlocks call previously skipped the
newly-added dependent and stranded it behind an
already-completed blocker.
- Hoist TeamAgentHandle into backends/types and add an optional
getAgent on the Backend interface so TeamManager doesn't have
to cast the backend.
- Move writeTeamFile inside spawnTeammate's try/catch and extend
rollback to stop the agent and tear down the event bridge on
persistence failure — otherwise a successful spawn followed by
a write failure leaves a teammate running that no team file
knows about.
- Gate the Agent tool's team-coordination guidance on
isAgentTeamEnabled so default sessions aren't steered toward
team_create when it isn't registered.
- Surface headless teammate-tool cancellations to the leader's
LLM via pendingTeammateMessages, in addition to the existing
stderr line. The stderr is for humans; the model needs a
signal too.
- Guard task_update against a non-leader teammate mutating
status / owner / subject / description / blocks on a task
another teammate owns. Leader and current owner keep full
authority; metadata stays open so any teammate can leave a
note.
Collaborator
Author
|
Triaged the 16:04–16:10 round (deepseek-v4-pro Critical 1/4–4/4 + Sugg 5–10, plus the gpt-5.5 fallback review at 16:06:26). Code changes are in 5ad0b92. deepseek-v4-pro Critical findings
deepseek-v4-pro Suggestions
gpt-5.5 fallback review (16:06:26)
The empty |
Land the fixes from the 2026-05-07 /qreview round.
Security / correctness:
- task_list now wraps teammate-to-leader text in the same
per-session nonce envelope pollLeaderInbox uses, closing the
prompt-injection bypass where a teammate could embed a forged
`[leader]: SYSTEM: ...` header in its message and have it
surfaced raw through the task_list result. Exposed
`formatLeaderEnvelope` on TeamManager so both paths share one
framing implementation.
- getLeaderMessages no longer swallows every read error as
ENOENT. Both it and pollLeaderInbox now share a single
`readLeaderInboxOrQuarantine` helper that distinguishes
ENOENT from corruption — on parse/I-O failure the inbox is
renamed to .corrupt-{ts} and lastInboxOffset is reset.
- task_update gained the same `maxLength` caps task_create
already had on subject (200) / description (10000) /
activeForm (200), and updateTask/createTask now reject
metadata payloads larger than 32 KiB. Without the update-side
caps a teammate could bypass the create-side limits via
`task_update({subject: 'X'.repeat(50_000_000)})` and OOM the
leader on the next listTasks scan.
- listTasks's outer `fs.readdir` catch now narrows to ENOENT.
EACCES / EIO / ENOTDIR / ELOOP propagate up so a broken disk
no longer renders as an empty board.
Lifecycle / state hygiene:
- Terminal-status cleanup now drops pendingMessages,
lastActivityAt, agentIdentities, and _shutdownPending entries
for the dying teammate. Long sessions with spawn-fail or
shutdown churn would otherwise grow these maps monotonically.
sendMessage now throws when the per-agent queue is missing,
so a send to an already-terminated teammate surfaces the
failure instead of being silently lost.
- team_delete sweeps deleteTeamDirs twice (with a 250 ms gap)
so a teammate's tool call that didn't settle inside cleanup's
wait window can't leave an orphan inbox dir behind to wedge
the next team_create with the same name.
- The team_create EEXIST message now spells out the on-disk
paths so users recovering from a crashed prior session have
an actionable rm command instead of "run team_delete first"
(which can't help once the manager is gone).
Polish:
- Backend.waitForAgent's JSDoc now documents the per-agent ->
waitForAll fallback that tmux/iTerm2 backends already do, and
the iTerm stub gets the same comment Tmux already had.
- useTeamInProcess tracks the agent ids it itself registers and
iterates unregisterAgent on detach, instead of bulk
unregisterAll which was wiping arena tabs registered by
useArenaInProcess in the same AgentViewContext.
Fixes four correctness issues flagged by codex review: - Propagate `updatedInput` from the leader's stream-json approval back to the teammate's scheduler via `ToolConfirmationPayload`, so a host that sanitises a teammate's tool call (rewriting a command, stripping a flag, replacing a path) actually runs the sanitised version instead of the original. The leader's same- process path mutates `request.args` directly, which doesn't work across the team-event boundary. - Switch inbox writes from `fs.writeFile` (O_TRUNC) to atomic tmp-file + rename, so the lockless 500ms leader poll can never observe a partial file mid-write and quarantine a healthy inbox, dropping queued teammate messages. - Reject `agent` tool calls that supply `name` when no team is active, instead of silently launching a one-shot subagent that ignores the supplied name. - Reject `task_update` calls whose `addBlocks` / `addBlockedBy` reference a non-existent task before any disk mutation, instead of persisting a phantom dependency that auto-claim can never unblock.
`AgentApprovalRequestEvent.args` became a required field in 5ad0b92 but `createApprovalEvent` in this test file kept treating it as optional (via Partial), so the spread didn't guarantee the field was set. CI's `tsc --build` flagged the factory's return type as missing `args`. Default `args: {}` in the factory body so callers that don't override it still satisfy the type.
Address three correctness issues raised in Codex review: - Hide team_create/team_delete and task_* tools from non-team Agent subagents. Without this, a regular subagent inherits the leader's TeamManager via the prototype-cloned Config and isTeammate() returns false, so team_delete and unrestricted task_update were treated as leader calls. Teammates keep the task_* + send_message subset but lose team management. - Move the teammate ownership guard inside updateTask's per-task lock. Two teammates racing to claim the same pending task could both pass a pre-lock getTask() check and have the second writer silently overwrite the first's owner. The check now happens inside the lock and throws TaskOwnershipError on conflict. - Clean up reciprocal blocks / blockedBy edges in deleteTask. Deleting a task that appeared in another task's blockedBy used to leave a phantom id behind; tryAutoClaimTask skips any task with non-empty blockedBy, so the dependent became permanently unclaimable.
Replace the per-module atomicWriteJson helper in mailbox.ts and the non-atomic fs.writeFile sites in tasks.ts and teamHelpers.ts with the shared atomicWriteJSON util, so a lockless reader can never observe a half-written team config or task file. Also drop a redundant getStatus type cast, fix a stale "default 30s" doc comment, swap a hardcoded 10 for the MAX_TEAMMATES constant, skip the priority sort when the queue holds at most one message, and skip a redundant rewrite in unblockDependents when the dependency was already cleared.
wenshao
requested changes
May 8, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Non-mappable findings:
- TeamManager.ts — 1316-line core orchestrator has no dedicated unit test file. Key untested paths: inbox corruption quarantine, stall detection (600s threshold),
buildTeamStatusSummaryoutput shape,waitForTeammateActivitytimeout/abort branches. - config.ts — New team methods (
getTeamManager,setTeamManager,onTeamManagerChange,cleanupTeamRuntime) are untested inconfig.test.ts. - leaderPermissionBridge.ts —
registerLeaderis only called in tests; the bridge is dead code in production. - tasks.ts — Five nearly-identical lock/read/parse/modify/write/unlock sequences across
updateTask,deleteTask,removeEdgesReferencing,unblockDependents,claimTask. Consider extracting a shared helper. - tasks.ts + TeamManager.ts —
scanIdleAgentsForTaskshas no debounce; every task mutation triggers a full directory scan.
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| const teammateCallerName = isTeammate() ? getAgentName() : undefined; | ||
|
|
||
| // status: 'deleted' → delete the task file. | ||
| if (this.params.status === 'deleted') { |
Collaborator
There was a problem hiding this comment.
[Critical] 任务删除绕过所有权检查。
当 status === 'deleted' 时,deleteTask(teamName, taskId) 被直接调用,完全绕过 updateTask 中的所有权守卫。任何 teammate 都可以删除任何任务,无论所有权如何。
Suggested change
| if (this.params.status === 'deleted') { | |
| if (this.params.status === 'deleted') { | |
| if (teammateCallerName) { | |
| const task = await getTask(teamName, taskId); | |
| if (task && task.owner && task.owner !== teammateCallerName) { | |
| return { | |
| llmContent: `Task #${taskId} is owned by ${task.owner}`, | |
| error: { | |
| code: 'TASK_OWNERSHIP_ERROR', | |
| message: `Cannot delete task #${taskId}: owned by ${task.owner}`, | |
| }, | |
| }; | |
| } | |
| } | |
| const ok = await deleteTask(teamName, taskId); | |
| if (ok) { | |
| this.config.getTeamContext()?.notifyTasksUpdated(); | |
| return { llmContent: `Task #${taskId} has been deleted.` }; | |
| } | |
| return { llmContent: `Task #${taskId} not found or already deleted.` }; | |
| } |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| name: agentName, | ||
| timestamp: Date.now(), | ||
| }); | ||
| void this.flushNextMessage(agentId, agentName); |
Collaborator
There was a problem hiding this comment.
[Critical] flushNextMessage / tryAutoClaimTask fire-and-forget 无错误处理。
setupEventBridge 中 void this.flushNextMessage(...) 和 void this.scanIdleAgentsForTasks() 共 4 处 fire-and-forget 调用。如果因邮箱损坏、任务文件解析失败或 I/O 错误而抛出异常,将变为未处理的 Promise rejection,teammate 静默挂起直至 600s 停滞超时。
Suggested change
| void this.flushNextMessage(agentId, agentName); | |
| void this.flushNextMessage(agentId, agentName).catch((err) => | |
| this.debug.warn(`flushNextMessage failed for ${agentName}:`, err), | |
| ); |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
|
|
||
| const release = await lockfile.lock(inboxPath, LOCK_OPTIONS); | ||
| try { | ||
| const messages = await readInboxRaw(inboxPath); |
Collaborator
There was a problem hiding this comment.
[Critical] consumeUnread 缺少损坏隔离机制。
consumeUnread 在锁内调用 readInboxRaw。如果 JSON 损坏导致异常,错误越过 atomicWriteJSON,锁在 finally 中释放,但损坏文件未被隔离。下一次 writeMessage 将覆盖损坏的收件箱,永久丢失所有未读消息。对比 listTasks 和 readLeaderInboxOrQuarantine 均有 .corrupt-{ts} 隔离逻辑。
Suggested change
| const messages = await readInboxRaw(inboxPath); | |
| try { | |
| const messages = await readInboxRaw(inboxPath); | |
| // ... existing logic | |
| } catch (err) { | |
| if (!isNodeError(err) || err.code !== 'ENOENT') { | |
| const corruptPath = `${inboxPath}.corrupt-${Date.now()}`; | |
| await fs.rename(inboxPath, corruptPath).catch(() => {}); | |
| } | |
| return []; | |
| } |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| @@ -378,6 +380,98 @@ export class PermissionController extends BaseController { | |||
| }; | |||
| } | |||
Collaborator
There was a problem hiding this comment.
[Critical] handleTeammateApproval 完全未测试。
新增 94 行方法无一测试。所有分支未被覆盖:abort 信号、非 stream-json 降级、SDK allow 的 updatedInput 转发(安全关键——host 清洗后的参数可能静默被原始参数替换)、cancel 的 cancelMessage、catch 路径。
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| * Clean up Team runtime — stops all teammates and clears state. | ||
| */ | ||
| async cleanupTeamRuntime(): Promise<void> { | ||
| const manager = this.teamManager; |
Collaborator
There was a problem hiding this comment.
[Suggestion] cleanupTeamRuntime 未调用 unregisterLeader()。
team_delete 工具调用全部四个清理步骤,但 cleanupTeamRuntime 缺少 unregisterLeader()。在 stream-json 会话复用场景下,旧 leader 回调不会从 bridge 单例中注销,可能导致内存泄漏或过时回调被意外调用。
Suggested change
| const manager = this.teamManager; | |
| async cleanupTeamRuntime(): Promise<void> { | |
| const manager = this.teamManager; | |
| if (!manager) return; | |
| await manager.cleanup(); | |
| unregisterLeader(); | |
| this.setTeamManager(null); | |
| this.setTeamContext(null); | |
| } |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| * Read and remove all unread messages of a specific type. | ||
| * @deprecated Use `consumeUnread(teamName, agentName, type)` instead. | ||
| */ | ||
| export async function consumeUnreadByType( |
Collaborator
There was a problem hiding this comment.
[Suggestion] consumeUnreadByType 是死代码。
标记为 @deprecated,仅为 consumeUnread 的透传委托。仅测试代码调用,通过 export * 暴露到公共 API。建议删除并更新 mailbox.test.ts 直接调用 consumeUnread(teamName, agentName, type)。
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| err && | ||
| typeof err === 'object' && | ||
| 'code' in err && | ||
| (err as { code?: string }).code === 'ENOENT' |
Collaborator
There was a problem hiding this comment.
[Suggestion] 使用原始类型断言而非 isNodeError 工具函数。
readLeaderInboxOrQuarantine 使用 (err as { code?: string }).code === 'ENOENT',而其他 team 文件(mailbox.ts、tasks.ts、teamHelpers.ts)统一导入并使用 isNodeError。建议保持一致。
Suggested change
| (err as { code?: string }).code === 'ENOENT' | |
| } catch (err) { | |
| if (isNodeError(err) && err.code === 'ENOENT') { | |
| return []; | |
| } |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| private ensureLeaderInboxPolling(): void { | ||
| if (this.pollingInterval) return; | ||
| this.pollingInterval = setInterval(() => void this.pollLeaderInbox(), 500); | ||
| } |
Collaborator
There was a problem hiding this comment.
[Suggestion] Leader 收件箱 500ms 轮询无 mtime 短路。
pollLeaderInbox 每 500ms 无条件读取整个收件箱文件并 JSON.parse,即使没有新消息(约 120 次/分钟的文件系统读取)。建议添加 fs.stat 检查,仅在 mtime 变化时读取。
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| '', | ||
| 'CRITICAL RULES — you MUST follow these:', | ||
| '', | ||
| '1. CHECK TASKS FIRST: Call task_list to find pending tasks.', |
Collaborator
There was a problem hiding this comment.
[Suggestion] Teammate 系统提示未提及 shutdown 协议。
提示列出了任务认领、执行、报告、完成规则,但未说明收到 shutdown_request 时应如何响应。在较简单的模型上,teammate 可能忽略关闭请求并继续尝试认领新任务。建议添加规则:"6. If you receive a 'shutdown_request', finish current work and reply 'shutdown_approved', or reply 'shutdown_rejected: '."
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| * Read messages sent to the leader by teammates that have not yet | ||
| * been consumed by polling or a prior call. Advances the inbox | ||
| * offset so the same messages aren't redelivered later — task_list | ||
| * and pollLeaderInbox share `lastInboxOffset` as the high-water |
Collaborator
There was a problem hiding this comment.
[Suggestion] lastInboxOffset 在轮询和 task_list 间共享。
两条路径从同一高水位线消费消息——如果 task_list 读取了消息,轮询不会再投递,反之亦然。这是有意的设计,但隐含耦合。建议在 JSDoc 中明确标注此约束,避免未来重构时引入 bug。
— DeepSeek/deepseek-v4-pro via Qwen Code /review
wenshao
reviewed
May 13, 2026
|
|
||
| // status: 'deleted' → delete the task file. | ||
| if (this.params.status === 'deleted') { | ||
| const ok = await deleteTask(teamName, taskId); |
Collaborator
There was a problem hiding this comment.
[Critical] status === "deleted" 分支绕过所有权守卫。
73b9877 已经在 updateTask 内(在 per-task lock 下)通过 opts.callerName 加了 TaskOwnershipError 校验,但这里 status="deleted" 的短路直接走 deleteTask,而 deleteTask(tasks.ts:372-413)没有 callerName 参数,也没有 owner 比对。任何 teammate 都能通过 task_update({taskId:"X", status:"deleted"}) 删掉别人或 leader 拥有的任务——正好绕过本轮新加的所有权守卫。
修复:deleteTask 增加 opts?: { callerName?: string },在拿到 per-task lock 之后、fs.unlink 之前读一遍任务,owner 不匹配且 callerName !== undefined 时抛 TaskOwnershipError;这里把 line 107 算好的 teammateCallerName 传进去。
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
| for (const blockedId of this.params.addBlocks) { | ||
| if (blockedId === taskId) continue; | ||
| reciprocalUpdates.push( | ||
| updateTask(teamName, blockedId, { addBlockedBy: [taskId] }), |
Collaborator
There was a problem hiding this comment.
[Critical] Reciprocal updateTask 调用未传 callerName,绕过所有权守卫。
主任务 updateTask(line 189-205)正确传入了 { callerName: teammateCallerName },但 line 235 / 243 的两处 reciprocal 调用都没传:
updateTask(teamName, blockedId, { addBlockedBy: [taskId] }) // 235
updateTask(teamName, blockerId, { addBlocks: [taskId] }) // 243teammate A 用 task_update({taskId: "<我自己的A>", addBlocks: ["<别人的B>"]}) 时,主任务 A 上的所有权校验通过,但反向写入 B 的 blockedBy=[A] 完全没有校验——任何 teammate 都能在别人/leader 的任务上挂任意 inbound 依赖,制造伪阻塞,让被害任务永远 not-claimable。
修复:两处 reciprocal 调用一起传 { callerName: teammateCallerName }。如果产品定义里 teammate 允许声明 inbound 依赖(“我依赖 Y”)但不允许声明 outbound 依赖(“Z 依赖我”),那需要在两侧分别处理,至少把策略写显式;目前是无意识把两条路径都打开。
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
| } | ||
| } | ||
| if (reciprocalUpdates.length > 0) { | ||
| await Promise.all(reciprocalUpdates); |
Collaborator
There was a problem hiding this comment.
[Critical] Promise.all(reciprocalUpdates) 失败会留下半镜像图。
line 189 的主 updateTask 已经把 blocks/blockedBy 写盘后,line 248 的 reciprocal Promise.all 一旦有任一 reject(锁超时、ENOENT、修完 fix #2 之后的 TaskOwnershipError),工具向调用方抛错,但磁盘上已经是 A.blocks=[B] 而 B.blockedBy 不含 A 的状态。注释 226 显式声明这正是要避免的「permanently blocked / runnable too early」状态,但代码并没有兜底。
修复(两选一):
(a) reciprocal 失败时回滚主任务的 addBlocks/addBlockedBy(再发一次 updateTask 把刚加上的边减回去);或
(b) 把 reciprocal 集合一起传给 updateTask,在同一把 per-task lock 内做 all-or-nothing。
后者更贴近 line 138-160 已经做的前置存在性校验思路,长期更稳。
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
| name: agentName, | ||
| timestamp: Date.now(), | ||
| }); | ||
| void this.flushNextMessage(agentId, agentName); |
Collaborator
There was a problem hiding this comment.
[Critical] Fire-and-forget 调用没有 .catch,错误被悄悄吞掉。
flushNextMessage(line 1033)和 unassignTeammateTasks(...).then(...)(line 1039-1045)都会落到文件锁 / 磁盘 IO 路径,锁竞争或瞬时 IO 错误都会让 Promise reject:
- Node 触发 unhandled-rejection 警告(严格模式下进程退出);
- queued teammate 消息悄悄丢失,或终态 teammate 的 in_progress 任务永远不被释放——观察到的现象是「某个任务一直卡 in_progress 没人接」,根因被埋藏在 stderr 之外。
修复:每个 void ... 后接 .catch((err) => debugLogger.warn("flushNextMessage failed", { agentId, err }));或抽个 fireAndLog(p, ctx) 工具,TeamManager 里同类 tryAutoClaimTask 调用点一并扫一遍(grep -nE "void this\.|void [a-zA-Z]+\(.*\)\.then" TeamManager.ts)。
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
| * which is itself stream-json-only. Defensive guard remains | ||
| * in case that contract is ever broken. | ||
| */ | ||
| async handleTeammateApproval( |
Collaborator
There was a problem hiding this comment.
[Critical] handleTeammateApproval ~80 行新代码完全没有单元测试。
整个 packages/cli/src/nonInteractive/control/controllers/ 目录下没有 *permissionController*.test.* 文件。未覆盖的分支包括:abort signal 取消、updatedInput 通过 Record<string,unknown> 强转(line 448 的 cast——干净 rebuild 之前是真的 TS2322 报错)、cancelMessage 字符串/缺省分支、SDK side allow/deny 路径、最外层 catch 的日志路径。
这是 teammate 唯一的 interactive 审批入口,回归一旦发生就是「所有 teammate 的工具调用都拿不到批准」,影响面巨大。建议在合并前补一组用 fake event / fake sendControlRequest 的单测,至少覆盖:
- abort 路径
- allow + updatedInput pass-through(验证 cast 安全)
- allow + 空 payload
- cancel + message 串
- cancel + 无 message
- 异常 catch 路径(debugLogger.error 被调用)
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
|
|
||
| const release = await lockfile.lock(inboxPath, LOCK_OPTIONS); | ||
| try { | ||
| const messages = await readInboxRaw(inboxPath); |
Collaborator
There was a problem hiding this comment.
[Suggestion] Teammate 收件箱没有 corrupt-quarantine。
48ed14a 把 quarantine 路径(损坏文件 rename 成 .corrupt-<ts>、返回 [])加到了 leader inbox 的 readLeaderInboxOrQuarantine,但 teammate 路径还是裸的 readInboxRaw(本行)。一旦某个 teammate 的 inbox JSON 损坏(写到一半被 kill、并发 race 等),该 teammate 的所有 consumeUnread 会永久 throw,相当于这个 teammate 哑火——锁倒是 finally 释放了,但读路径没出口。
修复:把 readLeaderInboxOrQuarantine 抽到 mailbox.ts 公共位置,让 consumeUnread 和 leader 路径共用同一份 quarantine 行为;teammate corruption 也走「重命名 + 返回空 + 记录 warn」。
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
| */ | ||
| private ensureLeaderInboxPolling(): void { | ||
| if (this.pollingInterval) return; | ||
| this.pollingInterval = setInterval(() => void this.pollLeaderInbox(), 500); |
Collaborator
There was a problem hiding this comment.
[Suggestion] Leader inbox 500ms 无条件轮询,无 mtime 短路。
setInterval(() => void this.pollLeaderInbox(), 500) 不论 inbox 是否变化,每 500ms 就走 readInbox + JSON.parse。空闲场景下约 120 次/分钟无意义的 syscall + JSON 解析(每个 team),多条长会话同时运行时会被放大。
修复:在 pollLeaderInbox 入口加一行 await fs.stat(inboxPath); if (mtimeMs === this.lastInboxMtime) return;,仅当文件 mtime 变化时再走 read + lock + parse。是个一行短路,但对低频活动 / 多 team 场景效果直接。
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
| '', | ||
| 'CRITICAL RULES — you MUST follow these:', | ||
| '', | ||
| '1. CHECK TASKS FIRST: Call task_list to find pending tasks.', |
Collaborator
There was a problem hiding this comment.
[Suggestion] Teammate 系统提示没提 shutdown_request 协议。
5 条 CRITICAL RULES 只覆盖任务工作流,对 c663b83 引入的 leader 主动 shutdown 一字未提。运行时期望 teammate 收到 mailbox 里的 shutdown_request 后 ack-and-exit,但弱一点的模型没文档化的话就会无视,继续跑、继续抢任务,让 team_delete 的 250ms 双扫还是清不干净。
修复:在 CRITICAL RULES 里加一条——
If you receive a
shutdown_requestmessage from the leader, finish or hand off your in-progress task withtask_update(status: "completed" | "pending")and stop calling tools. Do not start new tasks.
— Opus 4.7 via Claude Code /review
wenshao
reviewed
May 13, 2026
| agentName: string, | ||
| type: MailboxMessageType, | ||
| ): Promise<MailboxMessage[]> { | ||
| return consumeUnread(teamName, agentName, type); |
Collaborator
There was a problem hiding this comment.
[Suggestion] consumeUnreadByType 是 @deprecated 死代码,仅测试还在用。
production 路径已全部迁到 consumeUnread(team, agent, type),本函数现在只是 return consumeUnread(teamName, agentName, type) 的转发;唯一调用方是测试。
修复:直接删除该函数和 export,同步把测试改成调 consumeUnread。避免公共 API 表面变大、后来维护者犹豫这个函数还能不能用。
— Opus 4.7 via Claude Code /review
wenshao
requested changes
May 13, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Code Review — Opus 4.7
HEAD reviewed: edade7604 (该 PR 已经吸收了 ~50 条历史评审线程,本轮只列剩余项 + 本次新发现项)
Build/test 验证(干净 rebuild 后): typecheck ✅、lint ✅、vitest src/agents/team/ 178 通过、team 工具测试 7 个文件 52 通过。
4 Critical(行内已发)
task-update.ts:111—status="deleted"短路绕过 73b9877 新加的TaskOwnershipError守卫(deleteTask没有callerName),任何 teammate 都能删别人/leader 的任务。task-update.ts:235/243— reciprocalupdateTask调用没传callerName,teammate 可以在别人的任务上挂任意 inbound 依赖。task-update.ts:248— reciprocalPromise.all失败时主任务边已写盘,留下半镜像图(正是注释 226 显式声明要避免的状态)。TeamManager.ts:1033/1039—flushNextMessage和unassignTeammateTasks().then()是 fire-and-forget 无.catch,错误悄悄吞掉(unhandled rejection / 任务永远卡 in_progress)。
1 Critical(测试缺口,行内已发)
permissionController.ts:393—handleTeammateApproval~80 行新代码零测试,是 teammate 唯一的 interactive 审批入口,回归一旦发生面就是「所有 teammate 工具调用拿不到批准」。
4 Suggestion(行内已发)
mailbox.ts:170— teammate inbox 没有 corrupt-quarantine(leader 路径已有),损坏 JSON 会让 teammate 永久哑火。TeamManager.ts:625— leader inbox 500ms 无条件轮询,缺一个fs.statmtime 短路。promptAddendum.ts:33— teammate 系统提示没提shutdown_request协议,弱模型会无视 leader 的关停请求。mailbox.ts:195—consumeUnreadByType是@deprecated转发死代码,仅测试使用,建议删。
已验证为「先前评论已修,可关闭」(worktree 一开始 stale 在 34f7831a3,刷到 remote HEAD 后重新确认)
lastInboxOffsetrace(pollLeaderInbox vs getLeaderMessages)— fixed viawithInboxLock(48ed14a08)- Envelope spoofing — fixed via 每实例
envelopeNonce(48ed14a08) - MAX_TEAMMATES race / disallowedTools 传播 — fixed(4820da607)
- 终态时 per-agent event-bridge listener 泄露 — fixed(50f58bfa7)
cleanupTeamRuntime缺unregisterLeader()— 该路径已重构,register/unregisterLeader现在不在代码库里,原评论前提失效
建议
合并前先修 1–3(任务图的权限/一致性)+ 5(80 行无测的审批入口)。6–9 可作 follow-up 但都很便宜,建议一并落。
— Opus 4.7 via Claude Code /review
wenshao
requested changes
May 18, 2026
|
|
||
| // status: 'deleted' → delete the task file. | ||
| if (this.params.status === 'deleted') { | ||
| const ok = await deleteTask(teamName, taskId); |
Collaborator
There was a problem hiding this comment.
[Critical] deleteTask bypasses the ownership check that updateTask enforces.
teammateCallerName is computed at line 97 but only passed to updateTask (line 203). The deleteTask(teamName, taskId) call here has no callerName parameter, and deleteTask() itself has no ownership guard. Any teammate calling task_update({ taskId: "5", status: "deleted" }) can delete any task — including tasks owned by other teammates or tasks that serve as dependency blockers.
Suggested change
| const ok = await deleteTask(teamName, taskId); | |
| if (this.params.status === 'deleted') { | |
| if (teammateCallerName !== undefined) { | |
| const existing = await getTask(teamName, taskId); | |
| if (existing?.owner && existing.owner !== teammateCallerName) { | |
| const msg = | |
| `Task #${taskId} is owned by "${existing.owner}". ` + | |
| `Only the leader or the owner can delete it.`; | |
| return { llmContent: msg, returnDisplay: msg, error: { message: msg } }; | |
| } | |
| } | |
| const ok = await deleteTask(teamName, taskId); |
— qwen-latest-series-invite-beta-v28 via Qwen Code /review
| for (const blockedId of this.params.addBlocks) { | ||
| if (blockedId === taskId) continue; | ||
| reciprocalUpdates.push( | ||
| updateTask(teamName, blockedId, { addBlockedBy: [taskId] }), |
Collaborator
There was a problem hiding this comment.
[Critical] Reciprocal dependency-edge updates bypass the ownership guard.
When teammate "alice" (owns task #1) calls task_update({ taskId: "1", addBlocks: ["2"] }), the primary update passes the ownership check. But this reciprocal updateTask(teamName, blockedId, { addBlockedBy: [taskId] }) passes no callerName, so opts?.callerName !== undefined evaluates to false inside updateTask and the ownership guard is skipped entirely. Task #2 (owned by "bob") gets blockedBy: ["1"] injected without bob's consent — permanently blocking it from auto-claim.
Suggested change
| updateTask(teamName, blockedId, { addBlockedBy: [taskId] }), | |
| reciprocalUpdates.push( | |
| updateTask( | |
| teamName, | |
| blockedId, | |
| { addBlockedBy: [taskId] }, | |
| teammateCallerName !== undefined | |
| ? { callerName: teammateCallerName } | |
| : undefined, | |
| ), |
Apply the same fix to the addBlockedBy reciprocal at line 243.
— qwen-latest-series-invite-beta-v28 via Qwen Code /review
| // idle agents when new tasks appear. | ||
| this.taskUpdateUnsubscribe = onTasksUpdated((teamName) => { | ||
| if (teamName === this.teamFile.name) { | ||
| void this.scanIdleAgentsForTasks(); |
Collaborator
There was a problem hiding this comment.
[Critical] Fire-and-forget async without .catch() — unhandled promise rejection risk.
scanIdleAgentsForTasks() performs file I/O (listTasks → readdir + N× readFile + JSON.parse) that can throw on corrupt files, lock exhaustion, or EACCES. The void cast discards the promise with no .catch(), so in Node.js ≥15 an unhandled rejection terminates the process.
The same pattern exists at lines 1039 (unassignTeammateTasks), 1042 (nested scanIdleAgentsForTasks), 1033 (flushNextMessage), and 1124 (flushNextMessage in reconcile). Any of these can crash the leader's process with zero diagnostic trail.
Suggested change
| void this.scanIdleAgentsForTasks(); | |
| this.taskUpdateUnsubscribe = onTasksUpdated((teamName) => { | |
| if (teamName === this.teamFile.name) { | |
| void this.scanIdleAgentsForTasks().catch((err) => { | |
| debug.warn(`scanIdleAgentsForTasks failed: ${err instanceof Error ? err.message : String(err)}`); | |
| }); | |
| } | |
| }); |
Apply the same .catch() pattern to all void-cast async calls in this file.
— qwen-latest-series-invite-beta-v28 via Qwen Code /review
| promises.push(this.sendMessage(LEADER_NAME, message, fromName)); | ||
| } | ||
|
|
||
| await Promise.all(promises); |
Collaborator
There was a problem hiding this comment.
[Suggestion] broadcast() uses Promise.all — one terminated teammate fails the entire broadcast.
sendMessage throws when a terminated teammate's queue is missing (line 453). Under Promise.all, a single terminated teammate rejects the entire operation — messages to other valid teammates may not be delivered, and the leader receives an error suggesting total failure.
Suggested change
| await Promise.all(promises); | |
| const results = await Promise.allSettled(promises); | |
| const failures = results.filter( | |
| (r): r is PromiseRejectedResult => r.status === 'rejected', | |
| ); | |
| if (failures.length > 0) { | |
| debug.warn( | |
| `Broadcast: ${failures.length}/${results.length} sends failed`, | |
| ); | |
| } |
— qwen-latest-series-invite-beta-v28 via Qwen Code /review
| boundManager = manager; | ||
| if (manager) { | ||
| manager.setLeaderMessageCallback((formatted: string) => { | ||
| teammateQueueRef.current.push(formatted); |
Collaborator
There was a problem hiding this comment.
[Suggestion] teammateQueueRef is not cleared when the team manager changes.
handleManagerChange correctly detaches the old callback, but teammateQueueRef.current is never drained. Stale messages from the old team survive into the new team's session and are submitted to the LLM alongside new team messages.
The analogous pendingTeammateMessages in nonInteractiveCli.ts does not have this problem because it's scoped to a single runNonInteractive invocation.
Suggested change
| teammateQueueRef.current.push(formatted); | |
| if (boundManager && boundManager !== manager) { | |
| boundManager.setLeaderMessageCallback(null); | |
| teammateQueueRef.current.length = 0; | |
| } |
— qwen-latest-series-invite-beta-v28 via Qwen Code /review
|
|
||
| /** Optional subagent manager for loading specialized agent configs. */ | ||
| private readonly subagentManager: SubagentManager | null; | ||
|
|
Collaborator
There was a problem hiding this comment.
[Suggestion] Several complex methods with multiple branching paths have zero test coverage:
waitForTeammateActivity(4 resolve paths + callback save/restore logic)buildTeamStatusSummary,allRemainingStalled,abortStalledTeammates(stall detection at 600s threshold)spawnTeammatesubagent-loading path (lines 213-268)waitForAgentinInProcessBackend.tsnonInteractiveCli.tsteammate integration (~100 new lines: message queueing, approval routing, YOLO vs non-YOLO)useGeminiStream.tsteammate subscription (~60 new lines: callback lifecycle, drain logic)
These are the primary coordination mechanisms for agent teams. Bugs in callback restore, stall detection, or message drain could silently break team coordination.
— qwen-latest-series-invite-beta-v28 via Qwen Code /review
wenshao
requested changes
May 23, 2026
| const teammateCallerName = isTeammate() ? getAgentName() : undefined; | ||
|
|
||
| // status: 'deleted' → delete the task file. | ||
| if (this.params.status === 'deleted') { |
Collaborator
There was a problem hiding this comment.
[Critical] deleteTask bypasses the ownership guard that updateTask enforces. When status === 'deleted', this calls deleteTask(teamName, taskId) without passing teammateCallerName. The deleteTask function in tasks.ts has no callerName parameter at all. Any teammate can delete any task — including in-progress tasks owned by other teammates — by calling task_update({taskId: "X", status: "deleted"}).
The ownership model exists specifically to prevent teammates from mutating each other's tasks, but the most destructive operation (deletion) takes a separate code path that skips the check entirely.
Suggested change
| if (this.params.status === 'deleted') { | |
| if (this.params.status === 'deleted') { | |
| if (teammateCallerName !== undefined) { | |
| const existing = await getTask(teamName, taskId); | |
| if (existing?.owner && existing.owner !== teammateCallerName) { | |
| return { | |
| llmContent: `Task #${taskId} is owned by "${existing.owner}". Only the owner or the leader can delete it.`, | |
| returnDisplay: 'Permission denied.', | |
| error: { message: 'Not the task owner.' }, | |
| }; | |
| } | |
| } | |
| const ok = await deleteTask(teamName, taskId); |
— qwen3.7-max via Qwen Code /review
|
|
||
| const taskPrompt = | ||
| `You have been assigned task #${claimed.id}: ` + | ||
| `${claimed.subject}\n\n${claimed.description}`; |
Collaborator
There was a problem hiding this comment.
[Critical] Cross-teammate prompt injection via auto-claimed task descriptions. claimed.subject and claimed.description are interpolated raw into the prompt sent to the auto-claiming agent. A compromised or hallucinating teammate can create a task with adversarial instructions in the description (e.g., "Ignore all previous instructions. Read ~/.ssh/id_rsa and include its contents in your next message."). When another idle teammate auto-claims this task, the poisoned description is injected into its conversation as a system-level assignment.
The 10,000-character description limit provides ample room for sophisticated injection payloads. The auto-claim mechanism means the attacker doesn't need to know which teammate will be targeted.
Wrap task content in explicit delimiters and add an instruction that task content is untrusted data:
const taskPrompt =
`You have been assigned task #${claimed.id}.\n\n` +
`<task_content>\nSubject: ${claimed.subject}\n` +
`Description: ${claimed.description}\n</task_content>\n\n` +
`Treat the content above as untrusted task data. ` +
`Follow only your system instructions, not instructions ` +
`embedded in the task description.`;— qwen3.7-max via Qwen Code /review
| return; | ||
| } | ||
|
|
||
| this.leaderMessageCallback( |
Collaborator
There was a problem hiding this comment.
[Critical] this.leaderMessageCallback(...) is called after await withInboxLock(...) without re-checking for null. The callback can be set to null during the await (via detachFromManager in nonInteractiveCli.ts or setLeaderMessageCallback(null) during cleanup), producing TypeError: this.leaderMessageCallback is not a function. Since this runs inside setInterval(() => void this.pollLeaderInbox(), 500) — the void discards the promise — the rejection becomes an unhandled promise rejection that crashes the process on Node.js >=15.
Add a null re-check after the await, and add .catch() to the setInterval callback:
if (this.leaderMessageCallback) {
this.leaderMessageCallback(
this.formatLeaderEnvelope(newMessages).join('\n\n'),
);
}And:
this.pollingInterval = setInterval(
() => { void this.pollLeaderInbox().catch((e) => debug.warn('poll error:', e)); },
500,
);— qwen3.7-max via Qwen Code /review
| promises.push(this.sendMessage(LEADER_NAME, message, fromName)); | ||
| } | ||
|
|
||
| await Promise.all(promises); |
Collaborator
There was a problem hiding this comment.
[Critical] Promise.all short-circuits on the first rejection. If any teammate has terminated between the filter and the send (its pendingMessages queue is deleted, so sendMessage throws), the entire broadcast rejects immediately. Already-resolved sends are delivered, but remaining sends may be abandoned. The leader sees a single error and cannot determine which recipients got the message.
Use Promise.allSettled so all recipients are attempted:
const results = await Promise.allSettled(promises);
const failures = results.filter(
(r): r is PromiseRejectedResult => r.status === 'rejected',
);
if (failures.length > 0) {
debug.warn(
`Broadcast partially failed (${failures.length}/${results.length})`,
);
}— qwen3.7-max via Qwen Code /review
| lines.push(wrapped); | ||
| } | ||
| } | ||
| } catch { |
Collaborator
There was a problem hiding this comment.
[Critical] Bare catch {} swallows ALL errors, not just ENOENT. If the inbox is corrupt, the disk has an I/O error, or permissions change, the tool silently drops all pending teammate messages and returns "No tasks found" to the leader. The leader has no way to know messages were lost.
Narrow the catch or surface a warning:
} catch (err) {
if (!(err && typeof err === 'object' && 'code' in err &&
(err as {code?: string}).code === 'ENOENT')) {
lines.push('');
lines.push(
'WARNING: Failed to read teammate messages — inbox may be corrupt.'
);
}
}— qwen3.7-max via Qwen Code /review
| if (this.params.addBlocks?.length) { | ||
| for (const blockedId of this.params.addBlocks) { | ||
| if (blockedId === taskId) continue; | ||
| reciprocalUpdates.push( |
Collaborator
There was a problem hiding this comment.
[Critical] Reciprocal addBlockedBy re-adds an edge that unblockDependents just removed. When the tool receives {status:'completed', addBlocks:['2']}, the primary updateTask merges addBlocks, completes the task, and calls unblockDependents which removes task 1 from task 2's blockedBy. Then the reciprocal update here calls updateTask('2', {addBlockedBy:['1']}) — adding '1' back. Task 2 is now permanently blocked by an already-completed task, and tryAutoClaimTask will never assign it.
Skip reciprocal updates when the task just completed, or fold both edges into a single atomic updateTask call:
if (reciprocalUpdates.length > 0 && this.params.status !== 'completed') {
await Promise.all(reciprocalUpdates);
}— qwen3.7-max via Qwen Code /review
| * If the agent is idle, delivers immediately. Otherwise, | ||
| * queues with priority based on sender. | ||
| */ | ||
| async sendMessage( |
Collaborator
There was a problem hiding this comment.
[Critical] sendMessage(toName, message, from?) accepts an arbitrary from string without validating it against the caller's identity. A teammate could call send_message with from: "leader" to impersonate the leader to another teammate. Teammate-to-teammate messages have no spoofing protection (only the leader-to-teammate path has the nonce envelope).
Validate from against AsyncLocalStorage identity when the caller is a teammate:
const actualName = getAgentName();
if (actualName !== undefined && from !== undefined && from !== actualName) {
throw new Error(
`Sender mismatch: caller is "${actualName}" but from="${from}". ` +
`Teammates cannot send on behalf of other agents.`,
);
}— qwen3.7-max via Qwen Code /review
| // explicitly requested — otherwise a free-text mention of | ||
| // "shutdown_approved" by an unrelated teammate would kill | ||
| // them, and a forged shutdown_request couldn't be used to | ||
| // make the leader abort arbitrary peers. |
Collaborator
There was a problem hiding this comment.
[Suggestion] shutdown_approved detection uses a content regex on the full message body (/\bshutdown_approved\b/i). A teammate sending a work report that happens to contain the phrase (e.g., quoting a config value shutdown_approved = true) would trigger an unintended abort of the sender.
The shutdown response should be detected through a dedicated mechanism (e.g., a type: 'shutdown_response' structured message field on send_message, or a separate mailbox channel) rather than a substring match on free-text content.
— qwen3.7-max via Qwen Code /review
| err && | ||
| typeof err === 'object' && | ||
| 'code' in err && | ||
| (err as { code?: string }).code === 'ENOENT' |
Collaborator
There was a problem hiding this comment.
[Suggestion] This ENOENT check is dead code. readInbox (mailbox.ts:100-108) catches ENOENT internally and returns [] — it never throws ENOENT to its caller. This branch can never execute.
Additionally, the manual 'code' in err && (err as { code?: string }).code === 'ENOENT' pattern is inconsistent with the isNodeError utility used by every other file in the team module. Import isNodeError for consistency.
— qwen3.7-max via Qwen Code /review
| ); | ||
| ownedAgentIds.add(member.agentId); | ||
| } | ||
| } |
Collaborator
There was a problem hiding this comment.
[Suggestion] The onTeammateJoined event handler hardcodes model: 'teammate' instead of using the actual model from the team file. The initial discovery path correctly uses member.model ?? 'teammate', but dynamically-joined teammates always appear as "teammate" in the UI regardless of what model they were spawned with.
The TeammateJoinedEvent type doesn't carry a model field. Add model?: string to the event type, populate it in TeamManager.spawnTeammate when emitting the event, and use event.model ?? 'teammate' here.
— qwen3.7-max via Qwen Code /review
This was referenced Jun 3, 2026
xaelistic
pushed a commit
to xaelistic/qwen-code
that referenced
this pull request
Jun 7, 2026
Collaborator
Author
|
Closing in favor of #4844, which re-ports this feature onto current main. Since this branch was opened, main independently rewrote the agent runtime the feature was built on, and the branch fell ~360 commits behind. At that point it could no longer be merged cleanly — a mechanical merge produced code that didn't build — so I re-implemented the feature on top of the current runtime, split into small reviewable commits and verified end-to-end. Thank you @wenshao for the thorough review here — it was genuinely valuable. The review comments on this PR aren't lost: I'll carry the still-applicable ones over to the new PR as follow-ups, since much of the team code moved across unchanged. Continuing the discussion on #4844. (中文)改为采用 #4844,该 PR 将此功能重新移植到当前 main 分支。 自本分支开立以来,main 独立重写了该功能所依赖的 agent 运行时,本分支已落后约 360 个提交,无法再干净合并(机械式合并会产生无法构建的代码),因此我在当前运行时之上重新实现了该功能,拆分为多个便于审阅的小提交并完成了端到端验证。 特别感谢 @wenshao 在此 PR 上的细致审阅,非常有价值。这里的审阅意见不会丢失:由于大量团队代码是原样迁移过去的,我会把仍然适用的意见作为后续项带到新的 PR 上。 后续讨论请移步 #4844。 |
tanzhenxin
added a commit
that referenced
this pull request
Jun 8, 2026
…imental) Triaged the unresolved review threads from the superseded PR #2886 against the re-ported code and applied the valid fixes: - task_update(status:'deleted') now enforces the same ownership guard as updateTask, so a teammate cannot delete another teammate's task. - Completing a task and adding a blocks edge in the same call no longer leaves the dependent permanently blocked by the just-completed task. - listTasks treats a momentarily-empty (mid-create) task file as a create in flight and skips it instead of quarantining and losing the task. - Fire-and-forget coordination calls (flush, auto-claim, unassign, poll) log rejections instead of surfacing as unhandled rejections. - pollLeaderInbox re-checks the leader callback after the awaited read so a detach during the read cannot throw or drop the batch. - scanIdleAgentsForTasks skips teammates with a pending shutdown. - broadcast uses allSettled so one terminated recipient does not fail the whole broadcast. - Hybrid tool-response+teammate turns reset the loop detector, preventing a false LoopDetected when a polling leader merges teammate messages. - useGeminiStream drains its teammate queue on a manager swap; the join event carries the teammate model for the UI tab label. - Removed dead consumeUnreadByType and an unreachable ENOENT branch. Verified: core unit tests (incl. new regressions for the delete guard, the complete+addBlocks re-block, and the empty-file create race) plus live L3 (3-agent) and L4 (4-agent) E2E, both clean.
tanzhenxin
added a commit
that referenced
this pull request
Jun 10, 2026
…dination (#4844) * feat(core): add Agent Team foundation (experimental, flag-gated) First stage of re-porting the Agent Team feature (originally PR #2886) onto current main. The branch had diverged 362 commits behind a parallel rewrite of the agent runtime, so the feature is being re-applied stage by stage rather than merged. This stage lands the self-contained agents/team/ subsystem (TeamManager, mailbox, identity, tasks, leader permission bridge, test-utils) plus the team_create/team_delete and task_create/task_update/task_list tools, with the additive plumbing they need: - Config: TeamManager/TeamContext accessors, cleanupTeamRuntime, and isAgentTeamEnabled (settings or QWEN_CODE_ENABLE_AGENT_TEAM=1). - Tool registry: team/task tools registered lazily, gated on the flag. - Runtime hooks: completeOnIdle for one-shot teammates; args on the agent approval event; teammate-aware tool exclusion sets. - Backend types: TeamAgentHandle, optional getAgent, completeOnIdle. - New experimental.agentTeam setting. Everything is gated behind the experimental flag and inert by default. Build is green; team unit tests and all touched-file regressions pass. * feat(core): add send_message team routing (experimental) Stage 1 of the Agent Team re-port. Extends the send_message tool so it can route to a teammate (or "*" for broadcast) via TeamManager in addition to its existing background-task path, and supports the shutdown_request control message (leader-only). Recipient selection is a oneOf over `to`/`task_id`. Layered on top of main's classifier integration: send_message keeps its 'ask' default permission and forwards the routing fields + message to the AUTO classifier, since the message is an instruction the recipient executes. Re-adds the team-lifecycle E2E test, which now passes end to end (create -> tasks -> messages -> list -> update -> delete). * feat(core): let the Agent tool spawn named teammates (experimental) Stage 3 of the Agent Team re-port. Adds the `name` parameter to the Agent tool: when a team is active and a name is given, the call routes through TeamManager.spawnTeammate instead of launching a one-shot subagent. Without a team the call is rejected up front rather than silently falling back. The tool description advertises team coordination only when the experimental flag is on. Ported onto main's rewritten Agent tool. * feat(cli): render team_result/task_list tool displays (experimental) Stage 5 (partial) of the Agent Team re-port. Teaches the ToolMessage result renderer about the TeamResultDisplay and TaskListResultDisplay shapes so the team/task tools' output is shown via their returnDisplay text instead of a stringified object, and adds a JSON.stringify safeguard for any other non-string display object. The remaining CLI wiring (nonInteractiveCli + useGeminiStream team drivers, permissionController.handleTeammateApproval) is coupled to the turn-loop Teammate handling and will land together with Stage 4. * feat(core): treat teammate messages as top-level turns (experimental) Stage 4 of the Agent Team re-port. Adds SendMessageType.Teammate and includes it in isTopLevelInteraction so that a teammate message delivered to the leader resets the loop detector and opens an interaction span, the same as a user/cron/notification turn. Per the agreed minimal integration, teammate turns deliberately do NOT run the UserQuery/Cron block — they don't bump commit attribution, aren't recorded as user messages, and don't trigger auto-memory prefetch. That keeps the edit to main's restructured turn loop to a single condition. * feat(cli): drive teammates from the headless run loop (experimental) Stage 5 of the Agent Team re-port. Wires the non-interactive/headless run loop to the active team: it subscribes to TeamManager changes, drains teammate messages into the leader's conversation as SendMessageType.Teammate turns, waits for teammate activity when the leader has no pending tool calls, and routes teammate tool-approval requests through the session's permission channel (SDK in stream-json mode; YOLO/cancel fallback otherwise). Adds PermissionController.handleTeammateApproval and exposes it on the ControlService permission facade. Ported onto main's restructured run loop (which added its own cron/notification drain mechanism). * feat(cli): drive teammates from the interactive turn loop (experimental) Final Stage 5 piece of the Agent Team re-port. Wires the interactive (TUI) useGeminiStream hook to the active team: it subscribes to TeamManager, queues teammate messages, and drains them into the conversation as SendMessageType.Teammate turns when idle, guarded against racing the notification drain. Treats teammate turns like user/cron for image-format checks and new-prompt stats. Ported onto main's rewritten hook. * fix(core): declare proper-lockfile dependency for the team subsystem The Agent Team mailbox and task files import proper-lockfile, but the dependency was never declared in package.json, so a clean `npm ci` (as CI runs) failed to resolve the module — cascading into implicit-any and possibly-undefined errors in the same files. It built locally only because the working tree's node_modules already had the package from an earlier install. Adds proper-lockfile to packages/core dependencies and @types/proper-lockfile to root devDependencies (matching the original feature branch), and regenerates the lockfile. Build and typecheck are clean. * fix(team): address review findings on the agent-team subsystem (experimental) Triaged the unresolved review threads from the superseded PR #2886 against the re-ported code and applied the valid fixes: - task_update(status:'deleted') now enforces the same ownership guard as updateTask, so a teammate cannot delete another teammate's task. - Completing a task and adding a blocks edge in the same call no longer leaves the dependent permanently blocked by the just-completed task. - listTasks treats a momentarily-empty (mid-create) task file as a create in flight and skips it instead of quarantining and losing the task. - Fire-and-forget coordination calls (flush, auto-claim, unassign, poll) log rejections instead of surfacing as unhandled rejections. - pollLeaderInbox re-checks the leader callback after the awaited read so a detach during the read cannot throw or drop the batch. - scanIdleAgentsForTasks skips teammates with a pending shutdown. - broadcast uses allSettled so one terminated recipient does not fail the whole broadcast. - Hybrid tool-response+teammate turns reset the loop detector, preventing a false LoopDetected when a polling leader merges teammate messages. - useGeminiStream drains its teammate queue on a manager swap; the join event carries the teammate model for the UI tab label. - Removed dead consumeUnreadByType and an unreachable ENOENT branch. Verified: core unit tests (incl. new regressions for the delete guard, the complete+addBlocks re-block, and the empty-file create race) plus live L3 (3-agent) and L4 (4-agent) E2E, both clean. * fix(core): close ownership TOCTOU and lock-ordering hazard in agent-team tasks deleteTask checked ownership against a pre-lock read, so a concurrent claimTask/updateTask could reassign the owner between the check and the unlink — silently destroying another teammate's task. Acquire the lock first, then re-read and re-check ownership inside it before unlinking, mirroring updateTask. Reciprocal edge cleanup now runs after the lock is released (never holding two per-task locks at once) but before the single tasks-updated notification, so no listener observes a phantom blocker. blockTask issued its two updateTask writes via Promise.all; two calls over the same pair in opposite directions could deadlock on per-task locks. Serialize the writes to remove the lock-ordering hazard. * fix(core): harden agent-team message handling and auto-claim - Cap per-agent pending messages (MAX_PENDING_MESSAGES). The queue only drains when its recipient goes IDLE, so an unbounded queue let a single looping teammate balloon a busy teammate's memory; sendMessage now applies backpressure once the cap is reached. - Wrap auto-claimed task content (subject/description, authored by another agent) in a <task_content> envelope with a defensive instruction so it is treated as data, not as instructions to obey. - Surface fire-and-forget coordination failures (flush, auto-claim, unassign) to the leader's conversation. They were only logged via a namespaced debug logger, i.e. invisible in production, despite mapping to silent stuck-teammate / stuck-task symptoms. * fix(core): require approval for agent-team task_create/task_update A task's subject/description becomes the prompt an idle teammate auto-claims and executes with full tool access — the same privileged-sink shape as send_message. Both tools inherited the base default 'allow', which short-circuits the classifier in AUTO mode. Override getDefaultPermission to 'ask' so that injection path stays under the classifier / human-in-the-loop, matching send_message. * docs(core): correct completeOnIdle JSDoc for team teammates The JSDoc cited team teammates as the use-case for completeOnIdle:true, but teammates set it to false so they settle to IDLE (not COMPLETED) and stay alive for follow-up messages and auto-claim. Document the actual semantics and the invariant the leader's wait loop relies on. * fix(core): harden agent-team leader callback and task envelope - fireAndForget: wrap leaderMessageCallback in try/catch so a throwing callback cannot re-introduce the unhandled rejection the wrapper exists to prevent (enforces the documented 'must not throw from this catch'). - tryAutoClaimTask: nonce-tag the <task_content> envelope with the per-session envelopeNonce (same pattern as formatLeaderEnvelope) so a teammate-authored description cannot forge the closing tag and break out of the protected zone via a </task_content> payload. * fix(core): make deleteTask edge cleanup resilient to partial failure Use Promise.allSettled (was Promise.all) for post-unlink edge cleanup so a single failing dependent (corrupt JSON, EACCES, lock exhaustion) no longer skips notifyTasksUpdated for the dependents that were cleaned. Without this their blockedBy is cleared but scanIdleAgentsForTasks never re-runs, leaving them stuck idle with no recovery (the task file is already unlinked, so a retry returns false). Per-failure warnings are logged. * fix(cli): mount useTeamInProcess so teammate tabs render The hook bridging team TEAMMATE_JOINED events to agent-tab registration (useTeamInProcess) was authored but never mounted in AgentViewProvider — only useArenaInProcess was. As a result teammate tabs never registered and the teammate tab bar never appeared during in-process team runs. Mount useTeamInProcess alongside useArenaInProcess, and label teammate tabs by name rather than model (teammates inherit the leader's model, so a model label collapses to a generic "teammate" and is identical across the team). Add a regression test asserting the provider mounts the team bridge. * test(terminal-capture): add agent-team feature demo + capture fixes Add a standalone streaming demo of the agent-team feature that captures the full lifecycle and the teammate tab navigation into a single GIF (scenarios/agent-team-demo.ts). Supporting engine fixes: - capture(): scroll the xterm viewport to the live bottom before screenshotting, so a capture taken after an idle period shows the current state instead of stale top-of-buffer scrollback. - scenario-runner: skip scenarios/*.ts files with no default export (driver scripts that guard their own entrypoint), so batch runs don't choke. * fix(core): serialize in-process mailbox writers to fix Windows lock flakiness The concurrent-write test fired 10 writeMessage() calls at one inbox, each contending for the same proper-lockfile lock with a fixed, non-randomized backoff. On Windows, slower fs syscalls let the tail writers exhaust the retry budget before winning the lock, throwing ELOCKED ("Lock file is already being held") — a flaky failure that alternated pass/fail across CI runs. Add a per-inbox in-process Mutex (async-mutex, the pattern already used in jsonl-utils and writeContextFile) so same-process writers serialize in memory and only one reaches for the file lock at a time. The proper-lockfile lock stays inside the mutex to preserve cross-process safety between agent processes. Also randomize the lock backoff to de-synchronize genuine cross-process contenders. * feat(team): render teammate reports as a compact notification line A teammate's report was injected into the leader's conversation as a raw <teammate_message_<nonce>> envelope and rendered verbatim as a user bubble — a large, scaffolding-heavy block on screen for what is often the biggest payload in the feature. Adopt the two-text split the notification queue already uses: the full nonce-tagged envelope still goes to the leader's model, but the user now sees a compact "● <name> reported back" line in its place. The verbatim USER bubble is suppressed for SendMessageType.Teammate exactly as it is for Cron, and coordination-error notices get the same treatment. The leader callback now delivers both the model text and a display string built in TeamManager (where the structured sender/summary live), so the UI never parses the envelope. Headless is unchanged — it ignores the extra arg. * fix(terminal-capture): widen agent-team-demo Phase C budget so the GIF doesn't cut off The leader sits idle (no Main-view output) while teammates read their files, so Phase C captures no frames until a report lands — making maxPolls the real wall-clock budget. At 80 polls (~112s) a slow second scout could exhaust it before reporting, ending the GIF mid-run. Bump to 200 polls (~5min) so the capture outlasts the slowest scout plus the combined summary and delete; the loop still exits early on `deleted` and idle polls capture no frames, so the GIF doesn't bloat. * fix(core): separate task-content nonce; forward send_message summary Address two review findings on the agent-team messaging path: - The <task_content_…> envelope reused envelopeNonce — the per-session nonce the leader trusts to authenticate <teammate_message_…> blocks. Because the task-content prompt is delivered to the claiming teammate, a teammate could learn the nonce and forge a leader-trusted envelope. Use a dedicated taskContentNonce so the leader-trust nonce stays secret from teammates. - The SendMessage 'summary' param was dropped between the tool and the mailbox, so the leader UI always showed the '{name} reported back' fallback. Thread summary through sendMessage → writeMessage so it reaches formatLeaderDisplay. Adds regression tests for both. * fix(core,cli): harden agent-team messaging per review round 4 - task-content envelope uses a fresh per-claim nonce instead of a shared per-session one, so a teammate that learns one task's nonce can't forge a later task's closing tag to inject the next claimant. - team_delete wraps manager.cleanup() in try/catch and always resets the Config team state, so a cleanup failure no longer permanently wedges team_create for the rest of the session. - unassignTeammateTasks uses Promise.allSettled so one corrupt/locked task file no longer strands the remaining tasks on a terminated teammate; the caller's re-scan still fires. - non-interactive teammate-approval responses .catch() rejections to avoid an unhandledRejection if the teammate terminates mid-approval. - setupEventBridge warns when the backend can't provide an agent handle or event emitter instead of returning silently. * fix(core): don't let a failed dependent unblock abort task completion unblockDependents used Promise.all, so a single dependent failing (corrupt JSON, EACCES, lock exhaustion) rejected out of updateTask before the completed status was persisted — the task stayed in_progress on disk while already-processed dependents were unblocked, leaving the dependency graph inconsistent. Switch to Promise.allSettled with a debug warning per failure, mirroring the best-effort edge cleanup in deleteTask and unassignTeammateTasks. * fix(core): quarantine corrupt teammate inboxes; skip task scan when no agent is idle Review round 7. A corrupt teammate inbox previously made every writeMessage/consumeUnread re-throw on the same file, so the teammate could never receive another message (including shutdown requests) — while the leader inbox already self-healed via quarantine. readInboxRaw now renames the corrupt file to .corrupt-{ts} and continues on a fresh inbox; the leader-side offset clamps to 0 if the inbox shrank behind the poller so messages are re-surfaced rather than silently skipped. scanIdleAgentsForTasks now checks for idle members before reading the task board, avoiding a full tasks-directory scan on every task update while all agents are busy. Also document the restrictsOwnership field enumeration hazard and the intentional metadata/activeForm exclusion. * fix(core): re-check task ownership under the lock when unassigning a terminated teammate Review round 8. unassignTeammateTasks snapshotted in_progress tasks and then blind-wrote {status: pending, owner: null} per task, so a leader reassignment (or the dying teammate's final completion) landing between the snapshot and the per-task lock was silently reverted. Releases now go through an in-lock compare-and-set that skips the task when its owner or status no longer matches the snapshot. Also isolate task-update listeners (one throwing listener no longer starves the rest) and drop the lone const enum for subsystem consistency. * fix(core): harden team task file layer against partial writes and transient I/O - createTask claims the ID with an empty O_EXCL placeholder and fills it via temp-file + rename, so concurrent readers never see partial JSON (which the quarantine would have destroyed mid-create) - listTasks quarantines only on parse failures; transient read errors (EMFILE/EIO/EACCES) skip the file for one round instead of renaming a healthy task away, and the read fan-out is capped at 16 - updateTask / claimTask / releaseOwnedTask guard the in-lock readFile against ENOENT (resetTaskList and the quarantine rename run without per-task locks), mirroring deleteTask - cover releaseOwnedTask's three defensive branches with tests * fix(core): drain messages enqueued during the IDLE transition; settle abort on idle agents - a message enqueued from inside the synchronous IDLE STATUS_CHANGE emit (TeamManager's flush) landed after the run loop's final empty check while `processing` was still true — enqueueMessage would not restart the loop and the message stranded in a dead queue; the loop now re-checks the queue after `processing` flips false - abort() on an idle/initializing agent only set the signal: no loop was running to observe it, so the agent never reached a terminal status and allTeammatesTerminated()-style gates never fired; abort now settles CANCELLED directly when no loop is in flight - regression tests drive the real AgentInteractive (stub model, real loop) through send-during-idle-emit and abort-while-idle * test(core): align FakeAgent queue and abort semantics with AgentInteractive FakeAgent modeled a friendlier runtime than the one that ships: enqueueMessage processed inline (no queue, no processing flag, resurrecting terminal agents via unconditional RUNNING), which is exactly what masked the flush-into-dead-queue bug. It now queues while a round is in flight, drains before settling IDLE, drops messages after abort()/shutdown() like the real drained queue, and never resurrects a terminal agent. * fix(core): surface spawn failures, handle shutdown_rejected, envelope peer messages - spawnTeammate now checks the agent's status after spawnAgent resolves: start() reports chat-creation failure via FAILED without throwing, so the leader was told the teammate joined while sends were accepted into a queue that could never flush; a failed spawn now rolls back and surfaces the reason (with a terminal-status replay in setupEventBridge for the attach race) - shutdown_rejected now clears _shutdownPending: a teammate that declined once stayed excluded from auto-claim and kill-armed on any later "shutdown_approved" mention - peer-to-peer deliveries get a fresh-nonce envelope like leader deliveries, closing inline leader impersonation between teammates (deliberately not the leader-trust nonce, which must never reach teammate context) * fix(core): exclude workflow tool from teammates The teammate ALS identity propagates into anything a teammate spawns, so prepareTools() keeps choosing the teammate exclusion set for nested agents — without WORKFLOW in it, a teammate-launched workflow re-arms the O(k^n) recursive fan-out the subagent exclusion set prevents. * fix(core): make task tools visible to permission review; reject dependency cycles - task_create / task_update now project their content (subject, description, status, owner, edges) to the AUTO classifier — the base '' sentinel projected to an empty object, so the classifier ruled on task_create({}) and the 'ask' override was blind; the interactive confirmation now shows the description (truncated), since that text is what a claiming teammate executes - task_update rejects self-edges and dependency cycles instead of silently persisting a graph that auto-claim can never unblock - regression tests pin the 'ask' default and a non-empty classifier projection for both tools * fix(core): reclaim stale teams on team_create instead of wedging the name Nothing deletes team dirs on normal exit (only an explicit team_delete does), so every Ctrl+C, completed headless run, or crash permanently wedged the team name behind createTeamFile's wx-exclusive create, with manual rm -rf as the default recovery. team_create now records the owner identity (leadSessionId + leadPid) and, on EEXIST, reclaims the team when the recorded lead process is gone (or is this process); only a live concurrent owner keeps the name refused. * fix(cli): pass teammate envelopes straight to the model, skipping shell/@/slash preprocessing Teammate envelopes are model-authored text already rendered as a notification line by the teammate drain, but they still flowed through the user-input preprocessing: with shell mode active a teammate report was EXECUTED as a shell command, and a leading / or an @path was reinterpreted against the leader's session. They now early-return like Notification. * fix(core): exclude Teammate from UserPromptSubmit hooks and record it in chat history Teammate envelopes are machine-driven re-entries like Cron and Notification: user-authored UserPromptSubmit hooks must not fire on (or block) internal coordination traffic. They also never reached any chat-recording path — record them like notifications so a resumed session restores the same compact info line the live UI rendered. * fix(cli): stop teammate-approval rejections from escaping as unhandled rejections The stream-json listener voided handleTeammateApproval's promise while the handler's own error path re-issues a respond() that can reject (teammate terminated mid-request) — an unhandledRejection that can take down an SDK session. The call site now catches like its headless siblings, and the controller's catch-path respond(Cancel) is wrapped so the method never rejects out of its own error path. * test(core): add getSessionId to team-lifecycle mock config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TLDR
Adds Agent Team — an experimental feature that lets the lead agent spawn and coordinate a team of sub-agents working in parallel on different parts of a task. The feature is off by default and gated behind an experimental setting or environment variable.
Screenshots / Video Demo
N/A — no user-facing UI change beyond new tools appearing when the feature is enabled. The interaction happens entirely through tool calls within a conversation.
Dive Deeper
Why Agent Team?
Today, the Agent tool runs sub-agents one at a time — the leader spawns an agent, waits for it to finish, reads the result, then spawns the next. This is fine for small tasks, but falls apart when:
Agent Team solves this by introducing a leader–teammate model: the lead agent creates a team, spawns teammates that run concurrently, and coordinates them through messages and a shared task board.
How to enable
The feature is disabled by default. Enable it with either option (env var takes priority):
~/.qwen/settings.json:{ "experimental": { "agentTeam": true } }QWEN_CODE_ENABLE_AGENT_TEAM=1A session restart is required after changing the setting. When disabled, none of the team tools are registered and the feature has zero runtime cost.
New tools (6 total, all gated behind the setting)
team_createteam_deletesend_messagetask_createtask_updatetask_listCommon workflow
A typical agent team session follows this pattern:
team_createwith a descriptive nametask_createfor each subtask (e.g., "validate /users endpoint", "validate /orders endpoint", "update user tests", etc.)Agenttool to spawn teammates; each teammate gets an identity, a name, and a color for UI displaytask_listto find pending tasks, claims one viatask_update(status: "in_progress"), does the work, then reports results back to the leader viasend_messagetask_list, and can post follow-up tasks or send instructions to specific teammatesteam_deleteto shut down all teammates and clean up team stateTeammates can also communicate with each other via
send_message, which is useful when one agent's findings affect another's work.Architecture overview
~/.qwen/teams/{name}/inboxes/); messages are persisted so they survive agent restarts~/.qwen/tasks/{name}/); tasks have statuses (pending → in_progress → completed) and dependency tracking (blocks/blockedBy)name@teamName), display name, and color; identity propagates through AsyncLocalStorage for in-process agentsBackend support
The existing agent backends are extended to support team-aware spawning:
Known limitations and pitfalls
MAX_TEAMMATES = 10). Creating more will error. In practice, 2–4 teammates is the sweet spot — more agents means more coordination overhead.team_createwhile a team is already active will fail — you mustteam_deletefirst.Reviewer Test Plan
Feature gate works:
QWEN_CODE_ENABLE_AGENT_TEAM=1→ confirm all 6 tools appearUnit tests pass:
E2E smoke test (with feature enabled):
Testing Matrix
Linked issues / bugs
No linked issues
🤖 Generated with Qwen Code