feat: Agent Teams improvements - SSE fix, team state parsing, and permission handling#295
Closed
0x7551 wants to merge 49 commits intotiann:mainfrom
Closed
feat: Agent Teams improvements - SSE fix, team state parsing, and permission handling#2950x7551 wants to merge 49 commits intotiann:mainfrom
0x7551 wants to merge 49 commits intotiann:mainfrom
Conversation
- Add Agent tool handling (Claude Code's primary tool for spawning teammates) - Keep Task tool with team_name as legacy fallback - Extend TeamMember schema: description, isolation, runInBackground, agentId - Add completed/error member status - Add Agent tool to knownTools display and getToolName mapping - Redesign TeamPanel: member cards with badges, task progress bar, message timeline with timestamps, activity pulse indicator - Add 8 new test cases for Agent extraction and member properties
…tivity - Replace Hono's streamSSE (TransformStream/pull model) with direct push-based ReadableStream to eliminate buffering delays in Bun - Add X-Accel-Buffering: no header for reverse proxy compatibility - Make team member cards clickable/expandable to show per-agent activity - Extract teammate activities from conversation messages (Agent tool calls) - Pass conversation messages to TeamPanel for real-time activity display
- Add TeamPermission schema to shared types - Parse <teammate-message> permission_request from conversation messages in hub/sync/teams.ts (handles both user and agent-wrapped formats) - Display pending permissions in TeamPanel member cards with badge and auto-expand, with Allow/Deny buttons - Show toast notification in main session when new teammate permission requests arrive - Approval sends a user message to the session for the team lead to process
- Add lastOutput/lastOutputAt to TeamMember schema - Extend teammate-message parsing to handle all types: - permission_request → pendingPermissions (existing) - idle_notification → update member status to idle - plain text/markdown → store as member lastOutput - structured messages with summary/content → store as lastOutput - TeamPanel MemberCard prioritizes real-time lastOutput from TeamState over activity extraction from conversation messages
…stOutput in TeamPanel
…ssages - TeamPanel now calls api.approvePermission/denyPermission using toolUseId - Falls back to text message if API call fails - Added toolUseId field to TeamPermission schema - Hub permission routes update teamState.pendingPermissions status after approval/denial - Added updateTeamState method to SyncEngine/SessionCache
…m agents - Bridge agentState.requests to teamState.pendingPermissions in update-state handler so TeamPanel shows permission cards for in-process teammate agents - Auto-resolve teamState permissions when agentState.requests entries are finalized - Only treat Agent tool calls with team_name as team member spawns, preventing Explore/Plan agents from appearing as team members
… fallback Sub-agent permissions are handled by Claude Code's internal teammate messaging and don't appear in agentState.requests. When the API can't find a requestId in agentState.requests, fall back to checking teamState.pendingPermissions and relay the decision as a user message.
Use min(40vh, 300px) cap and overscroll-contain for better mobile UX.
When a teammate's tool call arrives via canCallTool but doesn't appear in the parent's toolCalls list, generate a synthetic ID instead of throwing. This allows the permission to be registered in agentState.requests and resolved via the standard RPC path, fixing the deadlock where teammate permissions could never be approved.
…roval Teammate permissions get registered with two different IDs: - "perm-..." from SDK teammate messages (extractTeamStateFromMessageContent) - "subagent_..." from agentState.requests (syncAgentPermissionsToTeamState) When the web UI approves using the "perm-..." ID, the hub can't find it in agentState.requests and falls back to text messages, which never resolve the pending permission Promise — causing the agent to hang. Fix: - syncAgentPermissionsToTeamState: update existing teammate message entry's toolUseId to point to agentState.requests key instead of creating a duplicate entry - permissions.ts approve/deny: resolve the correct agentState.requests key via teamState.pendingPermissions.toolUseId before attempting RPC
CLI is running official Claude Code 2.1.74, local CLI changes are not deployed. Revert to main branch state to keep the diff clean for PR.
- Remove diagnostic console.log statements from sessionHandlers and teams - Extract resolveAgentRequestId helper to eliminate duplicated logic in approve/deny routes - Fix test: Agent without team_name should not be extracted as team member
When a sub-agent (e.g. Explore) needs tool permission, its tool_use blocks aren't in the parent's message stream, so resolveToolCallId fails. Instead of throwing (which prevents the permission from ever reaching agentState.requests and the web UI), generate a synthetic ID so the request flows through normally.
Teammate permissions arrive via <teammate-message> and only exist in teamState.pendingPermissions — they never appear in agentState.requests. The old auto-approve code checked agentState.requests, so it never fired. Now auto-approve happens in the add-message handler when new pendingPermissions are parsed from teammate messages. Also remove the text message fallback from the permissions route — it was unreachable.
Sub-agent/teammate tool calls don't appear in parent's message stream, so resolveToolCallId always fails. Previously this created a synthetic pending request that nobody could resolve (deadlock). Now auto-approve these calls since the parent already authorized running the sub-agent.
The SDK handles teammate permissions internally via permissionMode, NOT through the parent's canCallTool callback. Set permissionMode to 'bypassPermissions' so the SDK auto-approves teammate tool calls. Main agent permissions are unaffected — canCallTool uses its own permissionMode from the web UI (controlled by handleModeChange), not the SDK's permissionMode setting.
Local mode spawns claude without --permission-prompt-tool stdio, so there's no canCallTool callback and no way to approve permissions from the web UI. Without --permission-mode bypassPermissions, teammate/subagent tool calls block waiting for terminal input that never comes (no interactive terminal in HAPI).
With --dangerously-skip-permissions, all tool calls are auto-approved. Add deny rules in hook settings to block destructive commands like rm -rf, sudo rm, git push --force, mkfs, dd, etc. Deny rules are enforced even in bypassPermissions mode per Claude Code docs.
Teammate permission_request messages are part of Claude's internal team protocol. They are resolved by the team lead agent via SendMessage, not through external RPC approval. Remove: - pendingPermissions parsing from teammate messages (teams.ts) - syncAgentPermissionsToTeamState bridge function - hub auto-approve RPC attempts - team permission RPC paths in permissions routes This eliminates the broken approve/deny UI cards for teammate permissions.
…teams # Conflicts: # hub/src/socket/handlers/cli/sessionHandlers.ts # web/src/components/AssistantChat/HappyComposer.tsx
…onal array index type
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Findings
- [Major]
cli/package.json版本号回退到0.16.0(可选依赖同步回退)。已发布过0.16.1时会阻断发布/升级路径。证据cli/package.json:3
Suggested fix:
{
"version": "0.16.1",
"optionalDependencies": {
"@twsxtd/hapi-darwin-arm64": "0.16.1",
"@twsxtd/hapi-darwin-x64": "0.16.1",
"@twsxtd/hapi-linux-arm64": "0.16.1",
"@twsxtd/hapi-linux-x64": "0.16.1",
"@twsxtd/hapi-win32-x64": "0.16.1"
}
}- [Major] 权限兜底按
tool名称匹配,存在多个同名请求时可能批准错请求(常见Bash/Write)。证据hub/src/web/routes/permissions.ts:87-90
Suggested fix:
const matches = Object.entries(requests ?? {}).filter(([_, req]) =>
isObject(req) && req.tool === teamPerm.toolName
)
if (matches.length == 1) {
return { agentRequestId: matches[0][0], teamPerm }
}
return { agentRequestId: null, teamPerm }Summary
Review mode: initial
- 2 个主要问题:版本回退发布阻塞风险;权限兜底可能审批错请求。
Testing
- Not run (automation). 建议:为
resolveAgentRequestId多同名请求添加单测。
cli/package.json
Outdated
| { | ||
| "name": "@twsxtd/hapi", | ||
| "version": "0.16.1", | ||
| "version": "0.16.0", |
There was a problem hiding this comment.
[MAJOR] 版本号回退到 0.16.0(可选依赖同步回退)会阻断已发布 0.16.1 的发布/升级路径。
Suggested fix:
{
"version": "0.16.1",
"optionalDependencies": {
"@twsxtd/hapi-darwin-arm64": "0.16.1",
"@twsxtd/hapi-darwin-x64": "0.16.1",
"@twsxtd/hapi-linux-arm64": "0.16.1",
"@twsxtd/hapi-linux-x64": "0.16.1",
"@twsxtd/hapi-win32-x64": "0.16.1"
}
}| } | ||
| // Last resort: find by tool name match in agentState.requests | ||
| for (const [key, req] of Object.entries(requests ?? {})) { | ||
| if (isObject(req) && req.tool === teamPerm.toolName) { |
There was a problem hiding this comment.
[MAJOR] 兜底按 tool 名称匹配会在存在多个同名请求时批准错请求(常见 Bash/Write)。
Suggested fix:
const matches = Object.entries(requests ?? {}).filter(([_, req]) =>
isObject(req) && req.tool === teamPerm.toolName
)
if (matches.length == 1) {
return { agentRequestId: matches[0][0], teamPerm }
}
return { agentRequestId: null, teamPerm }- Remove deleted ModelMode import from sessionHandlers.ts - Fix array index type error in permissions.ts using TeamPermission - Restore upstream package.json version (0.16.1) - Remove extra blank line
# Conflicts: # hub/src/web/routes/permissions.ts
| // Use 'bypassPermissions' so the SDK auto-approves teammate/sub-agent | ||
| // permissions internally. Main agent permissions are still gated by | ||
| // canCallTool (which ignores this mode and uses its own approval flow). | ||
| permissionMode: 'bypassPermissions', |
There was a problem hiding this comment.
[MAJOR] 远程模式强制 bypassPermissions,忽略用户选择的权限模式。主代理可能不再触发审批。证据 cli/src/claude/claudeRemote.ts:117-120。
建议修改:
permissionMode: initial.mode.permissionMode ?? 'default',| // and in remote mode there's no reliable path to relay permission | ||
| // responses back to the sub-agent's internal permission handler. | ||
| logger.debug(`Auto-approving sub-agent tool: ${toolName}`); | ||
| return { behavior: 'allow', updatedInput: input as Record<string, unknown> }; |
There was a problem hiding this comment.
[MAJOR] toolCallId 无法解析时直接放行全部工具调用;任何匹配失败都会绕过审批,不限子代理。证据 cli/src/claude/utils/permissionHandler.ts:304-314。
建议修改:
if (!toolCallId) {
await delay(1000);
toolCallId = this.resolveToolCallId(toolName, input);
if (!toolCallId) {
if (this.permissionMode === 'bypassPermissions') {
logger.debug(`Auto-approving sub-agent tool: ${toolName}`);
return { behavior: 'allow', updatedInput: input as Record<string, unknown> };
}
throw new Error(`Could not resolve tool call ID for ${toolName}`);
}
}
0x7551
commented
Mar 17, 2026
Contributor
Author
0x7551
left a comment
0x7551
left a comment
There was a problem hiding this comment.
Re: Bot Review Findings
1. cli/package.json version regression → Fixed
Already resolved in commit ffa11a6.
2. Permission bypass & auto-approve safety
These changes are intentional for Agent Teams support. The security model has multiple layers:
-
--dangerously-skip-permissionsbypasses Claude's interactive terminal prompts (which block forever in headless/remote mode), but deny rules are still enforced — seegenerateHookSettings.tswhich blocksrm -rf,sudo,git push --force,chmod 777, etc. -
permissionMode: 'bypassPermissions'in remote mode — the SDK's built-in permission mode is bypassed, but main-agent permissions are still gated bycanCallTool()which has its own approval flow (web UI). -
Auto-approve on toolCallId miss — sub-agent/teammate tool calls don't appear in the parent's
toolCallsmap, so lookup always fails. The parent already authorized spawning the sub-agent; blocking here would deadlock the teammate. The deny-list safety net still applies.
TL;DR: Terminal permission prompts → bypassed (headless). Deny rules → still enforced. Web UI approval → still works for main agent. This is a deliberate trade-off to unblock Agent Teams without losing the safety net.
0x7551
commented
Mar 17, 2026
Contributor
Author
0x7551
left a comment
0x7551
left a comment
There was a problem hiding this comment.
Correction to my previous comment:
The "web UI approval still works for main agent" part was inaccurate. With --dangerously-skip-permissions (local) and permissionMode: 'bypassPermissions' (remote), Claude's permission system is fully bypassed — including any web UI approval flow.
The actual safety net is a single layer: deny rules in generateHookSettings.ts. These are enforced even under --dangerously-skip-permissions and block dangerous patterns like rm -rf, sudo, git push --force, etc.
This is a known trade-off for Agent Teams — without bypassing permissions, subagent/teammate tool calls deadlock waiting for terminal input that never comes. The deny-list is the guardrail.
Contributor
Author
|
Rebased onto latest upstream/main and squashed into a single commit. See replacement PR. |
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
功能描述
基于 #258 的 Agent Teams 功能进行修复和增强,改善团队协作的稳定性和用户体验。
主要改动
SSE 延迟修复 (Hub)
streamSSE(基于 TransformStream/pull 模式)为直接 push-basedReadableStream,消除 Bun 下的缓冲延迟团队状态解析增强 (Hub)
<teammate-message>解析,支持 idle_notification、shutdown_response 等协议消息runInBackground、isolation等参数agent:name@team后缀规范化团队成员权限处理 (CLI + Hub)
permission_request是 Claude 内部团队协议的一部分,由 team lead agent 通过 SendMessage 内部处理,而非外部 RPC 审批--dangerously-skip-permissions避免终端权限提示阻塞(HAPI 无交互终端)Web UI 增强
其他修复
resolveAgentRequestId处理 ID 解析测试
影响范围
via HAPI