fix(e2e): clean secret proof timeouts

vincentkoc · vincentkoc · commit 01124cfca90e · 2026-06-01T08:30:17.000+02:00
diff --git a/scripts/e2e/secret-provider-integrations.mjs b/scripts/e2e/secret-provider-integrations.mjs
@@ -223,31 +223,66 @@ function runCommand(command, args, options = {}) {
   return new Promise((resolve, reject) => {
     const child = childProcess.spawn(command, args, {
       cwd: options.cwd ?? process.cwd(),
+      detached: options.detached ?? process.platform !== "win32",
       env: options.env ?? process.env,
       shell: options.shell,
       stdio: options.stdio ?? ["pipe", "pipe", "pipe"],
       windowsVerbatimArguments: options.windowsVerbatimArguments,
     });
     const stdout = createOutputCapture("stdout");
     const stderr = createOutputCapture("stderr");
+    let timedOut = false;
+    let killTimer;
     const timer = setTimeout(() => {
-      child.kill("SIGTERM");
-      setTimeout(() => child.kill("SIGKILL"), 1000).unref();
-      reject(new Error(scrub(`command timed out: ${command} ${args.join(" ")}`)));
+      timedOut = true;
+      terminateProcessTree(child, "SIGTERM");
+      killTimer = setTimeout(() => terminateProcessTree(child, "SIGKILL"), 1000);
+      killTimer.unref();
     }, timeoutMs);
-    child.stdout.on("data", (chunk) => {
+    child.stdout?.on("data", (chunk) => {
       stdout.append(chunk);
     });
-    child.stderr.on("data", (chunk) => {
+    child.stderr?.on("data", (chunk) => {
       stderr.append(chunk);
     });
+    const parentSignalHandlers = new Map();
+    const removeParentSignalHandlers = () => {
+      for (const [signal, handler] of parentSignalHandlers) {
+        process.off(signal, handler);
+      }
+      parentSignalHandlers.clear();
+    };
+    if (process.platform !== "win32" && child.pid) {
+      for (const signal of ["SIGHUP", "SIGINT", "SIGTERM"]) {
+        const handler = () => {
+          terminateProcessTree(child, signal);
+          removeParentSignalHandlers();
+          process.kill(process.pid, signal);
+        };
+        parentSignalHandlers.set(signal, handler);
+        process.once(signal, handler);
+      }
+    }
     child.on("error", (error) => {
       clearTimeout(timer);
+      if (killTimer) {
+        clearTimeout(killTimer);
+      }
+      removeParentSignalHandlers();
       reject(error instanceof Error ? error : new Error(formatErrorMessage(error)));
     });
     child.on("close", (code, signal) => {
       clearTimeout(timer);
+      if (killTimer) {
+        clearTimeout(killTimer);
+      }
+      removeParentSignalHandlers();
       const result = { code: code ?? 0, signal, stdout: stdout.text(), stderr: stderr.text() };
+      if (timedOut) {
+        terminateProcessTree(child, "SIGKILL");
+        reject(new Error(scrub(`command timed out: ${command} ${args.join(" ")}`)));
+        return;
+      }
       if (result.code !== 0 && options.allowFailure !== true) {
         reject(
           new Error(
diff --git a/test/scripts/secret-provider-integrations.test.ts b/test/scripts/secret-provider-integrations.test.ts
@@ -199,6 +199,48 @@ describe("secret provider integration proof harness", () => {
     }
   });
 
+  it.runIf(process.platform !== "win32")(
+    "kills timed-out command process groups",
+    async () => {
+      const root = makeTempDir();
+      const markerPath = path.join(root, "command-descendant-marker.txt");
+      const scriptPath = path.join(root, "spawn-descendant.mjs");
+      const descendantScript = [
+        "import fs from 'node:fs';",
+        `fs.appendFileSync(${JSON.stringify(markerPath)}, "x");`,
+        "process.on('SIGTERM', () => {});",
+        `setInterval(() => fs.appendFileSync(${JSON.stringify(markerPath)}, "x"), 20);`,
+      ].join("\n");
+      fs.writeFileSync(
+        scriptPath,
+        [
+          "import childProcess from 'node:child_process';",
+          "import { setTimeout as delay } from 'node:timers/promises';",
+          `childProcess.spawn(process.execPath, ["--input-type=module", "--eval", ${JSON.stringify(
+            descendantScript,
+          )}], { stdio: "ignore" });`,
+          "process.on('SIGTERM', () => process.exit(0));",
+          "await delay(60_000);",
+          "",
+        ].join("\n"),
+      );
+      const proof = await import(`${pathToFileURL(proofScriptPath).href}?case=timeout-${Date.now()}`);
+
+      await expect(
+        proof.runCommand(process.execPath, [scriptPath], {
+          timeoutMs: 150,
+        }),
+      ).rejects.toThrow(/command timed out/u);
+
+      const sizeAfterReturn = fs.existsSync(markerPath) ? fs.statSync(markerPath).size : 0;
+      await new Promise((resolve) => {
+        setTimeout(resolve, 250);
+      });
+      const sizeAfterWait = fs.existsSync(markerPath) ? fs.statSync(markerPath).size : 0;
+      expect(sizeAfterWait).toBe(sizeAfterReturn);
+    },
+  );
+
   it("detects startup secret leaks after the retained output cap", () => {
     const root = makeTempDir();
     const fakeOpenClaw = writeLeakingStartupOpenClaw(root);
