Process supervisor: graceful signal escalation and drain timeout for exec tool

[kagura-agent]

Problem

When the exec tool times out (either overall-timeout or no-output-timeout), the process supervisor sends an immediate SIGKILL (supervisor.ts#L163):

cancelAdapter = (_reason: TerminationReason) => {
    if (settled) return;
    adapter.kill("SIGKILL");
};

This means:

1. Processes cannot clean up — temp files, partial writes, network connections are abandoned
2. No escalation path — SIGTERM (graceful shutdown request) is never attempted
3. On POSIX, if the process tree does not exit promptly after SIGKILL (zombie processes, kernel-level hangs), adapter.wait() relies solely on the close event with no independent drain timeout. The 4-second FORCE_KILL_WAIT_FALLBACK_MS fallback only activates on Windows.

Observed impact

Subagent processes (Claude Code, coding agents) that time out lose any in-progress state. Processes that spawn their own children and set up signal handlers for graceful shutdown never get the chance to use them.

Proposed fix: two-phase signal escalation + drain timeout

Phase 1 — Graceful shutdown (SIGTERM + grace period)

cancelAdapter = (reason: TerminationReason) => {
    if (settled) return;
    adapter.kill("SIGTERM");  // Ask nicely first
    forceKillTimer = setTimeout(() => {
        if (!settled) {
            adapter.kill("SIGKILL");  // Force after grace period
        }
    }, GRACEFUL_SHUTDOWN_MS); // e.g. 5000ms
};

Phase 2 — Independent drain timeout

After SIGKILL, add a POSIX drain timeout (not just Windows) to prevent wait() from hanging indefinitely:

const DRAIN_TIMEOUT_MS = 10_000; // after SIGKILL, max wait for close event

// In the kill() path, after SIGKILL:
scheduleForceKillWaitFallback("SIGKILL"); // Already exists for Windows
// Extend to all platforms, not just Windows

The existing FORCE_KILL_WAIT_FALLBACK_MS (4000ms, Windows-only) could be unified into a cross-platform drain timeout.

Optional: pipe close watchdog

When cancellation is requested, explicitly close stdout/stderr pipes to unblock any blocked readers before sending the kill signal:

cancelAdapter = (reason: TerminationReason) => {
    if (settled) return;
    // Close pipes first — unblocks any blocked stdout/stderr handlers
    adapter.stdin?.destroy();
    adapter.kill("SIGTERM");
    // ... escalation timer ...
};

Prior art

• multica docs(bird): update skill for v0.7.0 commands #947: Implemented a three-layer defense (pipe close → drain timeout → context-aware select) across all 4 agent backends after observing daemon stall from a hung Claude Code process. PR
• Go exec.Cmd.WaitDelay: Go 1.20+ added WaitDelay as a built-in mechanism for exactly this pattern — close pipes after process exit, force-kill after delay

Scope

• src/process/supervisor/supervisor.ts — signal escalation in cancelAdapter
• src/process/supervisor/adapters/child.ts — cross-platform drain timeout (extend FORCE_KILL_WAIT_FALLBACK_MS to POSIX)
• Tests for: SIGTERM → SIGKILL escalation, drain timeout on POSIX, pipe close unblocking

[Lwt0371]

Windows SIGKILL issue still present in 2026.4.14. The exec tool works with ools.exec.security: full, but all openclaw CLI commands (gateway status, sessions list, update check, etc.) are still getting killed immediately on Windows. Is this PR #66399 still being worked on? Any ETA for a fix?

[kagura-agent]

Thanks for the report @Lwt0371. This issue is still open and relevant — I filed it but haven't had bandwidth to work on a PR for it yet. The Windows SIGKILL behavior is tricky since Node.js on Windows doesn't support SIGTERM the same way. If you're blocked, the tools.exec.security: full workaround is the best option for now. Happy to collaborate if you want to take a crack at a fix!

[Johannes0402]

Real-world impact: 30+ isolated cron jobs hitting SIGKILL daily

We run a production Spiriators setup with 6 specialist agents and 30+ cron jobs, all running as sessionTarget: "isolated". The SIGKILL bug affects us every day.

Our setup

Agents (OpenClaw v2026.4.24):

Agent	Model	Role
telegram-chat	glm-5.1:cloud	Main (Echo) — persistent session
story-writer	qwen3.5:397b-cloud	Blogs, WhatsApp content
researcher	glm-5.1:cloud	Research, SEO
coder	kimi-k2.6:cloud	Code, deploy
social-media	qwen3.5:397b-cloud	Social posts
astro	qwen3.5:397b-cloud	Astro forecasts

Cron jobs: 30+ daily, all sessionTarget: "isolated", including:

• Blog pipeline (SEO brief → Luna writes → upload → deploy)
• WhatsApp daily posts (Whapi API + xAI image generation)
• Crypto monitoring (5 separate crons)
• Daily briefs, email checks, health monitors
• Weekly social media generation

All isolated crons invoke agents via openclaw agent --agent <id> --message "..." --timeout <seconds>, which spawns a new process under the supervisor.

How SIGKILL hits us

When an isolated agent session exceeds its timeout, the supervisor sends SIGKILL immediately (no SIGTERM first). This causes:

1. Session lock cascade (BUG: Agent session lock not released after crash/SIGKILL — blocks all subsequent runs #70004) — releaseAllLocksSync() never runs because SIGKILL is not in CLEANUP_SIGNALS (session-write-lock.ts:38). Lock files persist, blocking ALL subsequent agent runs until manually cleaned with rm -f ~/.openclaw/agents/*/sessions/*.lock.

2. Lost work — In-progress blog content, social media posts, crypto analysis — all abandoned mid-execution. No graceful shutdown, no cleanup, no state preservation.

3. Research agent timeout — Our researcher agent was SIGKILL'd during a deep research task yesterday. The entire session was lost.

Relevant config

// All our crons use isolated sessions:
{ "sessionTarget": "isolated", "payload": { "kind": "agentTurn", "timeoutSeconds": 300 } }

// Only the main telegram-chat agent is persistent (bound via channel routing):
{ "agentId": "telegram-chat", "match": { "channel": "telegram", "peer": { "kind": "direct", "id": "2077431888" } } }

What #66399 would fix for us

Proposed fix	Our impact
SIGTERM before SIGKILL (5s grace)	Session locks get cleaned up, in-progress work can drain
POSIX drain timeout (not just Windows)	No more hung processes on macOS
Pipe close before kill	Blocked stdout/stderr readers get unblocked

Related issues we filed or tracked

• BUG: Supervisor sends SIGKILL instead of SIGTERM for long-running agents — causes session lock cascade #70026 — Our original SIGKILL bug report (closed as duplicate of this issue)
• BUG: Agent session lock not released after crash/SIGKILL — blocks all subsequent runs #70004 — Session lock cascade (closed — workaround in 2026.4.24, but root cause is here)
• fix(agents): send SIGTERM instead of SIGKILL to allow lock cleanup (#70026) #70094 — PR with SIGTERM fix (closed without merge — 599 lines, 23 files, too broad)
• [Bug]: openclaw-agent ignores SIGTERM under cron, accumulates hung process chains and exhausts host RAM/swap #71710 — New: agent ignores SIGTERM even when sent (RAM exhaustion from accumulated processes)

Key observation

#71710 reveals that even if #66399's proposed SIGTERM escalation is implemented, agents may ignore SIGTERM and continue running. This means the two-phase fix (SIGTERM → grace period → SIGKILL) needs to also ensure:

• The agent process actually handles SIGTERM and exits within the grace window
• Or the supervisor has a hard kill guarantee after the grace period

Both #66399 and #71710 need to be addressed together for a complete fix.

Current workaround: We limit all cron timeouts to 500s and manually clean lock files. Not ideal for a production system running 30+ automated tasks daily.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main and v2026.5.18 still route supervisor timeout/cancel through adapter.kill("SIGKILL"), and the child adapter still immediately calls child.kill("SIGKILL") in that branch, so the direct child does not get the requested graceful cleanup window.

Reproducibility: yes. at source level. Exec and CLI timeouts feed supervisor.spawn, timeout/manual cancellation routes through requestCancel, and current tests still assert SIGKILL on those paths.

Next step
Queue a focused fix PR: the current and shipped cancellation path is source-proven, the issue is canonical for this cluster, and the likely files plus regression tests are clear.

Review details

Best possible solution:

Implement a focused supervisor cancellation policy that sends SIGTERM first, schedules an unref'ed SIGKILL escalation, preserves child/PTY wait fallback behavior, and adds regression coverage for timeout and manual-cancel paths.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Exec and CLI timeouts feed supervisor.spawn, timeout/manual cancellation routes through requestCancel, and current tests still assert SIGKILL on those paths.

Is this the best way to solve the issue?

Yes. A bounded SIGTERM-first policy with SIGKILL fallback is the narrow maintainable fix; the prior SIGTERM-only PR was not the best solution because it could leave the supervisor waiting forever.

Label justifications:

• P1: The issue affects real exec and agent workflows, with user reports of daily production timeouts, lost work, and blocked follow-up runs.
• impact:data-loss: The report and follow-up comments describe abandoned in-progress agent work and partial writes when processes are hard-killed.
• impact:session-state: The hard-kill path is tied to session lock cleanup failures and stale session state in related reports.
• impact:crash-loop: The requested drain timeout and escalation behavior target hung or forcibly terminated child processes that can block runtime availability.

Acceptance criteria:

• node scripts/run-vitest.mjs src/process/supervisor/supervisor.test.ts src/process/supervisor/adapters/child.test.ts src/process/supervisor/adapters/pty.test.ts src/process/kill-tree.test.ts
• node scripts/run-vitest.mjs src/agents/bash-tools.exec-runtime.test.ts src/agents/bash-tools.exec-runtime.pty-fallback.test.ts src/agents/cli-runner.reliability.test.ts src/agents/bash-tools.process.supervisor.test.ts
• node scripts/crabbox-wrapper.mjs run --shell -- "pnpm check:changed"

What I checked:

• current-supervisor-cancel-path: requestCancel invokes cancelAdapter, and cancelAdapter still calls adapter.kill("SIGKILL") for timeout and manual cancellation paths. (src/process/supervisor/supervisor.ts:109, 3d96111a5afe)
• child-adapter-hard-kill-branch: The child adapter's default/SIGKILL branch calls killProcessTree(...) but then immediately calls child.kill("SIGKILL"), which defeats a meaningful grace window for the direct child process. (src/process/supervisor/adapters/child.ts:362, 3d96111a5afe)
• tests-still-assert-sigkill: Supervisor tests still expect SIGKILL for no-output timeout, scoped replacement cancellation, and overall timeout behavior. (src/process/supervisor/supervisor.test.ts:140, 3d96111a5afe)
• exec-tool-timeout-caller: The exec runtime computes the tool timeout and passes it to supervisor.spawn, so exec tool timeouts exercise the same supervisor cancellation path. (src/agents/bash-tools.exec-runtime.ts:722, 3d96111a5afe)
• cli-agent-timeout-caller: CLI agent execution passes timeoutMs and noOutputTimeoutMs into supervisor.spawn, matching the reported agent-process impact. (src/agents/cli-runner/execute.ts:544, 3d96111a5afe)
• shipped-release-behavior: Latest release tag v2026.5.18 contains the same cancelAdapter SIGKILL call and child-adapter immediate child.kill("SIGKILL") branch, so this is not only a current-main regression state. (src/process/supervisor/supervisor.ts:168, 50a2481652b6)

Likely related people:

• joshavant: Current blame for the central supervisor and adapter files points at commit e996159, which reintroduced the present copies of these process-supervisor files. (role: recent current-main contributor; confidence: medium; commits: e99615973810; files: src/process/supervisor/supervisor.ts, src/process/supervisor/adapters/child.ts, src/process/supervisor/adapters/pty.ts)
• onutc: Commit cd44a0d introduced the process supervisor and adapter surface where cancellation currently funnels through the hard-kill adapter API. (role: introduced supervisor surface; confidence: high; commits: cd44a0d01e9f; files: src/process/supervisor/supervisor.ts, src/process/supervisor/adapters/child.ts, src/process/supervisor/adapters/pty.ts)
• gumadeiras: Commit 6a37eca added forced-kill wait fallback behavior in the child adapter, directly overlapping the requested bounded drain behavior. (role: adjacent wait-fallback contributor; confidence: medium; commits: 6a37ecad8230; files: src/process/supervisor/adapters/child.ts, src/process/supervisor/adapters/child.test.ts)
• sauerdaniel: Commit 20957ef added graceful process-tree termination with SIGTERM before SIGKILL, which is the helper a focused fix should preserve or align with. (role: adjacent process-tree contributor; confidence: medium; commits: 20957efa4674; files: src/process/kill-tree.ts)
• steipete: Shortlog over the process supervisor and kill-tree files is dominated by Peter Steinberger, including service-managed child behavior that a fix must preserve. (role: recent area contributor; confidence: medium; commits: e20f44509924, c035c5c0d235; files: src/process/supervisor/adapters/child.ts, src/process/kill-tree.ts)

Remaining risk / open question:

• A fix must preserve the service-managed detached:false guard; an incorrect process-group kill can terminate the gateway's own process group.
• The related agent-side SIGTERM responsiveness problem at [Bug]: openclaw-agent ignores SIGTERM under cron, accumulates hung process chains and exhausts host RAM/swap #71710 may still need separate work even after supervisor escalation is fixed.
• This review did not run a live process repro; the keep-open decision is based on current source, shipped release source, tests, and related GitHub discussion.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3d96111a5afe.

[Johannes0402]

Proposed minimal fix: 3-line change to cancelAdapter + SIGKILL fallback

Summary

The cancelAdapter in supervisor.ts unconditionally sends SIGKILL, bypassing all cleanup handlers including session lock release. A minimal 3-line change enables graceful SIGTERM-first escalation using the existing kill(signal) adapter method that already supports arbitrary signals, plus a setTimeout fallback to SIGKILL after 5 seconds.

This is a 25-line PR vs the previous PR #70094 which was 599 lines across 23 files and was closed without merge.

Root cause (single line)

// supervisor.ts:596 — THE BUG
cancelAdapter = (_reason) => {
    if (settled) return;
    adapter.kill("SIGKILL");  // ← No graceful shutdown possible
};

SIGKILL cannot be caught, so releaseAllLocksSync() in session-write-lock.ts:38 never runs. Session lock files persist, blocking all subsequent agent runs (#70004).

Proposed fix

// supervisor.ts — replace cancelAdapter
cancelAdapter = (_reason) => {
    if (settled) return;
    adapter.kill("SIGTERM");                                    // Graceful shutdown first
    setTimeout(() => {
        if (!settled) adapter.kill("SIGKILL");                   // Force kill after grace period
    }, 5000);                                                    // 5s grace (within kill-tree's 3-60s range)
};

Why this works

1. adapter.kill("SIGTERM") is already supported. The child adapter's kill() method (supervisor compiled line 237) handles arbitrary signals:

const kill = (signal) => {
    if (signal === undefined || signal === "SIGKILL") {
        killProcessTree(pid);      // existing graceful tree kill
        child.kill("SIGKILL");
        scheduleForceKillWaitFallback("SIGKILL");
        return;
    }
    child.kill(signal);            // ← SIGTERM reaches here
};

2. killProcessTree already implements two-phase shutdown. The kill-tree.ts module sends SIGTERM to the process group, waits 3s (default), then SIGKILL. This is already in the codebase — it just isn't called from cancelAdapter.

3. SIGTERM triggers cleanup. session-write-lock.ts:38 registers handlers for SIGINT, SIGTERM, SIGQUIT, SIGABRT. Sending SIGTERM allows releaseAllLocksSync() to run, preventing the session lock cascade (BUG: Agent session lock not released after crash/SIGKILL — blocks all subsequent runs #70004).

4. [Bug]: openclaw-agent ignores SIGTERM under cron, accumulates hung process chains and exhausts host RAM/swap #71710 (agent ignores SIGTERM) is mitigated. If the agent doesn't respond to SIGTERM within 5s, the setTimeout fallback sends SIGKILL. The difference: session locks are already cleaned up because SIGTERM triggered the handler during the grace window.

Estimated PR size

File	Change	Lines
supervisor.ts	Replace cancelAdapter with SIGTERM + SIGKILL fallback	~5
supervisor.test.ts	Add test: SIGTERM sent first, SIGKILL after grace period	~20
Total		~25

Compare: PR #70094 was 599 lines, 23 files. This is a focused, minimal change.

What about the settled guard in the timeout callback?

The if (!settled) check in the setTimeout callback ensures that if the process exits cleanly after SIGTERM (settling the wait promise and setting settled = true), the SIGKILL fallback is a no-op. This is safe because:

• settled is set to true by settleWait() which is called on process exit
• adapter.kill() on an already-exited process is a no-op (try/catch in the kill method)
• The timer is .unref()'d by the existing dispose() pattern, so it doesn't keep the event loop alive

Test plan

1. Graceful exit: Agent times out → receives SIGTERM → cleanup runs → exits within 5s → no SIGKILL needed
2. Stuck agent: Agent times out → receives SIGTERM → ignores it → SIGKILL after 5s → session locks already released by SIGTERM handler
3. No regression: Existing tests that expect SIGKILL should be updated to expect SIGTERM first, then SIGKILL. The behavioral contract changes from "immediate SIGKILL" to "SIGTERM then SIGKILL after grace period".

Real-world impact

We run 30+ daily cron jobs as sessionTarget: "isolated" across 6 agents. Every SIGKILL:

• Abandons in-progress work (blog content, crypto analysis, social posts)
• Leaves session lock files that block subsequent runs until manual cleanup
• Forces us to keep timeouts under 500s and manually rm -f ~/.openclaw/agents/*/sessions/*.lock

Even our coder agent was SIGKILL'd twice in 30 seconds while trying to analyze this very bug — the irony is not lost on us.

Related issues

• Process supervisor: graceful signal escalation and drain timeout for exec tool #66399 — canonical issue (this proposed fix addresses it)
• BUG: Supervisor sends SIGKILL instead of SIGTERM for long-running agents — causes session lock cascade #70026 — our original bug report (closed as duplicate of Process supervisor: graceful signal escalation and drain timeout for exec tool #66399)
• BUG: Agent session lock not released after crash/SIGKILL — blocks all subsequent runs #70004 — session lock cascade (resolved by SIGTERM triggering cleanup)
• fix(agents): send SIGTERM instead of SIGKILL to allow lock cleanup (#70026) #70094 — previous PR (closed without merge, too broad)
• [Bug]: openclaw-agent ignores SIGTERM under cron, accumulates hung process chains and exhausts host RAM/swap #71710 — agent ignores SIGTERM (mitigated by SIGKILL fallback after grace period)

---

Reported by: Johannes Huijbregts (via Echo assistant)
Date: 2026-04-27