fix(cli): stop leaking temporary gpg agents

saltbo · saltbo · commit 07e98b3dfb8f · 2026-04-14T11:11:06.000-04:00
diff --git a/packages/cli/src/daemon/dispatcher.ts b/packages/cli/src/daemon/dispatcher.ts
@@ -84,6 +84,12 @@ export function setupGnupgHome(armoredPrivateKey: string): string {
 
 export function cleanupGnupgHome(gnupgHome: string | null): void {
   if (!gnupgHome) return;
+  execBoundary("gpg-kill-agent", () =>
+    execFileSync("gpgconf", ["--kill", "gpg-agent"], {
+      env: { ...process.env, GNUPGHOME: gnupgHome },
+      stdio: "pipe",
+    }),
+  );
   fsSync("rm-gnupghome", () => rmSync(gnupgHome, { recursive: true, force: true }));
 }
 
diff --git a/tests/dispatcher-gpg-cleanup.test.ts b/tests/dispatcher-gpg-cleanup.test.ts
@@ -0,0 +1,53 @@
+// @vitest-environment node
+
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const execFileSyncMock = vi.fn();
+const rmSyncMock = vi.fn();
+
+vi.mock("node:child_process", () => ({
+  execFileSync: execFileSyncMock,
+}));
+
+vi.mock("node:fs", async () => {
+  const actual = await vi.importActual<typeof import("node:fs")>("node:fs");
+  return {
+    ...actual,
+    rmSync: rmSyncMock,
+  };
+});
+
+describe("cleanupGnupgHome", () => {
+  beforeEach(() => {
+    execFileSyncMock.mockReset();
+    rmSyncMock.mockReset();
+    vi.resetModules();
+  });
+
+  it("kills the gpg-agent for the temp GNUPGHOME before removing the directory", async () => {
+    const { cleanupGnupgHome } = await import("../packages/cli/src/daemon/dispatcher.js");
+    const gnupgHome = "/tmp/ak-gpg-test";
+
+    cleanupGnupgHome(gnupgHome);
+
+    expect(execFileSyncMock).toHaveBeenCalledWith(
+      "gpgconf",
+      ["--kill", "gpg-agent"],
+      expect.objectContaining({
+        stdio: "pipe",
+        env: expect.objectContaining({ GNUPGHOME: gnupgHome }),
+      }),
+    );
+    expect(rmSyncMock).toHaveBeenCalledWith(gnupgHome, { recursive: true, force: true });
+    expect(execFileSyncMock.mock.invocationCallOrder[0]).toBeLessThan(rmSyncMock.mock.invocationCallOrder[0]);
+  });
+
+  it("does nothing when GNUPGHOME is null", async () => {
+    const { cleanupGnupgHome } = await import("../packages/cli/src/daemon/dispatcher.js");
+
+    cleanupGnupgHome(null);
+
+    expect(execFileSyncMock).not.toHaveBeenCalled();
+    expect(rmSyncMock).not.toHaveBeenCalled();
+  });
+});
