fix: SIGKILL orphan group and clean up dead process workers on unexpected exit

Olivier Bonnaure · claude · Olivier Bonnaure · commit c2746dcf4587 · 2026-04-01T15:13:55.000+02:00
Two fixes for surviving worker processes killing replacements:

1. Process exit monitor: when a process dies unexpectedly, kill its
   entire process group before failover. The main process is dead but
   workers (--workers N) may survive and interfere with replacements.

2. Orphan cleanup: always SIGKILL the orphan's process group after
   the port is free, instead of only when the port is still in use.
   Workers may have released the port but still be running shutdown
   handlers that kill the new process via shared app directory state.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/app/deployment.rs b/src/app/deployment.rs
@@ -448,20 +448,18 @@ impl DeploymentManager {
                     }
                 }
 
-                if self.check_port_in_use(port).await {
-                    let _ = tokio::process::Command::new("kill")
-                        .arg("-9")
-                        .arg("--")
-                        .arg(&pgid)
-                        .output()
-                        .await;
-                }
+                // Always SIGKILL the orphan group after port is free —
+                // the main process may have released the port but worker
+                // children can still be alive running shutdown handlers
+                // that interfere with the replacement process.
+                let _ = tokio::process::Command::new("kill")
+                    .arg("-9")
+                    .arg("--")
+                    .arg(&pgid)
+                    .output()
+                    .await;
 
-                // Wait for the orphan's entire process GROUP to fully
-                // exit, not just the main PID. With workers, the main
-                // process dies quickly but children may still be running
-                // their shutdown handlers (e.g. cleaning up PID/lock
-                // files) which can kill the replacement process.
+                // Wait for the entire process group to be gone
                 for _ in 0..20 {
                     sleep(Duration::from_millis(100)).await;
                     let alive = tokio::process::Command::new("kill")
diff --git a/src/app/mod.rs b/src/app/mod.rs
@@ -1517,6 +1517,12 @@ impl AppManager {
                 };
 
                 if should_failover {
+                    // Kill the dead process's entire group to clean up
+                    // any surviving worker processes. The main process is
+                    // dead but workers (started via --workers N) may still
+                    // be running and could interfere with the replacement.
+                    kill_process_group(exit.pid).await;
+
                     // Clear the dead PID so health checks and routing
                     // know this slot is gone
                     {
