Fix owned process handle audit regressions by brickfrog · Pull Request #574 · brickfrog/choir

brickfrog · 2026-06-13T00:35:30Z

What this PR does:

Adds pgid_is_alive(pgid) in src/sys using kill(-pgid, 0), treating EPERM as alive and pgid <= 1 as false.
Switches recovery liveness to probe the recorded process group rather than the group leader pid.
Keeps interpret_kill_agent defaults pure/inert and has dispatch inject real pgroup kill/pidfile deletion.
Extends hermetic /tmp native pgroup coverage for leader-exited/descendant-alive.

Audit citations:

Closes audit finding 1 from PR Replace /proc process-table scanning with owned process-group handles in kill_agent #573 task contract: remove_pid_file default called @sys.delete_file_sync directly from src/tools/shutdown.mbt instead of using dispatch-injected deletion.
Closes audit finding 2 from PR Replace /proc process-table scanning with owned process-group handles in kill_agent #573 task contract: exec recovery liveness probed a recorded process-group id with pid_is_alive / kill(pgid, 0), missing live descendants after the leader exits.
Closes audit finding 3 from PR Replace /proc process-table scanning with owned process-group handles in kill_agent #573 task contract: pgroup tests only covered the leader-alive happy path.

Verification:

moon test --target native
moon build src/bin/choir_lint --target native && _build/native/debug/build/src/bin/choir_lint/choir_lint.exe
! grep -rn "list_pids_with_cwd_prefix|mcp_stdio_pids|read_proc_process_table_entries|process_table_ppid_from_proc_stat|ProcessTableEntry" src/
! grep -rn "choir_list_pids_with_cwd_prefix" src/sys/stub.c

Note: no .choir/audit-receipts directory was present in this leaf worktree, so the audit references cite the PR #573 task contract text.

Verification

Generated by Choir from commands executed in the leaf workspace.

Total tests: 2008, passed: 2008, failed: 0.

moon build src/bin/choir_lint --target native && _build/native/debug/build/src/bin/choir_lint/choir_lint.exe
- exit: 0
- head: fe1f87f
- output tail:

Finished. moon: no work to do

brickfrog added 2 commits June 12, 2026 19:32

test: cover pgid liveness recovery audit fixes

b2d7d90

fix: probe recorded process groups for recovery

fe1f87f

brickfrog merged commit 1bcc9f3 into feature/owned-process-handles Jun 13, 2026
1 check passed

brickfrog mentioned this pull request Jun 13, 2026

feat: kill agents via owned process-group handles, delete /proc scans #575

Merged

brickfrog deleted the feature/owned-process-handles.audit-fixes2-1781309936825-3356972-0 branch June 13, 2026 10:45