proc-janitor 0.4.0

Automatic orphan process cleaner daemon for macOS/Linux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355

use anyhow::Result;
use regex::Regex;
use serde::Serialize;
use std::collections::HashMap;
use std::time::Instant;
use sysinfo::{ProcessRefreshKind, RefreshKind, System};

use crate::config::Config;

/// Detect if we're running inside a container.
/// In containers, all processes have PPID=1 which would cause false positives.
fn detect_container_environment() -> bool {
    // Check for Docker
    if std::path::Path::new("/.dockerenv").exists() {
        return true;
    }
    // Check for common container cgroup indicators
    if let Ok(cgroup) = std::fs::read_to_string("/proc/1/cgroup") {
        if cgroup.contains("docker") || cgroup.contains("kubepods") || cgroup.contains("containerd")
        {
            return true;
        }
    }
    // Check for container environment variables
    if std::env::var("KUBERNETES_SERVICE_HOST").is_ok() {
        return true;
    }
    false
}

/// Represents an orphaned process detected by the scanner
#[derive(Debug, Clone, Serialize)]
pub struct OrphanProcess {
    pub pid: u32,
    pub name: String,
    pub cmdline: String,
    #[serde(skip)]
    pub first_seen: Instant,
    pub start_time: u64, // Process start time for identity verification
}

/// Result of a scan operation (detection only, no killing)
#[derive(Debug, Serialize)]
pub struct ScanResult {
    pub orphans: Vec<OrphanProcess>,
    pub orphan_count: usize,
}

/// Scanner tracks and identifies orphaned processes
pub struct Scanner {
    config: Config,
    tracked: HashMap<u32, OrphanProcess>,
    target_patterns: Vec<Regex>,
    whitelist_patterns: Vec<Regex>,
}

impl Scanner {
    /// Create a new Scanner with the given configuration
    pub fn new(config: Config) -> Result<Self> {
        // Pre-compile regex patterns
        let target_patterns = config
            .targets
            .iter()
            .map(|p| Regex::new(p))
            .collect::<std::result::Result<Vec<_>, _>>()
            .map_err(|e| anyhow::anyhow!("Invalid target regex pattern in configuration: {e}"))?;

        let whitelist_patterns = config
            .whitelist
            .iter()
            .map(|p| Regex::new(p))
            .collect::<std::result::Result<Vec<_>, _>>()
            .map_err(|e| {
                anyhow::anyhow!("Invalid whitelist regex pattern in configuration: {e}")
            })?;

        if target_patterns.is_empty() {
            tracing::warn!(
                "No target patterns configured. Scanner will not detect any orphaned processes. \
                            Run 'proc-janitor config init' to set up target patterns."
            );
        }

        if detect_container_environment() {
            tracing::warn!(
                "Container environment detected. All processes may appear as orphans (PPID=1). \
                 proc-janitor may not work correctly inside containers."
            );
        }

        Ok(Self {
            config,
            tracked: HashMap::new(),
            target_patterns,
            whitelist_patterns,
        })
    }

    /// Scan the process table and return orphaned processes that exceed grace period.
    /// Includes orphan roots (PPID=1) and their descendant processes that match targets.
    pub fn scan(&mut self) -> Result<Vec<OrphanProcess>> {
        let mut sys = System::new_with_specifics(
            RefreshKind::new().with_processes(ProcessRefreshKind::everything()),
        );
        sys.refresh_processes(sysinfo::ProcessesToUpdate::All);

        let now = Instant::now();
        let mut current_orphans = Vec::new();
        let mut current_pids = std::collections::HashSet::new();

        // Phase 1: Build parent→children map
        let mut children_map: HashMap<u32, Vec<u32>> = HashMap::new();
        for (pid, process) in sys.processes() {
            let pid_u32 = pid.as_u32();
            current_pids.insert(pid_u32);
            if let Some(ppid) = process.parent() {
                children_map.entry(ppid.as_u32()).or_default().push(pid_u32);
            }
        }

        // Phase 2: Find orphan target roots (PPID=1 + matches target + not whitelisted)
        // and expand to include all their descendants
        let mut orphan_tree_pids = std::collections::HashSet::new();
        for (pid, process) in sys.processes() {
            if !is_orphan(process) {
                continue;
            }
            let cmdline = get_cmdline(process);
            if cmdline.is_empty() {
                continue;
            }
            if !self.matches_target(&cmdline) {
                continue;
            }
            if self.is_whitelisted(&cmdline) {
                continue;
            }
            let pid_u32 = pid.as_u32();
            orphan_tree_pids.insert(pid_u32);
            collect_descendants(pid_u32, &children_map, &mut orphan_tree_pids);
        }

        // Phase 3: Collect all cleanable processes from orphan trees
        for (pid, process) in sys.processes() {
            let pid_u32 = pid.as_u32();

            if !orphan_tree_pids.contains(&pid_u32) {
                continue;
            }

            let cmdline = get_cmdline(process);
            if cmdline.is_empty() {
                continue;
            }

            // Descendants must also match target patterns (don't kill unrelated children)
            if !self.matches_target(&cmdline) {
                continue;
            }
            if self.is_whitelisted(&cmdline) {
                continue;
            }

            // Track this process
            let orphan = self
                .tracked
                .entry(pid_u32)
                .or_insert_with(|| OrphanProcess {
                    pid: pid_u32,
                    name: process.name().to_string_lossy().to_string(),
                    cmdline: cmdline.clone(),
                    first_seen: now,
                    start_time: process.start_time(),
                });

            // Check if grace period has elapsed
            let elapsed = now.duration_since(orphan.first_seen);
            if elapsed.as_secs() >= self.config.grace_period {
                current_orphans.push(orphan.clone());
            }
        }

        // Remove processes that are no longer running
        self.tracked.retain(|pid, _| current_pids.contains(pid));

        Ok(current_orphans)
    }

    /// Check if the command line matches any of the target patterns
    fn matches_target(&self, cmdline: &str) -> bool {
        self.target_patterns.iter().any(|re| re.is_match(cmdline))
    }

    /// Check if the command line is whitelisted
    fn is_whitelisted(&self, cmdline: &str) -> bool {
        self.whitelist_patterns
            .iter()
            .any(|re| re.is_match(cmdline))
    }
}

/// Extract command line from a process as a single string
fn get_cmdline(process: &sysinfo::Process) -> String {
    process
        .cmd()
        .iter()
        .map(|s| s.to_string_lossy().to_string())
        .collect::<Vec<String>>()
        .join(" ")
}

/// Recursively collect all descendant PIDs of a given process
fn collect_descendants(
    pid: u32,
    children_map: &HashMap<u32, Vec<u32>>,
    result: &mut std::collections::HashSet<u32>,
) {
    if let Some(children) = children_map.get(&pid) {
        for &child in children {
            if result.insert(child) {
                collect_descendants(child, children_map, result);
            }
        }
    }
}

/// Check if a process is orphaned (PPID=1, reparented to init/launchd).
///
/// Note: In containers (Docker, etc.), all processes have PPID=1 since PID 1
/// is the container's init process. Running proc-janitor inside a container
/// would incorrectly flag all processes as orphans.
fn is_orphan(process: &sysinfo::Process) -> bool {
    process.parent().map(|p| p.as_u32()) == Some(1)
}

/// Public function for CLI scan command (creates a fresh Scanner each call).
/// Detection only — does not kill any processes.
pub fn scan() -> Result<ScanResult> {
    let mut config = Config::load()?;
    // CLI scan should show results immediately without grace period.
    // Grace period is only meaningful for the daemon which persists Scanner state.
    config.grace_period = 0;
    let mut scanner = Scanner::new(config)?;
    scan_with_scanner(&mut scanner)
}

/// Scan using an existing Scanner instance, preserving tracked state across calls.
/// This is used by the daemon to maintain grace_period tracking between scan cycles.
/// Detection only — does not kill any processes.
pub fn scan_with_scanner(scanner: &mut Scanner) -> Result<ScanResult> {
    let orphans = scanner.scan()?;
    let orphan_count = orphans.len();

    Ok(ScanResult {
        orphans,
        orphan_count,
    })
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_container_detection_on_host() {
        // On a normal macOS/Linux host, this should return false
        // (unless you're actually running tests in a container)
        let result = detect_container_environment();
        // We can't assert false because CI might run in containers
        // Just verify it doesn't panic
        let _ = result;
    }

    #[test]
    fn test_is_orphan_check() {
        // Just verify the function exists and can be compiled
        // Actual orphan detection requires a real Process object
        // which we can't easily mock
    }

    #[test]
    fn test_scanner_new_with_empty_targets() {
        let config = Config {
            scan_interval: 5,
            grace_period: 30,
            sigterm_timeout: 5,
            targets: vec![],
            whitelist: vec![],
            logging: crate::config::LoggingConfig {
                enabled: false,
                path: "/tmp/test".to_string(),
                retention_days: 7,
            },
        };
        let scanner = Scanner::new(config);
        assert!(scanner.is_ok());
    }

    #[test]
    fn test_scanner_new_with_invalid_regex() {
        let config = Config {
            scan_interval: 5,
            grace_period: 30,
            sigterm_timeout: 5,
            targets: vec!["[invalid".to_string()],
            whitelist: vec![],
            logging: crate::config::LoggingConfig {
                enabled: false,
                path: "/tmp/test".to_string(),
                retention_days: 7,
            },
        };
        let scanner = Scanner::new(config);
        assert!(scanner.is_err());
    }

    #[test]
    fn test_scanner_matches_target() {
        let config = Config {
            scan_interval: 5,
            grace_period: 30,
            sigterm_timeout: 5,
            targets: vec!["node.*claude".to_string(), "python".to_string()],
            whitelist: vec!["node.*server".to_string()],
            logging: crate::config::LoggingConfig {
                enabled: false,
                path: "/tmp/test".to_string(),
                retention_days: 7,
            },
        };
        let scanner = Scanner::new(config).unwrap();
        assert!(scanner.matches_target("node --experimental-vm-modules claude"));
        assert!(scanner.matches_target("python script.py"));
        assert!(!scanner.matches_target("cargo build"));
    }

    #[test]
    fn test_scanner_whitelist() {
        let config = Config {
            scan_interval: 5,
            grace_period: 30,
            sigterm_timeout: 5,
            targets: vec!["node".to_string()],
            whitelist: vec!["node.*server".to_string()],
            logging: crate::config::LoggingConfig {
                enabled: false,
                path: "/tmp/test".to_string(),
                retention_days: 7,
            },
        };
        let scanner = Scanner::new(config).unwrap();
        assert!(scanner.is_whitelisted("node express-server"));
        assert!(!scanner.is_whitelisted("node claude-mcp"));
    }
}