sqlite_graphrag/signals.rs
1//! Cross-platform signal handling: SIGINT, SIGTERM, SIGHUP.
2
3use std::sync::atomic::Ordering;
4
5/// Registers the global shutdown handler for Ctrl+C / SIGTERM / SIGHUP.
6///
7/// First signal: sets [`SHUTDOWN`](crate::SHUTDOWN) flag, cancels the global
8/// cancellation token and emits a best-effort notice on stderr.
9///
10/// Second signal: calls [`std::process::exit(130)`] for immediate termination
11/// following Unix convention (128 + SIGINT=2) — with ZERO I/O on that path.
12///
13/// # G42/S8 — panic-free by contract
14///
15/// The pre-v1.0.79 handler used `eprintln!` (second signal) and
16/// `tracing::warn!` (first signal). When the parent shell dies the CLI is
17/// reparented to PID 1 and stderr becomes a CLOSED pipe; `eprintln!` then
18/// panics with `BrokenPipe`, which under `panic = "abort"` becomes the
19/// SIGABRT observed on the "ctrl-c" thread (G42/C2 crash report). This
20/// handler therefore:
21/// - writes the first-signal notice with `writeln!` and IGNORES any I/O
22/// error (`let _ =`), never panicking;
23/// - performs NO I/O at all on the forced-exit path.
24///
25/// BrokenPipe on stdout/stderr elsewhere is handled by resetting SIGPIPE
26/// to its default disposition in `main` (clean exit 141, Unix convention).
27pub fn register_shutdown_handler() {
28 // SIGINT: ctrlc crate (cross-platform, the only signal that works on
29 // both Unix and Windows without a tokio runtime).
30 if let Err(e) = ctrlc::set_handler(move || {
31 handle_first_signal("SIGINT", 2);
32 }) {
33 tracing::warn!(target: "signals", error = %e, "SIGINT handler registration failed");
34 }
35
36 // SIGTERM + SIGHUP: signal-hook (Unix only; Windows uses TerminateProcess
37 // for SIGTERM equivalents and has no SIGHUP).
38 #[cfg(unix)]
39 {
40 use std::sync::mpsc;
41 let (tx, rx) = mpsc::channel::<i32>();
42
43 let mut signals = match signal_hook::iterator::Signals::new([
44 signal_hook::consts::SIGTERM,
45 signal_hook::consts::SIGHUP,
46 ]) {
47 Ok(s) => s,
48 Err(e) => {
49 tracing::warn!(target: "signals", error = %e, "SIGTERM/SIGHUP handler registration failed");
50 return;
51 }
52 };
53
54 // Detached thread: lives until process exit. The kernel kills it
55 // automatically on process termination. We do NOT join it because
56 // that would require the CLI to wait for an indeterminate signal.
57 std::thread::Builder::new()
58 .name("sqlite-graphrag-sigterm".into())
59 .spawn(move || {
60 for sig in signals.forever() {
61 if tx.send(sig).is_err() {
62 break;
63 }
64 }
65 })
66 .inspect_err(|e| tracing::warn!(target: "signals", error = %e, "SIGTERM/SIGHUP handler thread spawn failed"))
67 .ok();
68
69 // Drain thread: blocks on the channel and calls the same handler
70 // used by the SIGINT path. Synchronous main() can't await this,
71 // but the channel is bounded so a 100ms wait is fine.
72 std::thread::Builder::new()
73 .name("sqlite-graphrag-sigterm-drain".into())
74 .spawn(move || {
75 while let Ok(sig) = rx.recv() {
76 let (name, number) = match sig {
77 libc::SIGTERM => ("SIGTERM", 15u8),
78 libc::SIGHUP => ("SIGHUP", 1u8),
79 _ => continue,
80 };
81 handle_first_signal(name, number);
82 }
83 })
84 .inspect_err(|e| tracing::warn!(target: "signals", error = %e, "SIGTERM drain thread spawn failed"))
85 .ok();
86 }
87}
88
89/// First-signal handler shared by both SIGINT (via crate) and
90/// SIGTERM/SIGHUP (via signal-hook).
91///
92/// Idempotent: only the first invocation does work. The Ctrl+C handler is
93/// synchronous (no tokio runtime is built in the LLM-only main path).
94/// The SIGTERM/SIGHUP task is async but the underlying work is atomic via
95/// the fetch_add pattern.
96fn handle_first_signal(signal_name: &'static str, signal_number: u8) {
97 let prev = crate::SIGNAL_COUNT.fetch_add(1, Ordering::AcqRel);
98 if prev != 0 {
99 // Second signal: forced shutdown, NO I/O (G42/S8).
100 std::process::exit(130);
101 }
102 crate::SHUTDOWN.store(true, Ordering::Release);
103 crate::SIGNAL_NUMBER.store(signal_number, Ordering::Release);
104 crate::cancel_token().cancel();
105
106 // Best-effort stderr notice: closed pipe must NEVER abort (G42/S8).
107 use std::io::Write;
108 let _ = writeln!(
109 std::io::stderr(),
110 "shutdown signal received ({signal_name}); finishing current operation gracefully"
111 );
112
113 // GAP-002 (v1.0.82): emit JSON envelope to stdout before exit so that
114 // piped consumers receive a parseable error with `code: 19`
115 // (SHUTDOWN_EXIT_CODE) instead of an empty stdout that triggers
116 // a parse error. Best-effort: if stdout is closed, writeln fails
117 // silently.
118 let envelope = format!(
119 "{{\"error\":true,\"code\":19,\"message\":\"shutdown signal received; operation cancelled by {signal_name}\",\"signal\":\"{signal_name}\",\"graceful\":true}}"
120 );
121 let mut stdout = std::io::stdout().lock();
122 let _ = writeln!(stdout, "{envelope}");
123 let _ = stdout.flush();
124}
125
126#[cfg(test)]
127mod tests {
128 /// G42/S8 regression guard: the SHARED `handle_first_signal` function
129 /// (called by both the SIGINT ctrlc closure and the SIGTERM/SIGHUP
130 /// signal-hook drain) must not contain `eprintln!` or `tracing::warn!`
131 /// — both can panic (and abort under `panic = "abort"`) when stderr
132 /// is a closed pipe in an orphaned process.
133 #[test]
134 fn handler_source_has_no_panicking_io() {
135 let source = include_str!("signals.rs");
136 // The shared first-signal body starts at `fn handle_first_signal`
137 // and ends at the closing brace of the function. We locate the
138 // start of the next free-standing function or the test module
139 // as the boundary.
140 let body_start = source
141 .find("fn handle_first_signal(")
142 .expect("handle_first_signal must exist");
143 let after_body = source[body_start..]
144 .find("\nfn ")
145 .or_else(|| source[body_start..].find("\n#[cfg(test)]"))
146 .expect("body boundary not found");
147 let body = &source[body_start..body_start + after_body];
148 assert!(
149 !body.contains("eprintln!"),
150 "handle_first_signal must not use eprintln! (BrokenPipe panic, G42/C2)"
151 );
152 assert!(
153 !body.contains("tracing::"),
154 "handle_first_signal must not use tracing (stderr I/O can panic, G42/C2)"
155 );
156 assert!(
157 body.contains("let _ = writeln!"),
158 "first-signal notice must be a best-effort write"
159 );
160 assert!(
161 body.contains("std::process::exit(130)"),
162 "forced-exit path must remain in the shared handler"
163 );
164 }
165
166 /// GAP-002 (v1.0.82) regression guard: the JSON envelope must use
167 /// the deterministic SHUTDOWN_EXIT_CODE (19) so LLM agents can
168 /// branch on a single code regardless of the triggering signal.
169 #[test]
170 fn envelope_uses_shutdown_exit_code() {
171 let source = include_str!("signals.rs");
172 // The envelope format string contains "code":19.
173 assert!(
174 source.contains("\\\"code\\\":19"),
175 "shutdown envelope must embed SHUTDOWN_EXIT_CODE = 19"
176 );
177 }
178
179 /// GAP-002 (v1.0.82) regression guard: `AppError::Shutdown` is the
180 /// canonical error variant for shutdown. Constants and i18n are
181 /// wired in lock-step — if SHUTDOWN_EXIT_CODE drifts away from 19,
182 /// this test fails.
183 #[test]
184 fn shutdown_exit_code_is_19() {
185 use crate::constants::SHUTDOWN_EXIT_CODE;
186 assert_eq!(SHUTDOWN_EXIT_CODE, 19);
187 }
188}