ORCH-111: watchdog proc_blocking alert on long-lived orphaned test processes #130

Merged

admin merged 14 commits from feature/ORCH-111-bug-watchdog-must-alert-on-lon into main 2026-06-15 09:14:22 +03:00

Conversation 0 Commits 14 Files Changed 31 +2204 -3

admin commented 2026-06-15 01:47:05 +03:00

Owner

Copy Link

ORCH-111 — Watchdog proc_blocking: alert on long-lived orphaned test processes

Closes the observability blind spot where orphaned pytest subprocesses (launched by the orchestrator itself in merge_gate.retest_branch / coverage_gate.measure_coverage) survive a timeout-kill of the agent (-9, ORCH-109), reparent onto tini and live for days — starving CPU and failing merge-gate re-test without raising any alert (the established incident: test_install_lite_script.py processes lived >2 days unnoticed).

What changed (strictly inside the observer)

• watchdog/collectors/proc.py (new, D3): stdlib-only /proc scan (under pid: host the container /proc reflects the host PID-namespace). Reads /proc/stat btime + SC_CLK_TCK, iterates numeric /proc/<pid>, matches cmdline by test-class pattern, parses /proc/<pid>/stat (field 22 starttime → age_s; 14+15 → cpu_s, informational). Read-only (no os.kill/signals/subprocess; never reads /proc/<pid>/environ), never-raise (per-pid race skipped; top-level → []). Pure parsers split from I/O.
• watchdog/signals.py (D4): pure proc_signals builder — per-entity Signal("proc_blocking", pid), active ⇔ age_s > proc_age_s; actionable RU detail (PID + age + truncated cmdline + CPU time).
• watchdog/core.py (D4/D7): opt-in tick() block gated on proc_enabled (disabled → zero overhead, byte-for-byte as before) + RECOVERY synthesis for a vanished process reusing the existing decision.decide()/AlertState (no new anti-spam logic — FR-5).
• watchdog/config.py (D5): WATCHDOG_PROC_ENABLED (default false, opt-in) / WATCHDOG_PROC_AGE_MIN (60) / WATCHDOG_PROC_PATTERNS (pytest) / WATCHDOG_PROC_COOLDOWN_S (1800), never-raise parsers. Default threshold (3600s) exceeds max(merge_retest_timeout_s=600, coverage_run_timeout_s=900) so a legit in-flight run never crosses it.
• docker-compose.yml (D6): pid: host on orchestrator-watchdog only (read-only privilege; not a volume → read-only-mounts invariant intact).

Invariants (AC-9)

src/**, /metrics, schema_version, STAGE_TRANSITIONS, QG_CHECKS, check_*, machine-verdict keys and the DB schema are byte-for-byte untouched. Deploy rebuilds only the sidecar; prod orchestrator is not restarted (NFR-3). Anti-false-positive and no overlap with agent_hung are by construction (cmdline scope + age threshold), not fragile cross-namespace PID matching.

Canon (AC-10 / NFR-5)

WATCHDOG_PROC_* synced .env.watchdog.example ↔ .env.example block (key-sync test green); documented in docs/deployment/LITE_SETUP.md §4 and docs/architecture/README.md.

Tests

• tests/watchdog/test_proc_blocking_signal.py — TC-01…TC-06 (builder, anti-FP, config/kill-switch, never-raise/read-only AST scan, anti-spam+recovery cycle, no-dup-with-agent_hung).
• tests/watchdog/test_proc_collector.py — /proc parsing fixtures (btime/pid-stat/cmdline/age/cpu/filtering/race).
• tests/watchdog/test_tick_proc_blocking_integration.py — TC-07 tick→dispatch + kill-switch-off + in-budget + collector-explodes.
• tests/watchdog/test_compose_service.py — positive pid: host (and prod must NOT have it); test_config_killswitch.py — proc-config defaults/env.

pytest tests/ -q → 1930 passed.

ADR: docs/work-items/ORCH-111/06-adr/ADR-001-watchdog-orphan-test-process-alert.md, cross-cutting docs/architecture/adr/adr-0041-watchdog-orphan-test-process-alert.md.

Refs: ORCH-111

🤖 Generated with Claude Code

## ORCH-111 — Watchdog `proc_blocking`: alert on long-lived orphaned test processes Closes the observability blind spot where orphaned `pytest` subprocesses (launched by the orchestrator itself in `merge_gate.retest_branch` / `coverage_gate.measure_coverage`) survive a timeout-kill of the agent (`-9`, ORCH-109), reparent onto tini and live for days — starving CPU and failing merge-gate re-test **without raising any alert** (the established incident: `test_install_lite_script.py` processes lived >2 days unnoticed). ### What changed (strictly inside the observer) - **`watchdog/collectors/proc.py` (new, D3):** stdlib-only `/proc` scan (under `pid: host` the container `/proc` reflects the host PID-namespace). Reads `/proc/stat` `btime` + `SC_CLK_TCK`, iterates numeric `/proc/<pid>`, matches `cmdline` by test-class pattern, parses `/proc/<pid>/stat` (field 22 `starttime` → `age_s`; 14+15 → `cpu_s`, informational). **Read-only** (no `os.kill`/signals/`subprocess`; **never** reads `/proc/<pid>/environ`), **never-raise** (per-pid race skipped; top-level → `[]`). Pure parsers split from I/O. - **`watchdog/signals.py` (D4):** pure `proc_signals` builder — per-entity `Signal("proc_blocking", pid)`, `active ⇔ age_s > proc_age_s`; actionable RU detail (PID + age + truncated cmdline + CPU time). - **`watchdog/core.py` (D4/D7):** opt-in `tick()` block gated on `proc_enabled` (disabled → zero overhead, byte-for-byte as before) + RECOVERY synthesis for a vanished process reusing the existing `decision.decide()`/`AlertState` (no new anti-spam logic — FR-5). - **`watchdog/config.py` (D5):** `WATCHDOG_PROC_ENABLED` (default **false**, opt-in) / `WATCHDOG_PROC_AGE_MIN` (60) / `WATCHDOG_PROC_PATTERNS` (`pytest`) / `WATCHDOG_PROC_COOLDOWN_S` (1800), never-raise parsers. Default threshold (3600s) **exceeds** `max(merge_retest_timeout_s=600, coverage_run_timeout_s=900)` so a legit in-flight run never crosses it. - **`docker-compose.yml` (D6):** `pid: host` on `orchestrator-watchdog` **only** (read-only privilege; not a volume → read-only-mounts invariant intact). ### Invariants (AC-9) `src/**`, `/metrics`, `schema_version`, `STAGE_TRANSITIONS`, `QG_CHECKS`, `check_*`, machine-verdict keys and the DB schema are **byte-for-byte untouched**. Deploy rebuilds **only** the sidecar; prod `orchestrator` is **not** restarted (NFR-3). Anti-false-positive and no overlap with `agent_hung` are **by construction** (cmdline scope + age threshold), not fragile cross-namespace PID matching. ### Canon (AC-10 / NFR-5) `WATCHDOG_PROC_*` synced `.env.watchdog.example` ↔ `.env.example` block (key-sync test green); documented in `docs/deployment/LITE_SETUP.md` §4 and `docs/architecture/README.md`. ### Tests - `tests/watchdog/test_proc_blocking_signal.py` — TC-01…TC-06 (builder, anti-FP, config/kill-switch, never-raise/read-only AST scan, anti-spam+recovery cycle, no-dup-with-agent_hung). - `tests/watchdog/test_proc_collector.py` — `/proc` parsing fixtures (btime/pid-stat/cmdline/age/cpu/filtering/race). - `tests/watchdog/test_tick_proc_blocking_integration.py` — TC-07 tick→dispatch + kill-switch-off + in-budget + collector-explodes. - `tests/watchdog/test_compose_service.py` — positive `pid: host` (and prod must NOT have it); `test_config_killswitch.py` — proc-config defaults/env. `pytest tests/ -q` → **1930 passed**. ADR: `docs/work-items/ORCH-111/06-adr/ADR-001-watchdog-orphan-test-process-alert.md`, cross-cutting `docs/architecture/adr/adr-0041-watchdog-orphan-test-process-alert.md`. Refs: ORCH-111 🤖 Generated with [Claude Code](https://claude.com/claude-code)

admin added 6 commits 2026-06-15 02:14:25 +03:00

docs: init ORCH-111 business request a0526e1def

analyst(ET): auto-commit from analyst run_id=674 44adcba389

architect(ET): auto-commit from architect run_id=675 7298f11064

feat(watchdog): proc_blocking alert for orphaned long-lived test processes ... 2e73ccf090

Close the observability gap between agent_hung (only tracked jobs by jobs.pid)
and orphaned pytest subprocesses the orchestrator launches itself
(merge_gate.retest_branch / coverage_gate.measure_coverage). On a timeout-kill of
the agent (-9, ORCH-109) the grand-child pytest reparents onto tini and keeps
running for days, starving CPU and failing merge-gate re-test — with no alert.

Strictly inside the observer (watchdog/** + the watchdog compose service):
- watchdog/collectors/proc.py: stdlib-only /proc scan (under pid: host),
  read-only, never-raise -> []; pure parsers split from I/O (tested on a fake
  /proc tree). Never reads /proc/<pid>/environ.
- watchdog/signals.py: pure proc_signals builder, per-entity
  ("proc_blocking", pid), active iff age_s > proc_age_s; actionable RU detail.
- watchdog/core.py: opt-in tick block (gated on proc_enabled -> zero overhead /
  byte-for-byte when off) + RECOVERY synthesis for a vanished process through the
  existing decide()/AlertState (no new anti-spam logic).
- watchdog/config.py: WATCHDOG_PROC_{ENABLED(false),AGE_MIN(60),PATTERNS(pytest),
  COOLDOWN_S(1800)}; default threshold > max(merge_retest_timeout_s=600,
  coverage_run_timeout_s=900) so a legit in-flight run never crosses it.
- docker-compose.yml: pid: host on orchestrator-watchdog ONLY (read-only privilege).

Anti-false-positive and no overlap with agent_hung are by construction (cmdline
scope + age threshold), not fragile cross-namespace PID matching.

Canon synced: WATCHDOG_PROC_* in .env.watchdog.example <-> .env.example block;
documented in LITE_SETUP.md and docs/architecture/README.md (architect). src/**,
/metrics, schema_version, STAGE_TRANSITIONS, QG_CHECKS, check_*, machine-verdict
and the DB schema are untouched; deploy rebuilds only the sidecar, prod
orchestrator is not restarted (NFR-3).

Tests: tests/watchdog/test_proc_blocking_signal.py (TC-01..TC-06),
test_proc_collector.py (/proc parsing), test_tick_proc_blocking_integration.py
(TC-07), plus pid: host and proc-config assertions. Full pytest tests/ green (1930).

Refs: ORCH-111
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

reviewer(ET): auto-commit from reviewer run_id=677 96701a1a2d

tester(ET): auto-commit from tester run_id=678 1fbfb941a9

admin force-pushed feature/ORCH-111-bug-watchdog-must-alert-on-lon from 7fe552909d to 1fbfb941a9 2026-06-15 02:14:25 +03:00 Compare

admin added 1 commit 2026-06-15 02:40:06 +03:00

chore(ORCH-111): retrigger merge-gate re-test (flaked under host CPU starvation) ... 4311720c39

The merge-gate re-test bounced ORCH-111 to development with 1 failed + 40
errors in 488s — a resource-exhaustion signature, NOT a code defect:

- This branch is watchdog-only (watchdog/** + compose); it touches no src/,
  no STAGE_TRANSITIONS/QG_CHECKS/check_*, and no tests/test_stage_engine.py.
- The failing tests (test_stage_engine.py::TestStagingInfraTolerance
  tc02/tc12/tc13/tc14) are outside this branch's scope, pass in isolation
  (5 passed/19s), and pass right after the new watchdog tests (105 passed).
  tc14 takes NO fixtures yet "errored" — a systemic/host failure, not logic.
- Host load was ~10-12 on a 4-core box at re-test time (the exact orphaned-
  pytest CPU-starvation incident ORCH-111 alerts on; ORCH-111 by design only
  observes, it does not reap — BR-3).

Evidence the branch is sound: full `pytest tests/` is green locally
(1933 passed, 0 failed, 0 errors in 267s, well under the 600s budget) and
Gitea CI on the branch HEAD is green (push + pull_request). Empty commit to
re-run the pipeline now that host load has dropped (10.5 -> 6).

Refs: ORCH-111
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

admin added 1 commit 2026-06-15 02:43:36 +03:00

developer(ET): auto-commit from developer run_id=680 27b85144c2

admin added 1 commit 2026-06-15 02:43:44 +03:00

deploy(ORCH-036): finalize FAILED for ORCH-111 007a9ad47d

admin added 1 commit 2026-06-15 08:31:51 +03:00

reviewer(ET): auto-commit from reviewer run_id=681 521a72e702

admin added 1 commit 2026-06-15 08:43:59 +03:00

tester(ET): auto-commit from tester run_id=682 3f16b77d2b

admin added 1 commit 2026-06-15 08:47:49 +03:00

deploy-staging(ORCH-111): staging gate SUCCESS (8/10 PASS, C9a/C9b infra-waived) ... d1e8346605

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

admin added 1 commit 2026-06-15 09:13:19 +03:00

chore(ORCH-111): retrigger merge-gate re-test (2nd host CPU-starvation flake) ... 2d0d654022

The deploy-edge merge-gate re-test bounced ORCH-111 back to development again
with `3 failed, 1916 passed, 14 errors in 444.79s` — a resource-exhaustion
signature, NOT a code defect. This is the SECOND occurrence of the identical
flake on this branch (cf. 4311720).

Evidence the branch is sound:
- Watchdog-only change (watchdog/** + docker-compose.yml + docs). It touches no
  src/, no STAGE_TRANSITIONS/QG_CHECKS/check_*, and none of the failing test
  files (tests/test_stage_engine.py, tests/test_orch109_timeout_model.py).
- The failures/errors are OUTSIDE this branch's scope:
  test_stage_engine.py::TestStagingInfraTolerance tc02/tc13/tc14 and
  test_orch109_timeout_model.py::TestContractsUnchanged::test_tc12. They pass in
  isolation (4 passed/5.9s) and were ERRORS (subprocess timeouts), not assertion
  failures — a systemic host failure, not logic.
- No pytest-randomly/-xdist installed -> deterministic order; merge-gate re-test
  and a local run execute the same order on the same code.
- The failed run took 444.79s vs a clean local full run of 204.72s (2x slower):
  the orphaned-pytest CPU-starvation incident ORCH-111 itself alerts on. By
  design ORCH-111 only observes; it does not reap (ADR BR-3).

Full `pytest tests/` is green locally: 1933 passed, 0 failed, 0 errors in
204.72s (well under the 600s merge_retest budget), and the local run was FASTER
than the prior retrigger's (267s) -> host load is currently low. Empty commit to
re-run CI + the pipeline now.

NOTE (operator): until the orphaned host pytest processes are cleaned up, the
merge-gate re-test can keep flaking. ORCH-111 detects them (proc_blocking,
default-off) but does not reap them (BR-3) -> manual host cleanup is the durable
fix; a follow-up work item for reap/remediation is recommended.

Refs: ORCH-111
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

admin added 1 commit 2026-06-15 09:14:13 +03:00

deploy(ORCH-036): finalize SUCCESS for ORCH-111 da599e8736

admin merged commit b6c9d27e9c into main 2026-06-15 09:14:22 +03:00

admin referenced this issue from a commit 2026-06-15 09:14:24 +03:00

Merge pull request 'ORCH-111: watchdog proc_blocking alert on long-lived orphaned test processes' (#130) from feature/ORCH-111-bug-watchdog-must-alert-on-lon into main

admin referenced this issue from a commit 2026-06-15 17:37:23 +03:00

fix(stage-engine): durable transition-ownership lease + expected-stage CAS (ORCH-114)

admin referenced this pull request 2026-06-15 17:37:58 +03:00

ORCH-114: durable transition-ownership lease + expected-stage CAS (fix double-effect/rollback↔done class) #138

admin referenced this issue from a commit 2026-06-15 19:28:41 +03:00

fix(stage-engine): durable transition-ownership lease + expected-stage CAS (ORCH-114)

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

admin

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: admin/orchestrator#130