fix: Harden workspace cleanup lifecycle

Treat inaccessible PIDs as live, require daemon instance identity before
live-owner cleanup, and make force-stop verify the current registry entry
before signaling or unregistering daemon files.

Move MCP startup cleanup off the stdio critical path and report embedded
shutdown cleanup errors as failures. Normalize unstable Swift Testing
snapshot progress while preserving stable failure summaries.

Co-Authored-By: OpenAI Codex <noreply@openai.com>

Author: cameroncooke

src/cli/__tests__/daemon-control-race.test.ts

@@ -0,0 +1,93 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import type { DaemonRegistryEntry } from '../../daemon/daemon-registry.ts';
+
+const originalEntry: DaemonRegistryEntry = {
+  workspaceKey: 'workspace-a',
+  workspaceRoot: '/workspaces/workspace-a',
+  socketPath: '/tmp/xcodebuildmcp-daemon.sock',
+  pid: 123_456,
+  startedAt: '2026-05-05T00:00:00.000Z',
+  enabledWorkflows: ['build'],
+  version: '1.0.0',
+  instanceId: 'daemon-instance-a',
+};
+
+const changedEntry: DaemonRegistryEntry = {
+  ...originalEntry,
+  instanceId: 'daemon-instance-b',
+};
+
+const registryMocks = vi.hoisted(() => ({
+  cleanupWorkspaceDaemonFiles: vi.fn(),
+  findDaemonRegistryEntryBySocketPath: vi.fn(),
+  isPidAlive: vi.fn(),
+  readDaemonRegistryEntry: vi.fn(),
+  release: vi.fn(),
+}));
+
+vi.mock('../../daemon/daemon-registry.ts', () => ({
+  acquireDaemonRegistryMutationLock: vi.fn(() => ({
+    workspaceKey: 'workspace-a',
+    release: registryMocks.release,
+  })),
+  cleanupWorkspaceDaemonFiles: registryMocks.cleanupWorkspaceDaemonFiles,
+  findDaemonRegistryEntryBySocketPath: registryMocks.findDaemonRegistryEntryBySocketPath,
+  readDaemonRegistryEntry: registryMocks.readDaemonRegistryEntry,
+}));
+
+vi.mock('../../utils/process-liveness.ts', () => ({
+  isPidAlive: registryMocks.isPidAlive,
+}));
+
+import { forceStopDaemon } from '../daemon-control.ts';
+
+describe('daemon control force-stop registry races', () => {
+  beforeEach(() => {
+    registryMocks.cleanupWorkspaceDaemonFiles.mockReset();
+    registryMocks.findDaemonRegistryEntryBySocketPath.mockReset();
+    registryMocks.isPidAlive.mockReset();
+    registryMocks.readDaemonRegistryEntry.mockReset();
+    registryMocks.release.mockReset();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it('sends the initial signal before releasing the registry mutation lock', async () => {
+    registryMocks.findDaemonRegistryEntryBySocketPath.mockReturnValue(originalEntry);
+    registryMocks.readDaemonRegistryEntry.mockReturnValue(originalEntry);
+    registryMocks.isPidAlive.mockReturnValue(false);
+    const kill = vi.spyOn(process, 'kill').mockImplementation(() => {
+      expect(registryMocks.release).not.toHaveBeenCalled();
+      return true;
+    });
+
+    await forceStopDaemon(originalEntry.socketPath);
+
+    expect(kill).toHaveBeenCalledWith(originalEntry.pid, 'SIGTERM');
+    expect(registryMocks.release).toHaveBeenCalledOnce();
+    expect(registryMocks.cleanupWorkspaceDaemonFiles).toHaveBeenCalledWith(
+      originalEntry.workspaceKey,
+      {
+        pid: originalEntry.pid,
+        socketPath: originalEntry.socketPath,
+        instanceId: originalEntry.instanceId,
+      },
+    );
+  });
+
+  it('does not signal when daemon metadata changes before the initial signal', async () => {
+    registryMocks.findDaemonRegistryEntryBySocketPath.mockReturnValue(originalEntry);
+    registryMocks.readDaemonRegistryEntry.mockReturnValue(changedEntry);
+    const kill = vi.spyOn(process, 'kill').mockImplementation(() => true);
+
+    await expect(forceStopDaemon(originalEntry.socketPath)).rejects.toThrow(
+      'daemon registry metadata changed',
+    );
+
+    expect(kill).not.toHaveBeenCalled();
+    expect(registryMocks.cleanupWorkspaceDaemonFiles).not.toHaveBeenCalled();
+    expect(registryMocks.release).toHaveBeenCalledOnce();
+  });
+});

src/cli/__tests__/daemon-control.test.ts

@@ -0,0 +1,150 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import * as path from 'node:path';
+import { forceStopDaemon } from '../daemon-control.ts';
+import {
+  readDaemonRegistryEntry,
+  type DaemonRegistryEntry,
+  writeDaemonRegistryEntry,
+} from '../../daemon/daemon-registry.ts';
+import {
+  daemonDirForWorkspaceKey,
+  setDaemonRunDirOverrideForTests,
+} from '../../daemon/socket-path.ts';
+import { setXcodeBuildMCPAppDirOverrideForTests } from '../../utils/log-paths.ts';
+
+const daemonPid = 123_456;
+
+function createMissingPidError(): NodeJS.ErrnoException {
+  const error = new Error('no such process') as NodeJS.ErrnoException;
+  error.code = 'ESRCH';
+  return error;
+}
+
+function createEntry(overrides: Partial<DaemonRegistryEntry> = {}): DaemonRegistryEntry {
+  const workspaceKey = overrides.workspaceKey ?? 'workspace-a';
+  return {
+    workspaceKey,
+    workspaceRoot: `/workspaces/${workspaceKey}`,
+    socketPath: path.join(daemonDirForWorkspaceKey(workspaceKey), 'd.sock'),
+    pid: daemonPid,
+    startedAt: '2026-05-05T00:00:00.000Z',
+    enabledWorkflows: ['build'],
+    version: '1.0.0',
+    instanceId: 'daemon-instance-a',
+    ...overrides,
+  };
+}
+
+describe('daemon control', () => {
+  let appDir: string;
+  let daemonRunDir: string;
+
+  beforeEach(() => {
+    appDir = mkdtempSync(path.join(tmpdir(), 'xcodebuildmcp-daemon-control-app-'));
+    daemonRunDir = mkdtempSync(path.join(tmpdir(), 'xcodebuildmcp-daemon-control-run-'));
+    setXcodeBuildMCPAppDirOverrideForTests(appDir);
+    setDaemonRunDirOverrideForTests(daemonRunDir);
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+    setXcodeBuildMCPAppDirOverrideForTests(null);
+    setDaemonRunDirOverrideForTests(null);
+    rmSync(appDir, { recursive: true, force: true });
+    rmSync(daemonRunDir, { recursive: true, force: true });
+  });
+
+  it('does not unlink sockets without registry metadata', async () => {
+    const socketPath = path.join(daemonRunDir, 'missing-registry.sock');
+    mkdirSync(path.dirname(socketPath), { recursive: true, mode: 0o700 });
+    writeFileSync(socketPath, 'socket placeholder');
+
+    await expect(forceStopDaemon(socketPath)).rejects.toThrow('registry metadata is missing');
+
+    expect(existsSync(socketPath)).toBe(true);
+  });
+
+  it('unregisters daemon files only after SIGTERM stops the process', async () => {
+    const entry = createEntry();
+    writeDaemonRegistryEntry(entry);
+    mkdirSync(path.dirname(entry.socketPath), { recursive: true, mode: 0o700 });
+    writeFileSync(entry.socketPath, 'socket placeholder');
+    let alive = true;
+    const kill = vi.spyOn(process, 'kill').mockImplementation(((
+      _pid: number,
+      signal?: string | number,
+    ) => {
+      if (signal === 0) {
+        if (alive) {
+          return true;
+        }
+        throw createMissingPidError();
+      }
+      if (signal === 'SIGTERM') {
+        alive = false;
+      }
+      return true;
+    }) as typeof process.kill);
+
+    await forceStopDaemon(entry.socketPath);
+
+    expect(kill).toHaveBeenCalledWith(entry.pid, 'SIGTERM');
+    expect(readDaemonRegistryEntry(entry.workspaceKey)).toBeNull();
+    expect(existsSync(entry.socketPath)).toBe(false);
+  });
+
+  it('uses SIGKILL when the process stays alive after SIGTERM', async () => {
+    vi.useFakeTimers();
+    const entry = createEntry();
+    writeDaemonRegistryEntry(entry);
+    mkdirSync(path.dirname(entry.socketPath), { recursive: true, mode: 0o700 });
+    writeFileSync(entry.socketPath, 'socket placeholder');
+    let alive = true;
+    const kill = vi.spyOn(process, 'kill').mockImplementation(((
+      _pid: number,
+      signal?: string | number,
+    ) => {
+      if (signal === 0) {
+        if (alive) {
+          return true;
+        }
+        throw createMissingPidError();
+      }
+      if (signal === 'SIGKILL') {
+        alive = false;
+      }
+      return true;
+    }) as typeof process.kill);
+
+    const stopped = forceStopDaemon(entry.socketPath);
+    await vi.advanceTimersByTimeAsync(1500);
+    await stopped;
+
+    expect(kill).toHaveBeenCalledWith(entry.pid, 'SIGTERM');
+    expect(kill).toHaveBeenCalledWith(entry.pid, 'SIGKILL');
+    expect(readDaemonRegistryEntry(entry.workspaceKey)).toBeNull();
+    expect(existsSync(entry.socketPath)).toBe(false);
+  });
+
+  it('preserves registry metadata and socket when the process remains alive', async () => {
+    vi.useFakeTimers();
+    const entry = createEntry();
+    writeDaemonRegistryEntry(entry);
+    mkdirSync(path.dirname(entry.socketPath), { recursive: true, mode: 0o700 });
+    writeFileSync(entry.socketPath, 'socket placeholder');
+    vi.spyOn(process, 'kill').mockImplementation((() => true) as typeof process.kill);
+
+    const stopped = forceStopDaemon(entry.socketPath);
+    const stoppedExpectation = expect(stopped).rejects.toThrow(
+      `Daemon PID ${entry.pid} did not exit after SIGKILL`,
+    );
+    await vi.advanceTimersByTimeAsync(3000);
+
+    await stoppedExpectation;
+    expect(readDaemonRegistryEntry(entry.workspaceKey)).toEqual(entry);
+    expect(existsSync(entry.socketPath)).toBe(true);
+  });
+});

src/cli/daemon-control.ts

@@ -1,12 +1,16 @@
 import { spawn } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
 import { dirname, resolve } from 'node:path';
-import { existsSync, unlinkSync } from 'node:fs';
+import { existsSync } from 'node:fs';
 import { DaemonClient, DaemonVersionMismatchError } from './daemon-client.ts';
 import {
+  acquireDaemonRegistryMutationLock,
   cleanupWorkspaceDaemonFiles,
   findDaemonRegistryEntryBySocketPath,
+  readDaemonRegistryEntry,
+  type DaemonRegistryEntry,
 } from '../daemon/daemon-registry.ts';
+import { isPidAlive } from '../utils/process-liveness.ts';
 
 /**
  * Default timeout for daemon startup in milliseconds.
@@ -18,6 +22,50 @@ export const DEFAULT_DAEMON_STARTUP_TIMEOUT_MS = 5000;
  */
 export const DEFAULT_POLL_INTERVAL_MS = 100;
 
+const FORCE_STOP_SIGNAL_TIMEOUT_MS = 1500;
+const FORCE_STOP_POLL_INTERVAL_MS = 50;
+
+async function waitForPidExit(pid: number, timeoutMs: number): Promise<boolean> {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    if (!isPidAlive(pid)) {
+      return true;
+    }
+    await new Promise((resolveDelay) => setTimeout(resolveDelay, FORCE_STOP_POLL_INTERVAL_MS));
+  }
+  return !isPidAlive(pid);
+}
+
+function validateCurrentRegistryEntry(
+  expectedEntry: DaemonRegistryEntry,
+  currentEntry: DaemonRegistryEntry | null,
+  socketPath: string,
+): void {
+  const matchesExpectedEntry =
+    currentEntry !== null &&
+    currentEntry.workspaceKey === expectedEntry.workspaceKey &&
+    currentEntry.socketPath === expectedEntry.socketPath &&
+    currentEntry.pid === expectedEntry.pid &&
+    currentEntry.instanceId === expectedEntry.instanceId;
+
+  if (!matchesExpectedEntry) {
+    throw new Error(`Cannot force-stop daemon at ${socketPath}: daemon registry metadata changed`);
+  }
+}
+
+function signalDaemonPid(pid: number, signal: NodeJS.Signals): boolean {
+  try {
+    process.kill(pid, signal);
+    return true;
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code === 'ESRCH') {
+      return false;
+    }
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to send ${signal} to daemon PID ${pid}: ${message}`);
+  }
+}
+
 /**
  * Get the path to the daemon executable.
  */
@@ -36,35 +84,40 @@ export function getDaemonExecutablePath(): string {
 
 /**
  * Force-stop a daemon that cannot be stopped gracefully (e.g. protocol version mismatch).
- * Derives the workspace key from the socket path, reads the registry for the PID,
- * sends SIGTERM, and removes the stale socket.
+ * Uses registry ownership metadata to stop the process before unregistering daemon files.
  */
 export async function forceStopDaemon(socketPath: string): Promise<void> {
   const entry = findDaemonRegistryEntryBySocketPath(socketPath);
-  if (entry?.pid) {
-    try {
-      process.kill(entry.pid, 'SIGTERM');
-    } catch {
-      // Process may already be gone.
-    }
-    // Brief wait for the process to exit.
-    await new Promise((resolve) => setTimeout(resolve, 500));
+  if (!entry) {
+    throw new Error(
+      `Cannot force-stop daemon at ${socketPath}: daemon registry metadata is missing`,
+    );
   }
-  if (entry) {
-    cleanupWorkspaceDaemonFiles(entry.workspaceKey, {
-      pid: entry.pid,
-      socketPath,
-      allowLiveOwner: true,
-    });
-  } else {
-    // Registry entry missing; cannot derive workspace key from socket path alone.
-    // Clean up the socket file directly.
-    try {
-      unlinkSync(socketPath);
-    } catch {
-      // Socket may already be gone.
+
+  const lock = acquireDaemonRegistryMutationLock(entry.workspaceKey);
+  if (!lock) {
+    throw new Error(`Unable to acquire daemon registry lock for ${entry.workspaceKey}`);
+  }
+
+  let termSent: boolean;
+  try {
+    validateCurrentRegistryEntry(entry, readDaemonRegistryEntry(entry.workspaceKey), socketPath);
+    termSent = signalDaemonPid(entry.pid, 'SIGTERM');
+  } finally {
+    lock.release();
+  }
+  if (termSent && !(await waitForPidExit(entry.pid, FORCE_STOP_SIGNAL_TIMEOUT_MS))) {
+    const killSent = signalDaemonPid(entry.pid, 'SIGKILL');
+    if (killSent && !(await waitForPidExit(entry.pid, FORCE_STOP_SIGNAL_TIMEOUT_MS))) {
+      throw new Error(`Daemon PID ${entry.pid} did not exit after SIGKILL`);
     }
   }
+
+  cleanupWorkspaceDaemonFiles(entry.workspaceKey, {
+    pid: entry.pid,
+    socketPath,
+    instanceId: entry.instanceId,
+  });
 }
 
 export interface StartDaemonBackgroundOptions {