Problem
MQDB agent and cluster processes have no registered signal handlers for SIGINT/SIGTERM. The default handler kills the process immediately, skipping graceful shutdown.
This also means temp files created by the env var inline content feature (/tmp/mqdb-env-secrets-{PID}/) persist after process exit. On Docker this is irrelevant (ephemeral filesystem), but on bare metal, secrets (passwd, JWT keys, QUIC certs) sit in /tmp with 0o600 permissions until reboot.
Current state
MqdbAgent and ClusteredAgent both have internal shutdown_tx broadcast channels and graceful shutdown logic (awaiting spawned tasks)- The shutdown path only runs if
broker.run() returns normally — signals bypass it entirely
- The only signal handler in the codebase is in
crud.rs for the watch command
- Temp secret files use PID-scoped directories and 0o600 permissions (low risk, but not zero)
Proposed fix
Register tokio::signal::ctrl_c() + unix SIGTERM handler in both cmd_agent_start and cmd_cluster_start. On signal:
- Send shutdown via the existing
shutdown_tx channel
- Await graceful task completion (already implemented)
- Remove the PID-scoped temp directory (
/tmp/mqdb-env-secrets-{PID}/)
This solves both graceful shutdown and temp file cleanup in one change.
Files involved
crates/mqdb-cli/src/commands/agent.rs — cmd_agent_startcrates/mqdb-cli/src/commands/cluster.rs — cmd_cluster_startcrates/mqdb-cli/src/commands/env_secret.rs — add cleanup() functioncrates/mqdb-agent/src/agent/mod.rs — expose shutdown() for external callerscrates/mqdb-cluster/src/cluster_agent/mod.rs — expose shutdown() for external callers
Problem
MQDB agent and cluster processes have no registered signal handlers for SIGINT/SIGTERM. The default handler kills the process immediately, skipping graceful shutdown.
This also means temp files created by the env var inline content feature (
/tmp/mqdb-env-secrets-{PID}/) persist after process exit. On Docker this is irrelevant (ephemeral filesystem), but on bare metal, secrets (passwd, JWT keys, QUIC certs) sit in/tmpwith 0o600 permissions until reboot.Current state
MqdbAgentandClusteredAgentboth have internalshutdown_txbroadcast channels and graceful shutdown logic (awaiting spawned tasks)broker.run()returns normally — signals bypass it entirelycrud.rsfor thewatchcommandProposed fix
Register
tokio::signal::ctrl_c()+ unix SIGTERM handler in bothcmd_agent_startandcmd_cluster_start. On signal:shutdown_txchannel/tmp/mqdb-env-secrets-{PID}/)This solves both graceful shutdown and temp file cleanup in one change.
Files involved
crates/mqdb-cli/src/commands/agent.rs—cmd_agent_startcrates/mqdb-cli/src/commands/cluster.rs—cmd_cluster_startcrates/mqdb-cli/src/commands/env_secret.rs— addcleanup()functioncrates/mqdb-agent/src/agent/mod.rs— exposeshutdown()for external callerscrates/mqdb-cluster/src/cluster_agent/mod.rs— exposeshutdown()for external callers