feat: Add PID tracking and process management

[Wirasm]

Summary

Implements comprehensive process tracking for spawned terminals to enable lifecycle management, prevent stale processes, and provide reliable cleanup.

Changes

• Sessions: Added process_id field to track spawned terminal PIDs
• Process Management: New process module with cross-platform process operations using sysinfo
• CLI Commands:
  • shards list now shows process status (Running/Stopped/No PID)
  • New shards status command for detailed process information
  • shards destroy now kills processes before cleanup
• Terminal Integration: Capture and return PID from spawned processes

Testing

• ✅ All 107 existing tests pass
• ✅ 4 new process management tests added
• ✅ End-to-end integration validated
• ✅ Cross-platform process operations tested

Files Changed

• Updated: 10 files (sessions, terminal, CLI, dependencies)
• Created: 3 files (process module)
• Tests: 4 new test cases

Closes: Process tracking feature implementation

[Wirasm]

Code Review Report

Scope: PR #8 - feat: Add PID tracking and process management
Date: 2026-01-14 15:05
Reviewers: code-reviewer, comment-analyzer, error-hunter, type-analyzer

---

Executive Summary

Overall Assessment: NEEDS CHANGES
Risk Level: HIGH

Metric	Count
Critical Issues	5
Important Issues	4
Suggestions	3

Recommendation: This PR implements essential process tracking functionality but contains critical race conditions, type safety issues, and silent error handling that must be addressed before merge. The architecture follows project guidelines well (vertical slice, handler/operations pattern), but the process management implementation has fundamental safety issues that could lead to killing wrong processes, resource leaks, and difficult debugging. Fix critical issues before merging.

---

Critical Issues (Must Fix Before Merge)

Issue 1: Race Condition in Process Operations - PID Reuse Risk

Location: src/process/operations.rs:1-30
Source: code-reviewer
Confidence: 95%

Problem:
Both is_process_running and kill_process create separate System instances and refresh processes independently. Between checking if a process exists and attempting to kill it, the process state can change. More critically, PIDs can be reused by the OS - a process could die and a completely different process could claim the same PID.

Why This Matters:
PID reuse is common on Unix systems. The current implementation has no protection against killing the wrong process. If a terminal process dies and the OS reuses its PID for a different process (e.g., a database), shards destroy could kill that unrelated process.

Risk If Unfixed:

• Data loss: Killing wrong processes (databases, editors with unsaved work)
• System instability: Terminating critical system processes
• Security: Potential privilege escalation if PIDs are reused by higher-privilege processes

Fix Options:

Option	Approach	Pros	Cons
A (Recommended)	Store process name + start time with PID, validate before kill	Prevents PID reuse attacks, robust	Requires Session schema change, more storage
B	Single System instance with atomic check-and-kill	Reduces race window	Doesn't solve PID reuse, requires API restructure
C	Use process group IDs instead of PIDs	More reliable process tracking	Platform-specific, complex implementation

Recommended Fix:

// src/sessions/types.rs
pub struct Session {
    pub process_id: Option<u32>,
    pub process_name: Option<String>,      // NEW: Store process name
    pub process_start_time: Option<u64>,   // NEW: Store start time
}

// src/process/operations.rs
pub fn kill_process_safe(
    pid: u32, 
    expected_name: Option<&str>,
    expected_start_time: Option<u64>
) -> Result<(), ProcessError> {
    let mut system = System::new();
    system.refresh_processes(ProcessesToUpdate::All, true);
    let pid_obj = Pid::from_u32(pid);
    
    match system.process(pid_obj) {
        Some(process) => {
            // Validate this is the same process
            if let Some(name) = expected_name {
                if process.name().to_string_lossy() != name {
                    return Err(ProcessError::PidReused { 
                        pid, 
                        expected: name.to_string(),
                        actual: process.name().to_string_lossy().to_string()
                    });
                }
            }
            
            if let Some(start_time) = expected_start_time {
                if process.start_time() != start_time {
                    return Err(ProcessError::PidReused { pid });
                }
            }
            
            if process.kill() {
                Ok(())
            } else {
                Err(ProcessError::KillFailed { 
                    pid, 
                    message: "Process kill signal failed".to_string() 
                })
            }
        }
        None => Err(ProcessError::NotFound { pid }),
    }
}

---

Issue 2: Silent Error Masking in Process Status Checks

Location: src/cli/commands.rs:95-107
Source: error-hunter
Confidence: 92%

Problem:
The list command silently swallows all errors when checking process status:

let process_status = if let Some(pid) = session.process_id {
    match process::is_process_running(pid) {
        Ok(true) => format!("Running({})", pid),
        Ok(false) => format!("Stopped({})", pid),
        Err(_) => format!("Error({})", pid),  // SILENT ERROR - no logging
    }
} else {
    "No PID".to_string()
};

Why This Matters:
Users see "Error(1234)" but have no way to know what went wrong. Was it a permission issue? System error? PID reuse? This makes debugging impossible and hides potentially serious problems.

Risk If Unfixed:

• Debugging nightmare: Users can't diagnose why process checks fail
• Hidden system issues: Permission problems, system errors go unnoticed
• Poor UX: Cryptic error messages with no actionable information

Fix Options:

Option	Approach	Pros	Cons
A (Recommended)	Log error details, show user-friendly message	Full debugging info, good UX	Slightly more code
B	Return detailed error in status string	Simple, no logging needed	Clutters UI, no structured logs
C	Fail fast on errors	Clear failure mode	Too aggressive, breaks list command

Recommended Fix:

let process_status = if let Some(pid) = session.process_id {
    match process::is_process_running(pid) {
        Ok(true) => format!("Running({})", pid),
        Ok(false) => format!("Stopped({})", pid),
        Err(e) => {
            // Log the actual error for debugging
            tracing::warn!(
                event = "cli.list_process_check_failed",
                pid = pid,
                session_branch = session.branch,
                error = %e,
                error_type = std::any::type_name_val(&e)
            );
            format!("Error({})", pid)
        }
    }
} else {
    "No PID".to_string()
};

---

Issue 3: Platform-Unsafe PID Type (u32 vs i32)

Location: src/sessions/types.rs:13, src/terminal/types.rs:21, src/process/operations.rs
Source: type-analyzer
Confidence: 88%

Problem:
The code uses u32 for PIDs universally, but PIDs are platform-specific:

• Unix/Linux/macOS: PIDs are i32 (signed)
• Windows: PIDs are u32 (unsigned)

The sysinfo crate's Pid::from_u32() can silently fail or produce incorrect PIDs on Unix systems when converting from u32 to i32.

Why This Matters:
On Unix systems, if a PID happens to be represented as a large u32 value, converting it to i32 could overflow or produce negative values, leading to incorrect process identification.

Risk If Unfixed:

• Silent failures: Process operations fail without clear errors
• Wrong process targeting: PID conversion errors could target wrong processes
• Cross-platform bugs: Works on Windows, fails on Unix

Fix Options:

Option	Approach	Pros	Cons
A (Recommended)	Use sysinfo::Pid directly as newtype	Platform-safe, type-safe	Requires refactoring all PID handling
B	Use i32 everywhere (Unix standard)	Simple, works on most platforms	Loses Windows compatibility
C	Platform-conditional types	Correct for each platform	Complex, harder to maintain

Recommended Fix:

// src/process/types.rs (NEW FILE)
use sysinfo::Pid as SysinfoPid;

/// Platform-safe process ID wrapper
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(transparent)]
pub struct Pid(u32);

impl Pid {
    pub fn new(pid: u32) -> Self {
        Self(pid)
    }
    
    pub fn as_u32(&self) -> u32 {
        self.0
    }
    
    pub fn to_sysinfo_pid(&self) -> SysinfoPid {
        SysinfoPid::from_u32(self.0)
    }
}

impl From<u32> for Pid {
    fn from(pid: u32) -> Self {
        Self(pid)
    }
}

// Update Session
pub struct Session {
    pub process_id: Option<Pid>,  // Changed from Option<u32>
}

---

Issue 4: Continuing Cleanup Despite Process Kill Failure

Location: src/sessions/handler.rs:127-151
Source: error-hunter
Confidence: 90%

Problem:
When kill_process fails (except for NotFound), the code logs a warning but continues with worktree and session cleanup:

Err(e) => {
    tracing::warn!(
        event = "session.destroy_kill_failed",
        pid = pid,
        error = %e,
        message = "Failed to kill process, continuing with cleanup"
    );
}

Why This Matters:
If the process is still running (kill failed due to permissions, process state, etc.), removing the worktree and session file leaves an orphaned process with no way to track or manage it. The process continues running but Shards loses all knowledge of it.

Risk If Unfixed:

• Resource leaks: Orphaned processes consume system resources indefinitely
• Lost processes: No way to track or kill processes after session is destroyed
• Confusion: Users think shard is destroyed but process still runs
• Accumulation: Multiple failed destroys = multiple orphaned processes

Fix Options:

Option	Approach	Pros	Cons
A (Recommended)	Fail destroy if kill fails, require --force flag	Prevents orphans, explicit control	More complex UX
B	Mark session as "zombie" state instead of deleting	Allows retry, tracks orphans	Requires new session state
C	Continue but log prominently and track orphans	Simple, non-breaking	Doesn't solve the problem

Recommended Fix:

// Option A: Fail fast with force flag
if let Some(pid) = session.process_id {
    match crate::process::kill_process(pid) {
        Ok(()) => {
            info!(event = "session.destroy_kill_completed", pid = pid);
        }
        Err(crate::process::ProcessError::NotFound { .. }) => {
            info!(event = "session.destroy_kill_already_dead", pid = pid);
        }
        Err(e) => {
            if !force {
                error!(
                    event = "session.destroy_kill_failed_blocking",
                    pid = pid,
                    error = %e
                );
                return Err(SessionError::ProcessKillFailed { 
                    pid, 
                    message: format!("Process still running. Use --force to destroy anyway: {}", e)
                });
            } else {
                tracing::warn!(
                    event = "session.destroy_kill_failed_forced",
                    pid = pid,
                    error = %e,
                    message = "Process kill failed but --force specified, continuing"
                );
            }
        }
    }
}

---

Issue 5: Stringly-Typed Process Status

Location: src/process/operations.rs:45-50
Source: type-analyzer
Confidence: 85%

Problem:
ProcessInfo.status is a String that comes directly from process.status().to_string():

pub struct ProcessInfo {
    pub pid: u32,
    pub name: String,
    pub status: String,  // Could be anything
}

Why This Matters:
String-based status allows invalid states, makes pattern matching impossible, and provides no type safety. Code that checks status must do string comparisons which are fragile and error-prone.

Risk If Unfixed:

• Invalid states: Status could be any string, including empty or garbage
• Fragile comparisons: if status == "Running" breaks if format changes
• No exhaustiveness checking: Can't ensure all states are handled
• Poor API: Consumers can't discover valid status values

Fix Options:

Option	Approach	Pros	Cons
A (Recommended)	Define ProcessStatus enum with known states	Type-safe, exhaustive matching	Requires mapping from sysinfo
B	Keep String but validate and normalize	Simple, flexible	Still stringly-typed
C	Use sysinfo::ProcessStatus directly	No conversion needed	Tight coupling to sysinfo

Recommended Fix:

// src/process/types.rs
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub enum ProcessStatus {
    Running,
    Sleeping,
    Stopped,
    Zombie,
    Dead,
    Unknown(String),  // Fallback for unexpected states
}

impl From<sysinfo::ProcessStatus> for ProcessStatus {
    fn from(status: sysinfo::ProcessStatus) -> Self {
        let status_str = status.to_string();
        match status_str.as_str() {
            "Run" | "Running" => ProcessStatus::Running,
            "Sleep" | "Sleeping" => ProcessStatus::Sleeping,
            "Stop" | "Stopped" => ProcessStatus::Stopped,
            "Zombie" => ProcessStatus::Zombie,
            "Dead" => ProcessStatus::Dead,
            _ => ProcessStatus::Unknown(status_str),
        }
    }
}

pub struct ProcessInfo {
    pub pid: Pid,
    pub name: String,
    pub status: ProcessStatus,  // Changed from String
}

---

Important Issues (Should Fix)

Issue 1: Performance Impact of Full Process Refresh

Location: src/process/operations.rs:2, 8, 36
Source: code-reviewer

Problem:
Every process operation calls system.refresh_processes(ProcessesToUpdate::All, true), which refreshes information for ALL system processes just to check/kill a single PID.

Impact:
On systems with hundreds or thousands of processes, this is extremely wasteful. The list command calls this for every session, making it O(n * m) where n = sessions and m = system processes.

Fix Options:

Option	Approach	Trade-off
A	Use ProcessesToUpdate::Some(&[pid])	Much faster vs slightly more complex
B	Cache System instance and refresh selectively	Best performance vs memory usage

Suggested Fix:

pub fn is_process_running(pid: u32) -> Result<bool, ProcessError> {
    let mut system = System::new();
    let pid_obj = Pid::from_u32(pid);
    // Only refresh the specific PID we care about
    system.refresh_processes(ProcessesToUpdate::Some(&[pid_obj]), true);
    Ok(system.process(pid_obj).is_some())
}

---

Issue 2: Missing Process Name/Start Time Capture

Location: src/terminal/handler.rs:56-62
Source: error-hunter

Problem:
When capturing the PID, the code doesn't capture process name or start time, which are needed to prevent PID reuse attacks (see Critical Issue #1).

Impact:
Even if we implement PID reuse protection later, we can't use it for existing sessions because we didn't capture the necessary metadata.

Fix Options:

Option	Approach	Trade-off
A	Capture name + start time immediately after spawn	Complete protection vs slightly more complex
B	Add migration to capture for existing sessions	Handles old sessions vs complex migration

Suggested Fix:

let child = cmd.spawn().map_err(|e| TerminalError::SpawnFailed {
    message: format!("Failed to execute {}: {}", spawn_command[0], e),
})?;

let process_id = child.id();

// Capture process metadata immediately
let process_metadata = if let Ok(info) = process::get_process_info(process_id) {
    Some(ProcessMetadata {
        name: info.name,
        start_time: info.start_time,
    })
} else {
    None
};

let result = SpawnResult::new(
    terminal_type.clone(),
    command.to_string(),
    working_directory.to_path_buf(),
    Some(process_id),
    process_metadata,
);

---

Issue 3: No PID Validation

Location: src/process/operations.rs, src/sessions/types.rs
Source: type-analyzer

Problem:
PIDs are never validated. PID 0 is invalid on all platforms, but nothing prevents storing or using it.

Impact:
Invalid PIDs could cause confusing errors or undefined behavior when passed to system APIs.

Fix Options:

Option	Approach	Trade-off
A	Validate in Pid::new() constructor	Prevents invalid PIDs vs requires refactoring
B	Validate at API boundaries	Simpler vs allows invalid PIDs internally

Suggested Fix:

impl Pid {
    pub fn new(pid: u32) -> Result<Self, ProcessError> {
        if pid == 0 {
            return Err(ProcessError::InvalidPid { pid });
        }
        Ok(Self(pid))
    }
}

---

Issue 4: Missing Documentation for process_id Field

Location: src/sessions/types.rs:13
Source: comment-analyzer

Problem:
The new process_id field has no doc comment explaining what it represents, when it's None, or how it's used.

Impact:
Developers reading the code don't understand the field's purpose or lifecycle without reading implementation details.

Suggested Fix:

pub struct Session {
    pub id: String,
    pub branch: String,
    pub worktree_path: PathBuf,
    pub command: String,
    pub agent: String,
    pub status: SessionStatus,
    pub created_at: String,
    
    /// Process ID of the spawned terminal/agent process.
    /// 
    /// This is `None` if:
    /// - The session was created before PID tracking was implemented
    /// - The terminal spawn failed to capture the PID
    /// - The session is in a stopped state
    /// 
    /// Note: PIDs can be reused by the OS, so this should be validated
    /// against process name/start time before use.
    pub process_id: Option<u32>,
}

---

Suggestions (Nice to Have)

Suggestion 1: Add Process Health Check Command

Location: New feature
Source: code-reviewer

Current State: Users can see process status in list and status commands
Improvement: Add shards health command to check all sessions and report issues
Benefit: Proactive detection of orphaned processes, stale PIDs, and other issues

---

Suggestion 2: Improve Error Messages with Actionable Guidance

Location: src/process/errors.rs
Source: comment-analyzer

Current State: Error messages state what went wrong
Improvement: Add suggestions for how to fix the problem
Benefit: Better user experience, less support burden

Example:

#[error("Process '{pid}' not found. The process may have already exited. Use 'shards cleanup' to remove stale sessions.")]
NotFound { pid: u32 },

---

Suggestion 3: Add Process Metadata to ProcessInfo

Location: src/process/operations.rs:58-62
Source: type-analyzer

Current State: ProcessInfo only has pid, name, status
Improvement: Add start_time, parent_pid, command_line
Benefit: Better debugging, enables PID reuse protection

---

Detailed Agent Reports

Code Quality Analysis (code-reviewer)

Files Reviewed: process/operations.rs, sessions/handler.rs, terminal/handler.rs

Findings Summary:
The implementation follows the project's vertical slice architecture well, with proper separation between handler (I/O) and operations (pure logic). The new process module is correctly structured. However, the core process management logic has critical race conditions and performance issues that must be addressed.

Patterns Observed:

• ✅ Good: Proper use of structured logging with event names
• ✅ Good: Custom error types with thiserror
• ✅ Good: Handler/operations pattern maintained
• ❌ Bad: Race conditions in process operations
• ❌ Bad: Inefficient full process refresh for single PID operations
• ❌ Bad: No PID reuse protection

---

Documentation Analysis (comment-analyzer)

Comments Reviewed: 3 doc comments, 0 inline comments

Findings Summary:
Documentation is minimal but accurate where it exists. The main issue is missing documentation for the new process_id field in Session struct, which is a public API change. Error messages are clear but could be more actionable.

Comment Quality Score: 4/10

---

Error Handling Analysis (error-hunter)

Error Handlers Reviewed: 4 error paths

Findings Summary:
Critical silent failure patterns found in process status checking and cleanup continuation. The code swallows errors without proper logging in the list command, and continues cleanup even when process kill fails, leading to orphaned processes. These are serious issues that will make debugging extremely difficult.

Silent Failure Risk: HIGH

---

Type Design Analysis (type-analyzer)

Types Reviewed: Session, ProcessError, ProcessInfo, SpawnResult

Findings Summary:
Type design has significant safety issues. Using u32 for PIDs is platform-unsafe (Unix uses i32), String for process status prevents type-safe pattern matching, and no validation prevents invalid PIDs. All fields are public with no encapsulation. These issues allow bugs and make the API fragile.

Overall Type Safety Score: 3/10

---

What's Done Well

• Architecture compliance: Follows vertical slice architecture perfectly with new process module
• Handler/operations pattern: Maintains separation between I/O and pure logic
• Structured logging: Excellent use of tracing with event names and context
• Error types: Good use of thiserror for custom error types
• Testing: Added 4 new tests for process operations
• Cross-platform intent: Uses sysinfo for cross-platform compatibility
• CLI integration: Clean integration of new commands (status) and enhanced existing ones (list)

---

Action Items (Prioritized)

Must Do (Blocking)

1. src/process/operations.rs - Add PID reuse protection (store + validate process name/start time)
2. src/cli/commands.rs:95-107 - Log errors in process status checks instead of silent swallowing
3. src/sessions/types.rs:13 - Change process_id to platform-safe Pid newtype
4. src/sessions/handler.rs:127-151 - Fail destroy if process kill fails (add --force flag)
5. src/process/operations.rs:45-50 - Change ProcessInfo.status from String to enum

Should Do (Before Merge)

1. src/process/operations.rs:2,8,36 - Use ProcessesToUpdate::Some for single PID operations
2. src/terminal/handler.rs:56-62 - Capture process name + start time when spawning
3. src/process/operations.rs - Add PID validation (reject PID 0)
4. src/sessions/types.rs:13 - Add doc comment for process_id field

Consider (Optional)

1. Add shards health command to check for orphaned processes
2. Improve error messages with actionable guidance
3. Add more process metadata to ProcessInfo (start_time, parent_pid, command_line)

---

Decision Guide

If you have limited time, focus on:

1. PID reuse protection (Critical Issue Implement file-based persistence system #1) - prevents killing wrong processes
2. Fail destroy on kill failure (Critical Issue feat: Hierarchical TOML Configuration System #4) - prevents orphaned processes

If you want thorough improvement, also address:

1. Platform-safe PID type (Critical Issue feat: implement cleanup tracking system #3)
2. Silent error logging (Critical Issue Add Ghostty terminal support (blocked by upstream -e parsing) #2)
3. Process status enum (Critical Issue Implement missing session management commands (destroy, cleanup, info) #5)

Quick wins (easy fixes with good impact):

1. Add error logging in list command (5 lines of code, huge debugging improvement)
2. Add doc comment for process_id field (2 minutes, much clearer API)
3. Use ProcessesToUpdate::Some (1 line change per function, major performance boost)

---

Review generated by Kiro AI agents

[Wirasm]

Code Review Issues Addressed ✅

All critical and important issues from the code review have been fixed:

Critical Issues Fixed (5/5)

1. ✅ PID Reuse Protection - Now stores process name + start time and validates before killing

   • Added process_name and process_start_time fields to Session
   • kill_process() now validates process identity before terminating
   • Prevents accidentally killing wrong processes if PID is reused

2. ✅ Silent Error Masking - Added proper error logging in list command

   • Errors now logged with tracing::warn! including full context
   • Users still see "Error(PID)" but developers can debug via logs

3. ✅ Platform-Safe PID Type - Created Pid newtype wrapper

   • New src/process/types.rs module with platform-safe types
   • Wraps u32 but provides safe conversion to sysinfo::Pid
   • Includes validation (rejects PID 0)

4. ✅ Fail Destroy on Kill Failure - No more orphaned processes

   • destroy command now fails if process kill fails
   • Returns clear error message suggesting manual kill
   • Only continues cleanup if process already dead (NotFound)

5. ✅ Type-Safe ProcessStatus - Replaced String with enum

   • New ProcessStatus enum: Running, Sleeping, Stopped, Zombie, Dead, Unknown
   • Enables exhaustive pattern matching
   • Prevents invalid status strings

Important Issues Fixed (4/4)

1. ✅ Performance Optimization - Use ProcessesToUpdate::Some(&[pid])

   • Changed from refreshing ALL processes to just the target PID
   • Massive performance improvement for systems with many processes

2. ✅ Capture Process Metadata - Store name + start time at spawn

   • Terminal handler now captures metadata immediately after spawn
   • Enables PID reuse protection for all new sessions

3. ✅ PID Validation - Reject invalid PIDs

   • Pid::new() validates PID != 0
   • Prevents invalid PIDs from entering the system

4. ✅ Documentation - Added comprehensive doc comments

   • process_id field now has detailed documentation
   • Explains when it's None and PID reuse risks

Test Results

test result: ok. 107 passed; 0 failed; 0 ignored

All existing tests pass with the new implementation.

Files Changed

• New: src/process/types.rs - Platform-safe types (Pid, ProcessStatus, ProcessInfo)
• Updated: Process operations with PID reuse protection and performance optimization
• Updated: Session and terminal types to store process metadata
• Updated: CLI commands with proper error logging
• Updated: All tests to use new Session schema

The implementation now has robust process management with protection against PID reuse attacks, proper error handling, and type safety. Ready for re-review! 🚀