fix: memory leaks

[NathanFlurry]

Summary

A memory-leak audit of agent-os + secure-exec surfaced 20 confirmed leaks. This PR fixes the 7 that live in agent-os (the secure-exec findings are a separate repo → follow-up PR). All seven were re-verified still-present on current main before fixing.

Common root cause: tracking maps / spawned tasks are populated on create/spawn but released only on an explicit teardown call that may never happen (or never at all), so they grow unbounded with ordinary process / session / VM churn over a long-running sidecar. Each fix frees on every termination path and ships a reproducing test (fails pre-fix, passes post-fix).

Fixes

ID	File	Leak → Fix
H6	packages/core/src/sidecar/rpc-client.ts	trackedProcesses/trackedProcessesById + onStdout/onStderr listener sets never cleared → cleared in finishProcess() (the single exit chokepoint) and in dispose()
M8	packages/core/src/sidecar/rpc-client.ts	signalStates never deleted (sibling signalRefreshes was) → delete on process_exited, clear in dispose()
H7	packages/core/src/layers.ts (+ localMounts in rpc-client)	in-memory LayerStore had no disposal; sealed layers retained full FilesystemSnapshotExport → add LayerStore.dispose() to clear the map; drop the filesystem payload at seal time; clear localMounts in dispose()
H5	packages/core/src/agent-os.ts	_processes map deleted on no path; dispose() cleared _shells/_acpTerminals but not _processes → delete after the exit handler, clear in dispose()
H3	crates/client/src/process.rs, agent_os.rs	per-process output-callback tasks held the broadcast Sender and awaited a Closed that never fired → store the JoinHandles on ProcessEntry, and drain+abort the registry in shutdown() (drops the retained senders so the channel closes)
M7	crates/client/src/agent_os.rs	ACP event-pump task spawned without storing its JoinHandle; shutdown() never aborted it → store the handle, abort it in shutdown() (mirrors pending_shell_exits)
H4	crates/agentos-sidecar/src/acp_extension.rs	AcpSessionRecord removed only by explicit close_session() → evict on adapter process-exit, clear the map in on_dispose(), cap stdout_buffer, and add cleanup_sessions_for_connection()

Note on H4 (partial)

The strongest real-time path — client disconnect without close_session — can't be fully closed from inside the crate: the pinned secure-exec host (v0.3.1) exposes no per-connection teardown callback to extensions. Shipped here: process-exit eviction (fires on agent exit), on_dispose clear-all (fires on extension teardown), and an always-on stdout_buffer cap. cleanup_sessions_for_connection() is implemented and test-covered, ready to wire when secure-exec adds the hook.

Trust model

All seven are reachable through ordinary guest execution / session / VM / process churn — in-scope under the sidecar↔executor boundary; none require malicious client config.

Testing

• cargo test -p agentos-client — 2 new leak tests (registry drained + tasks aborted; tracked handle aborted) ✅
• cargo test -p agentos-sidecar acp_extension — 3 new tests (connection-teardown eviction, stdout cap, adapter-exit detection) ✅
• vitest core leak suites — 6 tests across the 3 new files ✅
• Gate: cargo build (both crates), tsc --noEmit, and sibling layers.test.ts regression all green.

🤖 Generated with Claude Code

[NathanFlurry]

Ran a multi-agent self-review over the diff (5 reviewers: Rust client, Rust sidecar/H4, TS process maps, TS layers, test quality). Fixes applied in this push:

• Blocker (TS): finishProcess() was releasing process tracking synchronously, which defeated drainTrailingProcessOutput() and dropped trailing guest output (notably on the snapshot-fallback fast-exit path). Release is now deferred until the drain window closes (releaseProcessTrackingAfterDrain), keeping the entry + listeners alive for late process_output events.
• M8 completeness: moved the signalStates/signalRefreshes deletes out of the process_exited branch into the single finishProcess chokepoint, so non-process_exited exit paths (pump-error, background-error, snapshot-fallback) also release them.
• H4 robustness: the adapter-exit error producer now embeds ADAPTER_EXITED_ERROR_MARKER directly, so the eviction predicate can't silently regress if the message wording changes.
• Tests strengthened: added a test for the wired on_dispose() session clear; coupled the adapter-exit predicate test to the real producer string; added a multibyte-UTF-8 cap_stdout_buffer case; asserted M7 pump-handle None→Some→None wiring and H3 output_tasks capture; made the layer-store seal test prove the payload moved into the snapshot rather than asserting only the validity guard.

Reviewers judged the layers fix and the Rust client drain/abort logic sound. Two acknowledged limitations remain documented in the PR: H4's connection-disconnect path needs a per-connection teardown hook from secure-exec (separate repo), and a couple of unit tests can't reach a live transport.

Gate: cargo test -p agentos-client (47) + -p agentos-sidecar acp_extension (19) + core vitest leak suites (8) all green; tsc --noEmit clean.

[railway-app]

🚅 Deployed to the agentos-pr-1535 environment in agentos

Service	Status	Web	Updated (UTC)
agentos	✅ Success (View Logs)	Web	Jun 25, 2026 at 11:09 pm

---

🚅 Deployed to the agentos-pr-1535 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
agent-os	😴 Sleeping (View Logs)		Jun 25, 2026 at 11:18 pm