Summary

Describe the problem and fix in 2–5 bullets:

• Problem: soft restart paths can leave a previously-launched browser process alive, so a later restart can inherit a stale proc.killed=true state and skip real shutdown work.
• Why it matters: stale browser processes can conflict with fresh restarts and lead to unreliable CDP behavior after restart.
• What changed: hardened stopOpenClawChrome() to key shutdown on exitCode (actual process exit) instead of proc.killed (signal attempt flag), and to continue TERM/KILL escalation when killed===true but the process is still running.
• What did NOT change (scope boundary): no changes to browser launch flags, profile selection, or gateway restart orchestration logic.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Bug: Soft restart (SIGUSR1) does not kill previously-launched browser processes, causing port conflicts #32458
• Related #

User-visible / Behavior Changes

• Browser teardown during restart is more reliable when prior stop attempts already marked proc.killed=true but the process has not actually exited.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS/Linux (unit-level validation)
• Runtime/container: Node + Vitest
• Model/provider: N/A
• Integration/channel (if any): Browser control / CDP
• Relevant config (redacted): default browser control settings

Steps

1. Start browser control and launch a local browser profile.
2. Trigger stop/restart sequences where process signaling may set proc.killed=true before actual process exit.
3. Observe teardown behavior for subsequent stop attempts.

Expected

• Stop logic should only no-op when process already exited (exitCode !== null).
• Stop should continue TERM/KILL escalation when process is still running even if proc.killed === true.

Actual

• Previous logic returned early when proc.killed === true, which can skip shutdown work for still-running processes.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: pnpm vitest run src/browser/chrome.test.ts passes with updated stop semantics and new regression case.
• Edge cases checked: already-exited process no-op, CDP-down fast return, CDP-still-reachable SIGKILL escalation, and killed=true + exitCode=null retry path.
• What you did not verify: full live SIGUSR1 restart on an external host with real Chrome process table inspection.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert commit Browser: harden SIGUSR1 chrome shutdown.
• Files/config to restore: src/browser/chrome.ts, src/browser/chrome.test.ts.
• Known bad symptoms reviewers should watch for: browser process not receiving SIGTERM/SIGKILL in tests or unexpected stop-time hangs.

Risks and Mitigations

• Risk: stricter reliance on exitCode could behave differently on unusual process wrappers.
  • Mitigation: retained existing CDP reachability checks and SIGKILL fallback; added regression coverage for the key stale-killed state.