Install claude-build-tool-runaway-guard.sh as a 10-min root cron, kill…

Decision

Install claude-build-tool-runaway-guard.sh as a root cron job that runs every 10 minutes. It kills biome|tsc|eslint|prettier|webpack|vite|esbuild|rollup|next-build child processes of Claude sessions when pcpu ≥ 50% AND elapsed ≥ 20 min, escalating SIGTERM → 5 s → SIGKILL. It sends a Telegram alert on each kill and a silent heartbeat when everything is healthy. It complements (does not replace) claude-session-runaway-guard.sh, which targets CLI processes only. The guard is registered in hooks-registry.md; the root cause and a prevention pointer are recorded in error-playbook.md [05-May-2026].
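The selection and kill rules above, as an added sketch (not the installed script). It assumes the process table comes from ps, that a session is a process whose command basename is "claude", and that any descendant of a session counts; the function names and sample rows are constructed for illustration, and the Telegram alert and heartbeat are left out.

```shell
# Added sketch, not the installed claude-build-tool-runaway-guard.sh.
PATTERN='biome|tsc|eslint|prettier|webpack|vite|esbuild|rollup|next-build'
MIN_PCPU=50 MIN_ETIMES=1200 GRACE=5   # percent, seconds (20 min), seconds

# Reads "pid ppid pcpu etimes args" rows (the shape of
# `ps -eo pid=,ppid=,pcpu=,etimes=,args=`) on stdin, prints PIDs to kill.
# Assumptions: a session is a process whose command basename is "claude";
# any descendant counts, since builds usually run under sh/npm/node.
select_runaways() {
  awk -v pat="(^|[/ ])($PATTERN)( |\$)" -v cpu="$MIN_PCPU" -v age="$MIN_ETIMES" '
    { pid = $1; parent[pid] = $2; pc[pid] = $3; et[pid] = $4; order[++rows] = pid
      $1 = ""; $2 = ""; $3 = ""; $4 = ""
      sub(/^ +/, ""); args[pid] = $0; n = split($1, b, "/")
      if (b[n] == "claude") session[pid] = 1 }
    END {
      for (i = 1; i <= rows; i++) { pid = order[i]
        if (session[pid] || args[pid] !~ pat) continue
        if (pc[pid] + 0 < cpu || et[pid] + 0 < age) continue   # AND gate
        p = parent[pid]; hops = 0          # walk up; hops bounds cycles
        while ((p in parent) && hops++ < 64) {
          if (session[p]) { print pid; break }
          p = parent[p] }
      }
    }'
}

# SIGTERM first, then SIGKILL only if the process outlives the grace period.
term_then_kill() {
  kill -TERM "$1" 2>/dev/null || return 0      # already gone
  i=0
  while [ "$i" -lt "$GRACE" ]; do
    sleep 1; i=$((i + 1))
    kill -0 "$1" 2>/dev/null || return 0       # exited within grace
  done
  kill -KILL "$1" 2>/dev/null || true
}

# Constructed ps rows (not captured from the incident).
sample_ps() {
  cat <<'EOF'
100 1 0.3 90000 claude
210 100 97.5 7080 node /srv/app/node_modules/.bin/biome check .
211 100 12.0 7080 node /srv/app/node_modules/.bin/tsc --noEmit
212 100 99.0 240 esbuild --bundle src/index.ts
300 100 0.0 8000 sh -c npm run lint
301 300 88.0 6060 node /srv/app/node_modules/.bin/eslint .
400 1 95.0 9000 webpack --watch
EOF
}
```

On the sample rows only PIDs 210 and 301 are selected; a live run would pipe the ps command from the comment into select_runaways and pass each PID to term_then_kill. With procps ps, pcpu is CPU time divided by elapsed time over the whole life of the process, so under these thresholds a match has used at least 10 minutes of CPU.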

Rationale

Today's incident (118 + 101 min of CPU burned by two stacked biome processes after a stale biome.json lacked the node_modules/** ignore) proves the existing CLI-level runaway guard has a child-process blind spot. AND-gated thresholds (CPU and age both required) keep false-positive risk low: a build sustaining 50%+ CPU for 20 min does not happen among legitimate CC-spawned builds on this VPS, where a typical full build takes <5 min. The pattern covers the observed JS/TS build-tool surface; review it annually as new tools (turbopack/swc/oxlint) enter the stack. Kill semantics are conservative (graceful TERM with a 5 s grace period before KILL). Reversibility is trivial: a single line in the root crontab plus the script in /home/claude/.claude/crons/. The premortem identified pattern-coverage drift as the top residual risk; it is mitigated by a clear pattern variable and an annual review cadence registered with the rest of the self-maintenance triad.

Alternatives Rejected

Outcome

Pending