Keep claude-build-tool-runaway-guard.sh installed as L2 defense (10-mi…
Decision
Keep claude-build-tool-runaway-guard.sh installed as L2 defense (10-min root cron, AND-gated 50% CPU + 20-min age, SIGTERM→5s→SIGKILL on biome|tsc|eslint|prettier|webpack|vite|esbuild|rollup|next-build owned by user claude). Layered with L1 (correct biome.json/eslint config in each repo) and L3 (existing claude-session-runaway-guard.sh + vps-health-watchdog.sh). Documented in hooks-registry.md cron table and error-playbook.md [05-May-2026] biome runaway. Annual regex review to track new build tools (turbopack/swc/oxlint).
Rationale
Reasoning chain: first_principles_decomposition surfaced 3 irreducible layers — L1 config-correctness (drift-fragile), L2 process-level kill (this cron), L3 VPS-systemic guard (alert-only, fires after damage). Today’s incident proved L1+L3 together leave a 100+ min damage window — only L2 closes it. Live evidence (reliability 0.95): healthy biome runs in 59 ms vs stuck 100+ min — a 1976× delta means the AND-gated 50%+/20-min threshold cannot trigger on legitimate builds on this VPS. Premortem identified 8 failure modes; the only material residual is regex coverage drift as new build tools (turbopack/swc/oxlint) enter the stack — mitigated by annual review and a clear single-line pattern variable. Bias scan returned 0 biases. Reversibility: trivial — remove one crontab line and the script.
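The AND gate from the Decision and the single-line pattern variable from the Rationale, as an added sketch. This is not the contents of claude-build-tool-runaway-guard.sh: the function names, the `--run` switch, the whole-word match on the command line and the sample rows are assumptions.

```sh
#!/bin/sh
# Added illustration; NOT the contents of claude-build-tool-runaway-guard.sh.
# Tool list and thresholds come from the decision record; the rest is assumed.
TOOLS='biome|tsc|eslint|prettier|webpack|vite|esbuild|rollup|next-build'  # annual review edits this
OWNER=claude   # only this user's processes are candidates
MIN_CPU=50     # percent
MIN_AGE=1200   # seconds (20 min)
GRACE=5        # seconds between SIGTERM and SIGKILL

# stdin: "pid user pcpu etimes args..." lines; stdout: PIDs that pass every gate (AND).
select_runaways() {
  awk -v owner="$OWNER" -v cpu="$MIN_CPU" -v age="$MIN_AGE" \
      -v pat="[/ ](${TOOLS}) " '
    $2 != owner { next }
    {
      cmd = $0
      for (i = 1; i <= 4; i++) sub(/^[ \t]*[^ \t]+/, "", cmd)  # drop the 4 fixed columns
      cmd = " " cmd " "                      # pad so the tool name must be a whole word
      if (cmd ~ pat && $3 + 0 >= cpu && $4 + 0 >= age) print $1
    }'
}

# SIGTERM, wait up to GRACE seconds, then SIGKILL if the PID is still alive.
term_then_kill() {
  kill -TERM "$1" 2>/dev/null || return 0    # already gone
  n=0; while [ "$n" -lt "$GRACE" ]; do
    kill -0 "$1" 2>/dev/null || return 0     # exited after SIGTERM
    sleep 1
    n=$((n + 1))
  done
  kill -KILL "$1" 2>/dev/null || true
}

# Constructed sample in `ps -eo pid=,user=,pcpu=,etimes=,args=` layout.
sample_ps() {
  cat <<'EOF'
  101 claude 98.7 6400 node /srv/app/node_modules/.bin/biome check .
  102 claude 99.0   12 /usr/bin/tsc --noEmit
  103 claude  3.1 9000 node /srv/app/node_modules/.bin/eslint .
  104 root   99.9 9000 /usr/bin/webpack
  105 claude 97.2 7200 node /srv/app/node_modules/.bin/tsc-watch
  106 claude 75.0 1500 /usr/local/bin/esbuild --bundle
EOF
}

# Only act when called with --run (e.g. from cron), so sourcing has no side effects.
if [ "${1:-}" = "--run" ]; then
  ps -eo pid=,user=,pcpu=,etimes=,args= | select_runaways | while read -r pid; do term_then_kill "$pid"; done
fi
```

`pcpu` from procps is CPU time divided by elapsed time over the process lifetime, so a process passes the 50% gate only if it has been busy for most of its life, not because of a short spike.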
Alternatives Rejected
Outcome
Pending