fix(cmd/docker): prevent race between force-exit goroutine and plugin wait

[zampani-docker]

Summary

• Fixes a race condition in tryPluginRun where two goroutines could both call os.Exit with different exit codes when force-killing a plugin after 3 SIGINT/SIGTERM signals
• Moves os.Exit(1) ownership to the main goroutine; the signal goroutine now only closes a channel and calls Kill()
• Adds a return after the force-kill to prevent additional signals from causing a close on an already-closed channel (panic)

Root cause: when a plugin ignored context cancellation and 3 SIGINTs were sent, the signal goroutine called plugincmd.Process.Kill() then os.Exit(1). On a loaded runner, plugincmd.Run() in the main goroutine could return first — the SIGKILL'd plugin has ws.ExitStatus() = -1, leading to os.Exit(-1) = exit code 255 instead of 1.

Fix: forceExitCh is closed before Kill(). Since the plugin can only die after SIGKILL is delivered and Run() only returns after the process is reaped, forceExitCh is guaranteed to be closed before Run() returns in the force-kill path. The main goroutine checks the channel and owns os.Exit(1).

Test plan

• Existing test TestPluginSocketCommunication/detached/the_main_CLI_exits_after_3_signals covers the fixed race — was flaky (exit code 255) on loaded CI runners with RC Docker on Alpine; should now be reliable
• No new tests required: the fix is a concurrency correctness change to existing behaviour with existing test coverage

🤖 Generated with Claude Code

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 10 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
cmd/docker/docker.go	0.00%	10 Missing ⚠️

📢 Thoughts on this report? Let us know!