github · Mossaka · Mar 19, 2026 · Mar 19, 2026
diff --git a/containers/api-proxy/Dockerfile b/containers/api-proxy/Dockerfile
@@ -30,6 +30,5 @@ USER apiproxy
 # 10004 - OpenCode API proxy (routes to Anthropic)
 EXPOSE 10000 10001 10002 10004
 
-# Redirect stdout/stderr to log file for persistence
-# Use shell form to enable redirection and tee for both file and console
-CMD node server.js 2>&1 | tee -a /var/log/api-proxy/api-proxy.log
+# Use exec form so node is PID 1 and receives SIGTERM directly
+CMD ["node", "server.js"]
diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
@@ -538,6 +538,12 @@ describe('docker-manager', () => {
       expect(squid.ports).toContain('3128:3128');
     });
 
+    it('should set stop_grace_period on squid service', () => {
+      const result = generateDockerCompose(mockConfig, mockNetworkConfig);
+      const squid = result.services['squid-proxy'] as any;
+      expect(squid.stop_grace_period).toBe('2s');
+    });
+
     it('should inject squid config via base64 env var when content is provided', () => {
       const squidConfig = 'http_port 3128\nacl allowed_domains dstdomain .github.qkg1.top\n';
       const result = generateDockerCompose(mockConfig, mockNetworkConfig, undefined, squidConfig);
@@ -1789,6 +1795,13 @@ describe('docker-manager', () => {
         expect(proxy.security_opt).toContain('no-new-privileges:true');
       });
 
+      it('should set stop_grace_period on api-proxy service', () => {
+        const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test-key' };
+        const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
+        const proxy = result.services['api-proxy'] as any;
+        expect(proxy.stop_grace_period).toBe('2s');
+      });
+
       it('should set resource limits', () => {
         const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test-key' };
         const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);

diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -325,6 +325,7 @@ export function generateDockerCompose(
       'AUDIT_WRITE',  // No audit log writing
       'SETFCAP',      // No setting file capabilities
     ],
+    stop_grace_period: '2s',
   };
 
   // Inject squid.conf via environment variable instead of bind mount.
@@ -1238,6 +1239,7 @@ export function generateDockerCompose(
       memswap_limit: '512m',
       pids_limit: 100,
       cpu_shares: 512,
+      stop_grace_period: '2s',
     };
 
     // Use GHCR image or build locally

diff --git a/src/squid-config.test.ts b/src/squid-config.test.ts
@@ -568,6 +568,15 @@ describe('generateSquidConfig', () => {
       const result = generateSquidConfig(config);
       expect(result).toContain('pconn_timeout 2 minutes');
     });
+
+    it('should include shutdown_lifetime 0 for fast shutdown', () => {
+      const config: SquidConfig = {
+        domains: ['example.com'],
+        port: defaultPort,
+      };
+      const result = generateSquidConfig(config);
+      expect(result).toContain('shutdown_lifetime 0 seconds');
+    });
   });
 
   describe('Real-world Domain Patterns', () => {

diff --git a/src/squid-config.ts b/src/squid-config.ts
@@ -606,6 +606,10 @@ client_lifetime 8 hours
 # Critical for SSE where server sends but client doesn't respond
 half_closed_clients on
 
+# shutdown_lifetime: Time to wait for active connections during shutdown
+# Set to 0 because this is an ephemeral proxy — no connection draining needed
+shutdown_lifetime 0 seconds
+
 # Debugging (can be enabled for troubleshooting)
 # debug_options ALL,1 33,2
 `;