From b3c30bcc51bc41feb58bf88c54a0fdd792fcc0c0 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Thu, 8 Jan 2026 06:23:57 +0900
Subject: [PATCH] internal/pkg: set container WaitDelay

This prevents a container from blocking forever after context is canceled.

Signed-off-by: Ophestra
---
 internal/pkg/exec.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/internal/pkg/exec.go b/internal/pkg/exec.go
index c61ddc1..de29ff5 100644
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -8,6 +8,7 @@ import (
 "runtime"
 "slices"
 "syscall"
+ "time"
 
 "hakurei.app/container"
 "hakurei.app/container/check"
@@ -186,6 +187,11 @@ func (a *execArtifact) Cure(c *CureContext) (err error) {
 return a.cure(c, false)
 }
 
+const (
+ // execWaitDelay is passed through to [container.Params].
+ execWaitDelay = 15 * time.Second
+)
+
 // cure is like Cure but allows optional host net namespace. This is used for
 // the [KnownChecksum] variant where networking is allowed.
 func (a *execArtifact) cure(c *CureContext, hostNet bool) (err error) {
@@ -272,6 +278,7 @@ func (a *execArtifact) cure(c *CureContext, hostNet bool) (err error) {
 
 z := container.New(ctx, a.msg)
 z.ForwardCancel = true
+ z.WaitDelay = execWaitDelay
 z.SeccompPresets |= std.PresetStrict
 z.ParentPerm = 0700
 z.HostNet = hostNet
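Review bot: The doc comment on `execWaitDelay` says only where the value is passed, not what it bounds or why 15 seconds was chosen. A comment such as `// execWaitDelay bounds how long cure waits for the container to exit after ctx is canceled.` would let a reader judge the value without opening the container package. What happens on expiry is defined by container.Params, which is not visible in this patch, so the wording should be checked against it. Since the group holds a single constant, a plain `const execWaitDelay = 15 * time.Second` would also read more simply than the parenthesized block.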
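Review bot: Nothing in this hunk shows what cure does once the delay expires, which is the new failure path that `z.WaitDelay = execWaitDelay` introduces. If the container package follows os/exec semantics (an assumption, since it is not visible here), the wait can now return an error after the process is forcibly terminated, possibly with output only partly written. It is worth confirming that cure returns that error and never commits a partially populated work directory as a cured artifact, in particular on the `hostNet` path. A comment above the assignment such as `// bound teardown after cancellation; expiry must fail the cure` would record the intent. The body of cure starts and ends outside the hunk.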