From d6422039917124e36befbf6078c288b312edf097 Mon Sep 17 00:00:00 2001
From: Kjell Tore Guttormsen <ktg@humanize.no>
Date: Fri, 10 Apr 2026 14:11:31 +0200
Subject: [PATCH] fix(scanners): use process.exitCode instead of process.exit()
 after stdout.write

process.exit() terminates before pipe buffers drain, truncating output
at 64KB when piped through another Node.js process on macOS. Affects
scan-orchestrator (SARIF output) and supply-chain-recheck-cli.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 plugins/llm-security/scanners/scan-orchestrator.mjs      | 9 +++++----
 .../llm-security/scanners/supply-chain-recheck-cli.mjs   | 6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/plugins/llm-security/scanners/scan-orchestrator.mjs b/plugins/llm-security/scanners/scan-orchestrator.mjs
index 8a1edc3..c4028e7 100644
--- a/plugins/llm-security/scanners/scan-orchestrator.mjs
+++ b/plugins/llm-security/scanners/scan-orchestrator.mjs
@@ -271,10 +271,11 @@ async function main() {
     `[deep-scan] Duration: ${totalDuration}ms\n`
   );
 
-  // Exit code based on verdict
-  if (agg.verdict === 'BLOCK') process.exit(2);
-  if (agg.verdict === 'WARNING') process.exit(1);
-  process.exit(0);
+  // Exit code based on verdict — use exitCode instead of exit() to allow
+  // stdout pipe buffers to drain fully (process.exit() truncates >64KB on macOS)
+  if (agg.verdict === 'BLOCK') process.exitCode = 2;
+  else if (agg.verdict === 'WARNING') process.exitCode = 1;
+  else process.exitCode = 0;
 }
 
 main().catch(err => {
diff --git a/plugins/llm-security/scanners/supply-chain-recheck-cli.mjs b/plugins/llm-security/scanners/supply-chain-recheck-cli.mjs
index 2c11baf..676d73c 100644
--- a/plugins/llm-security/scanners/supply-chain-recheck-cli.mjs
+++ b/plugins/llm-security/scanners/supply-chain-recheck-cli.mjs
@@ -32,6 +32,6 @@ result.aggregate = { risk_score: score, verdict: verd };
 
 process.stdout.write(JSON.stringify(result, null, 2) + '\n');
 
-if (verd === 'BLOCK') process.exit(2);
-if (verd === 'WARNING') process.exit(1);
-process.exit(0);
+if (verd === 'BLOCK') process.exitCode = 2;
+else if (verd === 'WARNING') process.exitCode = 1;
+else process.exitCode = 0;