RFC: review the Kanban — multi-profile collaboration board (PR #16100)

[teknium1]

UPDATE — Apr 28, 2026 — This RFC is now tracking the implemented PR. Current status, review history, and all bug/fix summaries live on PR #16100: #16100

Since this RFC was filed:

• Moved from a cron-driven dispatcher to a real long-lived daemon (hermes kanban daemon) with a systemd unit. Cron was burning LLM tokens per tick.
• Runs as first-class — one row per attempt; preserves full retry history with structured summary + metadata handoff. (Ported from @vulcan-artivus's review.)
• Dashboard plugin with drag-drop board, Run History, Worker Log panel, live WebSocket updates, and per-task event attribution.
• Four audit passes + external review by @erosika + full battle-test suite — 15 bugs found and fixed across the cycle. tests/stress/ exercises real multi-process concurrency, real subprocess E2E, property fuzzing (~40k randomized ops, 9 invariants), and scale benchmarks at 10k tasks.
• Tutorial + 10 dashboard screenshots walking the four user stories: website/docs/user-guide/features/kanban-tutorial.md.
• 182/182 main kanban test suite green.

Comments on this issue remain open for v2 design input (workflow templates, structured comments as multi-peer session substrate, skill-aware routing). PR #16100 is the merge-tracking location.

---

Request for review: Kanban — durable multi-profile collaboration board

PR: #16100
Design spec: docs/hermes-kanban-v1-spec.pdf (committed in the PR, 14 sections + diagrams + bibliography)
Design discussion: Nous Discord thread, April 25–26 2026 (contributors credited at bottom)

Kanban is a new durable, SQLite-backed task board shared across all Hermes profiles on a host. Tasks carry an assignee (a profile name), optional dependency links, a workspace kind (scratch / worktree / dir:<path>), and an optional tenant namespace. A cron-driven dispatcher atomically claims ready tasks and spawns the assigned profile as its own OS process — no in-process subagent swarms. The /kanban slash command works in both CLI and all gateway platforms (same COMMAND_REGISTRY pipe).

Before we merge, we'd like eyes on it from anyone who runs multiple profiles, has opinions on agent coordination primitives, or plans to use this for non-coding workloads (research, ops, digital twins, fleet work). The PR is substantial (~2900 LOC including tests, spec, skills, and docs) and introduces a new top-level concept users will need to reason about alongside delegate_task.

The shape at a glance

• Board: ~/.hermes/kanban.db, WAL-mode SQLite, profile-agnostic. Four tables (tasks, task_links, task_comments, task_events) + six indexes.
• Status machine: todo → ready → running → done (plus blocked and archived side branches). Only one role may transition each status; eliminates write contention.
• Atomic claim: compare-and-swap UPDATE ... WHERE status='ready' AND claim_lock IS NULL inside BEGIN IMMEDIATE. Proven-serial under SQLite's WAL; the test suite includes a concurrent-thread race where exactly one of 8 claimers wins.
• Dispatcher: hermes kanban dispatch — reclaims stale running tasks (15-min claim TTL), promotes todo → ready when all parents done, atomically claims, spawns hermes -p <profile> chat -q "work kanban task <id>" with HERMES_KANBAN_TASK / HERMES_KANBAN_WORKSPACE / HERMES_TENANT env vars set, redirects output to ~/.hermes/kanban/logs/<id>.log.
• Workspace kinds:
  • scratch (default) — fresh tmp dir per task, GC'd on archive.
  • worktree — git worktree under .worktrees/<id>/ for coding tasks.
  • dir:<path> — existing shared directory (Obsidian vault, mail ops dir, per-account folder).
• Tenant column: one nullable string; one specialist fleet can serve many business contexts (--tenant business-a) with data isolation by workspace path + memory key prefix.
• Zero changes to run_agent.py. No new core tools. No tool-schema bloat on any API call.

CLI / gateway surface

Fifteen verbs, all available as both hermes kanban <verb> and /kanban <verb>:

init · create · list · show · assign · link · unlink · claim ·
comment · complete · block · unblock · archive · tail · dispatch · context · gc

The slash command bypasses the running-agent guard in the gateway — /kanban unblock can free a stuck worker while the main agent is mid-conversation. Board writes don't touch agent state.

Skills shipped alongside

• kanban-worker — how a profile claims context, does work in its workspace, blocks on ambiguity, completes with a result, delegates follow-ups.
• kanban-orchestrator — "you are a dispatcher, not a worker" template with anti-temptation rules and a standard specialist roster (researcher, writer, analyst, backend-eng, reviewer, ops).

Why not just delegate_task?

These look similar and they are not the same primitive. The one-sentence distinction: delegate_task is a function call; Kanban is a durable work queue where every handoff is a row any profile (or human) can read and edit. The full 12-dimension comparison table is in §6 of the spec.

They coexist. A kanban worker may call delegate_task internally for reasoning within its own run. The single test: does this handoff need to outlive a single API loop and be visible to others?

Use delegate_task for short, self-contained reasoning subtasks the parent agent wants an answer to before continuing — seconds-to-minutes, no human in the loop, result goes back into parent's context.

Use Kanban for work that crosses agent boundaries, needs to survive restarts, might need human input, might be picked up by a different role (engineer → reviewer → engineer), or needs to be discoverable after the fact.

What we'd especially like feedback on

1. The delegate_task / Kanban boundary. Is the "does this handoff need to outlive a single API loop" test clear enough? Should the spec land a doc page explicitly titled "when to use which"? Are there workloads you can't tell which side of the line they fall on?

2. Eight collaboration patterns. Spec §5 names P1 Fan-out, P2 Pipeline, P3 Voting/quorum, P4 Long-running journal, P5 Human-in-the-loop triage, P6 @mention delegation, P7 Thread-scoped workspace, P8 Fleet farming. P6 and P8 are the only patterns that require infra beyond the base primitives (P6 is a parser hook; P8 is a dispatch-fleet helper). Is the set right? Missing any obvious shapes?

3. Workspace kinds. Three: scratch, worktree, dir:<path>. Research / ops / digital-twin use cases all work with the default scratch; coding uses worktree; long-running journals and per-subject fleets use dir:. Is the kind vocabulary right, or should we flatten it (e.g., always dir:; scratch is just an auto-allocated path)?

4. Tenant as one nullable column. Design choice: tenants are namespaces, not entity types. One researcher profile serves multiple businesses via --tenant business-a. Is this enough for people actually running multi-business setups (cc @sudo_relax from the design thread), or does it need more — per-tenant access control, cross-tenant task linking, tenant-scoped profile definitions?

5. Dispatcher cadence. Runs via cron, default 60 seconds. Cheap "mini dispatch" (recompute ready) also runs on every hermes kanban list invocation to keep laptop-sleep-wake cases responsive. Too aggressive? Too conservative? Worth a dedicated long-lived ticker process instead?

6. Claim TTL. Default 15 minutes before a claim is considered stale and reclaimed. Workers that know they'll run longer should call heartbeat_claim() periodically. Is 15m the right default, or should it scale with profile (e.g., 60m for backend-eng, 5m for researcher)?

7. terminal-based spawn, output to log file. dispatch_once uses subprocess.Popen with start_new_session=True and redirects output to ~/.hermes/kanban/logs/<id>.log. No stdin. Acceptable, or do we need more — PID recording on the task row? Structured log format? Live-streaming output back to the dispatcher's gateway session?

8. Orchestrator profile design. The kanban-orchestrator skill plus a recommendation to restrict toolsets to [kanban, gateway, memory] is the proposed fix for the "orchestrator does the work itself" failure mode raised by @sudo_relax. Is this enough, or do we need kernel-level enforcement (a "router-only" profile flag that the dispatcher honors)?

9. Running-agent guard bypass. /kanban is in the bypass list (same tier as /background). Mutations are allowed mid-run because the board is profile-agnostic and doesn't touch the running agent's state. Worth a stricter rule — mutations gated, reads allowed?

10. What's left out. Deliberately not in v1: per-tenant access control, cross-tenant links, tenant-scoped profile definitions, round-robin worker pools, auto-assignment ("any idle profile claims it"), smart routing, per-agent budgets, approval gates, fleet dashboards, org-chart types. All user-space (plugins or profile conventions). If any of these feel like they belong in the kernel, say so now.

11. Bugs, edge cases, race conditions — the usual. The concurrent-claim race is tested; the stale-claim recovery is tested; cycle detection in link_tasks is tested (caught a bug during implementation — direction of graph walk). What else should be in the test matrix?

What Kanban does NOT do (intentionally)

• Does not run workers in-process — every worker is a full OS process with its own HERMES_HOME. No SDK-lifecycle fragility (the NanoClaw failure class).
• Does not auto-assign, auto-route, or auto-escalate. All those are user-space profile behaviors.
• Does not delete anything automatically. Archive only; gc removes scratch workspace dirs for archived tasks.
• Does not modify run_agent.py, model_tools.py, or any tool schema.
• Does not invalidate the main session's prompt cache. The board is external to any agent's context.
• Does not cross tenants with task links (v1 limitation; noted in spec §7).

How to try it locally

gh pr checkout 16100
hermes kanban init
hermes kanban create "research AI funding" --assignee researcher
hermes kanban list
hermes kanban dispatch --dry-run
# Then for real:
hermes kanban dispatch

The two skills (kanban-worker + kanban-orchestrator) are in skills/devops/ and load like any other skill.

For a full worked example, see spec §5 (research triage), §6 (the 8 patterns), and §9 (50-account fleet example).

Related systems & design input

The design synthesizes three existing systems plus one April-2026 release:

• Cline Kanban — board + linked tasks + ephemeral worktrees shape. We adopted.
• Paperclip — atomic task checkout + persistent agent identity. Mapped onto Hermes profiles.
• NanoClaw Agent Swarms — the negative lesson: in-process SDK subagent swarms are fragile to upstream lifecycle semantics. We explicitly reject.
• Google Gemini Enterprise Agent Designer + CLI Subagents (April 2026) — portable subagent-as-file artifacts (we'll match in a follow-up hermes profile export), and @name delegation syntax (implemented as P6).

Community design input from the Nous Discord design thread, credited in the PR body: @Teknium, waxhy, A Real Icehole, Keimpe, LLM.STORE, caco, hunter_cat, djm, ionmanden, psbd, Aiz, Rikllo, sudo_relax, neo2k8.

Timing

Happy to let this sit for review. The PR is standing — not merged pending design approval. If something needs to change before we ship, flag it on the PR directly. Higher-level design concerns (primitives, scope boundaries, naming) go here on the RFC.

Thanks in advance for the eyes.

[teknium1]

Update — PR has moved well past the v1 kernel

When this RFC was filed the PR was a ~1,700-LOC kernel: SQLite schema, claim CAS, dispatcher, CLI, slash wiring. It's now ~8,500 LOC across four logical layers. What's on the branch today:

1. Kernel (unchanged intent, hardened in flight)

hermes_cli/kanban_db.py now includes:

• New columns: idempotency_key, spawn_failures, worker_pid, last_spawn_error (all gated by _migrate_add_optional_columns so legacy DBs upgrade cleanly).
• New table: kanban_notify_subs — gateway source (platform + chat + thread) → task, with a per-sub cursor into task_events.
• New status: triage — a parking column for rough ideas a specifier promotes to todo. recompute_ready only scans todo, so triage tasks are naturally isolated from the dispatcher pipeline.
• Idempotent create: create_task(idempotency_key=…) returns the existing non-archived task id instead of creating a duplicate.

2. Dispatcher is now a real daemon

The RFC's "runs via cron every 60 s" was wrong twice over: hermes cron runs LLM prompts (so every tick would cost tokens), and cron jobs can't handle the coordination the dispatcher needs. Shipped:

• hermes kanban daemon — long-lived loop, signal-clean shutdown via threading.Event, foreground-safe.
• plugins/kanban/systemd/hermes-kanban-dispatcher.service — user-service template.
• hermes kanban init prints the setup hint so the board isn't silently inert.
• Spawn-failure circuit breaker: after N consecutive spawn_failed events on the same task, auto-block with the last error as the reason. No more thrashing forever on tasks whose profile is missing or whose workspace can't mount.
• Crash detection independent of claim TTL: spawn now returns the child's PID; detect_crashed_workers() reclaims tasks whose PID has died without waiting the full 15 min.
• Log rotation at 2 MiB, one generation kept — per-task disk usage bounded at ~4 MiB.

3. Dashboard plugin (new surface, plugins/kanban/)

The Discord thread kept circling back to "how do humans actually see this thing." Answer: a bundled dashboard plugin that hermes dashboard picks up automatically. Not a core feature — uses the same plugin contract documented in Extending the Dashboard.

• Board — Linear / Fusion-style columns (triage → todo → ready → running → blocked → done, archived via toggle). Coloured status dots, column counts.
• Cards — id, title, priority, tenant, assignee, comment / link counts, progress pill (N/M children done), staleness colour (per-status thresholds), "created N ago", checkbox.
• Drag-drop — HTML5 on desktop + pointer-based touch fallback on tablets. Destructive drops (done, archived, blocked) prompt for confirmation.
• Multi-select + bulk action bar — shift/ctrl-click or checkbox, then batch status / archive / reassign (profile dropdown + unassign). Per-id partial failures surfaced without aborting the rest.
• Inline create per column with parent-task dropdown over every existing task.
• Drawer on card click: editable title / assignee / priority / description (the description is markdown-rendered by a tiny XSS-safe renderer, every substitution runs on HTML-escaped input, http(s)/mailto links only). Dependency editor with chips + add-parent / add-child dropdowns (cycle attempts rejected server-side). Status action row, comment thread with Enter-to-submit, last 20 events, Worker log panel that auto-loads the last 100 KB of the worker's stdout/stderr. Escape closes.
• Live updates via WebSocket tailing task_events. Debounced reload, exponential-backoff reconnect (capped at 30 s), React ErrorBoundary on the whole page.
• Toolbar — search, tenant, assignee, show-archived, lanes-by-profile, Nudge dispatcher, refresh.
• Stats HUD endpoint — GET /api/plugins/kanban/stats powers a "is this specialist overloaded?" check for router profiles and the dashboard.
• Security — documented: plugin REST is unauthenticated by dashboard design (localhost bind); WebSocket additionally requires the ephemeral session token as ?token=… (constant-time compare via hmac.compare_digest). Don't run --host 0.0.0.0 on a shared host.

4. Gateway closes the loop

A user creating a task via /kanban create in Telegram / Discord / Slack used to get a "Created t_abc" reply and then silence forever. Now:

• A new background watcher (GatewayRunner._kanban_notifier_watcher) polls kanban_notify_subs every 5 s and pushes one message per terminal event (completed, blocked, spawn_auto_blocked, crashed) to each subscribed chat. completed events include the first line of the worker's --result.
• /kanban create in the gateway auto-subscribes the originating chat (platform + chat_id + thread_id).
• Subscriptions auto-remove when the task reaches done / archived.
• Explicit CLI / REST surface exposed for cross-chat notifications: hermes kanban notify-subscribe / notify-list / notify-unsubscribe.

5. CLI surface (15 → 24 verbs)

New: daemon, watch (live task_events stream with --assignee / --tenant / --kinds filters), stats, log, notify-subscribe / notify-list / notify-unsubscribe. Existing verbs now accept multiple ids: complete, unblock, archive all take id1 id2 …; block takes --ids for sibling blocks. create gains --idempotency-key. dispatch gains --failure-limit. gc gains --event-retention-days / --log-retention-days.

6. Tests — 234 / 234 passing

tests/hermes_cli/test_kanban_db.py                 — 42 tests   (schema + CAS atomicity)
tests/hermes_cli/test_kanban_cli.py                — 18 tests   (run_slash end-to-end)
tests/hermes_cli/test_kanban_core_functionality.py — 28 tests   (NEW)
tests/plugins/test_kanban_dashboard_plugin.py      — 30 tests   (NEW)
tests/hermes_cli/test_commands.py                  — 116 tests  (COMMAND_REGISTRY)

The new test_kanban_core_functionality.py covers: idempotency (same key returns existing, archived doesn't block, no-key never collides), circuit breaker (auto-block after N, success resets counter, workspace-resolution failures count), crash detection (_pid_alive helper, real Popen child, dispatcher reclaims), daemon (runs and stops cleanly, survives a tick exception), stats + task_age, notify subs CRUD + cursor advance, gc (events-only-for-terminal-tasks, old log files), log rotation + tail handling, bulk CLI verbs, run_slash parity (smoke-tests every one of the 23 registered verbs; none may raise or return empty string).

All pass under scripts/run_tests.sh (hermetic, 4 xdist workers, TZ=UTC, LANG=C.UTF-8). Live-HTTP smoke tests covered every new endpoint end-to-end.

7. Docs (website/docs/user-guide/features/kanban.md)

Rewritten to match shipped reality:

• Core concepts updated (triage, idempotency, dispatcher-as-daemon-not-cron, circuit breaker behaviour).
• Quick start swapped to daemon, with systemd setup path.
• New sections: idempotent create, bulk verbs, gateway notifications, dashboard (GUI) with full feature list + security model + dashboard.kanban config block, out-of-scope single-host note.
• CLI reference updated for every new verb and flag.

What's still out of scope (on purpose)

• Multi-host — kanban.db is local SQLite and crash detection assumes host-local PIDs. Explicitly documented now. Bridge via delegate_task or a message queue if you need cross-host.
• Smart routing / auto-assignment → a router profile, not a dispatcher feature.
• Per-agent budgets → a plugin that wraps spawn.
• Governance / approval gates → reuse tools/approval.py.
• Extra columns / org-chart / swim-lane reordering / real-time CRDT editing → user-space.

Review asks

1. Kernel concurrency correctness — BEGIN IMMEDIATE + CAS claim path is in kanban_db.py, test_kanban_db.py includes a multi-thread race test.
2. Dispatcher safety — circuit breaker limits, crash-detection host-local assumption, signal handling on non-main threads.
3. Gateway notifier — does a 5 s poll feel right, or should we hook directly into _append_event? (Chose polling for process-isolation: the gateway doesn't share its event loop with the dispatcher or with CLI writers.)
4. Dashboard security model — the plugin-auth-bypass is documented; the WS token compare is hmac.compare_digest. Good enough for localhost-default; call out anything else you want tightened.
5. Dashboard UX — staleness colouring tiers are hand-picked (running 10m/60m, ready 1h/24h, todo 7d/30d, blocked 1h/24h). Reasonable? Should they be config-driven?

PR title updated to feat(kanban): durable multi-profile collaboration board + dashboard GUI + dispatcher daemon to reflect the current surface.

[vulcan-artivus]

Strong RFC and the schema is clean. One critique on scope, then five concrete additions that I think need to land before this is the right primitive for non-fleet workloads.

The implicit assumption

The model — one assignee column, one status machine, one workspace per task — fits one workload very well: fleets of homogeneous specialists processing different subjects. The 50-account fleet, the researcher fleet, P8 fleet farming. When every worker does the same kind of work and only differs in what they're processing, this is the right shape.

It does not compose to heterogeneous role pipelines on the same artifact: PM triages → Engineer implements → Reviewer reviews → (review requests changes) → Engineer iterates → Reviewer re-reviews → PR opens → PM closes out. That's one piece of work, one codebase state, one set of changes — and three or four different profiles need to touch it in sequence (and often loop back).

In v1 today, modeling that pipeline forces one of:

• One row whose assignee mutates on every handoff (silent rewrite, no history of who did what)
• Multiple linked tasks, each with its own worktree/scratch (the reviewer can't inspect the engineer's actual changes; the worktree is gone or duplicated)
• Manual block + comment + unblock + assign glue every time the role rotates (lots of human ceremony for a routine transition)

The P2 Pipeline pattern in §5 acknowledges this exists but treats every step as a separate task. That works for sequential single-shot handoffs (research → write → analyze where each step's output is the input to the next). It does not work for iterative role rotation on a shared artifact, which is the dominant shape for any coding workflow more sophisticated than "fire-and-forget engineer."

Five additions

1. Stages as a first-class concept, distinct from status

Status is "where in lifecycle." Stage is "who is currently driving and what kind of work is happening here." They aren't the same thing once you have role rotation:

status: ready | running | done             ← lifecycle of a single attempt
stage:  triage | implement | review | ...  ← which role/profile is active

A task can be running at the review stage; the reviewer profile is the current driver. When the reviewer finishes and routes back to engineer, status returns to ready but stage is now implement again. Two orthogonal axes.

Concrete schema shape:

ALTER TABLE tasks ADD COLUMN stage TEXT;
-- assignee becomes derived: stage → role → assigned profile
-- (or a per-task override column if a specific profile is pinned)

2. Per-task workflow definitions with success/failure routing

The workflow itself should encode "review fails → back to implement." Otherwise the orchestrator profile has to remember to do it, the human has to do it, or the worker has to do it — all error-prone.

CREATE TABLE workflow_templates (
  id, name, project_or_namespace, ...
);

CREATE TABLE workflow_steps (
  id, template_id, step_key, name,
  role,                  -- maps to a profile via project config
  position,              -- ordering for the board
  success_step_key,      -- "where do I go on success"
  failure_step_key,      -- "where do I go on failure" (often loops backward)
  retry_limit
);

ALTER TABLE tasks ADD COLUMN workflow_template_id TEXT;
ALTER TABLE tasks ADD COLUMN current_step_key TEXT;

The dispatcher promotes a task by following success_step_key/failure_step_key instead of asking an orchestrator agent to decide. The kanban-orchestrator skill becomes mostly redundant — there's nothing for an LLM to be tempted to do itself when the workflow definition is the orchestrator.

This also answers Q8 ("router-only profile") more cleanly: routing is data on the workflow, not behavior we have to coerce out of an LLM with prompt rules.

3. Shared workspace across stages, not per-task

For coding workflows, the worktree IS the artifact. Engineer commits to it, reviewer pulls the same one to inspect actual diffs, PM reads it for close-out. Three roles, one worktree.

workspace_kind is fine as a vocabulary, but the binding needs to be at workflow level when stages share state:

-- Either: workspace lives on the task and persists across stages
-- (current shape, just don't allocate a new one per stage)

-- Or: workspace lives on the workflow run, with per-stage scratch dirs
-- under it for ephemeral side work
ALTER TABLE tasks ADD COLUMN workspace_path TEXT;  -- shared
-- per-stage scratch only when explicitly requested

Default behavior for worktree workspaces: allocated once at task creation, all stages see it. Default for scratch: per-stage if the workflow says so, otherwise shared.

4. Per-stage session journals on the task

Role N+1 needs to read what role N thought, not just what they committed. Comments don't quite cut it — comments are conversational; what the reviewer actually wants is "the engineer's structured handoff: here's what I changed, here's what I tested, here's the residual risk."

CREATE TABLE task_sessions (
  id, task_id, step_key,
  profile,
  started_at, ended_at,
  summary,           -- structured handoff written by the role on completion
  outcome,           -- "passed" | "failed" | "blocked"
  metadata_json      -- e.g. for engineer: {changed_files, tests_run, diff_summary}
                     --      for reviewer: {findings, blockers, approval}
);

This is closer to a proper handoff log than task_comments is. Comments stay for ad-hoc conversation; sessions are structured per-stage records that downstream roles can rely on.

5. Runs separate from tasks

A task that's been attempted 3 times needs run history, not just running → done. With role rotation it's worse — "the second engineer attempt got to review, the third merged" is a thing you absolutely need to see when something goes wrong in production a week later.

CREATE TABLE task_runs (
  id, task_id, step_key, profile,
  started_at, ended_at, status,
  claim_lock, lease_expires_at,        -- claim machinery moves here
  worker_pid, log_path,
  result_json, error
);

The claim CAS in §3 of the spec moves to task_runs (a new run is created on each claim, the task itself just tracks current_step_key and current_run_id). This also makes Q6 (claim TTL) cleaner — TTL is per-run, scaled by the role's expected runtime, not a global default.

Knock-on effects on the open questions

• Q1 boundary with delegate_task: stage-based workflow makes the boundary much easier to articulate. delegate_task = "I want a sub-answer in this run." Kanban = "this work has stages and the next stage might be a different role." The latter is an obvious need-Kanban signal that doesn't depend on durability arguments.
• Q3 workspace kinds: vocabulary stays, but binding moves to task-level (shared) by default for worktree.
• Q4 tenant column: still fine as one nullable string. Tenancy and stage are orthogonal.
• Q6 claim TTL: per-run, derived from the workflow step's retry_limit / expected duration, not a global 15m.
• Q8 router-only profile: mostly obsolete. The workflow template is the router. Orchestrator-as-profile becomes a fallback for genuinely ambiguous cases, not the default coordination mechanism.
• Q10 what's left out: "auto-assignment" is no longer user-space — it's "current stage = X → role = Y → resolve to profile". That should be in the kernel.

Suggestion

Land v1 as-shipped for the fleet-farming use case it does well, but gate v2 on the role-pipeline use case before it ossifies. The schema additions above are small (one column on tasks, three new tables) and each is independently useful. Ordering would be:

1. task_runs (separate run history) — also fixes Q6 cleanly
2. task_sessions (per-stage journal) — supersedes most uses of comments-as-handoff
3. workflow_templates + workflow_steps + tasks.current_step_key — the actual stage routing
4. Workspace sharing default for worktree kind

The current schema is forward-compatible with all of this — none of these additions invalidate v1 rows, they just add structure for tasks that opt into a workflow template.

[teknium1]

Update — Multica audit: four items ported, rest left

Researched Multica (https://github.com/multica-ai/multica, 21.8k stars). It's a Linear-style task tracker in Go + Next.js + Postgres + pgvector with a daemon that shells out to coding CLIs (Claude Code, Codex, OpenClaw, Hermes, etc.). Different architecture from ours — server-authoritative, multi-host, SaaS-shaped — but a few of its ideas are worth porting to our single-host SQLite kernel.

Ported (commit da7d09c):

• Per-task max-runtime. create --max-runtime 30m|2h|1d|<seconds>. enforce_max_runtime() runs every dispatch tick; SIGTERM → 5s grace → SIGKILL → task re-queued with a timed_out event. Multica has this per-agent at the daemon level; ours is per-task which is finer-grained. Blocks runaway workers eating API credits.
• Worker heartbeat. hermes kanban heartbeat <id> [--note "..."] emits a heartbeat event + touches last_heartbeat_at. Orthogonal signal to PID-based crash detection: a worker forking a long-lived subprocess can be alive in Python while the actual work is stuck. Skill updated to tell workers to heartbeat during long loops (training, encoding, crawls).
• Assignee enumeration. hermes kanban assignees and GET /assignees union ~/.hermes/profiles/* on disk with board-assigned names. hermes kanban init prints discovered profiles so new users see what's addressable. Multica auto-detects installed CLIs; ours enumerates profile directories — same UX goal, different mechanism.
• Event vocab cleanup. Agreed their names were clunky; picked cleaner ones for us:
  • Renames: ready → promoted, priority → reprioritized, spawn_auto_blocked → gave_up.
  • New: spawned (with pid), heartbeat, timed_out (with elapsed + limit).
  • Three clusters in the docs — Lifecycle, Edits, Worker telemetry — with payload shapes.
  • One-shot migration renames legacy rows in-place on init_db(); existing DBs upgrade on next open.

Not ported (deliberate):

• Postgres + pgvector for semantic skill search. Cool for their scale; conflicts with our "SQLite, zero cloud deps" kernel. Could revisit as an optional plugin if a user asks.
• Server + daemon cross-host model. Their daemon polls a remote server for work. Ours spawns locally from the SQLite DB. Single round-trip vs network hop per claim. We're single-host by design and the out-of-scope section documents that.
• Agents as first-class threaded-comment identities. Their schema distinguishes user vs agent rows. We keep the board profile-agnostic; assignees are just names. Different trade-off, we kept ours.
• Skills-lock.json from git sources. They distribute skills via git-tracked lock files. We already have our own skills system + plugin system, no need to ape theirs.

Test delta: +18 tests in tests/hermes_cli/test_kanban_core_functionality.py. Full kanban suite now 252/252 under scripts/run_tests.sh. Live-smoke confirmed POST /tasks {max_runtime_seconds: 7200} round-trips, /assignees returns the union, PATCH priority emits reprioritized events.

PR body updated with a new "Multica-inspired additions" section. Latest commit: da7d09c3b

[teknium1]

@vulcan-artivus — useful review, thanks. You called out the right thing: the fleet model fits independent tasks well, but breaks down on a shared artifact moving through roles. Landed your schema-affecting asks in v1 so the model doesn't ossify; deferred the workflow/routing surface to v2 with forward-compat hooks so it can land additively.

In v1 (shipped on #16100, commit 0146cb2):

1. Runs as first-class (your Update snapshot #5). New task_runs table, one row per attempt. Claim opens a run (pid, lock, heartbeat, max_runtime); terminal transitions close it with an outcome — completed / blocked / crashed / timed_out / spawn_failed / gave_up / reclaimed. tasks.current_run_id points at the active run. A retried task has N rows. Claim machinery moved off tasks onto runs. Legacy DBs: migration synthesizes a run for any task that's running pre-migration so upgrades are a no-op.

2. Structured handoffs (subsumes your Fix terminal interactivity #4 without a parallel task_sessions table). hermes kanban complete <id> --summary "..." --metadata '{"changed_files":[...], "tests_run": 14}'. Summary + metadata live on the closing run. build_worker_context rewritten: downstream children read the most-recent completed run's summary + metadata for each parent (falling back to task.result for legacy rows); retrying workers read prior attempts on their own task so they don't repeat a failed path. Your "reviewer writes findings, next reviewer reads them" flow works today via metadata: {"findings": [...]}.

3. Event attribution. task_events.run_id added. Claim/spawned/complete/block/crash/timeout/spawn_fail/gave_up/heartbeat are run-scoped; created/promoted/assigned/edited stay task-scoped. Dashboard and hermes kanban watch can group events by attempt.

4. Dashboard Run History. GET /tasks/:id carries runs[]. Drawer renders one coloured row per attempt with outcome, profile, elapsed, summary, error, metadata; collapses to the last three with +N earlier. New CLI verb hermes kanban runs <id> [--json] mirrors it.

5. Forward-compat for v2. Nullable tasks.workflow_template_id + tasks.current_step_key + task_runs.step_key. v1 dispatcher ignores them; v2 adds workflow_templates + workflow_steps and wires the dispatcher without another schema migration.

Explicitly not in v1:

Your #1 (workflow template DSL) and #2 (status-vs-stage routing) are a real design project — step definitions with success/failure transitions, human-intervention hooks, a dashboard editor, and a dispatcher that consults templates rather than round-robins assignees. Can't responsibly cram that into #16100 without shortcutting the design. Forward-compat columns above keep the door open for v2 to land additively.

Your #3 (shared workspace across stages) — runs on the same task already share a workspace via the workspace field on tasks. Cross-task workspace sharing is a workflow concern and tracks with #1/#2.

One data-model note on your task_sessions proposal: we considered it, but runs + metadata JSON cover the same territory with one join fewer. A stage's "findings" or "changed files" are per-attempt facts, so they belong on the run, not on a separate conversation record. If v2 needs something richer (long conversational transcripts, multi-worker threads on one step), we'd rather layer that on runs than introduce a parallel table.

Diff summary on the PR: 8 files, +1172/−47; 24 new tests (22 kernel + 2 dashboard), 269/269 kanban suite green. PR body has the full change list → #16100

Appreciate the review — the runs-as-first-class bit especially would have been a nasty retrofit if we'd shipped without it.

[teknium1]

◆ Audit pass complete — commits 8ef2ae6 + 1c78f66 on #16100

After runs-as-first-class shipped (0146cb2), did a full integration audit across kernel, dashboard plugin, gateway notifier, and CLI. Found five real bugs where structured runs got orphaned or the dashboard was a second-class citizen. All behavioral; no schema change.

The bugs:

1. archive_task orphaned runs. Archiving a claimed task left the task_runs row with ended_at=NULL forever and stranded tasks.current_run_id. Now closes the active run with outcome='reclaimed'.

2. Dashboard drag-drop off running orphaned runs. Yanking a worker back to the queue (running → ready) cleared claim_lock but left the run open. _set_status_direct now snapshots previous state, calls _end_run(outcome='reclaimed') when transitioning off running, and attaches the closing run_id to the emitted status event.

3. Dashboard PATCH dropped structured handoff. UpdateTaskBody accepted result but not summary or metadata — the dashboard "mark done" button was strictly weaker than hermes kanban complete. Now forwards both to the kernel, achieving full parity.

4. CLI bulk complete silently broadcast the same summary to N tasks. hermes kanban complete a b c --summary X used to attach the same handoff to every run. Refused with a clear stderr message. Bulk close without the flags still works for routine batch closes.

5. Gateway notifier used task.result instead of run.summary in the completion message — which defeated the entire point of having a run summary. Now: complete_task embeds the first-line summary (capped at 400 chars) into the completed event payload, and the notifier reads ev.payload["summary"] with task.result as a legacy fallback. No second SQL round-trip.

Invariant now enforced and documented: tasks.current_run_id IS NULL ⇔ the run row is in a terminal state. Holds across CLI (complete, block, archive), dashboard (drag-drop, PATCH, archive), dispatcher (crash detection, max-runtime watchdog, claim TTL reclaim), and notifier. No code path can leave current_run_id pointing at an open run or clear the pointer without closing the row.

Cleanup: stale spawn_auto_blocked docstring in the gateway notifier → gave_up / timed_out (code was already correct). _set_status_direct now also clears worker_pid on transitions off running (was leaving it set).

Diff: 7 files, +363/−36. New tests: 11 (8 kernel + core, 3 dashboard E2E through FastAPI TestClient). Suite: 164/164 kanban tests green. Live-smoke exercised all five fixed paths plus a re-claim-after-drag sequence.

Docs updated: runs section now covers PATCH parity, completed event payload shape, bulk-close guard, and the reclaimed-on-status-change invariant; event reference tables gained a Payload column.

Two items deferred (noted, not in this PR):

• _append_event auto-resolving run_id when the caller omits it. Every current call site passes it explicitly; low-value change.
• hermes_cli.main discards subcommand exit codes (args.func(args) without propagation). Pre-existing generic bug; tracked separately.

[erosika]

Hi @teknium1, thoughts & bugs !

Pre-merge bugs

unblock_task violates the runs invariant

hermes_cli/kanban_db.py:1236-1248 transitions blocked → ready without clearing current_run_id or closing the prior run. The PR's stated invariant — "tasks.current_run_id IS NULL ⇔ run row in terminal state" — is violated between unblock and the next claim. Eventually consistent (claim_task overwrites the pointer), but the window exists and the audit-pass docstring claims it doesn't.

Fix: call _end_run(outcome='reclaimed') and clear current_run_id inside the unblock transaction, mirroring the archive-from-running fix in commit 8ef2ae6.

Migration backfill race

:409-442 synthesizes run rows for in-flight tasks outside write_txn. A concurrent dispatcher between SELECT and INSERT can produce orphaned runs. Either wrap the loop in write_txn or filter WHERE current_run_id IS NULL in the INSERT to make it idempotent under concurrency.

Notifier subscription leak on non-done terminals

gateway/run.py:2322-2324 only unsubscribes when task.status in ("done", "archived"). Terminal kinds in the notifier include blocked, gave_up, crashed, timed_out — all emit one ping then strand the subscription forever. The cursor advances so events don't replay, but kanban_notify_subs accumulates dead rows.

Fix: unsubscribe on any terminal event kind, not just on terminal task status. Or add a sub-side TTL.

Notifier thrashes against dead chats

Same file, :2326-2330. If adapter.send raises (e.g., chat deleted), exception is caught, cursor not advanced, loop continues. Dead chats retry forever every 5 seconds.

Fix: per-sub error counter mirroring the spawn circuit breaker — after N consecutive send failures, drop the subscription with a notify_unsub_failed event.

recompute_ready full-scan starvation

:974-1003 scans all todo tasks in a single write transaction. At 10k todo tasks with parent graphs, the txn holds the write lock for seconds and starves claim CAS. Acceptable today, will bite long-running boards.

Fix (follow-up): dirty-set approach — only recompute children of tasks that just transitioned to done.

Daemon has no health telemetry

:1849-1990. If every spawn fails (broken venv, missing profiles, PATH drift), the per-task circuit breaker auto-blocks each one but the daemon runs silently. Operators have no signal that the system is broken.

Fix: structured warning when "ready queue non-empty AND zero spawns succeeded across N consecutive ticks." Cheap; high-value.

---

Thoughts on A2A — where this could go after merge

The Kanban primitives are coordination primitives. They model task handoff between profiles, not message-passing between agents. That's the right scope for v1, but several seams suggest where the next layer wants to go.

What's there already that points the right direction

• task_runs.profile records who worked on each attempt
• _profile_author() makes comments profile-aware
• kanban_notify_subs is a working subscription primitive (chat-only today)
• task_events.run_id attributes events per-attempt
• complete_task carries structured summary + metadata payloads

Three narrow gaps inside the v1 model

1. Cross-task role history in build_worker_context. The worker has its profile's SOUL.md / MEMORY.md loaded via HERMES_HOME, but the kanban layer never queries task_runs WHERE profile = task.assignee to surface "what have I (this profile) done before?" ~15 lines, no new dependencies, all existing data:

role_runs = conn.execute(
    "SELECT t.title, r.summary "
    "FROM task_runs r JOIN tasks t ON r.task_id = t.id "
    "WHERE r.profile = ? AND r.task_id != ? AND r.outcome = 'completed' "
    "ORDER BY r.ended_at DESC LIMIT 5",
    (task.assignee, task_id),
).fetchall()

2. Skill ↔ assignee validation. assignee is a free-form string. hermes kanban assignees enumerates profiles but doesn't surface their skills/. A router or specifier profile picking an assignee can't ask "who has the Postgres skill?" Adding skills to the assignee enumeration response unlocks routing-by-capability without changing the kernel.

3. Identity in notifier output. Terminal events fire "task 42 completed:

   " without echoing the profile that did the work. One-line template change to prefix with task.assignee (or the worker's role from SOUL.md if the dispatcher reads it).

Open question: structured comments as the multi-peer session substrate

task_comments today carry [author, body, timestamp] — flat. Adding lightweight structure alongside the freeform body turns the thread on a task into a proper multi-peer session:

• in_reply_to — links a comment to the comment it answers
• addressed_to — resolves @profile mentions to a delivery target
• kind — request / response / acknowledgment

Prose stays in body; structure rides alongside without disrupting the existing API. This is a small schema addition (~3 nullable columns on task_comments) but it's the difference between an event log and a conversation — which is what unlocks workloads the current handoff model can't express cleanly: questions back to the originator without blocking ("@Planner: should I include archived rows?"), peer review without parent-child task links, and downstream agents reading "why" alongside the structured summary / metadata they already get.

It also sets up the obvious next layer: with structured turns and task_runs.profile already attributing every action, an external memory/representation system can derive per-peer representations from the conversation rather than scraping a flat event log. Whether that layer is in-tree or pluggable is a separate decision.

If structured comments are in scope for a near-term v2, happy to sketch the schema diff. If they're explicitly out of scope, equally useful to know.

Where this connects to the pattern taxonomy

P6 (@mention delegation) and P7 (thread-scoped workspace) read more like mechanisms than collaboration patterns. P6 is how you enter Fan-out or Pipeline; P7 is a workspace-binding policy. Splitting the docs section into "patterns" + "mechanisms" sharpens the taxonomy. Once profile-as-subscriber lands, "subscription" joins "mention" and "thread-pin" as a third mechanism

[teknium1]

◆ Second deep-scan audit complete — commit e27c819 on #16100

First audit covered orphaned runs and dashboard parity. This one went wider: frontend rendering, WebSocket event plumbing, dataclass shape, never-claimed-task handling. Eight more issues; all behavioral, no schema change.

Kernel:

1. complete_task on a never-claimed ready task silently lost summary / metadata. The CLI printed "Completed tid" but the handoff went nowhere. Now synthesizes a zero-duration run (started_at == ended_at) when handoff data is present, so attempt history stays complete. Bare complete_task(tid) still creates no run (no spam).

2. block_task had the same bug for --reason. Same fix.

3. Event dataclass had no run_id field. list_events, unseen_events_for_sub, and the dashboard's _event_dict all SELECTed the column but stripped it on the way out — so the notifier and UI couldn't group events by attempt even though the kernel stored the attribution. Added run_id: Optional[int] to the dataclass; every read path surfaces it now.

4. claim_task now has defensive invariant recovery: if a task somehow reaches ready with current_run_id still pointing at an open run (which shouldn't happen, but belts-and-suspenders), the next claim closes the leaked run as reclaimed inside the same txn.

Dashboard:

5. WebSocket /events payload and GET /tasks/:id event arrays now carry run_id per event.

6. TaskDrawer was a snapshot-on-mount view — it didn't re-fetch when WS events for the currently-viewed task arrived. Now the Board maintains a per-task event counter (taskEventTick[taskId]), increments on every WS event, and passes the count as an eventTick prop; the drawer's useEffect depends on it. Background workers completing a task the user is viewing → drawer refreshes immediately.

7. Added CSS rule for .hermes-kanban-run--ended (fallback class the JS emits when outcome is unset). Cosmetic consistency.

CLI:

8. hermes kanban watch --kinds help listed the legacy event name spawn_auto_blocked. The kernel migration renames it to gave_up, so users typing the documented name got zero matches. Updated to the current lexicon.

Diff: 8 files, +303/−8. New tests: 7 (6 kernel, 1 dashboard). Suite: 171/171 kanban tests green. Live-smoke covered all six fixed code paths plus the claim-after-leak recovery sequence.

Docs updated: Runs section gained "Synthetic runs for never-claimed completions" and "Live drawer refresh" paragraphs; event reference table now explicitly notes which kinds have NULL vs populated run_id.

Status: PR is still standing — not merged. Ready for review.

[teknium1]

◆ Tutorial + dashboard screenshots shipped — commit 7206eed on #16100

New tutorial at website/docs/user-guide/features/kanban-tutorial.md. Walks the four user stories the system was designed for, each with real dashboard screenshots from a seeded scenario.

Story 1 — Solo dev shipping a feature. Parent→child deps, structured handoff on completion, drawer Run History rendering.

Story 2 — Fleet farming. Three assignee pools (translator, transcriber, copywriter) pulling independent content tasks in parallel. Lanes-by-profile grouping in the In Progress column, dispatcher daemon per assignee.

Story 3 — Role pipeline with retry. PM spec → eng implements → review blocks → eng retries → review approves. Two-run attempt history (blocked then completed) visible in the drawer with each run's summary and error. Downstream workers read parent summary + metadata automatically via build_worker_context.

Story 4 — Circuit breaker + crash recovery. Cursed deploy-bot task that can't spawn (missing AWS credentials): three consecutive spawn failures → one gave_up terminal run, exactly as designed. Plus an OOM-killed migration that crashed on attempt 1 and recovered on attempt 2 with a chunked strategy — both runs visible in history.

10 screenshots captured via headless chromium at 2x device scale, then repalettized (22 MB → 6.1 MB, no visible quality loss). Every image validates against website/static/; sidebar updated; reference page gets a top banner linking to the tutorial.

Ready for review. PR stays standing.