[Bug]: Kanban scratch workspace cleanup can delete real source directories

[nvt-pankajsharma]

This was generated by AI during triage.

Summary

Kanban task completion can delete a real user source directory when a board or task workspace points at an existing project folder but the task uses workspace_kind = scratch.

The worker documentation says scratch is disposable and gets garbage-collected. That behavior is expected. The safety problem is that Hermes currently allows a user-provided/default workdir outside Hermes-managed scratch space to be treated as scratch without warning or blocking, so a misconfiguration can turn normal task completion into data loss.

Impact

• Real source checkouts can be deleted if they are configured as a scratch workspace.
• Sibling workers spawned in the same workspace then fail with FileNotFoundError / os.getcwd() because their cwd has been removed.
• Task logs may not show an explicit rm -rf, making the root cause hard to diagnose.

Relevant Code Path

In hermes_cli/kanban_db.py, successful task completion calls workspace cleanup:

# complete_task(...)
_cleanup_workspace(conn, task_id)

Cleanup removes scratch workspaces:

if kind != "scratch" or not path:
    return

wp = Path(path)
if wp.is_dir():
    shutil.rmtree(wp, ignore_errors=True)

The task schema defaults to scratch:

workspace_kind TEXT NOT NULL DEFAULT 'scratch'

Reproduction Shape

1. Create or use a board whose default workdir points at an existing real source directory, for example:

hermes kanban boards set-default-workdir my-board /path/to/real/source

2. Create a kanban task without explicitly setting a persistent workspace kind such as dir:/path/to/real/source or worktree.
3. Dispatch and complete the task.
4. Completion cleanup treats /path/to/real/source as disposable scratch and may remove it.

Expected Behavior

Hermes should never silently delete a user source directory because it was assigned as a task workspace.

For non-Hermes-managed paths, Hermes should either:

• reject workspace_kind = scratch, or
• require explicit confirmation, or
• coerce/direct users to dir:<absolute-path> or worktree.

Scratch cleanup should only delete directories Hermes itself created under a known Hermes scratch root, such as:

~/.hermes/kanban/workspaces/...

Actual Behavior

If a task has:

workspace_kind = scratch
workspace_path = /path/to/real/source

then successful task completion can call:

shutil.rmtree("/path/to/real/source", ignore_errors=True)

Suggested Fix

Add guardrails before shutil.rmtree():

• Only delete scratch workspaces under the configured Hermes kanban workspaces root.
• Refuse to delete paths containing .git or obvious source-control metadata.
• Refuse to delete paths outside ~/.hermes/kanban/workspaces unless they carry a Hermes-owned marker file.
• Log a warning/error when scratch cleanup is rejected.
• Consider making board default_workdir imply persistent dir:<path> semantics rather than scratch semantics.
• Consider warning in boards set-default-workdir if the target exists and is outside Hermes-managed workspace storage.

Regression Tests

Please add tests for:

• Hermes-created scratch workspace under kanban workspaces root is cleaned up.
• Existing user source directory outside the scratch root is not removed.
• Any path containing .git is not removed by scratch cleanup.
• Board default_workdir cannot accidentally become destructively cleanup-eligible by default.

Severity

P0 / critical because the failure mode is data loss. There is a workaround (dir:<path> or worktree), but the current configuration path is too easy to misuse and the result is severe.

[hanzckernel]

Additional real-world repro / impact note from v0.14.0:

I hit the same root cause in a multi-worker Kanban board where the board metadata had:

default_workdir=/private/tmp/watched-reassess-now-2026-05

Several tasks were created without an explicit --workspace dir:<path>. They therefore inherited that default path as workspace_path while still keeping workspace_kind=scratch. The resulting task rows looked like:

workspace_kind=scratch
workspace_path=/private/tmp/watched-reassess-now-2026-05

Multiple workers and a local watcher/fan-in process used that same directory. When one scratch task completed, _cleanup_workspace() treated the shared default_workdir as disposable scratch and removed the whole directory. The board DB remained healthy and diagnostics stayed at 0, but the watcher failed with FileNotFoundError because its cwd had been deleted.

This makes the failure look like a watcher/worker crash even though the real trigger is scratch cleanup deleting a shared/default workdir.

Local mitigation was to recreate fan-in/review tasks with:

workspace_kind=dir
workspace_path=~/.hermes/workspaces/<board>

and to run watchers from a stable cwd outside /private/tmp.

This seems to confirm that a fix should not only guard real source directories, but also prevent any user-supplied/default_workdir path from being rmtree'd merely because the task row still says workspace_kind=scratch.

[mtorto2]

I hit this in a real local setup on macOS and wanted to add a concrete field report plus one source-side hardening suggestion.

Observed shape:

• A board had default_workdir set to a real source checkout.
• A task was created with workspace_kind='scratch' while inheriting that real checkout as workspace_path.
• The task was marked done from the dashboard, which routed through complete_task().
• complete_task() immediately called _cleanup_workspace().
• Because the row was still scratch, cleanup treated the real checkout as disposable and removed it.

This matches the issue description closely. In my local DB the completion timestamp and the source-tree disappearance lined up within seconds, and the task row retained the dangerous state afterward:

status=done
workspace_kind=scratch
workspace_path=<real source checkout>

I agree that the containment guard before shutil.rmtree() is the critical data-loss fix. I would also recommend closing the bad state at creation time:

if workspace_path is None:
    board_default = read_board_metadata(board_slug).get("default_workdir")
    if board_default:
        workspace_path = str(board_default)
        if workspace_kind == "scratch":
            workspace_kind = "dir"

Rationale: a board default_workdir is durable project state, not a Hermes-created disposable scratch dir. Even with the cleanup guard, leaving these tasks labeled scratch means completion logs a refusal and the task metadata remains semantically misleading.

I pushed a small fork branch with that creation-time behavior plus a focused regression test, if it is useful to fold into one of the open PRs:

https://github.com/mtorto2/hermes-agent/tree/fix/kanban-scratch-workspace-guard

[bthekraken]

Third independent report in 36 hours on v0.14.0 (2026.5.16). My case adds one new data point: hermes auto-set default_workdir to a real source directory without the user ever configuring it — the prior reports describe users explicitly setting it, but in my flow it was the agent's own decision.

Setup

• macOS, Hermes v0.14.0 (2026.5.16), Python 3.11.15
• User had ~3 prior hermes sessions, no kanban boards created before today
• User instruction (verbatim from .hermes_history): "go ahead and start making kanban boards, and go ahead and search linear for any tasks that you think should be migrated over... we got CV-ops, Ember Labs Ops, Ember Labs Clients, Personal stuff, Tethered (...), and the trading stuff..."
• No default_workdir was specified by the user, in the request or in any config they touched.

What hermes did

Created a trading-bot board with this board.json (~/.hermes/kanban/boards/trading-bot/board.json):

{
  "slug": "trading-bot",
  "name": "AI Trading Bot",
  "default_workdir": "/Users/<user>/Claude New/managed-agents/personal",
  ...
}

The user's home is /Users/<user>/ and Claude New/ is the user's entire active work tree (multiple project repos, ~8 GB, 250k+ files). Hermes chose a path two levels inside that tree as the kanban scratch root.

Two tasks were created from the conversation:

id          | status   | workspace_kind | workspace_path
t_bb3b2fd4  | blocked  | scratch        | /Users/<user>/Claude New/managed-agents/personal
t_137e4451  | done     | scratch        | /Users/<user>/Claude New/managed-agents/personal

Same anti-pattern as #28818: auto-set default_workdir → inherited as workspace_path → still labeled scratch → eligible for _cleanup_workspace() rmtree.

Timeline (from ~/.hermes/logs/agent.log)

• 10:17:24 — kanban_complete tool call starts
• 10:17:39 — kanban_complete returns after 15.52s
• 10:17:42 — subprocess (pytest discovery) verifies lab dir alive (lab exists: hermes_leverage_lab_v0)
• 10:17:47 — same subprocess command starts returning [Errno 2] No such file or directory
• 10:20:09 — agent itself logs LocalEnvironment cwd ... is missing on disk; falling back to '/Users/<user>'

Blast radius — notably wider than workspace_path

• Pre-incident: /Users/<user>/Claude New/ had ~78 top-level items, 8.1 GB, 251,547 files
• Post-incident: only an empty managed-agents/ directory remained (recreated at 10:22)

The wipe was much wider than the recorded workspace_path = .../managed-agents/personal. Sibling project directories (cv-dashboard/, ember-labs/, complete-vapors/, etc., all unrelated to the trading-bot board) were all gone too. Either the cleanup walked uphill from managed-agents/personal/ past managed-agents/ to Claude New/, or a separate cleanup ran against a parent. The prior reports don't mention this broader fallout — worth confirming whether _cleanup_workspace() has any parent-traversal in its current form.

Recovery

Restored via tmutil restore from a Time Machine snapshot taken ~50 min before the wipe. 8.1 GB / 251,547 files restored in 2:06. The user had no other backups.

Local mitigation

Added a zsh function that always launches hermes from a dedicated scratch dir:

hermes() {
  (cd \"\$HOME/hermes-scratch\" && command hermes \"\$@\")
}

This bounds the blast radius of cwd-relative scratch path selection, but won't help users who haven't read this thread. Strongly second the suggestion in this issue and in #30151 about a hard ~/.hermes/workspaces/ containment guard before any shutil.rmtree() in _cleanup_workspace(). Auto-chosen default_workdir paths that land outside that containment dir should be rejected at board-creation time, not at task-completion time when it's too late.

Happy to share the full agent.log excerpt covering 10:15–10:21, the kanban DB dump, and the verbatim .hermes_history if useful — kept brief here.