Dispatcher resilience: deterministic spawn-crash loop, transient SQLite I/O latches dispatch off, archived-parent silently promotes children

[skowalik]

Summary

Running v0.14.0 (commit ba9964ff0, 2026-05-21) on macOS, single-host install with a multi-profile kanban setup. A transient outbound-network blip on the host triggered a cascade that surfaced three independent dispatcher/runtime resilience gaps. None caused data loss (DB integrity stayed ok throughout), but each turns a recoverable hiccup into a state that needs manual intervention. Filing together because they share a theme: the dispatcher/runtime doesn't degrade gracefully from transient or deterministic failures.

Environment: Hermes Agent v0.14.0 / commit ba9964ff0, Python 3.11, macOS, gateway as launchd service with embedded 60s-tick dispatcher, multiple profiles (each with its own skills), SQLite kanban board in WAL mode.

---

Bug 1 — Deterministic spawn-time crash loops forever (circuit breaker doesn't trip on spawn failure)

What happened: A task was pinned to a skill (skills column / --skill) that its assigned profile did not have. Every dispatch tick spawned a worker that died immediately at startup with:

Error: Unknown skill(s): atlas-email-intake-poller

The dispatcher re-spawned it every 60s tick. It accumulated ~1,500 crashed runs in task_runs before being found and manually archived.

Why it matters: This is a deterministic failure — the worker fails identically on every spawn, before doing any work. Retrying can never succeed. The consecutive_failures / DEFAULT_FAILURE_LIMIT circuit breaker (and the auto_blocked path in the dispatcher) exists, but it did not stop this loop — dispatcher output showed spawned=1 crashed=1 auto_blocked=1 promoted=1 repeating indefinitely, i.e. the task was being auto-blocked yet re-promoted and re-spawned each tick.

Expected: After N consecutive spawn-time crashes (e.g. the existing failure limit), the task should be set to blocked (with last_failure_error populated) and stop being re-spawned — not cycle block→promote→spawn→crash forever. A deterministic spawn-time crash (skill missing, bad config) should trip the breaker at least as readily as a runtime timeout does.

Repro:

1. Create a skill that exists only in profile A.
2. Create a kanban task assigned to profile B, pinned to that skill (--skill <name>).
3. Start the gateway; watch the dispatcher spawn+crash the task every tick without ever latching it off.

---

Bug 2 — A single transient SQLite I/O error permanently disables board dispatch until manual gateway restart

What happened: During the network blip (heavy concurrent access, ~4MB -wal mid-write), a momentary I/O error occurred:

sqlite3.OperationalError: disk I/O error
ERROR kanban dispatcher: board default database /…/kanban.db is not a valid SQLite
  database; disabling dispatch for this board until the file changes or the
  gateway restarts.

The DB was not corrupt — PRAGMA integrity_check returned ok, header was valid, all tables readable, disk had 379GB free, and a separate read-only handle kept serving fine. But the dispatcher latched the "disabled" state and stayed disabled even after the file was healthy again, requiring a manual hermes gateway restart to resume.

(Source: gateway/run.py:5182 — "disabling dispatch for this board until the file changes or the gateway restarts.")

Why it matters: Permanently disabling a board on a single transient I/O error means a momentary disk/FS hiccup silently halts all automation until a human notices and restarts. Disabling on genuine corruption is reasonable; latching forever on a transient error is not.

Expected: On the next tick after a disable, cheaply re-validate (e.g. PRAGMA quick_check or a trivial read) and auto-re-enable if it passes — only stay disabled if the DB is actually persistently bad. At minimum, retry-with-backoff rather than latch-until-restart.

---

Bug 3 — Archiving a parent task silently promotes its children (treats archive as success)

What happened / found in code: Child-task promotion treats an archived parent the same as a done parent:

# hermes_cli/kanban_db.py ~line 2131
if all(p["status"] in ("done", "archived") for p in parents):
    # promote child to ready

Why it matters: Archiving is used to cancel/retire a task (e.g. we archived a crash-looping task whose work was moot). But because archived counts as a satisfied dependency, archiving a parent silently advances its children as if the parent had succeeded. A user cancelling a broken/abandoned parent would not expect its dependents to suddenly become ready and run on the assumption the parent's output exists. This can launch downstream work whose precondition was never actually met.

Expected: Distinguish "parent completed successfully (done)" from "parent was cancelled/retired (archived)" for promotion purposes. An archived parent should likely block its children (or require explicit re-parenting), not auto-promote them. At minimum this should be documented and configurable.

---

Why these are grouped

All three are "transient or deterministic failure → unrecoverable/unexpected state without human intervention":

• Bug 1: deterministic crash → infinite retry (should latch off).
• Bug 2: transient I/O → permanent disable (should auto-recover).
• Bug 3: cancellation (archive) → silent promotion (should not treat cancel as success).

Happy to provide full gateway logs, the task_runs history (~1,500 crashed rows for the looping task), or test against a patch. Thanks for the framework — multi-profile + kanban dispatch is genuinely great to build on.

[alt-glitch]

Bug 1 (spawn-crash loop / circuit breaker defeat) is closely related to #29732 which fixes the recompute_ready vacuous-truth all([])==True promoting parentless blocked tasks. Also related to #29328 (sticky gave_up events). Bugs 2 and 3 (SQLite I/O latch, archived-parent promotion) appear novel.

[skowalik]

Thanks for the fast triage — and for the #29732 / #29328 pointers.

On Bug 1: it's in the same symptom family as #29732 (blocked task gets re-promoted → crash-loops), but I want to flag a difference so the fix scope is clear. The looping task in my case did have a parent (1 parent link — its trigger task), so it isn't the parentless all([]) == True vacuous-promotion path that #29732 targets. The driver here was a deterministic spawn-time crash: the task was pinned to a skill its assigned profile didn't have (Unknown skill(s): …), so every spawned worker died at startup, and the dispatcher cycled auto_blocked → re-promoted → spawned → crashed each tick (~1,500 crashed runs). So #29732 may not cover this case on its own — the breaker needs to trip on a deterministic spawn-time failure for a task with satisfied parents, not only on the empty-parents promotion bug. (Possibly #29328's "keep gave_up tasks blocked" is the closer mechanism — if a task that's been given up on stops being re-promoted, that would stop this loop too.)

Glad Bugs 2 and 3 look novel — happy to help on either:

• Bug 2 (transient SQLite I/O latches dispatch off): I have the gateway logs from the event, and the DB passed PRAGMA integrity_check immediately after, so it's a clean repro of "transient error → permanent disable until manual restart." Can share logs or test a re-validate-on-next-tick patch.
• Bug 3 (archived parent promotes children): straightforward — the all(p["status"] in ("done", "archived") …) check treats a cancelled/retired parent as a satisfied dependency. Happy to test a fix that distinguishes done from archived for promotion.

Let me know if you'd like the full logs or want these split into separate issues for tracking.

[vice-magus-faolan]

I hit another repro for Bug 1 that seems to confirm this is broader than the parentless all([]) == True promotion case.

In my case, the looping task did have a parent, but it still got stuck in a repeated:

crash/protocol-violation -> gave_up -> promoted -> respawn

cycle.

What I observed:

• hundreds of repeated runs before intervention
• hundreds of immediate gave_up -> promoted transitions in the event history
• mixed deterministic failure modes, including:
  • worker exits with nonzero status
  • worker recorded as not alive
  • clean worker exit without kanban_complete / kanban_block (protocol violation)

I also checked the gave_up payloads directly, and they showed the circuit breaker was firing, with fields like:

• failures: 1
• effective_limit: 1
• trigger_outcome: crashed

So this did not look like “failure wasn’t noticed.” It looked like the task was correctly marked gave_up, but then still got promoted back to runnable state and re-spawned.

That suggests the underlying issue is: once a task reaches gave_up, it should not be auto-promoted back into the dispatch loop without an explicit unblock, even when the task is parented.

So from my repro, #29732 seems related, but #29328 looks like the more directly relevant fix for the broader gave_up re-promotion loop.