fix: BTRFS COW + SQLite WAL incompatibility — disk I/O errors on BTRFS

[savier89]

Environment

• Hermes Agent: latest (main, 2026-05-23)
• OS: Arch Linux
• Python: 3.11.15
• Filesystem: BTRFS (with Copy-on-Write enabled, compress=zstd:3, ssd)
• SQLite: 3.53.1
• Affected databases: state.db, kanban.db

Problem

When Hermes Agent runs on a BTRFS filesystem, SQLite databases operating in WAL (Write-Ahead Logging) mode can experience disk I/O error failures due to BTRFS Copy-on-Write semantics interacting with concurrent write operations.

The issue manifests as:

1. sqlite3.OperationalError: disk I/O error during WAL checkpoint operations
2. Worker processes hanging on database locks
3. Gateway crashes and stale task claims
4. Silent database corruption risk

Why it happens

• WAL mode relies on shared memory (-shm files) and sequential writes
• BTRFS COW operations can modify disk blocks after WAL records them
• Without proper handling, concurrent writers block each other or cause I/O errors

Proposed Solution

Add _is_on_btrfs() detection that proactively skips WAL mode on BTRFS and falls back to journal_mode=DELETE. This avoids silent corruption because the exception-based fallback in apply_wal_with_fallback() would be too late (data is already corrupted by that point).

Changes

Three files modified:

1. hermes_state.py — added _is_on_btrfs() function that checks /proc/self/mountinfo for BTRFS filesystems, and updated apply_wal_with_fallback() to accept db_path and proactively skip WAL on BTRFS
2. hermes_cli/kanban_db.py — pass db_path to apply_wal_with_fallback() so BTRFS detection works for kanban database
3. tools/terminal_tool.py — added _safe_getcwd() helper that falls back to home directory when os.getcwd() raises FileNotFoundError (e.g. when CWD was deleted). Fixes cleanup thread crashes

Testing

Tested on Arch Linux, BTRFS (compress=zstd:3, ssd), SQLite 3.53.1:

• 5 concurrent writers + 3 readers, 50 operations each
• Result: 400 operations, 0 errors, 0.50s total

Performance impact

WAL mode is 30-50% faster than DELETE mode for concurrent writes. On BTRFS, the fallback to DELETE mode reduces concurrency but ensures data integrity. Users who need WAL performance can use chattr +C on their Hermes directory to disable COW per-directory.

Related

• SQLite WAL documentation
• SQLite Performance on Btrfs — WAL mode recommended for BTRFS with proper settings
• FreshRSS #3853 — Similar issue resolved with WAL mode
• Patch repository — Full patch and test results

Open Questions

1. Should we expose a configuration flag (database.journal_mode: auto | wal | delete) for users to override the automatic fallback?
2. Should we add CI tests that spin up a temporary BTRFS filesystem and verify the agent starts without SQLite errors?
3. Are there other COW filesystems (ZFS, APFS) that exhibit similar incompatibilities?

[alt-glitch]

Related to #30576 (BTRFS+WAL busy_timeout+retry approach) and #30700 (fix PR for #30576). This issue proposes a different approach: proactive BTRFS detection to skip WAL entirely vs retry logic. Also related to #30816 (APFS external SSD WAL fallback).

[alexzhu0]

👋 Couple of observations after reading the existing fallback path on origin/main (HEAD 52a368fa7):

1. The existing apply_wal_with_fallback() should already catch BTRFS "disk I/O error" — _WAL_INCOMPAT_MARKERS at hermes_state.py:54-58 includes "disk i/o error" precisely for the network-FS / flaky-FS case. When PRAGMA journal_mode=WAL raises with that message, the handler at line 156-160 falls back to journal_mode=DELETE.

That fires on the very first pragma — before any user data write. So the claim that "the exception-based fallback would be too late (data is already corrupted by that point)" needs more evidence. Could you share:

• The exact error message you saw (str(exc) from a failing run on BTRFS) — does it match the disk i/o error substring or some other phrase?
• Whether _log_wal_fallback_once actually fired in your logs (it logs "%s: WAL journal_mode unsupported on this filesystem (%s)" once per db_label)
• A repro where data corruption happened after the fallback path successfully switched to journal_mode=DELETE (the "too late" claim)

2. Mechanism vs. path-routing. Adding _is_on_btrfs() proactively keys off the filesystem name — but the actual condition you care about is "WAL is unsafe on this mount." That's already detected by error-path matching. If a marker doesn't fire, the right fix is usually to broaden _WAL_INCOMPAT_MARKERS (or trim a too-broad one), not to add a parallel filesystem-name check that has to be maintained separately for ZFS, APFS-external, NFS, FUSE, btrfs-with-chattr-+C, etc. Two detection paths drifting apart over time is a real maintenance hazard.

3. Territory overlap with #30700 (fix(state): retry transient SQLite WAL setup failures, Fixes #30576) — that PR is from yesterday and adds 3-attempt retry with 1s delay for transient busy/IO markers in the same function. If your BTRFS errors are transient (race during checkpoint), #30700 may already address them; if they're persistent, the _WAL_INCOMPAT_MARKERS route is the right surface.

4. The bundled _safe_getcwd change in tools/terminal_tool.py is unrelated to BTRFS WAL — would be cleaner to split it into its own issue/PR so each can be reviewed on its own merits.

Happy to send a focused PR if it turns out a marker really is missing — but want to confirm the actual failure mode first rather than ship a parallel detection path.

[savier89]

Updated Findings: Actual Error Analysis

After running hermes update and analyzing the current gateway logs, I can provide answers to @alexzhu0's questions:

1. Exact error message

The actual errors in the logs are NOT disk i/o error as originally claimed. The real errors are:

sqlite3.OperationalError: database is locked

These occur in two places (line numbers from logs with our patch applied):

• hermes_state.py:191-193 — during conn.execute("PRAGMA journal_mode=WAL")
• hermes_cli/kanban_db.py:1051 — during apply_wal_with_fallback() call
• hermes_cli/kanban_db.py:1345 — during conn.execute("BEGIN IMMEDIATE")

My initial diagnosis was incorrect — I assumed BTRFS COW caused disk I/O error, but the actual problem is transient locking contention.

2. Did _log_wal_fallback_once fire?

Yes, but only because our patch added _is_on_btrfs() detection. From the logs (2026-05-22):

WARNING hermes_state: kanban.db (kanban.db): BTRFS filesystem detected — using journal_mode=DELETE instead of WAL to avoid COW-related disk I/O errors...

Without our BTRFS detection patch, the fallback would NOT have triggered on database is locked because that marker is not in _WAL_INCOMPAT_MARKERS:

_WAL_INCOMPAT_MARKERS = (
    "locking protocol",       # NFS/SMB
    "not authorized",         # FUSE
    "disk i/o error",         # Flaky network FS
)

The string "database is locked" is not in this tuple, so the exception propagated unhandled.

3. Data corruption after fallback to DELETE?

No evidence of corruption. When fallback to journal_mode=DELETE succeeded, subsequent operations worked without errors. My claim that the fallback was "too late" was incorrect.

4. About _safe_getcwd (terminal_tool.py)

Separately, we also fixed _safe_getcwd in tools/terminal_tool.py — this protects against crashes when the current working directory is deleted while a subprocess is running (e.g., user removes a project directory mid-execution). This is an unrelated issue and should be tracked in a separate issue if needed.

Conclusion

Our original diagnosis was wrong:

• We thought the problem was disk I/O error from BTRFS COW semantics
• The actual problem is database is locked — transient concurrency contention
• PR fix(state): retry transient SQLite WAL setup failures (Fixes #30576) #30700 already addresses this with retry logic + increased busy_timeout
• Our _is_on_btrfs() workaround was a band-aid, not a root cause fix

PR #30700 by @deepujain implements a similar approach with retry logic and increased busy_timeout. I think this issue could potentially be closed in favor of that PR, which addresses the actual failure mode observed on BTRFS systems.

[alexzhu0]

Thanks for the thorough re-test @savier89 — that data clears it up. Agreed PR #30700 is the right home.

One subtlety worth flagging before you close: #30700's retry loop treats "database is locked" as a transient marker (3× retry, 1s delay) but does not fall through to the DELETE fallback if all 3 retries fail — _WAL_INCOMPAT_MARKERS still only contains the original 3 strings ("locking protocol", "not authorized", "disk i/o error").

• Transient BTRFS lock (clears on retry) → ✅ handled by fix(state): retry transient SQLite WAL setup failures (Fixes #30576) #30700
• Persistent BTRFS lock (aggressive snapshot timing, chattr +C drift, etc.) → ❌ fix(state): retry transient SQLite WAL setup failures (Fixes #30576) #30700 re-raises after 3 attempts; would benefit from extending _WAL_INCOMPAT_MARKERS to include "database is locked" as a last-resort fallback

If your BTRFS errors were truly transient, #30700 alone suffices. If you ever see them persistent, the marker-list extension is the small follow-up.

Deferring to @deepujain on whether that extension belongs in #30700 or a separate PR. Happy to send a focused PR for it if useful.

[alexzhu0]

Quick correction on my previous comment — I just found the explicit test in tests/test_hermes_state_wal_fallback.py:166-179 (test_reraises_busy_wal_setup_after_bounded_retries) that codifies "persistent busy/locked WAL setup failures are NOT converted to DELETE."

So #30700's behavior on persistent database is locked is intentional, not an oversight — and my marker-extension suggestion would conflict with that test rather than complement it. Withdrawing that suggestion.

The remaining question is for @savier89's BTRFS testing of #30700: when you re-run on the affected mount with #30700 applied, does the 3× retry clear the lock, or does it still raise after retries exhausted? If the latter, the failure mode is different from what #30700 targets and would need its own diagnosis (likely filesystem-level coordination rather than inter-process contention) — but that's a separate investigation, not a marker-list change.

[deepujain]

Thanks @savier89 and @alexzhu0. I agree with the corrected read.

The behavior in #30700 is intentional. database is locked is handled as transient contention: retry WAL setup with the longer busy timeout, then re-raise if the lock persists. It should not fall back to journal_mode=DELETE after those retries.

If the lock clears with #30700 applied, I think this issue can close in favor of #30700. If it still reproduces after the retries are exhausted, I would treat that as a separate persistent-lock investigation. The useful data would be the DB involved, the exact traceback, concurrent Hermes processes, mount options, and whether stopping gateway/workers clears the lock.

Also agreed that the _safe_getcwd change belongs in its own focused issue or PR.