kanban.db index corruption after frequent gateway restarts — dispatcher disables board permanently

[pbwheel]

Summary

The kanban dispatcher's SQLite database (~/.hermes/kanban.db) suffers repeated index corruption after frequent gateway restarts (SIGTERM). Once corrupted, the dispatcher permanently disables itself for the board until the file changes or the gateway restarts — but even after restart it detects the same fingerprint and stays disabled because the file size/mtime change is too subtle for the recovery heuristic.

Environment

• Hermes Agent v0.14.0 (2026.5.16)
• macOS (APFS sealed volume, journaled)
• kanban.db uses WAL mode

Reproduction

1. Run gateway with kanban dispatch enabled (kanban.dispatch_in_gateway: true)
2. Restart gateway frequently (e.g., during development: hermes gateway restart multiple times within minutes)
3. At some point release_stale_claims() hits sqlite3.OperationalError: disk I/O error during dispatch
4. This causes an incomplete WAL checkpoint, leaving indices out of sync with the table data
5. On next tick, connect() raises sqlite3.DatabaseError: database disk image is malformed
6. Dispatcher disables the board. Recovery attempt on next tick sees the same (path, mtime, size) fingerprint and stays disabled

Evidence

Corruption pattern (integrity check)

wrong # of entries in index idx_events_run
wrong # of entries in index idx_events_task
wrong # of entries in index idx_runs_status
wrong # of entries in index idx_runs_task
wrong # of entries in index idx_tasks_status
wrong # of entries in index idx_tasks_assignee_status
row 120 missing from index idx_events_run
... (90+ missing index entries across 6 indices)

Gateway log timeline

18:54:53 kanban dispatcher [default]: spawned=1 reclaimed=0 ...
18:55:53 kanban dispatcher: tick failed on board default
  -> sqlite3.OperationalError: disk I/O error (in release_stale_claims)
18:55:53+ kanban notifier tick failed: cannot rollback - no transaction is active (repeated)
18:56:54 kanban dispatcher: board default database ... is not a valid SQLite database; disabling dispatch
18:57:54 kanban dispatcher: board default database changed; retrying dispatch
18:57:54 kanban dispatcher: board default database ... is not a valid SQLite database; disabling dispatch

The second restart attempt already detects a file change but still fails. The .dump + rebuild was required to fix the indices.

Manual recovery that worked

sqlite3 kanban.db '.dump' > dump.sql
sqlite3 kanban.db.new < dump.sql
mv kanban.db.new kanban.db
# integrity_check: ok

This happened twice on 5/22 and 5/23 with identical symptoms.

Root Cause Analysis

The corruption chain:

1. Frequent SIGTERM -> gateway doesn't always complete WAL checkpoint before exit
2. APFS + WAL edge case -> disk I/O error during a read query on partially-checkpointed WAL
3. Index/table desync -> indices become stale relative to table data
4. _is_corrupt_board_db_error() catches DatabaseError -> disables the board correctly
5. Recovery heuristic is fragile -> fingerprint is (path, mtime_ns, size). After a dump/rebuild the file does change, but simply restarting the gateway after the corrupt write doesn't change the fingerprint enough (file size may be identical)

Suggested Fixes

1. Auto-repair on corruption detection (recommended)

When _is_corrupt_board_db_error() fires in _tick_once_for_board(), instead of permanently disabling the board, attempt a self-heal:

• Try REINDEX first (fast, handles most index-only corruption)
• If that fails, fall back to .dump + rebuild (handles deeper page-level corruption)
• If repair succeeds, retry dispatch; if it fails, then disable the board

2. Periodic WAL checkpoint

Add a periodic PRAGMA wal_checkpoint(TRUNCATE) in the dispatcher tick (e.g., every N ticks or every M minutes) to keep the WAL file small and reduce the window for corruption on unclean shutdown.

3. Improve recovery fingerprint heuristic

The current disabled_corrupt_boards recovery only retries when (path, mtime_ns, size) changes. Consider also tracking a generation counter that increments on any gateway restart, so a restart always gets at least one retry attempt before permanently disabling.

4. Add PRAGMA journal_mode=TRUNCATE fallback

For systems where WAL is problematic, allow configuring journal_mode per-board. WAL is preferred for concurrent read/write but TRUNCATE is more resilient to unclean shutdowns.

[alt-glitch]

Related to the kanban DB corruption cluster: #26479 (canonical — dispatcher should handle corrupt DB gracefully), #30687 (corruption + empty top-level → silent data loss), #30445 (multi-gateway concurrent access corruption), #30896 (rapid spawn-crash loop corrupts B-tree).

Fix PRs in flight: #30392 (reject truncated SQLite boards before WAL setup), #30410 (self-heal schema drift + rate-limit tick errors).

[haozhongweng]

+1 hit this on macOS 15.7.5 (APFS) running Hermes a few minutes ago. Reproducer is slightly different from OP's "frequent gateway restarts" — corruption appeared without any restart, just from sustained dispatcher load on a multi-assignee board. Restarts only made it worse afterwards. Posting in case the reproducer helps narrow down which write path is the trigger.

Reproducer (no restart needed)

1. Created a board dev-team with 5 profiles (supervisor / architect / backend / qa / doc), each their own assignee
2. Filed 1 root task that the supervisor task spawned 5 child tasks for
3. Dispatcher (dispatch_interval_seconds: 60, embedded in gateway) cycled through them serially, spawning one subprocess per tick
4. After the 2nd successful spawn (architect → backend), the next tick raised sqlite3.OperationalError: disk I/O error inside release_stale_claims() — same line as OP (kanban_db.py:2539)
5. Errors then repeated every tick for 4+ minutes
6. I ran hermes gateway restart — that did unwedge it once (next tick spawned QA successfully)
7. ~2 minutes later, same error returned. Restarted again, same one-tick reprieve, then re-wedged
8. Final state: database disk image is malformed. Hermes auto-backed up to kanban.db.corrupt.<timestamp>.bak — but the backup itself is also malformed (sqlite3 .tables errors out on the bak too). Multiple .bak files written in the same minute, all unreadable.

So what OP observed as a restart-triggered failure mode looks like it can also originate from a single uninterrupted dispatch loop, with restarts just making the recovery worse.

Diff vs OP's report

	OP (#30908)	Me
Trigger	Frequent gateway restarts	Sustained dispatch, no restart
Boards affected	default	Custom board dev-team
Recovery on restart	Stays disabled (fingerprint heuristic)	Recovers for exactly 1 tick, then re-corrupts
Backup file	(not mentioned)	Auto-backup is also malformed
Workspace impact	(not mentioned)	All scratch workspaces GC'd before downstream tasks could read upstream artifacts

Gateway log (relevant excerpt)

00:22:36 kanban dispatcher [dev-team]: spawned=1 reclaimed=0 ...   # supervisor
00:25:36 kanban dispatcher [dev-team]: spawned=1 ...               # architect
00:26:37 ERROR tick failed on board dev-team
  sqlite3.OperationalError: disk I/O error
    File ".../hermes_cli/kanban_db.py", line 5162, in dispatch_once
      result.reclaimed = release_stale_claims(conn)
    File ".../hermes_cli/kanban_db.py", line 2539, in release_stale_claims
      stale = conn.execute(...
00:27:37 ERROR (same)
00:28:37 ERROR (same)
00:29:37 ERROR (same)
[gateway restart]
00:29:57 kanban dispatcher [dev-team]: spawned=1 ...               # qa (recovered)
00:33:47 kanban dispatcher [dev-team]: spawned=1 ...               # doc
[no more spawn entries — wedged again]
[gateway restart]
[final state] database disk image is malformed (DB unrecoverable + bak files corrupt)

Two extra suggestions on top of OP's

1. Validate the auto-backup before rotating in the new fingerprint. Right now Hermes preserves the corrupt DB to .bak but in my case the .bak was also unreadable, so even a manual recovery via .dump from the backup is impossible. Running PRAGMA integrity_check against the bak before declaring it "preserved" would let Hermes retry the snapshot from a still-good page or surface a clearer error.

2. Single-board lock contention is enough to trigger this. No multi-gateway, no multi-process kanban CLI from the user side — just the embedded dispatcher + one spawned worker subprocess at a time. So if the working theory is "concurrent SQLite access" (Kanban DB corruption risk from multi-gateway concurrent SQLite access #30445), the spawned worker subprocesses opening the same DB while the dispatcher is mid-tick is enough to hit this on APFS. Worth checking whether the dispatcher releases its connection before spawning, or whether it holds a write transaction across the spawn.

Happy to share the corrupt .bak files if useful for repro.

Workaround I'm using now

• Don't restart gateway when "disk I/O error" appears — it doesn't help long-term and burns one of the recovery attempts
• Bumped kanban.dispatch_interval_seconds to reduce write frequency
• Created tasks with --workspace dir:/abs/path instead of scratch so worker output survives even if the DB has to be rebuilt

Hermes Agent v0.14.x, macOS 15.7.5, APFS journaled, Python 3.11, dispatcher embedded in gateway via launchd.