[Bug]: kanban.db corruption when multiple profile gateways share the same board DB

[ParsifalC]

Description

When multiple Hermes profile gateways (e.g., --profile bingge, --profile pixiel, --profile mafei) run concurrently and share the same kanban board DB (~/.hermes/kanban.db), the SQLite database becomes corrupted. The corruption specifically affects the kanban_notify_subs table indexes.

This is not a false positive from PRAGMA integrity_check — the indexes genuinely become inconsistent with the table data.

Environment

• macOS (APFS filesystem)
• SQLite 3.51.0
• Hermes Agent (latest main branch)
• 4 gateway processes: default + 3 named profiles, all sharing kanban.db by design

Root Cause Analysis

Architecture

• kanban_home() intentionally resolves to ~/.hermes/ for all profiles (by design, per the docstring: "The kanban board is shared across profiles")
• Each profile gateway runs its own dispatcher, which opens independent SQLite connections
• CLI commands (hermes kanban create/complete/block/link) also open new connections

The Race

Multiple processes concurrently execute BEGIN IMMEDIATE write transactions against the same DB. While SQLite WAL mode supports concurrent readers + single writer per connection, concurrent WAL checkpoints from separate processes can corrupt the main DB file.

Evidence

1. 4 gateway processes had open file descriptors on kanban.db at time of corruption
2. Last events before corruption show rapid concurrent activity from different profile dispatchers:
   • bingge gateway: completed Sprint 3 PRD (13:04:34)
   • pixiel gateway: spawned Sprint 3 design task (13:04:36)
   • mafei gateway: protocol_violation → gave_up → re-spawned Sprint 2 (13:05:04)
3. Corruption was in kanban_notify_subs indexes (idx_notify_task + sqlite_autoindex_kanban_notify_subs_1)
4. PRAGMA integrity_check returned:

   Tree 10 page 10: btreeInitPage() returns error code 11
   wrong # of entries in index idx_notify_task
   wrong # of entries in index sqlite_autoindex_kanban_notify_subs_1
   

Steps to Reproduce

1. Start 3+ profile gateways: hermes --profile X gateway run --replace
2. Run kanban operations that trigger concurrent writes (task create + claim + notify-subscribe)
3. Observe corruption after ~30-60 minutes of active use

Suggested Fixes

Short-term

Add a file-level advisory lock (fcntl.flock) around all kanban write operations in kanban_db.py. The existing BEGIN IMMEDIATE handles SQLite-level serialization, but doesn't protect against concurrent WAL checkpoints from separate processes.

Medium-term

Serialize kanban writes through a single writer process/thread. Each gateway could send write requests to a central kanban writer instead of opening independent connections.

Long-term

Consider PostgreSQL as an optional backend for multi-profile setups. SQLite's WAL mode has documented limitations with concurrent writers from separate processes.

Workaround

Currently working around by:

1. Monitoring for corruption via PRAGMA integrity_check
2. Recovering from .recover.*.sql dumps when corruption is detected
3. Restarting all gateways after recovery

This is fragile — the recovery SQL can be stale, losing recent task state.

[alt-glitch]

Likely duplicate of #30445 (multi-gateway concurrent SQLite access corruption). Also part of the kanban corruption cluster rooted at #26479. See also #30896 (rapid spawn-crash variant) and #30908 (index corruption after gateway restarts). The specific scenario of multiple profile gateways sharing kanban.db with concurrent WAL checkpoints is exactly #30445.

[ParsifalC]

Workaround: Single-Dispatcher Configuration

Found a config-level workaround that eliminates concurrent kanban.db writes without code changes:

Problem

Each profile gateway runs its own kanban dispatcher → 4 processes writing to the same SQLite file → concurrent WAL checkpoint corruption.

Solution

Disable the dispatcher in all profile gateways except the coordinator:

# Default profile (coordinator) — keeps dispatcher ON
# ~/.hermes/config.yaml
kanban:
  dispatch_in_gateway: true

# All other profiles — disable dispatcher
# ~/.hermes/profiles/<name>/config.yaml
kanban:
  dispatch_in_gateway: false

This ensures only ONE process (the coordinator's gateway) writes to kanban.db. The coordinator's dispatcher still spawns workers for all profiles via hermes -p <assignee> chat -q ..., so task execution continues normally.

What changes

• Before: 4 gateways × 4 dispatchers × 4 SQLite connections = concurrent write corruption
• After: 1 gateway × 1 dispatcher × 1 SQLite connection = no concurrency issue

What doesn't change

• Workers still run under their assigned profile (bingge/pixiel/mafei)
• Workers still use kanban_complete/kanban_block tools (these are sequential within a single worker)
• Task notifications still go to the correct profile's chat channels
• The coordinator dispatcher handles all claim/complete/notify/promote operations

Limitation

All kanban dispatch is now bottlenecked through one gateway. If the coordinator gateway goes down, no tasks get dispatched until it restarts. For most setups this is acceptable — the coordinator is already a critical path.

Verification

# Confirm only one process holds kanban.db
lsof ~/.hermes/kanban.db | wc -l  # Should be 2-3 (one gateway + maybe a CLI command)

# Confirm config
for p in bingge pixiel mafei; do
  grep dispatch_in_gateway ~/.hermes/profiles/$p/config.yaml
done
# All should show: dispatch_in_gateway: false

[teknium1]

Fixed on main. Closing with credit.

Your diagnosis was right on target. The "4 gateways concurrently executing WAL checkpoints from separate processes" race you described had a specific upstream cause that's now fixed:

Root cause: every kb.connect() was re-running PRAGMA journal_mode=WAL, even on an existing WAL-mode DB. SQLite treats that as a fresh-setup call and unlinks/recreates the -wal and -shm sidecars on every connect. With 4 profile gateways concurrently opening connections, the unlink-recreate race against any other process's active WAL write was the mechanism producing the btreeInitPage() returns error code 11 + wrong # of entries in index ... pattern in kanban_notify_subs (and any other index that happened to get crossed during a checkpoint).

Fix: commit dc98314fb ("fix(kanban): skip redundant WAL pragma on already-WAL connections") by @steveonjava. apply_wal_with_fallback() in hermes_state.py now does a read-only PRAGMA journal_mode probe FIRST and short-circuits if the DB is already WAL:

# Read-only probe — no flock, no checkpoint, no WAL/SHM unlink.
# Skipping the set-pragma prevents WAL-init from unlinking files
# other connections hold open.
current_mode = conn.execute("PRAGMA journal_mode").fetchone()
if current_mode and current_mode[0] == "wal":
    return "wal"

So the multi-gateway concurrent-open path no longer triggers WAL sidecar churn. The intentional shared-DB design (kanban_home() resolving to ~/.hermes/ for all profiles) is preserved.

Supporting defenses also landed for the index-corruption surface:

• PRAGMA cell_size_check=ON + PRAGMA secure_delete=ON + PRAGMA synchronous=FULL + PRAGMA wal_autocheckpoint=100 — commit 6416dd518. Surfaces corrupt cells as read errors instead of silent wrong-data returns; tightens checkpoint cadence.
• Post-commit page_count invariant in write_txn — commit 99c19eb2f. Catches a torn page write at the source instead of letting it propagate to next-read index inconsistency.
• Quarantine retry timer — commit c94ad8981 (@donovan-yohan). If a board IS marked corrupt by one gateway, it's not permanently latched — 5-minute retry so transient races resolve themselves.

Credit:

• @steveonjava — diagnosed the WAL re-init race (the actual root cause for this cluster, originally consolidated in fix(kanban): batch-salvage 8 SQLite corruption hardening fixes (closes #31158, refs #29610) #32857)
• @donovan-yohan — quarantine retry timer
• @ParsifalC — clean evidence (4-gateway lsof, exact index names, precise timeline correlating concurrent writes to corruption window)

If you can still reproduce kanban_notify_subs index corruption under multi-profile gateway load on current main, please reopen with the gateway-by-gateway timeline and integrity_check output — the WAL-sidecar-unlink race is closed at its source, so a recurrence would be a different mechanism worth tracking.