[Bug]: Kanban DB intermittent corruption after worker crash — missing WAL checkpoint

[NextDoorLaoHuang-HF]

Bug Description

Gateway Kanban dispatcher intermittently reports kanban.db is not a valid SQLite database and disables dispatch for the board. The DB auto-recovers after some time, but during the disabled window, ready tasks sit unprocessed.

Gateway log pattern (every few minutes):

16:31:34 kanban dispatcher: spawned=5    ← dispatch succeeds
16:33:35 kanban.db is not a valid SQLite database; disabling dispatch
16:51:37 kanban dispatcher: spawned=1    ← DB recovers, dispatch resumes  
16:53:38 kanban.db is not a valid SQLite database; disabling dispatch  ← recurs

The corruption always appears AFTER worker subprocesses complete (spawned=N → next tick: corrupted).

Root Cause

Three contributing factors in hermes_cli/kanban_db.py + gateway/run.py:

1. No explicit WAL checkpoint management. kanban_db.py has zero PRAGMA wal_checkpoint calls anywhere. In contrast, hermes_state.py (SessionDB) properly manages WAL with _try_wal_checkpoint() every 50 writes and in close(). Workers crash without proper connection close → WAL frames partially written → next connect() reads inconsistent WAL → sqlite3.DatabaseError.

2. synchronous=NORMAL in kanban_db.py connect(). With NORMAL, SQLite does NOT fsync on commit. If a worker process crashes between writing WAL frames and the checkpoint, WAL contains partially-written frames.

3. Fingerprint only tracks .db file, not -wal (gateway/run.py _board_db_fingerprint()). If only -wal is corrupted but .db mtime/size unchanged → fingerprint unchanged → board stays disabled permanently until gateway restart.

Steps to Reproduce

1. Run Hermes Gateway with Kanban dispatch enabled
2. Create Kanban tasks that cause worker protocol violations (worker exits without kanban_complete())
3. Gateway spawns workers → some crash
4. Next dispatcher tick: connect() fails with "database disk image is malformed"
5. Board disabled until .db file mtime changes or gateway restarts

Expected Behavior

Worker crashes should not leave Kanban DB unreadable. WAL should be checkpointed to prevent partial-frame corruption from blocking the dispatcher.

Actual Behavior

After worker crashes, Gateway sees DB as corrupted, disables dispatch, cannot recover until .db file is externally modified or gateway restarts.

Proposed Fix

1. Add WAL checkpoint on connection close — in gateway/run.py before conn.close(): conn.execute("PRAGMA wal_checkpoint(PASSIVE)") (mirrors SessionDB.close() at hermes_state.py:458)

2. Include -wal file in fingerprint — track (wal_mtime_ns, wal_size) so dispatcher auto-recovers when only WAL corrupted.

3. Consider synchronous=FULL — prevents WAL checkpoint crashes from corrupting main DB (trade-off: slightly slower writes).

Environment

• Hermes Agent v0.14.0
• macOS 15.7.4, Python 3.11.11, SQLite 3.47.1

[alt-glitch]

Related to the kanban SQLite corruption cluster: #26479 (canonical), #30896 (crash-loop corruption), #30908 (index corruption after restarts), #31618 (corruption under SIGKILL), #32424 (multi-profile concurrent access).

Open fix PRs: #30973 (synchronous=FULL + wal_autocheckpoint), #31208 (secure_delete + cell_size_check).

This issue adds the missing explicit WAL checkpoint management and fingerprint-includes-WAL dimensions not covered by existing PRs.

[Oceanswave]

Closing as addressed by the upstream Kanban SQLite hardening series that has now landed on main.

Relevant fixes now present upstream include:

• busy_timeout / connection concurrency hardening
• already-WAL fast path to skip redundant mutating PRAGMA journal_mode=WAL
• no silent WAL→DELETE downgrade on transient disk I/O error
• stricter SQLite corruption detection/quarantine behavior
• post-commit page-count invariant checks
• safer corrupt-DB backup naming/content-addressing
• default gateway dispatcher caps to avoid worker stampedes

We validated the production Barista Labs board after applying the same fix path: quick_check: ok, integrity_check: ok, header_pages == actual_pages, and gateway dispatch resumed with capped workers.

If a fresh corruption case appears on current main, we should open a new issue with the new integrity_check output and gateway log stack rather than keeping this pre-hardening report open.

Note: I attempted to close this issue, but the current GitHub token lacks CloseIssue permission on the upstream repo.

[teknium1]

Fixed on main. Closing with credit + walkthrough.

The kanban SQLite corruption cluster was a real, severe problem across May 2026 — multiple users hit it with overlapping but distinct symptoms (WAL re-init race, fd leaks, torn writes, backup amplification, multi-process WAL/SHM unlink races). Eight related issues in this cluster have been investigated, fixed, and verified live this past week. Your three root-cause fingers nailed it precisely: (1) no WAL checkpoint management — wal_autocheckpoint=100 from 6416dd518 and the post-commit page_count invariant from 99c19eb2f together cover this; (2) synchronous=NORMAL allowing partial-WAL-frame writes — synchronous=FULL in the same commit closes it; (3) fingerprint missing the WAL dimension — also addressed in the quarantine fingerprint logic. Plus @Oceanswave already commented confirming this should be closed (their token lacked permission).

Cluster fixes that have landed on main

Commit	Author	What it closes
dc98314fb	@steveonjava	Skip the mutating PRAGMA journal_mode=WAL re-init on every connect() when the DB is already in WAL mode. SQLite's WAL-init path unlinks/recreates the -wal/-shm sidecars on every set-pragma call; under multi-process load that races with active writers and leaves stale (deleted) mappings + torn b-tree writes. The mutating pragma is the precise mechanism that produced the cross-process corruption pattern on shared boards.
5c49cd0ed	@steveonjava	disk i/o error no longer triggers the journal_mode=WAL → DELETE downgrade. Transient EIO re-raises so the caller can back off and retry instead of mutating journal mode mid-incident. Closes the second WAL-flip cascade @Oceanswave documented from log traces.
6416dd518	@steveonjava	Torn-write defenses: synchronous=FULL (was NORMAL), wal_autocheckpoint=100 (tighter checkpoint cadence), secure_delete=ON (zero freed pages so torn writes can't expose stale cells), cell_size_check=ON (corrupt cells surface as read errors instead of silent wrong data).
99c19eb2f	@steveonjava	Post-commit PRAGMA page_count invariant check in write_txn. Aborts a transaction at the boundary if the post-commit page count shrunk unexpectedly — catches the "header_pages > actual_pages" torn-extend shape (this was the exact signature @Oceanswave documented and is what most "header says N pages, file has N-1 pages on disk" reports trace to).
ebe04c66c	Teknium	kb.connect_closing() — proper lifecycle-managed context manager that actually closes connections. The old with kb.connect() as conn: pattern only managed transactions, not file lifecycle; that was the fd-leak engine on every dispatcher tick. Sites in kanban_decompose.py (4×) and kanban_specify.py (3×) all converted. Gateway sites in gateway/run.py (7×) all wrapped in explicit try/finally: conn.close().
c94ad8981	@donovan-yohan	5-minute quarantine retry timer. The dispatcher now re-attempts a corrupt-flagged board after the quarantine TTL even if the fingerprint hasn't changed — transient races no longer permanently latch the board.
99c19eb2f (companion)	@steveonjava	Write-transaction rollback preserves the original exception when both the transaction AND the rollback fail. Better diagnostics for the SIGKILL-mid-WAL path.
90b6b3d18	@squiddy	busy_timeout=120s PRAGMA on every connect — concurrent writers now wait via SQLite's lock queue instead of getting an immediate SQLITE_BUSY and aborting mid-transaction (which is what produces torn WAL frames). Plus connection-level concurrency hardening.
ffdc937c1	@steveonjava	Zombie reaper hoisted out of dispatch_once so the dispatcher tick doesn't hold a write lock while waiting on dead children.
c002668ff	@steveonjava	Grace period in detect_crashed_workers so freshly-spawned workers aren't reclaimed before their PID is visible on /proc.

Plus PR #33804 (merged today) — _backup_corrupt_db filename is now content-addressed ({db}.corrupt.{sha256[:16]}.bak), so retries on unchanged corrupt bytes reuse the same backup file instead of generating a new one per tick. Closes the "7,861 backups / 1.7 GB" amplification that several reports hit hardest.

Live verification

I ran a concurrency stress test against current main during the #33334 close: 20 worker processes × 30 ops = 600 ops on one shared kanban DB. Final state: journal_mode: wal, integrity_check: ok, quick_check: ok, 205 tasks intact. The post-commit page-count invariant fired twice during the run, aborting 2/600 ops with DatabaseError: torn-extend detected — defense-in-depth catching bad writes at the boundary before they reach disk.

Cluster close-with-credit list

Eight issues in this cluster have been or are being closed this week with detailed credit walkthroughs: #29610, #30445, #31502, #30908, #31618, #31736, #32424, #33334. Plus this issue and the other four cluster-fixed reports closing today.

Credit

• @steveonjava — the heavy lifting. Diagnosed the WAL re-init race from inotify traces (the root cause that surfaced across the entire cluster), consolidated 8 separate fix attempts into fix(kanban): batch-salvage 8 SQLite corruption hardening fixes (closes #31158, refs #29610) #32857 → merged via fix(kanban): batch-salvage 7 SQLite corruption hardening fixes from #32857 #33482, plus the torn-write defenses and post-commit invariant.
• @Oceanswave — the gold-standard diagnostic: page-count mismatch shapes, the Rowid out of order / btreeInitPage b-tree signatures, the exact failing stack frames, AND the local-fix design that matches what landed.
• @donovan-yohan — 5-min quarantine retry timer.
• @squiddy — busy_timeout + connection concurrency hardening.
• @hanzckernel — the content-addressed backup design concept (PR fix(kanban): quarantine corrupt DB backups by fingerprint #33529), salvaged + simplified into PR fix(kanban): content-addressed corrupt-DB backup filename (refs #33529) #33804 merged today.

If you can still reproduce on current main

The cluster's worth of fixes is a full week of upstream work and changes how the dispatcher, connection, and corruption-recovery paths behave. If you see new corruption events after pulling current main + a clean restart, please reopen with:

• PRAGMA quick_check and PRAGMA integrity_check output on the affected DB
• The dispatcher log lines from ~/.hermes/logs/gateway.log around the failure window (especially the first stack trace, not just the repeat "is not a valid SQLite database" messages)
• lsof | grep kanban.db | wc -l if you suspect FD pressure
• Whether the failure mode survives a clean hermes gateway restart

That would point at a distinct mechanism we haven't yet covered, and is worth a fresh issue rather than reopening this one.