Kanban dispatcher writes a new .corrupt.bak on every tick after corruption (7,861 backups / 1.7 GB over 37h)

[Hewg74]

Bug: KanbanDbCorruptError backup writes a new .bak on every dispatcher tick → runaway disk usage

Hermes version: v2026.5.16-881-g186bf25cb (HEAD as of 2026-05-24)
Profile: non-default profile (sophia)
Symptom: 7,862 .corrupt.*.bak files (1.7 GB) accumulated in a single per-profile kanban board directory over ~37 hours, with no built-in pruning.

What happened

A board's kanban.db became corrupt at a specific point in time:

sqlite3.OperationalError: disk I/O error

(later re-classified by the newer guard as database disk image is malformed)

After the corruption, gateway/run.py:_tick_once_for_board() calls _kb.connect(board=slug) every minute, which calls _guard_existing_db_is_healthy() (hermes_cli/kanban_db.py:1132). The guard correctly refuses to open the corrupt DB and raises KanbanDbCorruptError — but it also writes a NEW .corrupt.*.bak of the same corrupt file on every tick.

Over ~37 hours and across periods of high-retry activity (with .1.bak, .2.bak, .3.bak suffixes from sub-second retries), this accumulated 7,861 backup files at ~224 KB each = ~1.7 GB, all bit-identical (or near-identical) copies of the same corrupt source.

The directory just before cleanup:

$ ls /home/.../kanban/boards/<slug>/ | wc -l
7861   # all kanban.db.corrupt.<timestamp>.bak files

$ du -sh /home/.../kanban/boards/<slug>/
1.7G

Filename pattern with sub-second collision suffixes:

kanban.db.corrupt.20260525_190559.1.bak
kanban.db.corrupt.20260525_190559.2.bak
kanban.db.corrupt.20260525_190559.3.bak
kanban.db.corrupt.20260525_190604.bak
kanban.db.corrupt.20260525_190609.bak
... (~3.5 backups/min average, peaking higher)

Each backup is essentially a clone of the same bytes — the source corrupt DB doesn't change between dispatcher ticks (no successful writes possible), so the backups are duplicative.

Expected behavior

When the guard detects a corrupt DB:

• Back it up once (first detection) as kanban.db.corrupt.<timestamp>.bak
• On subsequent ticks, skip the backup write if the corrupt source file's mtime/size/sha256 matches the last .bak
• Optionally: cap total .bak files in the dir to N (e.g., 5) with FIFO eviction

This bounds disk impact and stops the runaway.

Suggested fix sketch (in _guard_existing_db_is_healthy)

def _guard_existing_db_is_healthy(path):
    # ... existing corruption check ...
    if corrupt:
        # Find most recent existing .bak
        existing_baks = sorted(glob(f"{path}.corrupt.*.bak"))
        latest_bak = existing_baks[-1] if existing_baks else None

        # Skip if corrupt source hasn't changed since last backup
        if latest_bak and _file_signatures_match(path, latest_bak):
            raise KanbanDbCorruptError(path, latest_bak, reason)

        # Otherwise back up fresh
        new_bak = f"{path}.corrupt.{timestamp()}.bak"
        shutil.copy2(path, new_bak)

        # Optional: FIFO eviction
        if len(existing_baks) >= MAX_CORRUPT_BAKS:
            os.remove(existing_baks[0])

        raise KanbanDbCorruptError(path, new_bak, reason)

Where _file_signatures_match could compare (st_size, st_mtime_ns) for cheapness, or sha256 for correctness.

Workaround used

Used Hermes' own kanban boards delete <slug> (default = archive) to remove the corrupt board, followed by kanban boards create <slug> to recreate fresh. Worked cleanly. The destructive cleanup of the 7,861 stale .bak files happened as a side effect of the boards delete action since the entire board dir is removed.

Root cause of the original corruption

Unknown. We never identified the trigger. The first OperationalError: disk I/O error fired at 2026-05-25 14:59:13 UTC and journalctl for the surrounding 10-minute window showed no kernel events, no disk pressure, no OOM, no apt activity, no fail2ban — nothing systemic. Disk had 36 GB free throughout. Both kanban DBs passed PRAGMA integrity_check at the time on a different (non-active) path; the corruption was confined to one nested per-board DB.

The corruption may correlate with concurrent Honcho/compression refactoring that occurred ~2-3 hours earlier (visible from backup filenames in the profile's migration scripts dir), but this is circumstantial.

This bug report focuses only on the unbounded-backup behavior, not the underlying corruption cause.

Why this matters

A bot with an active kanban board can silently consume gigabytes of disk over days without operator intervention, with no notification mechanism beyond raw journal log spam. The runaway behavior turned a small 104 KB corruption into a 1.7 GB problem, and would have continued indefinitely without manual cleanup.

Reproducibility

Difficult to repro the corruption itself, but the runaway-backup behavior is trivial to repro:

1. Run any Hermes profile with kanban enabled.
2. Corrupt the per-board kanban.db (e.g., truncate to 64 bytes, overwrite a random middle page).
3. Restart the gateway.
4. Wait. Watch ls | wc -l in the board dir grow.

Environment

• Hermes Agent: v2026.5.16-881-g186bf25cb
• OS: Ubuntu (Hetzner VPS)
• Python: 3.x via ~/.hermes/hermes-agent/venv
• Profile setup: non-default profile (sophia) at ~/.hermes/profiles/sophia/, alongside default profile at ~/.hermes/
• Service: per-profile systemd unit (hermes-gateway-sophia.service)

[BlakeB254]

Adding a worse-than-original-report data point: we hit this on a 4-board CDX deployment on Hermes v0.14.0 → HEAD-of-main (108 commits after release) with 7 gateway profiles. Single ~12-minute corruption burst spawned 88,500 .corrupt.<ts>.bak files totalling ~395 GB across 4 boards simultaneously. Disk was at 78% used before cleanup, would have saturated within a couple more incidents.

Apparent root cause (combined with #32749 / #33169): the failure_limit: 2 retry path runs against the original corrupt source file each time, so each per-board failure produces a fresh snapshot rather than reusing the prior one. With 7 concurrent gateway dispatchers each hitting failure_limit on the same DB, we saw kanban.db.corrupt.<ts>.bak, .1.bak, .2.bak, … .7.bak per second.

A second, related issue we hit while recovering: rebuilt DBs via sqlite3 .dump come back in journal_mode=rollback (default), not WAL. Hermes's design expects WAL for the multi-gateway dispatcher race; our first recovery pass re-corrupted within minutes because we forgot to set WAL. Recovery only stuck the second time when we explicitly ran PRAGMA journal_mode=WAL on the rebuilt DBs before swapping in.

Recovery recipe that worked (in case it helps other users hitting this before the fix lands):

# Per corrupt board:
sqlite3 $BOARD/kanban.db ".dump" > /tmp/dump.sql
sed -E 's/^INSERT INTO/INSERT OR IGNORE INTO/; s/^ROLLBACK; -- due to errors/COMMIT;/' \
  /tmp/dump.sql > /tmp/dump_patched.sql
sqlite3 $BOARD/kanban.db.recovered < /tmp/dump_patched.sql
sqlite3 $BOARD/kanban.db.recovered "PRAGMA journal_mode=WAL"   # <-- CRITICAL
sqlite3 $BOARD/kanban.db.recovered "PRAGMA integrity_check"
mv $BOARD/kanban.db $BOARD/kanban.db.preupgrade.bak
mv $BOARD/kanban.db.recovered $BOARD/kanban.db
# Then: systemctl --user restart hermes-gateway-*

For us this salvaged 1,860 tasks across 3 of 4 boards (4th had truly malformed disk image past .dump tolerance — re-init via hermes kanban --board <name> init).

Two test cases that would have caught both bugs:

1. Corrupt a board DB; tick the dispatcher 100×; assert backup file count ≤ 1.
2. After sqlite3 .recover or .dump rebuild, assert PRAGMA journal_mode = wal.

Happy to file a separate WAL-restoration issue if useful, or fold into this thread.

[teknium1]

Fixed on main. Closing with credit + walkthrough.

The kanban SQLite corruption cluster was a real, severe problem across May 2026 — multiple users hit it with overlapping but distinct symptoms (WAL re-init race, fd leaks, torn writes, backup amplification, multi-process WAL/SHM unlink races). Eight related issues in this cluster have been investigated, fixed, and verified live this past week. Your specific case (7,861 backups / 1.7 GB over 37h) and @BlakeB254's worse case (88,500 / 395 GB across 4 boards in 12 min) are exactly the failure mode PR #33804 (merged today) fixes. The new _backup_corrupt_db derives the backup filename from sha256(db)[:16], so retries on unchanged corrupt bytes reuse the same backup file. 10 retries on a 100KB DB → 1 backup, not 11. Bounded by the number of distinct corrupt-state fingerprints, which is small even in a fan-out incident.

Cluster fixes that have landed on main

Commit	Author	What it closes
dc98314fb	@steveonjava	Skip the mutating PRAGMA journal_mode=WAL re-init on every connect() when the DB is already in WAL mode. SQLite's WAL-init path unlinks/recreates the -wal/-shm sidecars on every set-pragma call; under multi-process load that races with active writers and leaves stale (deleted) mappings + torn b-tree writes. The mutating pragma is the precise mechanism that produced the cross-process corruption pattern on shared boards.
5c49cd0ed	@steveonjava	disk i/o error no longer triggers the journal_mode=WAL → DELETE downgrade. Transient EIO re-raises so the caller can back off and retry instead of mutating journal mode mid-incident. Closes the second WAL-flip cascade @Oceanswave documented from log traces.
6416dd518	@steveonjava	Torn-write defenses: synchronous=FULL (was NORMAL), wal_autocheckpoint=100 (tighter checkpoint cadence), secure_delete=ON (zero freed pages so torn writes can't expose stale cells), cell_size_check=ON (corrupt cells surface as read errors instead of silent wrong data).
99c19eb2f	@steveonjava	Post-commit PRAGMA page_count invariant check in write_txn. Aborts a transaction at the boundary if the post-commit page count shrunk unexpectedly — catches the "header_pages > actual_pages" torn-extend shape (this was the exact signature @Oceanswave documented and is what most "header says N pages, file has N-1 pages on disk" reports trace to).
ebe04c66c	Teknium	kb.connect_closing() — proper lifecycle-managed context manager that actually closes connections. The old with kb.connect() as conn: pattern only managed transactions, not file lifecycle; that was the fd-leak engine on every dispatcher tick. Sites in kanban_decompose.py (4×) and kanban_specify.py (3×) all converted. Gateway sites in gateway/run.py (7×) all wrapped in explicit try/finally: conn.close().
c94ad8981	@donovan-yohan	5-minute quarantine retry timer. The dispatcher now re-attempts a corrupt-flagged board after the quarantine TTL even if the fingerprint hasn't changed — transient races no longer permanently latch the board.
99c19eb2f (companion)	@steveonjava	Write-transaction rollback preserves the original exception when both the transaction AND the rollback fail. Better diagnostics for the SIGKILL-mid-WAL path.
90b6b3d18	@squiddy	busy_timeout=120s PRAGMA on every connect — concurrent writers now wait via SQLite's lock queue instead of getting an immediate SQLITE_BUSY and aborting mid-transaction (which is what produces torn WAL frames). Plus connection-level concurrency hardening.
ffdc937c1	@steveonjava	Zombie reaper hoisted out of dispatch_once so the dispatcher tick doesn't hold a write lock while waiting on dead children.
c002668ff	@steveonjava	Grace period in detect_crashed_workers so freshly-spawned workers aren't reclaimed before their PID is visible on /proc.

Plus PR #33804 (merged today) — _backup_corrupt_db filename is now content-addressed ({db}.corrupt.{sha256[:16]}.bak), so retries on unchanged corrupt bytes reuse the same backup file instead of generating a new one per tick. Closes the "7,861 backups / 1.7 GB" amplification that several reports hit hardest.

Live verification

I ran a concurrency stress test against current main during the #33334 close: 20 worker processes × 30 ops = 600 ops on one shared kanban DB. Final state: journal_mode: wal, integrity_check: ok, quick_check: ok, 205 tasks intact. The post-commit page-count invariant fired twice during the run, aborting 2/600 ops with DatabaseError: torn-extend detected — defense-in-depth catching bad writes at the boundary before they reach disk.

Live-verified: 10 retries on an unchanged corrupt DB now produce 1 backup (was 11 backups, 1144 KB vs 104 KB on a 104KB source). Mutating the corrupt bytes correctly produces a separate backup with a different fingerprint, so distinct corruption incidents are still preserved. Cleanup of the existing .corrupt.*.bak accumulation on your system is manual — find /home/.../kanban/boards/<slug>/ -name 'kanban.db.corrupt.*.bak' -mtime +1 -delete is a reasonable one-shot.

Cluster close-with-credit list

Eight issues in this cluster have been or are being closed this week with detailed credit walkthroughs: #29610, #30445, #31502, #30908, #31618, #31736, #32424, #33334. Plus this issue and the other four cluster-fixed reports closing today.

Credit

• @steveonjava — the heavy lifting. Diagnosed the WAL re-init race from inotify traces (the root cause that surfaced across the entire cluster), consolidated 8 separate fix attempts into fix(kanban): batch-salvage 8 SQLite corruption hardening fixes (closes #31158, refs #29610) #32857 → merged via fix(kanban): batch-salvage 7 SQLite corruption hardening fixes from #32857 #33482, plus the torn-write defenses and post-commit invariant.
• @Oceanswave — the gold-standard diagnostic: page-count mismatch shapes, the Rowid out of order / btreeInitPage b-tree signatures, the exact failing stack frames, AND the local-fix design that matches what landed.
• @donovan-yohan — 5-min quarantine retry timer.
• @squiddy — busy_timeout + connection concurrency hardening.
• @hanzckernel — the content-addressed backup design concept (PR fix(kanban): quarantine corrupt DB backups by fingerprint #33529), salvaged + simplified into PR fix(kanban): content-addressed corrupt-DB backup filename (refs #33529) #33804 merged today.

If you can still reproduce on current main

The cluster's worth of fixes is a full week of upstream work and changes how the dispatcher, connection, and corruption-recovery paths behave. If you see new corruption events after pulling current main + a clean restart, please reopen with:

• PRAGMA quick_check and PRAGMA integrity_check output on the affected DB
• The dispatcher log lines from ~/.hermes/logs/gateway.log around the failure window (especially the first stack trace, not just the repeat "is not a valid SQLite database" messages)
• lsof | grep kanban.db | wc -l if you suspect FD pressure
• Whether the failure mode survives a clean hermes gateway restart

That would point at a distinct mechanism we haven't yet covered, and is worth a fresh issue rather than reopening this one.