[Bug] Kanban DB corruption when gateway and dashboard open the same board DB concurrently (WAL mode)

[baofuen]

Summary

When both hermes-gateway and hermes-dashboard systemd services are running, the SQLite kanban DB (kanban.db) for a board quickly becomes corrupted with integrity-check errors like wrong # of entries in index idx_events_run. The root cause is that two independent processes open the same SQLite DB in WAL mode without any file locking or access serialization.

Environment

• Hermes Agent: v0.13.0
• OS: CentOS 7 (kernel 3.10, glibc 2.17)
• SQLite: 3.50.4 (bundled in venv)
• Setup: systemd services — hermes-gateway.service + hermes-dashboard.service (PartOf)
• Board: wurenji (but any shared board is affected)

Steps to Reproduce

1. Enable both gateway and dashboard as systemd services pointing to the same ~/.hermes directory.
2. Have at least one active kanban board (e.g., wurenji) with tasks.
3. Wait for the gateway kanban dispatcher tick (60s interval) to overlap with dashboard API requests that read the same board.
4. Within minutes to hours, kanban_db.connect() raises KanbanDbCorruptError.

Observed Behavior

Gateway logs:

ERROR gateway.run: kanban dispatcher: tick failed on board wurenji
hermes_cli.kanban_db.KanbanDbCorruptError:
  Refusing to open corrupt kanban DB at .../wurenji/kanban.db:
  integrity_check returned 'wrong # of entries in index idx_events_run'

Dashboard logs (500 Internal Server Error):

starlette.exceptions.HTTPException: 500 — the same KanbanDbCorruptError propagates to the web API

In our environment the board directory accumulated 300+ corrupt backup files (kanban.db.corrupt.*.bak) in under 30 minutes because both services kept retrying and re-corrupting the DB.

Root Cause Analysis

1. hermes_cli/kanban_db.py connect() opens the DB in journal_mode=WAL.
2. Both gateway and dashboard processes call connect(board=slug) independently.
3. When one process triggers a WAL checkpoint or toggles journal_mode, the other process can be mid-transaction, leaving the DB file and -shm / -wal files in an inconsistent state.
4. kanban_db.py only performs post-hoc validation (_guard_existing_db_is_healthy). It detects corruption but does not prevent it.

Suggested Fixes

1. Single-writer architecture: Let gateway own the kanban DB exclusively. dashboard should read board state via an in-memory cache or an HTTP/internal API provided by gateway, not by opening the SQLite file directly.
2. File locking: If direct DB access from both processes is required, use fcntl.flock or SQLite’s built-in busy_timeout + locking_mode to serialize open/close operations.
3. Auto-recovery: When KanbanDbCorruptError is detected, automatically perform iterdump → rebuild instead of requiring manual service stop + python script.
4. Separate DB paths: As a short-term workaround, allow dashboard to use a read-only replica or a separate DB path so the two processes never share the same -wal / -shm files.

Workaround (manual recovery)

sudo systemctl stop hermes-dashboard hermes-gateway
cd ~/.hermes/kanban/boards/<board>
# Use venv Python (newer sqlite3) to dump & reload
python -c "
import sqlite3, os
src = 'kanban.db'
conn = sqlite3.connect(src)
conn.execute('PRAGMA journal_mode=DELETE')
conn.execute('PRAGMA wal_checkpoint(TRUNCATE)')
with open('dump.sql','w') as f:
    for line in conn.iterdump(): f.write(line+'\n')
conn.close()
conn = sqlite3.connect('kanban.db.new')
with open('dump.sql') as f: conn.executescript(f.read())
conn.execute('PRAGMA journal_mode=WAL')
conn.close()
"
mv kanban.db kanban.db.corrupt.$(date +%Y%m%d_%H%M%S).bak
mv kanban.db.new kanban.db
sudo systemctl start hermes-gateway
sudo systemctl start hermes-dashboard

Related

• fix(gateway): close kanban DB connection after dispatch tick #33113 — fix(gateway): close kanban DB connection after dispatch tick
• [Bug] Kanban plugin: kanban.db file descriptor leak — gateway crashes after ~4 days #33159 — [Bug] Kanban plugin: kanban.db file descriptor leak

This issue is a code-level design/architecture bug, not an OS or SQLite bug.

[alt-glitch]

Duplicate of #32424 — same root cause: multi-process concurrent SQLite WAL access to shared kanban.db causes corruption. Part of kanban corruption cluster rooted at #26479. Related PRs: #32449 (singleton pooled connection), #32532 (busy_timeout PRAGMA), #32094 (quarantine hardening).

[Oceanswave]

Closing as addressed by the upstream Kanban SQLite hardening series that has now landed on main.

Relevant fixes now present upstream include:

• busy_timeout / connection concurrency hardening
• already-WAL fast path to skip redundant mutating PRAGMA journal_mode=WAL
• no silent WAL→DELETE downgrade on transient disk I/O error
• stricter SQLite corruption detection/quarantine behavior
• post-commit page-count invariant checks
• safer corrupt-DB backup naming/content-addressing
• default gateway dispatcher caps to avoid worker stampedes

We validated the production Barista Labs board after applying the same fix path: quick_check: ok, integrity_check: ok, header_pages == actual_pages, and gateway dispatch resumed with capped workers.

If a fresh corruption case appears on current main, we should open a new issue with the new integrity_check output and gateway log stack rather than keeping this pre-hardening report open.

Note: I attempted to close this issue, but the current GitHub token lacks CloseIssue permission on the upstream repo.

[reefmind]

Closing as resolved by merged PR(s): #33412.

[teknium1]

Closing as a resolved duplicate of #32424 (kanban corruption cluster, root #26479).

The multi-process WAL concurrency hardening has landed on main. Verified in hermes_cli/kanban_db.py:

• busy_timeout PRAGMA on connect to serialize concurrent open/transactions
• already-WAL fast path (skips redundant mutating PRAGMA journal_mode=WAL)
• content-addressed corrupt-DB quarantine — fixes the kanban.db.corrupt.*.bak storm by deduping identical corrupt bytes
• post-commit header page_count vs actual-file-pages invariant check
• stricter corruption detection/quarantine behavior

Dispatch-side recovery is covered by #33412 (retry corrupt-board dispatch after quarantine), merged on main.

Thanks @baofuen for the detailed root-cause writeup and recovery script — and to @Oceanswave / @reefmind for the close-out notes (the issue stayed open only because the bot tokens lacked CloseIssue permission).

If a fresh corruption case appears on current main, please open a new issue with the new integrity_check output and gateway log stack rather than reopening this pre-hardening report.