fix(kanban): harden SQLite against torn-write corruption (secure_delete + cell_size_check + synchronous=FULL)

[steveonjava]

What does this PR do?

This PR adds three SQLite PRAGMA settings to the kanban database connect() function to protect against data corruption from torn writes and power loss:

• PRAGMA secure_delete=ON — zeros freed pages on disk so stale data can't resurface if a later write leaves the page incomplete
• PRAGMA cell_size_check=ON — catches corrupt cells as errors at read time instead of silently returning wrong data
• PRAGMA synchronous=FULL — requires full fsync before checkpoint, narrowing the window where a crash between WAL commit and main-db write could corrupt a b-tree page header

These are set on every connection. secure_delete also persists to the DB header on fresh DBs, so the protection survives process restarts.

About disclosure: This is a data integrity fix, not a security vulnerability under the project's SECURITY.md §3.2. Database hardening is explicitly welcome as a public PR here — it doesn't cross OS-level isolation boundaries and doesn't fall under the in-scope categories. No private disclosure needed.

Related Issues

This PR addresses one piece of a broader cluster of open kanban-DB-corruption reports:

• Refs Kanban DB corruption risk from multi-gateway concurrent SQLite access #30445 (kanban DB corruption risk from multi-gateway concurrent SQLite access)
• Refs [Bug]: Kanban: rapid worker spawn-crash loop (sub-2s/crash) corrupts board SQLite B-tree before failure_limit trips #30896 (kanban: rapid worker spawn-crash loop corrupts board SQLite B-tree)
• Refs kanban.db index corruption after frequent gateway restarts — dispatcher disables board permanently #30908 (kanban.db index corruption after frequent gateway restarts)

The three pragma changes here are defense-in-depth at the page layer; they do not fix the dispatcher-level write amplification or the gateway-restart latch in those issues but they reduce blast radius when those scenarios fire.

Related PRs

• Refs fix: harden kanban sqlite durability #30645 (synchronous=FULL only) — this PR's synchronous=FULL change overlaps; the additional secure_delete and cell_size_check pragmas are unique to this PR. Up to maintainers which to land.
• Refs fix(state): add PRAGMA synchronous=FULL + TRUNCATE checkpoint to prevent WAL corruption #30654 (state.db: synchronous=FULL + TRUNCATE checkpoint) — sibling DB, same pragma philosophy. Complementary.
• Refs fix(state): retry transient SQLite WAL setup failures (Fixes #30576) #30700 (state.db: retry transient SQLite WAL setup failures, Fixes Fix: SQLite WAL + BTRFS COW compatibility — busy_timeout + retry logic #30576) — adjacent error-recovery angle on the sibling DB.
• Refs fix: harden kanban sqlite corruption handling #30969 (DB-backed dispatcher leases, fail-closed corrupt-DB backup, reconcile-completions safeguards) — same area of kanban_db.py, complementary scope (this PR is page-layer hardening; fix: harden kanban sqlite corruption handling #30969 is dispatcher-layer hardening + recovery). The two PRs may merge-conflict on kanban_db.py but address different failure modes.
• Refs feat(kanban): opt-in HERMES_KANBAN_SYNCHRONOUS_MODE for synchronous=FULL durability hardening #30973 (synchronous=FULL + wal_autocheckpoint for a different root cause) — wal_autocheckpoint is orthogonal; not included here.

Refreshed prior-art snapshot at packaging time (2026-05-23 17:30 PT); these references reflect upstream state at PR open.

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• Add PRAGMA secure_delete=ON to connect() with a comment explaining why (Bug E forensics: torn-write signature, stale-cell-content exposure)
• Add PRAGMA cell_size_check=ON to connect()
• Change PRAGMA synchronous=NORMAL to PRAGMA synchronous=FULL
• Four new tests in tests/hermes_cli/test_kanban_db.py:
  • test_connect_sets_secure_delete_on
  • test_connect_sets_cell_size_check_on
  • test_connect_sets_synchronous_full
  • test_connect_pragmas_applied_on_reconnect

How to Test

Run the kanban DB tests:

scripts/run_tests.sh tests/hermes_cli/test_kanban_db.py -q

All four new tests pass, confirming each pragma is set on fresh and reconnected connections. Full test suite also passes (no behavior changes).

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes)
• I've tested on my platform

[JoshBolding]

I hit a very similar Kanban DB corruption path on WSL after a local worker retry-storm while the local model endpoint was unavailable. The synchronous=FULL part of this PR matches the local patch that stabilized my install.

One extra setting that helped in my local patch was:

conn.execute("PRAGMA journal_size_limit=8388608")
That was meant to keep a retry-storm from letting the WAL grow huge between checkpoints. Not sure if you want that in this PR or as a separate follow-up, but this PR is aligned with the failure mode I saw.

[steveonjava]

Thanks for sharing your reproduction on WSL, @JoshBolding. The synchronous=FULL part of this PR is what actually protects against the corruption pattern you saw, so on its own it should stabilize your install. The journal_size_limit=8388608 setting in your local patch is harmless but does not do what its name suggests: it only takes effect when SQLite runs a TRUNCATE checkpoint, which the default wal_autocheckpoint path never does, so the WAL was already bounded around 4 MiB by wal_autocheckpoint=1000 regardless of the limit. I confirmed it with a 200k-insert retry-storm reproducer: max WAL is 3.95 MiB with or without the pragma set.

[JoshBolding]

That makes sense, thanks for checking it with a reproducer. I had assumed journal_size_limit was helping bound the retry-storm case, but if the default WAL autocheckpoint already keeps it around ~4 MiB and the setting only matters for TRUNCATE checkpoints, then I agree it is not necessary for this fix.

The important part for my case was avoiding the corruption pattern under WSL, so synchronous=FULL covering that is exactly what I was hoping for. Appreciate you digging into it.

[steveonjava]

Bundled into #32857 for batch review. This draft remains open as a cherry-pick fallback if maintainers prefer surgical landing.

[kshitijk4poor]

Merged via #33482 (commit 6416dd5). Authorship preserved.