L0&j UdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZmZddlmZmZddlmZddlmZmZmZddlmZejeZ hd Z!d d hZ"hd Z#e$d eDZ%e j&dkZ'dZ(dZ)dddZ*dZ+dZ,ddZ-ddZ.dZ/dZ0dZ1dZ2dZ3dZ4edd Z5d!e6d"<ej7dd%Z8ej9d&Z:dd(Z;dd*Z<dd+Z=dd,Z>dd-Z?dd.Z@dd0ZAddd2ZBddd4ZCddd5ZDddd6ZEddd7ZFddd9ZGddd:ZHddd;ZIdd<ZJddd>ZKddddddd?ddGZLddddddHddIZMdJdKddNZNdJdOddQZOeGdRdSZPeGdTdUZQeGdVdWZReGdXdYZSeGdZd[ZTd\ZUeVZWd]e6d^<e jXZYd_ZZd`Z[ddaZ\dddZ]ej7ddeZ^ddiZ_ddjZ`GdkdleaZbddnZcddoZd dddpddrZeej7 dddpddsZf dddpddtZgddyZhddzZid{d|d}d~dZjddZkddZlddZmej7ddZnddZoddZpddZqddddddddddddddddd dddddZrddZsddZtdddddddddZude6d<dddddddddd ddZvddZwddZxddZyddZzddZ{ddZ|dd„Z}ddĄZ~ddƄZddddǜdd̈́ZddτZdd҄ZddӄZddՄZ ddd֜ddۄZdddddܜddZddZddddddZddZ dddZdddddZdddddZdddddZddddZdddddZdddddZddZej9dZddZGddeZddddddddZddZddZddZddZdZd Zdd Zdd Zdd Zdd ZdddddZdddddZddddddZddZdddddddZddJddd Zdd!Zdd"Zdd#Zddpdd%Zdd'Zddddd(Zd)ZeZd*Zd+ZdZej9d,ejZdZd-Zd.Zej9d/ejZeGd0d1Zd2ZdZiZd3e6d4<dd7Zdd9Zdd;Zdd<Zdddd?Zddd@ddBZddddCZdZdddDddFZĐddHZŐddIZdddddJddNZddOddPZȐddQZɐddRZeZːddSZ̐ddTZ͐ddUZdddddedddddV dd[Zϐd+d\dd`ZАdddcZѐddfZefddiZӐd djZԐd dkZՐd dlZ֐d dmZאd doZؐddpZِddqZڐd drZېddtZܐddvZddpddxZސdydedddzdd}Zߐdd~ZddZddZddZddddddZ dddZddddZdddddZdddddZddddZddddZddddZdddd dZddpddZdddd!dZd dZd"dZdJdddd#dZd$dZd%dZddZd&dZdS('u SQLite-backed Kanban board for multi-profile, multi-project collaboration. In a fresh install the board lives at ``/kanban.db`` where ```` is the **shared Hermes root** (the parent of any active profile). Profiles intentionally collapse onto a shared board: it IS the cross-profile coordination primitive. A worker spawned with ``hermes -p `` joins the same board as the dispatcher that claimed the task. The same applies to ``/kanban/workspaces/`` and ``/kanban/logs/``. **Multiple boards (projects):** users can create additional boards to separate unrelated streams of work (e.g. one per project / repo / domain). Each board is a directory under ``/kanban/boards//`` with its own ``kanban.db``, ``workspaces/``, and ``logs/``. All boards share the profile's Hermes home but are otherwise isolated: a worker spawned for a task on board ``atm10-server`` sees only that board's tasks, cannot enumerate other boards, and its dispatcher ticks don't touch other boards' DBs. The first (and for single-project users, only) board is ``default``. For back-compat its on-disk DB is ``/kanban.db`` (not ``boards/default/kanban.db``), so installs that predate the boards feature keep working with zero migration. See :func:`kanban_db_path`. Board resolution order (highest precedence first, all optional): * ``board=`` argument passed directly to :func:`connect` / :func:`init_db` (explicit — used by the CLI ``--board`` flag and the dashboard ``?board=...`` query param). * ``HERMES_KANBAN_BOARD`` env var (used by the dispatcher to pin workers to the board their task lives on — workers cannot see other boards). * ``HERMES_KANBAN_DB`` env var (pins the DB file path directly — legacy override still honoured; highest precedence when the file path itself is what the caller wants to force). * ``/kanban/current`` — a one-line text file holding the slug of the "currently selected" board. Written by ``hermes kanban boards switch ``. When absent, the active board is ``default``. In standard installs ```` is ``~/.hermes``. In Docker / custom deployments where ``HERMES_HOME`` points outside ``~/.hermes`` (e.g. ``/opt/hermes``), ```` is ``HERMES_HOME``. Legacy env-var overrides still work: * ``HERMES_KANBAN_DB`` — pin the database file path directly. * ``HERMES_KANBAN_WORKSPACES_ROOT`` — pin the workspaces root directly. * ``HERMES_KANBAN_HOME`` — pin the umbrella root that anchors kanban paths. Useful for tests and unusual deployments. The dispatcher injects ``HERMES_KANBAN_DB``, ``HERMES_KANBAN_WORKSPACES_ROOT``, and ``HERMES_KANBAN_BOARD`` into worker subprocess env so workers converge on the exact DB the dispatcher used to claim their task — even under unusual symlink or Docker layouts. Schema is intentionally small: tasks, task_links, task_comments, task_events. The ``workspace_kind`` field decouples coordination from git worktrees so that research / ops / digital-twin workloads work alongside coding workloads. See ``docs/hermes-kanban-v1-spec.pdf`` for the full design specification. Concurrency strategy: WAL mode + ``BEGIN IMMEDIATE`` for write transactions + compare-and-swap (CAS) updates on ``tasks.status`` and ``tasks.claim_lock``. SQLite serializes writers via its WAL lock, so at most one claimer can win any given task. Losers observe zero affected rows and move on -- no retry loops, no distributed-lock machinery. The CAS coordination is **per-board** — each board is a separate DB, so multi-board installs get the same atomicity guarantees without any new locking. ) annotationsN) ContextVarToken) dataclassfieldPath)AnyIterableOptional)get_toolset_names> donetodoreadyreviewtriageblockedrunningarchived scheduledrr>dirscratchworktreec#>K|]}|VdSN)casefold).0names 9/home/ubuntu/.hermes/hermes-agent/hermes_cli/kanban_db.py r gs*PPD PPPPPPwin32ii ttl_seconds Optional[int]returnintc |tdt|Stjdd}|r+ t|}n#t $rd}YnwxYw|dkr|StS)a5Return the effective claim TTL, honoring the kanban env override. Explicit call-site values win. Otherwise a positive integer from ``HERMES_KANBAN_CLAIM_TTL_SECONDS`` overrides the built-in default. Invalid or non-positive env values fall back silently so existing installs keep working. NHERMES_KANBAN_CLAIM_TTL_SECONDSr)maxr&osenvirongetstrip ValueErrorDEFAULT_CLAIM_TTL_SECONDS)r#rawparseds r_resolve_claim_ttl_secondsr4}s1c+&&''' *..:B ? ? E E G GC  XXFF   FFF  A::M $$sA%% A43A4Kctjdd}|r+ t |}n#t $rd}YnwxYw|dkr|St S)a-Return the crash-detection grace period in seconds. Reads ``HERMES_KANBAN_CRASH_GRACE_SECONDS`` from the environment; falls back to ``DEFAULT_CRASH_GRACE_SECONDS`` when absent, empty, non-integer, or negative. A value of 0 restores immediate-reclaim behaviour (useful for tests). !HERMES_KANBAN_CRASH_GRACE_SECONDSr*r)r,r-r.r/r&r0DEFAULT_CRASH_GRACE_SECONDSr2r3s r_resolve_crash_grace_secondsr<sx *..Temporarily pin the active board for the current context only.N)rEsetreset)rFtokens rscoped_current_boardrLs^ 7::4@@E- %%e,,,,,%%e,,,,s >Az^[a-z0-9][a-z0-9\-_]{0,63}$ Optional[str]c|dSt|}|sdSt|st d|d|S)z>Lowercase + strip a slug; validate; return ``None`` for empty.Nzinvalid board slug zc: must be 1-64 chars, lowercase alphanumerics / hyphens / underscores, not starting with '-' or '_')rGr/lower_BOARD_SLUG_REmatchr0)rFss r_normalize_board_slugrSs |t D !!A t    " "  S$ S S S    Hr!r ctjdd}|r!t |Sddlm}|S)aReturn the shared Hermes root that anchors the kanban board. Resolution order: 1. ``HERMES_KANBAN_HOME`` env var when set and non-empty (explicit override for tests and unusual deployments). 2. ``get_default_hermes_root()``, which already returns ```` when ``HERMES_HOME`` is ``/profiles/``, and returns ``HERMES_HOME`` directly for Docker / custom deployments. The kanban board is shared across profiles **by design** (see the module docstring). Resolving the kanban paths through the active profile's ``HERMES_HOME`` would silently fork the board per profile, which breaks the dispatcher / worker handoff. HERMES_KANBAN_HOMEr*rget_default_hermes_root)r,r-r.r/r expanduserhermes_constantsrW)overriderWs r kanban_homer[sg z~~2B77==??H+H~~((***888888 " " $ $$r!c*tdz dz S)uaReturn ``/kanban/boards`` — the parent of non-default board dirs. ``default`` is intentionally NOT under this directory — its DB lives at ``/kanban.db`` for back-compat with pre-boards installs. This function returns the directory where *additional* named boards live, used by :func:`list_boards` to enumerate them. kanbanboardsr[r!r boards_rootras ==8 #h ..r!c*tdz dz S)zReturn the path to ``/kanban/current``. One-line text file written by ``hermes kanban boards switch `` to persist the user's board selection across CLI invocations. Absent by default (meaning: active board is ``default``). r]currentr_r`r!rcurrent_board_pathrd*s ==8 #i //r!ctpd}|r4 t|}|rt |r|Sn#t $rYnwxYwt jdd}|r4 t|}|rt |r|Sn#t $rYnwxYw t}| r^| d}|r4 t|}|rt |r|Sn#t $rYnwxYwn#t$rYnwxYwtS)u`Return the active board slug, honouring the resolution chain. Order (highest precedence first): 1. ``HERMES_KANBAN_BOARD`` env var (set by the dispatcher on worker spawn, or manually for ad-hoc overrides). 2. ``/kanban/current`` on disk (set by ``hermes kanban boards switch``), but only when that board still exists. 3. ``DEFAULT_BOARD`` (``"default"``). A malformed or stale slug at any step falls through to the next layer with a best-effort warning — the dispatcher must never crash because a user hand-edited a file or removed a board directory. r*HERMES_KANBAN_BOARDutf-8encoding) rEr.r/rS board_existsr0r,r-rdexists read_textOSError DEFAULT_BOARD)scopednormedenvfvals rget_current_boardrt4s&))++1r 8 8 : :F  *622F ,v..      D  *... 3 3 9 9 ; ;C  *3//F ,v..      D     88:: ++w+//5577C 2377F&,v"6"6&% !D      sZ!A A! A!!B<< C C  A E!D=<E= E E E  E EEct|}|stdt}|jdd||dzd|S)uKPersist ``slug`` as the active board. Returns the file written. Writes ``/kanban/current``. The caller should validate the slug exists first (via :func:`board_exists`) — this function does not — so that ``hermes kanban boards switch `` returns an error instead of silently pointing at nothing. board slug is requiredTparentsexist_ok rgrh)rSr0rdparentmkdir write_text)rFrppaths rset_current_boardrdsm#4 ( (F 31222   DKdT222OOFTMGO444 Kr!Nonecj tdS#t$rYdSwxYw)zLRemove ``/kanban/current`` so the active board reverts to ``default``.N)rdunlinkFileNotFoundErrorr`r!rclear_current_boardrusG ##%%%%%      s $ 22boardcPt|pt}t|z S)uReturn the on-disk directory for ``board``. ``default`` is ``/kanban/boards/default/`` **for metadata only** (board.json + workspaces/ + logs/). Its DB file stays at ``/kanban.db`` for back-compat — see :func:`kanban_db_path`. All other boards live at ``/kanban/boards//`` with everything inside that directory including the ``kanban.db``. )rSrnrarrFs r board_dirr}s% ! ' ' 8=D ==4 r!boolct|pt}|tkrdSt|}|dz p|dz S)uReturn True if the board has persisted metadata or a DB on disk. ``default`` is considered to always exist — its DB is created on first :func:`connect` and there's no way for it to be missing in a configuration where the kanban feature is usable at all. T board.json kanban.db)rSrnrrk)rrFds rrjrjs] ! ' ' 8=D }t$A  $ $ & & D1{?*B*B*D*DDr!cFtjdd}|r!t |St |}|t}|tkrtdz St|dz S)u^Return the path to the ``kanban.db`` for ``board``. Resolution (highest precedence first): 1. ``HERMES_KANBAN_DB`` env var — pins the path directly. Honoured for back-compat and for the dispatcher→worker handoff (defense in depth: dispatcher injects this into worker env so workers are immune to any path-resolution disagreement). 2. When ``board`` arg is None, the active board from :func:`get_current_board` is used. 3. Board ``default`` → ``/kanban.db`` (back-compat path). Other boards → ``/kanban/boards//kanban.db``. HERMES_KANBAN_DBr*Nr r,r-r.r/r rXrSrtrnr[rrrZrFs rkanban_db_pathrsz~~0"55;;==H+H~~((***  ' 'D | "" }}}{** T??[ ((r!cLtjdd}|r!t |St |}|t}|tkrtdz dz St|dz S)uReturn the directory under which ``scratch`` workspaces are created. Anchored per-board so workspaces don't leak between projects. ``HERMES_KANBAN_WORKSPACES_ROOT`` pins the path directly (highest precedence) — the dispatcher injects this into worker env. ``default`` keeps the legacy path ``/kanban/workspaces/`` so that existing scratch workspaces from before the boards feature are preserved. Other boards use ``/kanban/boards//workspaces/``. HERMES_KANBAN_WORKSPACES_ROOTr*Nr] workspacesrrs rworkspaces_rootrsz~~=rBBHHJJH+H~~((***  ' 'D | "" }}}x',66 T??\ ))r!cLtjdd}|r!t |St |}|t}|tkrtdz dz St|dz S)uOReturn the directory under which task file attachments are stored. Mirrors :func:`worker_logs_dir` / :func:`workspaces_root`: anchored per-board so attachments don't leak between projects. Each task gets its own ``/.../attachments//`` subdirectory. ``HERMES_KANBAN_ATTACHMENTS_ROOT`` pins the path directly (highest precedence) for tests and unusual deployments. ``default`` uses ``/kanban/attachments/``; other boards use ``/kanban/boards//attachments/``. Workers (which run with full file-tool access) read attached files by the absolute path surfaced in :func:`build_worker_context`. On the local terminal backend — the default for kanban — that path resolves directly. Remote backends (Docker/Modal) need this directory mounted; see the kanban docs. HERMES_KANBAN_ATTACHMENTS_ROOTr*Nr] attachmentsrrs rattachments_rootrs&z~~>CCIIKKH+H~~((***  ' 'D | "" }}}x'-77 T??] **r!task_idc(t||z S)z?Return the per-task attachment directory ``//``.r)rrrs rtask_attachments_dirrs % ( ( (7 22r!ct|}|t}|tkrtdz dz St |dz S)uDReturn the directory under which per-task worker logs are written. ``default`` keeps the legacy path ``/kanban/logs/``. Other boards use ``/kanban/boards//logs/``. Logs follow the board — makes ``hermes kanban log`` unambiguous even when multiple boards have tasks with the same id. Nr]logs)rSrtrnr[rrs rworker_logs_dirrsQ ! ' 'D | "" }}}x'&00 T??V ##r!cRt|pt}t|dz S)zReturn the path to ``board.json`` for ``board``. Stores display metadata (display name, description, icon, color, created_at). The on-disk slug is the canonical identity; this file is purely for presentation in the CLI / dashboard. r)rSrnrrs rboard_metadata_pathrs' ! ' ' 8=D T??\ ))r!cdd|dddDp|S)uTurn a slug into a reasonable default display name. ``atm10-server`` → ``Atm10 Server``. Users can override via ``board.json`` but the default should look presentable in the dashboard without any follow-up editing.  c3BK|]}||VdSr) capitalize)rparts rr z._default_board_display_name.. s2\\$W[\DOO%%\\\\\\r!_-)joinreplacesplit)rFs r_default_board_display_namersG 88\\$,,sC2H2H2N2Ns2S2S\\\ \ \ d`ddr!dictc t|pt}|t|ddddddd} t|}|rWt j|d}t|tr||d<| |n#tt j f$rYnwxYwtt||d<|S) u8Return ``board.json`` contents (or synthesized defaults). Never raises — a missing / malformed ``board.json`` falls back to a synthesised entry so the dashboard always has something to render. Includes the canonical ``slug`` and ``db_path`` so the caller doesn't need to reconstruct them. r*NF)rFr descriptioniconcolordefault_workdir created_atrrgrhrFdb_path)rSrnrrrkjsonloadsrl isinstancerupdatermJSONDecodeErrorrGr)rrFmetapr2s rread_board_metadatars ! ' ' 8=D+D11  D   % % 88:: !*Q[['[::;;C#t$$ !#F  C   T) *     ...//DO KsA:B++CC)rrrrrrrrrrrOptional[bool]rct|pt}t|}|dd|3t |pt ||d<|t ||d<|t ||d<|t ||d<|t||d<||rt |nd|d<|d s#ttj |d <t|} | j d d | tj|d d dzdt t#||d<|S)zCreate / update ``board.json`` for ``board``. Preserves any existing fields not mentioned in the call. Sets ``created_at`` on first write. Returns the resulting metadata dict. rNrrrrrrrTrwF)indent ensure_asciirzrgrh)rSrnrpoprGr/rrr.r&timerr{r|r}rdumpsr) rrrrrrrrFrr~s rwrite_board_metadatar2s ! ' ' 8=D t $ $D HHY 4yy((M,G,M,MV !+..] 4yyV  E W >>Z":I"S#o"6"6"6t  88L ! !. --\ t $ $DKdT222OO 4666=...//DO Kr!rrrrrct|}|stdt||||||}t||S)u Create a new board directory + DB + metadata. Idempotent. Returns the resulting metadata. Raises :class:`ValueError` for a malformed slug; returns the existing metadata (not an error) if the board already exists — matching ``mkdir -p`` semantics. rvrr)rSr0rinit_db)rFrrrrrrprs r create_boardr^sf#4 ( (F 31222   '    D & Kr!T)include_archivedr list[dict]cg}t}|tt|tt }|rt|dD]}|s|j } t|}n#t$rY;wxYw|r||vrF|dz }|dz }|s|syt|} | dr|s|| |||S)aEnumerate all boards that exist on disk. Always includes ``default`` (even when the ``boards/default/`` metadata dir doesn't exist, because its DB is at the legacy path). Other boards are discovered by scanning ``boards/`` for subdirectories that either contain a ``kanban.db`` or a ``board.json``. Returns a list of metadata dicts, sorted with ``default`` first and the rest alphabetically. c4|jSr)rrO)rs rzlist_boards..s!&,,..r!keyrrr)rIappendrrnaddrais_dirsortediterdirrrSr0rkr.) rentriesseenrootchildrFrphas_dbhas_metars r list_boardsr}syGUUD NN&}55666HH] ==D {{}}DLLNN0H0HIII  E<<>> :D .t44     Vt^^k)1133F ,4466H h &v..Dxx ## ,<  NN4 HHV     Ns7C CC)archiverc>t|}|std|tkrtdt|}|std|dt |krt tt|dz |rtdz }| ddttj}||d |z }d }|r&||d |d |z }|d z }|&|||d t|d Sd dl}|j||ddd S)uRemove or archive a board. ``archive=True`` (default) moves the board's directory to ``/kanban/boards/_archived/-/`` so the data is recoverable. ``archive=False`` deletes the directory outright. The ``default`` board cannot be removed — raises :class:`ValueError`. Returns a summary dict describing what happened (``{"slug", "action", "new_path"}``). rvz%the 'default' board cannot be removedzboard z does not existr _archivedTrwrr(r)rFactionnew_pathrNdeletedr*)rSr0rnrrkrtr_INITIALIZED_PATHSdiscardrGresolverar|r&rrenameshutilrmtree) rFrrpr archive_roottstargetsuffixrs r remove_boardrs#4 ( (F 31222 @AAA&A 88::=;&;;;<<<f$$ sA O#<#<#>#>??@@@E"}}{2 4$777   6 0 0B 0 00mmoo !v$=$=$=$=V$=$==F aKFmmoo  *#f++NNN  a)DDDr!ceZdZUdZded<ded<ded<ded<ded<d ed <ded <d ed <d ed<d ed<ded<ded<ded<d ed<ded<dZded<dZded<dZded<dZd ed<dZ d ed<dZ ded<dZ d ed<dZ d ed<dZ d ed<dZded <dZded!<dZd"ed#<dZded$<dZd ed%<d&Zd'ed(<dZd ed)<dZded*<ed0d/ZdS)1Taskz1In-memory view of a row from the ``tasks`` table.rGidtitlerMbodyassigneestatusr&priority created_byrr$ started_at completed_atworkspace_kindworkspace_path claim_lock claim_expirestenantN branch_nameresultidempotency_keyrconsecutive_failures worker_pidlast_failure_errormax_runtime_secondslast_heartbeat_atcurrent_run_idworkflow_template_idcurrent_step_keyzOptional[list]skillsmodel_override max_retriesFr goal_modegoal_max_turns session_idrow sqlite3.Rowr%'Task'c t|}d}d|vrW|drO tj|d}t |t r d|D}n#t $rd}YnwxYw|d&id|dd|dd|dd|dd|dd|dd |d d |d d |d d |d d |d d|ddd|vr|dndd|dd|ddd|vr|dnddd|vr|dnddd|vr|dnddd|vr|dn d|vr|dnddd|vr|dnddd|vr|dn d|vr|dnddd|vr|dnddd|vr|dnddd|vr|dnddd|vr|dnddd|vr|dndd|d d |vr|d r|d ndd!d!|vr|d!ndd"d"|vr|d"rt|d"nd#d$d$|vr|d$r|d$ndd%d%|vr|d%ndS)'Nr c0g|]}|t|Sr`)rG)rrRs r z!Task.from_row...s##@#@#@qa#@CFF#@#@#@r!rrrrrrrrrrrrrrrrrrrspawn_failuresrrrlast_spawn_errorrrr r r r rrFrrr`)rIkeysrrrlist Exceptionr)clsrr skills_valuer3s rfrom_rowz Task.from_row%s5388::'+ t  H  $CM22fd++A#@#@F#@#@#@L $ $ $#  $s> > > 4yy> g,,> V> __ > x== > __ > <((> <((> <((> ^,,> /00> /00> / <((> o..> %-$4$43x==$!> "%-$4$43x==$#> $7H46O6OC 122UY%> (0F/M/M*++ 0@4/G/Gc*++Q3> 6-9D,@,@s<((d7> :.BT-I-I())1Ct1K1Kc,--QU?> D/Dt.K.K)**QUE> J-@4,G,G'((TK> P*:T)A)A$%%tQ> V0F/M/M*++SWW> \,>+E+E&''4]> `  b5E4L4LQTUeQf4L3/00lpc> f'4t&;&;M""g> l+6*=*=#kBR*=S%&&&X]m> r*:T)A)AcJZF[)A$%%aes> x&2T%9%9L!!ty> > s;A-- A<;A<)rrr%r)__name__ __module__ __qualname____doc____annotations__rrrrrrrrr r r r r rrrr classmethodrr`r!rrrs;; GGGJJJKKKMMMOOO!!!!    !%K%%%% F    %)O))))!"!!!! $J$$$$)-,,,,)-----'+++++$(N((((*.....&***** "F!!!!$(N(((("&K%%%%I%)N(((( !%J$$$$I I I [I I I r!rceZdZUdZded<ded<ded<ded<ded <ded <d ed <d ed <d ed<d ed<ded<d ed<ded<ded<ded<ded<eddZdS)RunurIn-memory view of a ``task_runs`` row. A run is one attempt to execute a task — created on claim, closed on complete/block/crash/timeout/spawn_failure/reclaim. Multiple runs per task when retries happen. Carries the claim machinery, PID, heartbeat, and the structured handoff summary that downstream workers read via ``build_worker_context``. r&rrGrrMprofilestep_keyrrr$rrrrrended_atoutcomesummaryOptional[dict]metadataerrorrrr%'Run'c  |drtj|dnd}n#t$rd}YnwxYw|didt|dd|dd|dd|dd|dd|dd|dd |d d |d d |d d t|d d |d t|d ndd|dd|dd|d|dS)Nr.rrr(r)rrrrrrrr*r+r,r/r`)rrrr&)rrrs rrz Run.from_rows 25j/K4:c*o...tDD   DDD s   3t9~~~  NN  NN __  x==  <((  o.. <(( !$$9 : : ""566 3|,--- /2*o.Ic#j/***t  NN  NN T g,,!  s $' 66N)rrr%r0)r r!r"r#r$r%rr`r!rr'r'rs GGGLLLKKK    &&&&$$$$OOO   [   r!r'cBeZdZUded<ded<ded<ded<ded<dS) Commentr&rrGrauthorrrN)r r!r"r$r`r!rr3r3s= GGGLLLKKK IIIOOOOOr!r3cdeZdZUdZded<ded<ded<ded<ded <ded <ded <ded <d S) Attachmentz -- to the worker, overriding the profile's default model. NULL = use -- the profile default. model_override TEXT, -- Per-task override for the consecutive-failure circuit breaker. -- The value is the failure count at which the breaker trips — e.g. -- ``max_retries=1`` blocks on the first failure. NULL (the common -- case) falls through to the dispatcher-level ``kanban.failure_limit`` -- config and then ``DEFAULT_FAILURE_LIMIT``. max_retries INTEGER, -- When 1, the dispatched worker runs in a Ralph-style goal loop: an -- auxiliary judge re-evaluates the worker's response against the -- card title/body after each turn and feeds a continuation prompt -- back into the SAME session until the judge agrees the work is done -- or ``goal_max_turns`` is exhausted. NULL/0 = classic single-shot -- worker (the default). goal_mode INTEGER NOT NULL DEFAULT 0, -- Goal-loop turn budget for ``goal_mode`` workers. NULL = use the -- goals-engine default. goal_max_turns INTEGER, -- Originating chat/agent session id when the task was created from -- inside an agent loop that propagated ``HERMES_SESSION_ID``. NULL -- for tasks created from the CLI, dashboard, or any path that doesn't -- set the env var. Indexed so per-session list queries stay cheap on -- larger boards. session_id TEXT ); CREATE TABLE IF NOT EXISTS task_links ( parent_id TEXT NOT NULL, child_id TEXT NOT NULL, PRIMARY KEY (parent_id, child_id) ); CREATE TABLE IF NOT EXISTS task_comments ( id INTEGER PRIMARY KEY AUTOINCREMENT, task_id TEXT NOT NULL, author TEXT NOT NULL, body TEXT NOT NULL, created_at INTEGER NOT NULL ); CREATE TABLE IF NOT EXISTS task_events ( id INTEGER PRIMARY KEY AUTOINCREMENT, task_id TEXT NOT NULL, run_id INTEGER, kind TEXT NOT NULL, payload TEXT, created_at INTEGER NOT NULL ); -- Historical attempt record. Each time the dispatcher claims a task, a -- new row is created here; claim state, PID, heartbeat, runtime cap, -- and structured summary all live on the run, not the task. Multiple -- rows per task id when the task was retried after crash/timeout/block. -- v2 of the kanban schema will use ``step_key`` to drive per-stage -- workflow routing; in v1 the column is nullable and unused (kernel -- ignores it). CREATE TABLE IF NOT EXISTS task_runs ( id INTEGER PRIMARY KEY AUTOINCREMENT, task_id TEXT NOT NULL, profile TEXT, step_key TEXT, status TEXT NOT NULL, -- status: running | done | blocked | crashed | timed_out | failed | released claim_lock TEXT, claim_expires INTEGER, worker_pid INTEGER, max_runtime_seconds INTEGER, last_heartbeat_at INTEGER, started_at INTEGER NOT NULL, ended_at INTEGER, outcome TEXT, -- outcome: completed | blocked | crashed | timed_out | spawn_failed | -- gave_up | reclaimed | (null while still running) summary TEXT, metadata TEXT, error TEXT ); -- Files attached to a task (PDFs, images, source documents). The blob -- lives on disk under ``attachments_root(board)//``; -- this row carries metadata + the absolute ``stored_path`` so the -- dashboard can list/download and ``build_worker_context`` can surface -- the absolute path to the worker (which has full file-tool access). See -- #35338. CREATE TABLE IF NOT EXISTS task_attachments ( id INTEGER PRIMARY KEY AUTOINCREMENT, task_id TEXT NOT NULL, filename TEXT NOT NULL, stored_path TEXT NOT NULL, content_type TEXT, size INTEGER NOT NULL DEFAULT 0, uploaded_by TEXT, created_at INTEGER NOT NULL ); -- Subscription from a gateway source (platform + chat + thread) to a -- task. The gateway's kanban-notifier watcher tails task_events and -- pushes ``completed`` / ``blocked`` / ``spawn_auto_blocked`` events to -- the original requester so human-in-the-loop workflows close the loop. CREATE TABLE IF NOT EXISTS kanban_notify_subs ( task_id TEXT NOT NULL, platform TEXT NOT NULL, chat_id TEXT NOT NULL, thread_id TEXT NOT NULL DEFAULT '', user_id TEXT, notifier_profile TEXT, created_at INTEGER NOT NULL, last_event_id INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (task_id, platform, chat_id, thread_id) ); CREATE INDEX IF NOT EXISTS idx_tasks_assignee_status ON tasks(assignee, status); CREATE INDEX IF NOT EXISTS idx_tasks_status ON tasks(status); CREATE INDEX IF NOT EXISTS idx_links_child ON task_links(child_id); CREATE INDEX IF NOT EXISTS idx_links_parent ON task_links(parent_id); CREATE INDEX IF NOT EXISTS idx_comments_task ON task_comments(task_id, created_at); CREATE INDEX IF NOT EXISTS idx_events_task ON task_events(task_id, created_at); CREATE INDEX IF NOT EXISTS idx_runs_task ON task_runs(task_id, started_at); CREATE INDEX IF NOT EXISTS idx_runs_status ON task_runs(status); CREATE INDEX IF NOT EXISTS idx_attachments_task ON task_attachments(task_id, created_at); CREATE INDEX IF NOT EXISTS idx_notify_task ON kanban_notify_subs(task_id); zset[str]rsSQLite format 3ictjdd}|r+ t |}n#t $rd}YnwxYw|dkr|St S)a%Return the SQLite busy timeout for Kanban connections. Kanban is the shared cross-profile dispatch bus, so worker stampedes are expected. A long busy timeout lets SQLite serialize writers via WAL rather than surfacing transient ``database is locked`` failures during bursts. HERMES_KANBAN_BUSY_TIMEOUT_MSr*r)r,r-r.r/r&r0DEFAULT_BUSY_TIMEOUT_MSr;s r_resolve_busy_timeout_msrDsx *..8" = = C C E EC  XXFF   FFF  A::M ""r=r~sqlite3.Connectionct}tjt|d|dz }|d||S)z=Open a Kanban SQLite connection with consistent lock waiting.Ng@@)isolation_leveltimeoutzPRAGMA busy_timeout=)rDsqlite3connectrGexecute)r~busy_timeout_msconns r_sqlite_connectrNsY.00O ? D &(   D LL999::: Kr!c#K|jdd||jdz}|d} t rYddl}|dt|d}t|d}|| |d n1ddl }| | |j dV t rYddl}|dt|d}t|d }|| |d n1ddl }| | |j |dS#|wxYw# t rYddl}|dt|d}t|d }|| |d n1ddl }| | |j |w#|wxYwxYw) aSerialize first-connect WAL/schema/integrity setup across processes. ``_INIT_LOCK`` only protects threads inside one Python process. During a dispatcher burst, many worker processes can all hit a fresh/legacy board at once and each process has an empty ``_INITIALIZED_PATHS`` cache. This file lock keeps header validation, integrity probing, WAL activation, and additive migrations single-file/single-writer across the whole host while leaving normal post-init DB usage concurrent under SQLite WAL. Trwz .init.lockza+brNlockingLK_LOCKr(LK_UNLCK)r{r| with_nameropen _IS_WINDOWSmsvcrtseekgetattrfilenofcntlflockLOCK_EXLOCK_UNclose)r~ lock_pathhandlerVrP lock_moderZ unlock_modes r_cross_process_init_lockrcs: KdT222ty<788I ^^E " "F   8 MMM KKNNNfi00G 22I GFMMOOY 2 2 2 2 LLL KK  7 7 7   <  A!&)44%fj99  a8888  FMMOOU];;; LLNNNNNFLLNNNN  <  A!&)44%fj99  a8888  FMMOOU];;; LLNNNNFLLNNNNs3BF((BFF%(I)*BI;I)I&&I)databytesoffsetct||dzkrdS||}||dz}||dz}t||dz|dzd}|dvo|dko|dvod |cxkod kncS) z9Return True for a TLS record header at ``data[offset:]``.Fr(rbig>>rr(rririH)lenr& from_bytes)rdrfr9majorminorlengths r_looks_like_tls_record_atrus 4yy6A:utQ%G%GED "4 + +ED   <  < < <'+CRCy}}S'9'9 < <  sF 1 11BA9- B9A==BA=B BBc$eZdZdZd fd ZxZS) KanbanDbCorruptErroraRaised when an existing kanban DB file fails integrity checks. Fail-closed guard against silent recreation of a corrupt board file, which would otherwise destroy the user's tasks. Carries both the original path and the timestamped backup we made before refusing. rr backup_pathOptional[Path]reasonrGc ||_||_||_|t|nd}t d|d|d|ddS)Nzz&Refusing to open corrupt kanban DB at : z . Original preserved; backup at .)rrrrGsuper__init__)selfrrr backup_str __class__s rrzKanbanDbCorruptError.__init__ s & )4)@S%%%FW   ;W ; ; ; ;-7 ; ; ;     r!)rr rrrrGr r!r"r#r __classcell__rs@rrrsG          r!rrc* |}|j}|j}tj} |d5 t fddD]}|| dddn #1swxYwYn#t$rYdSwxYw| dd}||d|dz }|j|krdS| s( tj ||n#t$rYdSwxYwdD]}}|||zz } | j|ks| s*||j|zz } | j|ks| rW tj | | n#t$rYzwxYw|S) u{Copy a corrupt DB (and its WAL/SHM sidecars) to a content-addressed backup. The backup filename is deterministic in the main DB's sha256, so repeated quarantines of the same corrupt bytes (gateway restarts, dispatcher retries, multi-profile fleets all hitting the same shared DB) reuse one backup instead of amplifying disk usage by N. If the corrupt bytes actually change between attempts — e.g. a partial repair or further damage — the fingerprint changes and a separate backup is preserved. Returns the backup path of the main DB file, or ``None`` if the copy itself failed (the caller still raises loudly in that case). Writes are confined to the original DB's parent directory. The backup basename is derived purely from ``path.name`` and a content hash, never from caller-supplied directory segments — no traversal is possible. rwc.dS)Ni)r|)r`srrz$_backup_corrupt_db..1sfkk+&>&>r!r!Nz .corrupt.z.bak)z-walz-shm) rr{rhashlibsha256rTiterrrm hexdigestrkrcopy2) r~resolvedr{ base_namedigestchunkrK candidatersidecarsidecar_backupr`s @r_backup_corrupt_dbrs@(||~~H _F I ^  F ]]4  %F>>>>DD % % e$$$$ % % % % % % % % % % % % % % % % tt     ss #EI;;;;;;I6!!t       L9 - - - -   44 "  I./ >V # #7>>+;+; # 9>F#:;  F * *n.C.C.E.E *   L. 1 1 1 1    D  sYB ,B: BB  B B B B B ,D DD-F FFc |}n#t$rYdSwxYw |r|jdkrdSn#t$rYdSwxYwt |t vrdSd} t|} |d }| n#| wxYw|r |dpd dkrd|r|dnd}n0#tj $rtj$r}d|}Yd}~nd}~wwxYw|dSt|}t!|||) uRun ``PRAGMA integrity_check`` on an existing non-empty DB file. Opens the probe in read/write mode so SQLite can recover or checkpoint a healthy WAL/hot-journal DB before we declare it corrupt. If the file is malformed, copy it (and any WAL/SHM sidecars) to a timestamped backup and raise :class:`KanbanDbCorruptError` so callers cannot silently recreate the schema on top of a damaged DB. Transient lock/busy errors (``sqlite3.OperationalError``) are NOT treated as corruption; they propagate raw so the caller sees a normal lock failure and no spurious ``.corrupt`` backup is made. No-op for missing files, zero-byte files (treated as fresh), and paths already proven healthy this process (cache hit). Path-trust note: ``path`` arrives via :func:`connect`, which itself resolves it from an explicit ``db_path`` argument, the :func:`kanban_db_path` env-var chain, or the kanban-home default — all sources Hermes treats as user-controlled-but-trusted on the user's own machine. We additionally resolve the path here and confine all filesystem writes to its parent directory so any accidental ``..`` segments are collapsed before any I/O happens. NrzPRAGMA integrity_checkr*okzintegrity_check returned zzsqlite refused to open file: )rrmrkrzr{rGrrNrKfetchoner^rOrIOperationalErrorrrr)r~rrproberexcbackups r_guard_existing_db_is_healthyrMs6<<>>    HMMOO$;q$@$@ F%A  8}}*** F 7)) -- 899BBDDC KKMMMMEKKMMMM Ss1v|**,,44R31NQJRRF  #  7776667 ~  ) )F x 8 88sM %%1A A+*A+ D 'CD C++4D E >EE rrc||}nt|}|jddt|5t |t |t |}t|} tj |_ t5ddl m}||d|jd |d |d |d |d |d|t"v}|rC|t&t)|t"|dddn #1swxYwYn##t,$r|wxYwdddn #1swxYwY|S)uOpen (and initialize if needed) the kanban DB. WAL mode is enabled on every connection; it's a no-op after the first time but keeps the code robust if the DB file is ever re-created. The first connection to a given path auto-runs :func:`init_db` so fresh installs and test harnesses that construct `connect()` directly don't have to remember a separate init step. Subsequent connections skip the schema check via a module-level path cache. Path resolution: * ``db_path`` explicit → used as-is (legacy callers, tests). * ``board`` explicit → resolves to that board's DB. * Neither → :func:`kanban_db_path` resolves via ``HERMES_KANBAN_DB`` env → ``HERMES_KANBAN_BOARD`` env → ``/kanban/current`` → ``default``. NrTrwr)apply_wal_with_fallbackz kanban.db ())db_labelzPRAGMA synchronous=FULLzPRAGMA wal_autocheckpoint=100zPRAGMA foreign_keys=ONzPRAGMA secure_delete=ONzPRAGMA cell_size_check=ON)rr{r|rcrrrGrrNrIRow row_factory _INIT_LOCK hermes_staterrrKr executescript SCHEMA_SQL_migrate_add_optional_columnsrrr^)rrr~rrMr needs_inits rrJrJsk.E***KdT222 !$ ' '-- %%% &d+++t||~~&&t$$# &{D  5 5A@@@@@''7QTY7Q7Q7QRRRR 6777 <=== 5666 6777 8999%-?? 5 &&z2221$777&**8444= 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5>    JJLLL  W---------------\ KsPAGF)CF = F F FF FG F55GG Gc#Kt||} |V |dS#t$rYdSwxYw# |w#t$rYwwxYwxYw)uOpen a kanban DB connection and guarantee it is closed on exit. Use this instead of ``with kb.connect() as conn:`` — sqlite3's built-in connection context manager only commits/rollbacks the transaction; it does NOT close the file descriptor. In long-lived processes (gateway, dashboard) that route every kanban operation through ``connect()`` (e.g. ``run_slash`` dispatching ``/kanban …`` commands, ``decompose_task_endpoint`` calling ``kanban_decompose.decompose_task``), the unclosed connections accumulate as open FDs to ``kanban.db`` and ``kanban.db-wal``. After enough operations the process hits the kernel FD limit and dies with ``[Errno 24] Too many open files``. See #33159 for the production incident. The ``connect()`` function itself remains unchanged so callers that intentionally manage the connection lifetime (tests, long-lived callers) continue to work. )rrN)rJr^r)rrrMs rconnect_closingrs2 7% 0 0 0D   JJLLLLL    DD   JJLLLL    D s;A0 >>A(AA( A%"A($A%%A(c||}nt|}|jddt|}t 5t |dddn #1swxYwYtj t|5 dddn #1swxYwY|S)uCreate the schema if it doesn't exist; return the path used. Kept as a public entry point so CLI ``hermes kanban init`` and the daemon have something explicit to call. Unlike :func:`connect`'s first-time auto-init (which caches by path), ``init_db`` always re-runs the migration pass. Callers that know the on-disk schema may have drifted — tests that write legacy event kinds directly, external tools that upgrade an old DB file — can call this to force re-migration. NrTrw) rr{r|rGrrrr contextlibclosingrJ)rrr~rs rrrs6E***KdT2224<<>>""H --""8,,,---------------  GDMM * *                  Ks$BBB-B;;B?B?rMtablecolumnddlc |d|d|dS#tj$r/}dt|vrYd}~dSd}~wwxYw)a8Run ``ALTER TABLE ADD COLUMN ``, idempotent across races. Returns ``True`` when the column was actually added by this call. Swallows ``duplicate column name`` errors so a concurrent connection that ran the same migration first does not crash the dispatcher tick (issue #21708). ALTER TABLE z ADD COLUMN Tzduplicate column nameNF)rKrIrrGrO)rMrrrrs r_add_column_if_missingrs| }|D]}|d?pt t j} |d@|dA|dB|dC|dD|d|d|d| f} |dE| j|dAf} | jdFkr;|dGt t j| jf d7d7d7n #1swxYwYdH} | D]\} }|dI|| ft|d7S)JzAdd columns that were introduced after v1 release to legacy DBs. Called by ``init_db`` so opening an old DB is always safe. ch|] }|d Srr`rrs r z0_migrate_add_optional_columns..- L L LCCK L L Lr!zPRAGMA table_info(tasks)rtasksz tenant TEXTrz result TEXTrzbranch_name TEXTrzidempotency_key TEXTch|] }|d Srr`rs rrz0_migrate_add_optional_columns..Arr!rz/consecutive_failures INTEGER NOT NULL DEFAULT 0rzCUPDATE tasks SET consecutive_failures = COALESCE(spawn_failures, 0)rzworker_pid INTEGERrzlast_failure_error TEXTrz6UPDATE tasks SET last_failure_error = last_spawn_errorrzmax_runtime_seconds INTEGERrzlast_heartbeat_at INTEGERr zcurrent_run_id INTEGERr zworkflow_template_id TEXTr zcurrent_step_key TEXTr z skills TEXTrzmax_retries INTEGERr z0ALTER TABLE tasks ADD COLUMN model_override TEXTrz$goal_mode INTEGER NOT NULL DEFAULT 0rzgoal_max_turns INTEGERrzsession_id TEXTz.sUUUss6{UUUr!zPRAGMA table_info(task_events)r@ task_eventszrun_id INTEGERzDCREATE INDEX IF NOT EXISTS idx_events_run ON task_events(run_id, id)zOSELECT name FROM sqlite_master WHERE type='table' AND name='kanban_notify_subs'Nch|] }|d Srr`rs rrz0_migrate_add_optional_columns..s)   CK   r!z%PRAGMA table_info(kanban_notify_subs)notifier_profilekanban_notify_subsznotifier_profile TEXTzFSELECT name FROM sqlite_master WHERE type='table' AND name='task_runs'zSELECT id, assignee, claim_lock, claim_expires, worker_pid, max_runtime_seconds, last_heartbeat_at, started_at FROM tasks WHERE status = 'running' AND current_run_id IS NULLraV INSERT INTO task_runs ( task_id, profile, status, claim_lock, claim_expires, worker_pid, max_runtime_seconds, last_heartbeat_at, started_at ) VALUES (?, ?, 'running', ?, ?, ?, ?, ?, ?) rrrrzKUPDATE tasks SET current_run_id = ? WHERE id = ? AND current_run_id IS NULLr(z_UPDATE task_runs SET status = 'reclaimed', outcome = 'reclaimed', ended_at = ? WHERE id = ?))rpromoted)r reprioritized)spawn_auto_blockedgave_upz.UPDATE task_events SET kind = ? WHERE kind = ?) rKrr write_txnfetchallr&r lastrowidrowcount_rebuild_drifted_tables)rMcolsaddedev_colsnotify_table_exists notify_cols runs_existinflightrstartedcurupd_EVENT_RENAMESoldnews rrr(s M L4<<0J#K#K L L LDttWh FFFttWh FFFD  tWm=OPPP$$ ',.D    M L4<<0J#K#K L L LDT))&   " =     %-- LLU   4tWlNOOO  LL % ,,Yhjj  #'<<0W#X#X    [ 0 0 "*,>@W   PhjjJ* t__) ) ||F hjj   " " l+?s49;;/?/?llD 3z?C 4EO,c,.?12C8K4L *ll>]CI. <1$$LL'TY[[))3=9 ;" ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ^N #  S < #J    D!!!!!s(DP;;P?P?)zCREATE TABLE task_events ( id INTEGER PRIMARY KEY AUTOINCREMENT, task_id TEXT NOT NULL, run_id INTEGER, kind TEXT NOT NULL, payload TEXT, created_at INTEGER NOT NULL))z@CREATE INDEX idx_events_task ON task_events(task_id, created_at)z6CREATE INDEX idx_events_run ON task_events(run_id, id))zCREATE TABLE task_comments ( id INTEGER PRIMARY KEY AUTOINCREMENT, task_id TEXT NOT NULL, author TEXT NOT NULL, body TEXT NOT NULL, created_at INTEGER NOT NULL))zDCREATE INDEX idx_comments_task ON task_comments(task_id, created_at))abCREATE TABLE task_runs ( id INTEGER PRIMARY KEY AUTOINCREMENT, task_id TEXT NOT NULL, profile TEXT, step_key TEXT, status TEXT NOT NULL, claim_lock TEXT, claim_expires INTEGER, worker_pid INTEGER, max_runtime_seconds INTEGER, last_heartbeat_at INTEGER, started_at INTEGER NOT NULL, ended_at INTEGER, outcome TEXT, summary TEXT, metadata TEXT, error TEXT))ztd|Dd}|duo|dpdd kStd |Dd}|dS|dpdd ko|d  S) zGTrue when ``table`` still carries the legacy (pre-AUTOINCREMENT) shape.PRAGMA table_info(rFrc32K|]}|ddk|VdS)r last_event_idNr`rcs rr z%_table_has_drifted..Qs0DD!qyO'C'CA'C'C'C'CDDr!Ntyper*INTEGERc32K|]}|ddk|VdS)rrNr`rs rr z%_table_has_drifted..Ts088ai4&7&71&7&7&7&788r!pk)rKrnextupper)rMrinfoleiid_cols r_table_has_driftedrKs <<5U555 6 6 ? ? A AD u $$$DDtDDDdKK$KCK$52#<#<#>#>)#KK 88d888$ ? ?F ~u%2,,..);Lt MMr!c  fdtD}|sdSd |D]i}t|\}}dd|dD}td|d|d |d |d d|dD |d krF fd |D}d|}d|d|d|d|d nE fd|D}d|}d|d|d|d|d d|d |D]}|kddS#t $r. dn#t j$rYnwxYwwxYw)u Rebuild any kanban table whose column types drifted from SCHEMA_SQL. Old boards crash the gateway notifier (``int(None)`` on a NULL id in ``unseen_events_for_sub``) and never match the ``id > cursor`` filter, so every kanban notification is silently lost (#35096). Each affected table is rebuilt with the standard SQLite pattern — CREATE new → INSERT shared columns → DROP old → RENAME — recreating its indexes too (DROP TABLE takes them down). The legacy TEXT ids are dropped (they aren't valid integers); AUTOINCREMENT assigns fresh ones and ``last_event_id`` cursors reset to 0, so the first post-migration tick replays a task's event history once — the safe failure mode for a feature that was already fully broken. The whole pass runs in one transaction so an interruption can't leave a table half-renamed, and under ``connect()``'s init locks so nothing races it. Idempotent: a correctly-typed DB skips every table and returns without opening a transaction. c4g|]}t||Sr`)r)rtrMs rrz+_rebuild_drifted_tables..ls)HHHQ,>tQ,G,GHqHHHr!NBEGIN IMMEDIATEcg|] }|d Srr`rs rrz+_rebuild_drifted_tables..tWWWa& WWWr!rrz7kanban migration: rebuilding %s to match current schemarz RENAME TO _legacych|] }|d Srr`rs rrz*_rebuild_drifted_tables..xrr!rc(g|]}|v|dk |S)rr`rrnew_colss rrz+_rebuild_drifted_tables..{s+XXXh1CWCW!CWCWCWr!, z INSERT INTO  (z, last_event_id) SELECT z3, COALESCE(CAST(last_event_id AS INTEGER), 0) FROM c(g|]}|v|dk |Srr`rs rrz+_rebuild_drifted_tables..s&MMMh199!999r!z ) SELECT z FROM z DROP TABLE COMMITROLLBACK)_REBUILD_SPECSrK_logrrrrIr) rMdriftedr create_sql index_sqlsold_colssharedcols_csv index_sqlrs ` @rrrZs$IHHH.HHHG LL"###" ( (E%3E%: "J WW4<<8UU8U8U8U+V+VWWWH IIOQV W W W LLHHH%HHH I I I LL $ $ $WW4<<8UU8U8U8U+V+VWWWH,,,XXXXXXXX99V,, +5++H++&++!+++NMMMXMMM99V,, =5==H==&==.3=== LL5u555 6 6 6' ( (  Y'''' ( X   LL $ $ $ $'    D  s0FF44 G,?GG,G'$G,&G''G,c |d}|dS|d}|sdS|}|dd}tj|}t |d5}|d|d}dddn #1swxYwYt|dkrdSt |d }|dkrdS||z} | |kr*tj d |d |d | d || z d|d|d dS#tj $rt$rYdSwxYw)zRead the SQLite header page_count and compare against actual file size. Raises sqlite3.DatabaseError if the file is shorter than the header claims (torn-extend corruption). zPRAGMA database_listNrzPRAGMA page_sizerrwrorjz-torn-extend detected: page count mismatch on z: header claims z pages, file has z pages (missing z pages, file_size=z , page_size=r)rKrr,r~getsizerTrWr|rpr&rqrIrr) rMrpath_strr~ page_size file_sizerr header_bytesheader_page_count actual_pagess r_check_file_length_invariantrs  ll122;;== ; Fq6  FLL!344==??B GOOD)) $   % FF2JJJ66!99L % % % % % % % % % % % % % % % |  q FNN<??  ! ! F I- + + +'AAA!2AA(AA. <AA' AA5> AAA  , +        sL)E EAE+C ECECE.!E5EE%$E%c#K|d |V|dt|dS#t$r. |dn#tj$rYnwxYwwxYw)aContext manager for an IMMEDIATE write transaction. Use for any multi-statement write (creating a task + link, claiming a task + recording an event, etc.). A claim CAS inside this context is atomic -- at most one concurrent writer can succeed. The explicit ROLLBACK on exception is wrapped in try/except so that a SQLite auto-rollback (which leaves no active transaction) does not shadow the original exception with a spurious rollback error. rrrN)rKrrrIr)rMs rrrs LL"###+  X %T*****   LL $ $ $ $'    D   s/A A;A$#A;$A63A;5A66A;c0dtjdzS)aGenerate a short, URL-safe task id. 4 hex bytes = ~4.3B possibilities. At 10k tasks the collision probability is ~1.2e-5; at 100k it's ~1.2e-3. Previously we used 2 hex bytes (65k possibilities) which hit the birthday paradox hard: ~5% collision probability at 1k tasks, ~50% at 10k. Callers that care about idempotency should pass ``idempotency_key`` to :func:`create_task` rather than rely on id uniqueness. t_ro)secrets token_hexr`r!r _new_task_idr!s '#A&& &&r!cddl} |pd}n#t$rd}YnwxYw|dtjS)z:Return a ``host:pid`` string that identifies this claimer.rNunknown:)socket gethostnamerr,getpid)r%hosts r _claimer_idr)sfMMM!!##0y  " "RY[[ " ""s  ,,rc,|dSddlm}||S)zHLowercase-assignee normalization for Kanban rows (dashboard/CLI parity).Nrnormalize_profile_name)hermes_cli.profilesr,)rr,s r_canonical_assigneer.s0t:::::: ! !( + ++r!rr`F)rrrrrrrrrxrrrr rrrinitial_statusrrrrrrrrrrrx Iterable[str]rrrr Optional[Iterable[str]]rrrr/rc> t|}|r|std|tvr$tdt t|t vr'tdt t d||#t |pd}|r|dkrtdtd| D} d}|g}t}g}|D]}|st |}|s)d |vrtd |d | tvr| |q||vrv| || ||rKd d |D}t|dkrdnd}t|d|d|}| r3|d| f}|r|dSt#t%j}|K|dvrG|r|n t'}t)|} | d}!|!rt |!}t-dD]m}"t/}# t1|5|dkr.Ds',,!!,A,,,,,,r!,z!skill name cannot contain comma: zA (pass a list of separate names instead of a comma-joined string)rc34K|]}t|VdSr)repr)rns rr zcreate_task..hs(>>1tAww>>>>>>r!r(zis a toolset namezare toolset namesrz, not skill name(s). Put toolsets in the assignee profile's `toolsets:` config instead of per-task skills. Skills are named skill bundles (e.g. `kanban-worker`, `blogwatcher`); toolsets are runtime capabilities (e.g. `web`, `browser`, `terminal`).zhSELECT id FROM tasks WHERE idempotency_key = ? AND status != 'archived' ORDER BY created_at DESC LIMIT 1r>rrrrrzunknown parent task(s): rrz&SELECT status FROM tasks WHERE id IN (?rc3.K|]}|ddkVdS)rrNr`rrs rr zcreate_task..s+CCq{f4CCCCCCr!ra INSERT INTO tasks ( id, title, body, assignee, status, priority, created_by, created_at, workspace_kind, workspace_path, branch_name, tenant, idempotency_key, max_runtime_seconds, skills, max_retries, goal_mode, goal_max_turns, session_id ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) rDINSERT OR IGNORE INTO task_links (parent_id, child_id) VALUES (?, ?)created)rrrxrrr r unreachable)$r.r/r0VALID_INITIAL_STATUSESrVALID_WORKSPACE_KINDSrGtuplerIrKNOWN_TOOLSET_NAMESrrrrprKrr&rrtrr.ranger!r_find_missing_parentsranyrr _append_eventrrrIIntegrityError RuntimeError)(rMrrrrrrrrrrxrrrr rrrr/rr skills_listcleanedr toolset_typosrRrquotednounrnow board_slug board_meta board_defaultattemptr task_statusmissingrowspids( r create_taskrXs`#8,,H . .,---333 MV4J-K-K M M   222 &V4I-J-J & &! & &   +&&,,..6$ N~33LMMM,,w,,,,,G(,K  $&  ! !A q66<<>>D d{{ XXXX}}"555$$T***t|| HHTNNN NN4  YY>> >>>>>F*-m*<*<*A*A&&GZDDDDDDD  ll /    (**  t9  dikk  C.4G"G"G#?ADE#  #(**  CCdCCCCC1*0KZgZ3D'BBGZ()XDIIgDVDV)X)XYYY    # "&&#'4G4S/000Y]3>3J ;///PT,7,CK(((&-A/=/IN+++t"'>#CLL^g$,"-#'=="('27B"L${"3"3"3%))__%<   KR R R R R R R R R R R R R R R fNNN%   !|| H   } % %%s73S3HS$ S3$S( (S3+S( ,S33T  T  list[str]ct|}|sgSddt|z}|d|d|}d|Dfd|DS)Nr5r9"SELECT id FROM tasks WHERE id IN (rch|] }|d Srr`r;s rrz(_find_missing_parents..s%%%1qw%%%r!cg|]}|v| Sr`r`)rrpresents rrz)_find_missing_parents..s# 3 3 3!!7"2"2A"2"2"2r!)rrrprKr)rMrx placeholdersrVr^s @rrErEs7mmG  88C#g,,.//L <<<\<<<  hjj &%%%%G 3 3 3 3w 3 3 33r!Optional[Task]c|d|f}|rt|ndS)Nz SELECT * FROM tasks WHERE id = ?)rKrrrrMrrs rget_taskrc s@ ,,9G: F F O O Q QC!$ .4==   $.r!zcreated_at ASC, id ASCzcreated_at DESC, id DESCzpriority DESC, created_at ASCzpriority ASC, created_at ASCzstatus ASC, created_at ASCzassignee ASC, created_at ASCztitle ASC, id ASCz+started_at DESC NULLS LAST, created_at DESC)r>z created-descrz priority-descrrrupdateddict[str, str]VALID_SORT_ORDERS) rrrrrlimitorder_byr r rrgrhr r  list[Task]c ~d} g} |'| dz } | t||G|tvr$tdt t| dz } | ||| dz } | ||| dz } | ||| dz } | || | dz } | | |s |d kr| d z } |y|}|tvr6td t t| d t|z } n| d z } |r| dt|z } | | |  } d| DS)NzSELECT * FROM tasks WHERE 1=1z AND assignee = ?zstatus must be one of z AND status = ?z AND tenant = ?z AND session_id = ?z AND workflow_template_id = ?z AND current_step_key = ?rz AND status != 'archived'zorder_by must be one of z ORDER BY z' ORDER BY priority DESC, created_at ASCz LIMIT cBg|]}t|Sr`)rrr;s rrzlist_tasks..E s$ + + +DMM!   + + +r!) rr.VALID_STATUSESr0rr/rOrfrr&rKr) rMrrrrrrgrhr r queryparamsrVs r list_tasksro s  ,EF $$ )(33444   ' 'Nf^6L6LNNOO O "" f  "" f && j!!!' 00 *+++# ,, &''' -* 4 4 ,,>>##))++ , , ,M62C2H2H2J2J+K+KMM  ;/9;;; :: ( '3u::''' <<v & & / / 1 1D + +d + + ++r!r(ct|}t|5|d|f}|s ddddS|d|ddkrt d|d|d |kr|d ||fn|d ||ft ||d d |i dddd S#1swxYwYdS)zAssign or reassign a task. Returns True on success. Refuses to reassign a task that's currently running (claim_lock set). Reassign after the current run completes if needed. z;SELECT status, claim_lock, assignee FROM tasks WHERE id = ?NFrrrzcannot reassign zS: currently running (claimed). Wait for completion or reclaim the stale lock first.rz_UPDATE tasks SET assignee = ?, consecutive_failures = 0, last_failure_error = NULL WHERE id = ?z*UPDATE tasks SET assignee = ? WHERE id = ?assignedT)r.rrKrrIrG)rMrr(rs r assign_taskrrH s "'**G 4ll IG:  (**    |  (S]i-G-GG7GGG  z?g % % LL9'"     LLEQXGY Z Z ZdGZ*g1FGGG/s-CA9CC#&C# parent_idchild_idc 2||krtdt|5t|||g}|r%tdd|t |||rtd|d|d|d||f|d|fd }|d kr|d |ft||d ||d ddddS#1swxYwYdS)Nza task cannot depend on itselfzunknown task(s): rzlinking z -> z would create a cycler=%SELECT status FROM tasks WHERE id = ?rrBUPDATE tasks SET status = 'todo' WHERE id = ? AND status = 'ready'linkedr{r)r0rrEr _would_cyclerKrrG)rMrsrtrU parent_statuss r link_tasksr|m sH9::: 4  'y(.CDD  GE71C1CEEFF F i 2 2 I9II(III  R  !    3i\  (**X  F " " LLT      (H 8 4 4   +                  sCD  DDc,t}|g}|r|}||krdS||vr#|||d|f}|d|D|dS)zReturn True if adding parent->child creates a cycle. A cycle exists iff ``parent_id`` is already a descendant of ``child_id`` via existing parent->child links. We walk downward from ``child_id`` and check whether we reach ``parent_id``. Tz3SELECT child_id FROM task_links WHERE parent_id = ?c3&K|] }|dV dS)rtNr`r;s rr z_would_cycle.. s&11qQz]111111r!F)rIrrrKrextend)rMrsrtrstacknoderVs rrzrz s 55D JE  2yy{{ 9  4 4<<  || AD7  (**   11D111111  2 5r!c t|5|d||f}|jrt||d||d|jdk}dddn #1swxYwY|rt ||S)Nz;DELETE FROM task_links WHERE parent_id = ? AND child_id = ?unlinkedryr)rrKrrGrecompute_ready)rMrsrtrremoveds r unlink_tasksr s 4 # #ll I  !   <  h $x88   ," # # # # # # # # # # # # # # #  NsAAA #A cl|d|f}d|DS)NFSELECT parent_id FROM task_links WHERE child_id = ? ORDER BY parent_idcg|] }|d Srsr`r;s rrzparent_ids.. s ) ) )qAkN ) ) )r!rKrrMrrVs r parent_idsr sA <<P    hjj  * )D ) ) ))r!cl|d|f}d|DS)NzESELECT child_id FROM task_links WHERE parent_id = ? ORDER BY child_idcg|] }|d S)rtr`r;s rrzchild_ids.. s ( ( (aAjM ( ( (r!rrs r child_idsr sA <<O    hjj  ) (4 ( ( ((r!list[tuple[str, Optional[str]]]cl|d|f}d|DS)zDReturn ``(parent_id, result)`` for every done parent of ``task_id``.z SELECT t.id AS id, t.result AS result FROM tasks t JOIN task_links l ON l.parent_id = t.id WHERE l.child_id = ? AND t.status = 'done' ORDER BY t.completed_at ASC c.g|]}|d|dfS)rrr`r;s rrz"parent_results.. s% 1 1 1qQtWak " 1 1 1r!rrs rparent_resultsr sE <<     hjj  2 1D 1 1 11r!r4c |r|std|r|stdttj}t |5|d|fstd||d||||f}t||d|t|dt|j pdcdddS#1swxYwYdS) Nzcomment body is requiredzcomment author is required SELECT 1 FROM tasks WHERE id = ? unknown task QINSERT INTO task_comments (task_id, author, body, created_at) VALUES (?, ?, ?, ?) commented)r4rpr) r/r0r&rrrKrrGrpr)rMrr4rrOrs r add_commentr s} 5tzz||53444 775666 dikk  C 4 ' '|| .   (** 86W6677 7ll " fllnndjjllC 8   dG[VCPTII2V2VWWW3=%A&& ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' 's:B1D88D<?D< list[Comment]cl|d|f}d|DS)NzESELECT * FROM task_comments WHERE task_id = ? ORDER BY created_at ASCc rg|]4}t|d|d|d|d|d5S)rrr4rr)rrr4rr)r3r;s rrz!list_comments.. s\     wiLX;6       r!rrs r list_commentsr sN <<O    hjj       r!)r9r:r;r7r8r9r:r;c |r|std|r|stdttj}t |5|d|fstd||d||||t|||f}t||d|t||dt|jpdcd d d S#1swxYwYd S) a Record a file attachment for a task. Returns the new attachment id. The caller is responsible for writing the blob to ``stored_path`` first (under :func:`task_attachments_dir`); this only persists the metadata row and appends an ``attached`` event. zattachment filename is requiredz"attachment stored_path is requiredrrzINSERT INTO task_attachments (task_id, filename, stored_path, content_type, size, uploaded_by, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)attached)r7r:byrN) r/r0r&rrrKrrGr) rMrr7r8r9r:r;rOrs radd_attachmentr s <8>>++<:;;; ?k//11?=>>> dikk  C 4''|| .   (** 86W6677 7ll +  D         !))3t99K P P    3=%A&&3''''''''''''''''''s:CE  E E list[Attachment]cl|d|f}d|DS)NzPSELECT * FROM task_attachments WHERE task_id = ? ORDER BY created_at ASC, id ASCc g|]K}t|d|d|d|d|d|dpd|d|d LS) rrr7r8r9r:rr;rrrr7r8r9r:r;r)r6r;s rrz$list_attachments..; sx     wiLz]-(>*6a-(    r!rrs rlist_attachmentsr6 sN <<Z    hjj       r! attachment_idOptional[Attachment]c |d|f}|dSt|d|d|d|d|d|dpd|d |d  S) Nz+SELECT * FROM task_attachments WHERE id = ?rrr7r8r9r:rr;rr)rKrr6)rMrr<s rget_attachmentrJ s 5 7G  hjj yt  T7) :m$~& vY^!m$\?    r!ct|5t||}| ddddS|d|ft||jdd|jidddn #1swxYwY t |j}|r| n#t$rYnwxYw|S)a Delete an attachment row and its on-disk blob. Returns the removed row. Returns ``None`` when no row matched. The blob is removed best-effort (a missing file is not an error); the metadata row is the source of truth for whether an attachment "exists". Nz)DELETE FROM task_attachments WHERE id = ?attachment_removedr7) rrrKrGrr7r r8is_filerrm)rMrattrs rdelete_attachmentr\ s: 4  T=11 ;         @=BRSSS #+3j#,5O                    ! ! 99;;  HHJJJ      Js(A25A22A69A6>rr@rrr>r?rr@) rKrrrrrr=rr&)rMrrVoutr<r?s r list_eventsrt s <<U    hjj  C    23I,Hdj9...DGG   GGG  T7) vY\?,4,@,@Qx[E\AhK(((bf      Js$A A%$A%r@r>r?r-r@cttj}|rtj|dnd}|d|||||fdS)a2Record an event row. Called from within an already-open txn. ``run_id`` is optional: pass the current run id so UIs can group events by attempt. For events that aren't scoped to a single run (task created/edited/archived, dependency promotion) leave it None and the row carries NULL. FrNz[INSERT INTO task_events (task_id, run_id, kind, payload, created_at) VALUES (?, ?, ?, ?, ?))r&rrrrK)rMrr>r?r@rOpls rrGrG sh dikk  C4; EG% 0 0 0 0BLL ! &$C(r!)r,r/r.rr+r,r/r.c vttj}|d|f}|r|dsdSt|d} |d|p|||||rt j|dnd|| f|d|f| S)aClose the currently-active run for ``task_id`` and clear the pointer. ``outcome`` is the semantic result (completed / blocked / crashed / timed_out / spawn_failed / gave_up / reclaimed). ``status`` is the run-row status (usually just ``outcome``, but callers can pass it explicitly). Returns the closed run_id or ``None`` if no active run existed (e.g. a CLI user calling ``hermes kanban complete`` on a task that was never claimed). -SELECT current_run_id FROM tasks WHERE id = ?r Na UPDATE task_runs SET status = ?, outcome = ?, summary = ?, error = ?, metadata = ?, ended_at = ?, claim_lock = NULL, claim_expires = NULL, worker_pid = NULL WHERE id = ? AND ended_at IS NULL Frz3UPDATE tasks SET current_run_id = NULL WHERE id = ?)r&rrKrrr) rMrr+r,r/r.rrOrr@s r_end_runr s& dikk  C ,,7'  hjj c*+t %& ' 'FLL   g   8@ JDJxe 4 4 4 4d   2 LL=z Mr!c|d|f}|r|drt|dndS)Nrr )rKrr&rbs r_current_run_idr sS ,,7'  hjj*- P5E1F P3s#$ % % %DPr!)r,r/r.c`ttj}|d|f}|r|dnd}|r|dnd} |d||| |||||rt j|dnd||f } t| jpdS) aInsert a zero-duration, already-closed run row. Used when a terminal transition happens on a task that was never claimed (CLI user calling ``hermes kanban complete --summary X``, or dashboard "mark done" on a ready task). Without this, the handoff fields (summary / metadata / error) would be silently dropped: ``_end_run`` is a no-op because there's no current run. The synthetic run has ``started_at == ended_at == now`` so it shows up in attempt history as "instant" and doesn't skew elapsed stats. Caller is responsible for leaving ``current_run_id`` NULL (or for clearing it elsewhere in the same txn) since this function does NOT touch the tasks row. z9SELECT assignee, current_step_key FROM tasks WHERE id = ?rNr z INSERT INTO task_runs ( task_id, profile, step_key, status, outcome, summary, error, metadata, started_at, ended_at ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) Frr)r&rrKrrrr) rMrr+r,r/r.rOtrowr(r)rs r_synthesize_ended_runr s0 dikk  C <<C    hjj #'0d:DG+/9t&''TH ,,  Wh W U8@ JDJxe 4 4 4 4d     C" s}! " ""r!c|d|f}t|o |ddkS)uReturn True when ``task_id`` is sticky-blocked by an explicit worker/operator ``kanban_block`` call (#28712). A ``blocked`` status can come from two very different sources: * **Worker- or operator-initiated** — a worker called ``kanban_block(reason="review-required: ...")`` (or somebody ran ``hermes kanban block ``). This is a deliberate handoff that should stay blocked until an operator unblocks it. The block tool emits a ``"blocked"`` event row in ``task_events``. * **Circuit-breaker** — ``_record_task_failure`` tripped after repeated crashes / spawn failures / timeouts. This emits ``"gave_up"``, *not* ``"blocked"``, and is meant to recover automatically once the underlying conditions change (e.g. parents finish, transient infra error clears). The cheapest signal that distinguishes the two is the most recent ``"blocked"`` / ``"unblocked"`` event for the task. If the most recent one is ``"blocked"`` (or there is a ``"blocked"`` event and no ``"unblocked"`` event has fired since), the task is sticky and ``recompute_ready`` must *not* auto-promote it. Returns ``False`` when there is no such event at all (e.g. the task was set to ``status='blocked'`` by the circuit breaker or by direct DB manipulation) — preserves the pre-#28712 auto-recover semantics for that path. zlSELECT kind FROM task_events WHERE task_id = ? AND kind IN ('blocked', 'unblocked') ORDER BY id DESC LIMIT 1r>r)rKrrrbs r_has_sticky_blockr sM: ,, #     hjj  99 1V 11r! failure_limitc|t}d}t|5|d}|D]}|d}|d}|dkrt ||r)|d|f}t d|Dr|dkr^t |d pd}|d } | t | nt |} || kr|d |fn|d |ft||d d|dz } dddn #1swxYwY|S)u Promote ``todo`` tasks to ``ready`` when all parents are ``done`` or ``archived``. Returns the number of tasks promoted. Safe to call inside or outside an existing transaction; it opens its own IMMEDIATE txn. ``blocked`` tasks are also considered for promotion (so a task blocked purely by a parent dependency unblocks itself when the parent completes), *except* in two cases: 1. The most recent block event was a worker-initiated ``kanban_block`` — those stay blocked until an explicit ``kanban_unblock`` (#28712). 2. The task's ``consecutive_failures`` has reached the effective failure limit. This prevents infinite retry loops when a task repeatedly exhausts its iteration budget: without this guard the counter would reset on every recovery cycle and the circuit breaker could never trip (#35072). The effective failure limit resolves in the same order as the circuit breaker in ``_record_task_failure`` so the two never disagree about when a task is permanently blocked: 1. per-task ``max_retries`` if set 2. caller-supplied ``failure_limit`` (the dispatcher passes the ``kanban.failure_limit`` config value through ``dispatch_once``) 3. ``DEFAULT_FAILURE_LIMIT`` NrzcSELECT id, status, consecutive_failures, max_retries FROM tasks WHERE status IN ('todo', 'blocked')rrrzYSELECT t.status FROM tasks t JOIN task_links l ON l.parent_id = t.id WHERE l.child_id = ?c3*K|]}|ddvVdS)rrrNr`r4s rr z"recompute_ready..w s,HH11X;"66HHHHHHr!rrzEUPDATE tasks SET status = 'ready' WHERE id = ? AND status = 'blocked'zBUPDATE tasks SET status = 'ready' WHERE id = ? AND status = 'todo'rr()DEFAULT_FAILURE_LIMITrrKrrallr&rG) rMrr todo_rowsrr cur_statusrxfailures task_limiteffective_limits rrrA s>- H 411LL =   (** , , C$iGXJY&&+#C!DDH!$]!3J+5+AJ //$ ?22 LL>  LL\ dGZ>>>A Y,  111111111111111d OsD(EEE)r#claimerrc ttj}|p t}|t|z}t |5|d|f}|r9|d|ft||dddi ddddS|d|f}|r3|dr+|d |t|df|d ||||f} | jd kr ddddS|d |f} |d || r| dnd| r| dnd||| r| dnd|f} | j } |d| |ft||d||| d| t||cdddS#1swxYwYdS)zAtomically transition ``ready -> running``. Returns the claimed ``Task`` on success, ``None`` if the task was already claimed (or is not in ``ready`` status). zSELECT 1 FROM task_links l JOIN tasks p ON p.id = l.parent_id WHERE l.child_id = ? AND p.status NOT IN ('done', 'archived') LIMIT 1rwclaim_rejectedrparents_not_doneNzBSELECT current_run_id FROM tasks WHERE id = ? AND status = 'ready'r av UPDATE task_runs SET status = 'reclaimed', outcome = 'reclaimed', summary = COALESCE(summary, 'invariant recovery on re-claim'), ended_at = ?, claim_lock = NULL, claim_expires = NULL, worker_pid = NULL WHERE id = ? AND ended_at IS NULL a? UPDATE tasks SET status = 'running', claim_lock = ?, claim_expires = ?, started_at = COALESCE(started_at, ?) WHERE id = ? AND status = 'ready' AND claim_lock IS NULL r(NSELECT assignee, max_runtime_seconds, current_step_key FROM tasks WHERE id = ? INSERT INTO task_runs ( task_id, profile, step_key, status, claim_lock, claim_expires, max_runtime_seconds, started_at ) VALUES (?, ?, ?, 'running', ?, ?, ?, ?) rr r0UPDATE tasks SET current_run_id = ? WHERE id = ?claimed)lockexpiresr@r) r&rr)r4rrKrrGrrrc) rMrr#rrOrrundonestalerrrun_curr@s r claim_taskr sN dikk  C  #kmmD.{;;;G 4`'`' TJ   (**    LL4     g/-.   3`'`'`'`'`'`'`'`'< P J   (**   U+,  LLc% 01223   ll 7C )    <1  y`'`'`'`'`'`'`'`'~|| & J   (** ,, $(2Z  d,0:'((d/3=*++   $" > W      '9g @ @    g&&A`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'s!AG?7BG?B*G??HHc ttj}|p t}|t|z}t |5|d||||f}|jdkr ddddS|d|f}|d||r|dnd|r|dnd|||r|dnd|f} | j} |d | |ft||d ||| d d | t||cdddS#1swxYwYdS)uAtomically transition ``review -> running``. Returns the claimed ``Task`` on success, ``None`` if the task was already claimed (or is not in ``review`` status). Unlike ``claim_task`` (which handles ``ready -> running``), this does NOT check parent dependencies — the task already passed that gate on its original ``todo -> ready -> running`` transition. Creates a new run entry so the review agent's lifecycle is tracked independently from the original worker run. a@ UPDATE tasks SET status = 'running', claim_lock = ?, claim_expires = ?, started_at = COALESCE(started_at, ?) WHERE id = ? AND status = 'review' AND claim_lock IS NULL r(Nrrrr rrrr)rrr@ source_statusr) r&rr)r4rrKrrrrGrc) rMrr#rrOrrrrrr@s rclaim_review_taskr s & dikk  C  #kmmD.{;;;G 42'2'll 7C )    <1  2'2'2'2'2'2'2'2' || & J   (** ,, $(2Z  d,0:'((d/3=*++   $" > W      '9g& ( (     g&&e2'2'2'2'2'2'2'2'2'2'2'2'2'2'2'2'2'2's'D>B+D>>EEcttjt|z}|p t}t |5|d|||f}|jdkr8t||}||d||f ddddS ddddS#1swxYwYdS)zExtend a running claim. Returns True if we still own it. Workers that know they'll exceed 15 minutes should call this every few minutes to keep ownership. zYUPDATE tasks SET claim_expires = ? WHERE id = ? AND status = 'running' AND claim_lock = ?r(N3UPDATE task_runs SET claim_expires = ? WHERE id = ?TF)r&rr4r)rrKrr)rMrr#rrrrr@s rheartbeat_claimrY s=$)++!;K!H!HHG  #kmmD 4ll E gt $   <1  $T733F! If%sAB;-B;;B?B? signal_fncttj}d}tdddd}|d|f}|D]}|dpd}||}|d} | duo|t| z tk} |r4|d r+t|d r| s|tz} t|5|d | |d |d|f} | j dkr dddt||d } | |d | | ft||d d dt|d |dt|d| |dt|dndd| dddn #1swxYwYt|d |d|}t|5|d|d |d|f} | j dkr dddt||d ddd|d|} |d|d t|d ndt|d|dt|dnd||t!| d}||t||d d|| |dz }dddn #1swxYwY|S)uhReset any ``running`` task whose claim has expired. A stale-by-TTL claim whose host-local worker PID is still alive is *extended* (with a ``claim_extended`` event) instead of being reclaimed. Reclaiming a live worker mid-flight produces the spawn- then-immediately-reclaim loop seen on slow models that spend longer than ``DEFAULT_CLAIM_TTL_SECONDS`` inside a single tool-free LLM call (#23025): no tool calls means no ``kanban_heartbeat``, even though the subprocess is healthy. Backstop (#29747 gap 3): if the worker's PID is still alive but its ``last_heartbeat_at`` is stale by more than ``DEFAULT_CLAIM_HEARTBEAT_MAX_STALE_SECONDS`` (1h), the worker has been making no observable progress and we reclaim anyway — even if ``_pid_alive`` is still true. This catches the wedged-in-a-logic-loop case where the process is technically running but accomplishing nothing. ``_touch_activity`` (run_agent.py) bridges chunk-level liveness into ``last_heartbeat_at`` via #31752, so any genuinely active worker keeps its heartbeat fresh as a side effect of normal API traffic. ``enforce_max_runtime`` and ``detect_crashed_workers`` remain the upper bounds for genuinely wedged or dead workers. Returns the number of stale claims actually reclaimed (live-pid extensions don't count). Safe to call often. rr$r(zSELECT id, claim_lock, worker_pid, claim_expires, last_heartbeat_at FROM tasks WHERE status = 'running' AND claim_expires IS NOT NULL AND claim_expires < ?rr*rNrzUPDATE tasks SET claim_expires = ? WHERE id = ? AND status = 'running' AND claim_lock IS ? AND claim_expires IS NOT NULL AND claim_expires < ?rrclaim_extended pid_aliver)rrrclaim_expires_wasclaim_expires_nowrrrzUPDATE tasks SET status = 'ready', claim_lock = NULL, claim_expires = NULL, worker_pid = NULL WHERE id = ? AND status = 'running' AND claim_lock IS ? AND claim_expires IS NOT NULL AND claim_expires < ? reclaimedz stale_lock=r+rr/r.) stale_lockrrrrO host_localheartbeat_stale)r&rr)rrKrr})DEFAULT_CLAIM_HEARTBEAT_MAX_STALE_SECONDS _pid_aliver4rrrrG_terminate_reclaimed_workerrrr)rMrrOr host_prefixrrrrhbr new_expiresrr@ terminationr?s rrelease_stale_claimsrx s< dikk  CI ]]((a003666K LL "     hjj  ^^< &B__[11 $ % dN Ls2ww"KK  ( L!( 3|,--( $ (   : < <D <1$$       )s4y99%LLM$f-#d)%5"-&)#l*;&<&<&),&7-0_1E-F-F-8 ##67C $7 8999!%  "#               B 1  s<0I   t__% % ,,FTC -s3 C|q  % % % % % % % c$i#K7C $577$ F",/<(4L)***:>!$S%9!:!:./;/0111AE(#'#8#8G NN; ' ' ' c$i     NIK% % % % % % % % % % % % % % % L s23G,BG,,G0 3G0 &2L3%CL33L7 :L7 )rrrc 8|d|f}|sdS|ddkr |ddS|d}t|d||}t|5|d ||f}|jd kr ddddSt ||d d |rd |nd ||}d||d} | |t||d | |dddn #1swxYwYt||dS)a!Operator-driven reclaim: release the claim and reset to ``ready``. Unlike :func:`release_stale_claims` which only acts on tasks whose ``claim_expires`` has passed, this function reclaims immediately regardless of TTL. Intended for the dashboard/CLI recovery flow when an operator wants to abort a running worker without waiting for the TTL to expire (e.g. after seeing a hallucination warning). Returns True if a reclaim happened, False if the task isn't in a reclaimable state (not running, or doesn't exist). z=SELECT status, claim_lock, worker_pid FROM tasks WHERE id = ?FrrrNrrzUPDATE tasks SET status = 'ready', claim_lock = NULL, claim_expires = NULL, worker_pid = NULL WHERE id = ? AND status IN ('running', 'ready', 'blocked') AND claim_lock IS ?r(rzmanual_reclaim: zmanual_reclaim lock=rT)manualr prev_lockr) rKrrrrrrrG_clear_failure_counter) rMrrrrrrrr@r?s r reclaim_taskr s$ ,,G    hjj u 8} !!c,&7&?uL!I- L9 K 4  ll "i    <1           ' /58+6+++7I77    "   {### ';     3               D4))) 4s3%C?%AC??DD) reclaim_firstrrct|rt|||pd t|||S#t$rYdSwxYw)a Reassign a task, optionally reclaiming a stuck running worker first. This is the recovery path for "this profile's model is broken, try a different one". If ``reclaim_first`` is True, any active claim is released (via :func:`reclaim_task`) before the reassign happens; otherwise the function refuses to reassign a currently-running task and returns False (caller can retry with ``reclaim_first=True``). Returns True if the reassign landed. ``profile`` may be ``None`` to unassign entirely. reassign)rF)rrrrI)rMrr(rrs r reassign_taskrG sb&AT76+?Z@@@@4'222 uus ) 77completing_task_id claimed_idstuple[list[str], list[str]]ctd|pgD}|sggfSt}g}|D]0}||vr*||||1|d|f}|g|fS|d}ddgt |z} |d| dt|} d | D} tt||} g} g}|D]}| |}|||/|r||kr| |M||kr| |i|| vr| |||| |fS) uPartition ``claimed_ids`` into (verified, phantom). A card is "verified" iff a row exists in ``tasks`` AND at least one of the following holds: * ``created_by`` matches the completing task's ``assignee`` profile (the common case: worker A spawns a card via ``kanban_create``, which stamps ``created_by=A``). * ``created_by`` matches the completing task's id (edge case where a worker passed its own task id as the ``created_by`` value). * The card is linked as a ``task_links.child`` of the completing task — i.e. the worker explicitly called ``kanban_create`` with ``parents=[]``. This accepts cards created through the dashboard/CLI by a different principal but then attached to the completing task by the worker. ``phantom`` returns ids that either don't exist at all, or exist but don't satisfy any of the three trust conditions. The caller decides what to do with each bucket; this helper never mutates. cg|]D}t|#t|ESr`)rGr/)rxs rrz)_verify_created_cards.. s9MMM!c!ffllnnMs1vv||~~MMMr!'SELECT assignee FROM tasks WHERE id = ?Nrr5r9z.SELECT id, created_by FROM tasks WHERE id IN (rc,i|]}|d|dS)rrr`r;s r z)_verify_created_cards.. s" 4 4 4!QtWa o 4 4 4r!) rIrrrKrrrprBrrr.)rMrrrrorderedcidrcompleting_assigneer_rVfoundlinked_childrenverifiedphantomrs r_verify_created_cardsrf s 2NM (9rMMMG 2v UUDG   d?? HHSMMM NN3    ,,14F3H  hjj {7{j/88SECLL011L <<HHHH g  hjj  5 4t 4 4 4E!$Id4F$G$G H HOHG   YYs^^   NN3      :1D#D#D OOC - - - OOC O # # OOC NN3     W r!z\bt_[a-f0-9]{8,}\btextc|sgSt|}|sgSt}g}|D]0}||vr*||||1ddgt |z}|d|dt| }d|Dfd|DS)ueRegex-scan free-form text for ``t_`` references; return the ones that don't exist in ``tasks``. Used as a non-blocking advisory check on completion summaries. An empty return means "no suspicious references found" — either the text had no IDs at all, or every ID it mentioned resolves to a real task. Duplicates are deduped. r5r9r[rch|] }|d Srr`r;s rrz._scan_prose_for_phantom_ids.. s&&&A$&&&r!cg|]}|v| Sr`r`)rmexistings rrz/_scan_prose_for_phantom_ids.. s# 3 3 3!(!2!2A!2!2!2r!) _TASK_ID_PROSE_REfindallrIrrrrprKrBr) rMrmatchesruniquerr_rVrs @r_scan_prose_for_phantom_idsr s  ''--G  UUDF  D== HHQKKK MM!   88SECKK/00L <<<\<<< f   hjj '&&&&H 3 3 3 3v 3 3 33r!c$eZdZdZdfd ZxZS)HallucinatedCardsErroraORaised by ``complete_task`` when ``created_cards`` contains ids that don't exist or weren't created by the completing worker. The phantom list is attached as ``.phantom`` for callers that want structured access. Kept as ``ValueError`` subclass so existing tool-error handlers treat it as a recoverable user error. rrYrrGct||_||_tdd|dS)Nz`completion blocked: claimed created_cards that do not exist or were not created by this worker: r)rrrrrr)rrrrs rrzHallucinatedCardsError.__init__ s_G}} "4  H3799W3E3E H H     r!)rrYrrGrrs@rrr sG          r!r)rr,r. created_cardsexpected_run_idrrr c ttj}|rt|||\}|rt|5t ||d||s|r8|p|pddddndddddn #1swxYwYt||ngt|5||d|||f} n'|d|||t|f} | j d kr dddd St||d d ||n|| } | |s|s|rt||d ||n||} ||n|pd} | r4| dddnd} |rt|nd| pdd} r| d<t|trD|d} t| t t"frd| D}|r|| d<t ||d | | dddn #1swxYwYdt'd||g}|r^t)||}fd|D}|r>t|5t ||d|dd| dddn #1swxYwYt+||t-|t/||dS)uTransition ``running|ready -> done`` and record ``result``. Accepts a task that is merely ``ready`` too, so a manual CLI completion (``hermes kanban complete ``) works without requiring a claim/start/complete sequence. ``summary`` and ``metadata`` are stored on the closing run (if any) and surfaced to downstream children via :func:`build_worker_context`. When ``summary`` is omitted we fall back to ``result`` so single-run callers do not have to pass both. ``metadata`` is a free-form dict (e.g. ``{"changed_files": [...], "tests_run": [...]}``) — workers are encouraged to use it for structured handoff facts. ``created_cards`` is an optional list of task ids the completing worker claims to have created. Each id is verified against ``tasks.created_by``. If any id is phantom (does not exist or was not created by this worker's assignee profile), completion is blocked with a ``HallucinatedCardsError`` and a ``completion_blocked_hallucination`` event is emitted so the rejected attempt is auditable. When all ids verify, they are recorded on the ``completed`` event payload. After a successful completion, ``summary`` and ``result`` are scanned for prose references like ``t_deadbeefcafe`` that do not resolve. Any suspected phantom references are recorded as a ``suspected_hallucinated_references`` event. This pass is advisory and never blocks. completion_blocked_hallucinationr*rN) phantom_cardsverified_cardssummary_previewa UPDATE tasks SET status = 'done', result = ?, completed_at = ?, claim_lock = NULL, claim_expires= NULL, worker_pid = NULL WHERE id = ? AND status IN ('running', 'ready', 'blocked') a UPDATE tasks SET status = 'done', result = ?, completed_at = ?, claim_lock = NULL, claim_expires= NULL, worker_pid = NULL WHERE id = ? AND status IN ('running', 'ready', 'blocked') AND current_run_id = ? r(F completedr)r+rr,r.r+r,r.) result_lenr,r% artifactscg|]Y}t|tt|8t|ZSr`)rrGr/r4s rrz!complete_task..usb%%%'(Jq#.s+PPPa1Cw>(>f>*g##*#6F! F")!4gg&GR AKSZ%%''2244Q7==QS )/6#f+++Q!)T# #   A2@ . / h % % G#<< 44L,u 66 G%%,8%%%!%G5F%k2 ';     [Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q lw&78899I24CC QPPP<PPP  4  '#F(4"6"                4)))DtW%%% 4s? AB((B,/B,AI2DII I$KK K rcN |d}n#t$rYdSwxYwg}tjdd}|rZ |t|dn#t$rYnwxYw t}n#t$rd}YnwxYw| ||dz dz dn#t$rYnwxYw |dz dz d}n#t$rd}YnwxYw| t| }n#t$rg}YnwxYw|D]f} | sn#t$rY%wxYw ||dz dW#t$rYcwxYw|D]2}||kr | |rd S##t$rY/wxYwdS) u Return True iff *p* is a strict descendant of a kanban-managed scratch root. A managed root is exclusively a ``workspaces/`` directory — never the broader kanban home, a board root, or sibling subtrees like ``logs/`` or ``boards//`` itself. Allowed roots: * ``HERMES_KANBAN_WORKSPACES_ROOT`` when set (worker-side override injected by the dispatcher). * ``/kanban/workspaces`` — legacy default-board scratch root. * ``/kanban/boards//workspaces`` for each board slug that currently exists on disk. The check requires strict descendancy: a path equal to one of these roots is NOT managed (deleting the workspaces root would wipe every task's scratch dir at once), and a path that resolves to `` /kanban`` itself, ``/kanban/logs``, or ``/kanban/boards/`` is rejected because those subtrees hold Hermes' own DB, metadata, and logs, not task workspaces. Used by :func:`_cleanup_workspace` to refuse to ``shutil.rmtree`` paths outside Hermes-managed storage. A board ``default_workdir`` pointing at a real source tree can otherwise pair with ``workspace_kind='scratch'`` and cause task completion to delete user data (#28818). F)strictrr*Nr]rr^T)rrmr,r-r.r/rr rXr[rrris_relative_tor0) rp_absrootsrZhome boards_parentrentryrs r_is_managed_scratch_pathrDs2  '' uuEz~~=rBBHHJJH  LLh2244<>! !HLL%,"6!?!?u!?!M!MNNNNH D==  ##D)) tt     H  5s ''!AB** B76B7;C CC /D DD!D>> E  E !E55 FF F"" F/.F/3,G  G-,G-<H H"!H"c |d|f}|sdS|d}|d}|dks|st||dS|d|f}|rtd||dSddl}t |}|rYt|r.|j |d td |nt d ||t||t||dS#t$rYdSwxYw) uZRemove a task's scratch workspace dir and kill its stale tmux session. Called from :func:`complete_task` after the DB transaction commits. Best-effort — any error is swallowed so cleanup never blocks task completion. Only ``scratch`` workspaces are removed; ``worktree`` and ``dir`` workspaces are intentionally preserved. =SELECT workspace_kind, workspace_path FROM tasks WHERE id = ?NrrrSELECT 1 FROM task_links l JOIN tasks t ON t.id = l.child_id WHERE l.parent_id = ? AND t.status NOT IN ('done', 'archived', 'failed', 'cancelled') LIMIT 1z[Deferring scratch workspace cleanup for task %s: active children still need workspace at %srT ignore_errorszRemoved scratch workspace: %szRefusing to remove out-of-scratch workspace for task %s: %s (workspace_kind='scratch' but path is outside any kanban-managed workspaces root)) rKr_try_cleanup_parent_workspacesr debugrr rrDrwarning_cleanup_worker_tmuxr)rMrrr>r~_active_childrenrwps rr5r5s: ll K J   (**   F!"23!"23 9  D  +4 9 9 9 F << J   (**    JJ=    F $ZZ 99;;  (++  b5555 :B???? 6R  T7+++ 'tW55555      s$+E(EAE"B E EEc6 |d|f}|D]\}|d|f}|r|ddks|dsD|d|f}|rpddl}t |d}|r=t |r.|j|d t d ||dS#t$rYdSwxYw) aMClean up parent scratch workspaces now that *task_id* completed. When a parent task's cleanup was deferred because it had active children, this function is called after each child completes. If all children of a parent are now done/archived/failed/cancelled, the parent's scratch workspace is removed (#33774). z3SELECT parent_id FROM task_links WHERE child_id = ?rFrrrrGrNTrHz9Deferred cleanup: removed parent %s scratch workspace: %s) rKrrrr rrDrr rKr)rMrrxrsractiverrOs rrJrJ4so ,, A J   (** $ g gLY,,O hjj  #./9<B99 CCz.scratch_tip_shownuscratch workspaces are ephemeral — they're deleted when the task completes. Use --workspace worktree: (git worktree) or --workspace dir:/abs/path (existing dir) to preserve worker output.c.ttz S)z A2& A>2A66A>9A6:A>=B> B B B  BB.)r,r.c 2||n|}t|5|d|f}|r |ddkr ddddS|d||f|d|f}|rt|dnd}|t ||d || }nF|d ||f|,|d t j|d |f|r4|dddnd} t||dddg|dgngz|rt|nd| pdd|dddn #1swxYwYdS)z?Backfill the user-visible result for an already completed task.NrvrrFz(UPDATE tasks SET result = ? WHERE id = ?z SELECT id FROM task_runs WHERE task_id = ? AND outcome = 'completed' ORDER BY COALESCE(ended_at, started_at, 0) DESC, id DESC LIMIT 1 rr'r(z-UPDATE task_runs SET summary = ? WHERE id = ?z.UPDATE task_runs SET metadata = ? WHERE id = ?rrr)r*editedrr,r.)fieldsr*r,rT) rrKrr&rrrr/r3rGrp) rMrrr,r.handoff_summaryrrWr@r6s redit_completed_task_resultrls{")!4gg&O 45 5 ll 3gZ  (**  c(mv-- 5 5 5 5 5 5 5 5 6 W    ll J    (** $'0SYD >*g#'! FF LL? &)   # DZu===vF  'O ! ! # # . . 0 0 3DSD 9 9$&   '8y)'/'; ||E.4:c&kkk%-    U5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 l 4s9F D$F  FF)rr ct|5||d|f}n%|d|t|f}|jdkr ddddSt ||dd|}||rt ||d|}t ||dd |i|  dddd S#1swxYwYdS) z"Transition ``running -> blocked``.Na6 UPDATE tasks SET status = 'blocked', claim_lock = NULL, claim_expires= NULL, worker_pid = NULL WHERE id = ? AND status IN ('running', 'ready') a` UPDATE tasks SET status = 'blocked', claim_lock = NULL, claim_expires= NULL, worker_pid = NULL WHERE id = ? AND status IN ('running', 'ready') AND current_run_id = ? r(Frr+rr,r+r,rrT)rrKr&rrrrG)rMrrr rr@s r block_taskrpsr 4,,  ",,   CC,, #o../  C <1  ;,,,,,,,,< 'i    >f>*g!F dGY60B6RRRRY,,,,,,,,,,,,,,,,,,sA B8)AB88B<?B<)rforcedry_runactorrqrrtuple[bool, Optional[str]]c 0|d|f}|dd|dfS|d}|dvr dd|d|d fS|sR|d |f}d |D} | rdd d | dfS|rdSt |5|d|f} | jdkrdd|dfcdddSt ||d|||ddddn #1swxYwYdS)a Manually promote a `todo` or `blocked` task to `ready`. Mirrors the automatic promotion done by ``recompute_ready`` but drives it from a deliberate operator action with an audit-trail entry. Refuses to promote if any parent dep is not in a terminal state (`done`/`archived`) unless ``force=True``. Does NOT change assignee or claim state. Returns ``(True, None)`` on success and ``(False, reason)`` if refused. ``dry_run=True`` validates the promotion would succeed without mutating state. rvNFtask z not foundr)rrz is z-; promote only applies to 'todo' or 'blocked'z_SELECT t.id, t.status FROM tasks t JOIN task_links l ON l.parent_id = t.id WHERE l.child_id = ?c2g|]}|ddv |dS)rrrr`r4s rrz promote_task..os6   {"666 dG666r!z!unsatisfied parent dependencies: rz (use --force to override))TNzPUPDATE tasks SET status = 'ready' WHERE id = ? AND status IN ('todo', 'blocked')r(z status changed during promotionpromoted_manual)rsrforced)rKrrrrrrG) rMrrsrrqrrrrrx unsatisfiedrs r promote_taskr{Hs(& ,,/'  hjj {1g11111XJ,,, #G # # # # #  ,, #J   (**    $     F99[))FFF  z 4   ll = J   <1  K'KKKK             v ? ?                     :s2*D )D  DDc Lttj}t|5|d|f}|r3|dr+|d|t|df|d|f}|rdnd}|d||f}|jdkr d d d d St ||d |dkrd |ind  d d d d S#1swxYwYd S)uTransition ``blocked``/``scheduled`` -> ready or todo. Defensively closes any stale ``current_run_id`` pointer before flipping status. In the common path (``block_task`` closed the run already) this is a no-op. If a future or external write left the pointer dangling, the leaked run is closed as ``reclaimed`` inside the same txn so the runs invariant (``current_run_id IS NULL`` ⇔ run row in terminal state) holds for the rest of this function's lifetime. zTSELECT current_run_id FROM tasks WHERE id = ? AND status IN ('blocked', 'scheduled')r au UPDATE task_runs SET status = 'reclaimed', outcome = 'reclaimed', summary = COALESCE(summary, 'invariant recovery on unblock'), ended_at = ?, claim_lock = NULL, claim_expires = NULL, worker_pid = NULL WHERE id = ? AND ended_at IS NULL zqSELECT 1 FROM task_links l JOIN tasks p ON p.id = l.parent_id WHERE l.child_id = ? AND p.status != 'done' LIMIT 1rrzUPDATE tasks SET status = ?, current_run_id = NULL, consecutive_failures = 0, last_failure_error = NULL WHERE id = ? AND status IN ('blocked', 'scheduled')r(NF unblockedrT)r&rrrKrrrG)rMrrOrundone_parents new_statusrs r unblock_taskrs dikk  C 4** b J   (**   U+,  LLc% 01223   " BJ   (**  .:VV7 ll B !    <1  K********L  ';&0G&;&;Xz " "   U******************sB2D/DD D)rrrr4c v|#|stdt|}t|5|d|f}| ddddSdg}g}g} |q||dpdkrQ|d||| d|O|pd|d pdkr?|d ||| d |M||d pdkr?|d ||| d |||d d|dt|} | j dkr ddddS| ry|rw|rc|d||dd| zdzttj ft||d| rd| inddddn #1swxYwYt|dS)uDFlesh out a triage task and promote it to ``todo``. Atomically updates ``title`` / ``body`` / ``assignee`` (when provided) and transitions ``status: triage -> todo`` in a single write txn. Returns False when the task is missing or not in the ``triage`` column — callers should surface that as "nothing to specify" rather than an error. ``todo`` (not ``ready``) is the correct landing column: ``recompute_ready`` promotes parent-free / parent-done todos to ``ready`` on the next dispatcher tick, which keeps the normal parent-gating behaviour intact for specified tasks that happen to have open parents. ``author`` is recorded on an audit comment only when at least one of ``title`` / ``body`` / ``assignee`` actually changed — avoids noisy comment spam for status-only promotions. Nztitle cannot be blankzJSELECT title, body, assignee FROM tasks WHERE id = ? AND status = 'triage'Fstatus = 'todo'rr*z title = ?rzbody = ?r assignee = ?UPDATE tasks SET rz# WHERE id = ? AND status = 'triage'r(ruSpecified — updated z and promoted to todo. specifiedchanged_fieldsT)r/r0r.rrKrrrrBrr&rrGr) rMrrrrr4rsetsrnrrs rspecify_triage_taskrsa2 0111"8,,H 45 5 << X J   (**    5 5 5 5 5 5 5 5 --$&  8G3D3J!K!K KK $ $ $ MM%++-- ( ( (  ! !' * * *  &1A1GR H H KK # # # MM$     ! !& ) ) )  H*1E1M$N$N KK ' ' ' MM( # # #  ! !* - - - gll 2 $ 2 2 2 &MM   <1  ;5 5 5 5 5 5 5 5 <  f   LL&LLNN,ii//0./ $$        2@ J ~ . .d    a5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 vD 4s -J>E5JBJJ#&J#)r4 auto_promote root_assigneechildrenrOptional[list[str]]c $|sdS|t|}t|D] \}}t|tst d|d|d}t|t r|st d|d|dpg} t| tst d|d| D]_} t| tr| dks| t|krt d|d | d | |krt d|d `"dgt|z$d tt|D} t|D]J\} } | dpgD]-}| | | $| xxd z cc<.K$fdtt|D}d}|rW| }|d z }| |D]3}$|xxd zcc<$|dkr| |4|W|t|krt dttj}g}t|5|d|f}| ddddS|ddkr ddddS|d}|dpd}|d}t|D]\}}t%}|d}|d}t|d}|dp|}|dr|d}n ||kr|}nd}|d||t|t r|nd||||||pdf t'||d|pd|d| |t|D]\\}}|dpgD]?}||}||} |d|| ft'|| d|| d@]|D]}!|d|!|fd g}"g}#|*|" d!|# ||# ||d"d#|"d$t+|#|rY|rE|d%||d&d#|zd'z|ft'||d(||d)dddn #1swxYwY|rt-||S)*u<Fan a triage task out into child tasks and promote the root to ``todo``. The root task stays alive and becomes the parent of every child — when all children reach ``done``, the root promotes to ``ready`` and its assignee (typically the orchestrator profile) wakes back up to judge completion or spawn more work. ``children`` is a list of dicts, each shaped like:: { "title": "...", "body": "...", # optional "assignee": "profile-name", # optional, None -> default fallback "parents": [0, 2], # indices into this same children list } Returns the list of created child task ids (in input order) on success. Returns ``None`` when: - The root task does not exist - The root task is not in ``triage`` - A cycle would result (caller built a bad graph) Validation of titles/assignees happens inside the same write_txn as the inserts so a malformed entry aborts the whole decomposition cleanly (no orphan children). Nzchild[z] is not a dictrz].title is requiredrxz].parents must be a listrz ].parents[z$] is not a valid index into childrenz ] cannot list itself as a parentcg|]}gSr`r`rrs rrz)decompose_triage_task..bs>>>AR>>>r!r(c,g|]}|dk|S)rr`)r_i_in_degs rrz)decompose_triage_task..gs' D D DR72;!3C3Cb3C3C3Cr!z6cyclic dependency detected in decomposed children listzQSELECT id, status, tenant, workspace_kind, workspace_path FROM tasks WHERE id = ?rrrrrrrrzINSERT INTO tasks (id, title, body, assignee, status, workspace_kind, workspace_path, tenant, created_at, created_by) VALUES (?, ?, ?, ?, 'todo', ?, ?, ?, ?, ?) decomposerr>)rfrom_decompose_ofr=rxryrrrrz WHERE id = ?rzDecomposed into z,. Root will wake when all children complete. decomposed)rr)r. enumeraterrr0r.rGr/rr&rprDrrrrrKrr!rGrrBr)%rMrrrr4ridxrr parents_idxr_adjr_c_p_queue_seen_node_nbrOrroot_rowr root_ws_kind root_ws_pathnew_idrr child_ws_kind child_ws_pathp_idxrsrtr rrnrs% @rdecompose_triage_taskr!sF t +M::  ))QQ U%&& <:c:::;; ; '""%%% @U[[]] @>c>>>?? ?ii **0b +t,, ECcCCCDD D Q QAa%% Q!s8}}2D2D SSSSASSSCxx !O#!O!O!OPPP  QcCMM!G>>s8}})=)=>>>DH%%B66)$$*  B HOOB    BKKK1 KKKK E D D D5X// D D DF E #   ; # #C CLLLA LLLs|q   c""" # H QRRR dikk  CI 4x x << & J   (**   x x x x x x x x  H  ) )x x x x x x x x (#  01>Y  01 $H--& %& %JC!^^F'N((**E99V$$D*599Z+@+@AAH "II&677G $) (H(8<< "  C LL g    ""  $ KK ' ' ' MM- ( ( ( g > $ > > > &MM    fllnn  LL&LLNN&ii **+DE      '<&!.     ex x x x x x x x x x x x x x x ~ s1-W + W J:W  WWc"t|5|d|f}|jdkr ddddSt||ddd}t ||dd|dddn #1swxYwYt |d S) NzUPDATE tasks SET status = 'archived', claim_lock = NULL, claim_expires = NULL, worker_pid = NULL WHERE id = ? AND status != 'archived'r(Frz#task archived with run still activernrrT)rrKrrrGr)rMrrr@s r archive_taskrs( 4FFll 4J    <1  FFFFFFFF ' 9    dGZfEEEE#FFFFFFFFFFFFFFF*D 4s$A5(A55A9<A9c t|5|d|f}|r |ddkr ddddS|d||f|d|f|d|f|d |f|d |f|d |f}|jd kcdddS#1swxYwYdS) aPermanently remove an already-archived task and its related rows. Safety guard: only archived tasks can be deleted. Active / blocked / done tasks must be explicitly archived first so accidental data loss requires a second deliberate action. rvrrNF:DELETE FROM task_links WHERE parent_id = ? OR child_id = ?+DELETE FROM task_comments WHERE task_id = ?)DELETE FROM task_events WHERE task_id = ?'DELETE FROM task_runs WHERE task_id = ?0DELETE FROM kanban_notify_subs WHERE task_id = ?DELETE FROM tasks WHERE id = ?r()rrKrr)rMrrrs rdelete_archived_taskrs 4!!ll 3 J   (**  c(mz11 !!!!!!!! H g     BWJOOO @7*MMM > KKK G'TTTll;gZHH|q !!!!!!!!!!!!!!!!!!!s9C8BC88C<?C<ct|5|d|f}|jdkr ddddS|d||f|d|f|d|f|d|f|d |fdddn #1swxYwYt|d S) afHard-delete a task and cascade to all related rows. Because the schema does not use ``ON DELETE CASCADE`` foreign keys, we explicitly delete from child tables first, then the task row. This keeps the operation atomic (single ``write_txn``). Returns ``True`` if the task existed and was deleted, ``False`` if the task was not found. rr(NFrrrrrT)rrKrr)rMrrs r delete_taskr4s[ 4UUll;gZHH <1  UUUUUUUU QT[]dSefff BWJOOO @7*MMM > KKK G'TTTUUUUUUUUUUUUUUUD 4s$CA4CCCtaskc|jpd}|dkr|jr[t|j}|s t d|jd|jdnt||jz }|dd|S|dkr|jst d|jd t|j}|s t d|jd|jd |dd|S|d kr|jstj d z |jz St|j}|s t d|jd |jd|St d|)uResolve (and create if needed) the workspace for a task. - ``scratch``: a fresh dir under ``/workspaces//``, where ```` is the active board's root. The path is the same for the dispatcher and every profile worker, so handoff is path-stable. - ``dir:``: the path stored in ``workspace_path``. Created if missing. MUST be absolute — relative paths are rejected to prevent confused-deputy traversal where ``../../../tmp/attacker`` resolves against the dispatcher's CWD instead of a meaningful root. Users who want a kanban-root-relative workspace should compute the absolute path themselves. - ``worktree``: a git worktree at ``workspace_path``. Not created automatically in v1 -- the kanban-worker skill documents ``git worktree add`` as a worker-side step. Returns the intended path. Persist the resolved path back to the task row via ``set_workspace_path`` so subsequent runs reuse the same directory. rrvz! has non-absolute workspace_path z"; workspace paths must be absoluterTrwrz- has workspace_kind=dir but no workspace_pathzR; use an absolute path (relative paths are ambiguous against the dispatcher's CWD)rz .worktreesz has non-absolute worktree path z; use an absolute pathzunknown workspace_kind: ) rrr rX is_absoluter0rrr|cwd)rrr>rs rresolve_workspacerOsG(   +)D y   7T())4466A==??  QDGQQ*QQQ   e,,,tw6A t,,, u}}" NNNN  $ % % 0 0 2 2}} OOO&OOO  t,,, z" 78:: ,tw6 6 $ % % 0 0 2 2}} AAA&AAA  666 7 77r! Path | strct|5|dt||fddddS#1swxYwYdS)Nz0UPDATE tasks SET workspace_path = ? WHERE id = ?)rrKrG)rMrr~s rset_workspace_pathrs 4   > YY                      s&AA Act|5|g}d}|'|dz }|t||||}|jdkr ddddSt ||dd|}||rt ||d|}t||dd |i|  dddd S#1swxYwYdS) a+Park a task in ``scheduled`` so it is waiting on time, not human input. ``scheduled`` tasks are intentionally not dispatchable; an external cron, human action, or automation can later call ``unblock_task`` to re-gate them to ``ready`` (or ``todo`` if parents are still incomplete). a' UPDATE tasks SET status = 'scheduled', claim_lock = NULL, claim_expires= NULL, worker_pid = NULL WHERE id = ? AND status IN ('todo', 'ready', 'running', 'blocked') Nz AND current_run_id = ?r(FrrnrorrT)rrr&rKrrrrG)rMrrr rnsqlrr@s r schedule_taskrsj 4$I   & , ,C MM#o.. / / /ll3'' <1  !" '     >f>*g#F dG[8V2DVTTTT;sAB=.AB==CCri r(z\b(quota|rate[\s_\-]?limit|429|403|auth\w*|unauthorized|forbidden|billing|subscription|access[\s_]denied|permission[\s_]denied|invalid[\s_]api[\s_]key)\bi,iQz-https?://github\.com/[^/\s]+/[^/\s]+/pull/\d+ceZdZUdZdZded<dZded<eeZ ded< eeZ d ed < eeZ d ed < eeZ d ed < eeZ d ed< eeZd ed< eeZd ed< eeZd ed< eeZd ed< eeZded< eeZd ed<dS)DispatchResultz&Outcome of a single ``dispatch`` pass.rr&rr)default_factoryzlist[tuple[str, str, str]]spawnedrYskipped_unassignedauto_assigned_defaultskipped_nonspawnablezlist[tuple[str, str, int]]skipped_per_profile_cappedcrashed auto_blocked timed_outrzlist[tuple[str, str]]respawn_guarded rate_limitedN)r r!r"r#rr$rrrrrrrrrrrrrrr`r!rrrs00IH*/%*E*E*EGEEEEB$)E$$?$?$?????L',uT'B'B'BBBBB5 ',eD&A&A&AAAAAJ >CUSW=X=X=XXXXX"t444G4444B#eD999L9999E 5666I6666BuT222E22222-2U4-H-H-HOHHHH< $eD999L9999JJr!riXz'dict[int, tuple[int, float]]'_recent_worker_exitsrW raw_statuscn|r|dkrdStj}t||ftt|<tttdzkrM|t z fdtDD]}t|dtttkrdttd}|dt|dzD]"\}}t|d!dSdS)zRecord a reaped child's exit status for later classification. Called from the reap loop in ``dispatch_once``. Safe to call many times; duplicate pids overwrite (pids can cycle, latest wins). rNrc,g|]\}\}}|k|Sr`r`)rr_srcutoffs rrz'_record_worker_exit..Os&TTT:1gr1VQr!c|ddS)Nr(r`)kvs rrz%_record_worker_exit..TsbeAhr!r) rr&rrp_RECENT_WORKER_EXITS_MAX_RECENT_WORKER_EXIT_TTL_SECONDSitemsrr)rWrrO_pidr rrs @r_record_worker_exitrBs; #(( )++C&)*oos%;S"   #;q#@@@66TTTT)=)C)C)E)ETTT 1 1D $ $T4 0 0 0 0   #;;;-3355;N;NOOO2W!223 1 1GD! $ $T4 0 0 0 0 <; 1 1r!'tuple[str, Optional[int]]'cdtt|}|dS|\}} tj|r/tj|}|dkrdS|t krd|fSd|fStj|rdtj|fSn#t$rYnwxYwdS)uClassify a recently-reaped worker by pid. Returns ``(kind, code)`` where ``kind`` is one of: * ``"clean_exit"`` — ``WIFEXITED`` with ``WEXITSTATUS == 0``. When the task is still ``running`` in the DB, this is a protocol violation (worker exited without calling ``kanban_complete`` / ``kanban_block``) and should be auto-blocked immediately — retrying will just loop. * ``"rate_limited"`` — ``WIFEXITED`` with status ``KANBAN_RATE_LIMIT_EXIT_CODE``. The worker bailed because the provider rate-limited / exhausted quota, NOT because the task failed. ``detect_crashed_workers`` releases the task back to ``ready`` without counting a failure, so a long quota window can't trip the breaker. * ``"nonzero_exit"`` — ``WIFEXITED`` with non-zero status. Real error. * ``"signaled"`` — ``WIFSIGNALED`` (OOM killer, SIGKILL, etc). Real crash. * ``"unknown"`` — pid was not in the reap registry (either reaped by something else, or died between reap tick and liveness check). Fall back to existing crashed-counter behavior. ``code`` is the exit status (for ``clean_exit`` / ``rate_limited`` / ``nonzero_exit``) or the signal number (for ``signaled``), or ``None`` for ``unknown``. N)r#Nr) clean_exitrr nonzero_exitsignaled) rr.r&r, WIFEXITED WEXITSTATUSKANBAN_RATE_LIMIT_EXIT_CODE WIFSIGNALEDWTERMSIGr)rWrCr2rcodes r_classify_worker_exitrYs0 ! $ $SXX . .E }  FC  <   *>#&&Dqyy((222&--"D) ) >#   2 C 0 01 1 2       s#.B "B 1B 5)B B-,B- 'list[int]'cg}tjdkrt tjdtj\}}n#t$rYn1wxYw|dkrn&t ||||an#t$rYnwxYw|S)zReap all zombie children of this process without blocking. Returns the list of reaped PIDs. Safe to call when there are no children (returns []). No-op on Windows. ntTr9r)r,rwaitpidWNOHANGChildProcessErrorrrr)reapedrWrs rreap_worker_zombiesrs F w$  #"$*R"<"/status`` and treat ``State: Z`` as dead. On macOS we ask ``ps`` for the BSD ``stat`` field and treat values containing ``Z`` as dead. rF) _pid_existslinuxz/proc/z/statusr<rgrhzState:Zr$r(Ndarwinpsz-ozstat=-pT)rXstderrrrHcheckr*)gateway.statusrr&sysplatformrTr}rrPermissionErrorrmrVrWrGPIPEDEVNULL returncoderXr/SubprocessError TimeoutError)rWrrrlineprocs rrrs>. #((u****** ;s3xx u |w 0s3xx000#HHH ADx00$**S!"4"4Q"777#(                          "?G<    D    ! ! >tWdCCMM:!!) D!##ut{(b//1111u23\B    D  4sZ#C9B4 C%B4( C4B88C;B8<CCC.AE(E((FFrdict[str, Any]c0ddl}|rt|ndddddd}|r|dks|s|Stdddd}t ||s|Sd|d<||n"t td r tjnd}||Sd|d < |t||j n#ttf$r|cYSwxYwtd D].}t|s d|d <|cStjd /t|rO t!|d|j }|t||d|d<n#ttf$r|cYSwxYwt| |d <|S)z limit rRrr)rWr)r/r+ release_claimend_runevent_payload_extra)r r&rr)rrKrr}r r,rr r rmrDrrrXrrrrGr_record_task_failure)rMrr rrOrrVrrelapsedrWtidkilledrrrrr?r@s renforce_max_runtimer Fs"MMMI dikk  C ]]((a003666K << )  hjj MM< &B{++  C 34555 S2344 4 4 #l#$$$i%1yyr6** 4BGG    S&.))))&0    2YY  !#E 3# &vy&.IIHDh'''!FF*G4Dt__ & &,,6 C|q  '*7||%(-B)C%D%D%  "#' _S\\__SEZA[=\=\___$  #{GF  %%%1 & & & & & & & & & & & & & & &< <1   c[W[[SAV=W9X9X[[[##,/F$C$C      s7D++D?>D? $F..GGB/JJ J )stale_timeout_secondsrr!c @|dkrgSttj}tdddd}g}|d}|D]}|d |t|dz }||kr+|d} | |t| z nd} | | t krW|d} |d } |d pd } t| | | }t|5|d | f}|j dkr dddt|| t| nd| t| nd|| rt| ndd}| |t|| dd| dt| dnddt|dz|}t|| d||| | dddn #1swxYwY|S)uReclaim ``running`` tasks that show no progress (heartbeat) within the staleness window. A task is considered stale when BOTH of these hold: 1. It has been running for longer than ``stale_timeout_seconds`` (measured from the active run's ``started_at``, falling back to ``tasks.started_at`` on older runs). 2. Its ``last_heartbeat_at`` is older than ``_STALE_HEARTBEAT_GAP_SECONDS`` (or NULL — never sent a heartbeat). On reclaim the task is reset to ``ready``, the run is closed with ``outcome='stale'``, and the host-local worker (if still running) is terminated. Only considers ``status='running'`` tasks. Blocked tasks are never candidates. Returns the list of reclaimed task IDs. ``stale_timeout_seconds=0`` disables the check entirely (returns ``[]`` immediately). ``signal_fn`` is a test hook; defaults to ``os.kill`` on POSIX. rr$r(zSELECT t.id, t.worker_pid, t.last_heartbeat_at, t.claim_lock, COALESCE(r.started_at, t.started_at) AS active_started_at FROM tasks t LEFT JOIN task_runs r ON r.id = t.current_run_id WHERE t.status = 'running'rNrrrrr*rr)rrheartbeat_age_secondstimeout_secondsrWrzno heartbeat for zs zno heartbeat everz after z s runningrr)r&rr)rrKr_STALE_HEARTBEAT_GAP_SECONDSrrrrrrGr)rMr!rrOrrrVrrlast_hbhb_agerWrrrrr?r@s rdetect_stale_runningr(s8!!  dikk  C ]]((a003666KI << %   hjj  <"<" " # + C 34555 * * * )*)0)<#G $$$  &+G"G"G ,$i< &B2    t__% "% ",,6 C|q  % "% "% "% "% "% "% "$'w<<$+$7CLLLT$*#5CKKK4#8#&0s3xxxD  G NN; ' ' 'c)8F 7777,5c'll555 6 !   F c7GF       S ! ! !K% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "b s$HCHH H error_textctjdd|dd}tjdd|}|S)zNormalize an error message for grouping identical failures. Strips host-specific details (PIDs, timestamps) so that errors with the same root cause produce the same fingerprint. z \bpid \d+\bzpid NNPz \b\d{10,}\bz)resubrOr/)r)fps r_error_fingerprintr/5sL CRC 9 9B  + +B 88::    r!c g}g}g}t|5|d}tdddd}|D] }|dpd}||s#d|vr|dnd}|)t} tj|z | krnt|d rt|d } t| \} } d } | d krd }d }d}| |d| d}nd| dkrd }d } d| d}d}| |d| d}nEd }| dkr d| d| }n| dkr d| d| }nd| d}d}| |dd}| | dkr | |d<| |d<|d|df}|j dkr| rdnd}t||d|||t|}t||d||| | rC|d!|dd"|df||d||d||d| |d||f" dddn #1swxYwYg}|ri}|D]3\}}}}}t#|}||ddz||<4|D]k\}} }}}t#|}| o||dd#k}t'|||d|s|rdndd d | |d$}|r||l|t(_|t(_|S)%uReclaim ``running`` tasks whose worker PID is no longer alive. Appends a ``crashed`` event and drops the task back to ``ready``. Different from ``release_stale_claims``: this checks liveness immediately rather than waiting for the claim TTL. Only considers tasks claimed by *this host* — PIDs from other hosts are meaningless here. The host-local check is enough because ``_default_spawn`` always runs the worker on the same host as the dispatcher (the whole design is single-host). When the reap registry shows the worker exited cleanly (rc=0) but the task was still ``running`` in the DB, treat it as a protocol violation (worker answered conversationally without calling ``kanban_complete`` / ``kanban_block``) and trip the circuit breaker on the first occurrence — retrying a worker whose CLI keeps returning 0 without a terminal transition just loops forever. When the reap registry shows the worker exited with the rate-limit sentinel (``KANBAN_RATE_LIMIT_EXIT_CODE``), the worker bailed on a provider quota wall, NOT a task failure. Such tasks are released back to ``ready`` WITHOUT counting a failure (so a long quota window can't trip the breaker) and stamped with a quota-blocker error so ``check_respawn_guard`` defers their respawn until the window clears. The ids are returned via the ``_last_rate_limited`` function attribute (the public return stays the crashed-only ``list[str]``). zlSELECT id, worker_pid, claim_lock, started_at FROM tasks WHERE status = 'running' AND worker_pid IS NOT NULLr$r(rrr*rNrFrTucworker exited cleanly (rc=0) without calling kanban_complete or kanban_block — protocol violationprotocol_violation)rWr exit_coderzpid uI exited rate-limited (quota wall) — requeued without counting a failurerz exited with code rz killed by signal z not aliver)rWrr# exit_kindr2zUPDATE tasks SET status = 'ready', claim_lock = NULL, claim_expires = NULL, worker_pid = NULL WHERE id = ? AND status = 'running'rrrz4UPDATE tasks SET last_failure_error = ? WHERE id = ?ri)r/r+rrrr)rrKrr)rr}rr<rrr&rrrrrGrr/r.rdetect_crashed_workers_last_auto_blocked_last_rate_limited)rMrr crash_detailsrVrrrrgracerWr>rrate_limited_exitr1r) event_kind event_payloadr _run_outcomer@r _fp_countsrerr_textr.rr is_systemictrippeds rr5r5@s68G L <>M 4qq|| B   (** %,,S!44Q7::: k k C|$*D??;// /;chhjj.H.H\**dJ%4669;;+e33#l+,, c,'((C.s33JD$ % |## &*"M2 "<0!%!! ''&+"$(!;3;;;, "<0!%!! &+">))!E!E!Et!E!EJJZ''!E!E!Et!E!EJJ!7!7!7!7J& (+L8I J J # (9(915M+.15M+.,,6T C |q  2CQ~~ !#d)($!-00  #d)Z!! % LLN#DSD)3t95!''D 2222NN3t9---!((TC\):+Z9Qk  qqqqqqqqqqqqqqqx!L)%' $1 7 7 Aq!Q#H--B'^^B22Q6JrNNAN ) ) =Cg1:#J//B&&/NN2q))Q. +c !$6P+PaaD#,/G$D$DG )##C((( 1=-1=- NsI7JJ!J)rrrrrrrc |t}d}t|5|d|f} |  ddddSt | ddz} | d} d| vr| dnd} | t | } d}nt |} d }| | kr|r"|d | |dd |fn!|d | |dd |fd}|r"t ||d d |dd | || |d}| | ||dd |d}|r||t||d ||d}n|r"|d| |dd |fn!|d| |dd |f|r>t |||||dd d| i}t||||dd | d|dddn #1swxYwY|S)u=Record a non-success outcome (spawn_failed / crashed / timed_out) and maybe trip the circuit breaker. Unified replacement for the old spawn-only ``_record_spawn_failure``. Every path that ends a task with a non-success outcome funnels through here so the ``consecutive_failures`` counter and the auto-block threshold stay consistent. Returns True when the task was auto-blocked (counter reached ``failure_limit``), False when it was just updated in place. Modes: * ``release_claim=True, end_run=True`` — spawn-failure path. Caller has a running task with an open run; this transitions it back to ``ready`` (or ``blocked`` when the breaker trips), releases the claim, and closes the run with ``outcome=``. * ``release_claim=False, end_run=False`` — timeout/crash path. Caller has ALREADY flipped the task to ``ready`` and closed the run with the appropriate outcome. This just increments the counter; if the breaker trips, the task is re-transitioned ``ready → blocked`` and a ``gave_up`` event is emitted. ``event_payload_extra`` merges into the ``gave_up`` event payload when the breaker trips, so callers can include outcome-specific context (e.g. pid on crash, elapsed on timeout). Resolution order for the effective threshold: 1. per-task ``max_retries`` if set (nothing else overrides) 2. caller-supplied ``failure_limit`` (gateway passes the config value from ``kanban.failure_limit``; tests pass fixed values) 3. ``DEFAULT_FAILURE_LIMIT`` NFzHSELECT consecutive_failures, status, max_retries FROM tasks WHERE id = ?rr(rrr dispatcherzUPDATE tasks SET status = 'blocked', claim_lock = NULL, claim_expires = NULL, worker_pid = NULL, consecutive_failures = ?, last_failure_error = ? WHERE id = ? AND status IN ('running', 'ready')r4zUPDATE tasks SET status = 'blocked', consecutive_failures = ?, last_failure_error = ? WHERE id = ? AND status IN ('ready', 'running')r)rtrigger_outcomer limit_sourcer)rrrEr/rDrTzUPDATE tasks SET status = 'ready', claim_lock = NULL, claim_expires = NULL, worker_pid = NULL, consecutive_failures = ?, last_failure_error = ? WHERE id = ? AND status = 'running'zNUPDATE tasks SET consecutive_failures = ?, last_failure_error = ? WHERE id = ?r)r/r) rrrKrr&rrrrG)rMrr/r+rrrrrrrr task_overriderrEr@r?s rrrsZ- G 4eell &(/z   (**  ; eeeeeeees1233a7] #0388::"="=C  4   $!-00O!LL!-00O'L  & &  FuTcT{G4  FuTcT{G4  F !'%i+$,+2+:(4    %#2 ,tt#* G# 42333 gy'&    GG  :uTcT{G4  :uTcT{G4  !'#G+((3  '7#DSDkx@@!CeeeeeeeeeeeeeeeN Ns-G:FG::G>G>rc .t|||d|ddS)N spawn_failedT)r+rrr)r)rMrr/rs r_record_spawn_failurerJs.  gu#    r!c Tt|5|dt||ft||}|%|dt||ft ||ddt|i|ddddS#1swxYwYdS)zRecord the spawned child's pid + emit a ``spawned`` event. The event's payload carries the pid so a human reading ``hermes kanban tail`` can correlate log lines with OS-level traces without opening the drawer. z,UPDATE tasks SET worker_pid = ? WHERE id = ?Nz0UPDATE task_runs SET worker_pid = ? WHERE id = ?rrWr)rrKr&rrG)rMrrWr@s r_set_worker_pidrLs 4 R R : XXw    !w//   LLBS6"    dGYC0A&QQQQ R R R R R R R R R R R R R R R R R RsBBB!$B!ct|5|d|fddddS#1swxYwYdS)uReset the unified consecutive-failures counter. Called from ``complete_task`` on successful completion — a fresh success means the task + profile combination is working and any past failures are history. NOT called on spawn success anymore: a successful spawn proves the worker could start but says nothing about whether the run will succeed, so we need to let timeouts and crashes accumulate across spawn boundaries. zQUPDATE tasks SET consecutive_failures = 0, last_failure_error = NULL WHERE id = ?N)rrK)rMrs rrrs 4    5 J                     s 599c|d|f}|dSttj}t }|d|f}|8|ddkr,|dkrdS|d}||t|z |krdSdS|d }|rt |rd S|tz }|d ||frd S|tz } |d || f D]-} | dr#t| drdS.dS)u3 Return a guard reason if ``task_id`` should NOT be re-spawned, else None. Called per ready task in ``dispatch_once`` before any claim attempt. Returning a reason defers the spawn this tick; the task stays in ``ready`` and gets another chance on the next dispatcher tick. Checks in priority order: ``"rate_limit_cooldown"`` The task's most recent run ended with the ``rate_limited`` outcome (a worker bailed on a provider quota wall via the EX_TEMPFAIL sentinel) within ``_resolve_rate_limit_cooldown_seconds()``. The quota almost certainly hasn't reset yet, so defer the respawn until the cooldown elapses — then allow a cheap probe. This is checked BEFORE ``blocker_auth`` because the rate-limit requeue stamps a quota-flavored ``last_failure_error`` that would otherwise match the auth-blocker regex and park the task forever (the rate-limit path never increments ``consecutive_failures``, so the breaker can't free it). Once the cooldown elapses the task falls through and respawns. ``"blocker_auth"`` The task's last failure error matches a quota / authentication pattern. Retrying immediately is unlikely to help (rate limits reset on a timer; auth needs human action), so we defer to the next tick. The existing ``consecutive_failures`` counter still trips the auto-block circuit breaker after ``failure_limit`` consecutive failures, so a persistent auth error eventually blocks via the normal path — but a transient 429 gets a few ticks of recovery first. ``"recent_success"`` A completed run exists within ``_RESPAWN_GUARD_SUCCESS_WINDOW`` seconds. Useful work already succeeded for this task; wait for human review rather than immediately re-spawning. ``"active_pr"`` A GitHub PR URL appears in a recent task comment (within ``_RESPAWN_GUARD_PR_WINDOW`` seconds). A prior worker already opened a PR; re-spawning risks a duplicate PR on the same task. Stale / dead claim locks are NOT a guard reason — they are handled by ``release_stale_claims`` and ``detect_crashed_workers`` which reset the task to ``ready`` only after verifying the lock is genuinely dead (no live PID on this host). z1SELECT last_failure_error FROM tasks WHERE id = ?NzqSELECT outcome, ended_at FROM task_runs WHERE task_id = ? AND ended_at IS NOT NULL ORDER BY ended_at DESC LIMIT 1r+rrr*rate_limit_cooldownr blocker_authzVSELECT id FROM task_runs WHERE task_id = ? AND outcome = 'completed' AND ended_at >= ?recent_successzDSELECT body FROM task_comments WHERE task_id = ? AND created_at >= ?r active_pr) rKrr&rrA_RESPAWN_BLOCKER_REsearch_RESPAWN_GUARD_SUCCESS_WINDOW_RESPAWN_GUARD_PR_WINDOWr_RESPAWN_GUARD_PR_URL_RE) rMrrrO rl_cooldown latest_runr*errr pr_cutoffrs rcheck_respawn_guardr\s\ ,,;    hjj {t dikk  C788K )   hjj   y !^ 3 3 !  4j)  S3x==%8K$G$G(( t " #C "))#..~0 0F || H &hjj   ..I \\N )hjj V9 1886CC ;; 4r!c|d}|sdS ddlm}n#t$rYdSwxYw|D]}||drdSdS)uReturn True iff there is at least one ready+assigned+unclaimed task whose assignee maps to a real Hermes profile. Used by the gateway- and CLI-embedded dispatchers' health telemetry to decide whether ``0 spawned`` is a "stuck" condition (real spawnable work waiting) or a "correctly idle" condition (only control-plane lanes like ``orion-cc`` / ``orion-research`` waiting on terminals that pull tasks via ``claim_task`` directly). Falls back to "any ready+assigned" if ``profile_exists`` is not importable (e.g. partial install) — preserves the old behavior so the warning still fires in degraded environments. znSELECT DISTINCT assignee FROM tasks WHERE status = 'ready' AND assignee IS NOT NULL AND claim_lock IS NULLFrprofile_existsTrrKrr-r_rrMrVr_rs rhas_spawnable_readyrbPs << %  hjj  u6666666 tt >#j/ * * 44  54 AAc|d}|sdS ddlm}n#t$rYdSwxYw|D]}||drdSdS)u*Return True iff there is at least one review+assigned+unclaimed task whose assignee maps to a real Hermes profile. Mirror of :func:`has_spawnable_ready` for the review column — used by the health telemetry to decide whether the dispatcher should have spawned a review agent. zoSELECT DISTINCT assignee FROM tasks WHERE status = 'review' AND assignee IS NOT NULL AND claim_lock IS NULLFrr^Trr`ras rhas_spawnable_reviewreps << %  hjj  u6666666 tt >#j/ * * 44  5rc) spawn_fnr#rr max_spawnmax_in_progressrr!rdefault_assigneemax_in_progress_per_profilergrhrirjc tt} t|| _t ||| _t || _tt dg} | r| j | tt dg} | r| j | t|| _ t||| _d}|:t!|dd}|d}|F|rD|dd}||kr| S||z }|||kr|}d}t)| t r| dkr| nd}i}|6|d D] }t!|d ||d <!| pd pd}d }|r2 ddlm}t1||}n#t2$rd}YnwxYw|D]}| ||z|krn|d }|s|r|r|s t5|5|d||dft7||dd|dddddn #1swxYwYnT#t2$rGt8d||dd| j|dYwxYw|}| j |dn"| j|d ddlm}n#t2$rd}YnwxYw|-||s"| j!|df|A|"|d}||kr%| j#|d||ftI||d}|g| j%|d|f|sAt5|5t7||ddd|idddn #1swxYwY(|rE| j&|d|d f||r|"|ddz||<otO||d|}| tQ||}nT#t2$rG} tS||j*d| |}!|!r| j |j*Yd} ~ d} ~ wwxYwtW||j*tY|t[||j*|j.||nt^}" ddl0}# |#1|"}$d|$j2vr|"|tY||}%n|"|tY|}%n0#tfthf$r|"|tY|}%YnwxYw|%r#tk||j*t!|%| j&|j*|j6pd tY|f|dz }|-|j6r&|"|j6ddz||j6<V#t2$rQ} tS||j*tY| |}!|!r| j |j*Yd} ~ d} ~ wwxYw|d}&|&D]}| ||z|krn|d s!| j|d: ddlm}n#t2$rd}YnwxYw|2||d s!| j!|d|r*| j&|d|d d fto||d|}| tQ||}nT#t2$rG} tS||j*d| |}!|!r| j |j*Yd} ~ .d} ~ wwxYwtW||j*tY|t[||j*|j.dg|_8||nt^}" ddl0}# |#1|"}$d|$j2vr|"|tY||}%n|"|tY|}%n0#tfthf$r|"|tY|}%YnwxYw|%r#tk||j*t!|%| j&|j*|j6pd tY|f|dz }s#t2$rQ} tS||j*tY| |}!|!r| j |j*Yd} ~ d} ~ wwxYw| S) uRun one dispatcher tick. Steps: 1. Reclaim stale running tasks (TTL expired). 2. Reclaim stale running tasks (no recent heartbeat). 3. Reclaim crashed running tasks (host-local PID no longer alive). 3. Promote todo -> ready where all parents are done. 4. For each ready task with an assignee, atomically claim and call ``spawn_fn(task, workspace_path, board) -> Optional[int]``. The return value (if any) is recorded as ``worker_pid`` so subsequent ticks can detect crashes before the TTL expires. Spawn failures are counted per-task. After ``failure_limit`` consecutive failures the task is auto-blocked with the last error as its reason — prevents the dispatcher from thrashing forever on an unfixable task. ``max_spawn`` is a **live concurrency cap**, not a per-tick spawn budget: it counts tasks already in ``status='running'`` plus this tick's spawns against the limit. So ``max_spawn=4`` means "at most 4 workers running at any time across the whole board" — matching the gateway's stated intent ("limit concurrent kanban tasks"). With a per-tick interpretation a 60-second tick interval could grow concurrency by N every minute on a busy board and accumulate without bound. ``spawn_fn`` defaults to ``_default_spawn``. Tests pass a stub. ``board`` pins workspace/log/db resolution for this tick to a specific board. When omitted, the current-board resolution chain is used. )r!r6r7rGrNz3SELECT COUNT(*) FROM tasks WHERE status = 'running'zsSELECT id, assignee FROM tasks WHERE status = 'ready' AND claim_lock IS NULL ORDER BY priority DESC, created_at ASCzmSELECT assignee, COUNT(*) AS n FROM tasks WHERE status = 'running' AND assignee IS NOT NULL GROUP BY assigneer8rr*Fr^TzRUPDATE tasks SET assignee = ? WHERE id = ? AND (assignee IS NULL OR assignee = '')rrqzkanban.default_assignee)rr2z?kanban dispatch: failed to apply default_assignee=%r to task %s)exc_inforrr()r#rz workspace: rztSELECT id, assignee FROM tasks WHERE status = 'review' AND claim_lock IS NULL ORDER BY priority DESC, created_at ASCz sdlc-review)9rrrrr(rr5rrXrrrr rrrr&rKrrrr/r-r_rrrrGr rKrrrrr.rr\rrrrrJrrrGrgr_default_spawninspectr parameters TypeErrorr0rLrrr )'rMrfr#rrrgrhrr!rrirjr_crash_auto_blocked_crash_rate_limited running_count ready_rows in_progress remainingr_per_profile_cap_per_profile_runningprow_default_assignee_default_assignee_resolved_per row_assigneer_rc guard_reasonr workspacerauto_spawnrnsigrW review_rowss' r dispatch_oncers X   F+D11F' $9FL,D11FN" 4b8""#6777" 4b8""#6777*400F%d-HHHFOM LLE  hjj    1hjj "z"ll A  (**Q  / ) )M#k1   I 5 5!IG .44 '! + +32 ,.#LL    D DD 69c^^ j!1 2 2*/R6688@D!& . . A A A A A A)-cc2C.D.D)E)E & & . . . *. & & &  .i7i7  ]W%< %I%I E: * ! %? !!&t__   LL!J!2CI > * $c$i0A.G!"!"               %!!! )-s4y4# 188TCCC ! 1 ,33CI>>>>)00T;;; " : : : : : : : " " "!NNN "  %nn\.J.J %  ' . .s4y 9 9 9   '*..|Q??G***188Y g6+4T;;  #  " ) )3t9l*C D D D t__!c$i):!<0    N ! !3t9lB"? @ @ @  + +(,,\1==A%\2 T3t9+FFF ?  )'???II   (gj"5"5"5+D 7#**7:666 HHHH  4S^^<<<gj'2HIII%1~% 7 NNN 6''//cn,, &#i..FFFCC &#i..99Cz* 6 6 6fWc)nn55 6 <gj#c((;;; N ! !7:w/?/E2s9~~"V W W W qLG +0@+(,,W-=qAAAE%W%56 7 7 7(gj#c((+D 7#**7:666  7",, 1hjj  ;7;7  ]W%< %I%I E:   % , ,SY 7 7 7  " : : : : : : : " " "!NNN "  %nnS_.M.M %  ' . .s4y 9 9 9    N ! !3t9c*or"B C C C #D#d)MMM ?  )'???II   (gj"5"5"5+D 7#**7:666 HHHH  4S^^<<<gj'2HIII (%1~ 7 NNN 6''//cn,, &#i..FFFCC &#i..99Cz* 6 6 6fWc)nn55 6 <gj#c((;;; N ! !7:w/?/E2s9~~"V W W W qLGG 7 7 7(gj#c((+D 7#**7:666  7 Ms-H-- H<;H<$K3:J9- K9J= =KJ= KALLM&& M54M55QQ #Q S T0)f?*d,)f+d,,A#f g,Ag''g,minimumvaluer rcj t|}n#ttf$r|cYSwxYw||kr|n|Sr)r&rpr0)rrCrr3s r _positive_intrsQU z "w&&66G3s (( kanban_cfgtuple[int, int]c0|9 ddlm}|dpi}n#t$ri}YnwxYwt |pidt d}t |pidt d}||fS) a,Return ``(rotate_bytes, backup_count)`` for worker log rotation. Defaults preserve the historical behavior: rotate at 2 MiB and keep one backup generation (``.log.1``). Operators with long-running workers can raise either value from ``config.yaml`` without changing dispatcher code. Nr) load_configr]worker_log_rotate_bytesr(rworker_log_backup_count)hermes_cli.configrr.rrDEFAULT_LOG_ROTATE_BYTESDEFAULT_LOG_BACKUP_COUNT)rr max_bytes backup_counts rworker_log_rotation_configrs  5 5 5 5 5 5%+--++H55;JJ   JJJ   r899 I !  r899 L l ""s %* 99log_path generationcB||jd|zS)Nr) with_suffixr)rrs r_rotated_log_pathr2s&   2Bj2B2B B C CCr!rrc |sdS|j|krdSt|td}|dkr|dSt ||} |r|n#t$rYnwxYwt|dz ddD]^}t ||}|s' | t ||dzO#t$rY[wxYw| t |ddS#t$rYdSwxYw)aRotate ```` when it exceeds ``max_bytes``. ``backup_count=1`` preserves the legacy single-generation behavior: ```` moves to ``.1`` and any previous ``.1`` is replaced. Higher values shift older generations up to ``backup_count``. Nrrr(r9) rkrzr{rrrrrmrDr)rrroldestrsrcs r_rotate_worker_logr6s     F ==?? "i / / F$  $   1   OO    F"8\:: }}      D  q 0!R88  J#Hj99C::<<   ,XzA~FFGGGG    )(A6677777      siE E 1E *E ;(B$#E $ B1.E 0B11>E 0&DE  D$!E #D$$&E EEc tjddgS)z3Return the interpreter-bound Hermes CLI invocation.-mzhermes_cli.main)r executabler`r!r_module_hermes_argvras ND"3 44r!ctj|}tj|r|ntj|S)z>Return an absolute filesystem path for a resolved Hermes shim.)r,r~rXisabsabspath)r~expandeds r_absolute_hermes_pathrisBw!!$''Hw}}X.. M88BGOOH4M4MMr!cLtj|}|dpptj|pQt tj|p%d|vp!t tjd|S)zDReturn true when a command override is an explicit path, not a name.~\z ^[A-Za-z]:) r,r~rXr}rrdirnamer,rQ)rrs r_looks_like_pathrosw!!%((HC   3 7== " " 3 )) * * 3 8  3 11 2 2 r!cP|dS)zEReturn true for Windows shell/batch shims that should not be argv[0].)z.cmdz.bat)rOendswithras r_is_windows_batch_shimr{s ::<< !1 2 22r!commandctr%tjdrgStjdpd}d|dD}fd|DS)z:Return executable names to try for an unqualified command.r(PATHEXTz.COM;.EXE;.BAT;.CMDcg|]}||Sr`r`)rexts rrz&_path_search_names..s 1 1 1CS 1C 1 1 1r!;cg|]}|zSr`r`)rrrs rrz&_path_search_names..s * * *cGcM * * *r!)rUr,r~splitextr-r.r)rr2extss` r_path_search_namesrs "'**733A6y *.. # # <'> 1 1 1D * * * *T * * **r!ctjdd}|tjD]}|r|dkr tj|}t|D]n}tj||}tj |sBtstj |tj r|ccSodS)aZResolve a bare command from PATH without implicit current-dir search. ``shutil.which`` follows platform search behavior. On Windows that can include the current directory before PATH for bare names, which is not a safe dispatcher primitive. This resolver only considers explicit PATH entries and skips empty / ``.`` entries. PATHr*rN) r,r-r.rpathsepr~rXrrisfilerUaccessX_OK)rpath_envraw_dir directoryrrs r_safe_which_no_cwdrsz~~fb))H>>"*-- ! ! 'S.. G&&w// &w// ! !D Y55I7>>),,  !bi 27;; !       !  ! 4r!cjtrt|rtSt|gS)a4Return argv for a resolved Hermes executable path. Windows batch shims (`.cmd` / `.bat`) are not safe as argv[0] for worker launches because the argument vector includes task-derived values. Prefer the interpreter-bound module form whenever the resolved executable is only a shell shim. )rUrrrras r_hermes_path_argvrs9%-d33%"$$$ !$ ' ' ((r!cddl}tjdd}|rLt |rt |St|}|rt |StStrtdn|j d}|rt |StS)uResolve the ``hermes`` invocation as argv parts for ``Popen``. Tries in order: 1. ``$HERMES_BIN`` — explicit operator override. Path-like values are normalized to absolute paths; bare command names keep normal PATH semantics and never prefer a same-directory file before ``PATH``. 2. ``shutil.which("hermes")`` — the console-script shim, normalized to an absolute path. On Windows, ``which`` can return a relative ``.\hermes.CMD`` when the current directory is on ``PATH``; directly launching batch shims is also unsafe with task-derived argv. The dispatcher therefore falls back to the interpreter-bound module form for implicit ``.cmd`` / ``.bat`` shims. 3. ``sys.executable -m hermes_cli.main`` — fallback for setups where Hermes is launched from a venv and the ``hermes`` shim is not on the dispatcher's ``$PATH`` (cron, systemd ``User=`` services, launchd jobs, detached processes, etc.). Goes through the running interpreter so the result is independent of ``$PATH``. Mirrors ``gateway.run._resolve_hermes_bin`` for the same reason. Kept local (not imported from gateway) because ``hermes_cli`` sits below ``gateway`` in the dependency order. rN HERMES_BINr*hermes) rr,r-r.r/rrrrrUwhich)renv_binresolved_env_bin hermes_bins r_resolve_hermes_argvrs0MMMjnn\2..4466G% G $ $ .$W-- --g66  7$%566 6"$$$1<X#H---,&,xBXBXJ- ,,,   r! hermes_homecPddlm}|r ||n|dz }|dz }|sdS|dz dz dz rd S |d D]}|rd Sn#t $rYnwxYwdS) uTrue if the bundled ``kanban-worker`` skill resolves for the home the spawned worker will run under. The dispatcher injects ``--skills kanban-worker`` into every worker. When the worker activates a profile (``hermes -p ``), its ``SKILLS_DIR`` becomes ``/skills`` — which on many profiles does NOT contain the bundled skill (it ships in the *default* root home, not every profile-scoped skills dir). Preloading a missing skill is fatal at CLI startup (``ValueError: Unknown skill(s): kanban-worker``), aborting the worker before the agent loop runs. Gate the flag on actual resolvability; the kanban lifecycle contract is still injected via ``KANBAN_GUIDANCE``, so omitting the flag only drops the supplementary pattern library. rrz.hermesr Fdevops kanban-workerzSKILL.mdTzkanban-worker/SKILL.md)pathlibr rArrrglobrm)r_Pathbase skills_rootskill_mds r_kanban_worker_skill_availablers&%%%%%"- L55   5::<<)3KD/K     u h0:=FFHHt #))*BCC  H!! tt        5s&,BB B#"B#current_timeoutcd|dS t|}n#ttf$rYdSwxYw|dkrdStd|tz } |r.tt |nd}n#ttf$rd}YnwxYw||krdSt |S)akReturn a worker-scoped TERMINAL_TIMEOUT override, if needed. Kanban's ``max_runtime_seconds`` bounds the whole worker attempt. The terminal tool has its own default timeout via ``TERMINAL_TIMEOUT``; when the worker runtime is longer, raise only the child process default so a long command is not killed by the generic terminal default first. Nrr()r&rpr0r+%KANBAN_TERMINAL_TIMEOUT_GRACE_SECONDSrGr/)rrruntimedesiredrs r_worker_terminal_timeout_envrs"t)** z "tt!||t!WDDEEG8GN3s?++1133444Q z "7t w<<s++2BBBrc ddl}|jstd|jdddlm}||j}d|j}t tj}ddlm } |||d<n#t$rYnwxYw|j r |j |d <|j|d <||d <|j r |j |d <|j t|j |d <|jr |j|d<|jr0d|d<|j$tt%|j|d<t'|j|d} | | |d<t'|j|d} | | |d<tt-||d<tt/||d<t1|p t3} | |d<||d<gt5d|d} t7|dr| ddg|jr)|jD]!} | r| dkr| d| g"|jr| d|jg| dd|gt?|}| d d !||jd"z }tC\}}tE|||tG|d#} |j$| tj%&|r|nd|j'||j(|d tRr|j*nd$}n1#t$r$|+tYd%wxYw|j-S)&a|Fire-and-forget ``hermes -p chat -q ...`` subprocess. Returns the spawned child's PID so the dispatcher can detect crashes before the claim TTL expires. The child's completion is still observed via the ``complete`` / ``block`` transitions the worker writes itself; the PID check is a safety net for crashes, OOM kills, and Ctrl+C. ``board`` pins the child's kanban context to that board: the child's ``HERMES_KANBAN_DB`` / ``HERMES_KANBAN_BOARD`` / workspaces_root env vars all resolve to the same board the dispatcher claimed the task from. Workers cannot accidentally see other boards. rNrvz has no assigneer+zwork kanban task )resolve_profile_env HERMES_HOME HERMES_TENANTHERMES_KANBAN_TASKHERMES_KANBAN_WORKSPACEHERMES_KANBAN_BRANCHHERMES_KANBAN_RUN_IDHERMES_KANBAN_CLAIM_LOCKrUHERMES_KANBAN_GOAL_MODEHERMES_KANBAN_GOAL_MAX_TURNSTERMINAL_TIMEOUTTERMINAL_MAX_FOREGROUND_TIMEOUTrrrrfHERMES_PROFILErz--accept-hooksz--skillsrrchatz-qTrw.logab)rstdinrXrrqstart_new_session creationflagszv`hermes` executable not found on PATH. Install Hermes Agent or activate its venv before running the kanban dispatcher.).rVrr0rr-r,rr,r-rrrrr rGrrrr&rrr.rrrSrtrrrr r rr|rrrTPopenr~isdirrSTDOUTrUCREATE_NO_WINDOWr^rIrW)rrrrVr, profile_argpromptrqrterminal_timeoutforeground_timeoutresolved_boardcmdsklog_dirr rotate_bytesrlog_frs rrmrms|$ =<::::;;;::::::((77K * * *F rz  C877777 00==M       {+#{O $C%.C!" 7&*&6 "# &&)$*=&>&> "# :*./ &' ~P), %&   *25c$:M6N6N2O2OC. /3   "###"2 5   122%1C -.".u"="="=>>C+.U/K/K/K+L+LC'(+511H5F5H5HN!/C (C          C.&cggm&<&<==2 J0111 {-+ - -B -bO++ J+,,, 0 D$-.///JJ fE***G MM$M...DG))))H!;!=!=L,x|<<< 4 E z W]]955? 4$$"9DK*55!          ^     8Os$A33 B?BAM.NgN@)intervalrgr stop_eventon_tickrfloatcddl}ddl}|jfd}|j|jurGdD]D}t ||d} | / || |-#t tf$rY@wxYwEs tj t5} t| ||} dddn #1swxYwY| || n#t$rYnwxYwn(#t$rddl} | YnwxYw|dSdS)aORun the dispatcher in a loop until interrupted. Calls :func:`dispatch_once` every ``interval`` seconds. Exits cleanly on SIGINT / SIGTERM so ``hermes kanban daemon`` is systemd-friendly. ``stop_event`` (a :class:`threading.Event`) and ``on_tick`` (a callable receiving the :class:`DispatchResult`) are test hooks. rNc0dSrr.)_signum_framers r_handlezrun_daemon.._handlesr!)SIGINTr )rgr)rH)r  threadingr=current_thread main_threadrXr0rmis_setrrrJrr traceback print_excwait) rrgrrrr r r sig_namerrMresrs ` r run_daemonrs2MMM$Y_&&   y!!%:Y%:%<%<<<-  H&(D11CMM#w////"G,D !!* "#GII.. $#'"/                "GCLLLL D " " "        ! ! ! ! ! " )))#!!*****slA--BB D:C DCD C!D' C32D3 D=D?DD"D)(D)c t||}|std|tfdNd}g}|d |jd |j|d |d |jpd |d|j|jr|d|j|d|j d|j pd|j t|j tjd}|ptjd}|d|j d|r|d|d|jr|d|j|d |jrl|jrS|d|||jt&|d t)||}|r|d|d|D]n}|jrt-d|jdzdznd} | rd| d nd } |jr d|jnd } |d!|jd"| | d#|jd"o|d d$t5||D} t7| t8kr-t7| t8z } | t8 d}| dz}nd} | }d}|r|d%| r4|d&| d'| dkrdnd d(t7|d)t;|D]e\}}||z}t=jd*t=j |j!}|j"pd+}|j#p|j}|d,|d-|d.|d|d/ |j$r<|j$r#|||j$|j%r?|j%r&|d0||j%|j&rP tOj(|j&d1d23}|d4||d"n#tR$rYnwxYw|d g|*d5|f+}d6|D}|rd1}|D]}t||}|r |jd7kr!d8t5||D}|,d9d2:|r|dnd}|s|d;d2}|d<|g}|D|j$r=|j$r$|||j$n@|j-r$|||j-n|d=|W|j&rP tOj(|j&d1d23}|d4||d"n#tR$rYnwxYw|.||d |jr|*d>|j|f+}|r|d?|j|D]}t=jd*t=j t_|d@}|dApd 0} | r| dddBndC}!|dD|dEd-|dFd.|dG|!|d tc||}"t7|"tdkr(t7|"tdz }#|"td d}$nd}#|"}$|$r|dH|#r4|d&|#dI|#dkrdnd d(t7|$d)|$D]}%t=jd*t=j |%j3}|%j4pd 5d"d }&|dJ|&dK|dL|||%jtl|d dM7|8dMzS)Oa2Return the full text a worker should read to understand its task. Order: 1. Task title (mandatory). 2. Task body (optional opening post, capped at 8 KB). 3. Prior attempts on THIS task (most recent ``_CTX_MAX_PRIOR_ATTEMPTS`` shown; older attempts collapsed into a one-line summary). Each attempt's ``summary`` / ``error`` / ``metadata`` capped at ``_CTX_MAX_FIELD_BYTES`` each. 4. Structured handoff results of every done parent task. Prefers ``run.summary`` / ``run.metadata`` when the parent was executed via a run; falls back to ``task.result`` for older data. Same per-field cap. 5. Cross-task role history for the assignee (most recent 5 completed runs on other tasks). 6. Comment thread (most recent ``_CTX_MAX_COMMENTS`` shown, older collapsed). All caps exist so worker prompts stay bounded even on pathological boards (retry-heavy tasks, comment storms). The per-field char cap prevents a single 1 MB summary from dominating context. rrRrMrgr&r%rGc|sdS|}t||kr|S|d|dt||z dzS)z;Truncate a string to `limit` chars with a visible ellipsis.r*Nu… [truncated, z chars omitted])r/rp)rRrgs r_capz"build_worker_context.._capsY 2 GGII q66U??H%yMc!ffunMMMMMr!z# Kanban task rr*z Assignee: z (unassigned)z Status: z Tenant: z Workspace: z @ z (unresolved)Nrz Max runtime: zTerminal timeout: z Branch: z## Bodyz## Attachmentsz`Files attached to this task. Read them with the file/terminal tools at the absolute paths below:r(iirrz KBz- ``u → `c g|] }|j | Sr)r*r;s rrz(build_worker_context..YsOOOq 8N8N8N8Nr!z## Prior attempts on this taskz_(z earlier attemptz omitted; showing most recent z)_z%Y-%m-%d %H:%Mz (unknown)z ### Attempt u — rrz _error_: FT)r sort_keysz _metadata_: `rcg|] }|d Srr`r;s rrz(build_worker_context..s666Q!K.666r!rc(g|]}|jdk |S)r')r+r;s rrz(build_worker_context..s$PPP!qyK7O7OA7O7O7Or!c|jSr)r)r<s rrz&build_worker_context..sALr!)rreversez## Parent task resultsz### z(no result recorded)zSELECT t.id, t.title, r.summary, r.ended_at FROM task_runs r JOIN tasks t ON r.task_id = t.id WHERE r.profile = ? AND r.task_id != ? AND r.outcome = 'completed' ORDER BY r.ended_at DESC LIMIT 5z## Recent work by @r*r,r#z (no summary)z- rrz): z## Comment threadz earlier commentzcomment from worker `z` at r$rz)rRrMrgr&r%rG)9rcr0_CTX_MAX_FIELD_BYTESrrrrrrrrrrr,r-r.rrr/_CTX_MAX_BODY_BYTESrr:r+r9r7r8 list_runsrp_CTX_MAX_PRIOR_ATTEMPTSrrstrftime localtimerr(r+r,r/r.rrrrKrsortrrr&r3r_CTX_MAX_COMMENTSrr4r_CTX_MAX_COMMENT_BYTESrrstrip)'rMrrrlinesreffective_terminal_timeoutrrsize_kbsize_strctype all_prioromittedshownfirst_shown_idxrfrWrrr(r+meta_str parent_rowsr wrote_headerrWptruns body_lines role_rowsrrRfirst all_comments omitted_cshown_cr safe_authors' rbuild_worker_contextr>s . D' " "D 4222333,@NNNNNE LL9$'99TZ99::: LL LL?dm=~??@@@ LL+dk++,,, {1 /$+//000 LL^t2^^t7J7\n^^___ +7  $ JNN- . .  &6%[HZ9[9[" @T%=@@@AAA % M LLK.HKKK L L L 6 4$"244555 LL yTY__&& Y TT$)%899::: R#411K  %&&&  1    Y YC;>8Jc!cho$6777G,3;(G((((H/2/?G+)+++RE LLWs|WWeWXWWS_WWW X X X X RPOIdG44OOOI 9~~///i..#::22334!A+  5666   LL?W??W\\ccr??03E ???   %U++  KFC!F*C/1O1OPPBk0[Gk/SZG LLMMM'MMWMMMMM N N N{ 0s{0022 0 TT#+..///y t}>> ? ? ?  R R]$dnSZ5I5I&J&J^)r0022==??&';!TcT ^ P#d)PP#g,PP"PPPPQQQQ LL    !w//L <,,, %%(99  11223  ()))   LLAYAAyA~~2AA03G AAA     A/ 1M1MNNB8>r223;;K LLHHH2HHH I I I LLaf&<== > > > LL     99U   " " $ $t ++s$7>S66 TT;>Z:: [[ci}|dD] }t|d||d<!i}|dD]:}t|d||di|d<;|d}tt j}|r |d|t|dz nd}||||d S) zPer-status + per-assignee counts, plus the oldest ``ready`` age in seconds (the clearest staleness signal for a router or HUD). zRSELECT status, COUNT(*) AS n FROM tasks WHERE status != 'archived' GROUP BY statusr8rSELECT assignee, status, COUNT(*) AS n FROM tasks WHERE status != 'archived' AND assignee IS NOT NULL GROUP BY assignee, statusrz>SELECT MIN(created_at) AS ts FROM tasks WHERE status = 'ready'rN) by_status by_assigneeoldest_ready_age_secondsrO)rKr& setdefaultrr)rMrArrB oldest_rowrOoldest_ready_ages r board_statsrGs0!#I|| 511$'s3x== #h-  -/K|| $SS FIS]] s:33CMBBHhjj dikk  C  A$T*6 s:d#$$ $ $<@ "$4   r!c|dSt|tr|St|trt|St|}|sdS t|S#t $rYnwxYw ddlm}||dd}t| S#t tf$rYdSwxYw)zNormalise a timestamp to unix epoch seconds. Accepts ints (pass-through), numeric strings, and ISO-8601 strings. Returns ``None`` for ``None`` / empty values. Nr)datetimerz+00:00) rr&rrGr/r0rI fromisoformatr timestamprm)rsrRrIdts r _to_epochrMs   {t#s #u3xx CA t 1vv      %%%%%%  # #AIIc8$<$< = =2<<>>"""  tts%&A55 BBACC+*C+cttj}t|j}t|j}t|j}|||z nd}|||z nd}|||p|z nd}|||dS)zEReturn age metrics for a single task. All values are seconds or None.N)created_age_secondsstarted_age_secondstime_to_complete_seconds)r&rrMrrr)rrOrr_coage_since_createdage_since_startedtime_to_completes rtask_agerV$s dikk  C 4? # #B 4? # #B D% & &C$&Nb$&NbOrxR 10$4  r!) thread_iduser_idrrchat_idrWrXrc ttj}t|5|d||||pd|||f|r|d|||||pdfddddS#1swxYwYdS)zRegister a gateway source that wants terminal-state notifications for ``task_id``. Idempotent on (task, platform, chat, thread).z INSERT OR IGNORE INTO kanban_notify_subs (task_id, platform, chat_id, thread_id, user_id, notifier_profile, created_at) VALUES (?, ?, ?, ?, ?, ?, ?) r*a UPDATE kanban_notify_subs SET notifier_profile = ? WHERE task_id = ? AND platform = ? AND chat_id = ? AND thread_id = ? AND (notifier_profile IS NULL OR notifier_profile = '') N)r&rrrK)rMrrrYrWrXrrOs radd_notify_subr[:s dikk  C 4   hb'CSUX Y       LL "7HgyBO   s?A<<BBc|*|d|f}n'|d}d|DS)Nz2SELECT * FROM kanban_notify_subs WHERE task_id = ?z SELECT * FROM kanban_notify_subsc,g|]}t|Sr`)rr;s rrz$list_notify_subs..gs " " "DGG " " "r!rrs rlist_notify_subsr^^sf|| @7*  (** ||>??HHJJ " "T " " ""r!)rWct|5|d||||pdf}dddn #1swxYwY|jdkS)NzcDELETE FROM kanban_notify_subs WHERE task_id = ? AND platform = ? AND chat_id = ? AND thread_id = ?r*r)rrKr)rMrrrYrWrs rremove_notify_subr`js 4  ll A hb 9                  last_event_id`` are returned. The subscription's cursor is NOT advanced here; call :func:`advance_notify_cursor` after the gateway has successfully delivered the notifications. qSELECT last_event_id FROM kanban_notify_subs WHERE task_id = ? AND platform = ? AND chat_id = ? AND thread_id = ?r*Nrrz7SELECT * FROM task_events WHERE task_id = ? AND id > ? z AND kind IN (r5r9z) zORDER BY id ASCr?rrr>rr@r)rKrr&rrrprrrrrrr=rr+)rMrrrYrWrarcursor kind_listqrnrVrmax_idr<r?s runseen_events_for_subri{s ,, O (GY_"5  hjj   {"u _% & &F$.U $IAFO W?SXXcC NN&:;; ;d B BUW Y   !&)F! i   <<6 " " + + - -DC F  + + 23I,Hdj9...DGG   GGG  5w) 1V9,(0AFFHH(<(<8AXC( $$$^b      VS4\\** 3;s$D DDtuple[int, int, list[Event]]c t|5|d||||pdf}|ddgfcdddSt|d}t ||||||\}} | s||gfcdddS|dt|||||pdt|f||| fcdddS#1swxYwYdS)aAtomically claim unseen notification events for one subscription. Returns ``(old_cursor, new_cursor, events)``. When events are returned, ``kanban_notify_subs.last_event_id`` has already been advanced to ``new_cursor`` inside a ``BEGIN IMMEDIATE`` transaction. That makes the notifier's read/claim step single-owner across multiple gateway watcher processes pointed at the same board DB: concurrent watchers serialize on SQLite's writer lock, and only the first process sees and claims a given event range. Callers should send the claimed events, then either leave the cursor at ``new_cursor`` on success or call :func:`rewind_notify_cursor` if delivery failed before any terminal unsubscribe removed the row. rdr*Nrr)rrrYrWraUPDATE kanban_notify_subs SET last_event_id = ? WHERE task_id = ? AND platform = ? AND chat_id = ? AND thread_id = ? AND last_event_id = ?)rrKrr&ri) rMrrrYrWrar old_cursor new_cursoreventss rclaim_unseen_events_for_subrps. 4..ll S hb 9   (** ;a8........_-.. 2      F .z2-%........&  $__gx)/r3z?? [    :v-3..................s5C3C>  q Y[[- -FG __   yy{{ qvvxx0699 1     H  NsA B!! B.-B.c.t||dz S)uRReturn the path to a worker's log file. The file may not exist (task never spawned, or log already GC'd). When ``board`` is None, resolves via the active board (env var → current-board file → default). The dispatcher always passes the board explicitly to avoid any resolution ambiguity when multiple boards exist.rr)rrs rworker_log_pathr}>s#  ' ' 'W*:*:*: ::r!) tail_bytesrr~ct||}|sdS ||ddS|j}t |d5}||kr|||z |}|}| ds-||kr||| }dddn #1swxYwY| ddS#t$rYdSwxYw) zRead the worker log for ``task_id``. Returns None if the file doesn't exist. If ``tail_bytes`` is set, only the last N bytes are returned (useful for the dashboard drawer which shouldn't page megabytes).rNrgr)rierrorsrw )r) r}rkrlrzr{rTrWtellreadlinerr|decoderm) rr~rr~r:rrrpartialrds rread_worker_logrIsz 7% 0 0 0D ;;==t  >>79>EE Eyy{{" $   j  tj())) **,,''.."16688t3C3CFF5MMM6688D               {{79{555 tts<D6)D6+BD D6DD6DD66 EEc ddlm}|}|dz }n#t$rgcYSwxYwt}|r|d|r| t|D]H}|s|dz r||j In#t$rYnwxYwt|S)aReturn the set of assignee/profile names discovered on disk. Includes: - named profiles under ``/profiles//config.yaml`` - the implicit ``default`` profile when the default Hermes root exists Reads profile paths directly so this module has no import dependency on ``hermes_cli.profiles`` (which pulls in a large chunk of the CLI startup path). rrVprofilesrCz config.yaml) rYrWrrIrkrrrrrrrm)rW default_root profiles_dirnamesrCs rlist_profiles_on_diskrls:<<<<<<..00 #j0  eeE )  4 4 6 677 * *||~~M)2244*IIej)))  *     D  %==s ''6A*C!! C.-C.c`tti|dD]:}t|d|di|d<;t tz}fd|DS)aReturn every assignee name known to the board or on disk. Each entry is ``{"name": str, "on_disk": bool, "counts": {status: n}}``. A name is included when it's a configured profile on disk OR when any non-archived task has it as the assignee. Used by: - ``hermes kanban assignees`` for the terminal. - The dashboard assignee dropdown (so a fresh profile appears in the picker even before it's been given any task). - Router-profile heuristics ("who's overloaded?") without scanning the whole board. r@r8rrcHg|]}||v|idS))ron_diskcounts)r.)rrrrs rrz#known_assignees..sM     wjjr**     r!)rIrrKr&rDrr)rMrrrrs @@rknown_assigneesrs'))**G)+F|| $NN ADCH #j/2..s8}== 7S/// 0 0E          r!)include_active state_type state_namerrr list[Run]c&|du|duz rtd||dvrtdd}|g}|s|dz }||d|dz }|||d z }|||}d |DS) aReturn all runs for ``task_id`` in start order. ``include_active=True`` (default) includes the currently-running attempt if any. Set False to return only closed runs (useful for "how many prior attempts have there been?" checks). When ``state_type`` and ``state_name`` are set, restrict to rows where that column equals ``state_name`` (``state_type`` is ``status`` or ``outcome``). Both must be passed together. Nz:state_type and state_name must both be set or both omitted)rr+z(state_type must be 'status' or 'outcome'z)SELECT * FROM task_runs WHERE task_id = ?z AND ended_at IS NOT NULLz AND z = ?z ORDER BY started_at ASC, id ASCcBg|]}t|Sr`)r'rr;s rrzlist_runs..s" * * *CLLOO * * *r!)r0rrKr)rMrrrrrgrnrVs rr!r!s$ dzT12WUVVV 2 2 2GHH H3A F ) (( %Z % % %% j!!! ++A <<6 " " + + - -D * *T * * **r! Optional[Run]c|dt|f}|rt|ndS)Nz$SELECT * FROM task_runs WHERE id = ?)rKr&rr'r)rMr@rs rget_runrsL ,,.V  hjj!$ -3<<   -r!c|d|f}|rt|ndS)zDReturn the most recent run regardless of outcome (active or closed).zSSELECT * FROM task_runs WHERE task_id = ? ORDER BY started_at DESC, id DESC LIMIT 1N)rKrr'rrbs rrYrYsK ,, 4    hjj  !$ -3<<   -r!cl|d|f}|r|dndS)ubReturn the latest non-null ``task_runs.summary`` for ``task_id``. The kanban-worker skill writes its handoff to ``task_runs.summary`` via ``complete_task(summary=...)``; ``tasks.result`` is left empty unless the caller passes ``result=`` explicitly. Dashboards and CLI "show" views need this value to surface what a worker actually did — without it, ``tasks.result`` is NULL and the task looks like a no-op even when the run completed. Picks the most recent run by ``ended_at`` (falling back to ``id`` for ties or unfinished rows). Returns None if no run has a summary. zSELECT summary FROM task_runs WHERE task_id = ? AND summary IS NOT NULL AND summary != '' ORDER BY COALESCE(ended_at, started_at) DESC, id DESC LIMIT 1r,N)rKrrbs rlatest_summaryrsG ,, H     hjj  ! *3y>>d*r!task_idsct|}|siSdd|D}|d|d|}d|DS)uBatch-fetch latest non-null summaries for a list of task ids. Used by the dashboard board endpoint to attach ``latest_summary`` to every card in a single SQL query, avoiding the N+1 pattern of calling :func:`latest_summary` per task. Returns a dict mapping ``task_id`` → summary string, omitting tasks with no summary. Approach: a window function picks the newest non-null-summary row per ``task_id``; works against SQLite ≥ 3.25 (default on every supported platform). r5c3K|]}dVdS)r9Nr`rs rr z#latest_summaries..s"--AC------r!aD SELECT task_id, summary FROM ( SELECT task_id, summary, ROW_NUMBER() OVER ( PARTITION BY task_id ORDER BY COALESCE(ended_at, started_at) DESC, id DESC ) AS rn FROM task_runs WHERE task_id IN (zZ) AND summary IS NOT NULL AND summary != '' ) WHERE rn = 1 c,i|]}|d|dS)rr,r`r;s rrz$latest_summaries..!s" 5 5 51AiL!I, 5 5 5r!)rrrKr)rMridsr_rVs rlatest_summariesrs x..C  88-------L << !-    hjj  6 5 5 5 55r!r)r#r$r%r&)r%r&)rFrG)rFrMr%rM)r%r )r%rG)rFrGr%r )r%r)rrMr%r )rrMr%r)rrGrrMr%r )rFrGr%rG)rrMr%r)rrMrrMrrMrrMrrMrrrrMr%r)rFrGrrMrrMrrMrrMrrMr%r)rrr%r)rFrGrrr%r)r~r r%rE)r~r )rdrerfr&r%r)r~r r%r)r~r r%r)rrrrMr%rE)rrrrM)rrrrMr%r ) rMrErrGrrGrrGr%r)rMrEr%r)rMrErrGr%r)rMrE)rrMr%rM),rMrErrGrrMrrMrrMrrGrrMrrMrrMrr&rxr0rrrrMrr$r r1rr$rrrr$r/rGrrMrrMr%rG)rMrErxr0r%rY)rMrErrGr%r`)rMrErrMrrMrrMrrMrrrgr$rhrMr rMr rMr%ri)rMrErrGr(rMr%r)rMrErsrGrtrGr%r)rMrErsrGrtrGr%r)rMrErrGr%rY)rMrErrGr%r) rMrErrGr4rGrrGr%r&)rMrErrGr%r)rMrErrGr7rGr8rGr9rMr:r&r;rMr%r&)rMrErrGr%r)rMrErr&r%r)rMrErrGr%r) rMrErrGr>rGr?r-r@r$r%r)rMrErrGr+rGr,rMr/rMr.r-rrMr%r$)rMrErrGr%r$)rMrErrGr+rGr,rMr/rMr.r-r%r&)rMrErrGr%r)rMrErr&r%r&) rMrErrGr#r$rrMr%r`) rMrErrGr#r$rrMr%r)rMrEr%r&)rMrErrGrrMr%r) rMrErrGr(rMrrrrMr%r)rMrErrGrr0r%r)rMrErrGr%rY)rMrErrGrrMr,rMr.r-rr1r r$r%r)rr r%r)rMrErrGr%r)r%r)rMrErrGrrMr%r) rMrErrGrrGr,rMr.r-r%r) rMrErrGrrMr r$r%r)rMrErrGrsrGrrMrqrrrrr%rt)rMrErrGrrMrrMrrMr4rMr%r)rMrErrGrrMrrr4rMrrr%r)rrrrMr%r )rMrErrGr~rr%r)rWr&rr&r%r)rWr&r%r)r%r)rWr$r%r)rWr$rrMr%r) rMrErrGrrMr r$r%r)rMrEr%rY)rMrEr!r&r%rY)r)rGr%rG)rMrErrGr/rGr+rGrr&rrrrrr-r%r) rMrErrGr/rGrr&r%r)rMrErrGrWr&r%r)rMrErrGr%rM)rMrEr%r)rMrEr#r$rrrrgr$rhr$rr&r!r&rrMrirMrjr$r%r)rr rCr&rr&r%r&)rr-r%r)rr rr&r%r )rr rr&rr&r%r)r%rY)r~rGr%rG)rrGr%r)r~rGr%r)rrGr%rY)rrGr%rM)r~rGr%rY)rrMr%r)rr$rrMr%rM)rrrrGrrMr%r$)rrrgr$rr&r%r)rMrErrGr%rG)rMrEr%r)r%r$)rrr%r)rMrErrGrrGrYrGrWrMrXrMrrMr%r)rMrErrMr%r) rMrErrGrrGrYrGrWrMr%r)rMrErrGrrGrYrGrWrMrar1r%rb)rMrErrGrrGrYrGrWrMrar1r%rj)rMrErrGrrGrYrGrWrMrnr&r%r)rMrErrGrrGrYrGrWrMrsr&rmr&r%r)rMrErvr&r%r&)rvr&rrMr%r&)rrGr~r$rrMr%rM)rMrEr%r) rMrErrGrrrrMrrMr%r)rMrEr@r&r%r)rMrErrGr%r)rMrErr0r%re)r# __future__rrrrr,r,rrrIrVrr loggingr contextvarsrr dataclassesrrrr typingr r r toolsetsr getLoggerr r rlr@rA frozensetrCrrUr1rr4r:rr<rAr"r&rr r'rnrEr$contextmanagerrLcompilerPrSr[rardrtrrrrjrrrrrrrrrrrrrr'r3r6r=rrIrRLockrr~rCrDrNrcrurrIrrrrJrrrrr rrrrr!r)r.rXrErcrfrorrr|rzrrrrrrrrrrrrGrrrrrrrrrrrrrrr0rr;rDr5rJrMr[rfr\r^rbrgrlrpr{rrrrrrrrrrDEFAULT_SPAWN_FAILURE_LIMITrrr IGNORECASErSrUr@rVrWrrrrrrrrrrr r%r(r/r5rrJrLr_clear_spawn_failuresr\rbrerrrrrrrrrrrrrrrrmrr>rGrMrVr[r^r`rirprrrurxr{r}rrrr!rrYrrr`r!rrsDDDL#"""""    ))))))))((((((((**********&&&&&&w""nmm#Y/666iPP-1))))))X04,E,E,E,E,E,Ef R R R R R R R  R j 2 2 2 2 2 2 2  2 j             !!!!!!! !e X #suu$$$$ Y_   '!####$     ----`        F     <   &3333l79797979v#J JJJJJJZ " F# <&g"g"g"g"p  A))X N N N N9999x$ $ $ $ N ++++D ' ' ' '####,,,," $#$(!% %))-&*!%$(# $-m&m&m&m&m&m&` 4 4 4 4////(./3*. < % %    #  $""*.&*1,1,1,1,1,1,hJ    <.*****)))) 2 2 2 2&'''',6#'!%.'.'.'.'.'.'b($08#  ! :"# 666666rQQQQ"#0#0#0#0#0#0#n#2#2#2#2N48TTTTT~"&! o'o'o'o'o'o'l"&! H'H'H'H'H'H'^"&! DGGGGGG\! BBBBBBT  >HHHH\BJ4554444B     Z   ,!!#-1%)sssssstHHHHVB B B B J% % % % P    \2J6666      """"D"# @@@@@@N!%) 444444z!CCCCCCL5555x " XXXXXXB!\\\\\\~4!!!!46=A=8=8=8=8=8=8@    !%) ******h3+)+%!bj"M !%'*#!&2:4M  2J2J2J2J2J2J2J 2Jz#&7999991111.((((V.====H 555555x%) 000000lnnnnnnj $ "# ttttttnAAAAT*.WWWWWWB       RRRR*    &/rrrrj@8!%#%)4!"&*15CCCCCCL ?@444444#####6DDDD1( ( ( ( ( V5555NNNN    3333 ++++, ) ) ) )&!&!&!&!R    FD kkkkkkh#4  4*4*4*4*4*4*vZ,Z,Z,Z,B!!!!H88 $!&*!!!!!!J8< # # # # #$ $ . $%)......n $%)0.0.0.0.0.0.r $       . $ D