aiden-runtime 4.8.0 → 4.9.0

package/dist/core/v4/daemon/db/migrations.js

@@ -316,6 +316,170 @@ CREATE INDEX IF NOT EXISTS idx_recovery_reports_signature
 CREATE INDEX IF NOT EXISTS idx_recovery_reports_run
   ON recovery_reports(run_id);
 `;
+// v4.9.0 Slice 4 — daemon_incarnations table. Source of truth lives at
+// `core/v4/daemon/db/schema/v8.sql`; kept in sync via the migrations
+// test snapshot check. Distinct from the v1 `daemon_instances` table
+// (which keeps its random-UUID instance_id intact for existing
+// `evaluateBootState` / `reclaimStuckRuns` consumers); v8 introduces
+// the persistent daemon identity + per-boot incarnation correlation.
+const V8_SQL = `
+CREATE TABLE IF NOT EXISTS daemon_incarnations (
+  incarnation_id  TEXT    PRIMARY KEY,
+  daemon_id       TEXT    NOT NULL,
+  pid             INTEGER NOT NULL,
+  started_at      TEXT    NOT NULL,
+  ended_at        TEXT,
+  exit_reason     TEXT,
+  exit_code       INTEGER,
+  aiden_version   TEXT,
+  node_version    TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_incarnations_daemon
+  ON daemon_incarnations(daemon_id, started_at DESC);
+`;
+// v4.9.0 Slice 5 — durable run queue. Source of truth lives at
+// `core/v4/daemon/db/schema/v9.sql`; kept in sync via the migrations
+// test snapshot check.
+const V9_SQL = `
+CREATE TABLE IF NOT EXISTS run_attempts (
+  attempt_id     TEXT    PRIMARY KEY,
+  run_id         INTEGER NOT NULL,
+  attempt_number INTEGER NOT NULL,
+  incarnation_id TEXT    NOT NULL,
+  started_at     TEXT    NOT NULL,
+  ended_at       TEXT,
+  status         TEXT    NOT NULL,
+  finish_reason  TEXT,
+  error_class    TEXT,
+  error_message  TEXT,
+  FOREIGN KEY (run_id) REFERENCES runs(id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_run_attempts_run
+  ON run_attempts(run_id, attempt_number);
+CREATE INDEX IF NOT EXISTS idx_run_attempts_incarnation
+  ON run_attempts(incarnation_id);
+
+CREATE TABLE IF NOT EXISTS spans (
+  span_id        TEXT    PRIMARY KEY,
+  trace_id       TEXT    NOT NULL,
+  parent_span_id TEXT,
+  run_id         INTEGER,
+  attempt_id     TEXT,
+  incarnation_id TEXT    NOT NULL,
+  kind           TEXT    NOT NULL,
+  name           TEXT    NOT NULL,
+  started_at     TEXT    NOT NULL,
+  ended_at       TEXT,
+  status         TEXT,
+  attrs_json     TEXT,
+  error_class    TEXT,
+  error_message  TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_spans_trace  ON spans(trace_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_spans_run    ON spans(run_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_spans_parent ON spans(parent_span_id);
+
+CREATE TABLE IF NOT EXISTS run_idempotency_keys (
+  namespace        TEXT    NOT NULL,
+  key              TEXT    NOT NULL,
+  fingerprint      TEXT    NOT NULL,
+  run_id           INTEGER,
+  trigger_event_id INTEGER,
+  span_id          TEXT,
+  status           TEXT    NOT NULL,
+  created_at       TEXT    NOT NULL,
+  expires_at       TEXT,
+  result_ref       TEXT,
+  PRIMARY KEY (namespace, key)
+);
+CREATE INDEX IF NOT EXISTS idx_idempotency_expires
+  ON run_idempotency_keys(expires_at) WHERE expires_at IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_idempotency_run
+  ON run_idempotency_keys(run_id) WHERE run_id IS NOT NULL;
+`;
+// v4.9.0 Slice 7 — external trace adoption. Adds `external_trace_id`
+// to `spans` + `runs` for W3C traceparent adoption alongside Aiden's
+// typed `trc_<uuidv7>`. Source of truth: `db/schema/v10.sql`.
+const V10_SQL = `
+ALTER TABLE spans ADD COLUMN external_trace_id TEXT;
+ALTER TABLE runs  ADD COLUMN external_trace_id TEXT;
+CREATE INDEX IF NOT EXISTS idx_spans_external_trace
+  ON spans(external_trace_id) WHERE external_trace_id IS NOT NULL;
+`;
+// v4.9.0 Slice 12a — Hook system tables. Source of truth lives at
+// `core/v4/daemon/db/schema/v11.sql`.
+const V11_SQL = `
+CREATE TABLE IF NOT EXISTS hooks (
+  hook_id        TEXT    PRIMARY KEY,
+  name           TEXT    NOT NULL,
+  version        TEXT,
+  source         TEXT    NOT NULL,
+  runtime        TEXT    NOT NULL,
+  manifest_path  TEXT    NOT NULL,
+  code_hash      TEXT    NOT NULL,
+  enabled        INTEGER NOT NULL DEFAULT 0,
+  trust_state    TEXT    NOT NULL,
+  created_at     TEXT    NOT NULL,
+  updated_at     TEXT    NOT NULL,
+  UNIQUE(manifest_path)
+);
+CREATE TABLE IF NOT EXISTS hook_subscriptions (
+  subscription_id TEXT    PRIMARY KEY,
+  hook_id         TEXT    NOT NULL REFERENCES hooks(hook_id) ON DELETE CASCADE,
+  event           TEXT    NOT NULL,
+  matcher_json    TEXT,
+  authority       TEXT    NOT NULL,
+  mode            TEXT    NOT NULL,
+  priority        INTEGER NOT NULL DEFAULT 0,
+  timeout_ms      INTEGER NOT NULL,
+  on_error        TEXT    NOT NULL,
+  on_timeout      TEXT    NOT NULL,
+  enabled         INTEGER NOT NULL DEFAULT 1
+);
+CREATE INDEX IF NOT EXISTS idx_hook_subscriptions_event ON hook_subscriptions(event, enabled);
+CREATE TABLE IF NOT EXISTS hook_capability_grants (
+  grant_id     TEXT    PRIMARY KEY,
+  hook_id      TEXT    NOT NULL REFERENCES hooks(hook_id) ON DELETE CASCADE,
+  capability   TEXT    NOT NULL,
+  scope_json   TEXT    NOT NULL,
+  granted_by   TEXT,
+  granted_at   TEXT    NOT NULL,
+  revoked_at   TEXT
+);
+CREATE TABLE IF NOT EXISTS hook_executions (
+  hook_execution_id TEXT    PRIMARY KEY,
+  hook_id           TEXT    NOT NULL REFERENCES hooks(hook_id),
+  subscription_id   TEXT    REFERENCES hook_subscriptions(subscription_id),
+  event             TEXT    NOT NULL,
+  run_id            TEXT,
+  trace_id          TEXT,
+  span_id           TEXT,
+  parent_span_id    TEXT,
+  tool_call_id      TEXT,
+  status            TEXT    NOT NULL,
+  decision          TEXT,
+  elapsed_ms        INTEGER NOT NULL,
+  cpu_ms            INTEGER,
+  max_rss_kb        INTEGER,
+  exit_code         INTEGER,
+  payload_hash      TEXT,
+  response_hash     TEXT,
+  stdout_preview    TEXT,
+  stderr_preview    TEXT,
+  error_kind        TEXT,
+  error_message     TEXT,
+  started_at        TEXT    NOT NULL,
+  finished_at       TEXT    NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_hook_executions_run   ON hook_executions(run_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_hook_executions_hook  ON hook_executions(hook_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_hook_executions_event ON hook_executions(event, started_at);
+`;
+// v4.9.0 Slice 12b — auto-disable rail. Just an ADD COLUMN; full
+// rationale lives in `core/v4/daemon/db/schema/v12.sql`.
+const V12_SQL = `
+ALTER TABLE hooks ADD COLUMN consecutive_failures INTEGER NOT NULL DEFAULT 0;
+`;
 const MIGRATIONS = [
     { version: 1, name: 'phase 1 — daemon foundation', sql: V1_SQL },
     { version: 2, name: 'phase 2 — file watcher observations', sql: V2_SQL },
@@ -324,6 +488,11 @@ const MIGRATIONS = [
     { version: 5, name: 'phase 5b — scheduled workflows', sql: V5_SQL },
     { version: 6, name: 'v4.6 phase 1 — sub-agent lineage', sql: V6_SQL },
     { version: 7, name: 'v4.6 phase 3b — self-improvement loop', sql: V7_SQL },
+    { version: 8, name: 'v4.9 slice 4 — daemon identity + incarnations', sql: V8_SQL },
+    { version: 9, name: 'v4.9 slice 5 — durable run queue', sql: V9_SQL },
+    { version: 10, name: 'v4.9 slice 7 — external trace adoption', sql: V10_SQL },
+    { version: 11, name: 'v4.9 slice 12a — hook system', sql: V11_SQL },
+    { version: 12, name: 'v4.9 slice 12b — hook auto-disable counter', sql: V12_SQL },
 ];
 exports.LATEST_SCHEMA_VERSION = MIGRATIONS[MIGRATIONS.length - 1].version;
 function getCurrentVersion(db) {

package/dist/core/v4/daemon/idempotency/runIdempotencyStore.js

@@ -0,0 +1,128 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/daemon/idempotency/runIdempotencyStore.ts — v4.9.0 Slice 5.
+ *
+ * Durable ingress / write-side idempotency. Distinct from the v1
+ * `idempotency_keys` response-replay cache (which stores HTTP response
+ * bodies for exact-byte replay). This store tracks (namespace, key) →
+ * acceptance outcome so a duplicate webhook / email / file / API
+ * request never creates a second `runs` row.
+ *
+ * `acquire()` is the central primitive: atomic insert against the
+ * (namespace, key) PK. Three outcomes:
+ *
+ *   - 'accepted'           — fresh row inserted, caller proceeds with
+ *                            run/trigger creation.
+ *   - 'duplicate'          — row exists with the SAME fingerprint;
+ *                            caller should reuse the linked run/event id.
+ *   - 'rejected_conflict'  — row exists with a DIFFERENT fingerprint;
+ *                            caller is reusing a key for different work
+ *                            and should reject with a loud error.
+ *
+ * Call `link()` after the run/trigger row exists to back-fill the FKs.
+ * `complete()` patches the final result_ref (e.g. span_id of the
+ * outcome). `sweepExpired()` is the GC tick for keys with `expires_at`
+ * in the past.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fingerprintCanonical = fingerprintCanonical;
+exports.acquire = acquire;
+exports.link = link;
+exports.complete = complete;
+exports.sweepExpired = sweepExpired;
+exports.getKey = getKey;
+const node_crypto_1 = require("node:crypto");
+/**
+ * Canonical fingerprint helper — sort keys, stringify, SHA-256 hex.
+ * Drops `undefined` values to keep the hash stable across optional
+ * fields. Use this when the caller doesn't already have a domain-
+ * specific hash (e.g. webhook deliveries already compute one in
+ * `webhookIdempotency.ts`).
+ */
+function fingerprintCanonical(payload) {
+    const canon = canonicalise(payload);
+    return (0, node_crypto_1.createHash)('sha256').update(JSON.stringify(canon)).digest('hex');
+}
+function canonicalise(v) {
+    if (v === null || v === undefined)
+        return null;
+    if (Array.isArray(v))
+        return v.map(canonicalise);
+    if (typeof v === 'object') {
+        const out = {};
+        for (const k of Object.keys(v).sort()) {
+            const val = v[k];
+            if (val !== undefined)
+                out[k] = canonicalise(val);
+        }
+        return out;
+    }
+    return v;
+}
+/**
+ * Attempt to claim (namespace, key) for an incoming request. Atomic
+ * via INSERT OR IGNORE against the (namespace, key) PK + a follow-up
+ * SELECT for the existing row.
+ */
+function acquire(db, opts) {
+    const nowMs = (opts.now ?? Date.now)();
+    const nowIso = new Date(nowMs).toISOString();
+    const expires = opts.ttlMs ? new Date(nowMs + opts.ttlMs).toISOString() : null;
+    const result = db.prepare(`INSERT OR IGNORE INTO run_idempotency_keys
+       (namespace, key, fingerprint, status, created_at, expires_at)
+     VALUES (?, ?, ?, 'accepted', ?, ?)`).run(opts.namespace, opts.key, opts.fingerprint, nowIso, expires);
+    if (result.changes > 0) {
+        const row = readRow(db, opts.namespace, opts.key);
+        return { outcome: 'accepted', row };
+    }
+    // Collision — read existing and compare fingerprint.
+    const existing = readRow(db, opts.namespace, opts.key);
+    if (!existing) {
+        // Defensive: should not happen, the INSERT OR IGNORE only skips
+        // when the PK conflicts.
+        throw new Error('runIdempotencyStore.acquire: INSERT OR IGNORE skipped but no row found');
+    }
+    if (existing.fingerprint === opts.fingerprint) {
+        return { outcome: 'duplicate', existing };
+    }
+    return { outcome: 'rejected_conflict', existing };
+}
+/** Back-fill the run/trigger/span FKs once those rows exist. */
+function link(db, opts) {
+    db.prepare(`UPDATE run_idempotency_keys
+        SET run_id           = COALESCE(?, run_id),
+            trigger_event_id = COALESCE(?, trigger_event_id),
+            span_id          = COALESCE(?, span_id)
+      WHERE namespace = ? AND key = ?`).run(opts.runId ?? null, opts.triggerEventId ?? null, opts.spanId ?? null, opts.namespace, opts.key);
+}
+/**
+ * Patch the terminal status + optional result_ref. Caller picks the
+ * status: `'completed'` for success, `'failed'` for terminal failure.
+ */
+function complete(db, opts) {
+    db.prepare(`UPDATE run_idempotency_keys
+        SET status     = ?,
+            result_ref = COALESCE(?, result_ref)
+      WHERE namespace = ? AND key = ?`).run(opts.status, opts.resultRef ?? null, opts.namespace, opts.key);
+}
+/** Delete keys whose `expires_at` is in the past. Returns the count. */
+function sweepExpired(db, now) {
+    const nowIso = new Date(now ?? Date.now()).toISOString();
+    const r = db.prepare(`DELETE FROM run_idempotency_keys
+       WHERE expires_at IS NOT NULL AND expires_at < ?`).run(nowIso);
+    return { deleted: Number(r.changes ?? 0) };
+}
+/** Diagnostic — single-key lookup. */
+function getKey(db, namespace, key) {
+    return readRow(db, namespace, key);
+}
+function readRow(db, namespace, key) {
+    const r = db.prepare(`SELECT * FROM run_idempotency_keys WHERE namespace = ? AND key = ?`).get(namespace, key);
+    return r ?? null;
+}

package/dist/core/v4/daemon/incarnationStore.js

@@ -0,0 +1,47 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/daemon/incarnationStore.ts — v4.9.0 Slice 4.
+ *
+ * Thin DDL wrapper around the `daemon_incarnations` table (schema v8).
+ * Three operations:
+ *
+ *   1. `insertIncarnation()` — boot. Writes one row with `started_at`
+ *      = now ISO. Idempotent on PRIMARY KEY collision (safe re-call).
+ *   2. `markEnded()` — clean shutdown. Patches `ended_at`, `exit_reason`,
+ *      `exit_code` for this incarnation. No-op when the row is missing
+ *      (defensive — e.g. SQLite died before insert).
+ *   3. `lastForDaemon()` — diagnostic. Returns the most recent row for
+ *      a given daemon_id. Used by `aiden doctor`-style surfaces (not
+ *      wired in this slice).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.insertIncarnation = insertIncarnation;
+exports.markEnded = markEnded;
+exports.lastForDaemon = lastForDaemon;
+function insertIncarnation(db, opts) {
+    const started = opts.startedAt ?? new Date().toISOString();
+    db.prepare(`INSERT OR IGNORE INTO daemon_incarnations
+       (incarnation_id, daemon_id, pid, started_at, aiden_version, node_version)
+     VALUES (?, ?, ?, ?, ?, ?)`).run(opts.incarnationId, opts.daemonId, opts.pid, started, opts.aidenVersion, opts.nodeVersion);
+}
+function markEnded(db, opts) {
+    const ended = opts.endedAt ?? new Date().toISOString();
+    db.prepare(`UPDATE daemon_incarnations
+        SET ended_at    = COALESCE(ended_at, ?),
+            exit_reason = COALESCE(exit_reason, ?),
+            exit_code   = COALESCE(exit_code, ?)
+      WHERE incarnation_id = ?`).run(ended, opts.exitReason, opts.exitCode, opts.incarnationId);
+}
+function lastForDaemon(db, daemonId) {
+    const r = db.prepare(`SELECT * FROM daemon_incarnations
+      WHERE daemon_id = ?
+      ORDER BY started_at DESC
+      LIMIT 1`).get(daemonId);
+    return r ?? null;
+}

package/dist/core/v4/daemon/runs/attemptStore.js

@@ -0,0 +1,67 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/daemon/runs/attemptStore.ts — v4.9.0 Slice 5.
+ *
+ * One row per execution attempt of a run. `runs.id` (numeric, autoincrement)
+ * stays the canonical run identifier; `run_attempts.attempt_id`
+ * (`att_<uuidv7>`) is the per-try identifier. attempt_number is 1-indexed
+ * and stable per (run_id) — the store computes it via MAX+1 on insert.
+ *
+ * Slice 5 lands schema + writers. Retry-policy logic (which attempts
+ * get retried, with what cooldown) is deferred to Slice 6+.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAttempt = createAttempt;
+exports.completeAttempt = completeAttempt;
+exports.listAttemptsForRun = listAttemptsForRun;
+exports.getAttempt = getAttempt;
+const identity_1 = require("../../identity");
+/**
+ * Create a fresh attempt for the given run. `attempt_number` is derived
+ * by MAX+1 inside a transaction so concurrent creators don't collide.
+ * Returns the new attempt id.
+ */
+function createAttempt(db, opts) {
+    const attemptId = opts.attemptId ?? (0, identity_1.newAttemptId)();
+    const startedAt = opts.startedAt ?? new Date().toISOString();
+    const tx = db.transaction(() => {
+        const row = db.prepare(`SELECT COALESCE(MAX(attempt_number), 0) AS n FROM run_attempts WHERE run_id = ?`).get(opts.runId);
+        const nextNumber = row.n + 1;
+        db.prepare(`INSERT INTO run_attempts
+         (attempt_id, run_id, attempt_number, incarnation_id, started_at, status)
+       VALUES (?, ?, ?, ?, ?, 'running')`).run(attemptId, opts.runId, nextNumber, opts.incarnationId, startedAt);
+    });
+    tx();
+    return attemptId;
+}
+/**
+ * Patch an attempt with a terminal status. COALESCE-protected so the
+ * first-wins semantics match the Slice 4 incarnation pattern: if the
+ * attempt already has an `ended_at`, this call is a no-op for those
+ * fields (status update only applies to the in-flight case).
+ */
+function completeAttempt(db, opts) {
+    const endedAt = opts.endedAt ?? new Date().toISOString();
+    db.prepare(`UPDATE run_attempts
+        SET status        = ?,
+            ended_at      = COALESCE(ended_at, ?),
+            finish_reason = COALESCE(finish_reason, ?),
+            error_class   = COALESCE(error_class, ?),
+            error_message = COALESCE(error_message, ?)
+      WHERE attempt_id = ?`).run(opts.status, endedAt, opts.finishReason ?? null, opts.errorClass ?? null, opts.errorMessage ?? null, opts.attemptId);
+}
+/** List all attempts for a run in attempt-number order. */
+function listAttemptsForRun(db, runId) {
+    return db.prepare(`SELECT * FROM run_attempts WHERE run_id = ? ORDER BY attempt_number ASC`).all(runId);
+}
+/** Diagnostic — single-attempt lookup. */
+function getAttempt(db, attemptId) {
+    const r = db.prepare(`SELECT * FROM run_attempts WHERE attempt_id = ?`).get(attemptId);
+    return r ?? null;
+}

package/dist/core/v4/daemon/runs/reclaim.js

@@ -0,0 +1,88 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/daemon/runs/reclaim.ts — v4.9.0 Slice 3.
+ *
+ * Mark runs orphaned by a crashed daemon as `interrupted` so a follow-up
+ * boot (or a human looking at `aiden runs list`) sees an unambiguous
+ * post-mortem instead of an eternally-`running` row.
+ *
+ * Called from two sites:
+ *  1. Process-wide crash handlers (`uncaughtException` /
+ *     `unhandledRejection`) installed in `bootstrap.ts`. Before the
+ *     handler calls `process.exit(1)`, it reclaims this incarnation's
+ *     still-running rows. The DB connection is the same handle the
+ *     dispatcher used; the write is one statement so even a crashed
+ *     process can finish it.
+ *  2. Boot-time, against ANY non-current instance — defence in depth
+ *     for the case where `evaluateBootState` didn't sweep a row (e.g.
+ *     the prior crash happened after BootState ran but before the
+ *     run completed). Idempotent: a no-op when no rows match.
+ *
+ * Uses existing schema columns only — NO new tables, NO new RunStatus
+ * value. Sets `status='interrupted', finish_reason='daemon_crashed',
+ * resume_pending=1, resume_reason='daemon_crashed', completed_at=now`.
+ * Matches the semantics `evaluateBootState` uses for prior-instance
+ * crash recovery, so downstream consumers (`aiden runs list`, restart
+ * resume logic) see one consistent shape.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reclaimStuckRuns = reclaimStuckRuns;
+/**
+ * Reclaim stuck `runs.status='running'` rows. Returns the rows touched
+ * so the caller can emit `run_events` entries (skipped on the crash
+ * path — the inserts could themselves throw, and the UPDATE is the
+ * authoritative outcome).
+ */
+function reclaimStuckRuns(db, opts) {
+    const now = (opts.now ?? Date.now)();
+    // Phase 1 — select the candidate rows. We pull ids first so the
+    // caller can act on them (logging, event emission) without a second
+    // round-trip. Using a single WHERE clause keeps the index hit on
+    // idx_runs_active (`status IN ('queued','running')`).
+    let candidates;
+    if (opts.instanceId !== undefined) {
+        candidates = db.prepare(`SELECT id FROM runs WHERE status = 'running' AND instance_id = ?`).all(opts.instanceId);
+    }
+    else {
+        if (!opts.currentInstanceId) {
+            throw new Error('reclaimStuckRuns: currentInstanceId required when instanceId omitted');
+        }
+        candidates = db.prepare(`SELECT id FROM runs WHERE status = 'running' AND instance_id != ?`).all(opts.currentInstanceId);
+    }
+    if (candidates.length === 0) {
+        return { reclaimed: 0, runIds: [] };
+    }
+    // Phase 2 — single UPDATE for the matching predicate. We re-derive
+    // the WHERE from `opts` rather than passing ids inline (would blow
+    // past SQLite's bound-parameter cap on a pathologically large run
+    // table — unlikely, but cheap to avoid).
+    let updateResult;
+    if (opts.instanceId !== undefined) {
+        updateResult = db.prepare(`UPDATE runs
+          SET status         = 'interrupted',
+              finish_reason  = 'daemon_crashed',
+              completed_at   = ?,
+              resume_pending = 1,
+              resume_reason  = 'daemon_crashed'
+        WHERE status = 'running' AND instance_id = ?`).run(now, opts.instanceId);
+    }
+    else {
+        updateResult = db.prepare(`UPDATE runs
+          SET status         = 'interrupted',
+              finish_reason  = 'daemon_crashed',
+              completed_at   = ?,
+              resume_pending = 1,
+              resume_reason  = 'daemon_crashed'
+        WHERE status = 'running' AND instance_id != ?`).run(now, opts.currentInstanceId);
+    }
+    return {
+        reclaimed: Number(updateResult.changes ?? candidates.length),
+        runIds: candidates.map((c) => c.id),
+    };
+}

package/dist/core/v4/daemon/runs/retryPolicy.js

@@ -0,0 +1,73 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/daemon/runs/retryPolicy.ts — v4.9.0 Slice 8.
+ *
+ * Pure policy primitives — `shouldRetry` + `computeBackoffMs`. The
+ * orchestrator (`runWithRetry`) lives next door; this module is
+ * test-friendly with no side effects.
+ *
+ * Defaults chosen to match the implicit policy across the rest of
+ * v4: max 3 attempts, exponential backoff with full jitter capped
+ * at 30s. NetworkError / TimeoutError / ResourceExhausted are
+ * retryable; auth + permission + validation are terminal.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_RETRY_POLICY = void 0;
+exports.shouldRetry = shouldRetry;
+exports.computeBackoffMs = computeBackoffMs;
+exports.DEFAULT_RETRY_POLICY = {
+    maxAttempts: 3,
+    baseDelayMs: 1000,
+    maxDelayMs: 30000,
+    jitter: 'full',
+    retryableErrorClasses: ['NetworkError', 'TimeoutError', 'ResourceExhausted'],
+    nonRetryableErrorClasses: ['AuthError', 'PermissionDenied', 'ValidationError'],
+};
+/**
+ * Decide whether to retry given the error class + attempt number.
+ *
+ * Precedence:
+ *   1. attemptNumber >= maxAttempts  → false (cap reached)
+ *   2. nonRetryableErrorClasses hit  → false (terminal)
+ *   3. retryableErrorClasses hit     → true
+ *   4. unknown error class           → false (fail closed)
+ *
+ * Treating unknown errors as non-retryable matches Aiden's safety
+ * stance: a retry burst on an unknown failure can multiply damage.
+ */
+function shouldRetry(errorClass, attemptNumber, policy = exports.DEFAULT_RETRY_POLICY) {
+    if (attemptNumber >= policy.maxAttempts)
+        return false;
+    if (policy.nonRetryableErrorClasses.includes(errorClass))
+        return false;
+    if (policy.retryableErrorClasses.includes(errorClass))
+        return true;
+    return false;
+}
+/**
+ * Exponential backoff with optional jitter, capped at `maxDelayMs`.
+ *   attemptNumber=1 → base
+ *   attemptNumber=2 → base*2
+ *   attemptNumber=3 → base*4
+ * Jitter modes:
+ *   'none'  — exact value
+ *   'equal' — value/2 + random(0..value/2)
+ *   'full'  — random(0..value)
+ */
+function computeBackoffMs(attemptNumber, policy = exports.DEFAULT_RETRY_POLICY, rng = Math.random) {
+    if (attemptNumber < 1)
+        return 0;
+    const exp = policy.baseDelayMs * Math.pow(2, attemptNumber - 1);
+    const capped = Math.min(exp, policy.maxDelayMs);
+    switch (policy.jitter) {
+        case 'none': return capped;
+        case 'equal': return Math.floor(capped / 2 + rng() * (capped / 2));
+        case 'full': return Math.floor(rng() * capped);
+    }
+}

package/dist/core/v4/daemon/runs/runWithRetry.js

@@ -0,0 +1,80 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/daemon/runs/runWithRetry.ts — v4.9.0 Slice 8.
+ *
+ * Attempt orchestration on top of Slice 5's `run_attempts` table.
+ * Caller supplies an existing run row id + a `RetryPolicy`; this
+ * function creates one `run_attempts` row per attempt, runs `fn`
+ * inside an incrementing-attempt context, and on retryable error
+ * sleeps + tries again. On non-retryable error OR max-attempts cap,
+ * returns `'dead_letter'` so the caller can route to a poison queue.
+ *
+ * The "what's retryable" decision lives in `retryPolicy.ts` so the
+ * orchestrator stays small + testable.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runWithRetry = runWithRetry;
+const attemptStore_1 = require("./attemptStore");
+const retryPolicy_1 = require("./retryPolicy");
+function defaultSleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}
+/**
+ * Run `fn` with retry policy. Each attempt gets its own `run_attempts`
+ * row + an incremented `ctx.attempt` value visible to the callee.
+ */
+async function runWithRetry(db, ctx, opts, fn) {
+    const sleep = opts.sleep ?? defaultSleep;
+    let lastError = new Error('runWithRetry: no attempts made');
+    let attemptCount = 0;
+    for (let attemptNumber = 1; attemptNumber <= opts.policy.maxAttempts; attemptNumber += 1) {
+        attemptCount = attemptNumber;
+        const attemptId = (0, attemptStore_1.createAttempt)(db, {
+            runId: opts.runId,
+            incarnationId: opts.incarnationId,
+        });
+        const attemptCtx = { ...ctx, attempt: attemptNumber };
+        try {
+            const value = await fn(attemptCtx, attemptNumber);
+            (0, attemptStore_1.completeAttempt)(db, { attemptId, status: 'completed' });
+            return { outcome: 'completed', value, attempts: attemptNumber };
+        }
+        catch (err) {
+            const error = err instanceof Error ? err : new Error(String(err));
+            lastError = error;
+            const errorClass = error.name || 'Error';
+            const terminalStatus = 'failed';
+            (0, attemptStore_1.completeAttempt)(db, {
+                attemptId,
+                status: terminalStatus,
+                errorClass,
+                errorMessage: error.message,
+            });
+            // Three cases:
+            //   (a) Class is in nonRetryableErrorClasses     → dead_letter (terminal class)
+            //   (b) Class is in retryableErrorClasses        → retry IF cap not reached; else dead_letter (exhausted)
+            //   (c) Class is unknown                         → failed (caller introspects; no auto-retry)
+            const isNonRetryable = opts.policy.nonRetryableErrorClasses.includes(errorClass);
+            const isRetryable = opts.policy.retryableErrorClasses.includes(errorClass);
+            if (isNonRetryable) {
+                return { outcome: 'dead_letter', attempts: attemptNumber, lastError: error };
+            }
+            if (!isRetryable) {
+                return { outcome: 'failed', attempts: attemptNumber, lastError: error };
+            }
+            if (attemptNumber >= opts.policy.maxAttempts) {
+                return { outcome: 'dead_letter', attempts: attemptNumber, lastError: error };
+            }
+            // Retryable + cap not reached: back off and try again.
+            await sleep((0, retryPolicy_1.computeBackoffMs)(attemptNumber, opts.policy));
+        }
+    }
+    // Defensive fallback — loop exited without explicit return.
+    return { outcome: 'dead_letter', attempts: attemptCount, lastError };
+}