aiden-runtime 4.8.1 → 4.9.1

package/dist/core/v4/daemon/bootstrap.js

@@ -30,6 +30,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCurrentDaemonLogger = getCurrentDaemonLogger;
+exports.getCurrentDaemonId = getCurrentDaemonId;
+exports.getCurrentIncarnationId = getCurrentIncarnationId;
+exports.getCurrentDaemonDb = getCurrentDaemonDb;
 exports.bootstrapDaemon = bootstrapDaemon;
 exports._resetDaemonBootstrapForTests = _resetDaemonBootstrapForTests;
 exports.getDaemonHandle = getDaemonHandle;
@@ -70,6 +74,19 @@ const migration_1 = require("./cron/migration");
 const cronEmitter_1 = require("./cron/cronEmitter");
 const playwrightBridge_1 = require("../../playwrightBridge");
 const version_1 = require("../../version");
+// v4.9.0 Slice 3 — structured logger + crash recovery.
+const node_path_1 = __importDefault(require("node:path"));
+const logger_1 = require("../logger");
+const reclaim_1 = require("./runs/reclaim");
+// v4.9.0 Slice 8 — stuck-attempt watchdog ticker.
+const stuckAttemptWatchdog_1 = require("./runs/stuckAttemptWatchdog");
+// v4.9.0 Slice 4 — identity substrate + incarnations table.
+const identity_1 = require("../identity");
+const incarnationStore_1 = require("./incarnationStore");
+// v4.9.0 Slice 7 — static import. The lazy `require()` form here
+// silently failed under vite-node (CJS `.ts` resolution) and the
+// `/api/runs` route never mounted in tests.
+const runs_1 = require("./api/runs");
 const NOOP_HANDLE = Object.freeze({
     active: false,
     instanceId: null,
@@ -92,6 +109,100 @@ const NOOP_HANDLE = Object.freeze({
 });
 // Process-wide singleton — the second call returns the same handle.
 let _singleton = null;
+/**
+ * v4.9.0 Slice 4 — module-level holders for the persistent daemon
+ * identity (`dmn_...`) and the per-process incarnation (`inc_...`).
+ * Populated by `bootstrapDaemon()`. Readable by other modules (e.g.
+ * the logger sink) via `getCurrentDaemonId()` / `getCurrentIncarnationId()`
+ * so they can stamp every record with the identity pair without
+ * requiring an ambient ExecutionContext.
+ */
+let _currentDaemonId = null;
+let _currentIncarnationId = null;
+// v4.9.0 Slice 6 — module-level reference to the active daemon DB
+// handle. Cached after `openDaemonDb(dbPath)` returns so tool/LLM span
+// wrappers can pull it via `getCurrentDaemonDb()` without re-opening.
+let _currentDaemonDb = null;
+// v4.9.0 Slice 6 — and a reference to the daemon logger, for the
+// same reason: spans + log enrichments need a logger handle without
+// each cross-cutting site plumbing its own.
+let _currentDaemonLogger = null;
+/** v4.9.0 Slice 6 — read the daemon's structured Logger (or null). */
+function getCurrentDaemonLogger() { return _currentDaemonLogger; }
+/** v4.9.0 Slice 4 — read the persistent daemon id (`dmn_...`) or null. */
+function getCurrentDaemonId() { return _currentDaemonId; }
+/** v4.9.0 Slice 4 — read this boot's incarnation id (`inc_...`) or null. */
+function getCurrentIncarnationId() { return _currentIncarnationId; }
+/**
+ * v4.9.0 Slice 6 — read the active daemon DB handle, or null when
+ * AIDEN_DAEMON=0 / bootstrap hasn't run / bootstrap failed. Lets
+ * cross-cutting modules (tool dispatcher, agent loop) opt into
+ * span instrumentation without requiring CLI-level wiring. NOOP-safe:
+ * returns null silently when the daemon foundation isn't up.
+ */
+function getCurrentDaemonDb() {
+    return _currentDaemonDb;
+}
+/**
+ * v4.9.0 Slice 3 — track whether the process-wide crash handlers
+ * already wrapped this process. Reset by the test helper. The guard
+ * prevents duplicate handler chains when bootstrap runs twice (which
+ * the singleton normally prevents anyway, but tests sometimes punch
+ * through `_resetDaemonBootstrapForTests`).
+ */
+let _crashHandlersInstalled = false;
+/**
+ * v4.9.0 Slice 3 — build a structured daemon logger composed of:
+ *   stderr (human, warn+)  — visible to systemd / journalctl
+ *   file   (NDJSON)        — `<aidenRoot>/logs/daemon.log`, rotated at 5 MB
+ * Both sinks are wrapped in `RedactingSink` so secret-shaped tokens
+ * never reach disk or stderr. Level is `info` by default; the
+ * `AIDEN_DAEMON_LOG_LEVEL` env var promotes to `debug` for diagnostics.
+ */
+function buildDaemonLogger(logsDir) {
+    const envLvl = (process.env.AIDEN_DAEMON_LOG_LEVEL ?? '').toLowerCase();
+    const level = envLvl === 'debug' || envLvl === 'info' || envLvl === 'warn' || envLvl === 'error'
+        ? envLvl
+        : 'info';
+    return new logger_1.CoreLogger({
+        level,
+        sinks: [
+            // v4.9.0 Slice 6 — pretty stderr (short timestamp + dim runId
+            // last-8 suffix when ambient context is present). File sink
+            // stays NDJSON with full IDs for log aggregators.
+            new logger_1.RedactingSink(new logger_1.StderrSink({ minLevel: 'warn', pretty: true })),
+            new logger_1.RedactingSink(new logger_1.FileSink({ dir: logsDir, name: 'daemon', format: 'ndjson' })),
+        ],
+        // v4.9.0 Slice 4 — every daemon log line gets stamped with the
+        // identity pair (daemonId, incarnationId) plus any ambient
+        // ExecutionContext fields (runId, traceId, spanId, ...). Caller
+        // ctx wins on key collision. Provider is guarded against init-time
+        // calls (before the identity holders are populated) — returning
+        // `undefined` then is fine; the merge step skips it.
+        getContext: () => {
+            const out = {};
+            if (_currentDaemonId)
+                out.daemonId = _currentDaemonId;
+            if (_currentIncarnationId)
+                out.incarnationId = _currentIncarnationId;
+            const ctx = (0, identity_1.currentContext)();
+            if (ctx) {
+                out.runId = ctx.runId;
+                out.traceId = ctx.traceId;
+                out.spanId = ctx.spanId;
+                if (ctx.parentSpanId)
+                    out.parentSpanId = ctx.parentSpanId;
+                if (ctx.sessionId)
+                    out.sessionId = ctx.sessionId;
+                if (ctx.triggerId)
+                    out.triggerId = ctx.triggerId;
+                out.source = ctx.source;
+                out.attempt = ctx.attempt;
+            }
+            return Object.keys(out).length > 0 ? out : undefined;
+        },
+    });
+}
 /**
  * Initialize the daemon foundation IF AIDEN_DAEMON=1. Returns a
  * handle describing what was wired (or a NOOP_HANDLE when the
@@ -108,20 +219,29 @@ function bootstrapDaemon(opts = {}) {
     if (_singleton)
         return _singleton;
     const cfg = (0, daemonConfig_1.getDaemonConfig)();
+    if (!cfg.enabled) {
+        _singleton = NOOP_HANDLE;
+        return NOOP_HANDLE;
+    }
+    // v4.9.0 Slice 3 — promote startup logging to the structured pipeline
+    // BEFORE the first emit. Sub-modules receive the `log(level, msg)`
+    // shape they were built against; the adapter forwards to the
+    // CoreLogger which redacts before fan-out to stderr + file.
+    const aidenRootForLog = (0, paths_1.resolveAidenRoot)();
+    const daemonLogger = buildDaemonLogger(node_path_1.default.join(aidenRootForLog, 'logs'));
+    // v4.9.0 Slice 6 — stash for cross-cutting consumers (tool dispatcher
+    // span wrap, LLM call span wrap). NOOP-safe via `getCurrentDaemonLogger()`.
+    _currentDaemonLogger = daemonLogger;
     const log = opts.log ?? ((level, msg) => {
         if (level === 'error')
-            console.error(msg);
+            daemonLogger.error(msg);
         else if (level === 'warn')
-            console.warn(msg);
+            daemonLogger.warn(msg);
         else
-            console.log(msg);
+            daemonLogger.info(msg);
     });
-    if (!cfg.enabled) {
-        _singleton = NOOP_HANDLE;
-        return NOOP_HANDLE;
-    }
     try {
-        const aidenRoot = (0, paths_1.resolveAidenRoot)();
+        const aidenRoot = aidenRootForLog;
         const dbPath = (0, daemonConfig_2.daemonDbPath)(aidenRoot);
         const lockPath = (0, daemonConfig_2.daemonRuntimeLockPath)(aidenRoot);
         const markerPath = (0, daemonConfig_2.daemonCleanShutdownMarkerPath)(aidenRoot);
@@ -158,6 +278,8 @@ function bootstrapDaemon(opts = {}) {
                 (e instanceof Error ? e.message : String(e)));
         }
         const db = (0, connection_1.openDaemonDb)(dbPath);
+        // v4.9.0 Slice 6 — cache for cross-cutting consumers.
+        _currentDaemonDb = db;
         const tracker = (0, instanceTracker_1.createInstanceTracker)({ db, version: version_1.VERSION });
         tracker.start();
         // v4.6 Phase 3b — self-improvement loop singleton. Daemon-fired
@@ -200,8 +322,118 @@ function bootstrapDaemon(opts = {}) {
         if (boot.crashDetected) {
             log('warn', '[daemon] crash recovery: prior instance crashed; affected runs marked resume_pending=1');
         }
+        // v4.9.0 Slice 4 — establish persistent daemon identity + per-process
+        // incarnation. The daemon_id file is created on first boot at
+        // <aidenRoot>/daemon/daemon_id; subsequent boots load it. The
+        // incarnation row in daemon_incarnations gives every process a
+        // first-class lineage row so `aiden doctor`-style tooling can show
+        // "this daemon has booted N times across M crashes".
+        //
+        // Distinct from `tracker.instanceId`: the latter is a random UUID
+        // for the v1-era `daemon_instances` table that Slice 3's crash
+        // recovery still uses. We keep both alive; Slice 4 ADDS identity,
+        // doesn't replace.
+        try {
+            _currentDaemonId = (0, identity_1.loadOrCreateDaemonId)(aidenRoot);
+            _currentIncarnationId = (0, identity_1.newIncarnationId)();
+            (0, incarnationStore_1.insertIncarnation)(db, {
+                incarnationId: _currentIncarnationId,
+                daemonId: _currentDaemonId,
+                pid: process.pid,
+                aidenVersion: version_1.VERSION,
+                nodeVersion: process.version,
+            });
+            log('info', `[daemon] identity established daemon_id=${_currentDaemonId} ` +
+                `incarnation_id=${_currentIncarnationId}`);
+        }
+        catch (e) {
+            log('warn', `[daemon] identity init failed (non-fatal): ${e instanceof Error ? e.message : String(e)}`);
+            _currentDaemonId = null;
+            _currentIncarnationId = null;
+        }
+        // v4.9.0 Slice 3 — defence-in-depth: sweep any `running` rows owned
+        // by a non-current instance. `evaluateBootState` already covers the
+        // common case, but a row racing the crash window could slip past it.
+        // Idempotent: no-op when no rows match.
+        try {
+            const swept = (0, reclaim_1.reclaimStuckRuns)(db, { currentInstanceId: tracker.instanceId });
+            if (swept.reclaimed > 0) {
+                log('warn', `[daemon] startup reclaim swept ${swept.reclaimed} orphaned run(s) ` +
+                    `from prior incarnations: ids=[${swept.runIds.join(',')}]`);
+            }
+        }
+        catch (e) {
+            log('warn', `[daemon] startup reclaim failed (non-fatal): ${e instanceof Error ? e.message : String(e)}`);
+        }
+        // v4.9.0 Slice 3 — process-wide crash handlers. Either signal
+        // means "this daemon is about to die unexpectedly". Reclaim our
+        // still-`running` rows BEFORE the exit so a follow-up boot sees
+        // an unambiguous `interrupted` shape, then exit 1 so service
+        // managers (systemd / launchd) know to restart us.
+        //
+        // We install `process.on(...)` (not `.once`) so the handler covers
+        // the rare double-crash. The exit is guarded by a 100ms timeout so
+        // a flush of the file sink has a chance to land.
+        if (!_crashHandlersInstalled) {
+            _crashHandlersInstalled = true;
+            const crashedInstanceId = tracker.instanceId;
+            const reclaimAndExit = (eventName, reason) => {
+                try {
+                    const err = reason instanceof Error
+                        ? { type: reason.name, message: reason.message, stack: reason.stack }
+                        : { type: 'NonError', message: String(reason) };
+                    daemonLogger.error(`[daemon] ${eventName} — terminating after run reclaim`, {
+                        event: 'daemon.crashed',
+                        component: 'daemon.bootstrap',
+                        incarnationId: crashedInstanceId,
+                        error: err,
+                    });
+                }
+                catch { /* logging must not block the reclaim path */ }
+                try {
+                    const swept = (0, reclaim_1.reclaimStuckRuns)(db, { instanceId: crashedInstanceId });
+                    if (swept.reclaimed > 0) {
+                        try {
+                            daemonLogger.warn(`[daemon] crash-handler reclaim marked ${swept.reclaimed} run(s) interrupted`, { event: 'daemon.crash_reclaim', runIds: swept.runIds });
+                        }
+                        catch { /* noop */ }
+                    }
+                }
+                catch { /* never block exit on reclaim failure */ }
+                // v4.9.0 Slice 4 — flag the incarnation row as crashed before
+                // we exit. Best-effort; never blocks the exit path.
+                try {
+                    if (_currentIncarnationId) {
+                        (0, incarnationStore_1.markEnded)(db, {
+                            incarnationId: _currentIncarnationId,
+                            exitReason: 'crash',
+                            exitCode: 1,
+                        });
+                    }
+                }
+                catch { /* noop */ }
+                // 100ms grace for the file sink to flush before we tear down.
+                setTimeout(() => { try {
+                    process.exit(1);
+                }
+                catch { /* noop */ } }, 100);
+            };
+            process.on('uncaughtException', (err) => reclaimAndExit('uncaughtException', err));
+            process.on('unhandledRejection', (reason) => reclaimAndExit('unhandledRejection', reason));
+        }
         // Module singletons.
-        const triggerBus = (0, triggerBus_1.createTriggerBus)({ db });
+        // v4.9.0 Slice 5 — opt the trigger bus into the durable
+        // run-idempotency anchor. Every accepted trigger_event with a
+        // non-null idempotency_key now also writes a row to
+        // `run_idempotency_keys` in the same transaction.
+        const triggerBus = (0, triggerBus_1.createTriggerBus)({
+            db,
+            enableRunIdempotency: true,
+            onIdempotencyConflict: (info) => {
+                log('warn', `[trigger-bus] duplicate ingress namespace=trigger:${info.source} ` +
+                    `key=${info.key} — reusing existing run anchor`);
+            },
+        });
         const idempotencyStore = (0, idempotencyStore_1.createIdempotencyStore)({ db });
         const runStore = (0, runStore_1.createRunStore)({ db });
         const restartFailureCounter = (0, restartFailureCounter_1.createRestartFailureCounter)({ db, threshold: cfg.restartFailureThreshold });
@@ -249,6 +481,22 @@ function bootstrapDaemon(opts = {}) {
             resourceRegistry,
             log,
         });
+        // v4.9.0 Slice 5 — POST /api/runs durable ingress. Returns 202
+        // only after the trigger_event + run_idempotency_keys rows commit.
+        // Slice 7 also adopts inbound `traceparent` here.
+        try {
+            const ingressBindHost = process.env.AIDEN_DAEMON_BIND ?? '127.0.0.1';
+            (0, runs_1.mountRunsRoutes)({
+                app,
+                triggerBus,
+                log,
+                apiKeyRequired: ingressBindHost !== '127.0.0.1' && ingressBindHost !== 'localhost',
+            });
+            log('info', '[api/runs] POST /api/runs durable ingress mounted');
+        }
+        catch (e) {
+            log('error', `[api/runs] mount failed: ${e instanceof Error ? e.message : String(e)}`);
+        }
         // v4.5 Phase 3 — bind safety check. When AIDEN_DAEMON_BIND opts
         // into a non-loopback interface, require AIDEN_API_KEY + refuse
         // INSECURE_NO_AUTH webhook routes. Runs BEFORE the listener binds.
@@ -304,6 +552,69 @@ function bootstrapDaemon(opts = {}) {
         }, 24 * 60 * 60 * 1000);
         if (typeof retentionTimer.unref === 'function')
             retentionTimer.unref();
+        // v4.9.0 Slice 4 — wire the missing `triggerBus.reclaimExpired()`
+        // ticker. The function existed since v4.5 Phase 5a but had no call
+        // site; crashed-mid-claim trigger events were stuck in `'claimed'`
+        // because the claim picker only matches `status='pending'`. 30s
+        // cadence matches what the original `triggerBus.ts` header
+        // comment promised. Boot-time call covers the gap where a daemon
+        // crashed *after* a claim and a new daemon starts before any lease
+        // expires naturally.
+        try {
+            const swept = triggerBus.reclaimExpired();
+            if (swept.reclaimed > 0) {
+                log('warn', `[trigger-bus] boot reclaim returned ${swept.reclaimed} expired claim(s) to 'pending'`);
+            }
+        }
+        catch (e) {
+            log('warn', `[trigger-bus] boot reclaim failed (non-fatal): ${e instanceof Error ? e.message : String(e)}`);
+        }
+        const reclaimTimer = setInterval(() => {
+            try {
+                triggerBus.reclaimExpired();
+            }
+            catch { /* never let the sweep crash the daemon */ }
+        }, 30000);
+        if (typeof reclaimTimer.unref === 'function')
+            reclaimTimer.unref();
+        // v4.9.0 Slice 8 — stuck-attempt + orphan-span watchdog.
+        // Sweeps run_attempts (status='running', older than threshold,
+        // owned by non-current incarnation) and spans (open + non-current
+        // incarnation). Default cadence 5min; threshold 30min. Both
+        // configurable via env. unref'd so the ticker doesn't block exit.
+        const watchdogIntervalMs = (() => {
+            const raw = process.env.AIDEN_STUCK_ATTEMPT_CHECK_MS;
+            const n = raw ? Number.parseInt(raw, 10) : NaN;
+            return Number.isFinite(n) && n > 0 ? n : 5 * 60 * 1000;
+        })();
+        const watchdogThresholdMs = (() => {
+            const raw = process.env.AIDEN_STUCK_ATTEMPT_THRESHOLD_MS;
+            const n = raw ? Number.parseInt(raw, 10) : NaN;
+            return Number.isFinite(n) && n > 0 ? n : 30 * 60 * 1000;
+        })();
+        const runWatchdogSweep = () => {
+            try {
+                if (!_currentIncarnationId)
+                    return;
+                const r = (0, stuckAttemptWatchdog_1.sweepStuckAttempts)(db, {
+                    currentIncarnationId: _currentIncarnationId,
+                    thresholdMs: watchdogThresholdMs,
+                });
+                if (r.reclaimedAttempts > 0 || r.reclaimedSpans > 0) {
+                    log('warn', `[watchdog] swept stuck attempts=${r.reclaimedAttempts} ` +
+                        `orphan_spans=${r.reclaimedSpans}`);
+                }
+            }
+            catch (e) {
+                log('warn', `[watchdog] sweep failed (non-fatal): ${e instanceof Error ? e.message : String(e)}`);
+            }
+        };
+        // Boot-time sweep covers anything left over from a prior crash
+        // that evaluateBootState / reclaimStuckRuns didn't catch.
+        runWatchdogSweep();
+        const watchdogTimer = setInterval(runWatchdogSweep, watchdogIntervalMs);
+        if (typeof watchdogTimer.unref === 'function')
+            watchdogTimer.unref();
         // Drain context — same shape api/server.ts wires.
         const getDrainCtx = () => ({
             drainTimeoutMs: cfg.drainTimeoutMs,
@@ -346,7 +657,27 @@ function bootstrapDaemon(opts = {}) {
                     catch { /* noop */ }
                 }
             },
-            markShutdown: (reason, exitCode) => tracker.markShutdown(reason, exitCode),
+            markShutdown: (reason, exitCode) => {
+                tracker.markShutdown(reason, exitCode);
+                // v4.9.0 Slice 4 — patch the incarnation row alongside the
+                // legacy daemon_instances row. Map sigusr1_restart/replaced
+                // → 'clean' (graceful drain), keep sigterm/sigint/crash
+                // verbatim. Best-effort; never throws into the drain path.
+                try {
+                    if (_currentIncarnationId) {
+                        const incReason = reason === 'sigterm' ? 'sigterm' :
+                            reason === 'sigint' ? 'sigint' :
+                                reason === 'crash' ? 'crash' :
+                                    'clean';
+                        (0, incarnationStore_1.markEnded)(db, {
+                            incarnationId: _currentIncarnationId,
+                            exitReason: incReason,
+                            exitCode,
+                        });
+                    }
+                }
+                catch { /* drain path must never throw */ }
+            },
         });
         (0, signals_1.installDaemonSignalHandlers)({ getDrainContext: getDrainCtx });
         log('info', `[daemon] foundation initializing instance_id=${tracker.instanceId} db=${dbPath}`);
@@ -582,6 +913,16 @@ function bootstrapDaemon(opts = {}) {
 /** Test-only — clears the singleton so subsequent calls re-bootstrap. */
 function _resetDaemonBootstrapForTests() {
     _singleton = null;
+    // v4.9.0 Slice 3 — also rearm the crash-handler installer guard
+    // so a fresh bootstrap in the same test process can install its
+    // own handlers without tripping the once-per-process check.
+    _crashHandlersInstalled = false;
+    // v4.9.0 Slice 4 — clear identity holders too.
+    _currentDaemonId = null;
+    _currentIncarnationId = null;
+    // v4.9.0 Slice 6 — clear cross-cutting refs too.
+    _currentDaemonDb = null;
+    _currentDaemonLogger = null;
 }
 /** Diagnostic — returns the current handle (or null if not yet bootstrapped). */
 function getDaemonHandle() {
@@ -624,13 +965,27 @@ function installDaemonAgentBuilder(handle, agentBuilder, persistedDefaultModel,
     if (!handle.active || !handle.dispatcher || !handle.triggerBus || !handle.runStore) {
         return false;
     }
+    // v4.9.0 Slice 3 — fall back to the daemon's own structured logger
+    // (built lazily here in case the caller skipped passing one). When
+    // bootstrap already constructed a logger, the singleton's startup
+    // log path used the same composition.
+    const fallbackLogger = (() => {
+        try {
+            return buildDaemonLogger(node_path_1.default.join((0, paths_1.resolveAidenRoot)(), 'logs'));
+        }
+        catch {
+            return null;
+        }
+    })();
     const logFn = log ?? ((level, msg) => {
+        if (!fallbackLogger)
+            return;
         if (level === 'error')
-            console.error(msg);
+            fallbackLogger.error(msg);
         else if (level === 'warn')
-            console.warn(msg);
+            fallbackLogger.warn(msg);
         else
-            console.log(msg);
+            fallbackLogger.info(msg);
     });
     try {
         const realRunner = (0, dispatcher_1.createRealAgentRunner)({

package/dist/core/v4/daemon/db/migrations.js

@@ -316,6 +316,170 @@ CREATE INDEX IF NOT EXISTS idx_recovery_reports_signature
 CREATE INDEX IF NOT EXISTS idx_recovery_reports_run
   ON recovery_reports(run_id);
 `;
+// v4.9.0 Slice 4 — daemon_incarnations table. Source of truth lives at
+// `core/v4/daemon/db/schema/v8.sql`; kept in sync via the migrations
+// test snapshot check. Distinct from the v1 `daemon_instances` table
+// (which keeps its random-UUID instance_id intact for existing
+// `evaluateBootState` / `reclaimStuckRuns` consumers); v8 introduces
+// the persistent daemon identity + per-boot incarnation correlation.
+const V8_SQL = `
+CREATE TABLE IF NOT EXISTS daemon_incarnations (
+  incarnation_id  TEXT    PRIMARY KEY,
+  daemon_id       TEXT    NOT NULL,
+  pid             INTEGER NOT NULL,
+  started_at      TEXT    NOT NULL,
+  ended_at        TEXT,
+  exit_reason     TEXT,
+  exit_code       INTEGER,
+  aiden_version   TEXT,
+  node_version    TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_incarnations_daemon
+  ON daemon_incarnations(daemon_id, started_at DESC);
+`;
+// v4.9.0 Slice 5 — durable run queue. Source of truth lives at
+// `core/v4/daemon/db/schema/v9.sql`; kept in sync via the migrations
+// test snapshot check.
+const V9_SQL = `
+CREATE TABLE IF NOT EXISTS run_attempts (
+  attempt_id     TEXT    PRIMARY KEY,
+  run_id         INTEGER NOT NULL,
+  attempt_number INTEGER NOT NULL,
+  incarnation_id TEXT    NOT NULL,
+  started_at     TEXT    NOT NULL,
+  ended_at       TEXT,
+  status         TEXT    NOT NULL,
+  finish_reason  TEXT,
+  error_class    TEXT,
+  error_message  TEXT,
+  FOREIGN KEY (run_id) REFERENCES runs(id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_run_attempts_run
+  ON run_attempts(run_id, attempt_number);
+CREATE INDEX IF NOT EXISTS idx_run_attempts_incarnation
+  ON run_attempts(incarnation_id);
+
+CREATE TABLE IF NOT EXISTS spans (
+  span_id        TEXT    PRIMARY KEY,
+  trace_id       TEXT    NOT NULL,
+  parent_span_id TEXT,
+  run_id         INTEGER,
+  attempt_id     TEXT,
+  incarnation_id TEXT    NOT NULL,
+  kind           TEXT    NOT NULL,
+  name           TEXT    NOT NULL,
+  started_at     TEXT    NOT NULL,
+  ended_at       TEXT,
+  status         TEXT,
+  attrs_json     TEXT,
+  error_class    TEXT,
+  error_message  TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_spans_trace  ON spans(trace_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_spans_run    ON spans(run_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_spans_parent ON spans(parent_span_id);
+
+CREATE TABLE IF NOT EXISTS run_idempotency_keys (
+  namespace        TEXT    NOT NULL,
+  key              TEXT    NOT NULL,
+  fingerprint      TEXT    NOT NULL,
+  run_id           INTEGER,
+  trigger_event_id INTEGER,
+  span_id          TEXT,
+  status           TEXT    NOT NULL,
+  created_at       TEXT    NOT NULL,
+  expires_at       TEXT,
+  result_ref       TEXT,
+  PRIMARY KEY (namespace, key)
+);
+CREATE INDEX IF NOT EXISTS idx_idempotency_expires
+  ON run_idempotency_keys(expires_at) WHERE expires_at IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_idempotency_run
+  ON run_idempotency_keys(run_id) WHERE run_id IS NOT NULL;
+`;
+// v4.9.0 Slice 7 — external trace adoption. Adds `external_trace_id`
+// to `spans` + `runs` for W3C traceparent adoption alongside Aiden's
+// typed `trc_<uuidv7>`. Source of truth: `db/schema/v10.sql`.
+const V10_SQL = `
+ALTER TABLE spans ADD COLUMN external_trace_id TEXT;
+ALTER TABLE runs  ADD COLUMN external_trace_id TEXT;
+CREATE INDEX IF NOT EXISTS idx_spans_external_trace
+  ON spans(external_trace_id) WHERE external_trace_id IS NOT NULL;
+`;
+// v4.9.0 Slice 12a — Hook system tables. Source of truth lives at
+// `core/v4/daemon/db/schema/v11.sql`.
+const V11_SQL = `
+CREATE TABLE IF NOT EXISTS hooks (
+  hook_id        TEXT    PRIMARY KEY,
+  name           TEXT    NOT NULL,
+  version        TEXT,
+  source         TEXT    NOT NULL,
+  runtime        TEXT    NOT NULL,
+  manifest_path  TEXT    NOT NULL,
+  code_hash      TEXT    NOT NULL,
+  enabled        INTEGER NOT NULL DEFAULT 0,
+  trust_state    TEXT    NOT NULL,
+  created_at     TEXT    NOT NULL,
+  updated_at     TEXT    NOT NULL,
+  UNIQUE(manifest_path)
+);
+CREATE TABLE IF NOT EXISTS hook_subscriptions (
+  subscription_id TEXT    PRIMARY KEY,
+  hook_id         TEXT    NOT NULL REFERENCES hooks(hook_id) ON DELETE CASCADE,
+  event           TEXT    NOT NULL,
+  matcher_json    TEXT,
+  authority       TEXT    NOT NULL,
+  mode            TEXT    NOT NULL,
+  priority        INTEGER NOT NULL DEFAULT 0,
+  timeout_ms      INTEGER NOT NULL,
+  on_error        TEXT    NOT NULL,
+  on_timeout      TEXT    NOT NULL,
+  enabled         INTEGER NOT NULL DEFAULT 1
+);
+CREATE INDEX IF NOT EXISTS idx_hook_subscriptions_event ON hook_subscriptions(event, enabled);
+CREATE TABLE IF NOT EXISTS hook_capability_grants (
+  grant_id     TEXT    PRIMARY KEY,
+  hook_id      TEXT    NOT NULL REFERENCES hooks(hook_id) ON DELETE CASCADE,
+  capability   TEXT    NOT NULL,
+  scope_json   TEXT    NOT NULL,
+  granted_by   TEXT,
+  granted_at   TEXT    NOT NULL,
+  revoked_at   TEXT
+);
+CREATE TABLE IF NOT EXISTS hook_executions (
+  hook_execution_id TEXT    PRIMARY KEY,
+  hook_id           TEXT    NOT NULL REFERENCES hooks(hook_id),
+  subscription_id   TEXT    REFERENCES hook_subscriptions(subscription_id),
+  event             TEXT    NOT NULL,
+  run_id            TEXT,
+  trace_id          TEXT,
+  span_id           TEXT,
+  parent_span_id    TEXT,
+  tool_call_id      TEXT,
+  status            TEXT    NOT NULL,
+  decision          TEXT,
+  elapsed_ms        INTEGER NOT NULL,
+  cpu_ms            INTEGER,
+  max_rss_kb        INTEGER,
+  exit_code         INTEGER,
+  payload_hash      TEXT,
+  response_hash     TEXT,
+  stdout_preview    TEXT,
+  stderr_preview    TEXT,
+  error_kind        TEXT,
+  error_message     TEXT,
+  started_at        TEXT    NOT NULL,
+  finished_at       TEXT    NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_hook_executions_run   ON hook_executions(run_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_hook_executions_hook  ON hook_executions(hook_id, started_at);
+CREATE INDEX IF NOT EXISTS idx_hook_executions_event ON hook_executions(event, started_at);
+`;
+// v4.9.0 Slice 12b — auto-disable rail. Just an ADD COLUMN; full
+// rationale lives in `core/v4/daemon/db/schema/v12.sql`.
+const V12_SQL = `
+ALTER TABLE hooks ADD COLUMN consecutive_failures INTEGER NOT NULL DEFAULT 0;
+`;
 const MIGRATIONS = [
     { version: 1, name: 'phase 1 — daemon foundation', sql: V1_SQL },
     { version: 2, name: 'phase 2 — file watcher observations', sql: V2_SQL },
@@ -324,6 +488,11 @@ const MIGRATIONS = [
     { version: 5, name: 'phase 5b — scheduled workflows', sql: V5_SQL },
     { version: 6, name: 'v4.6 phase 1 — sub-agent lineage', sql: V6_SQL },
     { version: 7, name: 'v4.6 phase 3b — self-improvement loop', sql: V7_SQL },
+    { version: 8, name: 'v4.9 slice 4 — daemon identity + incarnations', sql: V8_SQL },
+    { version: 9, name: 'v4.9 slice 5 — durable run queue', sql: V9_SQL },
+    { version: 10, name: 'v4.9 slice 7 — external trace adoption', sql: V10_SQL },
+    { version: 11, name: 'v4.9 slice 12a — hook system', sql: V11_SQL },
+    { version: 12, name: 'v4.9 slice 12b — hook auto-disable counter', sql: V12_SQL },
 ];
 exports.LATEST_SCHEMA_VERSION = MIGRATIONS[MIGRATIONS.length - 1].version;
 function getCurrentVersion(db) {