fix(store,index): auto-recover from SQLite database corruption

When SQLite reports "database disk image is malformed" or "disk I/O
error", the index is permanently broken until manually purged. Every
subsequent semantic_search call would fail with the same error because
touchChecked is never set and each retry hits the same corrupted file.

This change adds automatic recovery at two layers:

- store.New: if open/schema-setup fails with a corruption error, delete
  the DB file and its WAL/SHM sidecars and retry once from a clean state.
  In-memory databases are never deleted.

- Indexer.EnsureFresh / Index: if indexWithTree returns a corruption
  error mid-operation, log ERROR "corrupted database detected, rebuilding",
  call rebuildStore() (close → delete files → reopen), then retry with an
  empty stored hash so the fresh DB receives a full index pass.

Adds IsCorruptionErr(err) to the store package as the single source of
truth for what constitutes a SQLite corruption error.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: aeneasr

internal/index/index.go

@@ -87,6 +87,7 @@ type Indexer struct {
 	chunker        chunker.Chunker
 	maxChunkTokens int
 	logger         *slog.Logger
+	dsn            string // path to the SQLite database file; used for corruption recovery
 }
 
 // SetLogger attaches a logger to the indexer for structured diagnostic output.
@@ -107,9 +108,28 @@ func NewIndexer(dsn string, emb embedder.Embedder, maxChunkTokens int) (*Indexer
 		emb:            emb,
 		chunker:        chunker.NewMultiChunker(chunker.DefaultLanguages(maxChunkTokens)),
 		maxChunkTokens: maxChunkTokens,
+		dsn:            dsn,
 	}, nil
 }
 
+// rebuildStore closes the current store, deletes the database files, and
+// opens a fresh store. Must be called while holding idx.mu.Lock() or before
+// the Indexer is shared with other goroutines.
+func (idx *Indexer) rebuildStore() error {
+	_ = idx.store.Close()
+	if idx.dsn != "" && idx.dsn != ":memory:" {
+		for _, suffix := range []string{"", "-wal", "-shm"} {
+			_ = os.Remove(idx.dsn + suffix)
+		}
+	}
+	s, err := store.New(idx.dsn, idx.emb.Dimensions())
+	if err != nil {
+		return fmt.Errorf("open fresh store: %w", err)
+	}
+	idx.store = s
+	return nil
+}
+
 // Close closes the underlying store.
 func (idx *Indexer) Close() error {
 	return idx.store.Close()
@@ -146,7 +166,25 @@ func (idx *Indexer) Index(ctx context.Context, projectDir string, force bool, pr
 
 	stats, indexErr := idx.indexWithTree(ctx, projectDir, storedHash, force, curTree, progress)
 	if indexErr != nil {
-		return stats, indexErr
+		if !store.IsCorruptionErr(indexErr) {
+			return stats, indexErr
+		}
+		if idx.logger != nil {
+			idx.logger.Error("corrupted database detected during index, rebuilding",
+				"project", projectDir, "err", indexErr)
+		}
+		if rebuildErr := idx.rebuildStore(); rebuildErr != nil {
+			return Stats{}, fmt.Errorf("rebuild corrupted db: %w", rebuildErr)
+		}
+		// Retry with force=true so the fresh DB gets a full index pass.
+		stats, indexErr = idx.indexWithTree(ctx, projectDir, "", true, curTree, progress)
+		if indexErr != nil {
+			return stats, fmt.Errorf("reindex after rebuild: %w", indexErr)
+		}
+		stats.OldRootHash = storedHash
+		stats.NewRootHash = curTree.RootHash
+		stats.Reason = "rebuilt after corruption"
+		return stats, nil
 	}
 
 	if force {
@@ -191,7 +229,23 @@ func (idx *Indexer) EnsureFresh(ctx context.Context, projectDir string, progress
 
 	stats, err := idx.indexWithTree(ctx, projectDir, storedHash, false, curTree, progress)
 	if err != nil {
-		return false, stats, err
+		if !store.IsCorruptionErr(err) {
+			return false, stats, err
+		}
+		if idx.logger != nil {
+			idx.logger.Error("corrupted database detected during reindex, rebuilding",
+				"project", projectDir, "err", err)
+		}
+		if rebuildErr := idx.rebuildStore(); rebuildErr != nil {
+			return false, Stats{}, fmt.Errorf("rebuild corrupted db: %w", rebuildErr)
+		}
+		// Retry with empty storedHash so the fresh DB gets a full index pass.
+		stats, err = idx.indexWithTree(ctx, projectDir, "", false, curTree, progress)
+		if err != nil {
+			return false, stats, fmt.Errorf("reindex after rebuild: %w", err)
+		}
+		reason = "rebuilt after corruption"
+		storedHash = ""
 	}
 	stats.Reason = reason
 	stats.OldRootHash = storedHash

internal/store/store.go

@@ -18,6 +18,7 @@ package store
 import (
 	"database/sql"
 	"fmt"
+	"os"
 	"strings"
 
 	sqlite_vec "github.com/asg017/sqlite-vec-go-bindings/cgo"
@@ -30,6 +31,26 @@ func init() {
 	sqlite_vec.Auto()
 }
 
+// IsCorruptionErr reports whether err indicates SQLite database corruption.
+// These are the canonical SQLite error messages for an unrecoverable on-disk
+// data problem; the only safe recovery is to delete the database and rebuild.
+func IsCorruptionErr(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	return strings.Contains(msg, "database disk image is malformed") ||
+		strings.Contains(msg, "disk I/O error")
+}
+
+// deleteDBFiles removes the SQLite database file and its WAL/SHM sidecars.
+// Errors are silently ignored — the file may already be gone or unwritable.
+func deleteDBFiles(path string) {
+	for _, suffix := range []string{"", "-wal", "-shm"} {
+		_ = os.Remove(path + suffix)
+	}
+}
+
 // SearchResult represents a single result from a vector search.
 type SearchResult struct {
 	FilePath  string
@@ -56,7 +77,21 @@ type Store struct {
 // New opens (or creates) a SQLite database at dsn, enables WAL mode and
 // foreign keys, and creates the schema tables if they do not exist.
 // dimensions specifies the size of the embedding vectors.
+//
+// If the database file is corrupted (SQLite returns a corruption error during
+// open or schema setup), New deletes the file and its WAL/SHM sidecars and
+// retries once from a clean state. In-memory databases (dsn == ":memory:")
+// are never deleted.
 func New(dsn string, dimensions int) (*Store, error) {
+	s, err := openStore(dsn, dimensions)
+	if err != nil && IsCorruptionErr(err) && dsn != ":memory:" {
+		deleteDBFiles(dsn)
+		s, err = openStore(dsn, dimensions)
+	}
+	return s, err
+}
+
+func openStore(dsn string, dimensions int) (*Store, error) {
 	db, err := sql.Open("sqlite3", dsn)
 	if err != nil {
 		return nil, fmt.Errorf("open db: %w", err)