Bug: hermes profile install/update destructively replaces local skills despite distribution_owned flag

[Phantomthedog]

Bug Report: hermes profile install/update destructively replaces local profile skills despite distribution_owned flag

Description

Native hermes profile install and hermes profile update commands are unsafe for live profiles because the distribution_owned flag in the distribution manifest is ignored. The code path in profile_distribution.py (approximately lines 554–556) deletes existing local skill directories before copying distribution files, causing destructive replacement of live profile content regardless of whether the profile has locally-authored skills that should be preserved.

Observed Behavior

When running hermes profile install or hermes profile update on a live profile that has local skills not part of the distribution:

1. The tool deletes the target profile's skills/ directory
2. Copies distribution skills in
3. Any locally-installed/developed skills are lost

The distribution_owned flag (which should protect locally-owned assets from deletion) is present in the manifest schema but not enforced during the install/update operation.

Root Cause

profile_distribution.py performs a destructive sync rather than an additive merge. It treats the distribution as authoritative and the local state as replaceable, which is incorrect for live profiles that accumulate locally-authored skills (e.g., custom skills in skills/devops/, skills/review/, etc.).

Impact

• Data loss — locally installed skills destroyed on every profile update
• Broken workflow — users who maintain per-profile custom skills cannot safely use native install/update
• Workaround required — all convergence must use manual cp with backup, not the native tooling

Reproduction

1. Install a custom skill locally: ~/.hermes/profiles/worker/skills/devops/my-custom-skill/SKILL.md
2. Run hermes profile update worker
3. Observe: my-custom-skill/ is deleted, replaced only with distribution-bundled skills

Suggested Fix

Option A — Honor distribution_owned: Do not delete or overwrite skills that are marked as distribution_owned: false or skills that do not exist in the distribution manifest.

Option B — Additive merge: Change the install/update to add/update only distribution-managed files, leaving all other files intact. Delete only files whose distribution manifest explicitly marks them for removal.

Option C — Safe mode: Add a --safe or --additive flag that prevents any deletion, only adding missing files.

[mohsinzahid]

Still present at current main (e71d746) — confirmed with a minimal end-to-end repro (below). Two scope notes from digging into the mechanism:

• It's not only skills: user-added cron/ jobs are deleted the same way. _copy_dist_payload() rmtree+recopies every top-level directory the staged distribution ships — the distribution_owned manifest list isn't consulted by the copy step at all (DistributionManifest.owned_paths() has no caller on that path), so manifest-level protection can't help either.
• Both help texts promise the opposite: install --force says "Overwrite an existing profile of the same name (user data preserved)" and update says "Re-pull a distribution and apply updates (user data preserved)" — but "user data" in the implementation only covers the top-level USER_OWNED_EXCLUDE names (memories/, sessions/, .env, auth.json, …). Sharpest edge: hermes skills install writes into the active profile's skills/ tree, so one first-party command silently destroys what another first-party command installed.

Opened #44386 with a fix along this issue's Option B (additive merge — dist-shipped skill dirs still replace wholesale so files dropped or renamed by a new version don't linger) plus regression tests covering the skills/<category>/<custom-skill> layout from the repro here.

copy-paste repro (prints BUG on stock main, OK with #44386)

#!/usr/bin/env bash
set -euo pipefail
HERMES_CMD="${HERMES_CMD:-hermes}"
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
export HERMES_HOME="$TMP/hermes-home"
mkdir -p "$HERMES_HOME"

DIST="$TMP/demo-dist"
mkdir -p "$DIST/skills/dist-skill"
cat > "$DIST/distribution.yaml" <<'EOF'
name: demodist
version: 0.1.0
description: minimal repro distribution
EOF
printf -- '---\nname: dist-skill\ndescription: shipped by the distribution\n---\n# dist skill\n' \
  > "$DIST/skills/dist-skill/SKILL.md"
printf 'soul\n' > "$DIST/SOUL.md"

$HERMES_CMD profile install "$DIST" --yes >/dev/null

PROFILE="$HERMES_HOME/profiles/demodist"
mkdir -p "$PROFILE/skills/my-skill"
printf -- '---\nname: my-skill\ndescription: added by the user\n---\n# my skill\n' \
  > "$PROFILE/skills/my-skill/SKILL.md"
echo "skills before reinstall: $(ls "$PROFILE/skills" | tr '\n' ' ')"

$HERMES_CMD profile install "$DIST" --yes --force >/dev/null

echo "skills after reinstall:  $(ls "$PROFILE/skills" | tr '\n' ' ')"
if [ -d "$PROFILE/skills/my-skill" ]; then
  echo "OK: user-added skill preserved"
else
  echo "BUG: user-added skill was DELETED"
fi