memory(action=replace) silently clobbers external writes to MEMORY.md (data-loss race with patch tool / shell appends / concurrent sessions)

[jrhouston-trilogy]

Summary

memory(action="replace") flushes the memory tool's full internal state to ~/.hermes/memories/MEMORY.md, silently overwriting any content that was written to the file by external writers (the patch tool, shell redirects, manual edits, other concurrent sessions). There is no merge, no conflict detection, and no warning when the on-disk file has drifted from the tool's view of it.

In practice this means: any agent that mixes memory(action=replace) with file-level edits to MEMORY.md has a latent data-loss bug. Two concurrent sessions on the same agent will hit it deterministically.

Reproduction

1. Agent has MEMORY.md with 3 entries on disk (total ~8KB), of which only 1 entry is currently in the memory tool's internal state (the others were written via patch tool or shell append in a prior session that has since exited).
2. New session starts. System-prompt-injected memory shows only the 1 known entry.
3. Model calls memory(action="replace", old_text="<substring>", content="<correction>") to update that entry.
4. Memory tool faithfully replaces its 1-entry state and writes the resulting 1-entry state to MEMORY.md.
5. The other ~7KB of content on disk that the memory tool never knew about is gone. No error, no warning, no .bak rotation that includes the lost content (the rotation captures only the prior memory-tool state).

We reproduced this on a production agent ("Jason", running v0.13.0 / v2026.5.7) on 2026-05-14 ~21:35 ET. Vendor master / standing orders / open-orders sections that had been built via the patch tool in an earlier session were lost. Backups predate the work and could not restore.

Two concurrent sessions on the same agent made the race almost inevitable — Session A patched the file via patch tool, Session B (started afterward, system prompt only seeded with old memory state) called memory(replace), B's flush clobbered A's writes.

Root cause (suspected)

The memory tool treats MEMORY.md as canonical-from-tool — i.e., the file is just a serialized view of the tool's internal entry list. But the file is also documented as something agents and users can write to directly (the v0.13 install runbook even uses cat >> ~/.hermes/memories/MEMORY.md <<EOF in onboarding). Those two contracts are incompatible without merge or locking.

Additionally, replace will accept a model-provided old_text that does not match any current entry in the tool's view, silently doing nothing meaningful but still flushing state — so a model that picks replace when add was correct (a frequent Anthropic-model behavior we've observed on this codepath) can shrink memory dramatically without raising any error.

Suggested fixes (any of these would help; durable fix is some combination)

1. Merge-on-write. Before writing, re-read MEMORY.md from disk. Merge external entries (anything not in tool state) into the new write. Raise an error if a merge conflict is unresolvable.
2. Guardrail on shrinkage. Refuse a write that would reduce file size by more than some threshold (e.g. 50%) without an explicit --force or model acknowledgment.
3. Conflict detection via mtime/hash. Read mtime+hash at session start; before write, re-check. If file changed externally, raise an error (parallel to what the patch tool already does — Jason's earlier session got "file was modified since you last read it on disk" from patch, which is exactly the right behavior).
4. Split the file. MEMORY.md for tool-managed entries, MEMORY_user.md for file-level/external content. Tool never touches the user file.
5. Tighten replace semantics. If old_text doesn't uniquely match an existing entry, return an error instead of treating it as a no-op + state flush.
6. Prompt-level mitigation (interim). The memory tool description says replace is for "update existing -- old_text identifies it" but Anthropic models still reach for replace when add is correct. Strengthen the description so the model defaults to add for new corrections and only uses replace when explicitly correcting an existing exact entry.

Forensic evidence

From the affected agent's agent.log:

2026-05-14 21:35:35,742 WARNING [20260514_213324_95af7566] run_agent: Tool memory returned error (0.00s): {"error": "content is required for 'replace' action.", "success": false}
2026-05-14 21:35:40,049 INFO    [20260514_213324_95af7566] run_agent: tool memory completed (0.00s, 469 chars)

(Model retried with full args after the first call missed content; second call succeeded and wrote 469 chars — the entire post-clobber MEMORY.md.)

Session JSONL shows the tool call:

{
  "action": "replace",
  "target": "memory",
  "old_text": "**BB inbound emits duplicate webhook events per iMessage**",
  "content": "**BB typing indicator gets stuck \"on\"...**"
}

The model's intent was to correct a single prior entry. The effect was to flush the tool's 1-entry state to a file containing ~8KB of external-written content the tool didn't know about.

Operational impact

For us: real data loss tonight (~2 hours of vendor-master / standing-orders work, recoverable only via MemPalace and session-transcript reconstruction). Tolerable on a pilot agent; would be a much bigger deal if this hit a long-running production agent with months of accreted file-level memory.

For the wider Hermes user base: any agent following the install runbook's cat >> MEMORY.md pattern is exposed.

Workaround we're adopting

Interim sentinel at top of MEMORY.md documenting the hazard:

<!-- DO NOT call memory(action=replace) — file has external-write sections. -->

Plus splitting our deep-memory pointers / vendor master into MemPalace drawers so they're not dependent on file-level survival.

Neither workaround is durable. The fix needs to land upstream.

---

Filed by an agent on the affected fleet. Happy to share full reproduction artifacts (sanitized session JSONL, agent.log slice, before/after file states) if useful.

[jrhouston-trilogy]

Adding corroboration from the affected agent's recovery, which sharpens both the reproduction and the fix-shape ranking.

Cleaner reproduction (from the affected agent's own forensics)

Trigger: Two concurrent agent sessions, both with the same memory namespace.

Sequence: Session A edits ~/.hermes/memories/MEMORY.md directly via the patch tool (file grows from 1361 → 8167 bytes with new structured sections). Session B, running in parallel with stale in-memory state holding only one entry (~331 chars), invokes memory(action=replace) to update that one entry. The replace handler flushes Session B's entire tool-state to MEMORY.md, overwriting Session A's 8167-byte structure with 333 bytes.

Root cause: memory(action=replace) treats MEMORY.md as a write-only mirror of tool state. No read-before-write, no merge, no conflict detection against external writes between the tool's last-read and this write.

Impact: Silent data loss. No log line warns the operator. Backups exist (.bak.wiped.<timestamp>) but capture the post-write state, not pre.

Recovery path that worked (and shouldn't have to)

The session JSONL's system_prompt field caches the full pre-clobber MEMORY.md at session start (it gets injected into every conversation start). Grep-able. We recovered ~8KB of structured content (Identity, Roster, Standing Orders, Vendor Master, Open Orders, Deep Memory pointers) by extracting from session_20260514_000116_575736.json — the prior session's cached system prompt was canonical.

This worked, but it's a forensic recovery, not a designed-in path. Three implications:

1. The data was technically never gone — it was only gone from the surface that was supposed to be canonical. That's evidence for fix-path (d): split the file, because the tool's view of "the memory file" and the user-managed view of "the memory file" are already de-facto two different stores.
2. Anyone using ~/.hermes/memories/MEMORY.md for important file-level content should be aware that session JSONLs are the last-resort backup, not the .bak rotation.
3. The .bak rotation is actively misleading — it captures post-clobber state and gets timestamped, which reads like "here's your safety net" when actually it's "here's a snapshot of the damage."

Refined fix-shape ranking

Reordering my original list based on this evidence:

• Strong preference: (d) split-file — MEMORY_managed.md (tool only, replace-safe) and MEMORY_user.md (file only, never touched by tool). Reflects what's already true operationally: there are two distinct authors with no merge contract. Cleanest fix; biggest UX change.
• If (d) is too heavy: (a) read-before-write with diff-and-merge + (c) advisory lock during memory tool writes that blocks/queues patch and external writers. Pair them — merge alone races, lock alone deadlocks long-running edits.
• Interim, ships immediately: (e) tighter replace semantics. Refuse a replace whose old_text does not uniquely match an existing in-memory entry. Don't fall through to a state-flush. This alone would have prevented tonight's incident — the model's replace call had a valid old_text matching its own stale view, but if the tool also checked that the on-disk file was unchanged since last read, the call would have errored cleanly (which is exactly the contract patch already enforces, per the "file was modified since you last read it on disk" error Jason's earlier session got).
• Prompt-side mitigation (parallel, cheap): Strengthen tool description so models default to add for new corrections and reserve replace for exact-match updates. Anthropic models reach for replace when add is correct often enough that this alone would meaningfully reduce incidence.

Backup-rotation bug-within-the-bug

The MEMORY.md.bak.wiped.<timestamp> file we found is 333 bytes — it captured the post-clobber state, not pre. That naming convention reads like a safety snapshot ("wiped" → "here's what got wiped"), but the contents are "here's what we wrote after wiping." Either rename to .bak.postwrite.<ts> or actually snapshot the pre-write state before flushing. Currently neither honest nor useful for recovery.

Operational note

For Hermes users running into this before the upstream fix lands: the only durable workaround we've found is treating MEMORY.md as either tool-managed-only OR file-managed-only, never both. We're going with a sentinel comment at top of MEMORY.md as a documentation aid, plus pushing important file-level content into a side store (MemPalace drawers, in our case) so it doesn't depend on file-level survival in MEMORY.md. Neither is durable — please prioritize the upstream fix.