fix(install): don't clobber venv hermes entry point via symlink

[huangsen365]

What does this PR do?

scripts/install.sh::setup_path writes the user-facing launcher via
cat > "$command_link_dir/hermes" <<EOF. If a prior setup-hermes.sh run
had created that path as ln -sf … venv/bin/hermes (which it does on line 335),
the redirect follows the symlink and truncates the venv entry point itself.
The shim's exec "$HERMES_BIN" "$@" then exec's the file it just rewrote → the
hermes command hangs forever in infinite recursion. Users hit this whenever
they run setup-hermes.sh and scripts/install.sh on the same machine.

Fix: rm -f "$command_link_dir/hermes" before the cat >, so any pre-existing
symlink is removed before the shim is written.

Related Issue

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)

Changes Made

• scripts/install.sh: add rm -f "$command_link_dir/hermes" before the launcher write in setup_path, with a comment explaining the symlink-clobber hazard.
• tests/test_install_sh_launcher_symlink_safe.py (new): two regression tests — a static check that rm -f precedes the cat >, plus an end-to-end filesystem simulation that creates the exact symlink layout and verifies the venv entry point is not truncated.

How to Test

Reproduce the bug on main:

tmp=$(mktemp -d) && mkdir -p "$tmp/venv/bin" "$tmp/link"
printf 'real entry point\n' > "$tmp/venv/bin/hermes"
ln -sf "$tmp/venv/bin/hermes" "$tmp/link/hermes"
HERMES_BIN="$tmp/venv/bin/hermes" command_link_dir="$tmp/link" \
  bash -c 'cat > "$command_link_dir/hermes" <<EOF
exec "\$HERMES_BIN" "\$@"
EOF'
cat "$tmp/venv/bin/hermes"   # sentinel is gone — venv binary was clobbered

On this branch, the new test demonstrates the fix:

pytest tests/test_install_sh_launcher_symlink_safe.py -v

Both tests pass; running the snippet above with rm -f "$command_link_dir/hermes" inserted leaves the sentinel intact.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix
• I've run pytest tests/test_install_sh_launcher_symlink_safe.py tests/test_install_sh_pythonpath_sanitization.py -v and all tests pass
• I've added tests for my changes
• I've tested on my platform: macOS 15 (Darwin 25.4.0)

Documentation & Housekeeping

• N/A — no doc surface affected
• N/A — no config keys changed
• N/A — no architecture change
• Cross-platform: fix is a portable rm -f and applies on every non-Windows install path
• N/A — no tool schemas changed

🤖 Generated with Claude Code

[alt-glitch]

Duplicate of #21513 (and related to #20747, #22472). Same fix: rm -f before the cat > heredoc in install.sh setup_path() to prevent shell redirection from following a pre-existing symlink into venv/bin/hermes.

[teknium1]

Closing as already fixed on main.

Triage notes (high confidence):
Main already has rm -f "$command_link_dir/hermes" at scripts/install.sh:1297 immediately preceding the cat > ... at line 1298 — the exact change this PR proposes.

If you still see this on the latest version, please reopen with reproduction steps.

(Bulk-closed during a CLI triage sweep.)