feat(agents): hermes home-normalization + system-scope gateway (closes #437)

[thinmintdev]

Runs Hermes entirely as the hal0 system user, out of root, on the normalized hermes default home, with the messaging gateway as a system-scope service.

What changed

• HERMES_HOME → /var/lib/hal0/.hermes everywhere (provisioner default, hal0-agent@hermes override.conf, installer script, both wrappers, personas/shim path refs).
• Gateway → system service, User=hal0 — _phase_gateway_secrets_wire writes the idempotent secrets drop-in to /etc/systemd/system/hermes-gateway.service.d/10-hal0-secrets.conf (survives hermes gateway install regenerating the main .service). No linger, no /root.
• Installer wires the gateway: install.sh now runs hermes gateway install --system --run-as-user hal0 + enable --now (HERMES_HOME unset so the generator bakes the .hermes default), so a fresh install boots with Telegram/Discord connected.
• Canonical CLI /usr/local/bin/hermes (no HERMES_HOME pin); hal0-hermes → back-compat symlink.
• Fixed HERMES_WEB_DIST to the real venv site-packages path (was crash-looping the dashboard with --skip-build).
• Reconciled the stale status() test against the W9 real-health contract (stub systemd/port probes + a live-unit guard test).
• Tests + docs (spec & plan under docs/internal/).

Live cutover

This box was cut over in-place 2026-06-03, preserving all state (37 sessions, kanban, memories): both services now run as hal0 on .hermes, telegram+discord connected, dashboard 200.

Follow-ups (tracked, not in this PR)

• A bootstrap test running as root can write a pytest-tmp EnvironmentFile into the real /etc/systemd/system/... (patches HERMES_SECRETS_ENV but not the dropin path) — test-isolation fix.
• Legacy /var/lib/hal0/agents/hermes retained pending an audit of AGENTS_ROOT-based code (budget/personas/restart).

Closes #437.