feat(hermesagent): replace shim+system-unit pattern with hermes-native user services

The previous approach used a /usr/bin/hermes shim to proxy commands from root
to the hermes user, and a hand-crafted system-level systemd unit for the
gateway. This worked for the default profile but broke down for named profiles:

- hermes profile create <name> generates an alias script in
  ~/.local/bin/<name> that calls hermes with -p <name>. These aliases live
  in the hermes user's PATH, not root's, so root could not invoke them.
- Maintaining parity would require per-profile shims, a watcher daemon to
  create/remove them, and system-unit mirrors for each profile gateway — all
  of which would need to stay in sync with hermes internals across updates.

New approach — work with hermes, not around it:

- loginctl enable-linger hermes: ensures the hermes user's systemd session
  starts at boot and persists without login. All user-unit gateways (default
  and per-profile) now survive reboots automatically.
- Gateway service management delegated entirely to hermes: 'hermes gateway
  install' / 'hermes setup' create and enable the user unit natively.
  The install script no longer pre-installs the gateway; hermes prompts the
  user to do so at the end of 'hermes setup'.
- hermes-dashboard.service remains a system unit (no native install command
  exists for it). Its After= no longer references hermes-gateway.service
  since there is no system-unit gateway to depend on.
- /usr/bin/hermes shim removed. Root is guided to 'su - hermes' via a two-
  line /etc/profile.d/hermes-hint.sh message on login, with a one-liner to
  make the switch automatic. Once logged in as hermes, all hermes commands,
  profile aliases, and gateway management work natively.
- update_script simplified: only hermes-dashboard (our unit) is stopped and
  restarted. hermes update --yes handles gateway service lifecycle itself.

install/hermesagent-install.sh

@@ -22,6 +22,7 @@ NODE_VERSION="22" setup_nodejs
 
 msg_info "Creating Hermes User"
 useradd -m -s /bin/bash hermes
+loginctl enable-linger hermes
 msg_ok "Created Hermes User"
 
 msg_info "Installing Hermes Agent"
@@ -60,38 +61,11 @@ chmod 750 /home/hermes
 chmod 700 /home/hermes/.hermes
 msg_ok "Configured API Server"
 
-msg_info "Creating Service"
-cat <<EOF >/etc/systemd/system/hermes-gateway.service
-[Unit]
-Description=Hermes Agent Gateway
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-User=hermes
-Group=hermes
-UMask=0077
-WorkingDirectory=/home/hermes
-ExecStart=/home/hermes/.local/bin/hermes gateway run --replace
-Environment="HERMES_HOME=/home/hermes/.hermes"
-Environment="HOME=/home/hermes"
-Restart=on-failure
-RestartSec=5
-ProtectProc=invisible
-ProcSubset=pid
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q --now hermes-gateway
-msg_ok "Created Service"
-
 msg_info "Creating Dashboard Service"
 cat <<EOF >/etc/systemd/system/hermes-dashboard.service
 [Unit]
 Description=Hermes Agent Web Dashboard
-After=network-online.target hermes-gateway.service
+After=network-online.target
 Wants=network-online.target
 
 [Service]
@@ -116,18 +90,14 @@ EOF
 systemctl enable -q --now hermes-dashboard
 msg_ok "Created Dashboard Service"
 
-msg_info "Creating Hermes Shim"
-cat <<'EOF' >/usr/bin/hermes
-#!/bin/bash
-cd /home/hermes
+msg_info "Configuring Login Guidance"
+cat <<'EOF' >/etc/profile.d/hermes-hint.sh
 if [[ "$(id -u)" -eq 0 ]]; then
-  exec runuser -u hermes -- /home/hermes/.local/bin/hermes "$@"
-else
-  exec /home/hermes/.local/bin/hermes "$@"
+  echo "  Run 'su - hermes' to manage Hermes Agent and profiles."
+  echo "  To auto-switch on login: echo 'exec su - hermes' >> /root/.bash_profile"
 fi
 EOF
-chmod +x /usr/bin/hermes
-msg_ok "Created Hermes Shim"
+msg_ok "Configured Login Guidance"
 
 motd_ssh
 customize