feat: add Hermes Agent LXC

Adds container scripts for Hermes Agent (Nous Research), a self-improving
AI agent with LLM provider integration, terminal execution, web browsing,
and multi-platform messaging support.

Files:
- ct/hermes-agent.sh
- install/hermes-agent-install.sh
- json/hermes-agent.json
- ct/headers/hermes-agent

Deviations from standard patterns (justified):

1. Uses upstream installer (curl-pipe) instead of fetch_and_deploy_gh_release:
   Hermes is a uv-managed Python application with complex dependency
   resolution, virtualenv management, and binary placement—not a single
   binary or tarball from GitHub Releases.

2. Dedicated 'hermes' service user (not running as root):
   The agent executes arbitrary terminal commands on behalf of the user.
   Running as root would give the AI unrestricted system access. This
   follows the protonmail-bridge service-user pattern for isolation.

3. Dashboard (port 9119) bound to localhost only, requiring SSH tunnel:
   The web UI provides admin access to an AI that can execute commands.
   SSH tunnel provides an authentication/authorization boundary.

4. /usr/bin/hermes shim script:
   The hermes CLI validates cwd permissions; running 'hermes' as root
   from /root fails. The shim cd's to /home/hermes and exec's as the
   hermes user via runuser.

5. setsid --wait wrapping of upstream installer:
   The upstream installer probes /dev/tty for interactive prompts even
   with --skip-setup; setsid detaches the controlling terminal.
Stephen Chin
2026-05-02 06:25:28 -07:00
parent b0cb194bd5
commit adbfd66056
4 changed files with 247 additions and 0 deletions

ct/headers/hermes-agent Normal file

@@ -0,0 +1,6 @@
__ __ ___ __
/ / / /__ _________ ___ ___ _____ / | ____ ____ ____ / /_
/ /_/ / _ \/ ___/ __ `__ \/ _ \/ ___/ / /| |/ __ `/ _ \/ __ \/ __/
/ __ / __/ / / / / / / / __(__ ) / ___ / /_/ / __/ / / / /_
/_/ /_/\___/_/ /_/ /_/ /_/\___/____/ /_/ |_\__, /\___/_/ /_/\__/
/____/
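
Review bot: line 3 of this banner contains backticks and lines 3 and 5 contain backslashes, so whatever displays ct/headers/hermes-agent has to emit the file verbatim (cat, or printf '%s\n' on each line read with read -r). If the content ever passes through an unquoted here-document, echo -e or eval, the backtick pairs are parsed as command substitution and the backslashes as escapes, which garbles the banner and runs the text between the backticks as a command. Please confirm the display path treats this file as data only, and keep it that way if the banner is regenerated.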