feat(dingtalk): default registration source to HERMES with disclosure update

[meng93]

Summary

This PR implements the follow-up action outlined in #11574:

Follow-ups (post-merge)
@teknium1 to reach out to DingTalk-Real-AI via their Alibaba contact to register hermes as a sanctioned source token.
When sanctioned, flip REGISTRATION_SOURCE default from openClaw → hermes and remove the disclosure. The DINGTALK_REGISTRATION_SOURCE env var already exists as an escape hatch.

Now that the Hermes source token has been sanctioned, this PR flips the default registration source from openClaw to HERMES and updates the disclosure accordingly.

What Changed

• Switched DINGTALK_REGISTRATION_SOURCE default from openClaw to HERMES.
• Added source normalization logic so hermes (lowercase) is normalized to HERMES.
• Kept env-based override behavior intact for non-Hermes custom values.
• Updated user-facing authorization disclosure text to clarify:
  • the flow is initiated by Hermes, and
  • DingTalk may still show OpenClaw branding on the authorization page.
• Added/updated tests to verify:
  • init request uses {"source": "HERMES"} by default,
  • default source is HERMES,
  • lowercase env input (hermes) is normalized to HERMES.

Related: Additional Official Enhancements

This PR also pairs well with #12769, which brings proactive messaging, media pipeline, card throttle, and other official platform-level improvements to the DingTalk adapter.

Why

As noted in #11574, once DingTalk-Real-AI confirmed and sanctioned the Hermes source token via the Alibaba channel, the default should reflect the sanctioned identity. This eliminates user confusion around legacy OpenClaw branding while maintaining backward compatibility via the existing DINGTALK_REGISTRATION_SOURCE env var escape hatch.

Scope

Files changed:

• hermes_cli/dingtalk_auth.py
• tests/hermes_cli/test_dingtalk_auth.py

No functional changes outside DingTalk registration source handling and related messaging/tests.

Test Plan

• Run targeted unit tests: tests/hermes_cli/test_dingtalk_auth.py
• Verify no linter issues in touched files
• Confirm branch diff against main only includes DingTalk auth + tests

Risks / Notes

• This changes the default source identity used in /app/registration/init.
• Existing explicit DINGTALK_REGISTRATION_SOURCE overrides still work.
• UI text now reflects Hermes-led flow while acknowledging DingTalk-side OpenClaw branding.