nix: automatic lockfile fixing to keep main building with nix

[ethernet8023]

What does this PR do?

Adds tooling to keep nix builds working on main seamlessly.

Factors the npm-lockfile tooling shared between nix/tui.nix and nix/web.nix into a reusable
nix/lib.nix, and adds a CI lane that detects stale fetchNpmDeps hashes on PRs and lets a
maintainer apply the fix with one click.

Each npm-backed package (tui, web) now exposes passthru.npmLockfile = { attr; folder; nixFile; }, and a new top-level .#fix-lockfiles aggregates them into a single --check / --apply script.
Adding a third npm workspace is "callPackage + set passthru + add to the list" — no workflow
edits.

Type of Change

• ✨ New feature (non-breaking change that adds functionality)
• ♻️ Refactor (no behavior change)

Changes Made

• nix/lib.nix (new) — mkUpdateLockfileScript, mkNpmDevShellHook, mkFixLockfiles. The devshell
  hook now hashes package.json + package-lock.json in bash at shell-entry time and re-stamps after
  install so a lockfile npm rewrites still matches.
• nix/tui.nix, nix/web.nix — use the lib helpers; expose passthru.npmLockfile metadata.
• nix/packages.nix — wire hermesNpmLib; add packages.fix-lockfiles built from [ hermesTui
  hermesWeb ].
• nix/devShell.nix — include hermes-web so its devshell hook runs too.
• .github/workflows/nix-lockfile-check.yml (new) — on PR, nix run .#fix-lockfiles -- --check; if
  stale, post a sticky comment with a - [ ] **Apply lockfile fix** task-list checkbox plus a
  manual dispatch link.
• .github/workflows/nix-lockfile-fix.yml (new) — triggers on workflow_dispatch or
  issue_comment.edited when that checkbox flips; verifies the actor has write access via
  getCollaboratorPermissionLevel, resolves the PR head, runs --apply, commits, and pushes.

How to Test

1. nix flake check --no-build works
2. nix run .#fix-lockfiles -- --check exits 0 on a clean tree; exits 1 and prints a diff-style
   report if a lockfile hash is stale.
3. Hand-edit nix/web.nix to bogus hash = "", then nix run .#fix-lockfiles -- --apply rewrites the hash and re-verifies.
4. nix develop: .nix-stamps/hermes-tui and .nix-stamps/hermes-web are created/updated based on
   the bash-computed hash, re-run is a no-op when lockfiles haven't changed.
5. On a PR that dirties ui-tui/package-lock.json, the check workflow posts a sticky comment;
   ticking the checkbox triggers the fix workflow which pushes a fix(nix): refresh npm lockfile hashes commit to the PR branch.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: NixOS 26.05 (Yarara) x86_64