fix(runtime): resolve bare custom provider to loopback or CUSTOM_BASE_URL (#14676)

[georgex8001]

Summary

Fixes incorrect routing when the user explicitly selects the Custom provider (e.g. via /model) while model.provider in config.yaml still reflects a previous provider (e.g. openrouter). In that case, model.base_url was ignored unless provider: custom, so resolution fell through to OpenRouter with a local model id (see #14676).

Changes

• Trust model.base_url for bare custom when either:
  • model.provider is custom, or
  • the configured base_url host is loopback (localhost, 127.0.0.1, ::1, 0.0.0.0).
• Consult CUSTOM_BASE_URL before OpenRouter default URLs so users can pin a local endpoint without a named custom:* entry.
• Reject non-loopback model.base_url when provider is not custom, so a stale cloud URL cannot hijack a Custom session.

Tests

• tests/hermes_cli/test_runtime_provider_resolution.py: three regressions for loopback YAML + non-custom provider, CUSTOM_BASE_URL override, and non-loopback URL not trusted.

Fixes #14676

[teknium1]

Partial salvage: your runtime_provider.py commit (44e02f2) landed via #15103. The ACP/approval contextvar refactor commit (d9ef7a7) is a separate scope and is worth reviewing on its own — leaving this PR open for that piece. If you'd rather, we can drop the runtime commit from this branch (now duplicated on main) and leave just the ACP change, or close this and open a new PR for the ACP work. Your call.

[georgex8001]

Awesome, thanks for cherry-picking the runtime fix! I completely agree that the ACP contextvar refactor deserves its own isolated review scope.

To keep things completely clean and avoid any git rebase confusion, I will close this PR and open a fresh, dedicated PR targeting main containing solely the d9ef7a7 commit for the ACP concurrency fix. Give me a few minutes!