fix(nix): refresh hermes-web npm-deps hash

[ak2k]

Summary

The hash currently checked into nix/web.nix (sha256-AahWmJ9gDQ9pMPa1FYwUjYdO2mOi6JM9Mst27E0vp68=) doesn't match what fetchNpmDeps actually produces from web/package-lock.json. Builds on nixos-unstable-tracking consumers fail with:

error: hash mismatch in fixed-output derivation '.../npm-deps.drv':
         specified: sha256-AahWmJ9gDQ9pMPa1FYwUjYdO2mOi6JM9Mst27E0vp68=
            got:    sha256-+B2+Fe4djPzHHcUXRx+m0cuyaopAhW0PcHsMgYfV5VE=

The hash-refresh bot last ran at f62272b (Apr 28); since then the hash has drifted. This is the mechanical fix the bot would otherwise produce — recomputed via:

nix build .#web 2>&1 | grep got:

Reproduced on x86_64-linux against inputs.hermes-agent.inputs.nixpkgs (NixOS/nixpkgs@6201e203, the rev pinned in flake.lock), so this isn't a consumer-side nixpkgs drift.

Test plan

• nix build .#web succeeds with new hash
• hermes-agent default package builds end-to-end (since web is a build-time dep of the agent closure)

[OutThisLife]

Hey @ak2k — I missed this PR and opened a duplicate at #17174 a couple hours later. Sorry for the overlap.

Closing this in favor of #17174 because mine bundles a related script fix:

When I rebased my open PRs onto main, every one of them hit the same broken nix-lockfile-check that's now red here too. Root cause is independent of the hash: the fix-lockfiles script in nix/lib.nix falls over when GitHub's Magic Nix Cache rate-limits mid-run (HTTP 418 → some outputs of '/nix/store/...-npm-deps.drv' are not valid, so checking is not possible), because it can't extract a got: line and bails with build failed with no hash mismatch. So even with the correct hash committed, the auxiliary lint stays red whenever GH cache throttles — which is most runs right now.

#17174 ships:

1. The same hash refresh you have here (Aah… → +B2…).
2. A guard in fix-lockfiles that recognizes throttling/cache-disabled signatures and skips the entry with a warning instead of failing the lint. Real stale hashes still surface in the primary nix (ubuntu-latest) build, so coverage is preserved.

If you'd rather take the hash-only path through your branch and leave the script fix for later, happy to flip it the other way — just let me know. Otherwise I'll close this one out.