
fix(docker): chown runtime node_modules trees to hermes user (#18800) #19303

Closed
nudiltoys-cmyk wants to merge 1 commit into NousResearch:main from nudiltoys-cmyk:fix/18800-docker-chown-node-modules-hermes

nudiltoys-cmyk commented May 3, 2026

Contributor

What does this PR do?

the container drops privileges to the hermes user (uid 10000) in entrypoint.sh, but /opt/hermes/ui-tui and /opt/hermes/node_modules are root-owned from build time. the TUI launcher's _tui_need_npm_install() check trips on every startup (see the existing npm_config_install_links=false comment in the Dockerfile) and runs npm install in /opt/hermes/ui-tui, which fails with EACCES and the Chat tab closes immediately as [session ended]

chown both runtime trees to hermes:hermes in the existing permissions block. /opt/hermes/web is build-time only (HERMES_WEB_DIST points at hermes_cli/web_dist for runtime) and is intentionally not chowned

Related Issue

Fixes #18800

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

  • Dockerfile: chained chown -R hermes:hermes /opt/hermes/ui-tui /opt/hermes/node_modules onto the existing chmod -R a+rX /opt/hermes RUN under the Permissions block, with a short comment explaining why /opt/hermes/web is excluded
  • tests/tools/test_dockerfile_node_modules_perms.py: new contract test asserting both runtime trees are passed to a chown -R hermes:hermes command in the Dockerfile

How to Test

  1. before the patch, build the image and exec into a running container as the hermes user, then run npm install in /opt/hermes/ui-tui — fails with EACCES on /opt/hermes/ui-tui/packages/hermes-ink/node_modules/@esbuild/aix-ppc64
  2. with the patch applied, the same npm install succeeds
  3. open the dashboard with HERMES_DASHBOARD_TUI=1 and click the Chat tab — input is accepted instead of closing as [session ended]
  4. run python -m pytest tests/tools/test_dockerfile_node_modules_perms.py -q — passes against the patched Dockerfile, fails if either path is removed from the chown

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: Linux/amd64 via Docker

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

repro of the failure before the patch, from #18800:

npm ERR!   code: 'EACCES',
npm ERR!   syscall: 'mkdir',
npm ERR!   path: '/opt/hermes/ui-tui/packages/hermes-ink/node_modules/@esbuild/aix-ppc64'

after the patch, the same code path completes and the dashboard Chat tab is interactive
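
An added example, not part of the PR or the project's code: a Dockerfile ownership audit in the spirit of the contract test described above, which also flags a chown that reaches the build-only tree. The Dockerfile fragment is constructed from the PR description, and the names `run_commands`, `chowned_paths`, `covers` and `audit` are assumptions of this example.

```python
import re
import shlex

# Paths and owner come from the PR description. The Dockerfile text is
# constructed from that description; it is not the project's real Dockerfile.
RUNTIME_TREES = {"/opt/hermes/ui-tui", "/opt/hermes/node_modules"}
BUILD_ONLY = {"/opt/hermes/web"}  # described as intentionally not chowned
OWNER = "hermes:hermes"

SAMPLE_DOCKERFILE = """\
FROM debian:stable-slim
# /opt/hermes/web is build-time only, so it stays root-owned.
RUN chmod -R a+rX /opt/hermes && \\
    chown -R hermes:hermes /opt/hermes/ui-tui /opt/hermes/node_modules
"""

def run_commands(dockerfile):
    """Yield argv lists for each command in shell-form RUN instructions."""
    folded = re.sub(r"\\\r?\n", " ", dockerfile)  # join continuation lines
    for line in folded.splitlines():
        m = re.match(r"\s*RUN\s+(.*)", line, re.IGNORECASE)
        if m:
            for cmd in re.split(r"&&|;", m.group(1)):
                yield shlex.split(cmd)

def chowned_paths(dockerfile, owner=OWNER):
    """Return the paths handed to a recursive chown for `owner`."""
    paths = set()
    for argv in run_commands(dockerfile):
        if not argv or argv[0] != "chown":
            continue
        flags = [a for a in argv[1:] if a.startswith("-")]
        rest = [a for a in argv[1:] if not a.startswith("-")]
        recursive = any(f == "--recursive" or (not f.startswith("--") and "R" in f)
                        for f in flags)
        if recursive and rest and rest[0] == owner:
            paths.update(p.rstrip("/") for p in rest[1:])
    return paths

def covers(parent, path):
    """True if a recursive chown of `parent` also changes `path`."""
    return path == parent or path.startswith(parent + "/")

def audit(dockerfile):
    """Return (runtime trees left root-owned, chowns reaching build-only trees)."""
    got = chowned_paths(dockerfile)
    missing = sorted(t for t in RUNTIME_TREES if not any(covers(p, t) for p in got))
    too_wide = sorted(p for p in got if any(covers(p, b) for b in BUILD_ONLY))
    return missing, too_wide
```

`audit` returns two empty lists for the constructed fragment; a blanket `chown -R hermes:hermes /opt/hermes` clears the first list but lands in the second, because it also hands the build-only tree to the unprivileged user.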

alt-glitch added labels May 3, 2026: type/bug (Something isn't working), P2 (Medium — degraded but workaround exists), area/docker (Docker image, Compose, packaging), comp/tui (Terminal UI (ui-tui/ + tui_gateway/))
@nudiltoys-cmyk

Contributor Author

fwiw #20500 was filed today as a duplicate with the same root cause, and you tagged this PR as the fix. so leaving the chown patch as-is

happy to pick up vroomfondel's trigger-2 work from #18800 (the workspace link filter on _tui_need_npm_install's missing-check) as a separate PR if useful. that would stop the false-positive npm install firing on launch in the first place, with the chown here as the fallback if it ever fires anyway


Development

Successfully merging this pull request may close these issues.

Docker: Chat tab broken — npm install fails with EACCES due to root-owned node_modules
