fix(security): reduce unnecessary shell=True in subprocess calls

[teknium1]

Salvage of #6155 (@iuyup) onto current main.

Drops shell=True from two subprocess sites where the input isn't a user-authored shell snippet:

• Auto-detected whisper STT command (tools/transcription_tools.py) — args are already shlex.quote'd, so list mode is strictly safer. User templates via HERMES_LOCAL_STT_COMMAND still use shell mode (may contain pipes/redirects).
• Memory-plugin external_dependencies.check field (hermes_cli/memory_setup.py) — also adds check=True so the install hint actually fires (was previously dead code).

cli.py quick_commands keeps shell=True with a clarifying comment — that path is user-defined config, not agent-controlled.

Changes

• tools/transcription_tools.py: shell/list branching on env var presence
• hermes_cli/memory_setup.py: shlex.split + check=True
• cli.py: intent comment on quick_commands
• tests/tools/test_transcription_tools.py: new TestShellSafety class (3 tests)
• scripts/release.py: AUTHOR_MAP entry for contributor

Validation

Suite	Before	After
tests/tools/test_transcription_tools.py	92/92	95/95
tests/agent/test_memory_provider.py + test_hindsight_provider.py	158/158	158/158

Closes #6155.

Co-authored-by: iuyup 23yntong@stu.edu.cn

[github-actions]

🔎 Lint report: hermes/hermes-f85c5421 vs origin/main

ruff

Total: 0 on HEAD, 0 on base (➖ 0)

🆕 New issues: none

✅ Fixed issues: none

Unchanged: 0 pre-existing issues carried over.

ty (type checker)

Total: 8252 on HEAD, 8252 on base (➖ 0)

🆕 New issues (3):

Rule	Count
invalid-argument-type	3

First entries

run_agent.py:13591: [invalid-argument-type] invalid-argument-type: Argument to function `len` is incorrect: Expected `Sized`, found `(str & ~AlwaysFalsy) | (dict[Unknown | str, Unknown | str | dict[str, str]] & ~AlwaysFalsy) | (Any & ~AlwaysFalsy) | ... omitted 3 union elements`
run_agent.py:13588: [invalid-argument-type] invalid-argument-type: Argument to function `_is_oauth_token` is incorrect: Expected `str`, found `str | dict[Unknown | str, Unknown | str | dict[str, str]] | Any | ... omitted 3 union elements`
run_agent.py:7391: [invalid-argument-type] invalid-argument-type: Argument to function `build_anthropic_client` is incorrect: Expected `str`, found `str | dict[Unknown | str, Unknown | str | dict[str, str]] | Any | ... omitted 3 union elements`

✅ Fixed issues (3):

Rule	Count
invalid-argument-type	3

First entries

run_agent.py:13588: [invalid-argument-type] invalid-argument-type: Argument to function `_is_oauth_token` is incorrect: Expected `str`, found `str | dict[Unknown, Unknown] | Any | ... omitted 3 union elements`
run_agent.py:7391: [invalid-argument-type] invalid-argument-type: Argument to function `build_anthropic_client` is incorrect: Expected `str`, found `str | dict[Unknown, Unknown] | Any | ... omitted 3 union elements`
run_agent.py:13591: [invalid-argument-type] invalid-argument-type: Argument to function `len` is incorrect: Expected `Sized`, found `(str & ~AlwaysFalsy) | (dict[Unknown, Unknown] & ~AlwaysFalsy) | (Any & ~AlwaysFalsy) | ... omitted 3 union elements`

Unchanged: 4330 pre-existing issues carried over.

Diagnostics are surfaced as warnings — this check never fails the build.