fix(tools): surface dropped MEDIA attachments in send_message result

[konsisumer]

What does this PR do?

Fixes the Telegram MEDIA:<path> false-success in the send_message tool path. When a MEDIA directive resolves to a path outside the allowed media roots, filter_media_delivery_paths drops it (logging Skipping unsafe MEDIA directive path outside allowed roots), but the text portion still sends — so the tool returned an unqualified {"success": true} while the user received no attachment. The model/user had no signal that the attachment was silently dropped.

The fix records how many MEDIA paths the safety filter rejected and, when the send otherwise succeeds, appends a clear warnings entry to the result. The text still delivers (so it isn't a hard error), but the result no longer masquerades as a successful attachment delivery, and it tells the operator how to fix it (move the file under a Hermes media cache or add its directory to HERMES_MEDIA_ALLOW_DIRS).

Scope note: this addresses the false-success regression and adds regression coverage. The issue also asks for an operator-facing real-sendVoice/sendAudio smoke-test script and broader auditing of the gateway auto-delivery path — those are deferred to a follow-up, hence Refs rather than Fixes below.

Related Issue

Refs #32644

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• tools/send_message_tool.py: in _handle_send, capture the requested MEDIA count before filtering, compute how many paths the safety filter dropped, and append a warning to a successful result when any were dropped.
• tests/tools/test_send_message_tool.py: add test_dropped_media_surfaces_warning_not_clean_success (rejected archive path produces a warning) and test_safe_media_send_has_no_dropped_warning (an allowlisted path still delivers with no false-positive warning).

How to Test

1. With recency-trust disabled, send a Telegram message whose body contains [[audio_as_voice]] plus a MEDIA:<path> pointing outside the allowed media roots (e.g. an archived ~/.hermes/voice-episodes/.../teaser.ogg not on the allowlist).
2. Confirm the returned result is still success: true for the text but now carries a warnings entry stating the attachment was blocked and not delivered.
3. Add the archive directory to HERMES_MEDIA_ALLOW_DIRS (or move the file under a Hermes media cache) and resend; confirm the attachment is delivered and no dropped-media warning appears.
4. Run the regression tests: pytest tests/tools/test_send_message_tool.py -k "media or dropped or safe_media" -q.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/tools/test_send_message_tool.py -q and the relevant tests pass (24 passed)
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: macOS on darwin-arm64 (local)

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — change is pure Python string/count logic, scripts/check-windows-footguns.py clean

[alt-glitch]

Competing with #32054 and #31864 — all three surface rejected/dropped MEDIA paths in send_message results instead of silently dropping them. This PR is the most focused (send_message_tool.py only, 2 files). #32054 also covers base.py, run.py, scheduler.py, yuanbao, weixin. #31864 restructures filter_media_delivery_paths return type. All ref #32644.

[konsisumer]

Closing as a duplicate of my own #34178 — both open PRs target the same change. Keeping #34178; reopen this one if that PR stalls.

[konsisumer]

Heads-up: this PR and my own #34178 target the same change (self-duplicate). I'm keeping #34178 as the primary — please pick whichever you prefer and close the other. Leaving this one open for you to decide.