fix(cron): resolve BSM secrets in scheduler run_job (#33465)

[trac3r00]

Replaces bare dotenv.load_dotenv() with load_hermes_dotenv() from hermes_cli.env_loader in cron/scheduler.py so Bitwarden Secrets Manager (BSM) credentials are resolved for cron jobs.

Root cause: run_job loaded env via plain python-dotenv, skipping the _apply_external_secret_sources path entirely. Any cron job needing a BSM-managed key failed with HTTP 401.

What changed:

• cron/scheduler.py: 5-line bare dotenv block → single load_hermes_dotenv(hermes_home=_get_hermes_home()) call
• Tests: updated all 19 dotenv.load_dotenv mocks across test_scheduler.py, test_cron_profile.py", test_cron_workdir.pyto mockcron.scheduler.load_hermes_dotenv` instead
• Added test_cron_bsm_resolution.py regression test verifying the scheduler calls load_hermes_dotenv during run_job

Deduplication: _apply_external_secret_sources already guards by _APPLIED_HOMES (per commit de76f4d), so redundant BSM pulls on subsequent ticks are avoided.

Closes #33465

[liuhao1024]

I found one issue worth fixing before merge.

tests/cron/test_cron_bsm_resolution.py:27 — monkeypatch/import mismatch means the test doesn't actually verify BSM resolution.

The production code uses a local import inside _run_job_impl:

# cron/scheduler.py, inside _run_job_impl()
from hermes_cli.env_loader import load_hermes_dotenv
load_hermes_dotenv(hermes_home=_get_hermes_home())

But the test patches at the module level:

monkeypatch.setattr("cron.scheduler.load_hermes_dotenv", _fake_load_hermes_dotenv)

Because the import is local (inside the function body), Python resolves from hermes_cli.env_loader import load_hermes_dotenv at call time, reading directly from hermes_cli.env_loader — the module-level attribute set by monkeypatch is never consulted. The real load_hermes_dotenv runs instead of the fake.

The test passes by accident: the real function loads tmp_path/.env (which doesn't exist), so it's a no-op, and the assertion captured.get("called") is True silently fails... wait, it actually does fail. Let me re-check.

Actually, monkeypatch.setattr("cron.scheduler.load_hermes_dotenv", ...) sets cron.scheduler.load_hermes_dotenv as a module attribute. The local import from hermes_cli.env_loader import load_hermes_dotenv binds load_hermes_dotenv to a local variable inside the function. The module attribute is irrelevant — the local import shadows it.

The same pattern affects all test_scheduler.py patches — patch("cron.scheduler.load_hermes_dotenv") sets a module attribute that the local import never reads. These tests work because load_hermes_dotenv with an empty .env is a no-op, not because the mock intercepts it.

Suggested fix — either:

1. Patch the source module: monkeypatch.setattr("hermes_cli.env_loader.load_hermes_dotenv", _fake_load_hermes_dotenv) — this intercepts the import wherever it happens.

2. Or add a module-level import in cron/scheduler.py so the module attribute is actually used:

# At top of cron/scheduler.py
from hermes_cli.env_loader import load_hermes_dotenv

Then the patch("cron.scheduler.load_hermes_dotenv") pattern works because the local name load_hermes_dotenv is bound at import time to the module attribute.

Option (1) is the minimal change. Option (2) is more consistent with how test_scheduler.py patches other imports (like hermes_state.SessionDB).

[alt-glitch]

Competing fix for #33465. Also see PR #33479 (BSM-only fix) and PR #33527 (omnibus fix: BSM + ticker hardening + null-safe deliver). Maintainers should pick one.