fix(cron): use load_hermes_dotenv so BSM secrets resolve for cron jobs

[liuhao1024]

What does this PR do?

cron/scheduler.py uses bare dotenv.load_dotenv() to reload .env before each cron job. This skips the BSM (Bitwarden Secrets Manager) resolution that hermes_cli.env_loader.load_hermes_dotenv() provides, so any cron job that needs a BSM-managed credential (Discord token, provider key, etc.) sees the .env placeholder instead of the real value → HTTP 401.

Fix: Replace from dotenv import load_dotenv; load_dotenv(...) with from hermes_cli.env_loader import load_hermes_dotenv; load_hermes_dotenv(hermes_home=_get_hermes_home()). This matches the gateway's own .env loading behavior and activates BSM resolution for cron jobs.

Related Issue

Fixes #33465

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)

Changes Made

• cron/scheduler.py — Replace bare load_dotenv() with load_hermes_dotenv() in _run_job_impl() (~line 1470)
• tests/cron/test_scheduler.py — Update 16 mock patches from "dotenv.load_dotenv" to "hermes_cli.env_loader.load_hermes_dotenv"
• tests/cron/test_cron_profile.py — Update 2 monkeypatch.setattr calls and assertions for new function signature (hermes_home= keyword arg)
• tests/cron/test_cron_workdir.py — Update 1 monkeypatch.setattr call

How to Test

1. Run pytest tests/ -q — all tests should pass
2. Verify the specific scenario described above is resolved

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: macOS 26.4.1

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture and workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A

Code Intelligence

• Analyzed: cron/scheduler.py:_run_job_impl (called per cron job, .env reload at ~line 1470)
• Blast radius: LOW — single call site, isolated to cron job initialization
• Related patterns: hermes_cli.env_loader.load_hermes_dotenv used in gateway startup (cli.py, gateway/run.py)
• load_hermes_dotenv internally handles encoding fallback (_load_dotenv_with_fallback) and env file sanitization, so the explicit try/except UnicodeDecodeError is no longer needed

Checklist

• Focused on one root cause
• Regression tests updated
• No unrelated files changed
• Code Intelligence section included

[alt-glitch]

Competing with #33479 (BSM-only fix) and #33527 (omnibus: ticker + null-safe + BSM) — all fix #33465. Also related to closed #33667 (same approach by different author). This PR uses load_hermes_dotenv() matching the gateway pattern. Maintainer should pick one.