fix: support HERMES_UID=0 by skipping usermod and privilege drop

[x1am1]

Problem

HERMES_UID=0 is documented as a way to run the gateway as root, but it does not work. stage2-hook.sh runs usermod -u 0 hermes which fails silently with:

usermod: UID '0' already exists

because UID 0 is already assigned to root. The gateway continues running as uid 10000 (hermes), and files created by docker exec -u root operations remain root-owned, causing PermissionError on gateway.lock and errors.log → gateway restart loop.

Fix

Two files modified:

docker/stage2-hook.sh

• When HERMES_UID=0, skip usermod (would fail anyway)
• Set HERMES_RUN_AS_ROOT=1 in s6 container environment as a signal

docker/main-wrapper.sh

• Check HERMES_RUN_AS_ROOT flag
• When set, skip s6-setuidgid hermes privilege drop
• Gateway runs directly as root

Testing

Set HERMES_UID=0 and HERMES_GID=0 in docker-compose.yml:

environment:
  - HERMES_UID=0
  - HERMES_GID=0

After docker compose up -d:

• docker exec hermes-agent whoami should return root
• No PermissionError in gateway logs
• Files created by root operations are accessible

Related

Known issue documented in community skills:

HERMES_UID=0 does NOT work despite stage2-hook.sh source code suggesting it should. Tested and confirmed non-functional as of v0.15.1.

[alt-glitch]

⚠ Needs maintainer decision: This PR enables HERMES_UID=0 (run as root), but open PR #34119 explicitly blocks UID=0 via range validation (1000-65534) for security reasons. These two PRs are mutually exclusive.

Related: #32559, #34401, #34684