fix(honcho): harden self-hosted setup paths

[kshitijk4poor]

Summary

Salvage of #33954 (Erosika / Plastic Labs) onto current main. Authorship preserved (commit authored by Erosika <eri@plasticlabs.ai>). The original branch was CONFLICTING — the only conflict was tests/test_packaging_metadata.py, where the PR's pytest.importorskip("setuptools") is now redundant with #34851 (which declared setuptools in the dev extra), so that one-file change was dropped.

Self-hosted Honcho setup had four sharp edges, each tied to an open issue:

• /vN double-prefix → 404 (Bug: Honcho SDK double-prefixing causes 404 errors for self-hosted instances #20688): strip a trailing /vN version segment from any configured baseUrl before SDK init. The SDK's route builders always prepend their own version prefix, so a pasted /v3 double-prefixes regardless of host (loopback, LAN, Tailscale, custom domain, cloud). Auth-skipping (the local placeholder) stays loopback-only.
• No local auth prompt ([Feature]: Honcho local host support - JWT support #29885): add an optional local JWT/bearer token prompt in hermes honcho setup, stored under hosts.<host>.apiKey so get_honcho_client treats it as an explicit local-auth opt-in (cloud/hybrid switching unaffected).
• Dot-containing host keys rejected (_host_key() returns dot-separated form ("hermes.fundraising") that violates Honcho workspace ID regex #26459, Honcho memory plugin generates invalid workspace/peer IDs for profile names containing dots #30246): derive new profile host keys with underscores (hermes_<profile>), while still reading legacy hermes.<profile> host blocks via _host_block().
• World-readable secret config (fix(security): apply 0600 permissions on memory plugin config files containing API keys #32244): write memory-provider config files atomically with 0600 permissions, closing the chmod-after-write TOCTOU window. Implemented as a single shared-helper change — utils.atomic_json_write gains a mode= arg — so it lands across honcho/hindsight/mem0/supermemory uniformly.

Plus gateway cache-correctness (#33382):

• skip honcho.json parsing in gateway cache-busting when Honcho is not the active memory provider; memoize by honcho.json mtime when it is active (removes per-message disk I/O for non-Honcho users)
• bust the gateway agent cache on memory.provider change (the provider value gates whether honcho.json is parsed, but wasn't itself a cache-busting key)

And a fresh-install ergonomics fix:

• add a hermes memory setup <provider> one-liner. The per-provider hermes <provider> subcommand only registers once that provider is active, so on a fresh install hermes honcho setup doesn't exist yet (argparse rejects invalid choice: 'honcho'). hermes memory setup is always available and now takes an optional positional routing to the same wizard.

Closes #20688.
Closes #29885.
Closes #26459.
Closes #30246.
Closes #33382.
Closes #32244.

Core-file touches (justified)

This is a memory-plugin PR that touches a few core files; each is justified:

• utils.py — generic mode= arg on the shared atomic_json_write (one helper change vs. four per-provider copies).
• gateway/run.py — the from plugins.memory.honcho.client import ... import already exists on main; this PR doesn't add a new core→plugin dependency, it improves the existing one (gates the read behind provider == "honcho", memoizes by mtime, adds memory.provider cache key).
• hermes_cli/main.py / memory_setup.py — generic optional positional on memory setup, provider-agnostic.
• hermes_cli/profiles.py — dot→underscore host-key migration with legacy fallback.

Test plan

scripts/run_tests.sh tests/honcho_plugin/ tests/test_honcho_client_config.py \
  tests/gateway/test_agent_cache.py tests/hermes_cli/test_profiles.py \
  tests/hermes_cli/test_memory_setup_provider_arg.py \
  tests/plugins/memory/test_hindsight_provider.py tests/plugins/memory/test_mem0_v2.py \
  tests/plugins/memory/test_supermemory_provider.py

Result: 672 passed, 0 failed. New cache-busting behavior is explicitly tested (skip-when-not-honcho, read-only-when-honcho, memory.provider busts signature, mtime memoization). tests/hermes_cli/test_memory_setup_provider_arg.py adds 4 tests for the new routing.

E2E verified with real imports + isolated HERMES_HOME: 0600 perms on write and preserved on rewrite; profile_host_key dot-sanitization; _host_block legacy dot-form fallback; /vN stripping across loopback/Tailscale/LAN/cloud/no-version/mid-path-version; gateway cache-busting gate.

ruff + ty clean on changed files.

Credit

• Erosika (Plastic Labs) — fix(honcho): harden self-hosted setup paths #33954, the substantive work (commit authorship preserved).
• BROCCOLO1D — memory.provider cache-busting key adopted from fix(gateway): skip inactive honcho cache-bust reads #33535 (co-authored credit on the commit).

Supersedes #33954, #20720, #30180, #32244, #33535, and the self-hosted/safe-host-key portion of #26478.