fix(dashboard): don't force /opt/data files root for remote requests on host installs

[AIalliAI]

Summary

Fixes #44116

On a non-Docker host install, opening the dashboard Files tab from another machine on the LAN returned a 500:

{"detail":"Managed files root is unavailable: [Errno 13] Permission denied: '/opt/data'"}

_managed_files_policy treated any non-local request (remote client, or auth_required set) as a hosted deployment and locked the managed-files root to /opt/data — a path that only exists in the Docker/hosted filesystem layout.

Change

• The /opt/data lock now applies only when the install actually uses the hosted layout, detected via the existing _default_hermes_root_is_opt_data() check (HERMES_HOME resolving to /opt/data, which the official Docker setup sets).
• Remote and auth-gated requests on plain host installs keep a locked root — the dashboard user's home (locked_root=home, can_change_path=False) — so the previous confinement posture for non-local clients is preserved, just no longer pointing at a Docker-only path. Local requests keep the existing unlocked home policy.
• HERMES_DASHBOARD_FILES_ROOT continues to override everything, so the workaround from the issue keeps working.

Tests

Added to tests/hermes_cli/test_web_server_files.py:

• remote request on a host install (no HERMES_HOME) → policy locks to home, no 500
• auth_required=True on a host install → policy locks to home
• remote request with HERMES_HOME=/opt/data → still locked to /opt/data (hosted behavior unchanged)

pytest tests/hermes_cli/ -k web_server: 306 passed; the one failure (test_skills_list_without_profile_uses_dashboard_home) is a pre-existing test-ordering flake that also fails on unmodified main and passes in isolation.

🤖 Generated with Claude Code

[AIalliAI]

Requesting maintainer review — this is ready to land from my side. Standalone fork CI is pending first-run approval here; the rollup branch in #44061 carrying this session's batch is fully green on upstream CI (all test shards, typecheck, e2e).