Add Hermes Agent JWT CLI compatibility #100

Merged: Mr-Lucky merged 1 commit into main from feat/hermes-cli-compat on Jun 5, 2026

@Mr-Lucky Mr-Lucky commented Jun 5, 2026

Summary

Add Hermes Agent JWT CLI compatibility for agentguard connect and agentguard subscribe, including Hermes runtime detection via HERMES_HOME / ~/.hermes while preserving existing OpenClaw behavior.

Type

  • Bug fix
  • New feature / detection rule
  • Refactoring
  • Documentation

Testing

  • npm run build passes
  • npm test passes (355 tests)
  • Manually tested the change

Related Issues

Closes #

@Mr-Lucky Mr-Lucky merged commit 0ea9c3a into main Jun 5, 2026
4 checks passed

github-actions Bot commented Jun 5, 2026

AgentGuard PR Review

  1. medium — src/cli.ts (Hermes detection / registration path, hunk around withDetectedAgentJwtHost and detectHermesRuntime)

    • What can go wrong: Hermes initialization is now detected from HERMES_HOME or ~/.hermes, but unlike the existing OpenClaw path there is no validation that the detected Hermes installation actually has the expected CLI/runtime state beyond config.yaml/directory existence. This can cause agentguard connect / subscribe to auto-attempt JWT registration in unrelated directories or stale home paths, leading to confusing failures and possible writes of agent credentials into the wrong config.
    • Fix: Require a more specific Hermes sentinel file or explicit initialized-state check before treating Hermes as JWT-capable, and only auto-detect when that check passes. Keep the “no-key” path gated by a strong initialization signal.
  2. medium — src/cli.ts (error handling at connect / subscribe, hunk around isAgentJwtHostConfigured checks)

    • What can go wrong: The new logic broadens “JWT host configured” from OpenClaw-only to OpenClaw-or-Hermes, but the rejection messages for failed JWT registration still tell users to rerun agentguard connect --key <key> even when the failure happened during JWT registration. That can hide the real remediation and cause repeated failed retries in automation.
    • Fix: On 401/registration failures, distinguish API-key mode from JWT mode in the error path and message, and surface the actual agent host that failed registration so callers can repair the right installation.
  3. low — src/cli.ts (detectHermesRuntime path check, hunk around existsSync(join(hermesHome, 'config.yaml')))

    • What can go wrong: If HERMES_HOME is set to a file path rather than a directory, existsSync(hermesHome) returns true and the code treats it as a valid Hermes runtime. That can incorrectly enable Hermes registration and save config state based on an invalid path.
    • Fix: Validate that HERMES_HOME points to a directory, and only consider it initialized when the expected Hermes config file exists under that directory.
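
The directory and config-file validation that review item 3 asks for, shown beside an existence-only check, as an added example that is not part of the review comment or AgentGuard's own code. The function names, the fixture paths and the existence-only variant are assumptions made for illustration.

```typescript
// Added example: not AgentGuard's code; function names are hypothetical.
import { existsSync, mkdirSync, mkdtempSync, statSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

type Env = Record<string, string | undefined>;

// stat() that reports "missing", ENOTDIR and EACCES all as undefined.
function statOrUndefined(p: string) {
  try {
    return statSync(p, { throwIfNoEntry: false });
  } catch {
    return undefined;
  }
}

// Loose check, modelled on the review's description (assumption): existence only.
function looseHermesDetect(env: Env, homeDir: string): string | null {
  const hermesHome = env.HERMES_HOME || join(homeDir, ".hermes");
  return existsSync(hermesHome) ? hermesHome : null;
}

// Strict check: a directory that contains a regular file named config.yaml.
function strictHermesDetect(env: Env, homeDir: string): string | null {
  const hermesHome = env.HERMES_HOME || join(homeDir, ".hermes");
  if (!statOrUndefined(hermesHome)?.isDirectory()) return null;
  return statOrUndefined(join(hermesHome, "config.yaml"))?.isFile() ? hermesHome : null;
}

// Constructed fixtures: HERMES_HOME as a file, as an empty dir, and as a valid home.
function buildFixtures() {
  const root = mkdtempSync(join(tmpdir(), "hermes-detect-"));
  const asFile = join(root, "not-a-dir");
  const emptyDir = join(root, "stale-home");
  const valid = join(root, "hermes");
  writeFileSync(asFile, "");
  mkdirSync(emptyDir);
  mkdirSync(valid);
  writeFileSync(join(valid, "config.yaml"), "# constructed sample\n");
  return { root, asFile, emptyDir, valid };
}

const fx = buildFixtures();
for (const [label, p] of Object.entries(fx).slice(1)) {
  const env = { HERMES_HOME: p };
  console.log(label, "loose:", looseHermesDetect(env, fx.root) !== null,
    "strict:", strictHermesDetect(env, fx.root) !== null);
}
```

Only the last fixture passes the strict check; the existence-only variant accepts all three, including the regular file.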
