Add generic dynamic bundle + cronjob governance, policy env parity, and two-tier probe contracts

[maniotrix]

Summary

• Introduce GenericDynamicBundle so generic Hermes tools (starting with cronjob → HERMES_CRONJOB) register semantic-only action IDs from IF_DYNAMIC_BUNDLE_MANIFEST at backend boot.
• Add cronjob to the governed catalog (mapper: generic), shipped policy/manifest/executor config, and adapter map_generic path.
• Centralize pack activation in load_and_activate_pack() so CLI start, integrate, and all policy * commands apply agent.json env (including manifest path) before policy validation — fixes policy reload hermes failing with “allowed action HERMES_CRONJOB has no registered ActionBundle”.
• Adopt a two-tier probe contract: native tools get gateway LLM E2E + live adapter/plugin probes; generic tools get live semantic smoke only (no gateway LLM / schema-probe requirements).
• Document the sync replacement model: no sync hermes CLI; dev hand-edits derived artifacts; test_actions_manifest.py golden test enforces parity.

Changes

Backend

• GenericDynamicBundle + manifest parser; wired into core.yaml [native, dynamic]
• Bundle-list-aware policy validation; unit tests in test_dynamic_bundle.py
• executor.yaml includes HERMES_CRONJOB

Hermes integration

• tools.yaml: cronjob (mapper: generic, HERMES_CRONJOB)
• generic_actions.manifest, agent.json, policy.yaml updated
• Adapter map_generic + unit test
• Governance README: dev vs user ownership, derived-artifacts workflow

CLI

• integration_pack.py: apply_agent_env, seed_hermes_runtime_governance, load_and_activate_pack*
• policy_manage.py and cli.py route through pack activation
• hermes_integrate.py / hermes_governance_contract.py: copy-only runtime seeding (never regenerate from yaml)

Tests

• Golden test: test_actions_manifest.py
• Policy env parity: test_policy_manage.py, test_integration_pack.py
• Two-tier coverage: test_governed_tool_coverage.py, gateway E2E skips cronjob LLM probes
• Toolsets live: schema probe + provider assert use native tier only (gateway_e2e_probe_tool_names)
• Live semantic: test_cronjob_semantic in adapter + plugin gate suites

Docs

• Integration guide, agent-tool-gating, state report, CLI/Hermes READMEs updated for manifest env, two surfaces, sync replacement

Test plan

• ./scripts/e2e.sh (unit + live adapter/plugin including test_cronjob_semantic)
• RUN_HERMES_GATEWAY_E2E=1 ./tests/scripts/test-hermes-gateway-e2e.sh (pass 1, 2a, 2b; cronjob = LIVE_SEMANTIC_ONLY)
• RUN_HERMES_GATEWAY_TOOLSETS=1 ./tests/scripts/test-hermes-gateway-toolsets.sh (schema probe fix for generic tools)
• uv run --package intentframe-integrations-cli python tests/intentframe_integrations/test_actions_manifest.py
• policy reload hermes smoke after integrate (no explicit IF_DYNAMIC_BUNDLE_MANIFEST export)