Govern governed execute_code and fix schema hooks without early model_tools import

[maniotrix]

Summary

• Add execute_code to the Hermes governed catalog (RUN_COMMAND via python -c …) with adapter mapper, probes, and gateway E2E coverage.
• Finalize governed tool schemas on registry.get_definitions and build_execute_code_schema instead of importing model_tools at plugin load (fixes read_terminal leaking into /v1/toolsets).
• Preserve unmapped Hermes tool args in intent hermes_args for validation; remove process from the governed catalog.

Changes

Governance & adapter

• execute_code in tools.yaml with mapper: execute_code and builtin_module: tools.code_execution_tool
• map_execute_code() encodes Python as python -c {shlex.quote(code)} for command_shield / AST analysis
• hermes_args_remainder() / _attach_hermes_args() on terminal, write_file, patch, execute_code mappers
• Drop governed process (Hermes background-process tool stays native/un gated)

Plugin schema finalization

• registry_hook.py: wrap registry.get_definitions to inject required reason
• tool_definitions_hook.py: wrap build_execute_code_schema for dynamic rebuild path
• Remove eager import model_tools during register() (avoids full discover_builtin_tools())

Tests & docs

• Gateway E2E + live adapter/plugin probes for execute_code (ALLOW + deterministic BLOCK via sudo)
• Unit tests: test_install_registry_hook_does_not_import_model_tools, schema hook coverage
• New doc: docs/hermes-governance-execute-code-and-schema-hooks.md; updates to integration guides and READMEs

Test plan

• RUN_HERMES_GATEWAY_TOOLSETS=1 ./tests/scripts/test-hermes-gateway-toolsets.sh
• HERMES_E2E_GOVERNED_TOOLS=execute_code RUN_HERMES_GATEWAY_E2E=1 ./tests/scripts/test-hermes-gateway-e2e.sh (pass 1, 2a, 2b)
• CI unit tests (pr.yml — adapter, governance, plugin, gateway contract tests)
• Optional: full catalog E2E RUN_HERMES_GATEWAY_E2E=1 ./tests/scripts/test-hermes-gateway-e2e.sh