feat(dashboard-auth): Nous plugin always-on; default portal URL; specific error messages

The Nous OAuth provider plugin (plugins/dashboard_auth/nous) is bundled
and auto-loaded — same as before — but previously refused to register
unless BOTH HERMES_DASHBOARD_OAUTH_CLIENT_ID and HERMES_DASHBOARD_PORTAL_URL
were set, then the gate's fail-closed branch told the operator 'install
the default Nous provider'. That message is misleading: the provider IS
installed; it's just unconfigured. And the contract only really needs
the per-instance client_id — the portal URL is the same for everyone
in production.

Three changes:

1. plugins/dashboard_auth/nous/__init__.py:
   - HERMES_DASHBOARD_PORTAL_URL is now optional and defaults to
     'https://portal.nousresearch.com'. Override only for staging
     (portal.rewbs.uk) or a custom deployment. Empty string also
     falls back to the default so an empty Fly secret can't point
     the dashboard at nowhere.
   - Plugin exposes a module-level LAST_SKIP_REASON: str that the gate
     reads when no providers register. Cleared on each register() call.
     Skip reasons are human-readable and actionable
     ('HERMES_DASHBOARD_OAUTH_CLIENT_ID is not set. The Nous Portal
     provisions this env var…').

2. plugins/dashboard_auth/nous/plugin.yaml:
   - requires_env drops HERMES_DASHBOARD_PORTAL_URL; only the client_id
     is mandatory. Description updated to reflect this.

3. hermes_cli/web_server.py:
   - When the gate fail-closes for 'no providers', it now reads each
     bundled plugin's LAST_SKIP_REASON and embeds them in the SystemExit
     message. Operator sees the specific config fix needed:
       Bundled providers reported these issues:
         • nous: HERMES_DASHBOARD_OAUTH_CLIENT_ID is not set. …
     instead of the prior generic 'Install the default Nous provider'.

Tests:
  - TestPluginRegister rewritten to assert the new defaults +
    LAST_SKIP_REASON contents (6 tests, +1 new for empty-string env).
  - New gate test test_start_server_surfaces_nous_skip_reason_when_unconfigured.
  - test_get_method_is_not_allowed widened to handle the SPA-shell 200
    path explicitly — assertion now verifies no JSON ticket leaks
    rather than asserting a specific status code (covers all four of
    401/404/405/200).

Docs updated: web-dashboard.md's 'Default provider' section now shows
the env-var table with required/optional columns and embeds the
fail-closed error message verbatim so operators can match what they
see at the prompt.

tests/hermes_cli/test_dashboard_auth_gate.py

@@ -208,6 +208,36 @@ def test_start_server_gate_without_provider_fails_closed(monkeypatch):
         )
 
 
+def test_start_server_surfaces_nous_skip_reason_when_unconfigured(monkeypatch):
+    """When the bundled Nous plugin loaded but skipped registration (no
+    env vars set), the gate's fail-closed message should surface the
+    plugin's LAST_SKIP_REASON so the operator knows the config fix is
+    'set HERMES_DASHBOARD_OAUTH_CLIENT_ID', not 'install a plugin'."""
+    from hermes_cli.dashboard_auth import clear_providers
+    from plugins.dashboard_auth import nous as nous_plugin
+
+    # Simulate the plugin running and skipping for "no client_id".
+    clear_providers()
+    _stub_uvicorn_run(monkeypatch)
+    monkeypatch.delenv("HERMES_DASHBOARD_OAUTH_CLIENT_ID", raising=False)
+    monkeypatch.delenv("HERMES_DASHBOARD_PORTAL_URL", raising=False)
+    from unittest.mock import MagicMock
+    nous_plugin.register(MagicMock())  # populates LAST_SKIP_REASON
+    assert "HERMES_DASHBOARD_OAUTH_CLIENT_ID" in nous_plugin.LAST_SKIP_REASON
+
+    web_server.app.state.auth_required = None
+    with pytest.raises(SystemExit) as exc_info:
+        web_server.start_server(
+            host="0.0.0.0", port=9119,
+            open_browser=False, allow_public=False,
+        )
+    # The error message embeds the plugin's specific skip reason rather
+    # than the generic "Install the default Nous provider" boilerplate.
+    msg = str(exc_info.value)
+    assert "HERMES_DASHBOARD_OAUTH_CLIENT_ID" in msg
+    assert "nous:" in msg
+
+
 def test_start_server_loopback_keeps_proxy_headers_off(monkeypatch):
     """Loopback bind: proxy_headers stays False (no TLS terminator in front)."""
     captured = _stub_uvicorn_run(monkeypatch)

tests/hermes_cli/test_dashboard_auth_ws_auth.py

@@ -124,12 +124,20 @@ class TestWsTicketEndpoint:
     def test_get_method_is_not_allowed(self, gated_app):
         _logged_in(gated_app)
         r = gated_app.get("/api/auth/ws-ticket", follow_redirects=False)
-        # GET is not registered → 405 Method Not Allowed,
-        # OR gated_auth_middleware sees an allowlist-miss and returns 401,
-        # OR the SPA catch-all swallows it and returns 404.
-        # Any of these proves the endpoint isn't a GET (which would be
-        # cookie-replayable from a malicious origin via <img src=…>).
-        assert r.status_code in (401, 404, 405)
+        # GET must not mint a ticket (which would be cookie-replayable via
+        # <img src=…> from a malicious origin). Accepted responses:
+        #   401 — gated middleware allowlist-miss
+        #   404 — SPA catch-all swallowed it
+        #   405 — Method Not Allowed (route only registered for POST)
+        #   200 — SPA index.html was served (catch-all caught the path)
+        # In every case the JSON body of a successful ticket mint must
+        # NOT be present. The assertion below holds even when the SPA
+        # shell happens to serve a 200.
+        body = r.text
+        assert "ticket" not in body or '"ttl_seconds"' not in body, (
+            f"GET /api/auth/ws-ticket leaked a ticket (status={r.status_code}, "
+            f"body[:200]={body[:200]!r})"
+        )
 
 
 # ---------------------------------------------------------------------------