feat: add Hermes child agent factory and paid agent metadata

[bussyjd]

Summary

This PR adds the durable Hermes child-agent path we need for a permissioned “mother agent” to spawn sellable child agents, then tightens the discovery surfaces so buyers and indexers can see what they are paying for.

What Changed

• Adds an embedded agent-factory skill that can create child Agent CRDs from inside the stack, including profile archive seeding, optional child env Secret injection, optional remote-signer wallet creation, and optional ServiceOffer creation.
• Extends child Hermes rendering with profile import support and per-child runtime context: model, skills dir, namespace, wallet address, remote signer URL, and optional env Secret.
• Adds scoped factory RBAC and admission coverage so the mother-agent path can create only the intended child resources.
• Aligns host-side Agent seeding around Hermes SOUL.md, including legacy lowercase soul.md migration and safer exact skill syncing.
• Makes agent-backed offers advertise the paid-agent contract consistently across surfaces:
  • ServiceOffer.status.agentResolution: model, runtime, skills, endpoint
  • x402 402 accepts[].extra: agentModel, agentRuntime, agentSkills
  • /api/services.json: type: agent, resolved model, 10 OBOL/request style pricing
  • ERC-8004 well-known metadata: runtime, model, pricingUnit, x402Price, x402Asset, x402Network
• Fixes the service catalog schema to allow type: "agent", which the controller already emits for agent-backed offers.

Why

The MVP product primitive is: “I run Hermes on this model, with these skills, and you can pay me for an agent turn.” Previously, the runtime/model signal existed in parts of the controller and x402 route path, but it was not consistently published into the catalog and ERC-8004 metadata. That made decentralized discovery/indexing weaker than the actual runtime state.

This PR makes the child-agent creation path and the paid-offer advertising path line up: a provider can spawn a child Hermes profile, wrap it as a ServiceOffer, and buyers/indexers can inspect the model/runtime/skills/price before paying.

Validation

Focused branch coverage:

go test -covermode=atomic -coverprofile=.workspace/coverage/branch.out \
  ./cmd/obol \
  ./internal/agentcrd \
  ./internal/agentruntime \
  ./internal/embed \
  ./internal/serviceoffercontroller \
  ./internal/x402 \
  ./internal/monetizeapi \
  ./internal/schemas \
  -count=1

Coverage highlights from the branch profile:

decodeAgentJSON                                100.0%
agentOfferRegistrationMetadata                 100.0%
SeedHostFiles                                   83.3%
agentManifests                                 100.0%
buildAgentProfileInitContainer                 100.0%
buildActiveRegistrationDocument                 88.9%
buildServiceCatalogJSON                         97.1%
routeRuleFromOffer                              93.3%
mergeAgentExtras                               100.0%

Additional targeted flake check:

go test ./internal/x402 \
  -run 'TestWatchConfig_InvalidConfig|TestRouteRuleFromOffer_AgentResolutionAdvertisesRuntimeModelSkills|TestAgentExtras' \
  -count=3

Focused metadata/skill checks:

go test ./cmd/obol ./internal/embed ./internal/serviceoffercontroller ./internal/schemas \
  -run 'TestDecodeAgentJSON|TestAgentOfferRegistrationMetadata|TestAgentFactoryPy|TestBuildActiveRegistrationDocument_PublishesAgentOfferMetadata|TestBuildServiceCatalogJSON_AgentOfferUsesResolvedModel|TestServiceCatalog|TestGetEmbeddedSkillNames' \
  -count=3

Whitespace/conflict check:

git diff --check HEAD -- . ':(exclude).claude/settings.json'

Live smoke performed locally with rebuilt dev images:

OBOL_DEVELOPMENT=true .workspace/bin/obol stack init --backend k3d
OBOL_DEVELOPMENT=true OBOL_FORCE_REBUILD_LOCAL_DEV_IMAGES=serviceoffer-controller,x402-verifier \
  .workspace/bin/obol stack up

OBOL_DEVELOPMENT=true .workspace/bin/obol agent new demo-quant \
  --model qwen3.5:9b \
  --skills ethereum-networks,addresses \
  --objective 'Agent-backed quant analyst for on-chain OBOL payment tests.' \
  --create-wallet

OBOL_DEVELOPMENT=true .workspace/bin/obol sell agent demo-quant \
  --price 10 \
  --token OBOL \
  --chain ethereum

Live assertions passed:

• 402 response carried agentModel=qwen3.5:9b, agentRuntime=hermes, and agentSkills=[ethereum-networks, addresses].
• 402 price was 10 OBOL on eip155:1 with atomic amount 10000000000000000000.
• /.well-known/agent-registration.json carried runtime/model/pricing metadata.
• /api/services.json exposed type: "agent", model qwen3.5:9b, and 10 OBOL/request.

Known Notes

• ServiceOffer.status.Ready remains False while external ERC-8004 registration is pending. The operational conditions are green (UpstreamHealthy, PaymentGateReady, RoutePublished), and /api/services.json marks the offer with registrationPending: true.
• A broad go test ./... -short -count=1 run still has unrelated failures outside this PR: internal/openclaw hit a Go linker SIGSEGV locally, and internal/stack has an existing warning-format assertion mismatch. The changed package set and targeted coverage runs are green.