fix: audit hardening + optimization pass for hermes-mod#2

Open: 0xNyk wants to merge 1 commit into cocktailpeanut:master from 0xNyk:reopen/audit-hardening-2026-03-30

0xNyk commented Mar 30, 2026

Summary

This PR applies a full audit/fix/optimization pass to Hermes Mod with low-risk, targeted changes.

Backend hardening

  • Make Hermes app/python path resolution cross-platform (macOS/Linux/Windows)
  • Improve environment diagnostics via /api/meta
  • Add built-in skin source metadata (fallback vs hermes-skin-engine)

Performance optimization

  • Add TTL cache for built-in skin loading to avoid repeated Python process spawning

Safety improvements

  • Add max image payload guard for hero generation (6MB)
  • Reject empty image payloads/files in hero image ingestion flows

Pinokio workflow cleanup

  • Speed install/update by using npm install --no-audit --no-fund
  • Ignore accidental root pnpm-lock.yaml churn

Validation

  • node --check app/server.js
  • node --check app/public/app.js
  • API smoke tests for status/meta/save/load/activate flows using isolated HERMES_HOME

Risk

Low. Changes are additive or defensive and scoped to known paths/endpoints.

…ds (#1)

- make Hermes app/python path resolution cross-platform

- cache builtin skin loading to reduce repeated Python exec overhead

- add hero image size/empty validation for API safety

- enrich /api/meta diagnostics

- speed install/update by disabling npm audit/fund prompts

- ignore root pnpm-lock.yaml
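
The size guard and empty-payload rejection listed under "Safety improvements", sketched as an added example; this is not code from the PR or from Hermes Mod. It assumes the image arrives as a base64 data URL, and the function names, allowed MIME types and status codes are hypothetical.

```javascript
// Added example; every name here is hypothetical, not taken from Hermes Mod.
const MAX_IMAGE_BYTES = 6 * 1024 * 1024; // "6MB" from the PR summary, read as 6 MiB

// Decoded size of a padded base64 string, derived from its length alone so an
// oversized payload is refused before any buffer is allocated for it.
function base64DecodedLength(b64) {
  const padding = b64.endsWith('==') ? 2 : b64.endsWith('=') ? 1 : 0;
  return (b64.length / 4) * 3 - padding;
}

function reject(status, error) {
  return { ok: false, status, error };
}

// Validates an image submitted as a base64 data URL (assumed transport).
// Returns { ok: true, mime, bytes } or { ok: false, status, error }.
function validateHeroImage(dataUrl, maxBytes = MAX_IMAGE_BYTES) {
  if (typeof dataUrl !== 'string') return reject(400, 'image must be a string');
  // Coarse bound on the raw string: base64 is 4/3 of the decoded size, plus
  // slack for the "data:...;base64," header. Runs before any parsing.
  if (dataUrl.length > Math.ceil(maxBytes / 3) * 4 + 128) {
    return reject(413, 'image payload too large');
  }
  // Allowed MIME types are an assumption for this example.
  const m = /^data:(image\/(?:png|jpeg|webp));base64,([A-Za-z0-9+/]*={0,2})$/.exec(dataUrl);
  if (!m || m[2].length % 4 !== 0) return reject(400, 'malformed image data URL');
  const [, mime, b64] = m;
  const size = base64DecodedLength(b64);
  if (size === 0) return reject(400, 'image payload is empty');
  if (size > maxBytes) return reject(413, 'image payload too large');
  return { ok: true, mime, bytes: Buffer.from(b64, 'base64') };
}
```

A request-body size limit at the HTTP layer is still needed, since this check runs only after the body has been read into memory.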