Rewbs/tool use charge to subscription

[rewbs]

What does this PR do?

This PR adds a Nous Subscriber tool-gateway path for the web tools while preserving direct Firecrawl configuration as the explicit override. It also hardens the web tooling stack by normalizing Firecrawl SDK/gateway response shapes, re-resolving auxiliary summarization clients and models at call time instead of relying on stale import-time state, and exposing Nous login URL/TLS overrides through hermes model for local and staging workflows.

This approach keeps existing direct Firecrawl users on the same path, lets subscriber-authenticated users access web tools without separate Firecrawl setup, and makes local development/testing easier without special-case code changes.

Related Issue

n/a

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• Added tool-gateway-backed Firecrawl client resolution in tools/web_tools.py, including support for FIRECRAWL_GATEWAY_URL, TOOL_GATEWAY_DOMAIN, TOOL_GATEWAY_SCHEME, and TOOL_GATEWAY_USER_TOKEN, with direct Firecrawl config still taking precedence.
• Updated tools/web_tools.py to normalize search/scrape/crawl payloads across Firecrawl response shapes and to re-resolve auxiliary clients/models for web extract summaries so late-available backends are picked up correctly.
• Added CLI/config support for local and non-default Nous login flows in hermes_cli/main.py and hermes_cli/config.py, including forwarding portal URL, inference URL, client ID, scope, browser, timeout, CA bundle, and TLS verification flags through hermes model.
• Documented the new web-tool and gateway environment options in .env.example, README.md, website/docs/reference/environment-variables.md, and AGENTS.md.
• Added regression coverage in tests/tools/test_web_tools_config.py and tests/test_cli_provider_resolution.py, and added debugpy to dev dependencies in pyproject.toml and requirements.txt.

How to Test

1. source venv/bin/activate
2. Run python -m pytest tests/tools/test_web_tools_config.py -q and python -m pytest tests/test_cli_provider_resolution.py::test_cmd_model_forwards_nous_login_tls_options -q
3. Run hermes model and select Nous Research Subscription
4. Ensure FIRECRAWL_API_KEY is not set anywhere in your env
5. Start a hermes chat and ask it to search the web. It should succeed.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: macOS 26.3.1

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — N/A (no config.yaml keys changed)
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — AGENTS.md updated
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

• python -m pytest tests/tools/test_web_tools_config.py -q → 17 passed in 2.80s
• python -m pytest tests/test_cli_provider_resolution.py::test_cmd_model_forwards_nous_login_tls_options -q → 1 passed in 1.59s
• python -m pytest tests/ -q → 3456 passed, 162 skipped, 5 failed in 29.44s
• Failing tests from the full suite: tests/test_quick_commands.py::TestCLIQuickCommands::test_exec_command_runs_and_prints_output
• Failing tests from the full suite: tests/test_quick_commands.py::TestCLIQuickCommands::test_quick_command_takes_priority_over_skill_commands
• Failing tests from the full suite: tests/test_managed_server_tool_support.py::TestBaseEnvCompatibility::test_hermes_base_env_managed_server_call_pattern
• Failing tests from the full suite: tests/test_managed_server_tool_support.py::TestBaseEnvCompatibility::test_hermes_base_env_uses_get_parser
• Failing tests from the full suite: tests/test_cli_provider_resolution.py::test_codex_provider_uses_config_model

[rewbs]

Closing PR for now - we'll merge this when we have this working for multiple providers.