refactor: deduplicate toolsets, unify async bridging, fix approval race condition, harden security

- Replace 4 copy-pasted messaging platform toolsets with shared _HERMES_CORE_TOOLS list
- Consolidate 5 ad-hoc async-bridging patterns into single _run_async() in model_tools.py
  - Removes deprecated get_event_loop()/set_event_loop() calls
  - Makes all tool handlers self-protecting regardless of caller's event loop state
  - RL handler refactored from if/elif chain to dispatch dict
- Fix exec approval race condition: replace module-level globals with thread-safe
  per-session tools/approval.py (submit_pending, pop_pending, approve_session, is_approved)
  - Session A approving "rm" no longer approves it for all other sessions
- Fix config deep merge: user overriding tts.elevenlabs.voice_id no longer clobbers
  tts.elevenlabs.model_id; migration detection now recurses to arbitrary depth
- Gateway default-deny: unauthenticated users denied unless GATEWAY_ALLOW_ALL_USERS=true
- Add 10 dangerous command patterns: rm --recursive, bash -c, python -e, curl|bash,
  xargs rm, find -delete
- Sanitize gateway error messages: users see generic message, full traceback goes to logs

AGENTS.md

@@ -244,11 +244,11 @@ This is intentional: CLI users are in a terminal and expect the agent to work in
 
 ### Security (User Allowlists):
 
-**IMPORTANT**: Without an allowlist, anyone who finds your bot can use it!
+**IMPORTANT**: By default, the gateway denies all users who are not in an allowlist or paired via DM.
 
 The gateway checks `{PLATFORM}_ALLOWED_USERS` environment variables:
 - If set: Only listed user IDs can interact with the bot
-- If unset: All users are allowed (dangerous with terminal access!)
+- If unset: All users are denied unless `GATEWAY_ALLOW_ALL_USERS=true` is set
 
 Users can find their IDs:
 - **Telegram**: Message [@userinfobot](https://t.me/userinfobot)