feat(webhook): hermes webhook CLI + skill for event-driven subscriptions (#3578)

Adds 'hermes webhook' CLI subcommand and a skill — zero new model tools.

CLI commands (require webhook platform to be enabled):
  hermes webhook subscribe <name> [--events, --prompt, --deliver, ...]
  hermes webhook list
  hermes webhook remove <name>
  hermes webhook test <name>

All commands gate on webhook platform being enabled in config. If not
configured, prints setup instructions (gateway setup wizard, manual
config.yaml, or env vars).

The agent uses these via terminal tool, guided by the webhook-subscriptions
skill which documents setup, common patterns (GitHub, Stripe, CI/CD,
monitoring), prompt template syntax, security, and troubleshooting.

Adapter enhancement: webhook.py hot-reloads dynamic subscriptions from
~/.hermes/webhook_subscriptions.json on each incoming request (mtime-gated).
Static config.yaml routes always take precedence.

Docs: updated webhooks.md with Dynamic Subscriptions section, added
hermes webhook to cli-commands.md reference.

No new model tools. No toolset changes.

24 new tests for CLI CRUD, persistence, enabled-gate, and adapter
dynamic route loading.

website/docs/user-guide/messaging/webhooks.md

@@ -15,7 +15,7 @@ The agent processes the event and can respond by posting comments on PRs, sendin
 ## Quick Start
 
 1. Enable via `hermes gateway setup` or environment variables
-2. Define webhook routes in `config.yaml`
+2. Define routes in `config.yaml` **or** create them dynamically with `hermes webhook subscribe`
 3. Point your service at `http://your-server:8644/webhooks/<route-name>`
 
 ---
@@ -205,6 +205,56 @@ For cross-platform delivery (telegram, discord, slack, signal, sms), the target
 
 ---
 
+## Dynamic Subscriptions (CLI) {#dynamic-subscriptions}
+
+In addition to static routes in `config.yaml`, you can create webhook subscriptions dynamically using the `hermes webhook` CLI command. This is especially useful when the agent itself needs to set up event-driven triggers.
+
+### Create a subscription
+
+```bash
+hermes webhook subscribe github-issues \
+  --events "issues" \
+  --prompt "New issue #{issue.number}: {issue.title}\nBy: {issue.user.login}\n\n{issue.body}" \
+  --deliver telegram \
+  --deliver-chat-id "-100123456789" \
+  --description "Triage new GitHub issues"
+```
+
+This returns the webhook URL and an auto-generated HMAC secret. Configure your service to POST to that URL.
+
+### List subscriptions
+
+```bash
+hermes webhook list
+```
+
+### Remove a subscription
+
+```bash
+hermes webhook remove github-issues
+```
+
+### Test a subscription
+
+```bash
+hermes webhook test github-issues
+hermes webhook test github-issues --payload '{"issue": {"number": 42, "title": "Test"}}'
+```
+
+### How dynamic subscriptions work
+
+- Subscriptions are stored in `~/.hermes/webhook_subscriptions.json`
+- The webhook adapter hot-reloads this file on each incoming request (mtime-gated, negligible overhead)
+- Static routes from `config.yaml` always take precedence over dynamic ones with the same name
+- Dynamic subscriptions use the same route format and capabilities as static routes (events, prompt templates, skills, delivery)
+- No gateway restart required — subscribe and it's immediately live
+
+### Agent-driven subscriptions
+
+The agent can create subscriptions via the terminal tool when guided by the `webhook-subscriptions` skill. Ask the agent to "set up a webhook for GitHub issues" and it will run the appropriate `hermes webhook subscribe` command.
+
+---
+
 ## Security {#security}
 
 The webhook adapter includes multiple layers of security: