
Fix init agent normalization and persist postinstall next steps #80

Merged
Mr-Lucky merged 2 commits into main from fix/init-agent-case-insensitive
May 21, 2026


@Mr-Lucky (Contributor) commented May 21, 2026

Summary

  • Normalize agentguard init --agent values with trim().toLowerCase() before validation, config persistence, and template installation.
  • Add regression coverage for capitalized agent input such as Hermes.
  • Persist postinstall next-step guidance to ~/.agentguard/next-steps.txt and the package directory so agents can discover setup instructions even when npm hides lifecycle output.
  • Update postinstall tests and changelog.

Testing

  • npm run build
  • node --test dist/tests/cli-init.test.js
  • node --test dist/tests/postinstall.test.js
  • npm test

Type

  • Bug fix
  • New feature / detection rule
  • Refactoring
  • Documentation

Testing

  • npm run build passes
  • npm test passes (32 tests)
  • Manually tested the change

Related Issues

Closes #

@github-actions

AgentGuard PR Review

This patch introduces a couple of concrete risks.

  1. medium — src/postinstall.ts writes a package-level file during install (writePackageNextStepsFile)

    • What can go wrong: The postinstall script now attempts to write next-steps.txt into the package directory (resolve(__dirname, '..')). In many real installs this directory may be read-only (e.g. global installs, pnpm store, immutable/containerized environments, or packaged distributions), which can fail before the try/catch around the main logic if the write happens during finally. Although writeNextStepsFile swallows errors, this still adds an extra filesystem mutation to every install and can unexpectedly create files inside published package trees.
    • Concrete fix: Keep package-directory writes fully optional and behind an explicit opt-in flag, or restrict them to a writable user-local path only. If retained, ensure the call is guarded before any assumption about package mutability and document/avoid writing into __dirname-derived package contents.
  2. low — src/cli.ts accepts any object/stringified value for --agent without validating option type

    • What can go wrong: String(options.agent).trim().toLowerCase() will coerce non-string values into strings, which can mask invalid CLI parsing states and produce confusing behavior ([object Object] becomes invalid only after normalization). This is a correctness regression risk in case the option parser ever changes or receives unexpected structured input.
    • Concrete fix: Validate that options.agent is a string before normalization, and reject non-string values explicitly with the same error path.
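
The type check suggested in item 2 of the review above, as an added example that is not part of the PR or of the AgentGuard code base. It compares the coerce-then-normalize approach from the PR summary with a strict variant on constructed inputs; the allow-list (only `hermes` comes from the page) and all function names are hypothetical.

```typescript
// Hypothetical allow-list: only "hermes" appears on the page, the second entry is a placeholder.
const SUPPORTED_AGENTS: readonly string[] = ["hermes", "example-agent"];

type AgentResult =
  | { ok: true; agent: string }
  | { ok: false; error: string };

// Normalization as the PR summary describes it: coerce, trim, lowercase.
function normalizeLoose(value: unknown): string {
  return String(value).trim().toLowerCase();
}

// Short type label used in error messages and in the comparison below.
function kindOf(value: unknown): string {
  if (value === null) return "null";
  return Array.isArray(value) ? "array" : typeof value;
}

// Strict variant: reject non-strings before normalizing, then validate against the allow-list.
function parseAgent(value: unknown): AgentResult {
  if (typeof value !== "string") {
    return { ok: false, error: `--agent must be a string, got ${kindOf(value)}` };
  }
  const agent = value.trim().toLowerCase();
  if (!SUPPORTED_AGENTS.includes(agent)) {
    return { ok: false, error: `unsupported agent: ${JSON.stringify(value)}` };
  }
  return { ok: true, agent };
}

// Constructed inputs an option parser could hand over; compares both approaches.
function compareApproaches(): string[] {
  const inputs: unknown[] = ["  Hermes ", ["Hermes"], { toString: () => "hermes" }, true, undefined];
  return inputs.map((v) => {
    const loose = SUPPORTED_AGENTS.includes(normalizeLoose(v)) ? "accept" : "reject";
    const strict = parseAgent(v).ok ? "accept" : "reject";
    return `${kindOf(v)}: loose=${loose} strict=${strict}`;
  });
}
```

With coercion alone, a one-element array or any object with a custom `toString` normalizes to a valid agent name and passes validation; the strict variant rejects both before normalization.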

@Mr-Lucky Mr-Lucky merged commit f3a6671 into main May 21, 2026
4 checks passed