From 64acf2c859933f2fb0d6374a8e78501da5202bd3 Mon Sep 17 00:00:00 2001
From: Hermes <hermes@lazyworkhorse.net>
Date: Wed, 20 May 2026 14:05:45 -0400
Subject: [PATCH] Merge feat/add-paperclip into master: add Paperclip agent
 orchestrator services

Brings in commits: 563ccc5 (paperclip), 37bf43c (Dockerfile), bce4032 (revert), 1eacc3c (Traefik ai_net fix)
---
 ai/compose.yml | 64 ++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 60 insertions(+), 4 deletions(-)

diff --git a/ai/compose.yml b/ai/compose.yml
index 1db7831..f699af1 100644
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -44,7 +44,7 @@ services:
       - API_SERVER_HOST=0.0.0.0
       - API_SERVER_KEY=hermes_local_key
       - GATEWAY_ALLOW_ALL_USERS=true
-      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+      - OPENROUTER_API_KEY=${OPEN...KEY}
       # ROCm for GPU-accelerated faster-whisper STT
       - HSA_OVERRIDE_GFX_VERSION=9.0.6
       - HCC_AMDGPU_TARGET=gfx906
@@ -129,6 +129,62 @@ services:
       - "303"
       - "26"
 
+  paperclip-db:
+    image: postgres:17-alpine
+    container_name: paperclip-db
+    restart: always
+    environment:
+      POSTGRES_USER: paperclip
+      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
+      POSTGRES_DB: paperclip
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
+    networks:
+      - ai_backend
+
+  paperclip:
+    image: ghcr.io/paperclipai/paperclip:v2026.517.0
+    container_name: paperclip
+    restart: always
+    ports:
+      - "127.0.0.1:3100:3100"
+    environment:
+      - HOST=0.0.0.0
+      - PORT=3100
+      - SERVE_UI=true
+      - DATABASE_URL=postgres://paperclip:***@paperclip-db:5432/paperclip
+      - BETTER_AUTH_SECRET=${PAPE...CRET must be set}
+      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
+      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
+      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
+    depends_on:
+      paperclip-db:
+        condition: service_healthy
+    networks:
+      - ai_net
+      - ai_backend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-http.entrypoints=web"
+      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
+
+      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
+      - "traefik.http.routers.paperclip-https.tls=true"
+      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
+
 networks:
   ai_net:
     external: true
@@ -280,8 +336,8 @@ networks:
   #     - /home/gortium/infra:/data/workspace/infra
   #   environment:
   #     - TZ=America/Toronto
-  #     - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
-  #     - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+  #     - OPENCLAW_GATEWAY_TOKEN=${OPEN...KEN}
+  #     - OPENROUTER_API_KEY=${OPEN...KEY}
   #     # Point to the sidecar browser
   #     - BROWSER_CDP_URL=http://openclaw-browser:9222
   #     - BROWSER_EVALUATE_ENABLED=true
@@ -326,7 +382,7 @@ networks:
   #     - PGID=1000
   #     - PUBLIC_KEY_FILE=/config/ssh/authorized_keys
   #     - SUDO_ACCESS=false
-  #     - PASSWORD_ACCESS=false
+  #     - PASSWORD_ACCESS=***
   #   volumes:
   #     - /mnt/HoardingCow_docker_data/openclaw/ssh-config:/config
   #     - /home/gortium/infra:/data/workspace/infra:ro