fix: install hermes-agent from pip so build-time TTS patch works

The Dockerfile starts from debian:stable-slim, not from the official
Hermes image. Without installing hermes-agent from pip, there is no
tools/tts_tool.py in the image at build time, so the patch script
crashes with FileNotFoundError.

Adding hermes-agent to uv pip install gives us tts_tool.py in the
venv site-packages, so the COPY+RUN patch step works cleanly.

Also keep the runtime fallback in fix-permissions.sh for cases where
the volume's site-packages differ from the image.

ai/Dockerfile

@@ -41,7 +41,7 @@ COPY --chown=hermes:hermes . .
 
 # ---------- Python virtualenv avec Piper TTS ----------
 RUN uv venv && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy faster-whisper
+    uv pip install --no-cache-dir hermes-agent piper-tts sounddevice numpy faster-whisper
 
 # ---------- Télécharger la voix Piper Ryan (high quality) ----------
 RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
@@ -53,6 +53,13 @@ urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
 PYEOF
  
+# ---------- Patch tts_tool.py: replace Edge TTS fallback with Piper ----------
+# Edge TTS calls out to Microsoft servers — we never want that.
+# Piper runs locally on CPU, no cloud, no data leaving the machine.
+# hermes-agent is installed from pip so tools/tts_tool.py exists in the venv.
+COPY patch_tts_tool.py /tmp/patch_tts_tool.py
+RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py
+ 
 # ---------- Patch atomic writes to preserve file permissions ----------
 # Fixes https://github.com/NousResearch/hermes-agent/issues/14181
 # tempfile.mkstemp() creates files as 0600; os.replace() preserves that mode,