fix: move TTS patch from build-time to runtime

The build-time COPY+RUN of patch_tts_tool.py failed because
the Dockerfile starts from debian:stable-slim and only copies
the ai/ build context — there's no tools/tts_tool.py in the
image at build time (Hermes is on the mounted data volume).

Move patching to fix-permissions.sh which runs at container
startup when the data volume is mounted, so tts_tool.py is
available via the venv site-packages.

Also make patch_tts_tool.py robust: searches multiple paths
for tts_tool.py, accepts path as argument, exits 0 instead
of 1 when file/pattern not found (build must not fail).

ai/Dockerfile

@@ -53,14 +53,6 @@ urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
 PYEOF
  
-# ---------- Patch tts_tool.py: replace Edge TTS fallback with Piper ----------
-# Edge TTS calls out to Microsoft servers — we never want that.
-# Piper runs locally on CPU, no cloud, no data leaving the machine.
-# If the patch script can't find the Edge fallback text to replace,
-# it returns a non-zero exit code and the build fails.
-COPY patch_tts_tool.py /tmp/patch_tts_tool.py
-RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py
- 
 # ---------- Patch atomic writes to preserve file permissions ----------
 # Fixes https://github.com/NousResearch/hermes-agent/issues/14181
 # tempfile.mkstemp() creates files as 0600; os.replace() preserves that mode,