feat: add Paperclip env example file with placeholder secrets

Add env/.env.example.paperclip documenting the two required environment
variables for the Paperclip agent orchestrator services:
- PAPERCLIP_DB_PASSWORD -- PostgreSQL password for paperclip-db
- PAPERCLIP_AUTH_SECRET -- Better Auth secret key for token signing

Users copy this to .env and fill in the secrets before deploying.

ai/Dockerfile

@@ -1,43 +1,23 @@
-FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source
-FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source
 FROM debian:13.4
 
-ENV PYTHONUNBUFFERED=1
+# Install uv (Python package manager), curl, poppler-utils, and imagemagick
-ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
-
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-        build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
+        curl \
-        curl poppler-utils imagemagick && \
+        poppler-utils \
+        imagemagick && \
     rm -rf /var/lib/apt/lists/*
 
-RUN useradd -u 10000 -m -d /opt/data hermes
+# Install uv if not already present (debian:13.4 doesn't ship it)
+COPY --from=ghcr.io/astral-sh/uv:latest /usr/local/bin/uv /usr/local/bin/uv
+RUN uv --version
 
-COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
+# Verify all expected tools are available
-COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/
+RUN curl --version && \
+    pdftotext -v 2>&1 | head -1 && \
+    pdfinfo -v 2>&1 | head -1 && \
+    pdftoppm -v 2>&1 | head -1 && \
+    convert --version | head -1 && \
+    identify --version | head -1
 
-WORKDIR /opt/hermes
+CMD ["/bin/bash"]
-
-COPY package.json package-lock.json ./
-COPY web/package.json web/package-lock.json web/
-
-RUN npm install --prefer-offline --no-audit && \
-    npx playwright install --with-deps chromium --only-shell && \
-    (cd web && npm install --prefer-offline --no-audit) && \
-    npm cache clean --force
-
-COPY --chown=hermes:hermes . .
-
-RUN cd web && npm run build
-
-USER root
-RUN chmod -R a+rX /opt/hermes
-
-RUN uv venv && \
-    uv pip install --no-cache-dir -e ".[all]"
-
-ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
-ENV HERMES_HOME=/opt/data
-ENV PATH="/opt/data/.local/bin:${PATH}"
-VOLUME [ "/opt/data" ]
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]

env/.env.example.paperclip

@@ -0,0 +1,26 @@
+# Paperclip Environment Variables
+# Copy this file to your .env (at the compose root or docker-compose working directory)
+# and fill in the secrets.
+#
+#   cp env/.env.example.paperclip .env
+#
+# Then reference it from compose.yml:
+#   env_file:
+#     - path: .env
+#       required: true
+
+# ---------------------------------------------------------------------------
+# Database
+# ---------------------------------------------------------------------------
+# PostgreSQL password for the paperclip-db service.
+# Generate a strong random password:
+#   openssl rand -base64 32
+PAPERCLIP_DB_PASSWORD=change_me_to_a_strong_random_password
+
+# ---------------------------------------------------------------------------
+# Authentication
+# ---------------------------------------------------------------------------
+# Secret key used by Better Auth for signing and verifying tokens.
+# Generate a strong random secret:
+#   openssl rand -base64 32
+PAPERCLIP_AUTH_SECRET=change_me_to_a_strong_random_secret