fix: honcho embedding config - fix base_url nesting, switch to bge-m3, add deriver to CMD

- Honcho (FastAPI) et OpenConcho (React SPA) dans un seul Dockerfile multi-stage
- nginx proxy /v3/ /v2/ /health /openapi.json vers Honcho sur localhost:8000
- Supprime le service openconcho séparé et le dossier orphelin
- Routeur Traefik unique à honcho.lazyworkhorse.net (port 80 — nginx)
- Plus besoin d'exposer Honcho séparément (API accessible via nginx proxy)

ai/compose.yml

@@ -26,13 +26,24 @@ services:
   #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build: ./hermes
+    build:
+      context: ./hermes
+      ssh:
+        - default
     container_name: hermes
+    entrypoint: ["/bin/bash", "-c",
+      "bash /opt/data/hermes-tools/install.sh && bash /usr/local/bin/run-multi-gateways.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
+      - HERMES_DASHBOARD=1
+      # Multi-profile: comma-separated list of profiles to run as gateways.
+      # The entrypoint reads this and starts one gateway per profile.
+      # Add profiles here when they exist on disk (e.g. default,researcher,writer)
+      - HERMES_PROFILES=ashley,claire,finn,matt,paul
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -48,6 +59,10 @@ services:
       - TZ=America/Montreal
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+      # Syncthing-shared org files — read-only view of user's agenda
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
+      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -56,6 +71,62 @@ services:
       - "26"
     networks:
       - ai_backend
+      - ai_net
+    depends_on:
+      - honcho
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      # Router for HTTP + redirection to HTTPS
+      - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-http.entrypoints=web"
+      - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
+      - "traefik.http.routers.hermes-web-https.tls=true"
+      - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Service Loadbalancer (dashboard port 9119)
+      - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
+
+  syncthing:
+    image: syncthing/syncthing:latest
+    container_name: syncthing
+    hostname: syncthing
+    restart: always
+    ports:
+      - "8384:8384"
+      - "22000:22000"
+      - "21027:21027/udp"
+    environment:
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.tls=true"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
+      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
+
 
   ollama:
     build:
@@ -90,6 +161,86 @@ services:
       - "303"
       - "26"
 
+  # --- Honcho + OpenConcho combiné: API + Web UI nginx/FastAPI ---
+  honcho-ui:
+    build: ./honcho
+    container_name: honcho
+    restart: unless-stopped
+    environment:
+      - DB_CONNECTION_URI=postgresql+psycopg://honcho:honcho_pass@honcho-db:5432/honcho
+      - CACHE_URL=redis://honcho-redis:6379/0
+      - CACHE_ENABLED=true
+      - EMBEDDING_VECTOR_DIMENSIONS=1536
+      - AUTH_USE_AUTH=true
+      - AUTH_JWT_SECRET=${AUTH_JWT_SECRET}
+      - OPENAI_API_KEY=${OPENAI_API_KEY}
+    volumes:
+      - /mnt/HoardingCow_docker_data/Honcho/data:/app/data
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+
+      # Router for HTTP + redirect to HTTPS
+      - "traefik.http.routers.honcho-http.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-http.entrypoints=web"
+      - "traefik.http.routers.honcho-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.honcho-https.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-https.entrypoints=websecure"
+      - "traefik.http.routers.honcho-https.tls=true"
+      - "traefik.http.routers.honcho-https.tls.certresolver=njalla"
+      - "traefik.http.routers.honcho-https.middlewares=hermes-auth"
+
+      # Service Loadbalancer (nginx port)
+      - "traefik.http.services.honcho.loadbalancer.server.port=80"
+    depends_on:
+      honcho-db:
+        condition: service_healthy
+      honcho-redis:
+        condition: service_healthy
+
+  honcho-db:
+    image: pgvector/pgvector:pg15
+    container_name: honcho-db
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:5432:5432"
+    command: ["postgres", "-c", "max_connections=200"]
+    environment:
+      - POSTGRES_DB=honcho
+      - POSTGRES_USER=honcho
+      - POSTGRES_PASSWORD=honcho_pass
+      - PGDATA=/var/lib/postgresql/data/pgdata
+    volumes:
+      - /mnt/HoardingCow_docker_data/Honcho/postgres:/var/lib/postgresql/data
+      - ./honcho/init-db.sql:/docker-entrypoint-initdb.d/init.sql:ro
+    networks:
+      - ai_backend
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U honcho -d honcho"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  honcho-redis:
+    image: redis:8
+    container_name: honcho-redis
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:6379:6379"
+    volumes:
+      - /mnt/HoardingCow_docker_data/Honcho/redis:/data
+    networks:
+      - ai_backend
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
 networks:
   ai_net:
     external: true

ai/hermes/Dockerfile

@@ -1,50 +1,68 @@
-# 1. On récupère la version la plus récente d'UV
-FROM ghcr.io/astral-sh/uv:latest AS uv_source
+# syntax=docker/dockerfile:1
+# Hermes Agent -- custom fork build
+# Builds on top of official image + overlays our forked source from Gitea.
+# Requires Docker BuildKit. Pass SSH agent for git clone:
+#   docker compose build hermes
+# Or manually:
+#   DOCKER_BUILDKIT=1 docker build --ssh default -t hermes-agent:custom .
 
-# 2. Image officielle Hermes Agent de NousResearch
-# Contient déjà: Python, Node.js, npm, Playwright/Chromium, venv, tts_tool.py, etc.
+# ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ----------
 FROM nousresearch/hermes-agent:latest
 
-# ---------- System dependencies ----------
-# The official hermes-agent image already has: git, curl, ffmpeg, python3,
-# gcc, build-essential, openssh-client, procps, tini, ripgrep, docker-cli,
-# libportaudio2, ca-certificates, etc.
-#
-# These extras we need to add back:
-#   - poppler-utils, imagemagick  (PDF/image processing)
-#   - texlive-*                   (LaTeX typesetting for reports)
-#   - qemu-user-static, binfmt-support (QEMU cross-compilation)
-#   - emacs-nox                   (text editing in container)
+# ---------- Overlay our forked source ----------
+# Uses SSH agent forwarding from the build host (no key baked into image).
+# --exclude node_modules/.venv keeps the base image's pre-built layers intact.
+# Only the Python source, web UI source, and config change.
+RUN --mount=type=ssh \
+    mkdir -p /root/.ssh && \
+    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
+    cd /tmp && \
+    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
+    git clone --depth 1 --branch main \
+    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
+    rm -rf fork/node_modules fork/.venv fork/.git && \
+    cp -a fork/. /opt/hermes/ && \
+    rm -rf /tmp/fork /root/.ssh/
+
+# ---------- Reinstall Python package (editable) ----------
+# Picks up source changes from our fork.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir --no-deps -e /opt/hermes
+
+# ---------- Extra system deps ----------
 USER root
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-        libportaudio2 \
-        ca-certificates \
-        poppler-utils \
-        imagemagick \
-        texlive-latex-base \
-        texlive-latex-extra \
-        texlive-fonts-recommended \
-        texlive-xetex \
-        texlive-science \
-        qemu-user-static \
-        binfmt-support \
-        emacs-nox && \
+        libportaudio2 ca-certificates poppler-utils imagemagick \
+        libolm-dev \
+        texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
+        texlive-xetex texlive-science \
+        qemu-user-static binfmt-support emacs-nox && \
     rm -rf /var/lib/apt/lists/*
 
-# ---------- UV (hyperfast pip alternative) ----------
-COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/
+# ---------- UV ----------
+COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
+
+# ---------- Matrix bridge + extra pip deps ----------
+# Previously installed inline at container startup and persisted via volume mount.
+# Now baked into the image so the fragile venv volume mount can be removed.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
 
 WORKDIR /opt/hermes
 
-# ---------- Piper TTS dans le venv existant ----------
-# Le venv de l'image de base est root-owned, on doit installer en root aussi
+# ---------- Matrix bridge + extra pip deps ----------
+# Previously installed inline at container startup and persisted via volume mount.
+# Now baked into the image so the fragile venv volume mount can be removed.
 RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
 
-# ---------- Télécharger la voix Piper Ryan (high quality) ----------
-RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
-    /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+# ---------- Piper TTS ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
+    mkdir -p /opt/hermes/.venv/share/piper/voices
+
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
 import urllib.request
 base = '/opt/hermes/.venv/share/piper/voices'
 url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
@@ -52,22 +70,34 @@ urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
 PYEOF
 
-# ---------- Patch tts_tool.py: remplacer Edge TTS par Piper ----------
-# Edge TTS appelle les serveurs Microsoft — on ne veut jamais ça.
-# Piper roule localement sur CPU, aucun cloud, aucune donnée qui sort.
-COPY patch_tts_tool.py /tmp/patch_tts_tool.py
-RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py
+# ---------- Install Himalaya email CLI ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request, tarfile, os, shutil
+url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
+tgz = '/tmp/himalaya.tgz'
+urllib.request.urlretrieve(url, tgz)
+with tarfile.open(tgz) as t:
+    t.extractall('/tmp')
+shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
+os.chmod('/usr/local/bin/himalaya', 0o755)
+os.remove(tgz)
+print('himalaya v1.2.0 installed')
+PYEOF
+
+# ---------- Install multi-gateway launcher ----------
+# Launches one gateway process per profile (HERMES_PROFILES env var)
+COPY --chmod=0755 run-multi-gateways.sh /usr/local/bin/run-multi-gateways.sh
 
 # ---------- Runtime ----------
-# Retour à l'utilisateur non-root pour la sécurité
 USER hermes
-
 ENV HERMES_HOME=/opt/data
 ENV PATH="/opt/data/.local/bin:${PATH}"
+# Point browser tool to Playwright's Chromium (already in base image)
+ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
 
-VOLUME [ "/opt/data" ]
+# Ensure tools directory and toolsets.py are writable by the hermes runtime user
+# so custom tools can be injected from the persistent volume at startup.
+USER root
+RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
 
-# Script de réparation des permissions + patch TTS au démarrage
-COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
-
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]
+VOLUME [ "/opt/data" ]

ai/hermes/fix-permissions.sh

@@ -1,38 +0,0 @@
-#!/bin/bash
-# Startup permission fix + TTS patch.
-# Runs as root before the entrypoint drops to the hermes user.
-set -e
-
-HERMES_HOME="${HERMES_HOME:-/opt/data}"
-
-# Fix ownership on critical writable directories
-chown -R hermes:hermes \
-  "$HERMES_HOME/sessions" \
-  "$HERMES_HOME/checkpoints" \
-  "$HERMES_HOME/skills" \
-  "$HERMES_HOME/memories" \
-  "$HERMES_HOME/workspace" \
-  "$HERMES_HOME/pastes" \
-  "$HERMES_HOME/logs" \
-  "$HERMES_HOME/cron" \
-  "$HERMES_HOME/plans" \
-  "$HERMES_HOME/hooks" \
-  "$HERMES_HOME/cache" \
-  2>/dev/null || true
-
-# Fix data volume root ownership
-if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
-  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
-fi
-
-# ---------- Patch tts_tool.py: replace Edge TTS with Piper ----------
-# Fallback runtime patch in case the volume's site-packages differ from the image.
-# Idempotent: if already patched, the script does nothing.
-PATCH_SCRIPT="/opt/hermes/patch_tts_tool.py"
-if [ -f "$PATCH_SCRIPT" ]; then
-  echo "Applying TTS patch (Piper only, no Edge fallback)..."
-  /opt/hermes/.venv/bin/python3 "$PATCH_SCRIPT" 2>&1 || true
-fi
-
-# Chain to the official Hermes entrypoint
-exec /opt/hermes/docker/entrypoint.sh "$@"

ai/hermes/run-multi-gateways.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Multi-gateway launcher for HERMES_PROFILES env var.
+# Reads comma-separated profile names, spawns one gateway per profile.
+# Designed to run before the main entrypoint — gateways run in background.
+set -e
+
+if [ -z "${HERMES_PROFILES}" ]; then
+  echo "HERMES_PROFILES not set — skipping multi-gateway launch"
+  exit 0
+fi
+
+# Source venv to make 'hermes' available (entrypoint.sh sources it later,
+# but we need it NOW for the background gateways)
+HERMES_BIN="/opt/hermes/.venv/bin/hermes"
+if [ ! -x "$HERMES_BIN" ]; then
+  echo "ERROR: hermes binary not found at $HERMES_BIN"
+  exit 1
+fi
+
+mkdir -p /opt/data/logs
+
+IFS=',' read -ra PROFILES <<< "${HERMES_PROFILES}"
+for profile in "${PROFILES[@]}"; do
+  profile="$(echo "${profile}" | xargs)"  # trim whitespace
+  [ -z "${profile}" ] && continue
+
+  echo "Starting gateway for profile: ${profile}"
+  nohup env API_SERVER_ENABLED=false API_SERVER_KEY= gosu hermes "$HERMES_BIN" --profile "${profile}" gateway run \
+      >> "/opt/data/logs/gateway-${profile}.log" 2>&1 &
+done
+
+echo "All gateways launched: ${HERMES_PROFILES}"

ai/honcho/Dockerfile

@@ -0,0 +1,74 @@
+# build stage — fetches and builds Honcho from source
+FROM python:3.13-slim-bookworm AS honcho-builder
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=ghcr.io/astral-sh/uv:0.9.24 /uv /bin/uv
+
+ARG HONCHO_REPO=https://github.com/plastic-labs/honcho
+ARG HONCHO_REF=main
+RUN git clone --depth 1 --branch ${HONCHO_REF} ${HONCHO_REPO} /app
+
+WORKDIR /app
+
+ENV UV_COMPILE_BYTECODE=1
+ENV UV_LINK_MODE=copy
+ENV UV_PYTHON=/usr/local/bin/python3.13
+
+RUN uv sync --frozen
+
+# build stage — builds OpenConcho SPA
+FROM node:22-bookworm AS openconcho-builder
+
+ENV PNPM_HOME=/pnpm
+ENV PATH=$PNPM_HOME:$PATH
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+WORKDIR /app
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+
+ARG OPENCONCHO_SHA=e490d911fcb27ee193558fd9a28856cde2057665
+RUN git clone --depth 1 https://github.com/offendingcommit/openconcho.git /app && \
+    git -C /app fetch --depth 1 origin ${OPENCONCHO_SHA} && \
+    git -C /app checkout ${OPENCONCHO_SHA}
+
+RUN pnpm install --frozen-lockfile
+RUN pnpm --filter @openconcho/web build
+
+# runtime stage — nginx + Honcho FastAPI
+FROM python:3.13-slim-bookworm
+
+# Install nginx and create runtime dirs before dropping permissions
+RUN apt-get update && apt-get install -y --no-install-recommends nginx && \
+    rm -rf /var/log/nginx/* && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm -f /etc/nginx/sites-enabled/default
+
+# Patch nginx.conf: comment out "user www-data;" so nginx master stays as root
+# (workers inherit root inside a container — fine for single-service isolation)
+RUN sed -i 's/^user /# user /' /etc/nginx/nginx.conf
+
+# Pre-create nginx runtime directories with proper ownership
+RUN mkdir -p /var/lib/nginx/body /var/lib/nginx/proxy /var/lib/nginx/fastcgi \
+             /var/lib/nginx/uwsgi /var/lib/nginx/scgi /var/lib/nginx/proxy_temp \
+             /var/cache/nginx && \
+    chown -R root:root /var/lib/nginx /var/cache/nginx
+
+# Honcho
+COPY --from=honcho-builder /app /app
+WORKDIR /app
+ENV PATH="/app/.venv/bin:$PATH"
+ENV HOME=/app
+COPY config.toml /app/config.toml
+
+# OpenConcho SPA
+COPY --from=openconcho-builder /app/packages/web/dist /usr/share/nginx/html
+
+# nginx config (proxies /v3/, /v2/ to Honcho on localhost:8000)
+COPY honcho-nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+
+CMD ["sh", "-c", "nginx -g 'daemon off;' & fastapi run --host 127.0.0.1 --port 8000 src/main.py & python3 -m src.deriver & wait -n"]

ai/honcho/config.toml

@@ -0,0 +1,117 @@
+[app]
+LOG_LEVEL = "INFO"
+MAX_MESSAGE_SIZE = 25000
+EMBED_MESSAGES = true
+NAMESPACE = "honcho"
+
+[db]
+CONNECTION_URI = "postgresql+psycopg://honcho:honcho_pass@honcho-db:5432/honcho"
+SCHEMA = "public"
+POOL_SIZE = 10
+MAX_OVERFLOW = 20
+
+[auth]
+USE_AUTH = false
+
+[sentry]
+ENABLED = false
+
+[telemetry]
+ENABLED = false
+
+[webhook]
+ENABLED = false
+
+[cache]
+ENABLED = true
+URL = "redis://honcho-redis:6379/0"
+
+[llm]
+DEFAULT_MAX_TOKENS = 4096
+
+# Embeddings via Ollama — bge-m3 provides 1024-dim
+[embedding]
+VECTOR_DIMENSIONS = 1024
+MAX_INPUT_TOKENS = 8192
+
+[embedding.model_config]
+transport = "openai"
+model = "bge-m3"
+overrides = {base_url = "http://ollama:11434/v1", api_key = "ollama"}
+
+# --- Deriver ---
+[deriver]
+ENABLED = true
+WORKERS = 1
+POLLING_SLEEP_INTERVAL_SECONDS = 5.0
+FLUSH_ENABLED = true
+
+[deriver.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Dialectic ---
+[dialectic]
+MAX_INPUT_TOKENS = 4096
+SESSION_HISTORY_MAX_TOKENS = 8192
+
+[dialectic.levels.minimal]
+MAX_TOOL_ITERATIONS = 1
+MAX_OUTPUT_TOKENS = 512
+[dialectic.levels.minimal.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.low]
+MAX_TOOL_ITERATIONS = 3
+[dialectic.levels.low.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.medium]
+MAX_TOOL_ITERATIONS = 2
+[dialectic.levels.medium.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.high]
+MAX_TOOL_ITERATIONS = 4
+[dialectic.levels.high.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.max]
+MAX_TOOL_ITERATIONS = 10
+[dialectic.levels.max.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Summary ---
+[summary]
+ENABLED = true
+MESSAGES_PER_SHORT_SUMMARY = 20
+MESSAGES_PER_LONG_SUMMARY = 60
+
+[summary.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Dream ---
+[dream]
+ENABLED = false
+
+# --- Peer Card ---
+[peer_card]
+ENABLED = true
+
+# --- Vector Store ---
+[vector_store]
+TYPE = "pgvector"
+# DIMENSIONS is deprecated — EMBEDDING.VECTOR_DIMENSIONS is authoritative

ai/honcho/honcho-nginx.conf

@@ -0,0 +1,52 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Honcho API proxy
+    location /v3/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /v2/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Honcho health
+    location /health {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OpenAPI docs
+    location /openapi.json {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # SPA: fallback to index.html for client-side routing
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}

ai/honcho/init-db.sql

@@ -0,0 +1 @@
+CREATE EXTENSION IF NOT EXISTS vector;

versioncontrol/compose.yml

@@ -10,6 +10,8 @@ services:
       - GITEA__actions__ENABLED=true
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
+      # Enable Gitea Actions (act_runner required on host)
+      - GITEA__actions__ENABLED=true
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks:
@@ -45,7 +47,7 @@ services:
     image: gitea/act_runner:latest
     container_name: act_runner
     environment:
-      - GITEA_INSTANCE_URL=http://gitea:3000
+      - GITEA_INSTANCE_URL=https://code.lazyworkhorse.net
       - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
       - GITEA_RUNNER_NAME=ai-host-runner
       - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04,nixos-builder:docker://nixos/nix

vpn/Dockerfile

@@ -0,0 +1,9 @@
+# Custom wg-easy with iptables-nft (nftables-backed iptables)
+# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
+FROM ghcr.io/wg-easy/wg-easy:latest
+
+# The upstream image registers only iptables-legacy with update-alternatives.
+# iptables-nft binary exists but isn't registered as an alternative key.
+# Override the alternatives-managed symlinks directly.
+RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
+    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables

vpn/compose.yml

@@ -2,7 +2,10 @@ version: "3.8"
 
 services:
   wireguard:
-    image: weejewel/wg-easy:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: wg-easy-iptables-nft:latest
     container_name: wireguard
     cap_add:
       - NET_ADMIN