feat: add custom Dockerfile with Hermes adapter baked in

Creates ai/paperclip/ with:
- Dockerfile: extends upstream paperclip image, pre-installs
  hermes-paperclip-adapter@0.3.0 npm package as seed data
- docker-entrypoint.sh: seeds the adapter plugin on first boot
  if the persistent volume is empty, then runs original startup

This ensures the Hermes adapter is available on first boot without
requiring network access — no npm install needed at runtime. The
adapter persists on the Docker volume across restarts.

ai/Dockerfile

@@ -1,33 +0,0 @@
-FROM debian:13.4
-
-# Install system dependencies for Hermes agent with headless browser automation
-# Single RUN layer to minimize image size.
-#   PR #7 base: curl, poppler-utils, imagemagick for document processing
-#   New: chromium + xvfb for headless browser automation
-#   New: fonts for comprehensive Unicode/CJK/emoji coverage
-#   New: runtime libs required by Chromium
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        curl \
-        poppler-utils \
-        imagemagick \
-        chromium \
-        xvfb \
-        fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
-        libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 && \
-    rm -rf /var/lib/apt/lists/*
-
-# Install uv (Python package manager)
-COPY --from=ghcr.io/astral-sh/uv:latest /usr/local/bin/uv /usr/local/bin/uv
-RUN uv --version
-
-# Verify all expected tools are available
-RUN curl --version && \
-    pdftotext -v 2>&1 | head -1 && \
-    pdfinfo -v 2>&1 | head -1 && \
-    pdftoppm -v 2>&1 | head -1 && \
-    convert --version | head -1 && \
-    identify --version | head -1 && \
-    chromium --version
-
-CMD ["/bin/bash"]

ai/compose.yml

@@ -54,10 +54,6 @@ services:
       - TZ=America/Montreal
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
-      # Syncthing-shared org files — read-only view of user's agenda
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
-      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -67,35 +63,6 @@ services:
     networks:
       - ai_backend
 
-  syncthing:
-    image: syncthing/syncthing:latest
-    container_name: syncthing
-    hostname: syncthing
-    restart: always
-    ports:
-      - "8384:8384"
-      - "22000:22000"
-      - "21027:21027/udp"
-    environment:
-      - TZ=America/Montreal
-    volumes:
-      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
-    networks:
-      - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-http.entrypoints=web"
-      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
-      - "traefik.http.routers.syncthing-https.tls=true"
-      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
-      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
-
   ollama:
     build:
       context: ./ollama
@@ -129,6 +96,62 @@ services:
       - "303"
       - "26"
 
+  paperclip-db:
+    image: postgres:17-alpine
+    container_name: paperclip-db
+    restart: always
+    environment:
+      POSTGRES_USER: paperclip
+      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
+      POSTGRES_DB: paperclip
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
+    networks:
+      - ai_backend
+
+  paperclip:
+    build:
+      context: ./paperclip
+    container_name: paperclip
+    restart: always
+    ports:
+      - "127.0.0.1:3100:3100"
+    environment:
+      - HOST=0.0.0.0
+      - PORT=3100
+      - SERVE_UI=true
+      - DATABASE_URL=postgres://paperclip:${PAPERCLIP_DB_PASSWORD}@paperclip-db:5432/paperclip
+      - BETTER_AUTH_SECRET=${PAPERCLIP_AUTH_SECRET:?PAPERCLIP_AUTH_SECRET must be set}
+      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
+      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
+      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
+    depends_on:
+      paperclip-db:
+        condition: service_healthy
+    networks:
+      - ai_net
+      - ai_backend
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-http.entrypoints=web"
+      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
+
+      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
+      - "traefik.http.routers.paperclip-https.tls=true"
+      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
+
 networks:
   ai_net:
     external: true

ai/paperclip/Dockerfile

@@ -0,0 +1,47 @@
+# syntax=docker/dockerfile:1.20
+FROM ghcr.io/paperclipai/paperclip:v2026.517.0
+
+# ── Install Hermes adapter npm package into seed directory ──────────
+# This seed data gets copied to the persistent volume on first boot
+# so the adapter is available without network access.
+USER root
+
+RUN npm install --no-save --prefix /opt/paperclip-seed/adapter-plugins \
+    hermes-paperclip-adapter@0.3.0
+
+# Create adapter-plugins.json metadata (Paperclip reads this on startup
+# to discover which external adapters to load)
+RUN mkdir -p /opt/paperclip-seed && python3 -c "
+import json
+record = {
+    'packageName': 'hermes-paperclip-adapter',
+    'version': '0.3.0',
+    'type': 'hermes',
+    'installedAt': '2026-05-18T00:00:00.000Z',
+}
+with open('/opt/paperclip-seed/adapter-plugins.json', 'w') as f:
+    json.dump([record], f, indent=2)
+"
+
+# Ensure the adapter-plugins dir has a package.json (Paperclip expects one)
+RUN python3 -c "
+import json
+pkg = {
+    'name': 'paperclip-adapter-plugins',
+    'version': '0.0.0',
+    'private': True,
+    'description': 'Managed directory for Paperclip external adapter plugins.',
+}
+with open('/opt/paperclip-seed/adapter-plugins/package.json', 'w') as f:
+    json.dump(pkg, f, indent=2)
+"
+
+# ── Custom entrypoint ──────────────────────────────────────────────
+# Seeds the Hermes adapter on fresh volumes, then runs original logic.
+COPY docker-entrypoint.sh /usr/local/bin/paperclip-entrypoint.sh
+RUN chmod +x /usr/local/bin/paperclip-entrypoint.sh
+
+USER node
+
+ENTRYPOINT ["/usr/local/bin/paperclip-entrypoint.sh"]
+CMD ["node", "--import", "./server/node_modules/tsx/dist/loader.mjs", "server/dist/index.js"]

ai/paperclip/docker-entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+
+# ── Seed Hermes adapter if volume is fresh ──────────────────────────
+PAPERCLIP_HOME="${PAPERCLIP_HOME:-/paperclip}"
+if [ ! -f "${PAPERCLIP_HOME}/adapter-plugins.json" ]; then
+    echo "[paperclip] Seeding Hermes adapter plugin..."
+    cp -r /opt/paperclip-seed/* "${PAPERCLIP_HOME}/"
+    chown -R "${USER_UID:-1000}:${USER_GID:-1000}" \
+        "${PAPERCLIP_HOME}/adapter-plugins" \
+        "${PAPERCLIP_HOME}/adapter-plugins.json"
+    echo "[paperclip] Hermes adapter seeded. Ready to create Hermes agents."
+fi
+
+# ── Original entrypoint logic (UID/GID adjustment) ──────────────────
+PUID="${USER_UID:-1000}"
+PGID="${USER_GID:-1000}"
+changed=0
+
+if [ "$(id -u node)" -ne "$PUID" ]; then
+    usermod -o -u "$PUID" node
+    changed=1
+fi
+
+if [ "$(id -g node)" -ne "$PGID" ]; then
+    groupmod -o -g "$PGID" node
+    usermod -g "$PGID" node
+    changed=1
+fi
+
+if [ "$changed" = "1" ]; then
+    chown -R node:node "${PAPERCLIP_HOME}"
+fi
+
+exec gosu node "$@"