switch-openconcho-to-fork

- Update Dockerfile to clone from code.lazyworkhorse.net/Hermes/honcho.git
  (uses build arg HONCHO_REPO, can be overridden at build time)
- Add config.toml volume mount from HoardingCow persistent path
- Use named volume honcho_data instead of host bind mount
- Declare honcho_data as external volume in top-level volumes section

ai/compose.yml

@@ -1,4 +1,3 @@
-version: "3.8"
 services:
 
   # webui:
@@ -32,13 +31,18 @@ services:
         - default
     container_name: hermes
     entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "bash /opt/data/hermes-tools/install.sh && bash /usr/local/bin/run-multi-gateways.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
       "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
+      - HERMES_DASHBOARD=1
+      # Multi-profile: comma-separated list of profiles to run as gateways.
+      # The entrypoint reads this and starts one gateway per profile.
+      # Add profiles here when they exist on disk (e.g. default,researcher,writer)
+      - HERMES_PROFILES=ashley,claire,finn,matt,paul
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -54,6 +58,10 @@ services:
       - TZ=America/Montreal
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+      # Syncthing-shared org files — read-only view of user's agenda
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
+      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -62,6 +70,62 @@ services:
       - "26"
     networks:
       - ai_backend
+      - ai_net
+    depends_on:
+      - honcho
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      # Router for HTTP + redirection to HTTPS
+      - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-http.entrypoints=web"
+      - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
+      - "traefik.http.routers.hermes-web-https.tls=true"
+      - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Service Loadbalancer (dashboard port 9119)
+      - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
+
+  syncthing:
+    image: syncthing/syncthing:latest
+    container_name: syncthing
+    hostname: syncthing
+    restart: always
+    ports:
+      - "8384:8384"
+      - "22000:22000"
+      - "21027:21027/udp"
+    environment:
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.tls=true"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
+      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
+
 
   ollama:
     build:
@@ -96,6 +160,92 @@ services:
       - "303"
       - "26"
 
+  # --- Honcho + OpenConcho combiné: API + Web UI nginx/FastAPI ---
+  honcho:
+    build:
+      context: ./honcho
+      ssh:
+        - default
+    container_name: honcho
+    restart: unless-stopped
+    environment:
+      - DB_CONNECTION_URI=postgresql+psycopg://honcho:honcho_pass@honcho-db:5432/honcho
+      - CACHE_URL=redis://honcho-redis:6379/0
+      - CACHE_ENABLED=true
+      - EMBEDDING_VECTOR_DIMENSIONS=1024
+      - AUTH_USE_AUTH=true
+      - AUTH_JWT_SECRET=${HONCHO_AUTH_JWT_SECRET}
+      # Needed by deriver/dream to make LLM calls (api_key_env = "HONCHO_OPENAI_API_KEY" in config.toml)
+      - HONCHO_OPENAI_API_KEY=${HONCHO_OPENAI_API_KEY}
+    volumes:
+      - honcho_data:/app/data
+      - /mnt/HoardingCow_docker_data/Honcho/config.toml:/app/config.toml:ro
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      # Router for HTTP + redirect to HTTPS
+      - "traefik.http.routers.honcho-http.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-http.entrypoints=web"
+      - "traefik.http.routers.honcho-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.honcho-https.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-https.entrypoints=websecure"
+      - "traefik.http.routers.honcho-https.tls=true"
+      - "traefik.http.routers.honcho-https.tls.certresolver=njalla"
+      - "traefik.http.routers.honcho-https.middlewares=hermes-auth"
+
+      # Service Loadbalancer (nginx port)
+      - "traefik.http.services.honcho.loadbalancer.server.port=80"
+    depends_on:
+      honcho-db:
+        condition: service_healthy
+      honcho-redis:
+        condition: service_healthy
+
+  honcho-db:
+    image: pgvector/pgvector:pg15
+    container_name: honcho-db
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:5432:5432"
+    command: ["postgres", "-c", "max_connections=200"]
+    environment:
+      - POSTGRES_DB=honcho
+      - POSTGRES_USER=honcho
+      - POSTGRES_PASSWORD=honcho_pass
+      - PGDATA=/var/lib/postgresql/data/pgdata
+    volumes:
+      - /mnt/HoardingCow_docker_data/Honcho/postgres:/var/lib/postgresql/data
+      - ./honcho/init-db.sql:/docker-entrypoint-initdb.d/init.sql:ro
+    networks:
+      - ai_backend
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U honcho -d honcho"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  honcho-redis:
+    image: redis:8
+    container_name: honcho-redis
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:6379:6379"
+    volumes:
+      - /mnt/HoardingCow_docker_data/Honcho/redis:/data
+    networks:
+      - ai_backend
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
 networks:
   ai_net:
     external: true
@@ -104,6 +254,11 @@ networks:
     driver: bridge
     name: ai_backend
 
+volumes:
+  honcho_data:
+    external: true
+    name: honcho_data
+    
   # llama_cpp_devstral:
   #   image: ghcr.io/ggml-org/llama.cpp:server-rocm
   #   container_name: llama_cpp_devstral

ai/hermes/Dockerfile

@@ -20,16 +20,10 @@ RUN --mount=type=ssh \
     GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
     git clone --depth 1 --branch main \
     git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
-    rsync -a --delete fork/ /opt/hermes/ \
-      --exclude node_modules \
-      --exclude .venv \
-      --exclude .git && \
+    rm -rf fork/node_modules fork/.venv fork/.git && \
+    cp -a fork/. /opt/hermes/ && \
     rm -rf /tmp/fork /root/.ssh/
 
-# ---------- Rebuild web UI ----------
-# Source files changed; node_modules (from base image) reused.
-RUN cd /opt/hermes && npm run build
-
 # ---------- Reinstall Python package (editable) ----------
 # Picks up source changes from our fork.
 RUN . /opt/hermes/.venv/bin/activate && \
@@ -40,6 +34,7 @@ USER root
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         libportaudio2 ca-certificates poppler-utils imagemagick \
+        libolm-dev \
         texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
         texlive-xetex texlive-science \
         qemu-user-static binfmt-support emacs-nox && \
@@ -48,6 +43,20 @@ RUN apt-get update && \
 # ---------- UV ----------
 COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
 
+# ---------- Matrix bridge + extra pip deps ----------
+# Previously installed inline at container startup and persisted via volume mount.
+# Now baked into the image so the fragile venv volume mount can be removed.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
+
+WORKDIR /opt/hermes
+
+# ---------- Matrix bridge + extra pip deps ----------
+# Previously installed inline at container startup and persisted via volume mount.
+# Now baked into the image so the fragile venv volume mount can be removed.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
+
 # ---------- Piper TTS ----------
 RUN . /opt/hermes/.venv/bin/activate && \
     uv pip install --no-cache-dir piper-tts sounddevice numpy && \
@@ -75,9 +84,9 @@ os.remove(tgz)
 print('himalaya v1.2.0 installed')
 PYEOF
 
-# ---------- Install himalaya-ro wrapper ----------
-COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
-
+# ---------- Install multi-gateway launcher ----------
+# Launches one gateway process per profile (HERMES_PROFILES env var)
+COPY --chmod=0755 run-multi-gateways.sh /usr/local/bin/run-multi-gateways.sh
 
 # ---------- Runtime ----------
 USER hermes
@@ -88,6 +97,7 @@ ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
 
 # Ensure tools directory and toolsets.py are writable by the hermes runtime user
 # so custom tools can be injected from the persistent volume at startup.
+USER root
 RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
 
 VOLUME [ "/opt/data" ]

ai/hermes/himalaya-ro.sh

@@ -1,73 +0,0 @@
-#!/usr/bin/env bash
-# ─────────────────────────────────────────────────────────────
-# himalaya-ro — Read-only wrapper for himalaya
-#
-# Blocks destructive commands and logs audit trail.
-# Pass-through for read-only commands (list, read, search).
-#
-# Usage:  himalaya-ro [options] <command> [args...]
-#
-# Install: place in PATH before the real himalaya, or use
-#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
-# ─────────────────────────────────────────────────────────────
-set -o pipefail
-
-# ── Configuration ───────────────────────────────────────────
-HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
-AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
-
-# ── Destructive commands we block ──────────────────────────
-BLOCKED_CMDS=(
-  "message move"
-  "message delete"
-  "message copy"
-  "flag add"
-  "flag remove"
-  "folder create"
-  "folder delete"
-  "folder rename"
-  "template send"
-  "account configure"
-  "account delete"
-)
-
-# ── Determine the subcommand being invoked ─────────────────
-# Strip leading options (--account, --output, etc.) to find the verb
-ARGS=()
-SKIP_NEXT=false
-for arg in "$@"; do
-  if $SKIP_NEXT; then
-    SKIP_NEXT=false
-    continue
-  fi
-  if [[ "$arg" == --* ]]; then
-    case "$arg" in
-      --account|--output|--page|--page-size|--folder|--color|--format)
-        SKIP_NEXT=true ;;
-    esac
-    continue
-  fi
-  ARGS+=("$arg")
-done
-
-# Build subcommand string and check against blocklist
-CMD_STR=""
-for ((i=0; i<${#ARGS[@]}; i++)); do
-  if [ -z "$CMD_STR" ]; then
-    CMD_STR="${ARGS[$i]}"
-  else
-    CMD_STR="$CMD_STR ${ARGS[$i]}"
-  fi
-  for blocked in "${BLOCKED_CMDS[@]}"; do
-    if [[ "$CMD_STR" == "$blocked" ]]; then
-      TS=$(date '+%Y-%m-%d %H:%M:%S')
-      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
-      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
-      echo "       Audit log: $AUDIT_LOG" >&2
-      exit 100
-    fi
-  done
-done
-
-# ── Allow pass-through ─────────────────────────────────────
-exec "$HIMALAYA_BIN" "$@"

ai/hermes/run-multi-gateways.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Multi-gateway launcher for HERMES_PROFILES env var.
+# Reads comma-separated profile names, spawns one gateway per profile.
+# Designed to run before the main entrypoint — gateways run in background.
+set -e
+
+if [ -z "${HERMES_PROFILES}" ]; then
+  echo "HERMES_PROFILES not set — skipping multi-gateway launch"
+  exit 0
+fi
+
+# Source venv to make 'hermes' available (entrypoint.sh sources it later,
+# but we need it NOW for the background gateways)
+HERMES_BIN="/opt/hermes/.venv/bin/hermes"
+if [ ! -x "$HERMES_BIN" ]; then
+  echo "ERROR: hermes binary not found at $HERMES_BIN"
+  exit 1
+fi
+
+mkdir -p /opt/data/logs
+
+IFS=',' read -ra PROFILES <<< "${HERMES_PROFILES}"
+for profile in "${PROFILES[@]}"; do
+  profile="$(echo "${profile}" | xargs)"  # trim whitespace
+  [ -z "${profile}" ] && continue
+
+  echo "Starting gateway for profile: ${profile}"
+  nohup env API_SERVER_ENABLED=false API_SERVER_KEY= gosu hermes "$HERMES_BIN" --profile "${profile}" gateway run \
+      >> "/opt/data/logs/gateway-${profile}.log" 2>&1 &
+done
+
+echo "All gateways launched: ${HERMES_PROFILES}"

ai/honcho/Dockerfile

@@ -0,0 +1,75 @@
+# build stage — fetches and builds Honcho from source
+FROM python:3.13-slim-bookworm AS honcho-builder
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git openssh-client && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=ghcr.io/astral-sh/uv:0.9.24 /uv /bin/uv
+
+ARG HONCHO_REPO=ssh://git@code.lazyworkhorse.net:2222/Hermes/honcho.git
+ARG HONCHO_REF=main
+RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan -p 2222 code.lazyworkhorse.net >> ~/.ssh/known_hosts 2>/dev/null
+RUN --mount=type=ssh git clone --depth 1 --branch ${HONCHO_REF} ${HONCHO_REPO} /app
+
+WORKDIR /app
+
+ENV UV_COMPILE_BYTECODE=1
+ENV UV_LINK_MODE=copy
+ENV UV_PYTHON=/usr/local/bin/python3.13
+
+RUN uv sync --frozen
+
+# build stage — builds OpenConcho SPA
+FROM node:22-bookworm AS openconcho-builder
+
+ENV PNPM_HOME=/pnpm
+ENV PATH=$PNPM_HOME:$PATH
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+WORKDIR /app
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+
+ARG OPENCONCHO_SHA=3b5c3293fc18d768dbe85285264a8d66c896bd81
+RUN --mount=type=ssh git clone --depth 1 ssh://git@code.lazyworkhorse.net:2222/gortium/openconcho.git /app && \
+    git -C /app fetch --depth 1 origin ${OPENCONCHO_SHA} && \
+    git -C /app checkout ${OPENCONCHO_SHA}
+
+RUN pnpm install --frozen-lockfile
+RUN pnpm --filter @openconcho/web build
+
+# runtime stage — nginx + Honcho FastAPI
+FROM python:3.13-slim-bookworm
+
+# Install nginx and create runtime dirs before dropping permissions
+RUN apt-get update && apt-get install -y --no-install-recommends nginx && \
+    rm -rf /var/log/nginx/* && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm -f /etc/nginx/sites-enabled/default
+
+# Patch nginx.conf: comment out "user www-data;" so nginx master stays as root
+# (workers inherit root inside a container — fine for single-service isolation)
+RUN sed -i 's/^user /# user /' /etc/nginx/nginx.conf
+
+# Pre-create nginx runtime directories with proper ownership
+RUN mkdir -p /var/lib/nginx/body /var/lib/nginx/proxy /var/lib/nginx/fastcgi \
+             /var/lib/nginx/uwsgi /var/lib/nginx/scgi /var/lib/nginx/proxy_temp \
+             /var/cache/nginx && \
+    chown -R root:root /var/lib/nginx /var/cache/nginx
+
+# Honcho
+COPY --from=honcho-builder /app /app
+WORKDIR /app
+ENV PATH="/app/.venv/bin:$PATH"
+ENV HOME=/app
+COPY config.toml /app/config.toml
+
+# OpenConcho SPA
+COPY --from=openconcho-builder /app/packages/web/dist /usr/share/nginx/html
+
+# nginx config (proxies /v3/, /v2/ to Honcho on localhost:8000)
+COPY honcho-nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+
+CMD ["bash", "-c", "nginx -g 'daemon off;' & fastapi run --host 127.0.0.1 --port 8000 src/main.py & python3 -m src.deriver & wait -n"]

ai/honcho/config.toml

@@ -0,0 +1,132 @@
+[app]
+LOG_LEVEL = "INFO"
+MAX_MESSAGE_SIZE = 25000
+EMBED_MESSAGES = true
+NAMESPACE = "honcho"
+
+[db]
+CONNECTION_URI = "postgresql+psycopg://honcho:honcho_pass@honcho-db:5432/honcho"
+SCHEMA = "public"
+POOL_SIZE = 10
+MAX_OVERFLOW = 20
+
+[auth]
+USE_AUTH = false
+
+[sentry]
+ENABLED = false
+
+[telemetry]
+ENABLED = false
+
+[webhook]
+ENABLED = false
+
+[cache]
+ENABLED = true
+URL = "redis://honcho-redis:6379/0"
+
+[llm]
+DEFAULT_MAX_TOKENS = 4096
+
+# Embeddings via Ollama — bge-m3 provides 1024-dim
+[embedding]
+VECTOR_DIMENSIONS = 1024
+MAX_INPUT_TOKENS = 8192
+
+[embedding.model_config]
+transport = "openai"
+model = "bge-m3"
+overrides = {base_url = "http://ollama:11434/v1", api_key = "ollama"}
+
+# --- Deriver ---
+[deriver]
+ENABLED = true
+WORKERS = 1
+POLLING_SLEEP_INTERVAL_SECONDS = 5.0
+FLUSH_ENABLED = true
+
+[deriver.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Dialectic ---
+[dialectic]
+MAX_INPUT_TOKENS = 4096
+SESSION_HISTORY_MAX_TOKENS = 8192
+
+[dialectic.levels.minimal]
+MAX_TOOL_ITERATIONS = 1
+MAX_OUTPUT_TOKENS = 512
+[dialectic.levels.minimal.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.low]
+MAX_TOOL_ITERATIONS = 3
+[dialectic.levels.low.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.medium]
+MAX_TOOL_ITERATIONS = 2
+[dialectic.levels.medium.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.high]
+MAX_TOOL_ITERATIONS = 4
+[dialectic.levels.high.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.max]
+MAX_TOOL_ITERATIONS = 10
+[dialectic.levels.max.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Summary ---
+[summary]
+ENABLED = true
+MESSAGES_PER_SHORT_SUMMARY = 20
+MESSAGES_PER_LONG_SUMMARY = 60
+
+[summary.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Dream ---
+[dream]
+ENABLED = true
+
+[dream.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dream.deduction_model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dream.induction_model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Peer Card ---
+[peer_card]
+ENABLED = true
+
+# --- Vector Store ---
+[vector_store]
+TYPE = "pgvector"
+# DIMENSIONS is deprecated — EMBEDDING.VECTOR_DIMENSIONS is authoritative

ai/honcho/honcho-nginx.conf

@@ -0,0 +1,52 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Honcho API proxy
+    location /v3/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /v2/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Honcho health
+    location /health {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OpenAPI docs
+    location /openapi.json {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # SPA: fallback to index.html for client-side routing
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}

ai/honcho/init-db.sql

@@ -0,0 +1 @@
+CREATE EXTENSION IF NOT EXISTS vector;

versioncontrol/compose.yml

@@ -8,13 +8,10 @@ services:
       - USER_GID=1000
       - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
       - GITEA__actions__ENABLED=true
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
       # Enable Gitea Actions (act_runner required on host)
       - GITEA__actions__ENABLED=true
-      # Don't fetch actions from GitHub (offline mode + local only)
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks: