Merge PR #11: feat(ai): add emacs-nox (PR 5/5)

# Conflicts:
#	ai/Dockerfile

ai/Dockerfile

@@ -0,0 +1,69 @@
+FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source
+FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source
+FROM debian:13.4
+
+# Disable Python stdout buffering to ensure logs are printed immediately
+ENV PYTHONUNBUFFERED=1
+
+# Store Playwright browsers outside the volume mount so the build-time
+# install survives the /opt/data volume overlay at runtime.
+ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
+
+# Install system dependencies in one layer, clear APT cache
+# tini reaps orphaned zombie processes (MCP stdio subprocesses, git, bun, etc.)
+# that would otherwise accumulate when hermes runs as PID 1. See #15012.
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
+        curl poppler-utils imagemagick \
+        chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
+        libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \
+        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
+        qemu-user-static binfmt-support qemu-user-binfmt \
+        emacs-nox && \
+    rm -rf /var/lib/apt/lists/*
+
+# Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
+RUN useradd -u 10000 -m -d /opt/data hermes
+
+COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
+COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/
+
+WORKDIR /opt/hermes
+
+# ---------- Layer-cached dependency install ----------
+# Copy only package manifests first so npm install + Playwright are cached
+# unless the lockfiles themselves change.
+COPY package.json package-lock.json ./
+COPY web/package.json web/package-lock.json web/
+
+RUN npm install --prefer-offline --no-audit && \
+    npx playwright install --with-deps chromium --only-shell && \
+    (cd web && npm install --prefer-offline --no-audit) && \
+    npm cache clean --force
+
+# ---------- Source code ----------
+# .dockerignore excludes node_modules, so the installs above survive.
+COPY --chown=hermes:hermes . .
+
+# Build web dashboard (Vite outputs to hermes_cli/web_dist/)
+RUN cd web && npm run build
+
+# ---------- Permissions ----------
+# Make install dir world-readable so any HERMES_UID can read it at runtime.
+# The venv needs to be traversable too.
+USER root
+RUN chmod -R a+rX /opt/hermes
+# Start as root so the entrypoint can usermod/groupmod + gosu.
+# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000).
+
+# ---------- Python virtualenv ----------
+RUN uv venv && \
+    uv pip install --no-cache-dir -e ".[all]"
+
+# ---------- Runtime ----------
+ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
+ENV HERMES_HOME=/opt/data
+ENV PATH="/opt/data/.local/bin:${PATH}"
+VOLUME [ "/opt/data" ]
+ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]

ai/compose.yml

@@ -52,10 +52,6 @@ services:
       - ROCR_VISIBLE_DEVICES=0,1
       - HSA_ENABLE_SDMA=0
       - TZ=America/Montreal
-      # Hermes Workspace dashboard (port 9119) — enables multi-agent web UI
-      - HERMES_DASHBOARD=1
-      - HERMES_DASHBOARD_HOST=0.0.0.0
-      - HERMES_DASHBOARD_PORT=9119
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
       # Syncthing-shared org files — read-only view of user's agenda
@@ -70,36 +66,6 @@ services:
       - "26"
     networks:
       - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=ai_net"
-
-      # Router for HTTP + redirect to HTTPS
-      - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
-      - "traefik.http.routers.hermes-web-http.entrypoints=web"
-      - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
-
-      # Router for HTTPS with TLS — protected by Authelia
-      - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
-      - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
-      - "traefik.http.routers.hermes-web-https.tls=true"
-      - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
-      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
-
-      # Authelia forwardAuth
-      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
-      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
-      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
-
-      # Service Loadbalancer (dashboard port 9119)
-      - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
-    healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8642/health && curl -fsS http://localhost:9119/api/status || exit 1"]
-      interval: 15s
-      timeout: 5s
-      retries: 5
-      start_period: 60s
 
   syncthing:
     image: syncthing/syncthing:latest
@@ -163,46 +129,6 @@ services:
       - "303"
       - "26"
 
-  # ── Hermes Workspace (combined image) ────────────────────────
-  # Web UI + Swarm worker support. Uses custom combined image with
-  # our Hermes fork + workspace web UI + tmux for Swarm workers.
-  hermes-workspace:
-    build:
-      context: ./hermes-workspace
-      ssh:
-        - default
-    container_name: hermes-workspace
-    restart: unless-stopped
-    depends_on:
-      hermes:
-        condition: service_healthy
-    environment:
-      HERMES_API_URL: http://hermes:8642
-      HERMES_DASHBOARD_URL: http://hermes:9119
-      HERMES_API_TOKEN: hermes_local_key
-      HERMES_PASSWORD: ${HERMES_WORKSPACE_PASSWORD:?must be set}
-      COOKIE_SECURE: "1"
-    volumes:
-      - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
-    networks:
-      - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=ai_net"
-
-      - "traefik.http.routers.workspace-http.rule=Host(`workspace.lazyworkhorse.net`)"
-      - "traefik.http.routers.workspace-http.entrypoints=web"
-      - "traefik.http.routers.workspace-http.middlewares=redirect-to-https"
-
-      - "traefik.http.routers.workspace-https.rule=Host(`workspace.lazyworkhorse.net`)"
-      - "traefik.http.routers.workspace-https.entrypoints=websecure"
-      - "traefik.http.routers.workspace-https.tls=true"
-      - "traefik.http.routers.workspace-https.tls.certresolver=njalla"
-
-      - "traefik.http.services.workspace.loadbalancer.server.port=3000"
-# ─────────────────────────────────────────────────────────────
-
 networks:
   ai_net:
     external: true

ai/hermes-workspace/Dockerfile

@@ -1,129 +0,0 @@
-# syntax=docker/dockerfile:1
-# Hermes Agent + Hermes Workspace — combined image
-# Builds on top of official image + our forked source + workspace UI.
-# Supports Swarm Mode (tmux workers) in a single container.
-# Requires Docker BuildKit. Pass SSH agent for git clone:
-#   docker compose build hermes-workspace
-
-# ---------- Stage 1: Build Hermes Workspace (web UI) ----------
-FROM node:22-slim AS workspace-build
-
-WORKDIR /app
-
-# Install pnpm and git
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates git curl \
-    && rm -rf /var/lib/apt/lists/* \
-    && corepack enable
-
-# Clone workspace source (pinned to a known-good commit on main)
-RUN git clone --depth 1 --branch main \
-    https://github.com/outsourc-e/hermes-workspace.git /app/workspace-src \
-    && rm -rf /app/workspace-src/.git
-
-WORKDIR /app/workspace-src
-
-# Install deps and build
-RUN pnpm install --frozen-lockfile && pnpm build
-
-# ---------- Stage 2: Hermes Agent + Workspace runtime ----------
-FROM nousresearch/hermes-agent:latest
-
-# ---------- Install tmux for Swarm workers + curl for health checks ----------
-# Note: Node.js is already shipped with the base hermets-agent image; apt's nodejs
-# would be older and could conflict. Only add what's missing.
-USER root
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    tmux curl \
-    && rm -rf /var/lib/apt/lists/*
-
-# ---------- Overlay our forked Hermes source ----------
-RUN --mount=type=ssh \
-    mkdir -p /root/.ssh && \
-    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
-    cd /tmp && \
-    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
-    git clone --depth 1 --branch main \
-    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
-    rsync -a --delete fork/ /opt/hermes/ \
-      --exclude node_modules \
-      --exclude .venv \
-      --exclude .git && \
-    rm -rf /tmp/fork /root/.ssh/
-
-# ---------- Rebuild web UI ----------
-RUN cd /opt/hermes && npm run build
-
-# ---------- Reinstall Python package ----------
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir --no-deps -e /opt/hermes
-
-# ---------- Extra system deps ----------
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    libportaudio2 ca-certificates poppler-utils imagemagick \
-    texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
-    texlive-xetex texlive-science \
-    qemu-user-static binfmt-support emacs-nox \
-    && rm -rf /var/lib/apt/lists/*
-
-# ---------- UV ----------
-COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
-
-# ---------- Piper TTS ----------
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
-    mkdir -p /opt/hermes/.venv/share/piper/voices
-
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import urllib.request
-base = '/opt/hermes/.venv/share/piper/voices'
-url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
-urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
-urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
-PYEOF
-
-# ---------- Install Himalaya email CLI ----------
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import urllib.request, tarfile, os, shutil
-url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
-tgz = '/tmp/himalaya.tgz'
-urllib.request.urlretrieve(url, tgz)
-with tarfile.open(tgz) as t:
-    t.extractall('/tmp')
-shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
-os.chmod('/usr/local/bin/himalaya', 0o755)
-os.remove(tgz)
-print('himalaya v1.2.0 installed')
-PYEOF
-
-# ---------- Install himalaya-ro wrapper ----------
-COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
-
-# ---------- Copy Hermes Workspace build artifacts ----------
-COPY --from=workspace-build --chown=hermes:hermes \
-    /app/workspace-src/dist /workspace/dist
-COPY --from=workspace-build --chown=hermes:hermes \
-    /app/workspace-src/node_modules /workspace/node_modules
-COPY --from=workspace-build --chown=hermes:hermes \
-    /app/workspace-src/package.json /workspace/
-COPY --from=workspace-build --chown=hermes:hermes \
-    /app/workspace-src/server-entry.js /workspace/
-COPY --from=workspace-build --chown=hermes:hermes \
-    /app/workspace-src/skills /workspace/skills
-COPY --chmod=0755 entrypoint-combined.sh /usr/local/bin/entrypoint-combined.sh
-
-# ---------- Runtime ----------
-USER hermes
-ENV HERMES_HOME=/opt/data
-ENV PATH="/opt/data/.local/bin:${PATH}"
-ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
-ENV HOST=0.0.0.0
-ENV NODE_ENV=production
-
-RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
-
-VOLUME [ "/opt/data" ]
-
-EXPOSE 8642 9119 3000
-
-ENTRYPOINT ["/usr/bin/tini", "-g", "--", "/usr/local/bin/entrypoint-combined.sh"]

ai/hermes-workspace/entrypoint-combined.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-set -e
-
-# ── Hermes Workspace + Swarm Worker Entrypoint ──
-# Starts Hermes Workspace web UI (port 3000) and makes
-# hermes CLI + tmux available for Swarm workers.
-# The Hermes gateway runs in a separate container (hermes:8642).
-# Swarm workers spawned here connect to the gateway via HTTP.
-# ──────────────────────────────────────────────────────────
-
-# Install custom tools from persistent volume
-if [ -f /opt/data/hermes-tools/install.sh ]; then
-  bash /opt/data/hermes-tools/install.sh || true
-fi
-
-# Wait for Hermes gateway to be healthy before starting workspace
-if [ -n "${HERMES_API_URL:-}" ]; then
-  echo "Waiting for Hermes gateway..."
-  for i in $(seq 1 30); do
-    if curl -fsS "${HERMES_API_URL}/health" >/dev/null 2>&1; then
-      echo "Gateway healthy after ${i}s"
-      break
-    fi
-    if [ "$i" -eq 30 ]; then
-      echo "WARNING: Gateway not healthy after 30s, starting workspace anyway"
-    fi
-    sleep 1
-  done
-fi
-
-# Start Hermes Workspace in foreground
-cd /workspace
-exec node --max-old-space-size=2048 server-entry.js

ai/hermes-workspace/himalaya-ro.sh

@@ -1,73 +0,0 @@
-#!/usr/bin/env bash
-# ─────────────────────────────────────────────────────────────
-# himalaya-ro — Read-only wrapper for himalaya
-#
-# Blocks destructive commands and logs audit trail.
-# Pass-through for read-only commands (list, read, search).
-#
-# Usage:  himalaya-ro [options] <command> [args...]
-#
-# Install: place in PATH before the real himalaya, or use
-#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
-# ─────────────────────────────────────────────────────────────
-set -o pipefail
-
-# ── Configuration ───────────────────────────────────────────
-HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
-AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
-
-# ── Destructive commands we block ──────────────────────────
-BLOCKED_CMDS=(
-  "message move"
-  "message delete"
-  "message copy"
-  "flag add"
-  "flag remove"
-  "folder create"
-  "folder delete"
-  "folder rename"
-  "template send"
-  "account configure"
-  "account delete"
-)
-
-# ── Determine the subcommand being invoked ─────────────────
-# Strip leading options (--account, --output, etc.) to find the verb
-ARGS=()
-SKIP_NEXT=false
-for arg in "$@"; do
-  if $SKIP_NEXT; then
-    SKIP_NEXT=false
-    continue
-  fi
-  if [[ "$arg" == --* ]]; then
-    case "$arg" in
-      --account|--output|--page|--page-size|--folder|--color|--format)
-        SKIP_NEXT=true ;;
-    esac
-    continue
-  fi
-  ARGS+=("$arg")
-done
-
-# Build subcommand string and check against blocklist
-CMD_STR=""
-for ((i=0; i<${#ARGS[@]}; i++)); do
-  if [ -z "$CMD_STR" ]; then
-    CMD_STR="${ARGS[$i]}"
-  else
-    CMD_STR="$CMD_STR ${ARGS[$i]}"
-  fi
-  for blocked in "${BLOCKED_CMDS[@]}"; do
-    if [[ "$CMD_STR" == "$blocked" ]]; then
-      TS=$(date '+%Y-%m-%d %H:%M:%S')
-      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
-      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
-      echo "       Audit log: $AUDIT_LOG" >&2
-      exit 100
-    fi
-  done
-done
-
-# ── Allow pass-through ─────────────────────────────────────
-exec "$HIMALAYA_BIN" "$@"

env/.env.example.paperclip

@@ -0,0 +1,26 @@
+# Paperclip Environment Variables
+# Copy this file to your .env (at the compose root or docker-compose working directory)
+# and fill in the secrets.
+#
+#   cp env/.env.example.paperclip .env
+#
+# Then reference it from compose.yml:
+#   env_file:
+#     - path: .env
+#       required: true
+
+# ---------------------------------------------------------------------------
+# Database
+# ---------------------------------------------------------------------------
+# PostgreSQL password for the paperclip-db service.
+# Generate a strong random password:
+#   openssl rand -base64 32
+PAPERCLIP_DB_PASSWORD=change_me_to_a_strong_random_password
+
+# ---------------------------------------------------------------------------
+# Authentication
+# ---------------------------------------------------------------------------
+# Secret key used by Better Auth for signing and verifying tokens.
+# Generate a strong random secret:
+#   openssl rand -base64 32
+PAPERCLIP_AUTH_SECRET=change_me_to_a_strong_random_secret