feat: add Paperclip agent orchestrator to AI compose stack

Paperclip (ghcr.io/paperclipai/paperclip:v2026.517.0) is an open-source
agent management dashboard. Adds paperclip-db (PostgreSQL 17) and
paperclip services with Traefik reverse proxy on
paperclip.lazyworkhorse.net.

Requires .env: PAPERCLIP_DB_PASSWORD, PAPERCLIP_AUTH_SECRET.

ai/compose.yml

@@ -52,16 +52,8 @@ services:
       - ROCR_VISIBLE_DEVICES=0,1
       - HSA_ENABLE_SDMA=0
       - TZ=America/Montreal
-      # Hermes Workspace dashboard (port 9119) — enables multi-agent web UI
-      - HERMES_DASHBOARD=1
-      - HERMES_DASHBOARD_HOST=0.0.0.0
-      - HERMES_DASHBOARD_PORT=9119
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
-      # Syncthing-shared org files — read-only view of user's agenda
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
-      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -70,41 +62,6 @@ services:
       - "26"
     networks:
       - ai_backend
-    healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8642/health && curl -fsS http://localhost:9119/api/status || exit 1"]
-      interval: 15s
-      timeout: 5s
-      retries: 5
-      start_period: 60s
-
-  syncthing:
-    image: syncthing/syncthing:latest
-    container_name: syncthing
-    hostname: syncthing
-    restart: always
-    ports:
-      - "8384:8384"
-      - "22000:22000"
-      - "21027:21027/udp"
-    environment:
-      - TZ=America/Montreal
-    volumes:
-      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
-    networks:
-      - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-http.entrypoints=web"
-      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
-      - "traefik.http.routers.syncthing-https.tls=true"
-      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
-      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
 
   ollama:
     build:
@@ -139,45 +96,60 @@ services:
       - "303"
       - "26"
 
-  # ── Hermes Workspace ──────────────────────────────────────────
+  paperclip-db:
-  # Web UI for Hermes Agent — chat, memory, skills, terminal,
+    image: postgres:17-alpine
-  # multi-agent swarm orchestration. Connects to the existing
+    container_name: paperclip-db
-  # hermes gateway (port 8642) and dashboard (port 9119).
+    restart: always
-  hermes-workspace:
-    image: ghcr.io/outsourc-e/hermes-workspace:latest
-    container_name: hermes-workspace
-    restart: unless-stopped
-    depends_on:
-      hermes:
-        condition: service_healthy
     environment:
-      HERMES_API_URL: http://hermes:8642
+      POSTGRES_USER: paperclip
-      HERMES_DASHBOARD_URL: http://hermes:9119
+      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
-      HERMES_API_TOKEN: ${API_SERVER_KEY}
+      POSTGRES_DB: paperclip
-      HERMES_PASSWORD: ${HERMES_WORKSPACE_PASSWORD:?must be set}
+    healthcheck:
-      COOKIE_SECURE: "1"
+      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
     volumes:
-      # Share the same Hermes data — workspace reads config, sessions,
+      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
-      # skills, memory from the agent's persistent volume
-      - /mnt/HoardingCow_docker_data/Hermes/data:/home/workspace/.hermes
     networks:
       - ai_backend
+
+  paperclip:
+    image: ghcr.io/paperclipai/paperclip:v2026.517.0
+    container_name: paperclip
+    restart: always
+    ports:
+      - "127.0.0.1:3100:3100"
+    environment:
+      - HOST=0.0.0.0
+      - PORT=3100
+      - SERVE_UI=true
+      - DATABASE_URL=postgres://paperclip:${PAPERCLIP_DB_PASSWORD}@paperclip-db:5432/paperclip
+      - BETTER_AUTH_SECRET=${PAPERCLIP_AUTH_SECRET:?PAPERCLIP_AUTH_SECRET must be set}
+      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
+      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
+      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
+    depends_on:
+      paperclip-db:
+        condition: service_healthy
+    networks:
       - ai_net
+      - ai_backend
     labels:
       - "traefik.enable=true"
-      - "traefik.docker.network=ai_net"
 
-      - "traefik.http.routers.workspace-http.rule=Host(`workspace.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
-      - "traefik.http.routers.workspace-http.entrypoints=web"
+      - "traefik.http.routers.paperclip-http.entrypoints=web"
-      - "traefik.http.routers.workspace-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
 
-      - "traefik.http.routers.workspace-https.rule=Host(`workspace.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
-      - "traefik.http.routers.workspace-https.entrypoints=websecure"
+      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
-      - "traefik.http.routers.workspace-https.tls=true"
+      - "traefik.http.routers.paperclip-https.tls=true"
-      - "traefik.http.routers.workspace-https.tls.certresolver=njalla"
+      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
 
-      - "traefik.http.services.workspace.loadbalancer.server.port=3000"
+      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
-# ─────────────────────────────────────────────────────────────
 
 networks:
   ai_net: