feat: add Hermes Workspace alongside existing Hermes Agent

- Add HERMES_DASHBOARD=1 env vars to existing hermes service
  (enables multi-agent dashboard API on port 9119)
- Add healthcheck to hermes service (required for workspace dep)
- Add hermes-workspace service (ghcr.io/outsourc-e/hermes-workspace:latest)
  - Connects to existing gateway at hermes:8642 and dashboard at hermes:9119
  - Shares Hermes data volume for config/sessions/skills/memory
  - Exposed via Traefik at workspace.lazyworkhorse.net (port 3000)
  - Requires HERMES_WORKSPACE_PASSWORD in .env (agenix)
- Networks: ai_backend + ai_net (for Traefik)

ai/compose.yml

@@ -32,7 +32,7 @@ services:
         - default
     container_name: hermes
     entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && /opt/hermes/.venv/bin/uv pip install openai mautrix[encryption] --system -q && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
       "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
@@ -44,7 +44,7 @@ services:
       - API_SERVER_HOST=0.0.0.0
       - API_SERVER_KEY=hermes_local_key
       - GATEWAY_ALLOW_ALL_USERS=true
-      - OPENROUTER_API_KEY=${OPEN...KEY}
+      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
       # ROCm for GPU-accelerated faster-whisper STT
       - HSA_OVERRIDE_GFX_VERSION=9.0.6
       - HCC_AMDGPU_TARGET=gfx906
@@ -52,14 +52,16 @@ services:
       - ROCR_VISIBLE_DEVICES=0,1
       - HSA_ENABLE_SDMA=0
       - TZ=America/Montreal
+      # Hermes Workspace dashboard (port 9119) — enables multi-agent web UI
+      - HERMES_DASHBOARD=1
+      - HERMES_DASHBOARD_HOST=0.0.0.0
+      - HERMES_DASHBOARD_PORT=9119
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
       # Syncthing-shared org files — read-only view of user's agenda
       - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
       # Syncthing-shared inbox — write tasks here, they sync to user's laptop
       - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
-      # Persistent venv — Matrix bridge and other pip deps survive container rebuilds
-      - /mnt/HoardingCow_docker_data/Hermes/venv:/opt/hermes/.venv
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -68,6 +70,12 @@ services:
       - "26"
     networks:
       - ai_backend
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fsS http://localhost:8642/health && curl -fsS http://localhost:9119/api/status || exit 1"]
+      interval: 15s
+      timeout: 5s
+      retries: 5
+      start_period: 60s
 
   syncthing:
     image: syncthing/syncthing:latest
@@ -131,61 +139,45 @@ services:
       - "303"
       - "26"
 
-  paperclip-db:
+  # ── Hermes Workspace ──────────────────────────────────────────
-    image: postgres:17-alpine
+  # Web UI for Hermes Agent — chat, memory, skills, terminal,
-    container_name: paperclip-db
+  # multi-agent swarm orchestration. Connects to the existing
-    restart: always
+  # hermes gateway (port 8642) and dashboard (port 9119).
-    environment:
+  hermes-workspace:
-      POSTGRES_USER: paperclip
+    image: ghcr.io/outsourc-e/hermes-workspace:latest
-      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
+    container_name: hermes-workspace
-      POSTGRES_DB: paperclip
+    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
-      interval: 5s
-      timeout: 5s
-      retries: 10
-    volumes:
-      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
-    networks:
-      - ai_backend
-
-  paperclip:
-    image: ghcr.io/paperclipai/paperclip:v2026.517.0
-    container_name: paperclip
-    restart: always
-    ports:
-      - "127.0.0.1:3100:3100"
-    environment:
-      - HOST=0.0.0.0
-      - PORT=3100
-      - SERVE_UI=true
-      - DATABASE_URL=postgres://paperclip:***@paperclip-db:5432/paperclip
-      - BETTER_AUTH_SECRET=${PAPE...CRET must be set}
-      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
-      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
-      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
-    volumes:
-      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
     depends_on:
-      paperclip-db:
+      hermes:
         condition: service_healthy
+    environment:
+      HERMES_API_URL: http://hermes:8642
+      HERMES_DASHBOARD_URL: http://hermes:9119
+      HERMES_API_TOKEN: ${API_SERVER_KEY}
+      HERMES_PASSWORD: ${HERMES_WORKSPACE_PASSWORD:?must be set}
+      COOKIE_SECURE: "1"
+    volumes:
+      # Share the same Hermes data — workspace reads config, sessions,
+      # skills, memory from the agent's persistent volume
+      - /mnt/HoardingCow_docker_data/Hermes/data:/home/workspace/.hermes
     networks:
-      - ai_net
       - ai_backend
+      - ai_net
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=ai_net"
 
-      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.workspace-http.rule=Host(`workspace.lazyworkhorse.net`)"
-      - "traefik.http.routers.paperclip-http.entrypoints=web"
+      - "traefik.http.routers.workspace-http.entrypoints=web"
-      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.workspace-http.middlewares=redirect-to-https"
 
-      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.workspace-https.rule=Host(`workspace.lazyworkhorse.net`)"
-      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
+      - "traefik.http.routers.workspace-https.entrypoints=websecure"
-      - "traefik.http.routers.paperclip-https.tls=true"
+      - "traefik.http.routers.workspace-https.tls=true"
-      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
+      - "traefik.http.routers.workspace-https.tls.certresolver=njalla"
 
-      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
+      - "traefik.http.services.workspace.loadbalancer.server.port=3000"
+# ─────────────────────────────────────────────────────────────
 
 networks:
   ai_net:
@@ -338,8 +330,8 @@ networks:
   #     - /home/gortium/infra:/data/workspace/infra
   #   environment:
   #     - TZ=America/Toronto
-  #     - OPENCLAW_GATEWAY_TOKEN=${OPEN...KEN}
+  #     - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
-  #     - OPENROUTER_API_KEY=${OPEN...KEY}
+  #     - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
   #     # Point to the sidecar browser
   #     - BROWSER_CDP_URL=http://openclaw-browser:9222
   #     - BROWSER_EVALUATE_ENABLED=true
@@ -384,7 +376,7 @@ networks:
   #     - PGID=1000
   #     - PUBLIC_KEY_FILE=/config/ssh/authorized_keys
   #     - SUDO_ACCESS=false
-  #     - PASSWORD_ACCESS=***
+  #     - PASSWORD_ACCESS=false
   #   volumes:
   #     - /mnt/HoardingCow_docker_data/openclaw/ssh-config:/config
   #     - /home/gortium/infra:/data/workspace/infra:ro

backup/compose.yml

@@ -96,5 +96,5 @@ services:
 
 networks:
   backup_net:
-    driver: bridge
+    external: true
     name: backup_net

network/compose.yml

@@ -82,37 +82,37 @@ networks:
     driver: bridge
     name: traefik_backend
   ai_net:
-    driver: bridge
+    external: true
     name: ai_net
   auth_net:
-    driver: bridge
+    external: true
     name: auth_net
   backup_net:
-    driver: bridge
+    external: true
     name: backup_net
   cloud_net:
-    driver: bridge
+    external: true
     name: cloud_net
   coms_net:
-    driver: bridge
+    external: true
     name: coms_net
   finance_net:
-    driver: bridge
+    external: true
     name: finance_net
   home_auto_net:
-    driver: bridge
+    external: true
     name: home_auto_net
   homepage_net:
-    driver: bridge
+    external: true
     name: homepage_net
   passman_net:
-    driver: bridge
+    external: true
     name: passman_net
   tak_net:
-    driver: bridge
+    external: true
     name: tak_net
   vc_net:
-    driver: bridge
+    external: true
     name: vc_net
 
   # duckdns: