diff --git a/ai/compose.yml b/ai/compose.yml
old mode 100644
new mode 100755
index 1db7831..22c72c1
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -32,7 +32,7 @@ services:
 - default
 container_name: hermes
 entrypoint: ["/bin/bash", "-c",
- "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+ "bash /opt/data/hermes-tools/install.sh && /opt/hermes/.venv/bin/uv pip install openai mautrix[encryption] --system -q && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
 "hermes-entrypoint"]
 restart: always
 # Gateway run enables the internal API server on port 8642
@@ -44,7 +44,7 @@ services:
 - API_SERVER_HOST=0.0.0.0
 - API_SERVER_KEY=hermes_local_key
 - GATEWAY_ALLOW_ALL_USERS=true
- - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+ - OPENROUTER_API_KEY=${OPEN...KEY}
 # ROCm for GPU-accelerated faster-whisper STT
 - HSA_OVERRIDE_GFX_VERSION=9.0.6
 - HCC_AMDGPU_TARGET=gfx906
@@ -58,6 +58,8 @@ services:
 - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
 # Syncthing-shared inbox — write tasks here, they sync to user's laptop
 - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
+ # Persistent venv — Matrix bridge and other pip deps survive container rebuilds
+ - /mnt/HoardingCow_docker_data/Hermes/venv:/opt/hermes/.venv
 devices:
 - /dev/kfd:/dev/kfd
 - /dev/dri:/dev/dri
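Review bot: The added `uv pip install openai mautrix[encryption] --system -q` in the `hermes` entrypoint fetches unpinned packages from the index on every container start, so the code that runs can change without any change to this repository; because it is chained with `&&`, a failed download also keeps the real entrypoint from running while `restart: always` keeps retrying. Install these at image build time with exact versions instead, e.g. `uv pip install --no-cache-dir 'openai==<PINNED_VERSION>' 'mautrix[encryption]==<PINNED_VERSION>'` in the Dockerfile's existing venv step; the same applies to `httpx`, which the Dockerfile hunk at `@@ -50,7 +52,7 @@` adds without a version. `--system` also appears to target the system interpreter rather than `/opt/hermes/.venv`, which does not match the "Persistent venv" comment added in the volumes hunk, so it is worth confirming which environment the Matrix bridge actually imports from. The mode change to 100755 on a compose file looks unintended.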
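Review bot: `OPENROUTER_API_KEY=${OPEN...KEY}` is not a usable Compose interpolation, since `OPEN...KEY` is not a variable name; if this text is what was committed (rather than an artefact of a secret-masking tool applied to the diff), the key will not reach the container. The same masking pattern shows in the `paperclip` block (`DATABASE_URL=postgres://paperclip:***@paperclip-db:5432/paperclip`, `BETTER_AUTH_SECRET=${PAPE...CRET must be set}`) and in the commented-out lines at `@@ -280,8 +338,8 @@` and `@@ -326,7 +384,7 @@`, where `PASSWORD_ACCESS=false` became `PASSWORD_ACCESS=***`. Restore the original reference, `- OPENROUTER_API_KEY=${OPENROUTER_API_KEY}`, have the database URL take its password from `${PAPERCLIP_DB_PASSWORD}` as the `paperclip-db` service does, and check the working tree for other values rewritten the same way before merging.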
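Review bot: Bind-mounting `/mnt/HoardingCow_docker_data/Hermes/venv` over `/opt/hermes/.venv` hides the virtualenv the image builds, so packages the Dockerfile installs there (Piper TTS, and `httpx` in this same commit) are only present if the host directory was seeded from the image, and later image rebuilds will not update them. It also turns the interpreter and every installed package into host-writable state that outlives the image: whatever can write to that path changes the code `hermes` runs on its next start, and patched dependencies shipped in a new image never take effect. If the aim is only to keep the Matrix bridge dependencies, bake them into the image; if the mount stays, extend the comment with something like `# NOTE: shadows the image venv; re-seed after every image rebuild` and restrict write access to the host directory. The `volumes:` list itself starts outside this hunk.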
@@ -129,6 +131,62 @@ services: - "303" - "26" + paperclip-db: + image: postgres:17-alpine + container_name: paperclip-db + restart: always + environment: + POSTGRES_USER: paperclip + POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set} + POSTGRES_DB: paperclip + healthcheck: + test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"] + interval: 5s + timeout: 5s + retries: 10 + volumes: + - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data + networks: + - ai_backend + + paperclip: + image: ghcr.io/paperclipai/paperclip:v2026.517.0 + container_name: paperclip + restart: always + ports: + - "127.0.0.1:3100:3100" + environment: + - HOST=0.0.0.0 + - PORT=3100 + - SERVE_UI=true + - DATABASE_URL=postgres://paperclip:***@paperclip-db:5432/paperclip + - BETTER_AUTH_SECRET=${PAPE...CRET must be set} + - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net + - PAPERCLIP_DEPLOYMENT_MODE=authenticated + - PAPERCLIP_DEPLOYMENT_EXPOSURE=private + volumes: + - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip + depends_on: + paperclip-db: + condition: service_healthy + networks: + - ai_net + - ai_backend + labels: + - "traefik.enable=true" + - "traefik.docker.network=ai_net" + + - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)" + - "traefik.http.routers.paperclip-http.entrypoints=web" + - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https" + + - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)" + - "traefik.http.routers.paperclip-https.entrypoints=websecure" + - "traefik.http.routers.paperclip-https.tls=true" + - "traefik.http.routers.paperclip-https.tls.certresolver=njalla" + + - "traefik.http.services.paperclip.loadbalancer.server.port=3100" + networks: ai_net: external: true 
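Review bot: The `paperclip-https` router is declared with no `middlewares` label although the service is configured with `PAPERCLIP_DEPLOYMENT_EXPOSURE=private`; if the `websecure` entrypoint is reachable from outside the local network, the application's own login is the only control in front of the UI. If it is meant to stay internal, attach an access-restricting middleware, e.g. `- "traefik.http.routers.paperclip-https.middlewares=<ALLOWLIST_MIDDLEWARE_NAME>"`, where the placeholder stands for a middleware already defined in this Traefik setup. The `127.0.0.1:3100:3100` publish additionally lets any local process reach the app without passing through Traefik, so drop it if nothing depends on it. Both images are referenced by tag only; pinning `postgres:17-alpine` and the `paperclip` image by digest would make redeploys reproducible.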
@@ -280,8 +338,8 @@ networks: # - /home/gortium/infra:/data/workspace/infra # environment: # - TZ=America/Toronto - # - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN} - # - OPENROUTER_API_KEY=${OPENROUTER_API_KEY} + # - OPENCLAW_GATEWAY_TOKEN=${OPEN...KEN} + # - OPENROUTER_API_KEY=${OPEN...KEY} # # Point to the sidecar browser # - BROWSER_CDP_URL=http://openclaw-browser:9222 # - BROWSER_EVALUATE_ENABLED=true @@ -326,7 +384,7 @@ networks: # - PGID=1000 # - PUBLIC_KEY_FILE=/config/ssh/authorized_keys # - SUDO_ACCESS=false - # - PASSWORD_ACCESS=false + # - PASSWORD_ACCESS=*** # volumes: # - /mnt/HoardingCow_docker_data/openclaw/ssh-config:/config # - /home/gortium/infra:/data/workspace/infra:ro diff --git a/ai/hermes/Dockerfile b/ai/hermes/Dockerfile index a6edcfc..269bcda 100644 --- a/ai/hermes/Dockerfile +++ b/ai/hermes/Dockerfile @@ -9,6 +9,8 @@ # ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ---------- FROM nousresearch/hermes-agent:latest +WORKDIR /opt/hermes + # ---------- Overlay our forked source ---------- # Uses SSH agent forwarding from the build host (no key baked into image). # --exclude node_modules/.venv keeps the base image's pre-built layers intact. @@ -50,7 +52,7 @@ COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/ # ---------- Piper TTS ---------- RUN . /opt/hermes/.venv/bin/activate && \ - uv pip install --no-cache-dir piper-tts sounddevice numpy && \ + uv pip install --no-cache-dir piper-tts sounddevice numpy httpx && \ mkdir -p /opt/hermes/.venv/share/piper/voices RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'