hermes: two-stage build, make /opt/hermes writable by uid 10000

Upstream ships /opt/hermes (app + .venv + scripts) read-only root, which
blocks the agent self-modifying and the gateway auto-installing the
WhatsApp bridge's node_modules in place. Add a derived Containerfile layer
(FROM the upstream build) that chowns/chmods /opt/hermes writable by the
runtime hermes user. Done in the image, not a volume: a volume over
/opt/hermes copies-up once then freezes the app, silently defeating
AutoUpdate=registry. Persistence stays on the /opt/data volume.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011D3YeWKpjg5bT488fVanCH

images/hermes/build.sh

@@ -17,11 +17,18 @@ fi
 [ -n "${HERMES_REF}" ] || { echo "could not resolve an upstream hermes ref"; exit 1; }
 VERSION="${HERMES_REF#v}"
 
-echo "building ${IMAGE_NAME}:${VERSION} from NousResearch/hermes-agent#${HERMES_REF}"
-podman build --pull=newer \
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+BASE="localhost/hermes-upstream:${VERSION}"
+
+echo "[1/2] building upstream ${BASE} from NousResearch/hermes-agent#${HERMES_REF}"
+podman build --pull=newer -t "${BASE}" \
+  "https://github.com/NousResearch/hermes-agent.git#${HERMES_REF}"
+
+echo "[2/2] building derived (writable /opt/hermes) -> ${IMAGE_NAME}:${VERSION}"
+podman build --build-arg BASE="${BASE}" \
   -t "${IMAGE_NAME}:${VERSION}" \
   -t "${IMAGE_NAME}:latest" \
-  "https://github.com/NousResearch/hermes-agent.git#${HERMES_REF}"
+  "${SCRIPT_DIR}"
 
 echo "built ${IMAGE_NAME}:${VERSION} and :latest"
 echo "push with: podman push ${IMAGE_NAME}:${VERSION} && podman push ${IMAGE_NAME}:latest"