feat: containerize agent fleet for sovereign reproducibility

docker/agent.Dockerfile

@@ -0,0 +1,31 @@
+# --- Build Stage ---
+FROM python:3.11-slim AS builder
+
+# Install build essentials and uv
+RUN apt-get update && apt-get install -y --no-install-recommends     curl git build-essential cmake ca-certificates &&     curl -LsSf https://astral.sh/uv/install.sh | sh &&     rm -rf /var/lib/apt/lists/*
+
+ENV PATH="/root/.local/bin:${PATH}"
+
+WORKDIR /app
+# Copy only dependency files first for caching
+COPY pyproject.toml uv.lock* ./
+RUN uv sync --frozen --no-install-project --no-dev
+
+# --- Final Stage ---
+FROM python:3.11-slim
+
+# Install runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends     curl git socat ripgrep ffmpeg ca-certificates &&     rm -rf /var/lib/apt/lists/*
+
+# Copy the virtual environment from builder
+COPY --from=builder /app/.venv /app/.venv
+ENV PATH="/app/.venv/bin:${PATH}"
+
+WORKDIR /app
+COPY . .
+
+# Expose the gateway port (default)
+EXPOSE 8643
+
+# Run the gateway
+ENTRYPOINT ["hermes", "gateway"]