fix(docker): accept PUID/PGID as aliases for HERMES_UID/HERMES_GID

[konsisumer]

What changed and why

NAS users on #15290 (UGreen UGOS Pro, plus Synology/unRAID reports) bind-mount /opt/data from a host directory owned by their own UID. They set PUID/PGID — the LinuxServer.io convention NAS ecosystems expect — but docker/entrypoint.sh only read HERMES_UID/HERMES_GID, so those vars were silently ignored. The gosu privilege drop then landed on the default hermes user (UID 10000), which cannot read a bind mount owned by the host user, producing the persistent [Errno 13] Permission denied: '/opt/data/config.yaml'.

The entrypoint now resolves HERMES_UID/HERMES_GID from PUID/PGID when unset, so passing PUID/PGID makes the runtime drop to the host UID that already owns the bind mount. HERMES_UID/HERMES_GID still take precedence when both are set, so existing deployments are unaffected.

Per the reporter's 2026-05-14 diagnostics: a Docker named volume works while a NAS bind mount does not, and PUID=1000/PGID=10 were confirmed ignored by the current :latest image — running the container as the host UID is the fix that lets bind mounts work without host-side chown loops. The troubleshooting docs in website/docs/user-guide/docker.md now document the alias and the NAS bind-mount pattern.

How to test

• pytest tests/tools/test_entrypoint_puid_pgid.py -q — new contract test covering PUID/PGID alias resolution and HERMES_UID/HERMES_GID precedence.
• Manual: docker run -e PUID=1000 -e PGID=10 -v /host/dir:/opt/data nousresearch/hermes-agent gateway run against a bind mount owned by host UID 1000 — the entrypoint logs Changing hermes UID to 1000 and the runtime can read/write config.yaml without a host-side chown.

What platforms tested on

• macOS (Darwin 24.6.0): pytest tests/tools/test_entrypoint_puid_pgid.py (4 passed) plus the existing tests/tools/test_docker* and test_dockerfile_* suites (30 passed); bash -n docker/entrypoint.sh clean.
• The entrypoint change is shell-only and platform-agnostic; the target deployment is the Debian-based container image reported by NAS users (UGOS Pro / Btrfs bind mounts).

Addressing maintainer feedback

@alt-glitch flagged this as related to #13731 (CLOSED — duplicate of #15832) with the workaround --user 0:0. #13731 was fixed by commit 14c9f7272, which removed USER hermes from the Dockerfile so the entrypoint runs as root. The reporter's diagnostics confirm they are on a post-fix :latest image, and that --user 0:0 does not resolve their case: the entrypoint correctly detects container-root and drops to UID 10000 by design, which still mismatches the host-owned bind mount. The PUID/PGID alias addresses the remaining gap — it lets NAS users target the host UID directly instead of relying on a chown of a bind mount the host filesystem may reject.

Fixes #15290

[benbarclay]

Thanks @konsisumer! Your fix shipped as 48083211ef606f3305c09df576514ac99bc7f594 via salvage PR #34401. Your branch targeted docker/entrypoint.sh, which is now a deprecation shim under s6-overlay (the May 2026 rework moved all bootstrap to docker/stage2-hook.sh, installed as /etc/cont-init.d/01-hermes-setup), so I reconstructed the same two-line alias resolution at the equivalent spot in stage2-hook.sh and credited you via Co-authored-by: on the merge commit. Tests were retargeted at the new file location and the NAS bind-mount docs example landed verbatim. Appreciate the clean LinuxServer.io-convention writeup — the NAS use case made it straightforward to slot the salvage in.