docs: deep quality pass — expand 10 thin pages, fix specific issues (#4134)

Developer guide stubs expanded to full documentation:
- trajectory-format.md: 56→233 lines (JSONL format, ShareGPT example,
  normalization rules, reasoning markup, replay code)
- session-storage.md: 66→388 lines (SQLite schema, migration table,
  FTS5 search syntax, lineage queries, Python API examples)
- context-compression-and-caching.md: 72→321 lines (dual compression
  system, config defaults, 4-phase algorithm, before/after example,
  prompt caching mechanics, cache-aware patterns)
- tools-runtime.md: 65→246 lines (registry API, dispatch flow,
  availability checking, error wrapping, approval flow)
- prompt-assembly.md: 89→246 lines (concrete assembled prompt example,
  SOUL.md injection, context file discovery table)

User-facing pages expanded:
- docker.md: 62→224 lines (volumes, env forwarding, docker-compose,
  resource limits, troubleshooting)
- updating.md: 79→167 lines (update behavior, version checking,
  rollback instructions, Nix users)
- skins.md: 80→206 lines (all color/spinner/branding keys, built-in
  skin descriptions, full custom skin YAML template)

Hub pages improved:
- integrations/index.md: 25→82 lines (web search backends table,
  TTS/browser providers, quick config example)
- features/overview.md: added Integrations section with 6 missing links

Specific fixes:
- configuration.md: removed duplicate Gateway Streaming section
- mcp.md: removed internal "PR work" language
- plugins.md: added inline minimal plugin example (self-contained)

13 files changed, ~1700 lines added. Docusaurus build verified clean.

website/docs/user-guide/docker.md

@@ -1,10 +1,17 @@
+---
+sidebar_position: 7
+title: "Docker"
+description: "Running Hermes Agent in Docker and using Docker as a terminal backend"
+---
+
 # Hermes Agent — Docker
 
-Want to run Hermes Agent, but without installing packages on your host? This'll sort you out.
+There are two distinct ways Docker intersects with Hermes Agent:
 
-This will let you run the agent in a container, with the most relevant modes outlined below.
+1. **Running Hermes IN Docker** — the agent itself runs inside a container (this page's primary focus)
+2. **Docker as a terminal backend** — the agent runs on your host but executes commands inside a Docker sandbox (see [Configuration → terminal.backend](./configuration.md))
 
-The container stores all user data (config, API keys, sessions, skills, memories) in a single directory mounted from the host at `/opt/data`. The image itself is stateless and can be upgraded by pulling a new version without losing any configuration.
+This page covers option 1. The container stores all user data (config, API keys, sessions, skills, memories) in a single directory mounted from the host at `/opt/data`. The image itself is stateless and can be upgraded by pulling a new version without losing any configuration.
 
 ## Quick start
 
@@ -41,6 +48,110 @@ docker run -it --rm \
   nousresearch/hermes-agent
 ```
 
+## Persistent volumes
+
+The `/opt/data` volume is the single source of truth for all Hermes state. It maps to your host's `~/.hermes/` directory and contains:
+
+| Path | Contents |
+|------|----------|
+| `.env` | API keys and secrets |
+| `config.yaml` | All Hermes configuration |
+| `SOUL.md` | Agent personality/identity |
+| `sessions/` | Conversation history |
+| `memories/` | Persistent memory store |
+| `skills/` | Installed skills |
+| `cron/` | Scheduled job definitions |
+| `hooks/` | Event hooks |
+| `logs/` | Runtime logs |
+| `skins/` | Custom CLI skins |
+
+:::warning
+Never run two Hermes containers against the same data directory simultaneously — session files and memory stores are not designed for concurrent access.
+:::
+
+## Environment variable forwarding
+
+API keys are read from `/opt/data/.env` inside the container. You can also pass environment variables directly:
+
+```sh
+docker run -it --rm \
+  -v ~/.hermes:/opt/data \
+  -e ANTHROPIC_API_KEY="sk-ant-..." \
+  -e OPENAI_API_KEY="sk-..." \
+  nousresearch/hermes-agent
+```
+
+Direct `-e` flags override values from `.env`. This is useful for CI/CD or secrets-manager integrations where you don't want keys on disk.
+
+## Docker Compose example
+
+For persistent gateway deployment, a `docker-compose.yaml` is convenient:
+
+```yaml
+version: "3.8"
+services:
+  hermes:
+    image: nousresearch/hermes-agent:latest
+    container_name: hermes
+    restart: unless-stopped
+    command: gateway run
+    volumes:
+      - ~/.hermes:/opt/data
+    # Uncomment to forward specific env vars instead of using .env file:
+    # environment:
+    #   - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
+    #   - OPENAI_API_KEY=${OPENAI_API_KEY}
+    #   - TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN}
+    deploy:
+      resources:
+        limits:
+          memory: 4G
+          cpus: "2.0"
+```
+
+Start with `docker compose up -d` and view logs with `docker compose logs -f hermes`.
+
+## Resource limits
+
+The Hermes container needs moderate resources. Recommended minimums:
+
+| Resource | Minimum | Recommended |
+|----------|---------|-------------|
+| Memory | 1 GB | 2–4 GB |
+| CPU | 1 core | 2 cores |
+| Disk (data volume) | 500 MB | 2+ GB (grows with sessions/skills) |
+
+Browser automation (Playwright/Chromium) is the most memory-hungry feature. If you don't need browser tools, 1 GB is sufficient. With browser tools active, allocate at least 2 GB.
+
+Set limits in Docker:
+
+```sh
+docker run -d \
+  --name hermes \
+  --restart unless-stopped \
+  --memory=4g --cpus=2 \
+  -v ~/.hermes:/opt/data \
+  nousresearch/hermes-agent gateway run
+```
+
+## What the Dockerfile does
+
+The official image is based on `debian:13.4` and includes:
+
+- Python 3 with all Hermes dependencies (`pip install -e ".[all]"`)
+- Node.js + npm (for browser automation and WhatsApp bridge)
+- Playwright with Chromium (`npx playwright install --with-deps chromium`)
+- ripgrep and ffmpeg as system utilities
+- The WhatsApp bridge (`scripts/whatsapp-bridge/`)
+
+The entrypoint script (`docker/entrypoint.sh`) bootstraps the data volume on first run:
+- Creates the directory structure (`sessions/`, `memories/`, `skills/`, etc.)
+- Copies `.env.example` → `.env` if no `.env` exists
+- Copies default `config.yaml` if missing
+- Copies default `SOUL.md` if missing
+- Syncs bundled skills using a manifest-based approach (preserves user edits)
+- Then runs `hermes` with whatever arguments you pass
+
 ## Upgrading
 
 Pull the latest image and recreate the container. Your data directory is untouched.
@@ -52,7 +163,14 @@ docker run -d \
   --name hermes \
   --restart unless-stopped \
   -v ~/.hermes:/opt/data \
-  nousresearch/hermes-agent
+  nousresearch/hermes-agent gateway run
+```
+
+Or with Docker Compose:
+
+```sh
+docker compose pull
+docker compose up -d
 ```
 
 ## Skills and credential files
@@ -60,3 +178,47 @@ docker run -d \
 When using Docker as the execution environment (not the methods above, but when the agent runs commands inside a Docker sandbox), Hermes automatically bind-mounts the skills directory (`~/.hermes/skills/`) and any credential files declared by skills into the container as read-only volumes. This means skill scripts, templates, and references are available inside the sandbox without manual configuration.
 
 The same syncing happens for SSH and Modal backends — skills and credential files are uploaded via rsync or the Modal mount API before each command.
+
+## Troubleshooting
+
+### Container exits immediately
+
+Check logs: `docker logs hermes`. Common causes:
+- Missing or invalid `.env` file — run interactively first to complete setup
+- Port conflicts if running with exposed ports
+
+### "Permission denied" errors
+
+The container runs as root by default. If your host `~/.hermes/` was created by a non-root user, permissions should work. If you get errors, ensure the data directory is writable:
+
+```sh
+chmod -R 755 ~/.hermes
+```
+
+### Browser tools not working
+
+Playwright needs shared memory. Add `--shm-size=1g` to your Docker run command:
+
+```sh
+docker run -d \
+  --name hermes \
+  --shm-size=1g \
+  -v ~/.hermes:/opt/data \
+  nousresearch/hermes-agent gateway run
+```
+
+### Gateway not reconnecting after network issues
+
+The `--restart unless-stopped` flag handles most transient failures. If the gateway is stuck, restart the container:
+
+```sh
+docker restart hermes
+```
+
+### Checking container health
+
+```sh
+docker logs --tail 50 hermes          # Recent logs
+docker exec hermes hermes version     # Verify version
+docker stats hermes                    # Resource usage
+```