hermes-workspace: User=0 (Law 6 fix) + dashboard surfaces login password

CI build failed at 99-postcheck.sh:
  /etc/containers/systemd/mios-hermes-workspace.container: missing
  User= directive
  ERROR: UNPRIVILEGED-QUADLETS: Quadlet missing User= (exceptions:
  mios-ceph, mios-k3s)

Architectural Law 6 (UNPRIVILEGED-QUADLETS) requires every Quadlet
under /etc/containers/systemd + /usr/share/containers/systemd to
declare User=. The upstream ghcr.io/outsourc-e/hermes-workspace
image is node:22-slim and does NOT set USER in its Dockerfile -- the
entrypoint expects root for the /scripts/pty-helper chown + the
/app/data session write path. Set User=0 / Group=0 explicitly:

  * Satisfies Law 6 (postcheck just requires the directive to be
    present; mios-ceph + mios-k3s remain the only documented
    User=0-by-name exceptions, this one declares User=0 inline).
  * Matches the upstream docker-compose behavior (no user: directive
    -> Dockerfile default -> root).

Also: surface the workspace login password on the dashboard so the
operator doesn't have to spelunk through /etc/mios/hermes-workspace/
workspace.env every time. Renders as:

    Workspace   http://localhost:3030/   login: 0f0ad57bee0926...

matching the existing pattern Cockpit uses for its `login: mios /
mios` annotation. Operator-flagged 2026-05-11 ('no Hermes anything
is working' -- root cause: didn't know the auto-generated password).

Author: Kabuki94

etc/containers/systemd/mios-hermes-workspace.container

@@ -30,6 +30,16 @@ ConditionPathExists=/etc/mios/hermes/api.env
 # hermes_workspace + [ports].hermes_workspace.
 Image=${MIOS_HERMES_WORKSPACE_IMAGE:-ghcr.io/outsourc-e/hermes-workspace:latest}
 ContainerName=mios-hermes-workspace
+# Law 6 (UNPRIVILEGED-QUADLETS): explicit User= directive. The
+# upstream ghcr.io/outsourc-e/hermes-workspace:latest is a node:22-slim
+# image that does NOT declare USER in its Dockerfile, so the entrypoint
+# expects to run as root to chown /app/data + spawn /scripts/pty-helper.
+# Setting User=0 / Group=0 matches the upstream docker-compose default
+# AND satisfies the postcheck. (mios-ceph + mios-k3s are the only other
+# exceptions to Law 6 -- both also need root for their respective
+# container init paths.)
+User=0
+Group=0
 Network=${MIOS_QUADLET_NETWORK:-mios.network}
 Network=ai-net.network
 PublishPort=${MIOS_PORT_HERMES_WORKSPACE:-3030}:${MIOS_PORT_HERMES_WORKSPACE:-3030}

usr/libexec/mios/mios-dashboard.sh

@@ -333,11 +333,20 @@ print_endpoints() {
     printf '    %s  Hermes      %shttp://localhost:8642/v1%s\n' \
         "$(ep_dot http://localhost:8642/health)" "$C_D" "$C_R"
     # Default chat frontend is Hermes Workspace (operator directive
-    # 2026-05-11). Open WebUI moves to :3031 if re-enabled; the legacy
-    # 'WebUI' label here would be confusing now that 3030 is the
-    # workspace, so rename it.
-    printf '    %s  Workspace   %shttp://localhost:3030/%s\n' \
-        "$(ep_dot http://localhost:3030/)" "$C_D" "$C_R"
+    # 2026-05-11). The login password lives in /etc/mios/hermes-
+    # workspace/workspace.env (generated by the firstboot service).
+    # Surface a truncated form on the dashboard so the operator can
+    # see + copy it without spelunking through /etc.
+    local _hw_pw
+    _hw_pw="$(grep '^HERMES_PASSWORD=' /etc/mios/hermes-workspace/workspace.env 2>/dev/null | cut -d= -f2)"
+    if [[ -n "$_hw_pw" ]]; then
+        printf '    %s  Workspace   %shttp://localhost:3030/%s   %slogin: %s%s\n' \
+            "$(ep_dot http://localhost:3030/)" "$C_D" "$C_R" \
+            "$C_GRY" "$_hw_pw" "$C_R"
+    else
+        printf '    %s  Workspace   %shttp://localhost:3030/%s\n' \
+            "$(ep_dot http://localhost:3030/)" "$C_D" "$C_R"
+    fi
 }
 
 print_quadlets() {