docs(README): refresh — landing-page icon + 8 runtimes + Canvas v4 + Memory v2 + SaaS surface

The README was lagging current main:
- Top icon was a PNG; switch to the canonical landing-page SVG (matches moleculesai.app + favicon).
- Runtime list was 6 (LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, OpenClaw); main actually ships 8 (add Hermes 4 + Gemini CLI). The "Runtime Compatibility, Compared" table now lists all 8.
- Canvas section: add the v4 warm-paper theme system (light/dark/follow-system, terminal/code surfaces stay dark unconditionally).
- Platform section: name the typed-discriminated-union A2A response path (RFC #2967).
- Runtime section: add Memory v2 (pgvector semantic recall), thin AMI mention.
- New SaaS section under "What Ships In `main`" — multi-tenant on EC2 + Neon + Cloudflare Tunnels, KMS, WorkOS, Stripe, tenant_resources audit + 30-min reconciler. Points users at molecule-controlplane.
- Architecture diagram: provisioner is "Docker (local) / EC2 + SSM (prod)" — Fly is decommissioned. Add SaaS control plane block.
- Deploy buttons + quick-start: Molecule-AI/molecule-monorepo URLs replaced with molecule-core (the repo was renamed).
- "Current Scope" footer: 6 → 8 adapters; mention Canvas v4, Memory v2, RFC #2967, and cross-link molecule-controlplane.

Adds two SVGs to docs/assets/branding/: molecule-icon.svg (rounded square, prefers-color-scheme aware) and molecule-logo.svg (bare lines, transparent).

README.md

@@ -1,7 +1,7 @@
 <div align="center">
 
 <p>
-  <img src="./docs/assets/branding/molecule-icon.png" alt="Molecule AI Icon Logo" width="160" />
+  <img src="./docs/assets/branding/molecule-icon.svg" alt="Molecule AI" width="160" />
 </p>
 
 <p>
@@ -39,8 +39,8 @@
   <a href="./docs/agent-runtime/workspace-runtime.md"><strong>Workspace Runtime</strong></a>
 </p>
 
-[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/new/template?template=https://github.com/Molecule-AI/molecule-monorepo)
-[![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/Molecule-AI/molecule-monorepo)
+[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/new/template?template=https://github.com/Molecule-AI/molecule-core)
+[![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/Molecule-AI/molecule-core)
 
 </div>
 
@@ -53,8 +53,8 @@ Molecule AI is the most powerful way to govern an AI agent organization in produ
 It combines the parts that are usually scattered across demos, internal glue code, and framework-specific tooling into one product:
 
 - one org-native control plane for teams, roles, hierarchy, and lifecycle
-- one runtime layer that lets LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, and OpenClaw run side by side
-- one memory model that keeps recall, sharing, and skill evolution aligned with organizational boundaries
+- one runtime layer that lets **eight** agent runtimes — LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, **Hermes**, **Gemini CLI**, and OpenClaw — run side by side behind one workspace contract
+- one memory model that keeps recall, sharing, and skill evolution aligned with organizational boundaries (Memory v2 backed by pgvector for semantic recall)
 - one operational surface for observing, pausing, restarting, inspecting, and improving live workspaces
 
 Most teams can build a workflow, a strong single agent, a coding agent, or a custom multi-agent graph.
@@ -75,7 +75,7 @@ You do not wire collaboration paths by hand. Hierarchy defines the default commu
 
 ### 3. Runtime choice stops being a dead-end decision
 
-LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, and OpenClaw can all plug into the same workspace abstraction. Teams can standardize governance without forcing every group onto one runtime.
+LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, Hermes, Gemini CLI, and OpenClaw can all plug into the same workspace abstraction. Teams can standardize governance without forcing every group onto one runtime.
 
 ### 4. Memory is treated like infrastructure
 
@@ -117,6 +117,8 @@ Molecule AI is not trying to replace the frameworks below. It is the system that
 | **Claude Code** | Shipping on `main` | Real coding workflows, CLI-native continuity | Secure workspace abstraction, A2A delegation, org boundaries, shared control plane |
 | **CrewAI** | Shipping on `main` | Role-based crews | Persistent workspace identity, policy consistency, shared canvas and registry |
 | **AutoGen** | Shipping on `main` | Assistant/tool orchestration | Standardized deployment, hierarchy-aware collaboration, shared ops plane |
+| **Hermes 4** | Shipping on `main` | Hybrid reasoning, native tools, json_schema (NousResearch/hermes-agent) | Option B upstream hook, A2A bridge to OpenAI-compat API, multi-provider provider derivation |
+| **Gemini CLI** | Shipping on `main` | Google Gemini CLI continuity | Workspace lifecycle, A2A, hierarchy-aware collaboration, shared ops plane |
 | **OpenClaw** | Shipping on `main` | CLI-native runtime with its own session model | Workspace lifecycle, templates, activity logs, topology-aware collaboration |
 | **NemoClaw** | WIP on `feat/nemoclaw-t4-docker` | NVIDIA-oriented runtime path | Planned to join the same abstraction once merged; not yet part of `main` |
 
@@ -182,9 +184,10 @@ The result is not just “an agent that learns.” It is **an organization that
 
 ## What Ships In `main`
 
-### Canvas
+### Canvas (v4)
 
 - Next.js 15 + React Flow + Zustand
+- **warm-paper theme system** — light / dark / follow-system, SSR cookie + nonce'd boot script + ThemeProvider; terminal + code surfaces stay dark unconditionally
 - drag-to-nest team building
 - empty-state deployment + onboarding wizard
 - template palette
@@ -193,8 +196,9 @@ The result is not just “an agent that learns.” It is **an organization that
 
 ### Platform
 
-- Go/Gin control plane
-- workspace CRUD and provisioning
+- Go 1.25 / Gin control plane (80+ HTTP endpoints + Gorilla WebSocket fanout)
+- workspace CRUD and provisioning (pluggable Provisioner — Docker locally, EC2 + SSM in production)
+- **A2A response path is a typed discriminated union (RFC #2967)** — frozen dataclasses + total parser; 100% unit + adversarial fuzz coverage
 - registry and heartbeats
 - browser-safe A2A proxy
 - team expansion/collapse
@@ -204,10 +208,10 @@ The result is not just “an agent that learns.” It is **an organization that
 
 ### Runtime
 
-- unified `workspace/` image
-- adapter-driven execution
+- unified `workspace/` image; thin AMI in production (us-east-2)
+- adapter-driven execution across **8 runtimes** (Claude Code, Hermes, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw)
 - Agent Card registration
-- awareness-backed memory integration
+- awareness-backed memory integration; **Memory v2 backed by pgvector** for semantic recall
 - plugin-mounted shared rules/skills
 - hot-reloadable local skills
 - coordinator-only delegation path
@@ -221,6 +225,13 @@ The result is not just “an agent that learns.” It is **an organization that
 - runtime tiers
 - direct workspace inspection through terminal and files
 
+### SaaS (via [`molecule-controlplane`](https://github.com/Molecule-AI/molecule-controlplane))
+
+- multi-tenant on AWS EC2 + Neon (per-tenant Postgres branch) + Cloudflare Tunnels (per-tenant, no public ports)
+- WorkOS AuthKit + Stripe Checkout + Customer Portal
+- AWS KMS envelope encryption (DB / Redis connection strings); AWS Secrets Manager for tenant bootstrap
+- `tenant_resources` audit table + 30-min boot-event-aware reconciler — every CF / AWS lifecycle event recorded, claim vs live state diffed
+
 ## Built For Teams That Need More Than A Demo
 
 Molecule AI is especially strong when you need to run:
@@ -233,24 +244,30 @@ Molecule AI is especially strong when you need to run:
 ## Architecture
 
 ```text
-Canvas (Next.js :3000)  <--HTTP / WS-->  Platform (Go :8080)  <---> Postgres + Redis
-         |                                          |
-         |                                          +--> Docker provisioner / bundles / templates / secrets
+Canvas (Next.js 15, warm-paper :3000)  <--HTTP / WS-->  Platform (Go 1.25 :8080)  <---> Postgres + Redis
+         |                                                           |
+         |                                                           +--> Provisioner: Docker (local) / EC2 + SSM (prod)
+         |                                                           +--> bundles · templates · secrets · KMS
          |
-         +-------------------- shows --------------------> workspaces, teams, tasks, traces, events
+         +------------------------- shows ------------------------> workspaces, teams, tasks, traces, events
 
-Workspace Runtime (Python image with adapters)
-  - LangGraph / DeepAgents / Claude Code / CrewAI / AutoGen / OpenClaw
-  - Agent Card + A2A server
-  - heartbeat + activity + awareness-backed memory
+Workspace Runtime (Python ≥3.11, image with adapters)
+  - 8 adapters: LangGraph / DeepAgents / Claude Code / CrewAI / AutoGen / Hermes / Gemini CLI / OpenClaw
+  - Agent Card + A2A server (typed-SSOT response path, RFC #2967)
+  - heartbeat + activity + awareness-backed memory (Memory v2 — pgvector semantic recall)
   - skills + plugins + hot reload
+
+SaaS Control Plane (molecule-controlplane, private)
+  - per-tenant EC2 + Neon (Postgres branch) + Cloudflare Tunnel
+  - WorkOS · Stripe · KMS · AWS Secrets Manager
+  - tenant_resources audit + 30-min reconciler
 ```
 
 ## Quick Start
 
 ```bash
-git clone https://github.com/Molecule-AI/molecule-monorepo.git
-cd molecule-monorepo
+git clone https://github.com/Molecule-AI/molecule-core.git
+cd molecule-core
 
 cp .env.example .env
 # Defaults boot the stack locally out of the box. See .env.example for
@@ -303,7 +320,11 @@ Then open `http://localhost:3000`:
 
 ## Current Scope
 
-The current `main` branch already includes the core platform, canvas, memory model, six production adapters, skill lifecycle, and operational surfaces. Adjacent runtime work such as **NemoClaw** remains branch-level until merged, and this README keeps that distinction explicit on purpose.
+The current `main` branch ships the core platform, Canvas v4 (warm-paper themed), Memory v2 (pgvector semantic recall), the typed-SSOT A2A response path (RFC #2967), **eight production adapters** (Claude Code, Hermes, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw), skill lifecycle, and operational surfaces.
+
+The companion private repo [`molecule-controlplane`](https://github.com/Molecule-AI/molecule-controlplane) provides the SaaS surface — multi-tenant orchestration on EC2 + Neon + Cloudflare Tunnels, KMS envelope encryption, WorkOS auth, Stripe billing, and a `tenant_resources` audit table with a 30-min reconciler.
+
+Adjacent runtime work such as **NemoClaw** remains branch-level until merged, and this README keeps that distinction explicit on purpose.
 
 ## License
 

docs/assets/branding/molecule-icon.svg

@@ -0,0 +1,28 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
+  <style>
+    .bg { fill: #0a1120; }
+    .accent { fill: #7fe8d6; }
+    .accent-stroke { stroke: #7fe8d6; }
+    @media (prefers-color-scheme: light) {
+      .bg { fill: #f5f7fa; }
+      .accent { fill: #1a8a72; }
+      .accent-stroke { stroke: #1a8a72; }
+    }
+  </style>
+  <rect class="bg" width="64" height="64" rx="14"/>
+  <g class="accent-stroke" stroke-width="2.4" stroke-linecap="round" fill="none">
+    <line x1="32" y1="32" x2="12" y2="14"/>
+    <line x1="32" y1="32" x2="52" y2="18"/>
+    <line x1="32" y1="32" x2="10" y2="40"/>
+    <line x1="32" y1="32" x2="54" y2="44"/>
+    <line x1="32" y1="32" x2="32" y2="56"/>
+  </g>
+  <g class="accent">
+    <circle cx="32" cy="32" r="6.5"/>
+    <circle cx="12" cy="14" r="3.5"/>
+    <circle cx="52" cy="18" r="3.5"/>
+    <circle cx="10" cy="40" r="3.5"/>
+    <circle cx="54" cy="44" r="3.5"/>
+    <circle cx="32" cy="56" r="3.5"/>
+  </g>
+</svg>

docs/assets/branding/molecule-logo.svg

@@ -0,0 +1,17 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" role="img" aria-label="Molecule AI">
+  <g stroke="#7fe8d6" stroke-width="2.6" stroke-linecap="round" fill="none">
+    <line x1="32" y1="32" x2="12" y2="14"/>
+    <line x1="32" y1="32" x2="52" y2="18"/>
+    <line x1="32" y1="32" x2="10" y2="40"/>
+    <line x1="32" y1="32" x2="54" y2="44"/>
+    <line x1="32" y1="32" x2="32" y2="56"/>
+  </g>
+  <g fill="#7fe8d6">
+    <circle cx="32" cy="32" r="7"/>
+    <circle cx="12" cy="14" r="3.6"/>
+    <circle cx="52" cy="18" r="3.6"/>
+    <circle cx="10" cy="40" r="3.6"/>
+    <circle cx="54" cy="44" r="3.6"/>
+    <circle cx="32" cy="56" r="3.6"/>
+  </g>
+</svg>

docs/workspace-runtime-package.md

@@ -98,14 +98,14 @@ Each of the 8 adapter template repos contains:
 
 | Adapter | Repo |
 |---------|------|
-| claude-code | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-claude-code |
-| langgraph | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-langgraph |
-| crewai | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-crewai |
-| autogen | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-autogen |
-| deepagents | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-deepagents |
-| hermes | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-hermes |
-| gemini-cli | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-gemini-cli |
-| openclaw | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw |
+| claude-code | https://github.com/Molecule-AI/molecule-ai-workspace-template-claude-code |
+| langgraph | https://github.com/Molecule-AI/molecule-ai-workspace-template-langgraph |
+| crewai | https://github.com/Molecule-AI/molecule-ai-workspace-template-crewai |
+| autogen | https://github.com/Molecule-AI/molecule-ai-workspace-template-autogen |
+| deepagents | https://github.com/Molecule-AI/molecule-ai-workspace-template-deepagents |
+| hermes | https://github.com/Molecule-AI/molecule-ai-workspace-template-hermes |
+| gemini-cli | https://github.com/Molecule-AI/molecule-ai-workspace-template-gemini-cli |
+| openclaw | https://github.com/Molecule-AI/molecule-ai-workspace-template-openclaw |
 
 ## Adapter discovery (ADAPTER_MODULE)
 
@@ -244,7 +244,7 @@ correctness before pushing a `runtime-v*` tag.
 ## Writing a new adapter
 
 Use the GitHub template repo
-[`molecule-ai/molecule-ai-workspace-template-starter`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-starter) (note: the starter repo did not survive the 2026-05-06 GitHub-org-suspension migration; recreation tracked at internal#41)
+[`Molecule-AI/molecule-ai-workspace-template-starter`](https://github.com/Molecule-AI/molecule-ai-workspace-template-starter)
 — it ships with the canonical Dockerfile + adapter.py skeleton + config.yaml
 schema + the `repository_dispatch: [runtime-published]` cascade receiver
 already wired up. No follow-up setup PR required.
@@ -256,7 +256,7 @@ gh repo create Molecule-AI/molecule-ai-workspace-template-<runtime> \
   --public \
   --description "Molecule AI workspace template: <runtime>"
 
-git clone https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-<runtime>.git
+git clone https://github.com/Molecule-AI/molecule-ai-workspace-template-<runtime>
 cd molecule-ai-workspace-template-<runtime>
 ```
 
@@ -286,7 +286,7 @@ After `git push`:
 If the canonical shape changes (e.g. `config.yaml` schema gets a new field,
 the `BaseAdapter` interface adds a method, the reusable CI workflow
 signature changes), update the
-[starter](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-starter) (recreation pending — see note above)
+[starter](https://github.com/Molecule-AI/molecule-ai-workspace-template-starter)
 **first**. Existing templates can either migrate at their own pace or be
 touched in a coordinated cleanup PR. Either way, future templates pick up
 the new shape from day one.

scripts/build_runtime_package.py

@@ -278,7 +278,7 @@ include = ["molecule_runtime*"]
 README_TEMPLATE = """\
 # molecule-ai-workspace-runtime
 
-Shared workspace runtime for [Molecule AI](https://git.moleculesai.app/molecule-ai/molecule-core)
+Shared workspace runtime for [Molecule AI](https://github.com/Molecule-AI/molecule-core)
 agent adapters. Installed by every workspace template image
 (`workspace-template-claude-code`, `-langgraph`, `-hermes`, etc.) to provide
 A2A delegation, heartbeat, memory, plugin loading, and skill management.
@@ -396,7 +396,7 @@ If you don't need real-time push, the default poll path works
 universally with no extra setup; both modes converge on the same
 `inbox_pop` ack so messages never duplicate.
 
-See [`docs/workspace-runtime-package.md`](https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/workspace-runtime-package.md)
+See [`docs/workspace-runtime-package.md`](https://github.com/Molecule-AI/molecule-core/blob/main/docs/workspace-runtime-package.md)
 for the publish flow and architecture.
 """
 

workspace-server/internal/handlers/admin_workspace_images.go

@@ -56,17 +56,10 @@ type RefreshResult struct {
 	Recreated []string `json:"recreated"`
 }
 
-// TemplateImageRef returns the canonical image ref for a runtime's template,
-// using the configured registry (provisioner.RegistryPrefix()) and the
-// moving `:latest` tag. Single source of truth shared with imagewatch.
-//
-// Defaults to ghcr.io/molecule-ai/workspace-template-<runtime>:latest
-// (upstream OSS). When MOLECULE_IMAGE_REGISTRY is set in the environment
-// (typically the AWS ECR mirror in production), this returns the prefixed
-// equivalent so admin operations and image-watch checks hit the same
-// registry the provisioner pulls from.
+// TemplateImageRef returns the canonical GHCR ref for a runtime's template
+// image. Single source of truth shared with imagewatch.
 func TemplateImageRef(runtime string) string {
-	return fmt.Sprintf("%s/workspace-template-%s:latest", provisioner.RegistryPrefix(), runtime)
+	return fmt.Sprintf("ghcr.io/molecule-ai/workspace-template-%s:latest", runtime)
 }
 
 // ghcrAuthHeader returns the base64-encoded JSON auth payload Docker's

workspace-server/internal/handlers/org_import_idempotency_test.go

@@ -31,25 +31,11 @@ import (
 // tests pin the helper's three observable behaviors plus an AST gate
 // that catches future re-introductions of the un-checked INSERT.
 
-// lookupChildSQLRE anchors the sqlmock ExpectQuery on every load-bearing
-// token of lookupExistingChild's SELECT (org_import.go:639-645). A loose
-// substring match (the prior shape, just `SELECT id FROM workspaces`)
-// would silent-pass a regression that drops `IS NOT DISTINCT FROM`
-// (breaks NULL-parent matching), drops `parent_id` entirely (hijacks
-// siblings of the same name across different parents), or drops the
-// `status != 'removed'` filter (blocks re-import after Collapse).
-// RFC #2872 Important-2.
-//
-// The four anchored tokens are exactly the predicates the bug shapes
-// would tamper with. Whitespace is `\s+` so a future formatter pass
-// doesn't churn this string.
-const lookupChildSQLRE = `(?s)SELECT id FROM workspaces\s+WHERE name = \$1\s+AND parent_id IS NOT DISTINCT FROM \$2\s+AND status != 'removed'`
-
 func TestLookupExistingChild_NotFound_ReturnsFalseNoError(t *testing.T) {
 	mock := setupTestDB(t)
 	// 0-row result → driver returns sql.ErrNoRows on Scan.
 	parent := "parent-1"
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnRows(sqlmock.NewRows([]string{"id"}))
 
@@ -70,7 +56,7 @@ func TestLookupExistingChild_NotFound_ReturnsFalseNoError(t *testing.T) {
 func TestLookupExistingChild_Found_ReturnsIDAndTrue(t *testing.T) {
 	mock := setupTestDB(t)
 	parent := "parent-1"
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-existing-uuid"))
 
@@ -93,7 +79,7 @@ func TestLookupExistingChild_NilParent_MatchesRoot(t *testing.T) {
 	// a plain `=` would never match a NULL row. Pin that roots
 	// (parent_id=NULL) are still found by the lookup.
 	mock := setupTestDB(t)
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("RootAgent", (*string)(nil)).
 		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-root-uuid"))
 
@@ -116,7 +102,7 @@ func TestLookupExistingChild_DBError_Propagates(t *testing.T) {
 	mock := setupTestDB(t)
 	parent := "parent-1"
 	connFail := errors.New("simulated postgres unavailable")
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnError(connFail)
 
@@ -151,7 +137,7 @@ func TestLookupExistingChild_WrappedNoRows_TreatedAsNotFound(t *testing.T) {
 	mock := setupTestDB(t)
 	parent := "parent-1"
 	wrapped := fmt.Errorf("driver-wrapped: %w", sql.ErrNoRows)
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnError(wrapped)
 

workspace-server/internal/provisioner/provisioner.go

@@ -35,37 +35,36 @@ import (
 // drift-risk #6.
 var ErrNoBackend = errors.New("provisioner: no backend configured (zero-valued receiver)")
 
-// RuntimeImages maps runtime names to their Docker image refs.
+// RuntimeImages maps runtime names to their Docker image refs on GHCR.
 // Each standalone template repo publishes its image via the reusable
 // publish-template-image workflow in molecule-ci on every main merge.
 // The provisioner pulls these on demand (see ensureImageLocal) — no
 // pre-build step on the tenant host.
 //
-// The registry prefix is determined by RegistryPrefix() in registry.go;
-// defaults to ghcr.io/molecule-ai (upstream OSS) and is overridden via the
-// MOLECULE_IMAGE_REGISTRY env var in production tenants that mirror to
-// AWS ECR or another registry. The map is computed at package init and
-// captures whatever prefix was active then.
-//
 // Legacy local-build path (`docker build -t workspace-template:<runtime>`
 // via scripts/build-images.sh) is still supported for development:
 // when a bare `workspace-template:<runtime>` image is present locally,
 // Docker's image resolver matches it before any pull is attempted. Set
 // the env var WORKSPACE_IMAGE_LOCAL_OVERRIDE=1 (enforced by callers) to
 // short-circuit pulls entirely if needed.
-var RuntimeImages = computeRuntimeImages()
-
-// DefaultImage is the fallback workspace Docker image (langgraph is the
-// most common runtime). Computed via RegistryPrefix() so the prefix
-// override applies to the fallback path too.
-//
-// NOTE: Every runtime MUST have an entry in knownRuntimes (registry.go).
-// If a runtime is missing, it falls back to DefaultImage which may have
-// wrong deps. Add new runtimes to knownRuntimes AND create the standalone
-// template repo.
-var DefaultImage = RuntimeImage(defaultRuntime)
+var RuntimeImages = map[string]string{
+	"langgraph":   "ghcr.io/molecule-ai/workspace-template-langgraph:latest",
+	"claude-code": "ghcr.io/molecule-ai/workspace-template-claude-code:latest",
+	"openclaw":    "ghcr.io/molecule-ai/workspace-template-openclaw:latest",
+	"deepagents":  "ghcr.io/molecule-ai/workspace-template-deepagents:latest",
+	"crewai":      "ghcr.io/molecule-ai/workspace-template-crewai:latest",
+	"autogen":     "ghcr.io/molecule-ai/workspace-template-autogen:latest",
+	"hermes":      "ghcr.io/molecule-ai/workspace-template-hermes:latest",     // Hermes (Nous Research) — real hermes-agent behind A2A bridge
+	"gemini-cli":  "ghcr.io/molecule-ai/workspace-template-gemini-cli:latest", // Google Gemini CLI
+}
 
 const (
+	// DefaultImage is the fallback workspace Docker image (langgraph is the most common runtime).
+	DefaultImage = "ghcr.io/molecule-ai/workspace-template-langgraph:latest"
+	// NOTE: Every runtime MUST have an entry in RuntimeImages above. If a runtime is missing,
+	// it falls back to DefaultImage which may have wrong deps. Add new runtimes to both
+	// RuntimeImages AND create the standalone template repo.
+
 	// DefaultNetwork is the Docker network workspaces join.
 	DefaultNetwork = "molecule-monorepo-net"
 

workspace-server/internal/provisioner/registry.go

@@ -1,95 +0,0 @@
-package provisioner
-
-import (
-	"fmt"
-	"os"
-)
-
-// defaultRegistryPrefix is the upstream OSS face for all workspace template
-// images. Self-hosted Molecule deployments without the MOLECULE_IMAGE_REGISTRY
-// override pull from here.
-const defaultRegistryPrefix = "ghcr.io/molecule-ai"
-
-// knownRuntimes is the canonical list of workspace template runtimes shipped
-// in main. Any runtime added here MUST also have a standalone template repo
-// (Molecule-AI/molecule-ai-workspace-template-<name>) and an entry in the
-// publish-template-image workflow that builds it.
-//
-// Order matters for deterministic test snapshots; keep alphabetical.
-var knownRuntimes = []string{
-	"autogen",
-	"claude-code",
-	"codex",
-	"crewai",
-	"deepagents",
-	"gemini-cli",
-	"hermes",
-	"langgraph",
-	"openclaw",
-}
-
-// defaultRuntime is the fallback when a workspace's config doesn't specify a
-// runtime. Picked because LangGraph is the most common in our org templates
-// and has the smallest "first impression" cold-start surface.
-const defaultRuntime = "langgraph"
-
-// RegistryPrefix returns the registry prefix all workspace-template image
-// references should use. Defaults to ghcr.io/molecule-ai (the upstream OSS
-// face) and is overridden by the MOLECULE_IMAGE_REGISTRY env var in
-// production tenants where we mirror images to a private registry.
-//
-// The override is set at deploy time (Railway env, EC2 user-data) — never
-// from user-supplied input — so the value is trusted by the time it reaches
-// this code. Validation is deliberately minimal: an operator-supplied
-// prefix that points at a registry the EC2 can't authenticate to will fail
-// loudly at docker-pull time, which is the right blast radius.
-//
-// Example values:
-//
-//	(unset)                                              → ghcr.io/molecule-ai (OSS default)
-//	"123456789012.dkr.ecr.us-east-2.amazonaws.com/molecule-ai"  → AWS ECR mirror
-//	"git.moleculesai.app/molecule-ai"                    → self-hosted Gitea Container Registry (future)
-//
-// Auth is registry-specific and configured outside this function:
-//   - GHCR: GHCR_USER/GHCR_TOKEN env vars consumed by ghcrAuthHeader()
-//   - ECR: docker credential helper (amazon-ecr-credential-helper) configured
-//     in EC2 user-data; ~/.docker/config.json has credHelpers entry; the
-//     daemon resolves auth automatically on every pull.
-func RegistryPrefix() string {
-	if v := os.Getenv("MOLECULE_IMAGE_REGISTRY"); v != "" {
-		return v
-	}
-	return defaultRegistryPrefix
-}
-
-// RuntimeImage returns the canonical image reference for the given runtime,
-// using the current RegistryPrefix() and the moving `:latest` tag.
-//
-// For SHA-pinned references (production thin-AMI launches), the
-// runtime_image_pins lookup in handlers/runtime_image_pin.go strips the
-// `:latest` suffix and appends an immutable `@sha256:<digest>` from the DB.
-// That code path naturally inherits any RegistryPrefix() change because it
-// reads from RuntimeImages[runtime] and only re-formats the tag suffix.
-//
-// Returns the empty string for unknown runtimes; callers should fall through
-// to DefaultImage in that case (matching legacy behavior).
-func RuntimeImage(runtime string) string {
-	for _, r := range knownRuntimes {
-		if r == runtime {
-			return fmt.Sprintf("%s/workspace-template-%s:latest", RegistryPrefix(), runtime)
-		}
-	}
-	return ""
-}
-
-// computeRuntimeImages returns the {runtime: image-ref} map evaluated against
-// the current RegistryPrefix(). Called at package init to populate the
-// exported RuntimeImages var. Tests that flip MOLECULE_IMAGE_REGISTRY between
-// expected values use this helper to rebuild the map mid-run.
-func computeRuntimeImages() map[string]string {
-	out := make(map[string]string, len(knownRuntimes))
-	for _, r := range knownRuntimes {
-		out[r] = RuntimeImage(r)
-	}
-	return out
-}

workspace-server/internal/provisioner/registry_test.go

@@ -1,140 +0,0 @@
-package provisioner
-
-import (
-	"strings"
-	"testing"
-)
-
-// TestRegistryPrefix_DefaultsToGHCR pins the OSS-default behavior. If a future
-// refactor accidentally drops the default, OSS users self-hosting Molecule
-// would silently lose image pulls — this test should fail loudly instead.
-func TestRegistryPrefix_DefaultsToGHCR(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	got := RegistryPrefix()
-	want := "ghcr.io/molecule-ai"
-	if got != want {
-		t.Fatalf("RegistryPrefix() = %q, want %q (default must remain GHCR for OSS users)", got, want)
-	}
-}
-
-// TestRegistryPrefix_RespectsEnv verifies the override path used in
-// production tenants where MOLECULE_IMAGE_REGISTRY points at a private
-// mirror (AWS ECR, self-hosted Harbor, etc.).
-func TestRegistryPrefix_RespectsEnv(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "123456789012.dkr.ecr.us-east-2.amazonaws.com/molecule-ai")
-	got := RegistryPrefix()
-	want := "123456789012.dkr.ecr.us-east-2.amazonaws.com/molecule-ai"
-	if got != want {
-		t.Fatalf("RegistryPrefix() = %q, want %q (env override path is the production cutover mechanism)", got, want)
-	}
-}
-
-// TestRegistryPrefix_EmptyEnvFallsBackToDefault — guard against an operator
-// setting MOLECULE_IMAGE_REGISTRY="" by mistake (e.g. unset deploy variable
-// becomes empty string, not literally absent). We treat "" as "use default"
-// so a misconfigured env doesn't mean an empty registry prefix.
-func TestRegistryPrefix_EmptyEnvFallsBackToDefault(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	if RegistryPrefix() != defaultRegistryPrefix {
-		t.Fatalf("empty MOLECULE_IMAGE_REGISTRY should fall back to %q, got %q", defaultRegistryPrefix, RegistryPrefix())
-	}
-}
-
-// TestRuntimeImage_AllKnownRuntimes — every runtime in the canonical list
-// must produce a properly-formatted image ref. If a new runtime is added to
-// knownRuntimes but the format changes, this catches it.
-func TestRuntimeImage_AllKnownRuntimes(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	for _, r := range knownRuntimes {
-		got := RuntimeImage(r)
-		want := "ghcr.io/molecule-ai/workspace-template-" + r + ":latest"
-		if got != want {
-			t.Errorf("RuntimeImage(%q) = %q, want %q", r, got, want)
-		}
-	}
-	// Pin the count so adding a runtime requires explicit test acknowledgement.
-	if len(knownRuntimes) != 9 {
-		t.Errorf("knownRuntimes length = %d, want 9 (autogen, claude-code, codex, crewai, deepagents, gemini-cli, hermes, langgraph, openclaw)", len(knownRuntimes))
-	}
-}
-
-// TestRuntimeImage_UnknownRuntime — defensive: callers must fall back to
-// DefaultImage when a runtime is unknown, never silently use the wrong
-// prefix. Returning "" enforces an explicit fallback at every call site.
-func TestRuntimeImage_UnknownRuntime(t *testing.T) {
-	for _, name := range []string{"", "nonexistent", "WORKSPACE-TEMPLATE-FAKE", "../../../etc/passwd"} {
-		if got := RuntimeImage(name); got != "" {
-			t.Errorf("RuntimeImage(%q) = %q, want empty string for unknown runtime", name, got)
-		}
-	}
-}
-
-// TestRuntimeImage_RegistryOverrideAppliesToAllRuntimes — the override
-// flips ALL runtimes consistently. If a refactor accidentally hardcoded
-// the prefix in some runtimes but not others (the failure mode that
-// triggered this whole rollout), this test catches it.
-func TestRuntimeImage_RegistryOverrideAppliesToAllRuntimes(t *testing.T) {
-	const ecr = "999999999999.dkr.ecr.us-east-2.amazonaws.com/molecule-ai"
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", ecr)
-
-	for _, r := range knownRuntimes {
-		got := RuntimeImage(r)
-		if !strings.HasPrefix(got, ecr+"/workspace-template-") {
-			t.Errorf("RuntimeImage(%q) = %q, must start with override prefix %q", r, got, ecr)
-		}
-		if !strings.HasSuffix(got, ":latest") {
-			t.Errorf("RuntimeImage(%q) = %q, must keep :latest tag suffix", r, got)
-		}
-	}
-}
-
-// TestComputeRuntimeImages_AllRuntimesPresent — the map must contain every
-// known runtime. Drift between knownRuntimes and computeRuntimeImages would
-// silently break the runtime → image lookup that provisioner.Start uses.
-func TestComputeRuntimeImages_AllRuntimesPresent(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	m := computeRuntimeImages()
-	if len(m) != len(knownRuntimes) {
-		t.Fatalf("computeRuntimeImages() has %d entries, want %d (one per knownRuntime)", len(m), len(knownRuntimes))
-	}
-	for _, r := range knownRuntimes {
-		img, ok := m[r]
-		if !ok {
-			t.Errorf("computeRuntimeImages() missing runtime %q", r)
-			continue
-		}
-		if img == "" {
-			t.Errorf("computeRuntimeImages()[%q] is empty", r)
-		}
-	}
-}
-
-// TestComputeRuntimeImages_ReflectsCurrentEnv — calling computeRuntimeImages
-// after env change rebuilds the map with new prefix. Tests + ops procedures
-// that flip the env in-process rely on this.
-func TestComputeRuntimeImages_ReflectsCurrentEnv(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	defaultMap := computeRuntimeImages()
-	if !strings.HasPrefix(defaultMap["claude-code"], "ghcr.io/molecule-ai/") {
-		t.Fatalf("default map should be GHCR-prefixed, got %q", defaultMap["claude-code"])
-	}
-
-	const mirror = "registry.example.com/molecule-ai"
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", mirror)
-	mirrorMap := computeRuntimeImages()
-	if !strings.HasPrefix(mirrorMap["claude-code"], mirror+"/") {
-		t.Fatalf("mirror-prefixed map should start with %q, got %q", mirror, mirrorMap["claude-code"])
-	}
-}
-
-// TestKnownRuntimes_AlphabeticalOrder — pin the order so test snapshots
-// (and human readers diffing the file) see deterministic output. Adding a
-// new runtime out of alphabetical order will fail this test, which is the
-// nudge to keep the file readable.
-func TestKnownRuntimes_AlphabeticalOrder(t *testing.T) {
-	for i := 1; i < len(knownRuntimes); i++ {
-		if knownRuntimes[i-1] >= knownRuntimes[i] {
-			t.Errorf("knownRuntimes not alphabetical: %q comes before %q", knownRuntimes[i-1], knownRuntimes[i])
-		}
-	}
-}

workspace/build-all.sh

@@ -2,7 +2,7 @@
 # build-all.sh — Rebuild base image and optionally adapter images.
 #
 # NOTE: Adapters have been extracted to standalone template repos:
-#   https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-<runtime>
+#   https://github.com/Molecule-AI/molecule-ai-workspace-template-<runtime>
 #
 # This script now only builds the base image from workspace/Dockerfile.
 # Each adapter repo has its own Dockerfile that installs molecule-ai-workspace-runtime