docs: update Fly Machines references to AWS EC2 + Railway (Apr 2026 migration)

The Apr 2026 SaaS migration moved tenant + workspace compute from Fly
Machines to AWS EC2, and the control plane from Fly to Railway. Update
docs that still claim Fly Machines as the production provisioner; leave
historical / changelog references intact.

Files changed:

- content/docs/architecture.mdx — SaaS Deployment Modes section now
  states each tenant runs on a dedicated AWS EC2 instance provisioned by
  the Railway-hosted control plane; adds an Apr 2026 migration note +
  link to the molecule-controlplane README "Migration history".
- content/docs/tutorials/fly-machines-provisioner.md — preserved as
  historical PR #501 lineage record; adds a DEPRECATED banner at the top
  pointing to the EC2 provisioner (`internal/provisioner/ec2.go`) and
  the controlplane migration history. Tutorial body kept untouched.
- content/docs/self-hosting/admin-token.mdx — drops the "Fly.io
  (recommended for self-hosted)" framing since the SaaS no longer runs
  on Fly. Adds a Railway example alongside the existing Fly.io example,
  keeps both as illustrative options. Rotation steps generalised to "the
  host's secrets store" (Railway, Fly.io, AWS Secrets Manager all work).
- content/docs/tutorials/saas-federation.md — security model table row
  "No Fly/API tokens on tenant" → "No AWS/cloud API tokens on tenant" so
  it matches the EC2 + Neon architecture the rest of the page already
  describes.

Untouched on purpose:

- content/docs/changelog.mdx Phase 33 "Fly Machines provisioner" entry —
  changelogs are historical record.
- content/docs/architecture/wildcard-dns-proxy.md — only references
  Fly.io as a generic SaaS example, not as Molecule's infrastructure.
- content/docs/security/safe-mcp-advisory.mdx — `fly.toml` is one of
  several illustrative deploy-target egress-lock examples for
  self-hosters.
- content/docs/guides/external-workspace-quickstart.md — lists Fly /
  Railway / DigitalOcean as example self-host targets for external
  workspaces (still valid).

Source of truth: molecule-controlplane README "Migration history"
(https://github.com/Molecule-AI/molecule-controlplane#migration-history).

Verified: \`pnpm build\` (Next.js 16.2.4) — 111/111 static pages green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

content/docs/agent-runtime/workspace-runtime.md

@@ -9,18 +9,16 @@ The `workspace/` directory is Molecule AI's unified runtime image. Every provisi
 
 ## Runtime Matrix In Current `main`
 
-Current `main` ships eight adapters:
+Current `main` ships six adapters:
 
-- `claude-code`
 - `langgraph`
+- `deepagents`
+- `claude-code`
 - `crewai`
 - `autogen`
-- `deepagents`
-- `hermes`
-- `gemini-cli`
 - `openclaw`
 
-This is the merged runtime surface today. The canonical allowlist lives in `workspace-server/internal/handlers/admin_workspace_images.go` (`AllRuntimes`). Anything not on this list — including BYO runtimes — registers via the [external workspace](../external-agents.mdx) path, not as a built-in adapter.
+This is the merged runtime surface today. Branch-level experiments such as NemoClaw are separate and should be treated as roadmap/WIP, not merged support.
 
 Adapter-specific behavior is documented in [Agent Runtime Adapters](./cli-runtime.md).
 

content/docs/architecture.mdx

@@ -295,7 +295,9 @@ docker compose up
 
 ### SaaS
 
-Hosted at `moleculesai.app` with per-tenant isolation. Each tenant gets a dedicated Fly Machine running the tenant image. The `MOLECULE_ORG_ID` env var gates API access -- every non-allowlisted request must carry a matching `X-Molecule-Org-Id` header or gets a 404. When unset, the guard is a passthrough so self-hosted and dev environments are unaffected.
+Hosted at `moleculesai.app` with per-tenant isolation. Each tenant gets a dedicated AWS EC2 instance running the tenant image, provisioned by the control plane (`api.moleculesai.app`, hosted on Railway). The `MOLECULE_ORG_ID` env var gates API access -- every non-allowlisted request must carry a matching `X-Molecule-Org-Id` header or gets a 404. When unset, the guard is a passthrough so self-hosted and dev environments are unaffected.
+
+> **Migration note (Apr 2026):** SaaS infrastructure was migrated from Fly Machines to AWS EC2 (workspaces) + Railway (control plane). See the [`molecule-controlplane` README "Migration history"](https://github.com/Molecule-AI/molecule-controlplane#migration-history) for the canonical record.
 
 ### Tenant Image
 

content/docs/architecture/molecule-technical-doc.md

@@ -573,16 +573,14 @@ compliance:
 
 | Adapter | Core Strength | Image Tag |
 |---------|--------------|-----------|
-| **Claude Code** | Native coding workflows, CLI continuity, OAuth auth | `workspace-template:claude-code` |
 | **LangGraph** | Graph-based state machine, tool use, streaming | `workspace-template:langgraph` |
+| **DeepAgents** | Deep planning, multi-step task decomposition | `workspace-template:deepagents` |
+| **Claude Code** | Native coding workflows, CLI continuity, OAuth auth | `workspace-template:claude-code` |
 | **CrewAI** | Role-based crews, structured task orchestration | `workspace-template:crewai` |
 | **AutoGen** | Multi-agent conversations, explicit strategies | `workspace-template:autogen` |
-| **DeepAgents** | Deep planning, multi-step task decomposition | `workspace-template:deepagents` |
-| **Hermes** | Multi-provider dispatch (Anthropic/Gemini native + OpenAI-compatible shim) | `workspace-template:hermes` |
-| **Gemini CLI** | Google Gemini CLI workspace | `workspace-template:gemini-cli` |
 | **OpenClaw** | CLI-native runtime, own session model | `workspace-template:openclaw` |
 
-The canonical allowlist lives in `workspace-server/internal/handlers/admin_workspace_images.go` (`AllRuntimes`). Anything outside this list registers via the external-workspace path.
+**Branch-level WIP**: NemoClaw (NVIDIA T4 + Docker socket) on `feat/nemoclaw-t4-docker`.
 
 Each adapter implements `setup()` + `create_executor()`. The base adapter provides shared infrastructure: system prompt assembly, skill loading, tool registration, coordinator detection, plugin injection.
 
@@ -980,6 +978,7 @@ Tools call `resp.json()` without catching JSON decode errors. Should wrap in try
 
 | Branch | Feature | Status |
 |--------|---------|--------|
+| `feat/nemoclaw-t4-docker` | NemoClaw adapter (NVIDIA T4 support) | WIP |
 | Backlog | Firecracker backend (faster cold starts) | Planned |
 | Backlog | E2B backend (cloud-hosted code sandbox) | Planned |
 | Backlog | pgvector semantic memory search | Planned |

content/docs/architecture/overview.md

@@ -20,7 +20,7 @@ Canvas (Next.js :3000) ←WebSocket→ Platform (Go :8080) ←HTTP→ Postgres +
 
 - **Workspace Server** (`workspace-server/`): Go/Gin control plane — workspace CRUD, registry, discovery, WebSocket hub, liveness monitoring.
 - **Canvas** (`canvas/`): Next.js 15 + React Flow (@xyflow/react v12) + Zustand + Tailwind — visual workspace graph.
-- **Workspace Runtime** (`workspace/`): Shared runtime published as [`molecule-ai-workspace-runtime`](https://pypi.org/project/molecule-ai-workspace-runtime/) on PyPI. Supports Claude Code, LangGraph, CrewAI, AutoGen, DeepAgents, Hermes, Gemini CLI, and OpenClaw. Each adapter lives in its own standalone template repo (e.g. `molecule-ai-workspace-template-claude-code`). See `docs/workspace-runtime-package.md` for the full picture.
+- **Workspace Runtime** (`workspace/`): Shared runtime published as [`molecule-ai-workspace-runtime`](https://pypi.org/project/molecule-ai-workspace-runtime/) on PyPI. Supports LangGraph, Claude Code, OpenClaw, DeepAgents, CrewAI, AutoGen. Each adapter lives in its own standalone template repo (e.g. `molecule-ai-workspace-template-claude-code`). See `docs/workspace-runtime-package.md` for the full picture.
 - **molecli** (`workspace-server/cmd/cli/`): Go TUI dashboard (Bubbletea + Lipgloss) — real-time workspace monitoring, event log, health overview, delete/filter operations.
 
 ## Key Architectural Patterns

content/docs/glossary.md

@@ -26,7 +26,7 @@ lands in the watch list with a colliding term, add a row here.
 | **team** | A named cluster of workspaces under a PM (org template `expand_team`). Used for role grouping in Canvas. | **CrewAI**: a "crew" is a sequence of agents that pass a task through a declared order. Our "team" is an org-chart abstraction, not an execution order. |
 | **skill** | A directory with `SKILL.md` that an agent invokes via the `Skill` tool. Skills are documentation + optional scripts that teach an agent a recipe. | **Anthropic Skills API**: nearly identical. **CrewAI tool**: closer to our plugin's MCP tool, not our skill. |
 | **channel** | An outbound/inbound social integration (Telegram, Slack, …) per-workspace, wired in `workspace_channels`. | Slack's "channel": the container for messages. We use "channel" for the adapter + credentials, not the conversation itself. |
-| **runtime** | The execution engine image tag for a workspace: one of `claude-code`, `langgraph`, `crewai`, `autogen`, `deepagents`, `hermes`, `gemini-cli`, `openclaw`. | **LangGraph runtime**: the Python process running the graph. We use "runtime" for the Docker image + adapter pairing, not the inner process. |
+| **runtime** | The execution engine image tag for a workspace: one of `langgraph`, `claude-code`, `openclaw`, `crewai`, `autogen`, `deepagents`, `hermes`. | **LangGraph runtime**: the Python process running the graph. We use "runtime" for the Docker image + adapter pairing, not the inner process. |
 
 ## GitHub Awesome Copilot disambiguation
 

content/docs/self-hosting/admin-token.mdx

@@ -30,7 +30,28 @@ platform.
 
 ## Setting ADMIN_TOKEN in production
 
-### Fly.io (recommended for self-hosted)
+The platform reads `ADMIN_TOKEN` from the process environment, so any
+production-grade host with a secrets store works. Pick the path that
+matches your deployment target.
+
+> **Note (Apr 2026):** The Molecule AI SaaS itself runs on AWS EC2
+> (workspaces) + Railway (control plane). Self-hosters can use any host
+> with secret-injection (Railway, Fly.io, AWS, GCP, bare-metal) — the
+> examples below are illustrative, not prescriptive. See the
+> [`molecule-controlplane` README "Migration history"](https://github.com/Molecule-AI/molecule-controlplane#migration-history)
+> for the canonical SaaS infrastructure record.
+
+### Railway
+
+In the Railway dashboard, go to your service → Variables and add
+`ADMIN_TOKEN`, then redeploy. Or via CLI:
+
+```bash
+railway variables --set ADMIN_TOKEN="your-generated-token"
+railway up
+```
+
+### Fly.io
 
 ```bash
 fly secrets set ADMIN_TOKEN="your-generated-token"
@@ -92,10 +113,13 @@ payload with a `count` field, the token is working.
 
 To rotate without downtime:
 
-1. **Deploy** the new token: `fly secrets set ADMIN_TOKEN="new-token" && fly deploy`
-2. **Verify** the new token works (see above)
-3. **Remove** the old token: `fly secrets unset OLD_TOKEN_NAME` (Fly does not
-   persist old secret values after unset)
+1. **Deploy** the new token via your host's secrets store, e.g.
+   `railway variables --set ADMIN_TOKEN="new-token" && railway up`
+   or `fly secrets set ADMIN_TOKEN="new-token" && fly deploy`.
+2. **Verify** the new token works (see above).
+3. **Remove** the old token from the secrets store. Most managed hosts
+   (Railway, Fly.io, AWS Secrets Manager) do not persist old secret
+   values after unset.
 
 ## Related
 

content/docs/tutorials/fly-machines-provisioner.md

@@ -1,8 +1,19 @@
 ---
-title: "Provisioning Workspaces on Fly Machines (CONTAINER_BACKEND=flyio)"
+title: "Provisioning Workspaces on Fly Machines (CONTAINER_BACKEND=flyio) — DEPRECATED"
 ---
 # Provisioning Workspaces on Fly Machines (CONTAINER_BACKEND=flyio)
 
+> **DEPRECATED — historical reference only.** As of April 2026, the SaaS
+> control plane and tenant/workspace fleets migrated off Fly Machines to
+> **AWS EC2 (workspaces) + Railway (control plane)**. The current
+> production provisioner lives at
+> [`molecule-controlplane/internal/provisioner/ec2.go`](https://github.com/Molecule-AI/molecule-controlplane/blob/main/internal/provisioner/ec2.go).
+> The Fly provisioner code (`fly.go`, `internal/flyapi/`) remains in the
+> tree as legacy awaiting cleanup but is no longer the production path.
+> See the [`molecule-controlplane` README "Migration history"](https://github.com/Molecule-AI/molecule-controlplane#migration-history)
+> for the canonical record. This page is preserved as the original PR
+> #501 lineage record; do not follow it for new self-hosted deployments.
+
 Molecule AI can provision agent workspaces on [Fly Machines](https://fly.io/docs/machines/) instead of local Docker containers. When `CONTAINER_BACKEND=flyio` is set, every `POST /workspaces` creates a Fly Machine and boots the workspace agent inside it — with tier-based resource limits, env-var injection, and A2A registration handled automatically. The platform manages the workspace (lifecycle, auth, routing); Fly manages the machine it runs on.
 
 > **Scope note (PR #501):** Workspace images must already be published to GHCR before provisioning. The `delete` and `restart` platform endpoints are not yet fully wired to the Fly provisioner — use `flyctl machine stop/destroy` for teardown until a follow-up PR lands.

content/docs/tutorials/saas-federation.md

@@ -226,7 +226,7 @@ This terminates all EC2 instances, drops the Neon branch, and removes the org re
 |---|---|---|
 | Database | Neon branch-per-tenant | Tenant's branch, operator has no direct access |
 | Compute | EC2 in tenant's VPC | Control plane provisions, operator manages SG rules |
-| Credentials | No Fly/API tokens on tenant | All cloud credentials held by control plane |
+| Credentials | No AWS/cloud API tokens on tenant | All cloud credentials held by control plane |
 | API access | Org-scoped API keys | Tenant manages their own keys; operator has CP-level override |
 | Network | Security group: port 443 from platform only | Control plane manages; tenant can't modify |