chore: update all docs from EC2 to Hetzner Cloud

Replace EC2 references, old IP, and SSH key paths across all live
documentation. Fix sudo bug in setup.sh for pnpm install. Update
deploy workflow comments. Historical files (migration plan, memory
logs) left as-is.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sragss

.claude/infrastructure.md

@@ -36,11 +36,7 @@ hcloud server poweron craig
 ssh -i ~/.ssh/hetzner-craig ubuntu@178.156.251.179 "nproc && free -h"
 ```
 
-## AWS teardown (pending)
+## AWS teardown (complete)
 
-Old EC2 is stopped but not terminated. After 24h+ of stable Hetzner operation:
-
-```bash
-aws ec2 terminate-instances --instance-ids i-0e2fb16c6e0fb83d0 --region us-east-1
-aws ec2 release-address --allocation-id eipalloc-0155d2c49a8667e13 --region us-east-1
-```
+Old EC2 instance `i-0e2fb16c6e0fb83d0` terminated and Elastic IP
+`eipalloc-0155d2c49a8667e13` released on 2026-02-15.

.github/workflows/deploy.yml

@@ -8,7 +8,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - name: Deploy to EC2
+      - name: Deploy to server
         uses: appleboy/ssh-action@v1
         with:
           host: ${{ secrets.EC2_HOST }}
@@ -39,7 +39,7 @@ jobs:
               echo "OpenClaw pin unchanged ($CURRENT)"
             fi
 
-            # 2. Render config (repo base + EC2 secrets)
+            # 2. Render config (repo base + server secrets)
             jq -s '.[0] * .[1]' deploy/openclaw.json ~/.openclaw/secrets.json \
               > ~/.openclaw/openclaw.json
 

AGENTS.md

@@ -99,7 +99,7 @@ Example: "Created PR #42 -- fixes the auth timeout in the login middleware."
 
 Your OpenClaw config lives at `deploy/openclaw.json` in this repo. It is the
 source of truth — on every deploy it overwrites `~/.openclaw/openclaw.json`
-(merged with secrets that stay on EC2).
+(merged with secrets that stay on the server).
 
 To change your own config (heartbeat interval, mention patterns, concurrency,
 etc.), edit `deploy/openclaw.json` on a branch and create a PR. Never edit

MEMORY.md

@@ -79,7 +79,7 @@ This file contains durable facts and decisions that persist across sessions. Cra
 - Old bot repo: Merit-Systems/discord-claude-agent (legacy, being replaced)
 - OpenClaw fork: Merit-Systems/openclaw (local: ~/Code/Merit-Systems/openclaw) — always pull before inspecting
 - OpenClaw setup guide: Merit-Systems/OpenClawX402
-- Runtime: OpenClaw on EC2
+- Runtime: OpenClaw on Hetzner Cloud (CCX33, Ashburn VA)
 - Channels: Discord
 
 ## Key Products

README.md

@@ -26,7 +26,7 @@ Craig2 is Merit-Systems' AI agent, powered by [OpenClaw](https://github.com/open
            │                              │
            ▼                              │
 ┌─────────────────────────────────────────┴───────────────┐
-│              EC2 (100.31.229.192)                          │
+│              Hetzner Cloud (178.156.251.179)                │
 │    ~/Code/merit-systems/CraigClaw/  ← git clone         │
 │                                                         │
 │    OpenClaw daemon reads workspace files at session      │
@@ -37,9 +37,9 @@ Craig2 is Merit-Systems' AI agent, powered by [OpenClaw](https://github.com/open
 
 **Two sync directions:**
 
-1. **Inbound (deploy):** A human pushes to `main` (or a PR is merged) → GitHub Actions SSHes into EC2 → runs `git pull` → restarts the OpenClaw gateway → Craig's next session loads the updated files. This is how humans edit Craig's brain.
+1. **Inbound (deploy):** A human pushes to `main` (or a PR is merged) → GitHub Actions SSHes into the server → runs `git pull` → restarts the OpenClaw gateway → Craig's next session loads the updated files. This is how humans edit Craig's brain.
 
-2. **Outbound (self-edit):** Craig edits a file in his workspace on EC2 → creates a branch, commits, pushes → creates a PR via `gh` CLI → a human reviews and merges → triggers the inbound deploy. This is how Craig edits his own brain.
+2. **Outbound (self-edit):** Craig edits a file in his workspace on the server → creates a branch, commits, pushes → creates a PR via `gh` CLI → a human reviews and merges → triggers the inbound deploy. This is how Craig edits his own brain.
 
 The key insight: OpenClaw's workspace directory is just a git clone of this repo. By keeping them in sync via GitHub Actions, every change (whether from Craig or a human) is version-controlled, reviewable, and auto-deployed.
 
@@ -49,7 +49,7 @@ The key insight: OpenClaw's workspace directory is just a git clone of this repo
 Discord message (@Craig2)
        |
        v
-OpenClaw daemon (EC2 100.31.229.192)
+OpenClaw daemon (Hetzner Cloud 178.156.251.179)
        |
        +--> Loads SOUL.md, AGENTS.md, TOOLS.md, MEMORY.md, IDENTITY.md
        |    (these define Craig's personality and behavior)
@@ -80,7 +80,7 @@ Craig can modify his own brain. This is the key feature of the workspace-as-repo
 2. Craig edits the relevant file in this repo (SOUL.md, MEMORY.md, AGENTS.md, etc.)
 3. Craig creates a branch (`craig/<description>`), commits, pushes, and opens a PR
 4. A human reviews and merges the PR
-5. GitHub Actions auto-deploys: SSHes into EC2, runs `git pull`, restarts the gateway
+5. GitHub Actions auto-deploys: SSHes into the server, runs `git pull`, restarts the gateway
 6. Craig's next session loads the updated files -- he's now different
 
 **What Craig can change about himself:**
@@ -115,7 +115,7 @@ CraigClaw/
   memory/              # Daily logs (YYYY-MM-DD.md), auto-generated by memory flush
   skills/              # Custom skills (SKILL.md format)
   deploy/
-    setup.sh           # EC2 provisioning script
+    setup.sh           # Server provisioning script
     openclaw.json.template  # OpenClaw config template (no secrets)
   .github/workflows/
     deploy.yml         # Auto-deploy on push to main
@@ -135,10 +135,10 @@ OpenClaw loads `SOUL.md`, `IDENTITY.md`, `AGENTS.md`, `TOOLS.md`, `MEMORY.md`, `
 
 ### Prerequisites
 
-- AWS account (for EC2)
+- Hetzner Cloud account (with `hcloud` CLI configured)
 - Anthropic API key
 - Discord bot token
-- [OpenClaw base setup](https://github.com/Merit-Systems/OpenClawX402) -- EC2 provisioning guide
+- [OpenClaw base setup](https://github.com/Merit-Systems/OpenClawX402) -- server provisioning guide
 
 ### 1. GitHub App (Org-Wide Repo Access)
 
@@ -272,14 +272,14 @@ openclaw config set channels.discord.guilds.*.requireMention true
 systemctl --user restart openclaw-gateway
 ```
 
-### 4. EC2 Deployment
+### 4. Server Deployment
 
 **Fresh setup:**
 
-1. Launch an EC2 instance (t3.large, Ubuntu 24.04, 25GB gp3)
-2. SSH in and run the setup script:
+1. Provision a Hetzner Cloud server (`hcloud server create --name craig --type ccx33 --image ubuntu-24.04 --ssh-key craig --location ash`)
+2. Create an `ubuntu` user, then SSH in and run the setup script:
    ```bash
-   ssh ubuntu@<ec2-ip>
+   ssh ubuntu@<server-ip>
    curl -fsSL https://raw.githubusercontent.com/Merit-Systems/CraigClaw/main/deploy/setup.sh | bash
    ```
 3. Follow the printed next steps (set env vars, run onboard, add Discord channel)
@@ -321,20 +321,20 @@ Fund the wallet with USDC on Base. Even $5 is enough for testing.
 
 ### 6. Auto-Deploy
 
-Changes pushed to `main` in this repo auto-deploy to EC2 via GitHub Actions.
+Changes pushed to `main` in this repo auto-deploy to the server via GitHub Actions.
 
 **Required GitHub Secrets** (set in [CraigClaw repo Settings > Secrets](https://github.com/Merit-Systems/CraigClaw/settings/secrets/actions)):
 
 | Secret | Value |
 |--------|-------|
-| `EC2_HOST` | EC2 Elastic IP (`100.31.229.192`) |
+| `EC2_HOST` | Server IP (`178.156.251.179`) |
 | `EC2_SSH_KEY` | Private SSH key for the `ubuntu` user |
 
 **Deploy flow:**
 
 1. A change merges to `main` (Craig self-edits via PR, or a human pushes directly)
 2. GitHub Actions triggers (`.github/workflows/deploy.yml`)
-3. SSHes into EC2 via `appleboy/ssh-action`
+3. SSHes into the server via `appleboy/ssh-action`
 4. Runs `git pull origin main` to update the workspace
 5. Runs bundle patches (see below)
 6. Runs `systemctl --user restart openclaw-gateway` to reload Craig
@@ -353,7 +353,7 @@ Patches are idempotent and safe to re-run. See `.claude/patches.md` for full det
 
 ```bash
 # SSH in
-ssh -i ~/.ssh/craigclaw-key.pem ubuntu@100.31.229.192
+ssh -i ~/.ssh/hetzner-craig ubuntu@178.156.251.179
 
 # Check status
 openclaw status --deep
@@ -386,21 +386,20 @@ mcporter call x402 get_wallet_info
 - **GitHub App** has minimal permissions (contents + PRs + issues, read-only metadata)
 - **Branch protection** prevents merging without review -- Craig cannot ship unreviewed code
 - **Org-wide rulesets** enforce this across all repos automatically
-- **Secrets** (API keys, tokens, private keys) live on EC2 only, never in this repo
+- **Secrets** (API keys, tokens, private keys) live on the server only, never in this repo
 - **GitHub App tokens** are short-lived (1 hour), generated on demand
 - **x402 wallet** uses limited funds -- Craig can't overspend
 
 ## Cost
 
 | Resource | Monthly Cost |
 |----------|-------------|
-| EC2 t3.large (8GB RAM) | ~$60 |
-| EBS 25GB gp3 | ~$2 |
+| Hetzner CCX33 (8 vCPU, 32 GB RAM, 240 GB NVMe) | ~$54 |
 | Anthropic API (Claude Opus 4.6) | Pay-per-use |
 | x402 API calls | Pay-per-call (USDC on Base) |
 | GitHub App | Free |
 | Discord bot | Free |
-| **Infrastructure total** | **~$62/month** |
+| **Infrastructure total** | **~$54/month** |
 
 ## Related Repos
 

SOUL.md

@@ -168,7 +168,7 @@ Your job is to write code, push branches, and create PRs. A human merges. Always
 
 ## Self-Awareness
 
-You know who you are. Your workspace lives at `Merit-Systems/CraigClaw`. Your runtime is OpenClaw on EC2. All of the files below are loaded into your system prompt at session start. You can edit any of them and commit the changes -- they'll auto-deploy when merged to main.
+You know who you are. Your workspace lives at `Merit-Systems/CraigClaw`. Your runtime is OpenClaw on Hetzner Cloud. All of the files below are loaded into your system prompt at session start. You can edit any of them and commit the changes -- they'll auto-deploy when merged to main.
 
 ## Your Workspace Files
 
@@ -192,11 +192,11 @@ You know who you are. Your workspace lives at `Merit-Systems/CraigClaw`. Your ru
 
 ## How Self-Editing Works
 
-1. Your workspace on EC2 is a git clone of `Merit-Systems/CraigClaw`
+1. Your workspace on the server is a git clone of `Merit-Systems/CraigClaw`
 2. To change yourself, edit the relevant file in your workspace
 3. Create a branch (`craig/<description>`), commit, push, and open a PR
 4. A human reviews and merges the PR to `main`
-5. GitHub Actions auto-deploys: SSHes into EC2, runs `git pull`, restarts the gateway
+5. GitHub Actions auto-deploys: SSHes into the server, runs `git pull`, restarts the gateway
 6. Your next session loads the updated files
 
 These files are your persistent identity. They survive across sessions. Every self-edit goes through PR review -- you cannot merge your own changes.

deploy/setup.sh

@@ -1,11 +1,11 @@
 #!/bin/bash
 set -euo pipefail
 
-# CraigClaw EC2 Setup Script
-# Run this on a fresh Ubuntu 24.04 EC2 instance after SSH'ing in.
+# CraigClaw Server Setup Script
+# Run this on a fresh Ubuntu 24.04 instance after SSH'ing in.
 #
 # Prerequisites:
-#   - EC2 instance running (see Merit-Systems/OpenClawX402/EC2.md)
+#   - Server running (Hetzner Cloud CCX or similar)
 #   - SSH access configured
 #
 # Usage:
@@ -17,7 +17,7 @@ set -euo pipefail
 #   3. Place GitHub App private key at ~/.config/craig/github-app-key.pem
 #   4. Install x402 (see Merit-Systems/OpenClawX402/x402.md)
 
-echo "=== CraigClaw EC2 Setup ==="
+echo "=== CraigClaw Server Setup ==="
 
 # 1. Install Node.js 22
 echo "Installing Node.js 22..."
@@ -26,7 +26,7 @@ sudo apt-get install -y nodejs
 
 # 2. Install pnpm (needed to build OpenClaw from fork source)
 echo "Installing pnpm..."
-npm install -g pnpm
+sudo npm install -g pnpm
 
 # 3. Install GitHub CLI
 echo "Installing GitHub CLI..."