diff --git a/.env.core.example b/.env.core.example
index fd5b00e..a577aa0 100644
--- a/.env.core.example
+++ b/.env.core.example
@@ -47,7 +47,15 @@ SKILLS_DB_PASSWORD=
 
 # ── Network ──
 AGENT_SUBNET_BASE=10.0.0
-AGENT_DOMAIN=clawdie.invalid
+
+# Domain split:
+# AGENT_DOMAIN          -> public-facing site/API domain. Leave blank until
+#                          you have a real public DNS name configured.
+# AGENT_INTERNAL_DOMAIN -> internal jail/service names written into /etc/hosts
+#
+# Use home.arpa for internal-only names. .local is reserved for mDNS and can
+# create resolver ambiguity on the local link.
+AGENT_DOMAIN=
 AGENT_INTERNAL_DOMAIN=clawdie.home.arpa
 
 # ── Locale (optional — auto-detected on FreeBSD) ──
diff --git a/.env.example b/.env.example
index 6d67aca..208a4ba 100644
--- a/.env.example
+++ b/.env.example
@@ -144,14 +144,15 @@ STRIPE_SECRET_KEY=
 STRIPE_ENABLE_REFUNDS=NO
 
 # Domain split:
-# AGENT_DOMAIN          -> public-facing site/API domain
+# AGENT_DOMAIN          -> public-facing site/API domain. Leave blank until
+#                          you have a real public DNS name configured.
 # AGENT_INTERNAL_DOMAIN -> internal jail/service names written into /etc/hosts
 #
 # Use home.arpa for internal-only names. .local is reserved for mDNS and can
 # create resolver ambiguity on the local link.
-# Use .invalid as the safe placeholder until you set a real public domain.
-# These example values match the default AGENT_NAME above; replace them if you rename the agent.
-AGENT_DOMAIN=clawdie.invalid
+# This example internal value matches the default AGENT_NAME above; replace it
+# if you rename the agent.
+AGENT_DOMAIN=
 AGENT_INTERNAL_DOMAIN=clawdie.home.arpa
 
 # Local code hosting defaults
diff --git a/README.md b/README.md
index 90aef0d..5d39571 100644
--- a/README.md
+++ b/README.md
@@ -357,10 +357,10 @@ Current `main` separates public and internal naming:
 - `AGENT_DOMAIN` is the public-facing site/API domain
 - `AGENT_INTERNAL_DOMAIN` is the internal jail/service zone written into `/etc/hosts`
 
-Fresh installs should use:
+Fresh installs should keep public and internal names separate:
 
-- `AGENT_DOMAIN=home.arpa` for local DNS zone (host uses `<agent>.home.arpa`; replace with a real public domain when ready)
-- `AGENT_INTERNAL_DOMAIN=<agent>.home.arpa`
+- `AGENT_DOMAIN=` until you have a real public DNS name configured
+- `AGENT_INTERNAL_DOMAIN=<agent>.home.arpa` for local jail/service names
 
 Why this changed:
 
@@ -668,7 +668,7 @@ Users then run `/add-slack` on their fork and get clean code that does exactly w
 - FreeBSD 15.x
 - Node.js 24+
 - Python 3.11+ (for voice transcription, screenshots, and other features)
-- ZFS (recommended)
+- ZFS (required for Bastille jails)
 - Optional: Telegram bot token, provider API key, PostgreSQL URLs for memory/skills DB
 
 ## Security
diff --git a/setup/onboarding.ts b/setup/onboarding.ts
index 75c2cda..e0955b7 100644
--- a/setup/onboarding.ts
+++ b/setup/onboarding.ts
@@ -106,7 +106,7 @@ function defaultInternalDomain(): string {
 }
 
 function defaultPublicDomain(): string {
-  return 'home.arpa';
+  return '';
 }
 
 function detectOriginRemote(projectRoot: string): string {