diff --git a/.agent/skills/agent-setup/SKILL.md b/.agent/skills/agent-setup/SKILL.md index 982ded4..726ba58 100644 --- a/.agent/skills/agent-setup/SKILL.md +++ b/.agent/skills/agent-setup/SKILL.md @@ -42,7 +42,7 @@ Notes: ```sh ./setup.sh -npm run install +just install ``` ## Host prerequisites diff --git a/.claude/worktrees/sweep b/.claude/worktrees/sweep new file mode 160000 index 0000000..5051368 --- /dev/null +++ b/.claude/worktrees/sweep @@ -0,0 +1 @@ +Subproject commit 50513681b4c4c494845df2a5f0189338989affc5 diff --git a/.opencode/plans/3-fixes-multitenant.md b/.opencode/plans/3-fixes-multitenant.md new file mode 100644 index 0000000..af2a6cb --- /dev/null +++ b/.opencode/plans/3-fixes-multitenant.md 
@@ -0,0 +1,93 @@ +# 3 Fixes for Multitenant Branch + +## Status: READY TO EXECUTE + +Re-validated against `origin/multitenant` at `9ed3ce6` (4 new commits since last analysis). + +All 3 fixes confirmed still present and valid. No conflicts with new commits (dns.ts, sites schema, jail-name defaults, apply-plan collapse — all touch different files). + +Execute after plan mode ends. Push to `origin/multitenant` only. + +--- + +## Fix 1: Remove duplicate trusted origin in src/auth.ts + +**File:** `src/auth.ts:17-22` + +`PLATFORM_INTERNAL_DOMAIN` resolves to `ai.home.arpa` (via `platformServiceDomain('ai', 'home.arpa')`). `ai.${PLATFORM_INTERNAL_BASE}` also resolves to `ai.home.arpa`. The `Set` deduplication hides the duplicate, but if `PLATFORM_INTERNAL_DOMAIN` ever changes its label (e.g. to `cp.home.arpa`), the hardcoded `ai.` on line 21 would silently diverge. + +**Changes:** + +1. Remove `PLATFORM_INTERNAL_BASE` from imports (line 9) +2. Remove the `http://ai.${PLATFORM_INTERNAL_BASE}:${CONTROLPLANE_API_PORT}` line (line 21) +3. `PLATFORM_INTERNAL_DOMAIN` is the canonical source — no other change needed + +No test changes needed — `auth.test.ts` mocks `PLATFORM_INTERNAL_DOMAIN` and doesn't assert on the array contents. + +--- + +## Fix 2: Inconsistent domain derivation in src/local-hosts.ts + +**File:** `src/local-hosts.ts:31-34` + +4 constants use tenant-scoped `AGENT_INTERNAL_DOMAIN` for what are platform infrastructure hosts. The other 7 constants in the same file correctly use platform-scoped exports (`CONTROLPLANE_INTERNAL_DOMAIN`, `DB_INTERNAL_DOMAIN`, `CODE_SERVICE_INTERNAL_DOMAIN`, `CMS_INTERNAL_DOMAIN`, `OLLAMA_INTERNAL_DOMAIN`, `LLAMA_CPP_INTERNAL_DOMAIN`, `PLATFORM_INTERNAL_BASE`). Worker/browser/GUI/docs are platform services, not tenant content. 
+ +**Changes:** + +```typescript +// BEFORE +export const WORKER_LOCAL_HOST = `worker.${AGENT_INTERNAL_DOMAIN}`; +export const BROWSER_LOCAL_HOST = `browser.${AGENT_INTERNAL_DOMAIN}`; +export const GUI_LOCAL_HOST = `gui.${AGENT_INTERNAL_DOMAIN}`; +export const DOCS_LOCAL_HOST = `docs.${AGENT_INTERNAL_DOMAIN}`; + +// AFTER +export const WORKER_LOCAL_HOST = `worker.${PLATFORM_INTERNAL_BASE}`; +export const BROWSER_LOCAL_HOST = `browser.${PLATFORM_INTERNAL_BASE}`; +export const GUI_LOCAL_HOST = `gui.${PLATFORM_INTERNAL_BASE}`; +export const DOCS_LOCAL_HOST = `docs.${PLATFORM_INTERNAL_BASE}`; +``` + +Keep `AGENT_LOCAL_SITE_HOST = AGENT_INTERNAL_DOMAIN` (line 35) and `www.${AGENT_INTERNAL_DOMAIN}` (line 69) — these are legitimately tenant-scoped. `AGENT_INTERNAL_DOMAIN` stays in imports. + +--- + +## Fix 3: Remove dead AGENT_PID_FILE alias from src/config.ts + +**File:** `src/config.ts:378` + +`AGENT_PID_FILE` is exported as an alias for `PLATFORM_PID_FILE` but has **zero imports** anywhere in the codebase. Confirmed with grep. Dead exports create confusion about which name is canonical. + +**Change:** Remove `export const AGENT_PID_FILE = PLATFORM_PID_FILE;` (line 378) + +--- + +## Commit message + +``` +fix(multitenant): remove dead alias, duplicate origin, and tenant-scoped platform hosts (Sam & zAI) + +Remove duplicate trusted origin in auth.ts where PLATFORM_INTERNAL_DOMAIN +and ai.${PLATFORM_INTERNAL_BASE} resolve to the same string. + +Switch worker/browser/GUI/docs local hostnames from tenant-scoped +AGENT_INTERNAL_DOMAIN to PLATFORM_INTERNAL_BASE — these are platform +infrastructure, not tenant content. + +Remove AGENT_PID_FILE dead alias — zero consumers, PLATFORM_PID_FILE +is canonical. + +--- +Build: pass | Tests: pass — N passed (M files) +``` + +## Verification + +1. `npm run build` — must pass +2. `npx vitest run src/auth.test.ts setup/hosts.test.ts` — must pass +3. `npx vitest run` — full suite (2 pre-existing vision test failures expected) +4. 
`git push origin multitenant` after commit + +## Note for the other agent + +The new `setup/dns.ts` emits `no-resolv` and `no-hosts` without any `server=` upstream directive. If deployed as the system resolver, the host would lose all external DNS. This is likely intentional (supplementary config for the `home.arpa` zone only), but worth flagging — the config as-written cannot be used as `/etc/local/dnsmasq.conf` on its own without an upstream forwarder. diff --git a/CLAWDIE-ISO.md b/CLAWDIE-ISO.md index c4da467..788dc07 100644 --- a/CLAWDIE-ISO.md +++ b/CLAWDIE-ISO.md @@ -273,7 +273,7 @@ First boot from HDD (reboot 1) ├─ [tailscale] Remote access setup (fresh only) ├─ [npm-globals] Install bundled agent CLIs (pi, claude, gemini) ├─ [deploy] Extract clawdie-ai.tar.gz (includes node_modules for offline) - │ └─ just install (or npm run install as fallback) + │ └─ just install │ ├─ environment (host pkg baseline) │ ├─ jails (db + git + cms via bastille) │ ├─ db (PostgreSQL 18 + pgvector) @@ -316,7 +316,7 @@ clawdie-iso/ │ ├── firstboot.sh ← module runner with run_step_if() mode matrix │ ├── shell-zfs.sh ← pool detection, label cleanup, pre-upgrade snapshots │ ├── shell-env.sh ← .env generation (full fresh, append-only upgrade) -│ ├── shell-deploy.sh ← tarball extract + just install (or npm run install) +│ ├── shell-deploy.sh ← tarball extract + just install │ ├── shell-npm-globals.sh ← bundled pi/claude/gemini CLI install │ ├── MODULE-MANIFEST.md ← module documentation │ └── integration-test.sh ← VPS-path test harness 
@@ -438,7 +438,7 @@ agent domain, etc.). - `{{AGENT_DOMAIN}}` → configured domain - `{{ASSISTANT_LOCALE}}` → selected locale - `{{TZ}}` → selected timezone -- Output written to `groups/global/AGENTS.md` before `npm run install` runs +- Output written to `groups/global/AGENTS.md` before `just install` runs - This ensures the agent has a fully personalized identity from first boot **Scope:** Template design and rendering are handled in the `clawdie-ai` repo. @@ -625,7 +625,7 @@ partition is accessible but requires extra step). Blank fields still need wizard - 12 shell modules implemented - Phase A fixes: upgrade secret preservation, module execution matrix, ZFS label cleanup, pre-upgrade snapshots - Offline node_modules bundling in build.sh -- `just install` integration (with `npm run install` fallback) +- `just install` integration - Agent CLIs bundled (pi, claude, gemini) **In progress (ISO repo):** diff --git a/MEMORY.md b/MEMORY.md index b7ae08b..d8d9bf1 100644 --- a/MEMORY.md +++ b/MEMORY.md @@ -38,7 +38,7 @@ _Last updated: 16.Apr.2026_ - PostgreSQL runs on the host (`DB_RUNTIME=host`, `DB_HOST=127.0.0.1`), not in a db jail - Repo registry default for fresh installs is `10.0.1.0/24` in `infra/jails.yaml`, but env overrides change the live host network - Current intended repo policy: shared jails are thin by default; only the optional `db` jail is thick -- Install: `npm run install` (20-step orchestrator), `just` CLI front door (35+ recipes) +- Install: `just install` (20-step orchestrator), `just` CLI front door (35+ recipes) - Docs: markdown source in `docs/public/`, auto-compiled to HTML and deployed daily - Remotes: `git@codeberg.org:Clawdie/Clawdie-AI.git` (primary), Clawdie-ISO is cross-repo diff --git a/bootstrap/cms/clawdie-docs/src/content/docs/architecture/deployment-models.md b/bootstrap/cms/clawdie-docs/src/content/docs/architecture/deployment-models.md index 2c60a70..ce1e381 100644 
--- a/bootstrap/cms/clawdie-docs/src/content/docs/architecture/deployment-models.md +++ b/bootstrap/cms/clawdie-docs/src/content/docs/architecture/deployment-models.md @@ -87,7 +87,7 @@ Everything in this repository is shared between both models: | Ansible playbooks | `infra/ansible/` | The ISO build lives in a separate Clawdie-ISO repo and calls -`just install` (or `npm run install`) after base OS install — the same entry point used +`just install` after base OS install — the same entry point used in Model 1. --- diff --git a/bootstrap/cms/clawdie-docs/src/content/docs/install/install.md b/bootstrap/cms/clawdie-docs/src/content/docs/install/install.md index f896aee..76b968b 100644 --- a/bootstrap/cms/clawdie-docs/src/content/docs/install/install.md +++ b/bootstrap/cms/clawdie-docs/src/content/docs/install/install.md @@ -3,7 +3,7 @@ title: Install Orchestrator description: Single-command install flow for Clawdie. --- -**Command:** `just install` (or `npm run install`) +**Command:** `just install` ## Quick start @@ -272,7 +272,7 @@ but can be disabled), or **optional** (skipped unless explicitly enabled). | service | required | — | | hostd | required | — | | identity-restore | optional | `SUPABASE_URL` not set | -| verify | optional | warn on most check failures; fail on broken runtime integrity | +| verify | optional | warn on most check failures; fail on broken runtime integrity | A required step failure stops the install immediately and prints the resume command. Default steps ship enabled (`FEATURE_GITEA=YES`, artifact.sql bundled) diff --git a/bootstrap/cms/clawdie-docs/src/content/docs/sl/install/install.md b/bootstrap/cms/clawdie-docs/src/content/docs/sl/install/install.md index fe5bbf2..e4f1304 100644 --- a/bootstrap/cms/clawdie-docs/src/content/docs/sl/install/install.md +++ b/bootstrap/cms/clawdie-docs/src/content/docs/sl/install/install.md 
@@ -3,7 +3,7 @@ title: Namestitev description: Tok namestitve z enim ukazom za Clawdie. --- -**Ukaz:** `just install` (ali `npm run install`) +**Ukaz:** `just install` ## Hitri začetek diff --git a/docs/public/install/install.md b/docs/public/install/install.md index 66e3960..68a6006 100644 --- a/docs/public/install/install.md +++ b/docs/public/install/install.md @@ -3,7 +3,7 @@ title: Install Orchestrator description: Single-command install flow for Clawdie. --- -**Command:** `just install` (or `npm run install:clawdie`) +**Command:** `just install` ## Quick start @@ -301,7 +301,7 @@ but can be disabled), or **optional** (skipped unless explicitly enabled). | service | required | — | | hostd | required | — | | identity-restore | optional | `SUPABASE_URL` not set | -| verify | optional | warn on most check failures; fail on broken runtime integrity | +| verify | optional | warn on most check failures; fail on broken runtime integrity | A required step failure stops the install immediately and prints the resume command. Default steps ship enabled (`FEATURE_GITEA=YES`, artifact.sql bundled) diff --git a/docs/public/sl/install/install.md b/docs/public/sl/install/install.md index dba3c31..e4f1304 100644 --- a/docs/public/sl/install/install.md +++ b/docs/public/sl/install/install.md @@ -3,7 +3,7 @@ title: Namestitev description: Tok namestitve z enim ukazom za Clawdie. --- -**Ukaz:** `just install` (ali `npm run install:clawdie`) +**Ukaz:** `just install` ## Hitri začetek
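
Review bot: `.claude/worktrees/sweep` is added with mode 160000, a gitlink to commit 50513681b4c4c494845df2a5f0189338989affc5, and no `.gitmodules` change is visible in this patch, so this looks like a local agent worktree committed by accident. A gitlink without a submodule mapping leaves an empty directory in other clones, makes `git submodule` commands fail for that path, and pins a commit id nobody reviewed. Suggest dropping the path from the commit and ignoring `.claude/worktrees/` in `.gitignore`.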
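
Review bot: in `.opencode/plans/3-fixes-multitenant.md`, Fix 1 edits the trusted-origin list in `src/auth.ts` and then notes that `auth.test.ts` "doesn't assert on the array contents", which means the set of trusted origins is not covered by any test before or after the change. Because the plan itself warns that a hardcoded `ai.` label could "silently diverge", add an assertion on the exact resulting origins as part of this fix instead of relying on the build and the existing mock. Two smaller points in the same file: the commit message template still carries the `N passed (M files)` placeholder, and the `setup/dns.ts` observation (`no-resolv` and `no-hosts` with no `server=` directive) would be easier to follow up as a tracked issue than as a note inside a plan file.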
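
Review bot: the CLAWDIE-ISO.md hunks (first-boot tree at -273, `shell-deploy.sh` line at -316, status list at -625) delete the documented `npm run install` fallback, but nothing visible in this patch shows which first-boot module puts `just` on the host before `[deploy]` runs, and the same tree describes that step as an offline extract. If `just` is absent on the target, the documented install path now has no alternative. Suggest naming the module that provides `just` in the tree, and keeping the fallback wording until `shell-deploy.sh` in the ISO repo drops it as well, since that script is not part of this change.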
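
Review bot: the MEMORY.md hunk changes the install entry while the `_Last updated: 16.Apr.2026_` line shown in the hunk header stays untouched; bump the date if the file's convention is to update it on every edit. The new line also names `just` twice ("`just install` (20-step orchestrator), `just` CLI front door"), which could be merged into one clause.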
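
Review bot: in both English `install.md` copies (hunks at -272 and -301) the `verify` table row is removed and re-added with the same visible text, so this is a whitespace-only change mixed into a content edit; drop it or mention the table realignment in the commit message. Separately, the removed lines disagree on the npm script name: `npm run install` in SKILL.md and the `bootstrap/cms` copies, `npm run install:clawdie` under `docs/public/`. Check which script actually exists in `package.json` and whether it should be removed together with these doc references, otherwise an undocumented second entry point stays behind.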