PLAN — Domain Isolation

I. The Problem

Right now, every domain serves from the same flat directory: /mnt/public/.

This means 1.foo/deck, 3.foo/deck, flawless.engineering/deck, and 1234567.foo/deck all serve the exact same file. There are ~170 files in /mnt/public/ — all of them accessible from every domain. There's no separation. No isolation. No identity per domain.

The only exception is drip.xxx, which already has its own root at /mnt/public/drip-xxx-site/.

II. The Idea

Each domain gets its own subfolder in /mnt/public/, named after the domain itself:

/mnt/public/
├── 0.foo/           ← serves 0.foo
├── 1.foo/           ← serves 1.foo
├── 2.foo/           ← serves 2.foo
├── 3.foo/           ← serves 3.foo
│   ...
├── 9.foo/           ← serves 9.foo
├── 123.foo/         ← serves 123.foo
├── 1234567.foo/     ← serves 1234567.foo
├── clankers.discount/
├── flawless.engineering/
├── drip.xxx/        ← already exists (drip-xxx-site → renamed)
├── patty.adult/
├── vilka.lol/       ← note: vilka.lol serves from Matilda, not vault
└── (old flat files remain untouched for now)

Step 1: Change the nginx roots. Don't move any files. Just point each domain's root to its subfolder. Create the empty subfolders. Everything breaks (404s everywhere). That's expected — it tells us exactly which domain was serving which files.

Step 2: See what breaks. The domain monitor at 0.foo will immediately show which domains go from 200 to 404. The ones that break are the ones that had content. The ones that stay 403 were already empty.

Step 3: Move files to their new homes. This is the part that requires decisions — which files belong to which domain. That's a separate step, done file-by-file with Daniel's input.

III. Current State — Who Has What

Domains with actual content (served from /mnt/public/):

1.foo — the main document library. ~90% of the files belong here. deck, plan, fuck, null, text, page, note, system, loops, freestyle, gcp, patty, weed, all plan-* files, all report-* files, all format specs.
0.foo — domain-status.html (the domain monitor)
123.foo — 123.foo.html (family front door)
12345.foo — 12345.foo.html (Charlie's thing)
clankers.discount — clankers.html (fleet dashboard)
flawless.engineering — flawless-engineering.html + case files
drip.xxx — already isolated in /mnt/public/drip-xxx-site/
patty.adult — patty-adult.html + variants

Domains with NO content (empty single-digit .foo + counting sequence):

2.foo, 3.foo, 4.foo, 5.foo, 6.foo, 7.foo, 8.foo, 9.foo — no dedicated content yet
1234.foo, 123456.foo, 1234567.foo, 12345678.foo, 123456789.foo — no content yet
if-anyone-builds-it-everyone-dies.help / .rip — dies-help.html, dies-rip.html

IV. Execution Plan

STEP 1 — CREATE SUBFOLDERS

Create a subfolder for every active domain:

mkdir -p /mnt/public/{0,1,2,3,4,5,6,7,8,9}.foo
mkdir -p /mnt/public/{123,1234,12345,123456,1234567,12345678,123456789}.foo
mkdir -p /mnt/public/clankers.discount
mkdir -p /mnt/public/flawless.engineering
mkdir -p /mnt/public/drip.xxx
mkdir -p /mnt/public/patty.adult
mkdir -p /mnt/public/if-anyone-builds-it-everyone-dies.{help,rip}

Just creates empty directories. Changes nothing.

STEP 2 — UPDATE NGINX ROOTS

Change every domain's root directive from /mnt/public to /mnt/public/{domain}.

Example: 1.foo goes from root /mnt/public; to root /mnt/public/1.foo;

This is a sed operation on domains.conf — or more safely, a rewrite of the file from a template.

Backup first: cp domains.conf domains.conf.bak-pre-isolation

STOP — REVIEW NGINX DIFF

Why: This changes the serving root for every domain simultaneously. If the nginx config is wrong, everything goes down.

What happens: Show the diff of the new config vs the old one. Daniel reviews.

How to continue: Daniel says "looks right, reload."

STEP 3 — RELOAD NGINX

nginx -t && systemctl reload nginx

At this point, most domains return 403 (empty folder, no index). 1.foo returns 404 for everything because its files are still in the parent directory. This is expected and correct — it's the diagnostic step.

STEP 4 — MOVE THE KNOWN FILES

Move files that clearly belong to specific domains:

# 0.foo — the domain monitor
mv domain-status.html 0.foo/

# 123.foo — family front door
mv 123.foo.html 123.foo/index.html

# 12345.foo — Charlie's thing
mv 12345.foo.html 12345.foo/index.html

# clankers.discount — fleet dashboard  
mv clankers.html clankers.discount/index.html
mv clankers-backups/ clankers.discount/clankers-backups/

# flawless.engineering — case studies
mv flawless-engineering.html flawless.engineering/index.html
mv flawless.html flawless.engineering/  (if different)

# patty.adult
mv patty-adult*.html patty.adult/
(rename main one to index.html)

# if-anyone-builds-it-everyone-dies.*
mv dies-help.html if-anyone-builds-it-everyone-dies.help/index.html
mv dies-rip.html if-anyone-builds-it-everyone-dies.rip/index.html

# drip.xxx — already has its folder, just rename
mv drip-xxx-site drip.xxx  (or symlink)

DECISION — WHAT GOES TO 1.FOO?

Everything else — the entire document library — goes to /mnt/public/1.foo/. This is the main vault. All format specs, plans, reports, decks, fucks, PDFs, text files. 1.foo is the system domain.

The question is: do we move the files, or symlink them? Moving is cleaner. Symlinking preserves the old paths as a safety net.

STOP — VERIFY EACH DOMAIN

Why: After moving files, every domain needs to be checked. The monitor at 0.foo will show the status, but we should also spot-check key URLs manually.

What to verify:

1.foo/deck — still serves the deck format spec?
1.foo/plan — still serves the plan format spec?
clankers.discount — still shows the dashboard?
flawless.engineering — still shows the case studies?
0.foo — still shows the domain monitor?

How to continue: All key URLs verified working.

STEP 5 — UPDATE SCRIPTS

Scripts that write to /mnt/public/ need to be updated to write to the correct subfolder:

domain-monitor.py — currently writes to /mnt/public/domain-status.html → change to /mnt/public/0.foo/domain-status.html
fleet-monitor.py — currently writes to /mnt/public/clankers.html → change to /mnt/public/clankers.discount/index.html (and update backup path)
Any future robots that publish documents to 1.foo need to write to /mnt/public/1.foo/

V. What This Enables

Domain identity: Each domain is a namespace. 1.foo/plan and 3.foo/plan can be different documents.
Clean delegation: A domain can be handed to someone (e.g. give Patty drip.xxx/) without exposing the whole library.
No accidental cross-domain leakage: Right now, every private document on vault is accessible from every domain.
Per-domain index pages: Each domain can have its own index.html landing page.
Future: per-domain git repos. Each subfolder could become its own git repo, deployable independently.

VI. Risks

RISK — BROKEN LINKS

Every external link to 1.foo/something will break if something.html isn't in /mnt/public/1.foo/. This includes links shared in group chat, in documents, in MEMORY.md, etc. Mitigation: move all document files to 1.foo/ before reloading nginx. Or: keep the flat directory as a fallback with try_files.

RISK — UPLOAD SCRIPT

The upload endpoint at 1.foo/upload writes to /mnt/public/. After isolation, uploads would go to /mnt/public/1.foo/. Need to update the upload script's target directory.

RISK — CLANKERS BACKUPS

The fleet monitor writes backups to /mnt/public/clankers-backups/. Links in the dashboard point there. Need to update both the monitor script and the backup path to live inside clankers.discount/.