One brief, read by two operators. Hand this URL to an AI as a /goal and it takes a bare Linux box all the way to a live, hardened customer website. Work the interview below with the client first — on a call, or via the ready-to-send email at the bottom — and the AI builds from their own words.
Paste this URL into the /goal skill of a fresh Claude Code on a clean Ubuntu box. Part I is the full build sequence — twelve phases, each with a hard verification gate. The agent collects the inputs, then executes.
Part II is an 18-section discovery script — every question needed to build a site that is genuinely the client's. Run it on a call, or send the email in Part III. Transcribe the answers and hand them to the AI alongside this URL.
Instructions to the AI agent. A fresh Ubuntu VPS in, a live customer website out. Static HTML/CSS only — no framework, no build step, no database. The site is reachable because cloudflared dials out; nothing dials in. Work the phases in order. Never skip a GATE.
Ask the human for anything you do not have, in one batched message. Never guess a secret.
| Input | For | Source |
|---|---|---|
| Customer domain | the site address | Customer owns it; nameservers already moved to Cloudflare. |
| Cloudflare API token | DNS, Tunnel, Email, tuning | CF dashboard → My Profile → API Tokens → Custom. Scopes below. |
| Cloudflare Account ID | API calls | Dashboard → any domain → Overview → sidebar. |
| GitHub auth | private backup repo | gh auth login, or a fine-grained PAT. |
| Tailscale auth key | join the tailnet headlessly | Tailscale admin → Settings → Keys. |
| Customer contact email | form delivery + analytics | From the customer. |
| Customer's existing inbox | where domain email forwards | A Gmail/Outlook they already read. |
| Web3Forms access key | static contact-form backend | web3forms.com — free; bind to the contact email. |
| Customer assets | logo, photos, copy, colors | From the customer — see the interview, Part II. |
hello@domainZone Resources → Include → the customer's domain. Set a TTL and rotate. One token does DNS + Tunnel + Email + tuning. GitHub is a separate credential.
# core sudo apt-get update && sudo apt-get -y upgrade sudo apt-get install -y git curl wget unzip jq ufw nginx imagemagick webp pandoc # cloudflared (cloudflare apt repo) + tailscale + github cli curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \ | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null sudo apt-get install -y cloudflared gh curl -fsSL https://tailscale.com/install.sh | sh # node + playwright + chrome — for verification only curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - sudo apt-get install -y nodejs && npx --yes playwright install chrome
Invoke vps-lockdown. Patch & upgrade; set hostname/timezone; confirm a non-root sudo user with key auth; enable unattended security upgrades; apply sysctl tuning; add a 2 GB swapfile if RAM ≤ 2 GB; stage SSH hardening but do not restart sshd yet.
Join the tailnet, verify you can reach the box over Tailscale, then raise the firewall. Order is safety-critical.
sudo tailscale up --auth-key="$TS_AUTHKEY" --ssh --hostname="<customer>" tailscale ip -4 # verify reachability BEFORE the next block sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow in on tailscale0 sudo ufw --force enable # no 80/443/22 public — site still works
nmap shows
all ports filtered. Admin works only over Tailscale.Run Part II of this document — the 18-section script. Ask
in small batches, listen, probe vague answers, write it all into
intake.md.
intake.md complete
and customer-approved.From intake.md produce: a sitemap & nav order; a
per-page content outline (one h1 each); design tokens
(palette + two fonts as CSS variables); the image list (heroes
16:9); structured-data facts; the contact-form spec.
From the image list, write one Midjourney prompt per image. Use a
shared style suffix so all images match; heroes are
--ar 16:9 (square images cannot fill a banner); one
concrete subject per prompt; never use the words "palette", "collage"
or "moodboard" (they trigger swatch/grid artifacts). Deliver the set as
one copy-paste block — the human runs them on midjourney.com. Then
crop with convert and export .webp with
cwebp -q 82.
site/assets/img/, correctly cropped, no artifacts.Invoke static-site. Plain semantic HTML5 + one shared
stylesheet; no framework, no build step. One page per service; shared
header/nav/footer; one h1 per page; accessible (alt text,
labelled fields, focus states, contrast, 44px targets, mobile
breakpoint). Match the customer's voice — no AI-tell punctuation.
Web3Forms contact form. A friendly 404.
Invoke seo-launch: sitemap.xml,
robots.txt, JSON-LD structured data on every page
(LocalBusiness / Person), FAQPage schema, unique
hand-written titles & meta descriptions, canonical tags, Open Graph
+ Twitter cards, favicons.
nginx origin on localhost:80 — HTML
Cache-Control: no-cache, assets immutable, the config a
symlink in sites-enabled. Then the tunnel via API:
RESP=$(curl -s -X POST "$API/accounts/$ACC/cfd_tunnel" "${AUTH[@]}" \
--data "{\"name\":\"$DOMAIN-site\",\"config_src\":\"cloudflare\"}")
# PUT ingress: hostname -> http://localhost:80 ; POST proxied CNAMEs
sudo cloudflared service install "$(echo "$RESP" | jq -r .result.token)"
Tune the zone (SSL full, Always-HTTPS, Brotli). Enable
Cloudflare Email Routing — forward hello@domain
to the customer's inbox (they must click the verification email). Add
the cookieless Cloudflare Web Analytics beacon to every page.
gh repo create <owner>/<domain> --private.
The repo holds site/, server/,
source-assets/, a per-box CLAUDE.md operating
manual, an empty runbook.md, and sync.sh.
Run git remote -v before every push.
origin matches.Invoke web-deploy: copy site/ to the web root,
chown www-data, then always
systemctl reload nginx — a cp can
leave open_file_cache with a stale size and 502 the whole
site; a reload clears it.
nginx Restart=always; a 15-minute healthcheck timer that
restarts dead services, re-checks that nginx actually answers, and
reclaims disk past 85%; a nightly backup timer; a
recovery/RECOVERY.md.
Playwright every page, desktop + mobile; submit the contact form for
real; test hello@domain; re-confirm zero open ports. Hand
the customer the live URL, a plain summary, and a quote that separates
one-time build from annual hosting/maintenance.
?v=.| Symptom | Cause → fix |
|---|---|
| Site-wide 502 after a deploy | nginx open_file_cache holds a stale file size.
systemctl restart nginx; always reload after deploying. |
| Deploy "did nothing" | HTML was browser-cached. Ensure expires -1; on
location /; bump the asset ?v=. |
| Cloudflare parked page | DNS record missing, not proxied, or not pointing at
<id>.cfargotunnel.com. |
| Locked out after firewalling | ufw raised before Tailscale worked. Recover via the provider console; bring Tailscale up first. |
| Hero crops faces | Square source image. Re-prompt Midjourney with
--ar 16:9. |
intake.md complete and customer-approved..webp.Eighteen sections — everything needed to build a site that is genuinely the client's, not a template. Run it as a conversation, not an interrogation: ask in small batches, listen hard, repeat back what you heard, chase the vague answers. The recording is transcribed and handed to the AI with this URL — so capture the client's own words; they become the copy.
When the client can't take a call, send this. It's the interview compressed to the essentials — grouped, low-pressure, built so they can answer inline in a reply. When their reply comes back, hand it to the AI together with this URL. Fill the [bracketed] fields before sending.
Hi [Client first name], Thanks again for the chance to build your new website - I'm looking forward to it. To make the site genuinely yours, I need to understand your business in your own words. The best way is a quick 20-30 minute call, but if that's hard to schedule, just reply to this email with your answers. Don't worry about polish - bullet points, half-sentences and "you know what I mean" are all perfectly fine. I'll shape it all into a finished site for your review. Feel free to attach your logo and any photos you'd like used. Here's what would help most - answer right under each line: THE BUSINESS - The business name, exactly as it should appear: - In a sentence or two, what you do: - What makes you different from others who do the same thing: - How long you've been doing this: YOUR CUSTOMERS - Who your ideal customer is, and the situation they're in when they need you: - The worries or questions they usually have before getting in touch: YOUR SERVICES - The services you offer (and which one matters most): - Show prices, or "contact for a quote"? THE SITE'S JOB - The ONE thing you want a visitor to do - call, fill in a form, book...: - Which pages you want (Home, About, Contact and a page per service are typical): LOOK & FEEL - Do you have a logo and brand colours? (If so, please attach.) - Three words for how the site should feel: - Any websites you love - or hate? Links are great: PROOF - Testimonials, reviews, or notable numbers (years, clients, results) to feature: - Awards, licenses, or memberships to display: CONTACT DETAILS - Best phone and email to publish: - Your address or service area, and your hours: PRACTICAL - The domain name for the site (and do you own it yet?): - A target launch date, if you have one: - Anything else you'd like me to know: Reply whenever it's convenient - there are no wrong answers, and I'll follow up if I need to dig into anything. Thanks, [Your name] [Your phone] - [Your email]
After they reply: paste the returned email to the AI agent
along with this page's URL as a /goal. The agent treats their
answers as intake.md and proceeds from Phase D.