diff --git a/CLAUDE.md b/CLAUDE.md
index a25fe94..a2a8078 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -251,13 +251,11 @@ Joplin Server note-taking and synchronization platform:
 5. Enter email and password created in step 1
 
 ### Kit (kit/compose.yaml)
-Unified toolkit combining file conversion and image editing:
-- **Base URL**: `kit.pivoine.art`
-- **Services**:
-  - **Vert** (`/vert`): Universal file format converter
-  - **Paint** (`/paint`): Web-based image editor
+Unified toolkit combining file conversion and image editing using subdomain routing:
+- **Vert**: `vert.kit.pivoine.art` - Universal file format converter
+- **Paint**: `paint.kit.pivoine.art` - Web-based image editor
 
-#### Vert Service (`/vert`)
+#### Vert Service (vert.kit.pivoine.art)
 VERT universal file format converter:
 - WebAssembly-based file conversion (client-side processing)
 - Supports 250+ file formats (images, audio, documents, video)
@@ -267,15 +265,15 @@ VERT universal file format converter:
 - Protected by HTTP Basic Auth (credentials in `.env`)
 
 **Configuration**:
-- **PUB_HOSTNAME**: `kit.pivoine.art` (public hostname)
+- **PUB_HOSTNAME**: `vert.kit.pivoine.art` (public hostname)
 - **PUB_ENV**: `production` (environment mode)
 - **PUB_DISABLE_ALL_EXTERNAL_REQUESTS**: `true` (privacy mode)
 - **AUTH_USERS**: Shared HTTP Basic Auth credentials (htpasswd format in `.env`)
 
 **Usage**:
-Access https://kit.pivoine.art/vert and drag/drop files to convert between formats. All processing happens in your browser using WebAssembly - no data is uploaded to the server.
+Access https://vert.kit.pivoine.art and drag/drop files to convert between formats. All processing happens in your browser using WebAssembly - no data is uploaded to the server.
 
-#### Paint Service (`/paint`)
+#### Paint Service (paint.kit.pivoine.art)
 miniPaint web-based image editor built from GitHub:
 - Online image editor with layer support
 - Built directly from https://github.com/viliusle/miniPaint
@@ -291,7 +289,7 @@ miniPaint web-based image editor built from GitHub:
 - Serves static files via nginx
 
 **Usage**:
-Access https://kit.pivoine.art/paint to use the image editor. All editing happens in the browser - images are not uploaded to the server.
+Access https://paint.kit.pivoine.art to use the image editor. All editing happens in the browser - images are not uploaded to the server.
 
 **Note**: Both Kit services are stateless and don't require backups as no data is persisted.
 
diff --git a/README.md b/README.md
index 3e90e3c..3b5a35d 100644
--- a/README.md
+++ b/README.md
@@ -200,19 +200,18 @@ arty env/sync
 ### Toolkit (KIT System)
 
 ```bash
-# Access unified toolkit
-# Base URL: https://kit.pivoine.art
+# Access unified toolkit (subdomain routing)
 
-# File Converter (Vert) - /vert
-# URL: https://kit.pivoine.art/vert
+# File Converter (Vert)
+# URL: https://vert.kit.pivoine.art
 # Features:
 # - WebAssembly-based file conversion (250+ formats)
 # - Images, audio, documents, video
 # - Client-side processing (no uploads)
 # - No file size limits
 
-# Image Editor (Paint) - /paint
-# URL: https://kit.pivoine.art/paint
+# Image Editor (Paint)
+# URL: https://paint.kit.pivoine.art
 # Features:
 # - Browser-based image editing
 # - Layer support
@@ -275,7 +274,7 @@ THE FALCON (falcon_network)
 │  ├─ Linkwarden Marks   [links.pivoine.art]
 │  ├─ Vaultwarden Vault  [vault.pivoine.art]
 │  ├─ Joplin Sync Server [joplin.pivoine.art]
-│  ├─ Kit Toolkit        [kit.pivoine.art/vert, kit.pivoine.art/paint]
+│  ├─ Kit Toolkit        [vert.kit.pivoine.art, paint.kit.pivoine.art]
 │  ├─ Jellyfin Media     [jelly.pivoine.art]
 │  ├─ PairDrop Sharing   [drop.pivoine.art]
 │  ├─ Backrest Backups   [restic.pivoine.art]
diff --git a/arty.yml b/arty.yml
index f04f5fa..67a0e22 100644
--- a/arty.yml
+++ b/arty.yml
@@ -113,8 +113,9 @@ envs:
     # Kit (combines Vert and Paint)
     KIT_TRAEFIK_ENABLED: true
     KIT_COMPOSE_PROJECT_NAME: kit
-    KIT_TRAEFIK_HOST: kit.pivoine.art
     KIT_VERT_IMAGE: ghcr.io/vert-sh/vert:latest
+    KIT_VERT_TRAEFIK_HOST: vert.kit.pivoine.art
+    KIT_PAINT_TRAEFIK_HOST: paint.kit.pivoine.art
     # Jellyfin
     JELLY_TRAEFIK_ENABLED: true
     JELLY_COMPOSE_PROJECT_NAME: jelly
diff --git a/kit/compose.yaml b/kit/compose.yaml
index 2f7f81e..950cda0 100644
--- a/kit/compose.yaml
+++ b/kit/compose.yaml
@@ -4,27 +4,25 @@ services:
     container_name: ${KIT_COMPOSE_PROJECT_NAME}_vert
     restart: unless-stopped
     environment:
-      PUB_HOSTNAME: ${KIT_TRAEFIK_HOST}
+      PUB_HOSTNAME: ${KIT_VERT_TRAEFIK_HOST}
       PUB_ENV: production
       PUB_DISABLE_ALL_EXTERNAL_REQUESTS: true
     networks:
       - compose_network
     labels:
       - 'traefik.enable=${KIT_TRAEFIK_ENABLED}'
-      # HTTP to HTTPS redirect for /vert path
+      # HTTP to HTTPS redirect
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-vert-redirect-web-secure.redirectscheme.scheme=https'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web.middlewares=${KIT_COMPOSE_PROJECT_NAME}-vert-redirect-web-secure'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web.rule=Host(`${KIT_TRAEFIK_HOST}`) && PathPrefix(`/vert`)'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web.rule=Host(`${KIT_VERT_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web.entrypoints=web'
-      # HTTPS router for /vert path with auth
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.rule=Host(`${KIT_TRAEFIK_HOST}`) && PathPrefix(`/vert`)'
+      # HTTPS router with auth
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.rule=Host(`${KIT_VERT_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.entrypoints=web-secure'
-      # Strip /vert prefix before forwarding to container
-      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-vert-stripprefix.stripprefix.prefixes=/vert'
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-vert-auth.basicauth.users=${AUTH_USERS}'
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-vert-compress.compress=true'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-vert-stripprefix,${KIT_COMPOSE_PROJECT_NAME}-vert-auth,${KIT_COMPOSE_PROJECT_NAME}-vert-compress,security-headers@file'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-vert-auth,${KIT_COMPOSE_PROJECT_NAME}-vert-compress,security-headers@file'
       # Service
       - 'traefik.http.services.${KIT_COMPOSE_PROJECT_NAME}-vert.loadbalancer.server.port=80'
       - 'traefik.docker.network=${NETWORK_NAME}'
@@ -42,20 +40,18 @@ services:
       - compose_network
     labels:
       - 'traefik.enable=${KIT_TRAEFIK_ENABLED}'
-      # HTTP to HTTPS redirect for /paint path
+      # HTTP to HTTPS redirect
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-paint-redirect-web-secure.redirectscheme.scheme=https'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web.middlewares=${KIT_COMPOSE_PROJECT_NAME}-paint-redirect-web-secure'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web.rule=Host(`${KIT_TRAEFIK_HOST}`) && PathPrefix(`/paint`)'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web.rule=Host(`${KIT_PAINT_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web.entrypoints=web'
-      # HTTPS router for /paint path with auth
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.rule=Host(`${KIT_TRAEFIK_HOST}`) && PathPrefix(`/paint`)'
+      # HTTPS router with auth
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.rule=Host(`${KIT_PAINT_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.entrypoints=web-secure'
-      # Strip /paint prefix before forwarding to container
-      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-paint-stripprefix.stripprefix.prefixes=/paint'
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-paint-auth.basicauth.users=${AUTH_USERS}'
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-paint-compress.compress=true'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-paint-stripprefix,${KIT_COMPOSE_PROJECT_NAME}-paint-auth,${KIT_COMPOSE_PROJECT_NAME}-paint-compress,security-headers@file'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-paint-auth,${KIT_COMPOSE_PROJECT_NAME}-paint-compress,security-headers@file'
       # Service
       - 'traefik.http.services.${KIT_COMPOSE_PROJECT_NAME}-paint.loadbalancer.server.port=80'
       - 'traefik.docker.network=${NETWORK_NAME}'