Initial commit - combined iTerm2 scripts

Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

VaultMesh_Catalog_v1/pages/page10-canonical-infrastructure.md

@@ -0,0 +1,59 @@
+Page Title: Canonical Infrastructure — VaultMesh v1
+Summary: This page defines the canonical infrastructure for VaultMesh as of the first full catalog: which nodes exist, what runs where, and which services are considered "core mesh". It is the reference snapshot for future migrations and evolutions.
+
+Key Findings:
+- BRICK + v1-nl-gate + nexus-0 form the spine of the system.
+- gate-vm (mesh-core-01) is the canonical host for the mesh-stack-migration bundle.
+- shield-vm is the canonical Shield/TEM node with OffSec tooling and machine-secrets vault.
+- Dual-vault pattern is standard: Vaultwarden (human), HashiCorp Vault (machine).
+- Grafana is the canonical dashboard layer; Wiki.js is explicitly **not** part of the new architecture (external portals like burocrat serve documentation).
+
+Canonical Nodes and Roles:
+| Node         | Role                         | Description                                 |
+|--------------|------------------------------|---------------------------------------------|
+| nexus-0      | Forge                        | Primary dev/forge node (BlackArch)         |
+| brick        | Hypervisor                   | Hosts core VMs (debian-golden, gate-vm, shield-vm) |
+| v1-nl-gate   | External Gate                | Cloud-facing edge server, future ingress   |
+| gate-vm      | mesh-core-01 (Core Stack)    | GitLab, MinIO, Postgres, Prometheus, Grafana, Vaultwarden, backup-freshness, Traefik, WG-Easy |
+| shield-vm    | shield-01 (Shield/TEM)       | OffSec agents, TEM, HashiCorp Vault, incidents & simulations |
+| lab-*        | Experimental Mesh            | lab-mesh-01, lab-agent-01, lab-chaos-01, phoenix-01 |
+
+Canonical Core Services (gate-vm / mesh-core-01):
+- GitLab – source control, CI/CD.
+- MinIO – object storage & backups.
+- PostgreSQL – GitLab and future service DBs.
+- Prometheus – metrics.
+- Grafana – dashboards (infra, backup freshness, proof metrics).
+- Vaultwarden – human password vault (browsers, logins).
+- backup-freshness – monitors MinIO backup age.
+- Traefik – reverse proxy and ingress.
+- WG-Easy (optional) – simplified WireGuard access.
+
+Canonical Security / Shield Services (shield-vm):
+- HashiCorp Vault – machine/app secrets.
+- TEM daemon – threat transmutation engine.
+- OffSec tools and MCP – Oracle, Shield, AppSec scanners.
+- Agent/task scheduler – scheduled security workflows.
+- Optional: local Prometheus exporters for node/security metrics.
+
+Explicitly Non-Core (but allowed as external):
+- Wiki.js – not part of canonical infra; documentation handled via Git-based docs/portals (e.g., burocrat, catalogs).
+- Legacy projects marked ARCHIVE (e.g., old offsec-shield architecture, sovereign-swarm).
+
+Migration & Portability:
+- `mesh-stack-migration/` enables redeploying the entire core stack (GitLab, MinIO, monitoring, backup) to a fresh host:
+  - Copy bundle → set `.env` → `docker compose up -d`.
+  - Run FIRST-LAUNCH and DRY-RUN checklists.
+- VMs can be moved or recreated using debian-golden as base.
+
+Evolution Rules:
+- If a service becomes critical and stateful, it must:
+  - Emit receipts and have a documented backup/restore plan.
+  - Expose metrics consumable by Prometheus.
+  - Be referenced in the Canonical Infrastructure page with node placement.
+- Experimental services stay on Lab HV until they prove their value.
+
+Linked Assets:
+- `mesh-stack-migration/STACK-MANIFEST.md` and `STACK-VERSION`.
+- `VAULTMESH-ETERNAL-PATTERN.md` (architectural shape).
+- `VaultMesh_Infrastructure_Catalog_v1.*` (this catalog).