Initial commit - combined iTerm2 scripts

Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

VaultMesh_Catalog_v1/pages/page3-virtualization.md

@@ -0,0 +1,64 @@
+Page Title: VaultMesh Virtualization Layer (BRICK Hypervisor)
+Summary: The BRICK server runs libvirt/KVM and hosts the core VaultMesh VMs: debian-golden (template), gate-vm (mesh-core-01), and shield-vm (shield-01). Cockpit and VNC provide management and console access, while Tailscale and SSH bring the VMs into the wider mesh.
+
+Key Findings:
+- BRICK is the single hypervisor for core VaultMesh VMs.
+- debian-golden serves as a reusable golden image to clone new VMs.
+- gate-vm runs the mesh-stack-migration bundle (GitLab, MinIO, Prometheus, Grafana, Vaultwarden, backup-freshness, etc.).
+- shield-vm is the Shield/OffSec node and home of the machine-secrets vault and TEM stack.
+- VM networking uses libvirt NAT (192.168.122.x), with VNC reachable via SSH tunnels.
+
+Components:
+- libvirt daemon (qemu-kvm backend).
+- QEMU/KVM for hardware-accelerated virtualization.
+- Cockpit + cockpit-machines for web-based VM management.
+- VNC servers for graphical consoles.
+- Tailscale agents (optional/desired) inside VMs.
+
+VM Network Layout:
+| VM            | NAT IP           | VNC Port | Role                               |
+|---------------|------------------|----------|------------------------------------|
+| debian-golden | 192.168.122.187  | 5900     | Golden image / base template       |
+| gate-vm       | 192.168.122.236  | 5901     | mesh-core-01 core stack host       |
+| shield-vm     | 192.168.122.73   | 5902     | Shield/OffSec/TEM + machine vault  |
+
+Workflows / Pipelines:
+- VM Management: Cockpit → https://brick:9090 → "Virtual Machines".
+- Console Access:
+  - `ssh brick`
+  - `ssh -L 5901:localhost:5901 brick`
+  - `vnc://localhost:5901` (gate-vm) / `vnc://localhost:5902` (shield-vm).
+- Image Pipeline:
+  - Update debian-golden → snapshot → clone → new VM (e.g., future lab nodes).
+- Join to Mesh:
+  - Boot VM → configure SSH → join Tailscale → register in SSH config.
+
+Inputs:
+- libvirt XML definitions for debian-golden, gate-vm, shield-vm.
+- Debian cloud images / base images.
+- SSH keys for root/debian users on each VM.
+- mesh-stack-migration bundle to configure gate-vm.
+
+Outputs:
+- Running core VMs with access via SSH + Tailscale + VNC.
+- Reproducible VM lifecycle (golden → clone → configure → join mesh).
+- Isolated environment for Shield/TEM experiments on shield-vm.
+
+Security Notes:
+- VNC ports are not exposed directly; they're reached via SSH tunnel into brick.
+- Each VM uses its own SSH host keys and per-node authorized_keys.
+- NAT isolation (192.168.122.x) reduces blast radius from VM compromise.
+- Installing Tailscale inside gate-vm/shield-vm avoids public exposure.
+
+Dependencies:
+- libvirt, qemu-kvm, Cockpit, cockpit-machines on brick.
+- SSH and Tailscale inside each VM (where needed).
+- TigerVNC or similar client on the operator's laptop.
+
+Deployment Steps:
+1. Start VM via Cockpit or `virsh`.
+2. Create SSH tunnel from laptop to brick for VNC.
+3. Connect via VNC for first-boot setup if needed.
+4. Deploy SSH keys and install Tailscale inside the VM.
+5. For gate-vm: deploy `mesh-stack-migration` and start core stack.
+6. For shield-vm: deploy Shield/TEM/dual-vault components.