Initial commit - combined iTerm2 scripts

Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

VaultMesh_Catalog_v1/pages/page4-ssh-architecture.md

@@ -0,0 +1,101 @@
+Page Title: SSH Key Architecture (Forge + Mesh)
+Summary: VaultMesh uses a strict per-node ed25519 SSH key model with IdentitiesOnly isolation, ControlMaster multiplexing, and mesh-wide access via Tailscale. nexus-0 serves as the primary forge node; brick, v1-nl-gate, gate-vm, and shield-vm are first-class SSH targets with dedicated keys.
+
+Key Findings:
+- One keypair per destination node (id_gamma, id_brick, id_v1-nl-gate, id_gate-vm, id_shield-vm, etc.).
+- IdentitiesOnly enforces key isolation and prevents cross-host key probing.
+- ControlMaster/ControlPath provide fast multiplexed SSH sessions.
+- Tailscale hostnames (story-ule.ts.net) give stable addressing; LAN IPs are fallback.
+- External service keys (GitHub/GitLab) are separate from infra keys.
+
+Components:
+- Per-node private keys (`~/.ssh/id_{node}`).
+- Public keys (`~/.ssh/id_{node}.pub`).
+- SSH config with host-specific IdentityFile blocks.
+- Control sockets (`~/.ssh/cm-%r@%h:%p`).
+
+Key Inventory (Infra Nodes):
+| Key File         | Target Node    | Algorithm |
+|------------------|----------------|-----------|
+| id_gamma         | gamma          | ed25519   |
+| id_beta          | beta           | ed25519   |
+| id_brick         | brick          | ed25519   |
+| id_w3            | w3             | ed25519   |
+| id_v1-nl-gate    | v1-nl-gate     | ed25519   |
+| id_gate-vm       | gate-vm        | ed25519   |
+| id_debian-golden | debian-golden  | ed25519   |
+| id_shield-vm     | shield-vm      | ed25519   |
+
+Forge + Mobile:
+| Key File         | Target        | Algorithm |
+|------------------|--------------|-----------|
+| id_nexus-0       | nexus-0      | ed25519   |
+| id_kali-forge    | kali-forge   | ed25519   |
+| id_shield        | shield       | ed25519   |
+| id_bank-mobile   | bank-mobile  | ed25519   |
+
+External Service Keys:
+| Key File             | Service    |
+|----------------------|------------|
+| id_ed25519_github    | GitHub     |
+| id_ed25519_gitlab    | GitLab     |
+
+SSH Config Structure:
+```sshconfig
+Host *
+    ServerAliveInterval 30
+    ServerAliveCountMax 3
+    TCPKeepAlive yes
+    ControlMaster auto
+    ControlPath ~/.ssh/cm-%r@%h:%p
+    ControlPersist 10m
+    IdentitiesOnly yes
+    HashKnownHosts no
+    StrictHostKeyChecking accept-new
+    AddKeysToAgent yes
+    UseKeychain yes
+    Compression yes
+
+Host nexus-0
+    HostName 100.67.39.1
+    User root
+    IdentityFile ~/.ssh/id_nexus-0
+
+Host brick
+    HostName brick.story-ule.ts.net
+    User sovereign
+    IdentityFile ~/.ssh/id_brick
+
+Host gate-vm
+    HostName gate-vm.story-ule.ts.net
+    User debian
+    IdentityFile ~/.ssh/id_gate-vm
+
+Host shield-vm
+    HostName shield-vm.story-ule.ts.net
+    User debian
+    IdentityFile ~/.ssh/id_shield-vm
+```
+
+Security Notes:
+- ed25519 keys provide strong security with small keys/signatures.
+- IdentitiesOnly ensures ssh never offers the wrong key to the wrong host.
+- StrictHostKeyChecking=accept-new uses TOFU while still catching host key changes.
+- No password authentication; all critical nodes are key-only.
+
+Key Generation:
+```bash
+ssh-keygen -t ed25519 -f ~/.ssh/id_{node} -C "aurion-to-{node}"
+```
+
+Key Deployment:
+```bash
+ssh-copy-id -i ~/.ssh/id_{node}.pub debian@{node}
+# Or manually
+cat ~/.ssh/id_{node}.pub | ssh debian@{node} "cat >> ~/.ssh/authorized_keys"
+```
+
+Dependencies:
+- OpenSSH client (macOS/Linux/Android).
+- ssh-agent and (on macOS) Keychain integration.
+- Tailscale for stable hostnames and reachability.