Initial commit - combined iTerm2 scripts

Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

VaultMesh_Catalog_v1/pages/page8-appsec-toolchain.md

@@ -0,0 +1,87 @@
+Page Title: AppSec Toolchain (Shield / CI Integration)
+Summary: VaultMesh uses an integrated application security toolchain rooted on shield-vm and CI pipelines. It combines vulnerability scanning, secret detection, SBOM generation, and IaC analysis into a coherent flow, with findings eligible to be logged into the proof spine for high-risk assets.
+
+Key Findings:
+- Nuclei, Trivy, Semgrep, TruffleHog, Gitleaks, Checkov, Syft, and Grype cover distinct layers.
+- shield-vm is the natural home for heavy security scans and OffSec tooling.
+- CI pipelines can call out to shield-vm or run scanners directly in job containers.
+- Secret detection runs in both pre-commit and CI stages for defense-in-depth.
+- SBOM generation and vulnerability scanning support long-term supply chain tracking.
+
+Components:
+- Nuclei (web and service vuln scanning).
+- Trivy (container/filesystem/SBOM vulnerability scanner).
+- Semgrep (static code analysis).
+- TruffleHog / Gitleaks (secret discovery).
+- Checkov (IaC misconfiguration scanner).
+- Syft (SBOM generator).
+- Grype (vulnerability scanner against SBOMs).
+
+Tool Capabilities:
+| Tool       | Target Types                | Output                  |
+|------------|----------------------------|-------------------------|
+| nuclei     | URLs, IPs, domains         | Findings by severity    |
+| trivy      | Images, dirs, repos, SBOMs | CVEs, secrets, configs  |
+| semgrep    | Source code directories    | Security findings       |
+| trufflehog | Git, S3, GCS, etc.         | Verified secrets        |
+| gitleaks   | Git repos, filesystems     | Secret locations        |
+| checkov    | Terraform, K8s, Helm, etc. | Misconfigurations       |
+| syft       | Images, dirs, archives     | CycloneDX/SPDX SBOM     |
+| grype      | Images, dirs, SBOMs        | Vulnerability list      |
+
+Example Scans:
+
+Nuclei Web Scan:
+```json
+{
+  "targets": ["https://example.com"],
+  "severity": ["high", "critical"],
+  "tags": ["cve", "rce"]
+}
+```
+
+Trivy Container Scan:
+```json
+{
+  "target": "vaultmesh-core:latest",
+  "scan_type": "image",
+  "scanners": ["vuln", "secret"],
+  "severity": ["HIGH", "CRITICAL"]
+}
+```
+
+Secret Detection:
+```json
+{
+  "target": "/srv/git/vaultmesh",
+  "source_type": "git",
+  "only_verified": true
+}
+```
+
+MCP Tools:
+- offsec_appsec_nuclei_scan
+- offsec_appsec_trivy_scan
+- offsec_appsec_semgrep_scan
+- offsec_appsec_trufflehog_scan
+- offsec_appsec_gitleaks_scan
+- offsec_appsec_checkov_scan
+- offsec_appsec_syft_sbom
+- offsec_appsec_grype_scan
+
+Workflows:
+1. SBOM Pipeline: Syft → produce CycloneDX JSON → Grype → vulnerability report.
+2. Pre-merge Scans: CI job runs Semgrep, Trivy, Gitleaks on merge requests.
+3. Periodic Deep Scans: shield-vm runs scheduled AppSec scans, logging high-severity findings.
+4. Policy Integration: High-severity or critical findings feed into Lawchain/Lawchain-like policies.
+
+Security Notes:
+- Nuclei and Trivy should be rate-limited when targeting external assets.
+- Secret detection in CI uses only_verified where possible to reduce noise.
+- Baseline files can exclude accepted findings while still tracking new issues.
+- AppSec findings for high-value systems may be recorded as receipts in the proof system.
+
+Dependencies:
+- offsec-mcp server with tools installed (on shield-vm or lab nodes).
+- Network access for pulling scanner templates and vulnerability databases.
+- CI integration (GitLab pipelines on gate-vm) to trigger scans automatically.