Page Title: Canonical Infrastructure — VaultMesh v1

Summary: This page defines the canonical infrastructure for VaultMesh as of the first full catalog: which nodes exist, what runs where, and which services are considered "core mesh". It is the reference snapshot for future migrations and evolutions.

Key Findings:

- BRICK + v1-nl-gate + nexus-0 form the spine of the system.
- gate-vm (mesh-core-01) is the canonical host for the mesh-stack-migration bundle.
- shield-vm is the canonical Shield/TEM node with OffSec tooling and the machine-secrets vault.
- The dual-vault pattern is standard: Vaultwarden for human secrets, HashiCorp Vault for machine secrets.
- Grafana is the canonical dashboard layer; Wiki.js is explicitly **not** part of the new architecture (external portals such as burocrat serve documentation).

Canonical Nodes and Roles:

| Node | Role | Description |
|------------|---------------------------|--------------------------------------------------------------------------------------------|
| nexus-0 | Forge | Primary dev/forge node (BlackArch) |
| brick | Hypervisor | Hosts core VMs (debian-golden, gate-vm, shield-vm) |
| v1-nl-gate | External Gate | Cloud-facing edge server, future ingress |
| gate-vm | mesh-core-01 (Core Stack) | GitLab, MinIO, Postgres, Prometheus, Grafana, Vaultwarden, backup-freshness, Traefik, WG-Easy |
| shield-vm | shield-01 (Shield/TEM) | OffSec agents, TEM, HashiCorp Vault, incidents & simulations |
| lab-* | Experimental Mesh | lab-mesh-01, lab-agent-01, lab-chaos-01, phoenix-01 |

Canonical Core Services (gate-vm / mesh-core-01):

- GitLab – source control, CI/CD.
- MinIO – object storage & backups.
- PostgreSQL – GitLab and future service DBs.
- Prometheus – metrics.
- Grafana – dashboards (infra, backup freshness, proof metrics).
- Vaultwarden – human password vault (browsers, logins).
- backup-freshness – monitors MinIO backup age.
- Traefik – reverse proxy and ingress.
- WG-Easy (optional) – simplified WireGuard access.

Canonical Security / Shield Services (shield-vm):

- HashiCorp Vault – machine/app secrets.
- TEM daemon – threat transmutation engine.
- OffSec tools and MCP – Oracle, Shield, AppSec scanners.
- Agent/task scheduler – scheduled security workflows.
- Optional: local Prometheus exporters for node/security metrics.

Explicitly Non-Core (but allowed as external):

- Wiki.js – not part of canonical infra; documentation is handled via Git-based docs/portals (e.g., burocrat, catalogs).
- Legacy projects marked ARCHIVE (e.g., old offsec-shield architecture, sovereign-swarm).

Migration & Portability:

- `mesh-stack-migration/` enables redeploying the entire core stack (GitLab, MinIO, monitoring, backup) to a fresh host:
  - Copy bundle → set `.env` → `docker compose up -d`.
  - Run the FIRST-LAUNCH and DRY-RUN checklists.
- VMs can be moved or recreated using debian-golden as the base image.

Evolution Rules:

- If a service becomes critical and stateful, it must:
  - Emit receipts and have a documented backup/restore plan.
  - Expose metrics consumable by Prometheus.
  - Be referenced in the Canonical Infrastructure page with its node placement.
- Experimental services stay on the Lab HV until they prove their value.

Linked Assets:

- `mesh-stack-migration/STACK-MANIFEST.md` and `STACK-VERSION`.
- `VAULTMESH-ETERNAL-PATTERN.md` (architectural shape).
- `VaultMesh_Infrastructure_Catalog_v1.*` (this catalog).
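The `backup-freshness` service is described above only as monitoring MinIO backup age, and the Evolution Rules require every critical stateful service to expose metrics that Prometheus can consume. The following Python is an added example, not the VaultMesh project's own code: it takes a constructed listing of backup objects (the shape a MinIO bucket listing provides), finds the newest backup per service, and renders `backup_age_seconds` and `backup_stale` gauges in Prometheus text exposition format, reporting a service with no backup at all as stale rather than silently omitting it. The metric names, the 24-hour threshold, the per-service key prefixes and the sample objects are all assumptions.

```python
"""Backup-freshness gauges in Prometheus text exposition format.

Added example (not the VaultMesh backup-freshness service's own code).
Assumptions: backups live in one bucket under a per-service key prefix,
a backup older than MAX_AGE is stale, and a service with no backup object
is reported as stale so the absence is visible to alerting.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class BackupObject:
    """One object from a bucket listing: key and timezone-aware mtime."""
    key: str
    last_modified: datetime


# Assumed threshold: a daily backup older than this is considered stale.
MAX_AGE = timedelta(hours=24)

# Assumed mapping from service name to the key prefix its backups use.
SERVICE_PREFIXES: Dict[str, str] = {
    "gitlab": "gitlab/",
    "postgres": "postgres/",
    "grafana": "grafana/",
}

# Constructed sample listing; "grafana/" deliberately has no objects.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_OBJECTS: List[BackupObject] = [
    BackupObject("gitlab/2024-01-01T03-00.tar.gz",
                 datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)),
    BackupObject("gitlab/2024-01-02T03-00.tar.gz",
                 datetime(2024, 1, 2, 3, 0, tzinfo=timezone.utc)),
    BackupObject("postgres/2023-12-31T00-00.sql.gz",
                 datetime(2023, 12, 31, 0, 0, tzinfo=timezone.utc)),
]


def newest_backup(objects: Iterable[BackupObject],
                  prefix: str) -> Optional[BackupObject]:
    """Return the most recently modified object under prefix, or None."""
    matching = [o for o in objects if o.key.startswith(prefix)]
    if not matching:
        return None
    return max(matching, key=lambda o: o.last_modified)


def backup_age_seconds(objects: Iterable[BackupObject], prefix: str,
                       now: datetime) -> Optional[float]:
    """Seconds since the newest backup under prefix, or None if there is none."""
    newest = newest_backup(objects, prefix)
    if newest is None:
        return None
    return (now - newest.last_modified).total_seconds()


def is_stale(age: Optional[float], max_age: timedelta = MAX_AGE) -> bool:
    """Missing backups count as stale; otherwise compare against max_age."""
    return age is None or age > max_age.total_seconds()


def render_metrics(objects: Iterable[BackupObject],
                   prefixes: Dict[str, str],
                   now: datetime,
                   max_age: timedelta = MAX_AGE) -> str:
    """Render one backup_age_seconds and one backup_stale series per service."""
    objects = list(objects)
    lines = [
        "# HELP backup_age_seconds Age of the newest backup object per service.",
        "# TYPE backup_age_seconds gauge",
        "# HELP backup_stale 1 if the newest backup is missing or older than the threshold.",
        "# TYPE backup_stale gauge",
    ]
    for service, prefix in prefixes.items():
        age = backup_age_seconds(objects, prefix, now)
        if age is not None:
            lines.append(f'backup_age_seconds{{service="{service}"}} {age:.0f}')
        # No age series when there is no backup: an absent series plus
        # backup_stale=1 is easier to alert on than a fabricated age.
        lines.append(f'backup_stale{{service="{service}"}} {int(is_stale(age, max_age))}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_metrics(SAMPLE_OBJECTS, SERVICE_PREFIXES, NOW), end="")
```

Serving the rendered text on an HTTP endpoint is all Prometheus needs to scrape it; an alert on `backup_stale == 1` then covers both the "backup too old" and the "backup never produced" cases, which is why missing backups are reported as stale rather than dropped.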