vm-core/docs/skill/INFRASTRUCTURE.md

VaultMesh Infrastructure Templates

Kubernetes Deployment

Namespace

apiVersion: v1
kind: Namespace
metadata:
  name: vaultmesh
  labels:
    app.kubernetes.io/name: vaultmesh
    app.kubernetes.io/part-of: civilization-ledger
    pod-security.kubernetes.io/enforce: restricted

Generic Deployment Template

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultmesh-{component}
  namespace: vaultmesh
  labels:
    app.kubernetes.io/name: {component}
    app.kubernetes.io/component: {role}
    app.kubernetes.io/part-of: vaultmesh
spec:
  replicas: {replicas}
  selector:
    matchLabels:
      app.kubernetes.io/name: {component}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {component}
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: vaultmesh-{component}
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: {component}
          image: ghcr.io/vaultmesh/{component}:{version}
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          ports:
            - name: http
              containerPort: {http_port}
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          env:
            - name: RUST_LOG
              value: "info,vaultmesh=debug"
            - name: CONFIG_PATH
              value: "/config/{component}.toml"
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: vaultmesh-db-credentials
                  key: {component}-url
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
            - name: receipts
              mountPath: /data/receipts
            - name: tmp
              mountPath: /tmp
          resources:
            requests:
              cpu: {cpu_request}
              memory: {memory_request}
            limits:
              cpu: {cpu_limit}
              memory: {memory_limit}
          livenessProbe:
            httpGet:
              path: /health/live
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health/ready
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: config
          configMap:
            name: vaultmesh-{component}-config
        - name: receipts
          persistentVolumeClaim:
            claimName: vaultmesh-receipts
        - name: tmp
          emptyDir: {}

Service Template

apiVersion: v1
kind: Service
metadata:
  name: vaultmesh-{component}
  namespace: vaultmesh
spec:
  selector:
    app.kubernetes.io/name: {component}
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: metrics
      port: 9090
      targetPort: metrics
  type: ClusterIP

ConfigMap Template

apiVersion: v1
kind: ConfigMap
metadata:
  name: vaultmesh-{component}-config
  namespace: vaultmesh
data:
  {component}.toml: |
    [server]
    bind = "0.0.0.0:{port}"
    metrics_bind = "0.0.0.0:9090"
    
    [database]
    max_connections = 20
    min_connections = 5
    
    [receipts]
    base_path = "/data/receipts"
    
    # Component-specific configuration

PersistentVolumeClaim

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vaultmesh-receipts
  namespace: vaultmesh
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-csi
  resources:
    requests:
      storage: 100Gi

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultmesh-ingress
  namespace: vaultmesh
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/rate-limit: "100"
    nginx.ingress.kubernetes.io/rate-limit-window: "1m"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - portal.vaultmesh.io
        - guardian.vaultmesh.io
        - oracle.vaultmesh.io
      secretName: vaultmesh-tls
  rules:
    - host: portal.vaultmesh.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vaultmesh-portal
                port:
                  name: http

---

Component Configurations

Portal

# Deployment overrides
replicas: 2
http_port: 8080
cpu_request: 100m
memory_request: 256Mi
cpu_limit: 1000m
memory_limit: 1Gi

# portal.toml
[server]
bind = "0.0.0.0:8080"
metrics_bind = "0.0.0.0:9090"

[database]
max_connections = 20
min_connections = 5

[receipts]
base_path = "/data/receipts"

[scrolls]
enabled = [
  "Drills", "Compliance", "Guardian", "Treasury", "Mesh",
  "OffSec", "Identity", "Observability", "Automation",
  "PsiField", "Federation", "Governance"
]

[auth]
jwt_issuer = "vaultmesh-portal"
session_ttl_hours = 24

Guardian

# Deployment overrides
replicas: 1  # Single for coordination
strategy:
  type: Recreate
http_port: 8081
cpu_request: 200m
memory_request: 512Mi
cpu_limit: 2000m
memory_limit: 2Gi

# guardian.toml
[server]
bind = "0.0.0.0:8081"
metrics_bind = "0.0.0.0:9090"

[proofchain]
receipts_path = "/data/receipts"
roots_path = "/data/receipts"

[anchor]
primary = "ethereum"
interval_seconds = 3600
min_receipts_threshold = 10

[anchor.ethereum]
rpc_url = "https://mainnet.infura.io/v3/${INFURA_PROJECT_ID}"
contract_address = "0x..."
chain_id = 1

[anchor.ots]
enabled = true
calendar_urls = [
  "https://a.pool.opentimestamps.org",
  "https://b.pool.opentimestamps.org"
]

[sentinel]
enabled = true
alert_webhook = "http://alertmanager:9093/api/v2/alerts"

Oracle

# Deployment overrides
replicas: 2
http_port: 8082
mcp_port: 8083
cpu_request: 200m
memory_request: 512Mi
cpu_limit: 2000m
memory_limit: 4Gi

# oracle.toml
[server]
http_bind = "0.0.0.0:8082"
mcp_bind = "0.0.0.0:8083"
metrics_bind = "0.0.0.0:9090"

[corpus]
path = "/data/corpus"
index_path = "/data/cache/index"
supported_formats = ["docx", "pdf", "md", "txt"]

[llm]
primary_provider = "anthropic"
primary_model = "claude-sonnet-4-20250514"
fallback_provider = "openai"
fallback_model = "gpt-4o"
temperature = 0.1
max_tokens = 4096

[receipts]
endpoint = "http://vaultmesh-portal/api/receipts/oracle"

---

Docker Compose (Development)

version: "3.9"

services:
  portal:
    build:
      context: .
      dockerfile: docker/portal/Dockerfile
    ports:
      - "8080:8080"
      - "9090:9090"
    environment:
      - RUST_LOG=info,vaultmesh=debug
      - VAULTMESH_CONFIG=/config/portal.toml
      - DATABASE_URL=postgresql://vaultmesh:vaultmesh@postgres:5432/vaultmesh
      - REDIS_URL=redis://redis:6379
    volumes:
      - ./config/portal.toml:/config/portal.toml:ro
      - receipts:/data/receipts
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_started

  guardian:
    build:
      context: .
      dockerfile: docker/guardian/Dockerfile
    ports:
      - "8081:8081"
    environment:
      - RUST_LOG=info,guardian=debug
      - GUARDIAN_CONFIG=/config/guardian.toml
      - DATABASE_URL=postgresql://vaultmesh:vaultmesh@postgres:5432/vaultmesh
    volumes:
      - ./config/guardian.toml:/config/guardian.toml:ro
      - receipts:/data/receipts
      - guardian-state:/data/guardian
    depends_on:
      portal:
        condition: service_healthy

  oracle:
    build:
      context: .
      dockerfile: docker/oracle/Dockerfile
    ports:
      - "8082:8082"
      - "8083:8083"
    environment:
      - ORACLE_CONFIG=/config/oracle.toml
      - OPENAI_API_KEY=${OPENAI_API_KEY}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
      - VAULTMESH_RECEIPT_ENDPOINT=http://portal:8080/api/receipts
    volumes:
      - ./config/oracle.toml:/config/oracle.toml:ro
      - ./corpus:/data/corpus:ro
    depends_on:
      portal:
        condition: service_healthy

  postgres:
    image: postgres:16-alpine
    environment:
      - POSTGRES_USER=vaultmesh
      - POSTGRES_PASSWORD=vaultmesh
      - POSTGRES_DB=vaultmesh
    volumes:
      - postgres-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U vaultmesh"]
      interval: 5s
      timeout: 5s
      retries: 5

  redis:
    image: redis:7-alpine
    volumes:
      - redis-data:/data
    command: redis-server --appendonly yes

  prometheus:
    image: prom/prometheus:v2.47.0
    ports:
      - "9091:9090"
    volumes:
      - ./config/prometheus.yaml:/etc/prometheus/prometheus.yml:ro
      - prometheus-data:/prometheus

  grafana:
    image: grafana/grafana:10.1.0
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin
    volumes:
      - ./config/grafana/provisioning:/etc/grafana/provisioning:ro
      - grafana-data:/var/lib/grafana

volumes:
  receipts:
  guardian-state:
  postgres-data:
  redis-data:
  prometheus-data:
  grafana-data:

networks:
  default:
    name: vaultmesh

---

Dockerfile Templates

Rust Service

# Build stage
FROM rust:1.75-alpine AS builder

RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static

WORKDIR /build
COPY Cargo.toml Cargo.lock ./
COPY src ./src

RUN cargo build --release --target x86_64-unknown-linux-musl

# Runtime stage
FROM alpine:3.19

RUN apk add --no-cache ca-certificates tzdata

RUN adduser -D -u 1000 vaultmesh
USER vaultmesh

WORKDIR /app
COPY --from=builder /build/target/x86_64-unknown-linux-musl/release/{binary} /app/

EXPOSE 8080 9090

ENTRYPOINT ["/app/{binary}"]

Python Service

FROM python:3.12-slim

RUN useradd -m -u 1000 vaultmesh

WORKDIR /app

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY --chown=vaultmesh:vaultmesh . .

USER vaultmesh

EXPOSE 8080 9090

CMD ["python", "-m", "{module}"]

---

Prometheus Rules

groups:
  - name: vaultmesh.receipts
    rules:
      - alert: ReceiptWriteFailure
        expr: rate(vaultmesh_receipt_write_errors_total[5m]) > 0
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "Receipt write failures detected"

      - alert: ReceiptRateAnomaly
        expr: |
          abs(rate(vaultmesh_receipts_total[5m]) - 
          avg_over_time(rate(vaultmesh_receipts_total[5m])[1h:5m])) 
          > 2 * stddev_over_time(rate(vaultmesh_receipts_total[5m])[1h:5m])
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Unusual receipt rate"

  - name: vaultmesh.guardian
    rules:
      - alert: AnchorDelayed
        expr: time() - vaultmesh_guardian_last_anchor_timestamp > 7200
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Guardian anchor delayed"

      - alert: AnchorCriticallyDelayed
        expr: time() - vaultmesh_guardian_last_anchor_timestamp > 14400
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "No anchor in over 4 hours"

      - alert: ProofChainDivergence
        expr: vaultmesh_guardian_proofchain_divergence == 1
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "ProofChain divergence detected"

  - name: vaultmesh.governance
    rules:
      - alert: ConstitutionalViolation
        expr: increase(vaultmesh_governance_violations_total[1h]) > 0
        for: 0m
        labels:
          severity: critical
        annotations:
          summary: "Constitutional violation detected"

      - alert: EmergencyActive
        expr: vaultmesh_governance_emergency_active == 1
        for: 0m
        labels:
          severity: warning
        annotations:
          summary: "Emergency powers in effect"

---

Kustomization

Base

# kubernetes/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: vaultmesh

resources:
  - namespace.yaml
  - rbac.yaml
  - portal/
  - guardian/
  - oracle/
  - database/
  - storage/
  - ingress/

commonLabels:
  app.kubernetes.io/part-of: vaultmesh
  app.kubernetes.io/managed-by: kustomize

Production Overlay

# kubernetes/overlays/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: vaultmesh

resources:
  - ../../base

patches:
  - path: portal-resources.yaml
  - path: guardian-resources.yaml
  - path: oracle-resources.yaml

configMapGenerator:
  - name: vaultmesh-portal-config
    behavior: merge
    files:
      - portal.toml=configs/portal-prod.toml

replicas:
  - name: vaultmesh-portal
    count: 3
  - name: vaultmesh-oracle
    count: 3

---

Terraform (Infrastructure)

# main.tf
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.23"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.11"
    }
  }
}

resource "kubernetes_namespace" "vaultmesh" {
  metadata {
    name = "vaultmesh"
    labels = {
      "app.kubernetes.io/name"       = "vaultmesh"
      "app.kubernetes.io/part-of"    = "civilization-ledger"
    }
  }
}

resource "helm_release" "vaultmesh" {
  name       = "vaultmesh"
  namespace  = kubernetes_namespace.vaultmesh.metadata[0].name
  chart      = "./charts/vaultmesh"
  
  values = [
    file("values-${var.environment}.yaml")
  ]
  
  set {
    name  = "portal.replicas"
    value = var.portal_replicas
  }
  
  set {
    name  = "guardian.anchor.ethereum.rpcUrl"
    value = var.ethereum_rpc_url
  }
  
  set_sensitive {
    name  = "secrets.anthropicApiKey"
    value = var.anthropic_api_key
  }
}

variable "environment" {
  type    = string
  default = "production"
}

variable "portal_replicas" {
  type    = number
  default = 3
}

variable "ethereum_rpc_url" {
  type = string
}

variable "anthropic_api_key" {
  type      = string
  sensitive = true
}