diff --git a/README.md b/README.md new file mode 100644 index 0000000..68ce3f7 --- /dev/null +++ b/README.md 
@@ -0,0 +1,58 @@ +# vm-skills + +Production-grade operational skill library (16 skills) following a gated plan → apply → proof → verify → report model with cryptographic evidence. + +## Role +- Acts as the capability layer Claude invokes through vm-mcp tools +- Emits BLAKE3 receipts and reports consumable by vm-ledger and vm-cc +- Enforces governance via REQUIRE_CONFIRM and DRY_RUN defaults + +## Skill Catalog (16) +- backup-sovereign — encrypted backups + restore drill +- btc-anchor — Bitcoin anchoring +- cloudflare-tunnel-manager — Cloudflare tunnel lifecycle +- container-registry — registry operations +- disaster-recovery — DR orchestration +- dns-sovereign — DNS management +- eth-anchor — Ethereum anchoring +- gitea-bootstrap — Git server setup +- hetzner-bootstrap — Hetzner provisioning +- merkle-forest — Merkle tree ops and proof verification +- node-hardening — node security hardening +- operator-bootstrap — operator initialization +- proof-verifier — cryptographic proof verification +- rfc3161-anchor — RFC3161 legal timestamping +- secrets-vault — secrets management +- root-coordinator — master coordinator/composer + +## Execution Model +- preflight: environment and tool checks +- plan: dry-run steps (DRY_RUN=1 default) +- apply: gated by REQUIRE_CONFIRM + CONFIRM_PHRASE +- proof: generate BLAKE3 receipt (when defined) +- verify: assert success (includes restore drills where applicable) +- report: produce audit/compliance output (99_report.sh) + +## Safety & Compliance +- Confirmation required for mutations; DRY_RUN-first workflow +- Receipts chain via BLAKE3; restore drill mandatory for backup-sovereign +- EU/GDPR metadata present in configs (data_residency, jurisdiction, gdpr_applicable) + +## Integration via vm-mcp +- Claude → cognitive_invoke_skill → config.json phases → scripts +- Outputs flow to vm-ledger (receipts) and vm-cc (evidence aggregation) + +## Quickstart +```bash +cd vm-skills//scripts +./00_preflight.sh +./10_*_plan.sh +./11_*_apply.sh # 
requires confirmation +./30_generate_proof.sh # when present +./50_restore_drill.sh # backup-sovereign +./90_verify.sh && ./99_report.sh +``` + +## Reports & Evidence +- Reports live alongside scripts as 99_report.sh outputs +- BLAKE3 receipts accompany mutations; suitable for vm-cc ingestion
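Review bot: The Quickstart's `cd vm-skills//scripts` has an empty path component between the slashes, so a reader cannot tell which directory to enter; since the catalog lists 16 per-skill directories, if a skill name belongs there the README should show it explicitly rather than leaving the path ambiguous. Related gap in the Execution Model and Safety sections: apply is described as gated by REQUIRE_CONFIRM and CONFIRM_PHRASE with a DRY_RUN=1 default, but the README never states what values those variables must be set to for a real apply, what happens when they are unset, or which skills define a proof stage ("when defined"); a short table of these variables and the proof/restore-drill coverage per skill would make the stated safety guarantees checkable from the document alone.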