Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/backup-sovereign/scripts/90_verify.sh
+++ b/backup-sovereign/scripts/90_verify.sh
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# === METADATA ===
+SCRIPT_NAME="$(basename "$0")"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+CHECKS_DIR="$SKILL_ROOT/checks"
+
+# === CONFIGURATION ===
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+: "${NODE_NAME:=node-a}"
+
+# === FUNCTIONS ===
+log_info() { echo "[INFO]  $(date -Iseconds) $*"; }
+die()      { echo "[ERROR] $(date -Iseconds) $*" >&2; exit 1; }
+
+run_check() {
+    local script="$1"
+    if [[ -x "$CHECKS_DIR/$script" ]]; then
+        if "$CHECKS_DIR/$script" &>/dev/null; then
+            echo "true"
+        else
+            echo "false"
+        fi
+    else
+        echo "skip"
+    fi
+}
+
+main() {
+    local last_run_file="$OUTPUT_DIR/last_run_dir.txt"
+    [[ -f "$last_run_file" ]] || die "No last run pointer. Run 11_backup_apply.sh first."
+
+    local run_dir
+    run_dir="$(cat "$last_run_file")"
+
+    mkdir -p "$OUTPUT_DIR"
+    local status="$OUTPUT_DIR/status_matrix.json"
+
+    # Check artifacts
+    local has_archive has_encrypted has_manifest has_proof has_root has_restore
+
+    [[ -f "$run_dir/archive.tar.gz" ]] && has_archive="true" || has_archive="false"
+    [[ -f "$run_dir/archive.tar.gz.age" ]] && has_encrypted="true" || has_encrypted="false"
+    [[ -f "$run_dir/manifest.json" ]] && has_manifest="true" || has_manifest="false"
+    [[ -f "$run_dir/PROOF.json" ]] && has_proof="true" || has_proof="false"
+    [[ -f "$run_dir/ROOT.txt" ]] && has_root="true" || has_root="false"
+    [[ -f "$run_dir/last_restore_dir.txt" ]] && has_restore="true" || has_restore="false"
+
+    # Run check scripts
+    local tools_ok space_ok restore_ok
+    tools_ok=$(run_check "check_tools.sh")
+    space_ok=$(run_check "check_space.sh")
+    restore_ok=$(run_check "check_restore.sh")
+
+    # Determine blockers and warnings
+    local blockers="" warnings="" next_steps=""
+
+    if [[ "$has_restore" == "false" ]]; then
+        blockers="${blockers}\"Restore drill not completed\","
+    fi
+    if [[ "$has_encrypted" == "false" ]]; then
+        blockers="${blockers}\"Archive not encrypted\","
+    fi
+    if [[ "$has_manifest" == "false" ]]; then
+        warnings="${warnings}\"Manifest missing\","
+    fi
+    if [[ "$has_proof" == "false" ]]; then
+        warnings="${warnings}\"Proof receipts missing\","
+    fi
+
+    # Determine next steps
+    if [[ "$has_restore" == "true" && "$has_encrypted" == "true" ]]; then
+        next_steps="${next_steps}\"Store encrypted bundle off-node\","
+        next_steps="${next_steps}\"Anchor ROOT.txt with rfc3161-anchor\","
+        next_steps="${next_steps}\"Proceed to disaster-recovery skill\","
+    else
+        if [[ "$has_encrypted" == "false" ]]; then
+            next_steps="${next_steps}\"Run 21_encrypt_apply.sh\","
+        fi
+        if [[ "$has_restore" == "false" ]]; then
+            next_steps="${next_steps}\"Run 50_restore_drill.sh (MANDATORY)\","
+        fi
+    fi
+
+    # Remove trailing commas
+    blockers="[${blockers%,}]"
+    warnings="[${warnings%,}]"
+    next_steps="[${next_steps%,}]"
+
+    # Get ROOT value if exists
+    local root_value="null"
+    if [[ -f "$run_dir/ROOT.txt" ]]; then
+        root_value="\"$(cat "$run_dir/ROOT.txt")\""
+    fi
+
+    cat > "$status" <<EOF
+{
+  "skill": "backup-sovereign",
+  "node": "$NODE_NAME",
+  "timestamp": "$(date -Iseconds)",
+  "run_dir": "$run_dir",
+  "root": $root_value,
+  "checks": {
+    "archive": $has_archive,
+    "encrypted": $has_encrypted,
+    "manifest": $has_manifest,
+    "proof": $has_proof,
+    "root": $has_root,
+    "restore_drill": $has_restore,
+    "tools": $tools_ok,
+    "space": $space_ok
+  },
+  "blockers": $blockers,
+  "warnings": $warnings,
+  "next_steps": $next_steps
+}
+EOF
+
+    log_info "Wrote status matrix: $status"
+    echo ""
+    echo "============================================"
+    echo "  VERIFICATION SUMMARY"
+    echo "============================================"
+    echo ""
+    echo "  Archive:       $has_archive"
+    echo "  Encrypted:     $has_encrypted"
+    echo "  Manifest:      $has_manifest"
+    echo "  Proof:         $has_proof"
+    echo "  ROOT:          $has_root"
+    echo "  Restore Drill: $has_restore"
+    echo ""
+
+    # Return success only if restore drill passed
+    [[ "$has_restore" == "true" ]]
+}
+
+[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"