Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/disaster-recovery/SKILL.md
+++ b/disaster-recovery/SKILL.md
@@ -0,0 +1,84 @@
+---
+name: disaster-recovery
+description: >
+  Restore runbook as executable checks. Validates recent backups, performs
+  safe, staged restore tests, and generates an audit report. Designed for
+  sovereign EU infrastructure. Triggers: 'disaster recovery', 'restore runbook',
+  'test restore', 'recovery drill', 'verify backups'.
+version: 1.0.0
+---
+
+# Disaster Recovery
+
+Tier 1 skill: convert restoration into **repeatable drills**.
+
+This skill assumes **backup-sovereign** produces run directories like:
+
+`backup-sovereign/outputs/runs/<node>_<label>_<timestamp>/`
+
+Each run should include:
+- `archive.tar.gz.age`
+- `manifest.json`
+- `ROOT.txt`
+- `PROOF.json`
+
+## Quick Start
+
+```bash
+export BACKUP_SKILL_DIR="$HOME/.claude/skills/backup-sovereign"
+export RUN_DIR=""                    # optional; auto-uses backup-sovereign pointer
+export DR_TARGET_BASE="$HOME/recovery-drills"
+export AGE_IDENTITY_FILE="$HOME/.config/age/keys.txt"
+
+export DRY_RUN=1
+export REQUIRE_CONFIRM=1
+export CONFIRM_PHRASE="I UNDERSTAND THIS CAN OVERWRITE RECOVERY TARGETS"
+
+./scripts/00_preflight.sh
+./scripts/10_validate_run.sh
+./scripts/20_restore_plan.sh
+
+export DRY_RUN=0
+./scripts/21_restore_apply.sh
+
+./scripts/30_verify_restored.sh
+./scripts/90_verify.sh
+./scripts/99_report.sh
+```
+
+## Inputs
+
+| Parameter | Required | Default | Description |
+|---|---:|---|---|
+| BACKUP_SKILL_DIR | Yes | (none) | Path to backup-sovereign skill |
+| RUN_DIR | No | (auto) | Backup run directory to restore |
+| DR_TARGET_BASE | No | ~/recovery-drills | Base directory for recovery drills |
+| AGE_IDENTITY_FILE | Yes | (none) | age private key file |
+| DRY_RUN | No | 1 | Apply scripts refuse unless DRY_RUN=0 |
+| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
+| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN OVERWRITE RECOVERY TARGETS | Safety phrase |
+
+## Outputs
+
+- `outputs/status_matrix.json`
+- `outputs/audit_report.md`
+- `outputs/last_drill_target.txt`
+
+## Safety Guarantees
+
+1. **Default DRY_RUN=1**
+2. **Confirmation phrase required**
+3. **Staged restore only** (never writes to system paths)
+4. **Pre-restore validation** (artifacts exist, ROOT recomputation)
+5. **Post-restore verification** (file counts + spot-check)
+
+## EU Compliance
+
+| Aspect | Value |
+|---|---|
+| Data Residency | EU (Ireland - Dublin) |
+| Jurisdiction | Irish Law |
+| Encryption | age |
+
+## References
+- [Recovery Playbook](references/recovery_playbook.md)