Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

eth-anchor/SKILL.md

@@ -0,0 +1,85 @@
+---
+name: eth-anchor
+description: >
+  Anchor a Merkle root (root_hex) to Ethereum using a minimal calldata transaction,
+  emit PROOF.json + tx metadata, with plan/apply/rollback and verification.
+  Consumes merkle-forest ROOT.txt (or explicit ROOT_HEX). Triggers: 'eth anchor',
+  'anchor root on ethereum', 'calldata tx', 'proof on chain'.
+version: 1.0.0
+---
+
+# ETH Anchor (Calldata TX)
+
+This skill anchors a **root_hex** to Ethereum by sending a small transaction
+with the root embedded in **data** (calldata). It outputs a proof receipt
+linking **ROOT.txt → tx hash → chain**.
+
+## Requirements
+- `cast` (Foundry) **or** `ethers`-compatible RPC with `curl` is possible; v1 uses `cast`.
+- RPC URL for the target network.
+- A funded private key (hot key) OR hardware wallet workflow (not implemented in v1).
+
+## Quick Start
+
+```bash
+cd ~/.claude/skills/eth-anchor
+
+# inputs
+export ROOT_FILE="$HOME/.claude/skills/merkle-forest/outputs/runs/<run>/ROOT.txt"
+# or: export ROOT_HEX="..."
+
+# chain
+export ETH_RPC_URL="https://..."
+export CHAIN_ID=1                     # 1 mainnet, 11155111 sepolia, etc
+export TO_ADDRESS="0x0000000000000000000000000000000000000000"  # burn/null is fine for data-only tx
+
+# signer
+export ETH_PRIVATE_KEY="0x..."        # ensure funded
+
+# safety
+export DRY_RUN=1
+export REQUIRE_CONFIRM=1
+export CONFIRM_PHRASE="I UNDERSTAND THIS WILL SEND AN ETH TRANSACTION"
+
+./scripts/00_preflight.sh
+./scripts/10_plan.sh
+
+export DRY_RUN=0
+./scripts/11_apply.sh
+
+./scripts/90_verify.sh
+./scripts/99_report.sh
+```
+
+## Inputs
+
+| Parameter | Required | Default | Description |
+|---|---:|---|---|
+| ROOT_FILE | No | (empty) | Path to ROOT.txt from merkle-forest |
+| ROOT_HEX | No | (empty) | Explicit root hex (overrides ROOT_FILE) |
+| ETH_RPC_URL | Yes | (none) | RPC endpoint |
+| CHAIN_ID | No | 1 | Chain id |
+| TO_ADDRESS | No | 0x000…000 | Recipient (data-only tx) |
+| GAS_LIMIT | No | 60000 | Gas limit |
+| VALUE_WEI | No | 0 | Value to send (normally 0) |
+| ETH_PRIVATE_KEY | Yes | (none) | Hot key for signing (v1) |
+| DRY_RUN | No | 1 | Apply refuses unless DRY_RUN=0 |
+| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
+| CONFIRM_PHRASE | No | I UNDERSTAND THIS WILL SEND AN ETH TRANSACTION | Safety phrase |
+
+## Outputs (per run)
+
+`outputs/runs/<label>_<timestamp>/`
+- `root_hex.txt`
+- `tx_hash.txt`
+- `tx_receipt.json`
+- `PROOF.json`
+- `status_matrix.json`
+- `audit_report.md`
+
+## Notes
+- Data payload: `0x` + `root_hex` (32 bytes / 64 hex). If root_hex is not 32 bytes, v1 right-pads to 32 bytes.
+- This is a simple anchor. If you later want "contract-based attestations", we can add an EAS backend.
+
+## EU Compliance
+EU (Ireland - Dublin), Irish jurisdiction. Anchors are public chain data.

eth-anchor/config.json

@@ -0,0 +1,40 @@
+{
+  "name": "eth-anchor",
+  "version": "1.0.0",
+  "defaults": {
+    "CHAIN_ID": "1",
+    "TO_ADDRESS": "0x0000000000000000000000000000000000000000",
+    "GAS_LIMIT": "60000",
+    "VALUE_WEI": "0",
+    "DRY_RUN": "1",
+    "REQUIRE_CONFIRM": "1",
+    "CONFIRM_PHRASE": "I UNDERSTAND THIS WILL SEND AN ETH TRANSACTION"
+  },
+  "phases": {
+    "preflight": [
+      "00_preflight.sh"
+    ],
+    "eth": {
+      "plan": [
+        "10_plan.sh"
+      ],
+      "apply": [
+        "11_apply.sh"
+      ],
+      "rollback": [
+        "rollback/undo_last_run.sh"
+      ]
+    },
+    "verify": [
+      "90_verify.sh"
+    ],
+    "report": [
+      "99_report.sh"
+    ]
+  },
+  "eu_compliance": {
+    "data_residency": "EU",
+    "jurisdiction": "Ireland",
+    "gdpr_applicable": true
+  }
+}

eth-anchor/references/eth_anchor_notes.md

@@ -0,0 +1,12 @@
+# ETH Anchor Notes
+
+## Method
+v1 anchors by sending a normal transaction with calldata set to 32-byte root.
+
+- to: 0x000...000 (null) by default
+- value: 0
+- data: 0x + root_hex (padded/truncated to 32 bytes)
+
+## Security
+- Prefer a dedicated small hot key funded only for anchoring.
+- For mainnet, consider hardware wallet signing in a later version.

eth-anchor/scripts/00_preflight.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${ETH_RPC_URL:=}"
+: "${ETH_PRIVATE_KEY:=}"
+
+main() {
+  need date
+  need mkdir
+  need cat
+  need grep
+  need cut
+  need tr
+  need cast
+
+  [[ -n "$ETH_RPC_URL" ]] || die "ETH_RPC_URL is required."
+  [[ -n "$ETH_PRIVATE_KEY" ]] || die "ETH_PRIVATE_KEY is required (v1)."
+
+  # sanity ping
+  cast chain-id --rpc-url "$ETH_RPC_URL" >/dev/null 2>&1 || die "RPC not reachable."
+  log_info "Preflight OK."
+}
+main "$@"

eth-anchor/scripts/10_plan.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${ETH_RPC_URL:=}"
+: "${CHAIN_ID:=1}"
+: "${TO_ADDRESS:=0x0000000000000000000000000000000000000000}"
+: "${GAS_LIMIT:=60000}"
+: "${VALUE_WEI:=0}"
+
+main() {
+  root_hex="$(read_root_hex)"
+  payload="$(pad_to_32_bytes_hex "$root_hex")"
+  echo "[PLAN] $(date -Iseconds) ETH Anchor"
+  echo "[PLAN] Chain ID (desired): $CHAIN_ID"
+  echo "[PLAN] RPC chain-id (actual): $(cast chain-id --rpc-url "$ETH_RPC_URL" 2>/dev/null || echo '?')"
+  echo "[PLAN] To: $TO_ADDRESS"
+  echo "[PLAN] Value (wei): $VALUE_WEI"
+  echo "[PLAN] Gas limit: $GAS_LIMIT"
+  echo "[PLAN] Root (raw): $root_hex"
+  echo "[PLAN] Calldata: 0x$payload"
+  echo "[PLAN] Next: export DRY_RUN=0 && ./scripts/11_apply.sh"
+}
+main "$@"

eth-anchor/scripts/11_apply.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${ETH_RPC_URL:=}"
+: "${CHAIN_ID:=1}"
+: "${TO_ADDRESS:=0x0000000000000000000000000000000000000000}"
+: "${GAS_LIMIT:=60000}"
+: "${VALUE_WEI:=0}"
+: "${ETH_PRIVATE_KEY:=}"
+: "${LABEL:=eth-anchor}"
+
+main() {
+  confirm_gate
+  [[ -n "$ETH_RPC_URL" ]] || die "ETH_RPC_URL required."
+  [[ -n "$ETH_PRIVATE_KEY" ]] || die "ETH_PRIVATE_KEY required."
+
+  mkdir -p "$SKILL_ROOT/outputs/runs"
+  ts="$(date -Iseconds | tr ':' '-')"
+  run_dir="$SKILL_ROOT/outputs/runs/${LABEL}_${ts}"
+  mkdir -p "$run_dir"
+
+  root_hex="$(read_root_hex)"
+  payload="$(pad_to_32_bytes_hex "$root_hex")"
+  echo "$root_hex" > "$run_dir/root_hex.txt"
+
+  # send tx
+  log_info "Sending calldata tx..."
+  tx_hash="$(cast send --rpc-url "$ETH_RPC_URL" --private-key "$ETH_PRIVATE_KEY" \
+    --gas-limit "$GAS_LIMIT" --value "$VALUE_WEI" \
+    "$TO_ADDRESS" "0x$payload" | awk '/transactionHash/ {print $2}' | tr -d '\r' || true)"
+
+  # cast output format varies; fallback: take last 0x... in output
+  if [[ -z "$tx_hash" ]]; then
+    tx_hash="$(cast send --rpc-url "$ETH_RPC_URL" --private-key "$ETH_PRIVATE_KEY" \
+      --gas-limit "$GAS_LIMIT" --value "$VALUE_WEI" \
+      "$TO_ADDRESS" "0x$payload" 2>/dev/null | grep -Eo '0x[a-fA-F0-9]{64}' | tail -n1 || true)"
+  fi
+  [[ -n "$tx_hash" ]] || die "Unable to parse tx hash from cast output."
+
+  echo "$tx_hash" > "$run_dir/tx_hash.txt"
+
+  log_info "Fetching receipt..."
+  cast receipt --rpc-url "$ETH_RPC_URL" "$tx_hash" --json > "$run_dir/tx_receipt.json" || true
+
+  cat > "$run_dir/PROOF.json" <<EOF
+{
+  "skill": "eth-anchor",
+  "version": "1.0.0",
+  "timestamp": "$(date -Iseconds)",
+  "chain_id": "$(cast chain-id --rpc-url "$ETH_RPC_URL")",
+  "to": "$TO_ADDRESS",
+  "value_wei": "$VALUE_WEI",
+  "gas_limit": "$GAS_LIMIT",
+  "root_hex": "$(json_escape "$root_hex")",
+  "calldata": "0x$payload",
+  "tx_hash": "$(json_escape "$tx_hash")",
+  "artifacts": {
+    "root_hex_file": "root_hex.txt",
+    "tx_hash_file": "tx_hash.txt",
+    "tx_receipt": "tx_receipt.json"
+  }
+}
+EOF
+
+  echo "$run_dir" > "$SKILL_ROOT/outputs/last_run_dir.txt"
+  log_info "Anchored on ETH. tx=$tx_hash"
+  log_info "Run dir: $run_dir"
+}
+main "$@"

eth-anchor/scripts/90_verify.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${ETH_RPC_URL:=}"
+
+main() {
+  [[ -f "$SKILL_ROOT/outputs/last_run_dir.txt" ]] || die "No last run. Run 11_apply.sh first."
+  run_dir="$(cat "$SKILL_ROOT/outputs/last_run_dir.txt")"
+  status="$run_dir/status_matrix.json"
+  ok_proof=false; ok_tx=false; ok_receipt=false
+
+  [[ -f "$run_dir/PROOF.json" ]] && ok_proof=true
+  if [[ -f "$run_dir/tx_hash.txt" ]]; then
+    tx="$(cat "$run_dir/tx_hash.txt")"
+    [[ -n "$tx" ]] && ok_tx=true
+    if cast receipt --rpc-url "$ETH_RPC_URL" "$tx" >/dev/null 2>&1; then
+      ok_receipt=true
+    fi
+  fi
+
+  blockers="[]"
+  if [[ "$ok_tx" != "true" ]]; then blockers='["missing_tx_hash"]'
+  elif [[ "$ok_receipt" != "true" ]]; then blockers='["tx_receipt_not_found_yet"]'
+  fi
+
+  cat > "$status" <<EOF
+{
+  "skill": "eth-anchor",
+  "timestamp": "$(date -Iseconds)",
+  "run_dir": "$(json_escape "$run_dir")",
+  "checks": [
+    {"name":"proof_present", "ok": $ok_proof},
+    {"name":"tx_hash_present", "ok": $ok_tx},
+    {"name":"tx_receipt_found", "ok": $ok_receipt}
+  ],
+  "blockers": $blockers,
+  "warnings": [],
+  "next_steps": ["btc-anchor (optional stronger finality)", "proof-verifier"]
+}
+EOF
+  log_info "Wrote $status"
+  cat "$status"
+}
+main "$@"

eth-anchor/scripts/99_report.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+source "$SCRIPT_DIR/_common.sh"
+
+main() {
+  [[ -f "$SKILL_ROOT/outputs/last_run_dir.txt" ]] || die "No last run."
+  run_dir="$(cat "$SKILL_ROOT/outputs/last_run_dir.txt")"
+  report="$run_dir/audit_report.md"
+  status="$run_dir/status_matrix.json"
+  tx="$(cat "$run_dir/tx_hash.txt" 2>/dev/null || true)"
+  root_hex="$(cat "$run_dir/root_hex.txt" 2>/dev/null || true)"
+
+  cat > "$report" <<EOF
+# ETH Anchor Audit Report
+
+**Generated:** $(date -Iseconds)  
+**Run Dir:** \`$run_dir\`  
+**TX Hash:** \`$tx\`  
+**Root Hex:** \`$root_hex\`  
+**Skill Version:** 1.0.0
+
+## Status Matrix
+
+$(if [[ -f "$status" ]]; then echo '```json'; cat "$status"; echo '```'; else echo "_Missing status_matrix.json_"; fi)
+
+## EU Compliance
+
+EU (Ireland - Dublin), Irish jurisdiction. Anchors are public chain data.
+EOF
+
+  log_info "Wrote $report"
+  cat "$report"
+}
+main "$@"

eth-anchor/scripts/_common.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -euo pipefail
+log_info(){ echo "[INFO]  $(date -Iseconds) $*"; }
+log_warn(){ echo "[WARN]  $(date -Iseconds) $*" >&2; }
+log_error(){ echo "[ERROR] $(date -Iseconds) $*" >&2; }
+die(){ log_error "$*"; exit 1; }
+need(){ command -v "$1" >/dev/null 2>&1 || die "Missing required tool: $1"; }
+
+confirm_gate() {
+  : "${DRY_RUN:=1}"
+  : "${REQUIRE_CONFIRM:=1}"
+  : "${CONFIRM_PHRASE:=I UNDERSTAND THIS WILL SEND AN ETH TRANSACTION}"
+  [[ "$DRY_RUN" == "0" ]] || die "DRY_RUN=$DRY_RUN (set DRY_RUN=0)."
+  if [[ "$REQUIRE_CONFIRM" == "1" ]]; then
+    echo "Type to confirm:"
+    echo "  $CONFIRM_PHRASE"
+    read -r input
+    [[ "$input" == "$CONFIRM_PHRASE" ]] || die "Confirmation phrase mismatch."
+  fi
+}
+
+json_escape() {
+  local s="$1"
+  s="${s//\\/\\\\}"; s="${s//\"/\\\"}"; s="${s//$'\n'/\\n}"
+  printf "%s" "$s"
+}
+
+read_root_hex() {
+  # precedence: ROOT_HEX, else parse ROOT_FILE
+  : "${ROOT_HEX:=}"
+  : "${ROOT_FILE:=}"
+  if [[ -n "$ROOT_HEX" ]]; then
+    echo "$ROOT_HEX"
+    return 0
+  fi
+  [[ -n "$ROOT_FILE" ]] || die "Set ROOT_HEX or ROOT_FILE."
+  [[ -f "$ROOT_FILE" ]] || die "ROOT_FILE not found: $ROOT_FILE"
+  local rh
+  rh="$(grep '^root_hex=' "$ROOT_FILE" | head -n1 | cut -d= -f2)"
+  [[ -n "$rh" ]] || die "Could not parse root_hex from ROOT_FILE."
+  echo "$rh"
+}
+
+pad_to_32_bytes_hex() {
+  # expects hex without 0x
+  local h="$1"
+  h="${h#0x}"
+  # limit to 64, pad right with zeros if shorter (simple deterministic padding)
+  if [[ ${#h} -gt 64 ]]; then
+    echo "${h:0:64}"
+  else
+    printf "%-64s" "$h" | tr ' ' '0'
+  fi
+}

eth-anchor/scripts/rollback/undo_last_run.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$(dirname "$SCRIPT_DIR")")"
+source "$SKILL_ROOT/scripts/_common.sh"
+
+main() {
+  confirm_gate
+  if [[ ! -f "$SKILL_ROOT/outputs/last_run_dir.txt" ]]; then
+    log_warn "No last run; nothing to undo."
+    exit 0
+  fi
+  run_dir="$(cat "$SKILL_ROOT/outputs/last_run_dir.txt")"
+  log_warn "Removing last run artifacts (cannot undo on-chain tx): $run_dir"
+  rm -rf "$run_dir" || true
+  rm -f "$SKILL_ROOT/outputs/last_run_dir.txt" || true
+  log_info "Local rollback complete (on-chain tx remains)."
+}
+main "$@"