Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

hetzner-bootstrap/SKILL.md

@@ -0,0 +1,87 @@
+---
+name: hetzner-bootstrap
+description: >
+  Bootstrap a Hetzner-hosted Ubuntu/Debian node for sovereign operations:
+  base packages, sovereign user, hostname, UFW, SSH hardening (reload-safe),
+  cloudflared install, and WireGuard scaffold. Plan/apply/rollback with DRY_RUN.
+  Triggers: 'bootstrap hetzner', 'server prep', 'hetzner node a', 'wireguard setup',
+  'install cloudflared', 'ufw + ssh hardening'.
+version: 1.1.0
+---
+
+# Hetzner Bootstrap (Node A)
+
+This skill turns a fresh Hetzner server into a VaultMesh-ready node using the
+exact safe sequence you specified:
+
+- Update + install dependencies
+- Install **cloudflared** (Cloudflare repo)
+- Create `sovereign` user + SSH authorized key
+- Set hostname
+- Configure UFW (WireGuard port opened **before** enable)
+- Harden SSH (disable root + passwords) using **reload** (not restart)
+- Scaffold WireGuard keys + `wg0.conf`
+
+## Safety model
+- **DRY_RUN=1** by default; apply scripts refuse unless `DRY_RUN=0`.
+- **CONFIRM_PHRASE** required for apply steps.
+- SSH changes use `sshd -t` validation and `systemctl reload` to avoid session loss.
+- WireGuard private key is root-owned and `0600`.
+
+## Quick Start
+
+Run as **root** on the server:
+
+```bash
+cd ~/.codex/skills/hetzner-bootstrap  # or ~/.codex/skills/hetzner-bootstrap  # or ~/.claude/skills/hetzner-bootstrap
+
+export SERVER_IP="46.224.119.129"
+export NODE_NAME="vm-de-op"
+export SOVEREIGN_USER="sovereign"
+export SSH_PUBLIC_KEY="ssh-ed25519 AAAA... hetzner-sovereign-YYYYMMDD"
+
+# Optional tuning
+export WG_PORT="51820"
+export WG_CIDR="10.200.0.1/24"
+
+./scripts/00_preflight.sh
+./scripts/10_plan.sh
+
+export DRY_RUN=0
+./scripts/11_apply.sh
+
+# Optional: scaffold WireGuard (root)
+./scripts/20_wireguard_plan.sh
+export DRY_RUN=0
+./scripts/21_wireguard_apply.sh
+
+./scripts/90_verify.sh
+./scripts/99_report.sh
+```
+
+## Inputs
+
+| Parameter | Required | Default | Description |
+|---|---:|---|---|
+| NODE_NAME | Yes | (none) | Hostname to set (e.g. vm-de-op) |
+| SOVEREIGN_USER | No | sovereign | User to create |
+| SSH_PUBLIC_KEY | Yes | (none) | Public key to authorize for sovereign |
+| SSH_PORT | No | 22 | SSH port to allow in UFW (auto-detected if unset) |
+| ALLOW_SSH_FALLBACK_22 | No | true | Safety: keep 22/tcp open if SSH_PORT != 22 |
+| WG_PORT | No | 51820 | WireGuard listen port |
+| WG_CIDR | No | 10.200.0.1/24 | WireGuard interface address |
+| INSTALL_CLOUDFLARED | No | true | Install cloudflared from Cloudflare apt repo |
+| INSTALL_WIREGUARD | No | true | Install wireguard package |
+| DRY_RUN | No | 1 | Apply refuses unless DRY_RUN=0 |
+| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
+| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN AFFECT REMOTE ACCESS | Safety phrase |
+
+## Outputs
+
+- `outputs/status_matrix.json`
+- `outputs/audit_report.md`
+- `outputs/backups/*` (sshd_config, ufw before, etc.)
+
+## Notes
+- After Phase 11 apply, **open a second SSH session** as the sovereign user.
+- Only after confirming sovereign access should you close the root session.