Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

merkle-forest/scripts/11_apply.sh

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${INPUT_DIR:=}"
+: "${INPUT_FILES:=}"
+: "${EXCLUDES:=.git,node_modules,target,dist,outputs}"
+: "${LABEL:=snapshot}"
+: "${NODE_NAME:=node-a}"
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+
+build_file_list() {
+  local out="$1"
+  local find_args=()
+  IFS=',' read -r -a ex <<< "$EXCLUDES"
+  for pat in "${ex[@]}"; do [[ -n "$pat" ]] && find_args+=( -not -path "*/$pat/*" ); done
+
+  if [[ -n "$INPUT_FILES" ]]; then
+    : > "$out"
+    IFS=',' read -r -a files <<< "$INPUT_FILES"
+    for f in "${files[@]}"; do
+      f="${f#"${f%%[![:space:]]*}"}"; f="${f%"${f##*[![:space:]]}"}"
+      [[ -f "$f" ]] || die "Not a file: $f"
+      echo "$f" >> "$out"
+    done
+  else
+    (cd "$INPUT_DIR" && find . -type f "${find_args[@]}" | sed 's|^\./||') > "$out.rel"
+    awk -v root="$INPUT_DIR" '{print root "/" $0}' "$out.rel" > "$out"
+    rm -f "$out.rel"
+  fi
+  sort -u "$out" -o "$out"
+}
+
+main() {
+  confirm_gate
+  local hasher; hasher="$(pick_hasher)"
+  mkdir -p "$OUTPUT_DIR/runs"
+  local ts; ts="$(date -Iseconds | tr ':' '-')"
+  local run_dir="$OUTPUT_DIR/runs/${NODE_NAME}_${LABEL}_${ts}"
+  mkdir -p "$run_dir/levels"
+
+  local files="$run_dir/files.txt"
+  build_file_list "$files"
+  local n; n="$(wc -l < "$files" | tr -d ' ')"
+  [[ "$n" -gt 0 ]] || die "No files to hash."
+
+  local leaf="$run_dir/leaf_hashes.txt"
+  : > "$leaf"
+  while IFS= read -r f; do
+    h="$(hash_file "$hasher" "$f")"
+    printf "%s  %s\n" "$h" "$f" >> "$leaf"
+  done < "$files"
+  sort "$leaf" -o "$leaf"
+
+  awk '{print $1}' "$leaf" > "$run_dir/levels/level_0.txt"
+  local level=0 cur="$run_dir/levels/level_0.txt"
+  while true; do
+    local count; count="$(wc -l < "$cur" | tr -d ' ')"
+    [[ "$count" -le 1 ]] && break
+    local next="$run_dir/levels/level_$((level+1)).txt"
+    : > "$next"
+    mapfile -t arr < "$cur"
+    i=0
+    while [[ $i -lt ${#arr[@]} ]]; do
+      left="${arr[$i]}"
+      if [[ $((i+1)) -lt ${#arr[@]} ]]; then right="${arr[$((i+1))]}"; else right="$left"; fi
+      hash_pair_hex "$hasher" "$left" "$right" >> "$next"
+      echo "" >> "$next"
+      i=$((i+2))
+    done
+    grep -v '^$' "$next" > "$next.tmp" && mv "$next.tmp" "$next"
+    level=$((level+1)); cur="$next"
+  done
+
+  root_hex="$(head -n 1 "$cur")"
+  [[ -n "$root_hex" ]] || die "Failed to compute root."
+
+  cat > "$run_dir/ROOT.txt" <<EOF
+root_hex=$root_hex
+hasher=BLAKE3
+leaves=$n
+label=$LABEL
+node=$NODE_NAME
+timestamp=$(date -Iseconds)
+EOF
+
+  cat > "$run_dir/PROOF.json" <<EOF
+{
+  "skill": "merkle-forest",
+  "version": "1.0.0",
+  "timestamp": "$(date -Iseconds)",
+  "node": "$NODE_NAME",
+  "label": "$LABEL",
+  "hasher": "BLAKE3",
+  "leaf_count": $n,
+  "root_hex": "$root_hex",
+  "artifacts": {"root":"ROOT.txt","proof":"PROOF.json","leaf_hashes":"leaf_hashes.txt"}
+}
+EOF
+
+  echo "$run_dir" > "$OUTPUT_DIR/last_run_dir.txt"
+  log_info "Run created: $run_dir"
+  log_info "ROOT: $root_hex"
+}
+main "$@"