Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

node-hardening/scripts/00_preflight.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_NAME="$(basename "$0")"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"
+
+log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }
+log_warn()  { echo "[WARN]  $(date -Iseconds) $*" >&2; }
+log_error() { echo "[ERROR] $(date -Iseconds) $*" >&2; }
+die()       { log_error "$@"; exit 1; }
+
+check_dependency() {
+  if command -v "$1" &>/dev/null; then
+    log_info "Found: $1 ($(command -v "$1"))"
+    return 0
+  else
+    log_warn "Missing: $1"
+    return 1
+  fi
+}
+
+is_ssh_session() {
+  [[ -n "${SSH_CONNECTION:-}" || -n "${SSH_CLIENT:-}" ]]
+}
+
+main() {
+  mkdir -p "$OUTPUT_DIR" "$BACKUP_DIR"
+  log_info "Starting $SCRIPT_NAME"
+
+  local missing=0
+
+  log_info "=== Required Dependencies ==="
+  check_dependency sudo || ((missing++))
+  check_dependency systemctl || ((missing++))
+  check_dependency ss || check_dependency netstat || log_warn "No ss/netstat (network inspection limited)"
+  check_dependency awk || ((missing++))
+  check_dependency sed || ((missing++))
+  check_dependency grep || ((missing++))
+
+  log_info "=== Hardening Tooling (may be installed during apply) ==="
+  check_dependency ufw || log_warn "ufw not installed (apply can install)"
+  check_dependency sshd || check_dependency ssh || log_warn "sshd binary not found (service may still exist)"
+  check_dependency fail2ban-client || log_warn "fail2ban not installed (apply can install)"
+  check_dependency auditctl || log_warn "auditd not installed (apply can install)"
+
+  log_info "=== Session Context ==="
+  if is_ssh_session; then
+    log_warn "Detected SSH session: ${SSH_CONNECTION:-${SSH_CLIENT:-unknown}}"
+    log_warn "Recommendation: keep a second session open before applying changes."
+  else
+    log_info "No SSH session detected (console/local run)"
+  fi
+
+  log_info "=== Privilege Check ==="
+  if sudo -n true 2>/dev/null; then
+    log_info "sudo is available without password prompt (non-interactive)"
+  else
+    log_info "sudo may prompt for password (interactive)"
+  fi
+
+  log_info "=== Parameters (defaults if unset) ==="
+  log_info "SSH_PORT=${SSH_PORT:-22}"
+  log_info "ALLOW_HTTP=${ALLOW_HTTP:-true}"
+  log_info "ALLOW_HTTPS=${ALLOW_HTTPS:-true}"
+  log_info "DRY_RUN=${DRY_RUN:-1} (apply scripts require DRY_RUN=0)"
+
+  if [[ $missing -gt 0 ]]; then
+    die "Missing $missing required dependencies. Install them before proceeding."
+  fi
+
+  log_info "Completed $SCRIPT_NAME"
+}
+
+[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"