Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

operator-bootstrap/scripts/90_verify.sh

@@ -0,0 +1,181 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# === METADATA ===
+SCRIPT_NAME="$(basename "$0")"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+CHECKS_DIR="$SKILL_ROOT/checks"
+
+# === CONFIGURATION ===
+: "${NODE_NAME:=node-a}"
+: "${OPERATOR_EMAIL:=}"
+: "${GITOPS_ROOT:=$HOME/infrastructure}"
+: "${TUNNEL_NAME:=$NODE_NAME-tunnel}"
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+
+# === FUNCTIONS ===
+log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }
+log_warn()  { echo "[WARN]  $(date -Iseconds) $*" >&2; }
+log_error() { echo "[ERROR] $(date -Iseconds) $*" >&2; }
+
+preflight() {
+    GITOPS_ROOT="${GITOPS_ROOT/#\~/$HOME}"
+    [[ -d "$OUTPUT_DIR" ]] || mkdir -p "$OUTPUT_DIR"
+}
+
+check_gpg() {
+    if [[ -n "$OPERATOR_EMAIL" ]] && gpg --list-keys "$OPERATOR_EMAIL" &>/dev/null 2>&1; then
+        echo "true"
+    else
+        echo "false"
+    fi
+}
+
+check_ssh() {
+    if [[ -f "$HOME/.ssh/id_ed25519_${NODE_NAME}" ]]; then
+        echo "true"
+    else
+        echo "false"
+    fi
+}
+
+check_pass() {
+    if [[ -d "$HOME/.password-store" ]] && [[ -f "$HOME/.password-store/.gpg-id" ]]; then
+        echo "true"
+    else
+        echo "false"
+    fi
+}
+
+check_tunnel() {
+    if [[ -f "$HOME/.cloudflared/${TUNNEL_NAME}.json" ]]; then
+        echo "true"
+    else
+        echo "false"
+    fi
+}
+
+check_gitops() {
+    if [[ -d "$GITOPS_ROOT/config.git" ]] && \
+       [[ -d "$GITOPS_ROOT/secrets.git" ]] && \
+       [[ -d "$GITOPS_ROOT/manifests.git" ]]; then
+        echo "true"
+    else
+        echo "false"
+    fi
+}
+
+run_external_check() {
+    local check_script="$1"
+    if [[ -x "$CHECKS_DIR/$check_script" ]]; then
+        if "$CHECKS_DIR/$check_script" &>/dev/null; then
+            echo "true"
+        else
+            echo "false"
+        fi
+    else
+        echo "skip"
+    fi
+}
+
+generate_status_matrix() {
+    local status_file="$OUTPUT_DIR/status_matrix.json"
+
+    local gpg_ok=$(check_gpg)
+    local ssh_ok=$(check_ssh)
+    local pass_ok=$(check_pass)
+    local tunnel_ok=$(check_tunnel)
+    local gitops_ok=$(check_gitops)
+
+    # Build arrays for JSON
+    local blockers=""
+    local warnings=""
+    local next_steps=""
+
+    if [[ "$gpg_ok" == "false" ]]; then
+        blockers="${blockers}\"GPG key not found for $OPERATOR_EMAIL\","
+    fi
+    if [[ "$ssh_ok" == "false" ]]; then
+        blockers="${blockers}\"SSH keys not found at ~/.ssh/id_ed25519_${NODE_NAME}\","
+    fi
+    if [[ "$pass_ok" == "false" ]]; then
+        warnings="${warnings}\"Pass store not initialized\","
+    fi
+    if [[ "$tunnel_ok" == "false" ]]; then
+        warnings="${warnings}\"Cloudflare tunnel not configured\","
+    fi
+    if [[ "$gitops_ok" == "false" ]]; then
+        warnings="${warnings}\"GitOps repositories not created\","
+    fi
+
+    if [[ "$tunnel_ok" == "true" ]]; then
+        next_steps="${next_steps}\"Test tunnel: cloudflared tunnel --config ~/.cloudflared/config-${TUNNEL_NAME}.yml run\","
+    fi
+    if [[ "$gitops_ok" == "true" ]]; then
+        next_steps="${next_steps}\"Clone repos: git clone $GITOPS_ROOT/config.git ~/config\","
+    fi
+    if [[ "$gpg_ok" == "true" ]] && [[ "$ssh_ok" == "true" ]]; then
+        next_steps="${next_steps}\"Proceed to node-hardening skill\","
+    fi
+
+    # Remove trailing commas and wrap in arrays
+    blockers="[${blockers%,}]"
+    warnings="[${warnings%,}]"
+    next_steps="[${next_steps%,}]"
+
+    cat > "$status_file" <<EOF
+{
+  "timestamp": "$(date -Iseconds)",
+  "skill": "operator-bootstrap",
+  "node": "$NODE_NAME",
+  "checks": {
+    "gpg_key": $gpg_ok,
+    "ssh_keys": $ssh_ok,
+    "pass_store": $pass_ok,
+    "tunnel": $tunnel_ok,
+    "gitops_repos": $gitops_ok
+  },
+  "blockers": $blockers,
+  "warnings": $warnings,
+  "next_steps": $next_steps
+}
+EOF
+
+    log_info "Status matrix written to $status_file"
+
+    # Print summary
+    echo ""
+    echo "============================================"
+    echo "  VERIFICATION SUMMARY"
+    echo "============================================"
+    echo ""
+    echo "  GPG Key:      $gpg_ok"
+    echo "  SSH Keys:     $ssh_ok"
+    echo "  Pass Store:   $pass_ok"
+    echo "  Tunnel:       $tunnel_ok"
+    echo "  GitOps:       $gitops_ok"
+    echo ""
+
+    # Return success only if no blockers
+    if [[ "$gpg_ok" == "true" ]] && [[ "$ssh_ok" == "true" ]]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+main() {
+    preflight
+    log_info "Starting $SCRIPT_NAME..."
+
+    if generate_status_matrix; then
+        log_info "All critical checks passed"
+    else
+        log_warn "Some checks failed - review status matrix"
+    fi
+
+    log_info "Completed $SCRIPT_NAME"
+}
+
+[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"