Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/operator-bootstrap/scripts/99_report.sh
+++ b/operator-bootstrap/scripts/99_report.sh
@@ -0,0 +1,197 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# === METADATA ===
+SCRIPT_NAME="$(basename "$0")"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+
+# === CONFIGURATION ===
+: "${NODE_NAME:=node-a}"
+: "${OPERATOR_NAME:=Unknown Operator}"
+: "${OPERATOR_EMAIL:=unknown@example.com}"
+: "${DOMAIN:=example.com}"
+: "${GITOPS_ROOT:=$HOME/infrastructure}"
+: "${TUNNEL_NAME:=$NODE_NAME-tunnel}"
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+
+# === FUNCTIONS ===
+log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }
+
+preflight() {
+    GITOPS_ROOT="${GITOPS_ROOT/#\~/$HOME}"
+    [[ -d "$OUTPUT_DIR" ]] || mkdir -p "$OUTPUT_DIR"
+}
+
+get_gpg_fingerprint() {
+    gpg --list-keys --with-colons "$OPERATOR_EMAIL" 2>/dev/null | \
+        grep fpr | head -1 | cut -d: -f10 || echo "Not configured"
+}
+
+get_ssh_key_count() {
+    ls -1 "$HOME/.ssh/id_"*"_${NODE_NAME}" 2>/dev/null | wc -l || echo "0"
+}
+
+get_pass_status() {
+    if [[ -d "$HOME/.password-store" ]]; then
+        echo "Initialized ($(cat "$HOME/.password-store/.gpg-id" 2>/dev/null || echo "unknown GPG ID"))"
+    else
+        echo "Not initialized"
+    fi
+}
+
+get_tunnel_status() {
+    if [[ -f "$HOME/.cloudflared/config-${TUNNEL_NAME}.yml" ]]; then
+        echo "Configured"
+    else
+        echo "Not configured"
+    fi
+}
+
+get_gitops_status() {
+    local count=0
+    [[ -d "$GITOPS_ROOT/config.git" ]] && ((count++))
+    [[ -d "$GITOPS_ROOT/secrets.git" ]] && ((count++))
+    [[ -d "$GITOPS_ROOT/manifests.git" ]] && ((count++))
+    echo "$count/3 repositories"
+}
+
+main() {
+    preflight
+    log_info "Starting $SCRIPT_NAME..."
+
+    local report="$OUTPUT_DIR/audit_report.md"
+    local status_file="$OUTPUT_DIR/status_matrix.json"
+
+    cat > "$report" <<EOF
+# Operator Bootstrap Audit Report
+
+**Generated:** $(date -Iseconds)
+**Node:** $NODE_NAME
+**Operator:** $OPERATOR_NAME <$OPERATOR_EMAIL>
+**Skill Version:** 1.0.0
+
+---
+
+## Executive Summary
+
+This report documents the bootstrap operations performed on **$NODE_NAME**
+for sovereign EU infrastructure deployment.
+
+---
+
+## Components Status
+
+### 1. Identity
+
+| Component | Status |
+|-----------|--------|
+| GPG Key | $(get_gpg_fingerprint) |
+| SSH Keys | $(get_ssh_key_count) key pair(s) |
+| SSH Config | $(grep -q "Host $NODE_NAME" "$HOME/.ssh/config" 2>/dev/null && echo "Updated" || echo "Not updated") |
+
+### 2. Secrets Management
+
+| Component | Status |
+|-----------|--------|
+| Pass Store | $(get_pass_status) |
+| Location | ~/.password-store |
+
+### 3. Cloudflare Tunnel
+
+| Component | Status |
+|-----------|--------|
+| Tunnel Name | $TUNNEL_NAME |
+| Configuration | $(get_tunnel_status) |
+| SSH Endpoint | ssh.$DOMAIN |
+
+### 4. GitOps Repositories
+
+| Component | Status |
+|-----------|--------|
+| Repository Count | $(get_gitops_status) |
+| Root Directory | $GITOPS_ROOT |
+
+---
+
+## Verification Results
+
+$(if [[ -f "$status_file" ]]; then
+    echo '```json'
+    cat "$status_file"
+    echo '```'
+else
+    echo "Status matrix not found. Run 90_verify.sh first."
+fi)
+
+---
+
+## EU Compliance Declaration
+
+| Aspect | Value |
+|--------|-------|
+| Data Residency | EU (Ireland - Dublin) |
+| GDPR Applicable | Yes |
+| Jurisdiction | Irish Law |
+| Encryption | GPG (local keys only) |
+
+---
+
+## Rollback Procedures
+
+If any component needs to be reverted, use these scripts in order:
+
+1. **Tunnel:** \`./scripts/rollback/undo_tunnel.sh\`
+2. **GitOps:** \`./scripts/rollback/undo_gitops.sh\`
+3. **SSH Config:** \`./scripts/rollback/undo_ssh_config.sh\`
+4. **Identity:** \`./scripts/rollback/undo_identity.sh\`
+
+---
+
+## Next Steps
+
+1. Test tunnel connectivity:
+   \`\`\`bash
+   cloudflared tunnel --config ~/.cloudflared/config-${TUNNEL_NAME}.yml run
+   \`\`\`
+
+2. Clone GitOps repositories:
+   \`\`\`bash
+   git clone $GITOPS_ROOT/config.git ~/config
+   git clone $GITOPS_ROOT/secrets.git ~/secrets
+   git clone $GITOPS_ROOT/manifests.git ~/manifests
+   \`\`\`
+
+3. Proceed to **node-hardening** skill for security configuration
+
+4. Document this bootstrap in LAWCHAIN (if applicable)
+
+---
+
+## Artifact Locations
+
+| Artifact | Path |
+|----------|------|
+| Identity Manifest | $OUTPUT_DIR/identity_manifest.json |
+| Secrets Manifest | $OUTPUT_DIR/secrets_manifest.json |
+| Tunnel Config | $OUTPUT_DIR/tunnel_config.json |
+| GitOps Manifest | $OUTPUT_DIR/gitops_manifest.json |
+| Status Matrix | $OUTPUT_DIR/status_matrix.json |
+| This Report | $OUTPUT_DIR/audit_report.md |
+
+---
+
+*Report generated by operator-bootstrap skill v1.0.0*
+*$(date -Iseconds)*
+EOF
+
+    log_info "Audit report written to $report"
+
+    # Display the report
+    echo ""
+    cat "$report"
+
+    log_info "Completed $SCRIPT_NAME"
+}
+
+[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"