Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

operator-bootstrap/templates/audit_record.tpl

@@ -0,0 +1,53 @@
+# Bootstrap Audit Record Template
+# Variables: {{TIMESTAMP}}, {{NODE_NAME}}, {{OPERATOR_NAME}}, {{DOMAIN}}
+
+## Metadata
+
+| Field | Value |
+|-------|-------|
+| Timestamp | {{TIMESTAMP}} |
+| Node | {{NODE_NAME}} |
+| Operator | {{OPERATOR_NAME}} |
+| Domain | {{DOMAIN}} |
+| Skill Version | 1.0.0 |
+
+## Actions Performed
+
+{{ACTIONS}}
+
+## Artifacts Created
+
+{{ARTIFACTS}}
+
+## Verification Status
+
+{{STATUS}}
+
+## Evidence Hashes
+
+| Artifact | BLAKE3 Hash |
+|----------|-------------|
+{{EVIDENCE_HASHES}}
+
+## Signature Block
+
+This record should be:
+1. Signed with the operator's GPG key
+2. Committed to the secrets.git repository
+3. Anchored to LAWCHAIN (if applicable)
+
+### GPG Signature Command
+
+```bash
+gpg --armor --detach-sign audit_record.md
+```
+
+### Verification Command
+
+```bash
+gpg --verify audit_record.md.asc audit_record.md
+```
+
+---
+
+*Record generated by operator-bootstrap skill*

operator-bootstrap/templates/cloudflared_config.tpl

@@ -0,0 +1,30 @@
+# Cloudflare Tunnel Configuration Template
+# Generated by operator-bootstrap
+# Variables: {{TUNNEL_NAME}}, {{DOMAIN}}, {{HOME}}
+
+tunnel: {{TUNNEL_NAME}}
+credentials-file: {{HOME}}/.cloudflared/{{TUNNEL_NAME}}.json
+
+# Ingress rules define how traffic is routed
+ingress:
+  # SSH access via Cloudflare Access
+  # Requires Cloudflare Access policy for authentication
+  - hostname: ssh.{{DOMAIN}}
+    service: ssh://localhost:22
+
+  # Web services (uncomment and modify as needed)
+  # - hostname: api.{{DOMAIN}}
+  #   service: http://localhost:8080
+  #
+  # - hostname: dashboard.{{DOMAIN}}
+  #   service: http://localhost:3000
+
+  # Catch-all for undefined hostnames
+  - service: http_status:404
+
+# Optional: Metrics endpoint
+# metrics: localhost:2000
+
+# Optional: Logging
+# loglevel: info
+# logfile: /var/log/cloudflared.log

operator-bootstrap/templates/ssh_config.tpl

@@ -0,0 +1,29 @@
+# SSH Configuration Template
+# Generated by operator-bootstrap
+# Variables: {{NODE_NAME}}, {{NODE_IP}}, {{DOMAIN}}, {{OPERATOR_USER}}
+
+# Direct SSH to node (when on same network)
+Host {{NODE_NAME}}
+    HostName {{NODE_IP}}
+    User {{OPERATOR_USER}}
+    IdentityFile ~/.ssh/id_ed25519_{{NODE_NAME}}
+    IdentitiesOnly yes
+    ForwardAgent no
+    AddKeysToAgent yes
+
+# SSH via Cloudflare Tunnel (remote access)
+Host {{NODE_NAME}}-tunnel
+    HostName ssh.{{DOMAIN}}
+    User {{OPERATOR_USER}}
+    IdentityFile ~/.ssh/id_ed25519_{{NODE_NAME}}
+    IdentitiesOnly yes
+    ProxyCommand cloudflared access ssh --hostname %h
+
+# Fallback with RSA key (for legacy systems)
+Host {{NODE_NAME}}-rsa
+    HostName {{NODE_IP}}
+    User {{OPERATOR_USER}}
+    IdentityFile ~/.ssh/id_rsa_{{NODE_NAME}}
+    IdentitiesOnly yes
+    PubkeyAcceptedAlgorithms +ssh-rsa
+    HostkeyAlgorithms +ssh-rsa