Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

proof-verifier/SKILL.md

@@ -0,0 +1,65 @@
+---
+name: proof-verifier
+description: >
+  Verify VaultMesh proof artifacts end-to-end: Merkle Forest ROOT.txt, RFC3161 timestamp receipt,
+  Ethereum calldata anchor, and Bitcoin OP_RETURN anchor. Produces status_matrix.json and audit report.
+  Triggers: 'verify proof', 'verify root', 'verify rfc3161', 'verify eth anchor', 'verify btc anchor',
+  'proof archaeology'.
+version: 1.0.0
+---
+
+# Proof Verifier (End-to-End)
+
+This skill verifies a proof chain as far as you provide artifacts:
+
+1) **Merkle Forest**: ROOT.txt + leaf/level files (optional)  
+2) **RFC3161**: request.tsq + response.tsr (optional)  
+3) **Ethereum**: tx hash + receipt (optional)  
+4) **Bitcoin**: txid + node visibility (optional)
+
+It is **read-only**. No funds move, nothing changes on the system.
+
+## Quick Start
+
+```bash
+cd ~/.claude/skills/proof-verifier
+
+# point to a merkle-forest run dir
+export MERKLE_RUN_DIR="$HOME/.claude/skills/merkle-forest/outputs/runs/<run>"
+
+# optional: rfc3161 outputs
+export RFC3161_DIR="$HOME/.claude/skills/rfc3161-anchor"   # where request.tsq/response.tsr live
+
+# optional: eth-anchor outputs
+export ETH_RUN_DIR="$HOME/.claude/skills/eth-anchor/outputs/runs/<run>"
+export ETH_RPC_URL="https://..."
+
+# optional: btc-anchor outputs
+export BTC_RUN_DIR="$HOME/.claude/skills/btc-anchor/outputs/runs/<run>"
+export BTC_NETWORK="testnet"
+
+./scripts/00_preflight.sh
+./scripts/10_plan.sh
+./scripts/11_verify.sh
+
+./scripts/99_report.sh
+```
+
+## Inputs
+
+| Parameter | Required | Default | Description |
+|---|---:|---|---|
+| MERKLE_RUN_DIR | Yes | (none) | merkle-forest run directory containing ROOT.txt |
+| RFC3161_DIR | No | (empty) | directory with request.tsq and response.tsr |
+| ETH_RUN_DIR | No | (empty) | eth-anchor run dir with tx_hash.txt |
+| ETH_RPC_URL | No | (empty) | needed if ETH_RUN_DIR set |
+| BTC_RUN_DIR | No | (empty) | btc-anchor run dir with txid.txt |
+| BTC_NETWORK | No | testnet | mainnet|testnet|signet |
+| OUTPUT_DIR | No | outputs | output dir for verifier run |
+
+## Outputs
+- `outputs/verify_<timestamp>/status_matrix.json`
+- `outputs/verify_<timestamp>/audit_report.md`
+
+## EU Compliance
+EU (Ireland - Dublin), Irish jurisdiction. Verification is local-first; chain lookups are public.

proof-verifier/config.json

@@ -0,0 +1,27 @@
+{
+  "name": "proof-verifier",
+  "version": "1.0.0",
+  "defaults": {
+    "BTC_NETWORK": "testnet",
+    "OUTPUT_DIR": "outputs"
+  },
+  "phases": {
+    "preflight": [
+      "00_preflight.sh"
+    ],
+    "plan": [
+      "10_plan.sh"
+    ],
+    "verify": [
+      "11_verify.sh"
+    ],
+    "report": [
+      "99_report.sh"
+    ]
+  },
+  "eu_compliance": {
+    "data_residency": "EU",
+    "jurisdiction": "Ireland",
+    "gdpr_applicable": true
+  }
+}

proof-verifier/references/verification_scope.md

@@ -0,0 +1,11 @@
+# Verification Scope (v1)
+
+v1 focuses on:
+- Presence + parsing of artifacts
+- On-chain visibility via RPC/node when tooling is available
+
+Future v2 can add:
+- Recompute Merkle root from leaves and compare to ROOT.txt
+- RFC3161 cryptographic verification using pinned TSA cert chain
+- Verify ETH calldata contains root bytes
+- Decode BTC OP_RETURN and confirm payload matches root

proof-verifier/scripts/00_preflight.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${MERKLE_RUN_DIR:=}"
+: "${RFC3161_DIR:=}"
+: "${ETH_RUN_DIR:=}"
+: "${ETH_RPC_URL:=}"
+: "${BTC_RUN_DIR:=}"
+: "${BTC_NETWORK:=testnet}"
+
+main() {
+  [[ -n "$MERKLE_RUN_DIR" ]] || { log_error "MERKLE_RUN_DIR is required"; exit 1; }
+  [[ -d "$MERKLE_RUN_DIR" ]] || { log_error "MERKLE_RUN_DIR not found: $MERKLE_RUN_DIR"; exit 1; }
+  [[ -f "$MERKLE_RUN_DIR/ROOT.txt" ]] || { log_error "Missing ROOT.txt in $MERKLE_RUN_DIR"; exit 1; }
+
+  # tools (soft requirements)
+  need jq || true
+  need openssl || true
+  need cast || true
+  need bitcoin-cli || true
+
+  log_info "Preflight OK (soft dependencies may be missing; checks will be skipped accordingly)."
+}
+main "$@"

proof-verifier/scripts/10_plan.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${MERKLE_RUN_DIR:=}"
+: "${RFC3161_DIR:=}"
+: "${ETH_RUN_DIR:=}"
+: "${ETH_RPC_URL:=}"
+: "${BTC_RUN_DIR:=}"
+: "${BTC_NETWORK:=testnet}"
+
+main() {
+  root_hex="$(grep '^root_hex=' "$MERKLE_RUN_DIR/ROOT.txt" | head -n1 | cut -d= -f2 || true)"
+  echo "[PLAN] $(date -Iseconds) Proof Verifier"
+  echo "[PLAN] Merkle run: $MERKLE_RUN_DIR"
+  echo "[PLAN] root_hex: ${root_hex:-?}"
+  echo "[PLAN] RFC3161: ${RFC3161_DIR:-<skipped>}"
+  echo "[PLAN] ETH: ${ETH_RUN_DIR:-<skipped>}"
+  echo "[PLAN] BTC: ${BTC_RUN_DIR:-<skipped>} (network=$BTC_NETWORK)"
+  echo "[PLAN] Next: ./scripts/11_verify.sh"
+}
+main "$@"

proof-verifier/scripts/11_verify.sh

@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${MERKLE_RUN_DIR:=}"
+: "${RFC3161_DIR:=}"
+: "${ETH_RUN_DIR:=}"
+: "${ETH_RPC_URL:=}"
+: "${BTC_RUN_DIR:=}"
+: "${BTC_NETWORK:=testnet}"
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+
+check_merkle() {
+  local ok_root=false ok_levels=false root_hex=""
+  [[ -f "$MERKLE_RUN_DIR/ROOT.txt" ]] && ok_root=true
+  root_hex="$(grep '^root_hex=' "$MERKLE_RUN_DIR/ROOT.txt" | head -n1 | cut -d= -f2 || true)"
+  [[ -d "$MERKLE_RUN_DIR/levels" || -d "$MERKLE_RUN_DIR/levels/" || -d "$MERKLE_RUN_DIR/levels" ]] && ok_levels=true || true
+  echo "$ok_root|$ok_levels|$root_hex"
+}
+
+check_rfc3161() {
+  # verifies token parses; full cryptographic verification requires TSA cert chain (not provided in v1).
+  local ok_req=false ok_res=false ok_parse=false msg=""
+  [[ -n "${RFC3161_DIR:-}" && -f "$RFC3161_DIR/request.tsq" ]] && ok_req=true
+  [[ -n "${RFC3161_DIR:-}" && -f "$RFC3161_DIR/response.tsr" ]] && ok_res=true
+  if [[ "$ok_res" == "true" ]] && command -v openssl >/dev/null 2>&1; then
+    if openssl ts -reply -in "$RFC3161_DIR/response.tsr" -text >/dev/null 2>&1; then
+      ok_parse=true
+      msg="tsr_parsed_ok"
+    else
+      msg="openssl_failed_to_parse_tsr"
+    fi
+  else
+    msg="skipped_no_openssl_or_missing_tsr"
+  fi
+  echo "$ok_req|$ok_res|$ok_parse|$msg"
+}
+
+check_eth() {
+  local ok_txfile=false ok_receipt=false ok_seen=false tx=""
+  if [[ -n "${ETH_RUN_DIR:-}" && -f "$ETH_RUN_DIR/tx_hash.txt" ]]; then
+    ok_txfile=true
+    tx="$(cat "$ETH_RUN_DIR/tx_hash.txt" | tr -d '\r\n')"
+  fi
+  if [[ -n "$tx" && -f "$ETH_RUN_DIR/tx_receipt.json" ]]; then ok_receipt=true; fi
+  if [[ -n "$tx" && -n "${ETH_RPC_URL:-}" && command -v cast >/dev/null 2>&1 ]]; then
+    if cast receipt --rpc-url "$ETH_RPC_URL" "$tx" >/dev/null 2>&1; then ok_seen=true; fi
+  fi
+  echo "$ok_txfile|$ok_receipt|$ok_seen|$tx"
+}
+
+check_btc() {
+  local ok_txidfile=false ok_seen=false txid=""
+  if [[ -n "${BTC_RUN_DIR:-}" && -f "$BTC_RUN_DIR/txid.txt" ]]; then
+    ok_txidfile=true
+    txid="$(cat "$BTC_RUN_DIR/txid.txt" | tr -d '\r\n')"
+  fi
+  if [[ -n "$txid" && command -v bitcoin-cli >/dev/null 2>&1 ]]; then
+    flag="$(net_flag)"
+    if bitcoin-cli $flag getrawtransaction "$txid" >/dev/null 2>&1; then ok_seen=true; fi
+  fi
+  echo "$ok_txidfile|$ok_seen|$txid"
+}
+
+main() {
+  mkdir -p "$OUTPUT_DIR"
+  ts="$(date -Iseconds | tr ':' '-')"
+  out_dir="$OUTPUT_DIR/verify_${ts}"
+  mkdir -p "$out_dir"
+
+  # Merkle
+  IFS='|' read -r m_ok_root m_ok_levels m_root <<< "$(check_merkle)"
+  # RFC3161
+  IFS='|' read -r r_ok_req r_ok_res r_ok_parse r_msg <<< "$(check_rfc3161)"
+  # ETH
+  IFS='|' read -r e_ok_txfile e_ok_receipt e_ok_seen e_tx <<< "$(check_eth)"
+  # BTC
+  IFS='|' read -r b_ok_txidfile b_ok_seen b_txid <<< "$(check_btc)"
+
+  blockers="[]"
+  if [[ "$m_ok_root" != "true" ]]; then blockers='["missing_merkle_root"]'; fi
+
+  warnings=()
+  if [[ -n "${RFC3161_DIR:-}" && "$r_ok_res" != "true" ]]; then warnings+=("missing_rfc3161_tsr"); fi
+  if [[ -n "${ETH_RUN_DIR:-}" && "$e_ok_txfile" != "true" ]]; then warnings+=("missing_eth_tx_hash"); fi
+  if [[ -n "${BTC_RUN_DIR:-}" && "$b_ok_txidfile" != "true" ]]; then warnings+=("missing_btc_txid"); fi
+
+  # warnings json
+  if [[ ${#warnings[@]} -eq 0 ]]; then warn_json="[]"
+  else
+    warn_json="["
+    for i in "${!warnings[@]}"; do
+      warn_json="${warn_json}\"${warnings[$i]}\""
+      [[ $i -lt $((${#warnings[@]}-1)) ]] && warn_json="${warn_json},"
+    done
+    warn_json="${warn_json}]"
+  fi
+
+  cat > "$out_dir/status_matrix.json" <<EOF
+{
+  "skill": "proof-verifier",
+  "timestamp": "$(date -Iseconds)",
+  "inputs": {
+    "merkle_run_dir": "$(json_escape "$MERKLE_RUN_DIR")",
+    "rfc3161_dir": "$(json_escape "${RFC3161_DIR:-}")",
+    "eth_run_dir": "$(json_escape "${ETH_RUN_DIR:-}")",
+    "btc_run_dir": "$(json_escape "${BTC_RUN_DIR:-}")",
+    "btc_network": "$(json_escape "$BTC_NETWORK")"
+  },
+  "root_hex": "$(json_escape "$m_root")",
+  "checks": [
+    {"name":"merkle_root_present", "ok": $m_ok_root},
+    {"name":"merkle_levels_present_optional", "ok": $m_ok_levels},
+    {"name":"rfc3161_request_present_optional", "ok": $r_ok_req},
+    {"name":"rfc3161_response_present_optional", "ok": $r_ok_res},
+    {"name":"rfc3161_tsr_parses_optional", "ok": $r_ok_parse, "note": "$(json_escape "$r_msg")"},
+    {"name":"eth_tx_hash_present_optional", "ok": $e_ok_txfile, "tx": "$(json_escape "$e_tx")"},
+    {"name":"eth_receipt_file_present_optional", "ok": $e_ok_receipt},
+    {"name":"eth_tx_seen_by_rpc_optional", "ok": $e_ok_seen},
+    {"name":"btc_txid_present_optional", "ok": $b_ok_txidfile, "txid": "$(json_escape "$b_txid")"},
+    {"name":"btc_tx_seen_by_node_optional", "ok": $b_ok_seen}
+  ],
+  "blockers": $blockers,
+  "warnings": $warn_json,
+  "next_steps": ["archive PROOF.json and ROOT.txt", "anchor again if needed", "store verifier output as receipt"]
+}
+EOF
+
+  echo "$out_dir" > "$OUTPUT_DIR/last_verify_dir.txt"
+  log_info "Wrote $out_dir/status_matrix.json"
+  cat "$out_dir/status_matrix.json"
+}
+main "$@"

proof-verifier/scripts/99_report.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+
+main() {
+  [[ -f "$OUTPUT_DIR/last_verify_dir.txt" ]] || { log_error "No last verify dir. Run 11_verify.sh first."; exit 1; }
+  vdir="$(cat "$OUTPUT_DIR/last_verify_dir.txt")"
+  status="$vdir/status_matrix.json"
+  report="$vdir/audit_report.md"
+
+  root_hex="$(grep -E '"root_hex"' "$status" 2>/dev/null | head -n1 | sed -E 's/.*"root_hex": "([^"]+)".*/\1/' || true)"
+
+  cat > "$report" <<EOF
+# Proof Verifier Audit Report
+
+**Generated:** $(date -Iseconds)  
+**Verify Dir:** \`$vdir\`  
+**Root Hex:** \`$root_hex\`  
+**Skill Version:** 1.0.0
+
+## Status Matrix
+
+$(if [[ -f "$status" ]]; then echo '```json'; cat "$status"; echo '```'; else echo "_Missing status_matrix.json_"; fi)
+
+## EU Compliance
+
+EU (Ireland - Dublin), Irish jurisdiction. Verification is local-first; chain lookups are public.
+EOF
+
+  log_info "Wrote $report"
+  cat "$report"
+}
+main "$@"

proof-verifier/scripts/_common.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+log_info(){ echo "[INFO]  $(date -Iseconds) $*"; }
+log_warn(){ echo "[WARN]  $(date -Iseconds) $*" >&2; }
+log_error(){ echo "[ERROR] $(date -Iseconds) $*" >&2; }
+need(){ command -v "$1" >/dev/null 2>&1 || { log_error "Missing tool: $1"; return 1; }; }
+
+json_escape() {
+  local s="$1"
+  s="${s//\\/\\\\}"; s="${s//\"/\\\"}"; s="${s//$'\n'/\\n}"
+  printf "%s" "$s"
+}
+
+net_flag() {
+  : "${BTC_NETWORK:=testnet}"
+  case "$BTC_NETWORK" in
+    mainnet) echo "" ;;
+    testnet) echo "-testnet" ;;
+    signet) echo "-signet" ;;
+    *) echo "-testnet" ;;
+  esac
+}