# vm-skills

Production-grade operational skill library (16 skills) following a gated plan → apply → proof → verify → report model with cryptographic evidence.

## Role

- Acts as the capability layer Claude invokes through vm-mcp tools
- Emits BLAKE3 receipts and reports consumable by vm-ledger and vm-cc
- Enforces governance via REQUIRE_CONFIRM and DRY_RUN defaults

## Skill Catalog (16)

- backup-sovereign — encrypted backups + restore drill
- btc-anchor — Bitcoin anchoring
- cloudflare-tunnel-manager — Cloudflare tunnel lifecycle
- container-registry — registry operations
- disaster-recovery — DR orchestration
- dns-sovereign — DNS management
- eth-anchor — Ethereum anchoring
- gitea-bootstrap — Git server setup
- hetzner-bootstrap — Hetzner provisioning
- merkle-forest — Merkle tree ops and proof verification
- node-hardening — node security hardening
- operator-bootstrap — operator initialization
- proof-verifier — cryptographic proof verification
- rfc3161-anchor — RFC3161 legal timestamping
- secrets-vault — secrets management
- root-coordinator — master coordinator/composer

## Execution Model

- preflight: environment and tool checks
- plan: dry-run steps (DRY_RUN=1 default)
- apply: gated by REQUIRE_CONFIRM + CONFIRM_PHRASE
- proof: generate BLAKE3 receipt (when defined)
- verify: assert success (includes restore drills where applicable)
- report: produce audit/compliance output (99_report.sh)

## Safety & Compliance

- Confirmation required for mutations; DRY_RUN-first workflow
- Receipts chain via BLAKE3; restore drill mandatory for backup-sovereign
- EU/GDPR metadata present in configs (data_residency, jurisdiction, gdpr_applicable)

## Integration via vm-mcp

- Claude → cognitive_invoke_skill → config.json phases → scripts
- Outputs flow to vm-ledger (receipts) and vm-cc (evidence aggregation)

## Quickstart

```bash
cd vm-skills//scripts
./00_preflight.sh
./10_*_plan.sh
./11_*_apply.sh          # requires confirmation
./30_generate_proof.sh   # when present
./50_restore_drill.sh    # backup-sovereign
./90_verify.sh && ./99_report.sh
```

## Reports & Evidence

- Reports live alongside scripts as 99_report.sh outputs
- BLAKE3 receipts accompany mutations; suitable for vm-cc ingestion
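
The apply gate and receipt chain described under Execution Model and Safety & Compliance, as an added example that is not vm-skills code. The function names, the `genesis` marker, the ledger line layout and the exact semantics of `DRY_RUN`, `REQUIRE_CONFIRM` and `CONFIRM_PHRASE` are assumptions; hashing uses `b3sum` when installed and SHA-256 as a stand-in otherwise.

```bash
#!/usr/bin/env bash
# Added illustration, not vm-skills code. Names and semantics are assumptions.

# Hash stdin: BLAKE3 via b3sum when installed, else SHA-256 as a stand-in.
hash_stdin() {
  if command -v b3sum >/dev/null 2>&1; then b3sum | cut -d' ' -f1
  else sha256sum | cut -d' ' -f1; fi
}

# Gate for the apply phase. Returns 0 only when a mutation may run.
# Assumed semantics: DRY_RUN defaults to 1, REQUIRE_CONFIRM defaults to 1,
# and CONFIRM_PHRASE must equal the expected phrase given as $1.
gate_apply() {
  expected="$1"
  [ "${DRY_RUN:-1}" = "0" ] || { echo "plan only (DRY_RUN=1)" >&2; return 1; }
  if [ "${REQUIRE_CONFIRM:-1}" != "0" ] && [ "${CONFIRM_PHRASE:-}" != "$expected" ]; then
    echo "refused: confirmation phrase missing or wrong" >&2
    return 2
  fi
  return 0
}

# Append "prev_hash action hash" to ledger $1; action ($2) is a single token.
# The hash covers prev_hash and action, so editing an earlier line breaks
# every later link.
append_receipt() {
  ledger="$1"; action="$2"
  prev=$(tail -n 1 "$ledger" 2>/dev/null | awk '{print $NF}')
  prev="${prev:-genesis}"
  h=$(printf '%s|%s' "$prev" "$action" | hash_stdin)
  printf '%s %s %s\n' "$prev" "$action" "$h" >> "$ledger"
}

# Recompute every link in ledger $1; non-zero at the first mismatch.
verify_chain() {
  expect_prev="genesis"
  while read -r prev action h; do
    [ "$prev" = "$expect_prev" ] || return 1
    [ "$(printf '%s|%s' "$prev" "$action" | hash_stdin)" = "$h" ] || return 1
    expect_prev="$h"
  done < "$1"
}
```

A chain like this detects edits to the ledger but not wholesale replacement of it, which is the gap the anchoring skills in the catalog address.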