rsc-universal 0.1.1

package/skills/harness/references/wiki-raw-template.md

@@ -0,0 +1,7 @@
+# {Title}
+
+> Source: {URL or origin description}
+> Collected: {YYYY-MM-DD}
+> Published: {YYYY-MM-DD or Unknown}
+
+{Original content below. Preserve the source text faithfully. Clean up formatting noise (extra whitespace, broken HTML artifacts, navigation chrome), but do not rewrite opinions or alter meaning.}

package/skills/hetzner/SKILL.md

@@ -0,0 +1,221 @@
+---
+name: hetzner
+description: "Use when provisioning or hardening a Hetzner Cloud VPS to host real apps: picking a plan/location (CX/CPX/CAX/CCX), bringing a box up reproducibly with the hcloud CLI + cloud-init, locking down SSH, and wiring the Hetzner Cloud Firewall before handing off a Docker/Coolify-ready host. Triggers: 'set up a Hetzner server', 'provision a Hetzner VPS', 'harden SSH on my box', 'which Hetzner plan for a small API', 'configure the Hetzner Cloud Firewall', the non-obvious 'my ipv6-only box is cheaper but docker pull can't reach the registry', and the Spanish/Catalan 'monta un servidor en Hetzner', 'configura el firewall de Hetzner'. NOT deploying apps through Coolify (that is coolify)."
+tags: [hetzner, vps, cloud-firewall, hcloud, ssh-hardening, cloud-init, self-hosting]
+recommends: [coolify, docker, secure-coding, domains-dns, backups, monitoring]
+origin: risco
+---
+
+# Hetzner — the cheap European box, made safe and reproducible
+
+Hetzner Cloud is chosen for one reason: price/performance. A 2 vCPU / 4 GB AMD
+box runs about €7.99/mo, the EU Intel line dips under €4, and EU locations
+include 20 TB of egress. The risk is that "cheap" becomes "unhardened and
+unmonitored" — a root-SSH box on a public IPv4 with password auth on. Your job
+is to make the cheap box **safe** and **reproducible**: every server comes up
+from a committed cloud-init file and a Cloud Firewall ruleset, never from
+click-ops in the console.
+
+Operating posture:
+
+- **Reproducible by default.** A box you can't recreate from a file isn't a box,
+  it's a pet. Bake the non-root user, SSH key, and sshd hardening into first
+  boot via cloud-init — not into a post-login checklist you'll forget.
+- **Two firewalls, edge first.** The Hetzner Cloud Firewall stops packets before
+  they reach the VM; host `ufw` is defense-in-depth. You need both.
+- **Honest about the trade-off.** No managed DB, no uptime SLA, phone support
+  only for dedicated-server customers. Name it; don't pretend it's AWS.
+
+## Decide before you create
+
+Pick the line, then the location. Prices are post-2026-04-01 (a price adjustment
+took effect that date); treat exact cents as "verify in the console."
+
+| Line | Chip | When to pick | Price band | EU-only? |
+|---|---|---|---|---|
+| **CX** | Intel (shared) | Cost-optimized, tiny EU workloads | ~€3.99/mo (2 vCPU/4 GB/40 GB) | Yes |
+| **CPX** | AMD (shared) | Default for apps; best general value | CPX22 ~€7.99, CPX32 ~€13.99, CPX42 ~€25.49 | No |
+| **CAX** | ARM64 (shared) | Cheapest per-core; ARM-clean workloads | Cheapest per-core | Yes |
+| **CCX** | Dedicated vCPU | Steady CPU load, no noisy-neighbor | CCX13 ~€15.99 (2 vCPU/8 GB) | No |
+
+Rules:
+
+- **IPv4 costs extra (~€0.50–0.60/mo); IPv6 is free.** An IPv6-only box is
+  cheaper, but it breaks anything that can't reach IPv6: many container
+  registries, some package mirrors, CI runners, SSH clients on IPv4-only nets.
+  If `docker pull` or `apt` will run on the box, keep one IPv4 unless you've
+  confirmed every upstream is dual-stack. Why: a saved €0.50/mo is not worth a
+  broken `docker pull` at 2 a.m.
+- **Location decides your traffic budget.** EU locations (Nuremberg, Falkenstein,
+  Helsinki) include **20 TB/mo** egress; overage ~€1/TB. US (Ashburn, Hillsboro)
+  and Singapore have **far lower** included transfer. Why: pick US "for latency,"
+  serve a video, and the surprise bill is the traffic cap, not the instance.
+- **No APAC own datacenter.** If your users are in Asia, this is a real latency
+  cost — name it, don't hide it.
+
+Full dated matrix, latency notes, and the no-SLA / no-managed-DB reality:
+`references/plans-and-locations.md`.
+
+## Provision reproducibly
+
+Install the official CLI (latest **v1.65.0**, released 2026-05-21) and create a
+context (the token comes from the project's *Security → API tokens*, Read &
+Write):
+
+```bash
+brew install hcloud            # or: see github.com/hetznercloud/cli releases
+hcloud context create my-project   # paste the Read+Write API token when prompted
+hcloud server-type list        # confirm names/prices before you create
+```
+
+Bring the box up with cloud-init so hardening happens **before first login**:
+
+```bash
+hcloud server create \
+  --name app-01 \
+  --type cpx22 \
+  --location fsn1 \
+  --image debian-12 \
+  --ssh-key my-laptop \
+  --firewall app-edge \
+  --user-data-from-file cloud-init.yaml
+```
+
+Use `--location`, not `--datacenter`: the `datacenter` attribute is **deprecated
+and removed after 2026-07-01** for Servers and Primary IPs. Trimmed cloud-init
+skeleton (full annotated file in `references/cloud-init.md`):
+
+```yaml
+#cloud-config
+users:
+  - name: deploy
+    groups: [sudo]
+    shell: /bin/bash
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+    ssh_authorized_keys:
+      - ssh-ed25519 AAAA... you@laptop   # your real public key, not a placeholder
+disable_root: true                       # no root login at all
+ssh_pwauth: false                        # no password auth, anywhere
+package_update: true
+packages: [ufw, fail2ban, unattended-upgrades]
+runcmd:
+  - sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - ufw default deny incoming && ufw allow 22 && ufw allow 80 && ufw allow 443 && ufw --force enable
+  - systemctl enable --now fail2ban
+  - systemctl restart ssh
+```
+
+Rule: **never create a box with a bare root password and "I'll harden it later."**
+Later is a window where the box is reachable as root with password auth on, and
+Hetzner IPv4 space is scanned constantly. Bake it into boot.
+
+## Two firewalls, in order
+
+The Cloud Firewall runs at the network edge — stateful, applied before the
+packet reaches the VM, and survives a misconfigured host. Create and apply it
+**with or before** the server:
+
+```bash
+hcloud firewall create --name app-edge
+hcloud firewall add-rule app-edge --direction in --protocol tcp --port 22  --source-ips 0.0.0.0/0 --source-ips ::/0
+hcloud firewall add-rule app-edge --direction in --protocol tcp --port 80  --source-ips 0.0.0.0/0 --source-ips ::/0
+hcloud firewall add-rule app-edge --direction in --protocol tcp --port 443 --source-ips 0.0.0.0/0 --source-ips ::/0
+hcloud firewall apply-to-resource app-edge --type server --server app-01
+```
+
+Inbound is default-deny — you only describe what you *allow*. Then the host
+`ufw` (set up in cloud-init above) is defense-in-depth: if you ever detach or
+fat-finger the Cloud Firewall, the box still isn't wide open. Why both: the edge
+firewall is your primary defense, but a single layer is a single point of
+failure, and the two are configured through different surfaces (API vs host).
+
+Tighten SSH to your own IP/range once you know it:
+
+```bash
+hcloud firewall delete-rule app-edge --direction in --protocol tcp --port 22 --source-ips 0.0.0.0/0 --source-ips ::/0
+hcloud firewall add-rule    app-edge --direction in --protocol tcp --port 22 --source-ips 203.0.113.4/32
+```
+
+## SSH hardening rules
+
+- **Key-only auth.** `PasswordAuthentication no`. A password is brute-forceable;
+  an ed25519 key is not.
+- **No root login.** `PermitRootLogin no` + a sudo user. Root over SSH is the
+  single most-targeted login on the internet.
+- **fail2ban on.** Bans IPs after repeated failures — cheap insurance for the
+  one port you must expose.
+- **Moving port 22 is obscurity, not security.** It quiets log noise; it does not
+  harden anything. Do it if you like clean logs, but never *instead* of key-only
+  + a firewall.
+
+Bad → Good:
+
+```diff
+- PermitRootLogin yes
+- PasswordAuthentication yes
++ PermitRootLogin no
++ PasswordAuthentication no
++ PubkeyAuthentication yes
+```
+
+## Hand off to Docker / Coolify
+
+"Host ready" means all of the following are true:
+
+- [ ] `ssh root@<ip>` is refused; `ssh deploy@<ip>` works with the key only.
+- [ ] `sshd -T | grep -E 'permitrootlogin|passwordauthentication'` shows both `no`.
+- [ ] Cloud Firewall attached; only 22 (scoped)/80/443 inbound.
+- [ ] `ufw status` enabled with the same allowlist.
+- [ ] `unattended-upgrades` and `fail2ban` running.
+
+Then route the install/deploy: Coolify (the self-hosted PaaS) and container
+build/run are not this skill's job. Use the `coolify` skill for the Coolify
+install + app deploy flow, and the `docker` skill for Dockerfiles, compose, and
+image hardening. This skill stops at a clean, hardened host.
+
+## Day-2
+
+- **Snapshot ≠ backup.** A snapshot is a one-off manual image you can boot from;
+  the **Backups** add-on is automated, rotating, ~20% of the server price. A
+  snapshot you took once in March is not a backup strategy — for that, see the
+  `backups` skill.
+- **Resize grows, never shrinks.** You can scale the disk up; you cannot scale it
+  back down. Size conservatively or you're stuck paying for it.
+- **Volumes** for data you want to outlive/detach from the server. Keep databases
+  and uploads on a volume so a server rebuild doesn't take the data with it.
+- **Reverse DNS** must match for outbound mail to be accepted — set the PTR in the
+  console/`hcloud` if the box sends email. Forward DNS records belong to the
+  `domains-dns` skill.
+- **No SLA, no managed DB.** There's no uptime guarantee and no managed-database
+  product — you run Postgres yourself, you monitor it yourself. For monitoring
+  and alerting, see the `monitoring` skill; treat the box as something you must
+  watch, not something Hetzner watches for you.
+
+## Anti-patterns
+
+| Anti-pattern | Why it's wrong | Do instead |
+|---|---|---|
+| Root SSH + password auth left on | The most-scanned login on the public internet; bots find it in minutes | `PermitRootLogin no`, `PasswordAuthentication no`, key + sudo user |
+| Only host `ufw`, no Cloud Firewall | A host misconfig or reset exposes everything; no edge layer | Cloud Firewall default-deny first, `ufw` as defense-in-depth |
+| `--source-ips 0.0.0.0/0` on everything "temporarily" | Temporary rules become permanent; the whole box is exposed | Scope inbound to 80/443 public, SSH to your IP/range |
+| Click-ops in the console | Not reproducible — you can't recreate or review the box | cloud-init file + `hcloud` commands committed to the repo |
+| Snapshot treated as backup | One stale manual image, no rotation, no schedule | Enable the Backups add-on or push to off-box storage |
+| US location, then surprised by the bill | US/Singapore include far less than EU's 20 TB egress | EU location for egress-heavy apps; check the traffic cap first |
+| IPv6-only to save €0.50 | Registry/CI/mirror pulls over IPv4-only break | Keep one IPv4 unless every upstream is confirmed dual-stack |
+| Using `--datacenter` | Deprecated, removed after 2026-07-01 | Use `--location` |
+
+## Verify
+
+```bash
+ssh -o BatchMode=yes root@<ip>                 # expect: refused / permission denied
+ssh deploy@<ip> 'sshd -T | grep -E "permitrootlogin|passwordauthentication"'
+# expect: permitrootlogin no / passwordauthentication no
+hcloud firewall describe app-edge              # expect: only 22 (scoped)/80/443 inbound
+ssh deploy@<ip> 'ss -tlnp'                      # expect: only expected listeners
+```
+
+To lint a cloud-init / hardening file before you ever create the box, run
+`scripts/verify.sh path/to/cloud-init.yaml` — it statically checks for the
+must-haves (no root login, no password auth, an SSH key, a firewall step,
+fail2ban) with no network calls.

package/skills/hetzner/evals/README.md

@@ -0,0 +1,35 @@
+# Eval harness — hetzner
+
+`cases.yaml` is the fixture; this file is the procedure. The evals are run by an
+**agent harness** (an agent with the full skill catalog loadable on demand), not
+a pure script. Two things are measured: **triggering** (does the skill fire on
+Hetzner provision/harden/plan/firewall prompts and stay quiet for sibling
+providers and app-deploy) and **capability** (does loading it produce a genuinely
+reproducible, hardened flow rather than a console walkthrough).
+
+## Triggering
+
+For each `should_trigger` / `should_not_trigger` item: start a fresh session with
+the full catalog, feed the `prompt` verbatim, record which skill the agent
+invokes, and run 3–5 trials (the choice is stochastic). Pass when **hetzner** is
+chosen for the majority of `should_trigger` trials and is *not* chosen for
+`should_not_trigger` (ideally the agent routes to the listed `route_to` sibling).
+Target >= 90% trigger accuracy across prompts.
+
+## Capability
+
+For the `capability` scenario run two arms — **WITH** only hetzner loaded vs
+**WITHOUT** any skill — three times each. Grade each response against
+`must_include` (one point per item that is genuinely present and correct, not
+hand-waved). Pass when WITH covers >= 80% of the rubric and beats WITHOUT by a
+clear margin (target >= 25 points). A skill that doesn't move the needle fails
+even if the baseline answer was decent.
+
+## Honesty notes
+
+These are stochastic, LLM-graded evals — re-run on edits and treat small deltas
+as noise. `route_to` targets (coolify, digitalocean, docker, domains-dns, fly-io)
+assume those siblings exist in the catalog; a missing sibling can cause a
+near-miss mis-route that isn't a hetzner fault — note it, don't count it against
+the skill. A static lint of the emitted cloud-init artifact is available
+separately via `scripts/verify.sh`.

package/skills/hetzner/evals/cases.yaml

@@ -0,0 +1,46 @@
+skill: hetzner
+
+should_trigger:
+  - prompt: "Provision a Hetzner Cloud server for my app and harden SSH on it before I deploy anything."
+    why: "Direct provision + harden request — the skill's core: cloud-init box up, key-only SSH, no root login, Cloud Firewall. Flagship trigger."
+  - prompt: "monta un servidor barato en Hetzner con cloud-init y el firewall configurado"
+    why: "Spanish phrasing for provisioning a cheap Hetzner box with cloud-init and firewall — exactly the reproducible-provision + Cloud Firewall flow this skill owns."
+  - prompt: "Which Hetzner plan should I pick — a CPX22 or the ARM CAX box — for a small API?"
+    why: "Plan-choice question across the CPX/CAX lines; the skill's decision table (chip, price band, EU-only, when-to-pick) is the answer surface."
+  - prompt: "My Hetzner box only has IPv6 and docker pull keeps failing to reach the registry. What's going on?"
+    why: "Non-obvious symptom of the IPv4-vs-IPv6 economics fact — IPv6-only breaks IPv4-only registries. User never says 'plan' or 'firewall' but it's the skill's IPv4 rule."
+  - prompt: "Set up the Hetzner Cloud Firewall so only 80/443 and SSH are open, everything else blocked."
+    why: "Edge-firewall configuration with default-deny inbound — the hcloud firewall create/add-rule/apply flow the skill prescribes."
+  - prompt: "Make my new Hetzner VPS ready to install Coolify on it later."
+    why: "Host-prep boundary case: getting the host hardened and Docker/Coolify-ready is still this skill; the actual Coolify install is the handoff, not the work here."
+
+should_not_trigger:
+  - prompt: "Deploy my Next.js app through Coolify's dashboard and set the build command."
+    route_to: "coolify"
+    why: "Past host setup — this is the Coolify app-deploy flow, which the boundary phrase explicitly routes to coolify."
+  - prompt: "Spin up a DigitalOcean droplet and harden the SSH config on it."
+    route_to: "digitalocean"
+    why: "Same shape of task but a different provider; DO droplets and DO tooling belong to digitalocean."
+  - prompt: "Write me a multi-stage Dockerfile that slims the final image and runs as non-root."
+    route_to: "docker"
+    why: "Container authoring — Dockerfiles and image hardening are out of scope; route to docker."
+  - prompt: "Point my domain's A record at the server's IP and add the MX records."
+    route_to: "domains-dns"
+    why: "Forward DNS records (A/MX) are generic domain wiring; the skill only touches host-level reverse DNS. Route to domains-dns."
+  - prompt: "Deploy this service to Fly.io with a release command and a health check."
+    route_to: "fly-io"
+    why: "A managed-platform deploy, not a self-managed VPS — belongs to fly-io."
+
+capability:
+  - scenario: "I bought a CPX22 in Falkenstein on Debian 12. Give me a reproducible flow to provision and harden it — I want to be able to recreate the box from files."
+    must_include:
+      - "hcloud server create with --user-data-from-file (cloud-init), not console click-ops"
+      - "non-root sudo user created via cloud-init with ssh_authorized_keys"
+      - "PermitRootLogin no and PasswordAuthentication no (or disable_root: true / ssh_pwauth: false)"
+      - "SSH key-only auth, no password"
+      - "Hetzner Cloud Firewall: default-deny inbound, allow 80/443 and SSH"
+      - "host ufw as defense-in-depth in addition to the Cloud Firewall"
+      - "fail2ban and unattended-upgrades installed/enabled"
+      - "verification step: ssh root@ip refused and sshd -T shows the hardening"
+      - "uses --location (fsn1), not the deprecated --datacenter"
+      - "notes that a snapshot is not a backup (Backups add-on for that)"

package/skills/hetzner/references/cloud-init.md

@@ -0,0 +1,120 @@
+# Reference: cloud-init + Cloud Firewall
+
+The full, annotated first-boot configuration and the firewall script the SKILL
+trims. Everything here runs **before first login** so the box is never reachable
+in an unhardened state.
+
+## Full annotated `cloud-init.yaml`
+
+```yaml
+#cloud-config
+# Runs on first boot via: hcloud server create --user-data-from-file cloud-init.yaml
+
+# --- non-root sudo user (root SSH gets disabled below) ---
+users:
+  - name: deploy
+    groups: [sudo]
+    shell: /bin/bash
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]   # drop NOPASSWD if you want a sudo password
+    ssh_authorized_keys:
+      - ssh-ed25519 AAAA... you@laptop  # YOUR real public key — never a placeholder
+
+# --- kill root + password login at the cloud-init layer (belt) ---
+disable_root: true        # cloud-init disables the root account's SSH
+ssh_pwauth: false         # cloud-init disables password auth
+
+# --- packages for hardening + patching ---
+package_update: true
+package_upgrade: true
+packages:
+  - ufw
+  - fail2ban
+  - unattended-upgrades
+
+# --- drop-in sshd hardening (braces) so an image default can't re-enable it ---
+write_files:
+  - path: /etc/ssh/sshd_config.d/99-hardening.conf
+    content: |
+      PermitRootLogin no
+      PasswordAuthentication no
+      PubkeyAuthentication yes
+      ChallengeResponseAuthentication no
+      # Optional: move the port. Obscurity, not security — keep key-only + firewall regardless.
+      # Port 2222
+  - path: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+  - path: /etc/fail2ban/jail.d/sshd.local
+    content: |
+      [sshd]
+      enabled = true
+      maxretry = 4
+      bantime = 1h
+
+# --- apply it on first boot ---
+runcmd:
+  - ufw default deny incoming
+  - ufw default allow outgoing
+  - ufw allow 22/tcp        # change to your moved port if you set Port above
+  - ufw allow 80/tcp
+  - ufw allow 443/tcp
+  - ufw --force enable
+  - systemctl enable --now fail2ban
+  - systemctl enable --now unattended-upgrades
+  - systemctl restart ssh
+```
+
+Notes:
+
+- `disable_root` + `ssh_pwauth: false` are the cloud-init-native way; the
+  `sshd_config.d` drop-in is the redundant explicit layer so a base-image default
+  can't quietly re-enable password/root login. Both saying the same thing is
+  intentional.
+- If you move the SSH port, change **both** the `Port` directive and the `ufw
+  allow` line, and add the moved port to the Cloud Firewall before you reboot —
+  or you lock yourself out.
+- Optional Docker install (only if you're not handing off to the `coolify` skill
+  to install it): append the official `get-docker.sh` convenience step in
+  `runcmd`, then add `deploy` to the `docker` group.
+
+## Cloud Firewall script
+
+Create the edge firewall, scope it, and attach it. Inbound is default-deny — you
+only enumerate what you allow.
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+FW=app-edge
+SRV=app-01
+MY_IP=203.0.113.4/32   # your admin IP/range for SSH
+
+hcloud firewall create --name "$FW"
+
+# Public web
+hcloud firewall add-rule "$FW" --direction in --protocol tcp --port 80  --source-ips 0.0.0.0/0 --source-ips ::/0
+hcloud firewall add-rule "$FW" --direction in --protocol tcp --port 443 --source-ips 0.0.0.0/0 --source-ips ::/0
+
+# SSH scoped to you (open to the world only during initial setup, then tighten)
+hcloud firewall add-rule "$FW" --direction in --protocol tcp --port 22 --source-ips "$MY_IP"
+
+hcloud firewall apply-to-resource "$FW" --type server --server "$SRV"
+hcloud firewall describe "$FW"
+```
+
+To open SSH to the world for the first connection, then lock it down:
+
+```bash
+hcloud firewall add-rule    "$FW" --direction in --protocol tcp --port 22 --source-ips 0.0.0.0/0 --source-ips ::/0
+# ... do initial setup, confirm key login works ...
+hcloud firewall delete-rule "$FW" --direction in --protocol tcp --port 22 --source-ips 0.0.0.0/0 --source-ips ::/0
+hcloud firewall add-rule    "$FW" --direction in --protocol tcp --port 22 --source-ips "$MY_IP"
+```
+
+Two layers, why each:
+
+- **Cloud Firewall (edge):** stateful, filters before the packet reaches the VM,
+  configured via API/console — survives a broken host config. Primary defense.
+- **Host `ufw`:** defense-in-depth — if the Cloud Firewall is ever detached or
+  mis-edited, the box still isn't wide open. Keep the two allowlists in sync.

package/skills/hetzner/references/plans-and-locations.md

@@ -0,0 +1,56 @@
+# Reference: plans, prices, locations, reliability
+
+Dated figures (post the **2026-04-01 price adjustment**). Hetzner raised most
+plan prices on that date — treat exact cents as "verify in the console," use
+these as bands for the decision.
+
+## Plan matrix
+
+| Plan | Chip | vCPU / RAM / disk | Price band (post-2026-04-01) | EU-only? | Pick when |
+|---|---|---|---|---|---|
+| CX23-class | Intel (shared) | 2 / 4 GB / 40 GB | ~€3.99/mo | Yes | Cheapest viable, tiny EU workloads |
+| CPX22 | AMD (shared) | 2 / 4 GB / 80 GB | ~€7.99/mo | No | Default app box, best value |
+| CPX32 | AMD (shared) | 4 / 8 GB / 160 GB | ~€13.99/mo | No | Mid app + small DB |
+| CPX42 | AMD (shared) | 8 / 16 GB / 320 GB | ~€25.49/mo | No | Heavier services |
+| CAX (ARM64) | Ampere (shared) | varies | cheapest per-core | Yes | ARM-clean workloads, max cores/€ |
+| CCX13 | Dedicated vCPU | 2 / 8 GB | ~€15.99/mo | No | Steady CPU, no noisy-neighbor |
+
+## IPv4 / IPv6 economics
+
+- **IPv4 is a paid add-on:** ~€0.0010/hour, roughly €0.50–0.60/mo per address.
+- **IPv6 is free.** An IPv6-only box is cheaper.
+- **The catch:** IPv6-only breaks any upstream that isn't dual-stack — several
+  container registries, package mirrors, CI runners, and IPv4-only SSH clients.
+  Symptom: `docker pull` or `apt update` hangs/fails on a fresh IPv6-only box.
+  Keep one IPv4 unless you've confirmed every dependency reaches over IPv6.
+
+## Traffic / locations
+
+- **EU locations include 20 TB/mo egress:** Nuremberg (nbg1), Falkenstein (fsn1),
+  Helsinki (hel1). Overage ~€1/TB.
+- **US (Ashburn / Hillsboro) and Singapore include far less** transfer — the
+  common surprise bill. Choosing US "for latency" can cost more in traffic than
+  it saves in milliseconds for egress-heavy apps.
+- **No own datacenter in APAC** (Singapore aside). Asian users pay a real latency
+  cost; weigh it explicitly rather than assuming a global footprint.
+
+## Reliability trade-offs (name these honestly)
+
+- **No managed-database service.** You run and back up Postgres/MySQL yourself.
+- **No formal uptime SLA.** There is no contractual availability guarantee.
+- **Support tiers:** phone support is only for dedicated-server customers; Cloud
+  is ticket-based.
+
+These are the reasons Hetzner is cheap, not defects to hide. The skill's value is
+making the cheap box reproducible and hardened so the trade-offs are the only
+thing you're accepting — not also an unhardened, un-monitored host.
+
+## Sources
+
+- hcloud CLI v1.65.0 (2026-05-21): github.com/hetznercloud/cli/releases
+- `datacenter` deprecation (removed after 2026-07-01): hcloud CLI release notes
+- Price adjustment (2026-04-01): docs.hetzner.com/general/infrastructure-and-availability/price-adjustment/
+- Plans/prices/traffic/locations/reliability: betterstack.com Hetzner Cloud review + hetzner.com/cloud
+- Firewall layers + cloud-init: community.hetzner.com tutorials
+
+All accessed 2026-06-02.

package/skills/hetzner/scripts/verify.sh

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ============================================================================
+# NAME
+#   verify.sh — hetzner cloud-init / SSH-hardening static lint
+#
+# USAGE
+#   ./verify.sh [path/to/cloud-init.yaml]
+#   With no argument it scans the current directory for cloud-init*.yaml|yml.
+#   Run it BEFORE you create a server, against the user-data file you will pass
+#   to `hcloud server create --user-data-from-file`.
+#
+# WHAT IT CHECKS (pure static text, NO network, NO writes)
+#   FAIL  root SSH not disabled   (need PermitRootLogin no OR disable_root: true)
+#   FAIL  password auth not off   (need PasswordAuthentication no OR ssh_pwauth: false)
+#   FAIL  no SSH key present       (need ssh_authorized_keys / ssh-ed25519 / ssh-rsa)
+#   WARN  no firewall step         (ufw / nftables / hcloud firewall referenced)
+#   WARN  fail2ban absent
+#
+# GUARANTEES
+#   - Read-only and idempotent: never writes, never calls the network.
+#   - Exits 0 on an empty/clean target (no files found = nothing to fail).
+#   - Portable to stock macOS bash 3.2 (no mapfile, no associative arrays).
+#
+# EXIT CODES
+#   0  No FAILs (warnings are fine; no files found is fine).
+#   1  At least one FAIL in at least one scanned file.
+# ============================================================================
+
+if [ -n "${NO_COLOR:-}" ] || [ ! -t 1 ]; then
+  RED="" ; YEL="" ; GRN="" ; RST=""
+else
+  RED=$'\033[31m' ; YEL=$'\033[33m' ; GRN=$'\033[32m' ; RST=$'\033[0m'
+fi
+
+fail()  { printf '%s  FAIL%s %s\n' "$RED" "$RST" "$1" ; }
+warn()  { printf '%s  WARN%s %s\n' "$YEL" "$RST" "$1" ; }
+okmsg() { printf '%s  ok%s   %s\n' "$GRN" "$RST" "$1" ; }
+
+# --- collect target files ---
+TARGETS=""
+if [ "$#" -gt 0 ]; then
+  for f in "$@"; do
+    if [ -f "$f" ]; then
+      TARGETS="$TARGETS $f"
+    else
+      warn "argument is not a file, skipping: $f"
+    fi
+  done
+else
+  for f in cloud-init*.yaml cloud-init*.yml cloud-config*.yaml cloud-config*.yml; do
+    [ -f "$f" ] && TARGETS="$TARGETS $f"
+  done
+fi
+
+# Trim whitespace.
+TARGETS="$(printf '%s' "$TARGETS" | sed 's/^ *//')"
+
+if [ -z "$TARGETS" ]; then
+  echo "hetzner verify: no cloud-init file found to lint — nothing to check."
+  echo "Pass a path explicitly: ./verify.sh path/to/cloud-init.yaml"
+  exit 0
+fi
+
+overall_fail=0
+
+for file in $TARGETS; do
+  echo "── linting: $file"
+  file_fail=0
+
+  # FAIL: root SSH must be disabled
+  if grep -Eqi 'permitrootlogin[[:space:]]+no' "$file" || grep -Eqi 'disable_root:[[:space:]]*true' "$file"; then
+    okmsg "root SSH disabled"
+  else
+    fail "root SSH not disabled — add 'PermitRootLogin no' or 'disable_root: true'"
+    file_fail=1
+  fi
+
+  # FAIL: password auth must be off
+  if grep -Eqi 'passwordauthentication[[:space:]]+no' "$file" || grep -Eqi 'ssh_pwauth:[[:space:]]*(false|no|0)' "$file"; then
+    okmsg "password auth off"
+  else
+    fail "password auth not disabled — add 'PasswordAuthentication no' or 'ssh_pwauth: false'"
+    file_fail=1
+  fi
+
+  # FAIL: an SSH key must be present
+  if grep -Eqi 'ssh_authorized_keys|ssh-ed25519|ssh-rsa|ecdsa-sha2' "$file"; then
+    okmsg "ssh key present"
+  else
+    fail "no SSH public key found — add it under ssh_authorized_keys"
+    file_fail=1
+  fi
+
+  # WARN: a firewall step should be referenced
+  if grep -Eqi 'ufw|nftables|iptables|hcloud firewall' "$file"; then
+    okmsg "firewall step referenced"
+  else
+    warn "no firewall step (ufw/nftables/hcloud firewall) — host has no defense-in-depth layer"
+  fi
+
+  # WARN: fail2ban
+  if grep -Eqi 'fail2ban' "$file"; then
+    okmsg "fail2ban present"
+  else
+    warn "fail2ban not installed — the one exposed SSH port has no brute-force throttle"
+  fi
+
+  if [ "$file_fail" -ne 0 ]; then
+    overall_fail=1
+  fi
+  echo ""
+done
+
+if [ "$overall_fail" -ne 0 ]; then
+  echo "${RED}hetzner verify: FAIL${RST} — resolve the failures above before creating the box."
+  exit 1
+fi
+
+echo "${GRN}hetzner verify: pass${RST} — hardening must-haves present."
+exit 0