feat(skills): /vm-provision 6-phase pipeline
Hub-and-spoke skill:
- SKILL.md (index) + phase-1-select-provider, phase-2-plan,
phase-3-provision, phase-4-harden, phase-5-verify, phase-6-handoff.
Pipeline: select provider → Plan Mode doc → provision (hetzner/vultr
primitives, SSH first-contact TOFU) → harden-base.sh over SSH →
ssh-check + firewall-diff HARD GATE → artefact ledger + optional
/web-deploy handoff.
Invariants:
- ≥ 6 AskUserQuestion calls (Phase 1×2, 2×1, 3×1, 4×1, 5×1).
- Hard gate: Phase 6 refuses to run unless ssh-check AND firewall-diff
both exit 0. "Ignore and proceed" is BLOCKED by design.
- RULE 0.8 (secrets ENV-ref only), RULE 0.4 (cite provider specifics),
RULE 0.5 (plan.md written to <run-dir>/plan.md before provisioning),
RULE -1 (every failure branch returns 2-3 constructive paths).
Defensive-only — no scanning tools, no CVE probes, no third-party
attack-surface analysis. Every phase file ≤ 200 LOC per Constructor
Pattern.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
eee5eecc20