diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 219d29a..67c8983 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,6 +11,35 @@ env: RUSTFLAGS: -Dwarnings jobs: + dco: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: DCO Sign-Off Check + run: | + COMMITS=$(git log --format='%H %s' origin/main..HEAD 2>/dev/null || echo "") + if [ -z "$COMMITS" ]; then + echo "No new commits to check" + exit 0 + fi + FAILED=0 + while IFS= read -r line; do + HASH=$(echo "$line" | cut -d' ' -f1) + MSG=$(git log -1 --format='%B' "$HASH") + if ! echo "$MSG" | grep -q "Signed-off-by:"; then + echo "Missing DCO sign-off: $line" + FAILED=1 + fi + done <<< "$COMMITS" + if [ "$FAILED" -eq 1 ]; then + echo "All commits must include Signed-off-by. Use: git commit -s" + exit 1 + fi + echo "All commits have DCO sign-off" + build: runs-on: ubuntu-latest steps: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9b31786..9a5f3af 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -45,6 +45,38 @@ cargo test --all Format: `type: description` Types: feat, fix, docs, chore, refactor, test +## Developer Certificate of Origin (DCO) + +All contributions must be signed off under the +[Developer Certificate of Origin](DCO) (DCO Version 1.1). + +Every commit must include a `Signed-off-by` line: + +```bash +git commit -s -m "feat: my contribution" +# Result includes: 
Signed-off-by: Your Name +``` + +### What DCO means + +- You certify you have the right to submit the contribution +- Your contribution is licensed under Apache 2.0 +- You **retain copyright** to your contribution +- You do NOT assign ownership to Guildhouse + +### Corporate contributions + +If contributing on behalf of your employer, ensure your employer +permits the contribution under Apache 2.0. + +### Why DCO (not CLA) + +- DCO doesn't assign rights — you keep your copyright +- DCO is lightweight — one line per commit, no legal review +- DCO is standard — used by Linux, Kubernetes, CNCF projects + +See [GOVERNANCE.md](GOVERNANCE.md) for the full IP and dispute resolution framework. + ## License By contributing, you agree your contributions are licensed under Apache 2.0. diff --git a/DCO b/DCO new file mode 100644 index 0000000..4622e65 --- /dev/null +++ b/DCO 
@@ -0,0 +1,34 @@ +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project and the open source license(s) involved. diff --git a/GOVERNANCE.md b/GOVERNANCE.md new file mode 100644 index 0000000..4908cea --- /dev/null +++ b/GOVERNANCE.md 
@@ -0,0 +1,95 @@ +# Bascule Project Governance + +## Maintainers + +Bascule is maintained by [Guildhouse LLC](https://guildhouse.dev). + +**Lead maintainer:** Tyler King + +## Decision Making + +Technical decisions are made by the maintainers with input from the +community via GitHub Issues and Pull Requests. + +Major architectural decisions (new backends, new auth providers, trait +changes) are discussed in Issues before implementation. + +## Contributions + +Contributions are accepted under the [Developer Certificate of Origin](DCO) +(DCO). All commits must include a `Signed-off-by` line: + +```bash +git commit -s -m "feat: my contribution" +``` + +See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines. + +## Intellectual Property + +### What Guildhouse owns + +- The Bascule name, logo, and brand +- The proprietary governance stack (GSAP protocol, SAT attestation, + HFL host functions, Chronicle audit, DEFCON posture system) +- These components are NOT part of bascule-oss and are maintained + in separate repositories under separate licenses + +### What contributors own + +- Copyright to their own contributions (DCO does NOT assign copyright) +- Any implementation of the `SessionHandler` or `AuthProvider` traits +- Any product, service, or extension built using bascule-core as a library + +### What's shared (Apache 2.0) + +- All code in this repository +- The `SessionHandler` and `AuthProvider` trait definitions +- The SSH proxy core, session backends, and authentication framework +- Documentation, Helm charts, container images, and build scripts + +### The boundary + +The `SessionHandler` trait is the product boundary. Everything below +the trait (in this repo) is Apache 2.0. Implementations of the trait +are the intellectual property of their authors. + +Guildhouse's own session handler (which adds authorization contexts, +completion receipts, operational posture, and audit trails) is +proprietary. 
It depends on bascule-core as a library, which Apache +2.0 permits. + +Third parties are encouraged to build their own session handlers: + +- **Security vendors**: integrate risk scoring into session policy +- **Compliance teams**: add audit logging for regulatory requirements +- **Platform teams**: enforce organization-specific access policies +- **MSPs**: build multi-tenant session management + +## Dispute Resolution + +Guildhouse partners with tribal sovereign nations to provide +technically informed dispute resolution for open source projects. + +Disputes may be submitted to tribal jurisdiction for resolution by +adjudicators with expertise in open source software, contribution +attribution, and digital governance. + +This forum is: +- **Voluntary** — contributors may choose any court of competent jurisdiction +- **Technically informed** — adjudicators understand open source licensing +- **Efficient** — designed for faster resolution than federal litigation +- **Sovereignty-respecting** — rooted in tribal self-determination + +This does not limit any rights under the Apache 2.0 license. + +## Tribal Partnership + +Guildhouse's mission includes advancing cybersecurity capacity and +digital sovereignty in Indian Country through: + +- **Mentorship**: training tribal members in cloud-native infrastructure +- **Infrastructure**: deploying systems on tribal-controlled hardware +- **Jurisdiction**: developing legal frameworks for digital governance +- **Economic participation**: connecting tribal technologists with the + cloud consulting ecosystem diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000..b9f7e7c --- /dev/null +++ b/NOTICE 
@@ -0,0 +1,59 @@ +Bascule — Identity-Aware SSH Proxy +Copyright 2026 Guildhouse LLC + +This product includes software developed by the Bascule contributors +under the Developer Certificate of Origin (DCO) Version 1.1. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +--- + +CONTRIBUTION AND GOVERNANCE NOTICE + +Bascule is maintained by Guildhouse LLC. Contributions are accepted +under the Developer Certificate of Origin (see DCO file). + +Contributors retain copyright to their contributions. By contributing +under the DCO, you grant a license consistent with Apache 2.0 — you +do NOT assign ownership of your contribution to Guildhouse. + +Contributors are free to: + - Use their contributions in any other project + - Build proprietary products using the SessionHandler or AuthProvider + traits as extension points + - Create and maintain their own session handler implementations + - Commercialize their extensions independently + +The SessionHandler and AuthProvider traits are public APIs. Any +implementation of these traits is the intellectual property of its +author, not of Guildhouse LLC. This applies equally to Guildhouse's +own implementations and to third-party implementations. + +--- + +DISPUTE RESOLUTION + +Guildhouse LLC operates in partnership with tribal sovereign nations +to advance digital governance infrastructure and cybersecurity +capacity in Indian Country. 
+ +Disputes arising from contributions to this project, including but +not limited to attribution, contribution scope, and agreement +interpretation, may be submitted to tribal jurisdiction for +resolution. This forum is offered as an efficient, technically +informed alternative and does not limit any rights granted under the +Apache 2.0 license. + +Participation in tribal dispute resolution is voluntary. Contributors +may alternatively pursue resolution through any court of competent +jurisdiction. diff --git a/README.md b/README.md index 65c9c09..1216525 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,16 @@ impl SessionHandler for AuditHandler { See [docs/architecture.md](docs/architecture.md). +## Governance + +Bascule is maintained by [Guildhouse LLC](https://guildhouse.dev). +Contributions are accepted under the [DCO](DCO) — you retain +copyright to your contributions. + +The `SessionHandler` and `AuthProvider` traits are public APIs. +Implementations are the intellectual property of their authors. +See [GOVERNANCE.md](GOVERNANCE.md). + ## Roadmap Not yet implemented:
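Review bot: The `dco` job in `.github/workflows/ci.yml` fails open. `git log --format='%H %s' origin/main..HEAD 2>/dev/null || echo ""` turns any git error (a missing `origin/main` ref, or a PR whose base branch is not `main`) into an empty `COMMITS`, and the next branch prints "No new commits to check" and exits 0. Drop the `2>/dev/null || echo ""` so a failed range lookup fails the job, and take the base branch from `github.base_ref` instead of hard-coding `main`. Two further points in the same step: `grep -q "Signed-off-by:"` matches that text anywhere in the message, so anchor it to a full trailer line, for example `grep -qE '^Signed-off-by: .+ <.+>$'`. And with no `ref:` on `actions/checkout`, a `pull_request` run checks out GitHub's merge commit, which carries no sign-off and falls inside `origin/main..HEAD`; add `--no-merges` to the range or check out the PR head.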
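Review bot: The new "Developer Certificate of Origin (DCO)" section in `CONTRIBUTING.md` shows `git commit -s` but not how to repair a branch that already has unsigned commits, which is exactly the case the new CI job rejects. Add a short recovery step, such as `git commit --amend -s` for the last commit or `git rebase --signoff <base>` for a series, followed by a force-push to the PR branch. The bullet "Your contribution is licensed under Apache 2.0" is also worded more strongly than the DCO text added in this patch, which certifies the right to submit "under the open source license indicated in the file"; phrasing it as the project's license and pointing to the License section keeps the two consistent.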
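Review bot: In `GOVERNANCE.md`, "What contributors own" lists "Any implementation of the `SessionHandler` or `AuthProvider` traits" while "What's shared (Apache 2.0)" lists "All code in this repository", so an implementation contributed to this repo falls under both headings. State that implementations kept outside this repository belong to their authors on whatever terms they choose, and that anything merged here is Apache 2.0 with copyright retained by the contributor. The same unqualified sentence appears in `NOTICE` and in the new `README.md` Governance section and needs the same qualifier. The "Dispute Resolution" section also names no forum, nation or submission procedure, so a contributor cannot tell how to use it; link the process or mark it as not yet defined.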
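Review bot: The "CONTRIBUTION AND GOVERNANCE NOTICE" and "DISPUTE RESOLUTION" sections do not belong in the new `NOTICE` file. Under section 4(d) of Apache 2.0, anyone redistributing a derivative work has to reproduce the attribution notices from `NOTICE`, so project policy placed here gets copied into downstream distributions where it has no meaning. Keep `NOTICE` to the product name, the copyright line and the attribution paragraph, and leave the governance and dispute text in `GOVERNANCE.md`, which this patch already adds. In the dispute paragraph, "agreement interpretation" also refers to an agreement the patch never defines, since the DCO is a certification rather than a contract; name the document meant or drop the phrase.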