docs: DCO, NOTICE, and governance framework

DCO (Developer Certificate of Origin):
  Standard DCO 1.1 (Linux kernel, CNCF, Kubernetes standard)
  Contributors retain copyright — no rights assignment

NOTICE:
  Copyright attribution (Guildhouse LLC)
  Contributors retain copyright, own their implementations
  SessionHandler/AuthProvider as public API boundary
  Tribal jurisdiction for voluntary dispute resolution

GOVERNANCE.md:
  Project governance model and decision making
  IP framework: Guildhouse brand vs contributor code vs shared Apache 2.0
  SessionHandler trait IS the product boundary
  Tribal dispute resolution: voluntary, technically informed
  Tribal partnership mission

CI:
  DCO sign-off check on pull requests
  Existing commits on main exempt

README + CONTRIBUTING:
  Governance section, DCO instructions, corporate guidance

Signed-off-by: Tyler King <tking@guildhouse.dev>

.github/workflows/ci.yml

@@ -11,6 +11,35 @@ env:
   RUSTFLAGS: -Dwarnings
 
 jobs:
+  dco:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: DCO Sign-Off Check
+        run: |
+          COMMITS=$(git log --format='%H %s' origin/main..HEAD 2>/dev/null || echo "")
+          if [ -z "$COMMITS" ]; then
+            echo "No new commits to check"
+            exit 0
+          fi
+          FAILED=0
+          while IFS= read -r line; do
+            HASH=$(echo "$line" | cut -d' ' -f1)
+            MSG=$(git log -1 --format='%B' "$HASH")
+            if ! echo "$MSG" | grep -q "Signed-off-by:"; then
+              echo "Missing DCO sign-off: $line"
+              FAILED=1
+            fi
+          done <<< "$COMMITS"
+          if [ "$FAILED" -eq 1 ]; then
+            echo "All commits must include Signed-off-by. Use: git commit -s"
+            exit 1
+          fi
+          echo "All commits have DCO sign-off"
+
   build:
     runs-on: ubuntu-latest
     steps:

CONTRIBUTING.md

@@ -45,6 +45,38 @@ cargo test --all
 Format: `type: description`
 Types: feat, fix, docs, chore, refactor, test
 
+## Developer Certificate of Origin (DCO)
+
+All contributions must be signed off under the
+[Developer Certificate of Origin](DCO) (DCO Version 1.1).
+
+Every commit must include a `Signed-off-by` line:
+
+```bash
+git commit -s -m "feat: my contribution"
+# Result includes: Signed-off-by: Your Name <your.email@example.com>
+```
+
+### What DCO means
+
+- You certify you have the right to submit the contribution
+- Your contribution is licensed under Apache 2.0
+- You **retain copyright** to your contribution
+- You do NOT assign ownership to Guildhouse
+
+### Corporate contributions
+
+If contributing on behalf of your employer, ensure your employer
+permits the contribution under Apache 2.0.
+
+### Why DCO (not CLA)
+
+- DCO doesn't assign rights — you keep your copyright
+- DCO is lightweight — one line per commit, no legal review
+- DCO is standard — used by Linux, Kubernetes, CNCF projects
+
+See [GOVERNANCE.md](GOVERNANCE.md) for the full IP and dispute resolution framework.
+
 ## License
 
 By contributing, you agree your contributions are licensed under Apache 2.0.

DCO

@@ -0,0 +1,34 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project and the open source license(s) involved.

GOVERNANCE.md

@@ -0,0 +1,95 @@
+# Bascule Project Governance
+
+## Maintainers
+
+Bascule is maintained by [Guildhouse LLC](https://guildhouse.dev).
+
+**Lead maintainer:** Tyler King
+
+## Decision Making
+
+Technical decisions are made by the maintainers with input from the
+community via GitHub Issues and Pull Requests.
+
+Major architectural decisions (new backends, new auth providers, trait
+changes) are discussed in Issues before implementation.
+
+## Contributions
+
+Contributions are accepted under the [Developer Certificate of Origin](DCO)
+(DCO). All commits must include a `Signed-off-by` line:
+
+```bash
+git commit -s -m "feat: my contribution"
+```
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
+
+## Intellectual Property
+
+### What Guildhouse owns
+
+- The Bascule name, logo, and brand
+- The proprietary governance stack (GSAP protocol, SAT attestation,
+  HFL host functions, Chronicle audit, DEFCON posture system)
+- These components are NOT part of bascule-oss and are maintained
+  in separate repositories under separate licenses
+
+### What contributors own
+
+- Copyright to their own contributions (DCO does NOT assign copyright)
+- Any implementation of the `SessionHandler` or `AuthProvider` traits
+- Any product, service, or extension built using bascule-core as a library
+
+### What's shared (Apache 2.0)
+
+- All code in this repository
+- The `SessionHandler` and `AuthProvider` trait definitions
+- The SSH proxy core, session backends, and authentication framework
+- Documentation, Helm charts, container images, and build scripts
+
+### The boundary
+
+The `SessionHandler` trait is the product boundary. Everything below
+the trait (in this repo) is Apache 2.0. Implementations of the trait
+are the intellectual property of their authors.
+
+Guildhouse's own session handler (which adds authorization contexts,
+completion receipts, operational posture, and audit trails) is
+proprietary. It depends on bascule-core as a library, which Apache
+2.0 permits.
+
+Third parties are encouraged to build their own session handlers:
+
+- **Security vendors**: integrate risk scoring into session policy
+- **Compliance teams**: add audit logging for regulatory requirements
+- **Platform teams**: enforce organization-specific access policies
+- **MSPs**: build multi-tenant session management
+
+## Dispute Resolution
+
+Guildhouse partners with tribal sovereign nations to provide
+technically informed dispute resolution for open source projects.
+
+Disputes may be submitted to tribal jurisdiction for resolution by
+adjudicators with expertise in open source software, contribution
+attribution, and digital governance.
+
+This forum is:
+- **Voluntary** — contributors may choose any court of competent jurisdiction
+- **Technically informed** — adjudicators understand open source licensing
+- **Efficient** — designed for faster resolution than federal litigation
+- **Sovereignty-respecting** — rooted in tribal self-determination
+
+This does not limit any rights under the Apache 2.0 license.
+
+## Tribal Partnership
+
+Guildhouse's mission includes advancing cybersecurity capacity and
+digital sovereignty in Indian Country through:
+
+- **Mentorship**: training tribal members in cloud-native infrastructure
+- **Infrastructure**: deploying systems on tribal-controlled hardware
+- **Jurisdiction**: developing legal frameworks for digital governance
+- **Economic participation**: connecting tribal technologists with the
+  cloud consulting ecosystem

NOTICE

@@ -0,0 +1,59 @@
+Bascule — Identity-Aware SSH Proxy
+Copyright 2026 Guildhouse LLC
+
+This product includes software developed by the Bascule contributors
+under the Developer Certificate of Origin (DCO) Version 1.1.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+---
+
+CONTRIBUTION AND GOVERNANCE NOTICE
+
+Bascule is maintained by Guildhouse LLC. Contributions are accepted
+under the Developer Certificate of Origin (see DCO file).
+
+Contributors retain copyright to their contributions. By contributing
+under the DCO, you grant a license consistent with Apache 2.0 — you
+do NOT assign ownership of your contribution to Guildhouse.
+
+Contributors are free to:
+  - Use their contributions in any other project
+  - Build proprietary products using the SessionHandler or AuthProvider
+    traits as extension points
+  - Create and maintain their own session handler implementations
+  - Commercialize their extensions independently
+
+The SessionHandler and AuthProvider traits are public APIs. Any
+implementation of these traits is the intellectual property of its
+author, not of Guildhouse LLC. This applies equally to Guildhouse's
+own implementations and to third-party implementations.
+
+---
+
+DISPUTE RESOLUTION
+
+Guildhouse LLC operates in partnership with tribal sovereign nations
+to advance digital governance infrastructure and cybersecurity
+capacity in Indian Country.
+
+Disputes arising from contributions to this project, including but
+not limited to attribution, contribution scope, and agreement
+interpretation, may be submitted to tribal jurisdiction for
+resolution. This forum is offered as an efficient, technically
+informed alternative and does not limit any rights granted under the
+Apache 2.0 license.
+
+Participation in tribal dispute resolution is voluntary. Contributors
+may alternatively pursue resolution through any court of competent
+jurisdiction.

README.md

@@ -105,6 +105,16 @@ impl SessionHandler for AuditHandler {
 
 See [docs/architecture.md](docs/architecture.md).
 
+## Governance
+
+Bascule is maintained by [Guildhouse LLC](https://guildhouse.dev).
+Contributions are accepted under the [DCO](DCO) — you retain
+copyright to your contributions.
+
+The `SessionHandler` and `AuthProvider` traits are public APIs.
+Implementations are the intellectual property of their authors.
+See [GOVERNANCE.md](GOVERNANCE.md).
+
 ## Roadmap
 
 Not yet implemented: