tking/bascule-oss
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(m2): bascule-shell exports BASCULE_ROLES for gsh's role check

Browse source 
bascule-shell::set_env now populates BASCULE_ROLES so gsh's
M2 role-aware classifier has something to match against.

Precedence:
  1. Caller-set BASCULE_ROLES wins (env var preserved as-is).
  2. Otherwise derive a default from auth_method:
       oidc-entra | oidc-cached | kerberos -> operator
       ssh-key                              -> apprentice
       _                                    -> apprentice

The auth-method fallback is intentionally minimal — bascule-oss
Identity has no real roles field, and proper role provisioning
(Entra group claims, SPIFFE workload roles) lands in M5. This
default at least populates the env var so M2's role-deny path
is exercised end-to-end on existing dev shells instead of
silently empty.

Stacked on feat/m1-session-sat.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Claude Code <claude@guildhouse.dev>
This commit is contained in:
Claude Code 2026-04-07 17:52:50 -04:00
parent 999c78ef4c
commit 56529626f6
1 changed files with 17 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
crates/bascule-shell/src/main.rs
View file

@ -123,6 +123,23 @@ fn set_env(
if let Some(ref domain) = id.domain { if let Some(ref domain) = id.domain {
std::env::set_var("BASCULE_DOMAIN", domain); std::env::set_var("BASCULE_DOMAIN", domain);
} }
// M2: export operator roles for gsh's role-aware Corpus check.
// Precedence: caller-set BASCULE_ROLES wins; otherwise derive a
// sensible default from the auth method so existing dev shells
// get *some* role context instead of empty. Real role provisioning
// (Entra group claims, SPIFFE workload roles) will replace this
// in M5; M2 just needs the env var populated so the classifier
// has something to match against.
if std::env::var_os("BASCULE_ROLES").is_none() {
let default_role = match id.auth_method.as_str() {
"oidc-entra" | "oidc-cached" => "operator",
"kerberos" => "operator",
"ssh-key" => "apprentice",
_ => "apprentice",
};
std::env::set_var("BASCULE_ROLES", default_role);
}
// BASCULE_ATTESTATION_HASH was an opaque "evidence string" SHA. M1 // BASCULE_ATTESTATION_HASH was an opaque "evidence string" SHA. M1
// replaces it with the proto SAT composite hash. Kept under the same // replaces it with the proto SAT composite hash. Kept under the same
// env var name for backward compatibility with existing gsh consumers // env var name for backward compatibility with existing gsh consumers