bascule-oss

SHA256

Author	SHA256	Message	Date
Tyler King	04dd74d15f	feat: Dioxus dashboard — session analytics + WASM web target New crates: bascule-dashboard — shared Dioxus component library SessionTable: live active sessions with auth/backend/TPM status StatsCards: active count, 24h total, TPM attested %, failed auth StatusBar: connection health indicator types.rs: DashboardSession, DashboardStats, HealthResponse bascule-dashboard-web — WASM web target (Dioxus 0.6 + web features) Compiles to wasm32-unknown-unknown Dark-first CSS (light mode via prefers-color-scheme) Monospace data display, clean stat cards bascule-core/store.rs — in-memory session store SessionStore with active sessions + aggregate stats Updated via SessionHandler hooks Both dashboard library and web WASM target compile clean. Server and shell builds unaffected. Zero substrate deps. Signed-off-by: Tyler King <tking@guildhouse.dev>	2026-04-05 14:10:01 -04:00
Tyler King	043b9b9bdc	feat: bascule-shell — identity-aware shell with TPM attestation New crate: bascule-shell (471 lines, 1.8MB binary) Login shell that detects identity + platform attestation at startup. Wraps bash/zsh/fish — operator works normally, identity travels with them. Identity detection (priority order): 1. Entra via WSL2 interop 2. Azure CLI 3. Kerberos TGT 4. Cached OIDC token 5. System user (fallback) Platform attestation: TPM 2.0 PCR values via tpm2_pcrread (PCRs 0,1,2,7,10,14) IMA measurement log hash + count Keylime agent state Entra device compliance (WSL2 only) Composite SHA-256 hash over all evidence Shell features: Banner with identity + attestation summary BASCULE_* env vars injected into inner shell --info mode for dry-run display --json mode for machine-readable output --exec mode for single-command execution Configurable via ~/.config/bascule/shell.toml Tested on Fedora with real TPM 2.0: 6 PCRs successfully read from hardware All env vars propagated to inner shell 1.8MB binary, 0 substrate deps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-05 09:47:46 -04:00
Tyler King	02142f7be4	feat: Entra Agent ID auth provider + governance leak cleanup New crate: bascule-auth-agent-id Microsoft Entra Agent ID authentication for AI agents Validates OAuth tokens against Entra JWKS (60min cache) Extracts agent metadata: type, blueprint, sponsor, scopes Detects on-behalf-of (delegated) agents Token-as-password pattern for SSH auth Cleanup: Removed all governance-specific references from comments SessionHandler trait is the only extension point Zero substrate/chronicle/gsap dependencies Config example uses neutral terminology Config: [auth.agent_id] section for Entra configuration tenant_id, audiences, multi_tenant fields 3 crates: bascule-core, bascule-server, bascule-auth-agent-id 938 lines total, 5.6MB binary, 0 substrate deps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 22:35:32 -04:00
Tyler King	bfa26cfd15	feat: Bascule — identity-aware SSH proxy Open-source SSH proxy with pluggable authentication and extensible session handling. Zero external governance dependencies. Core (bascule-core): russh 0.46 SSH server with PTY bridge (portable-pty) Pluggable auth: AuthProvider trait (SSH keys, accept-all dev mode) SessionHandler trait for extending behavior (audit, governance) TOML configuration, ephemeral Ed25519 host key generation Binary (bascule-server): Single binary, 5.6MB release build CLI with --config flag Default: accept-all auth on port 2222 Extension points: AuthProvider — implement for OIDC, certificates, custom auth SessionHandler — implement for audit, governance, recording DefaultHandler — passthrough (ships with open-source version) Zero substrate/chronicle/gsap/hfl dependencies. Apache 2.0 License. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 22:25:33 -04:00

4 commits