bascule-oss

tking/bascule-oss

SHA256

Fork 0

Commit graph

Author	SHA256	Message	Date
Tyler King	e7fc9fa5e1	feat: structured logging, tracing spans, comprehensive documentation Observability: Structured JSON logging via BASCULE_LOG_FORMAT=json Tracing spans on auth (method, principal, peer) Tracing spans on session lifecycle (id, principal, backend, source_ip) Tracing spans on exec requests (session_id, command) Config: [telemetry] and [metrics] sections (OTel export planned) Documentation (8 files, 489 lines): docs/quickstart.md — three-path getting started docs/configuration.md — full config reference with examples docs/authentication.md — all auth modes with setup guides docs/architecture.md — backends, traits, extension model, security docs/observability.md — logging, tracing, metrics docs/comparison.md — vs Teleport, Boundary, StrongDM images/README.md — curated image catalog README.md — features, comparison, quickstart, extension example 1557 lines Rust, 489 lines docs, 0 substrate deps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 23:45:03 -04:00
Tyler King	8d789524e8	feat: container backend — ephemeral right-sized shell containers Third session backend: per-session ephemeral containers. SSH session → container spawns → operator works → disconnect → destroyed. Container runtime abstraction: Docker, Podman, Nerdctl via CLI execution (auto-detect) No libdocker dependency — any OCI-compliant runtime Container config ([container] section): image, pull_policy, mounts, env, memory/cpu limits ephemeral (destroy on exit), hardened (drop caps) read_only_rootfs, network mode, user override Handler: SessionBackend enum now has three variants: Local(PtyBridge) — spawn local shell Proxy(UpstreamSession) — forward to remote SSH host Container(ContainerSession) — spawn ephemeral container Priority: proxy > container > local PTY Curated base images (images/): minimal — bash, coreutils, curl, jq, ssh (~50MB) k8s-ops — + kubectl, helm (~120MB) net-ops — + nmap, dig, traceroute, tcpdump (~90MB) dev — + git, make, gcc, python3 (~250MB) The container IS the access boundary: if it's not in the image, the operator can't run it. SessionHandler hooks fire in all three modes. 6.5MB binary, 0 substrate deps, 1197 lines bascule-core. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 23:23:39 -04:00

Author

SHA256

Message

Date

Tyler King

e7fc9fa5e1

feat: structured logging, tracing spans, comprehensive documentation

Observability:
  Structured JSON logging via BASCULE_LOG_FORMAT=json
  Tracing spans on auth (method, principal, peer)
  Tracing spans on session lifecycle (id, principal, backend, source_ip)
  Tracing spans on exec requests (session_id, command)
  Config: [telemetry] and [metrics] sections (OTel export planned)

Documentation (8 files, 489 lines):
  docs/quickstart.md — three-path getting started
  docs/configuration.md — full config reference with examples
  docs/authentication.md — all auth modes with setup guides
  docs/architecture.md — backends, traits, extension model, security
  docs/observability.md — logging, tracing, metrics
  docs/comparison.md — vs Teleport, Boundary, StrongDM
  images/README.md — curated image catalog
  README.md — features, comparison, quickstart, extension example

1557 lines Rust, 489 lines docs, 0 substrate deps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 23:45:03 -04:00

Tyler King

8d789524e8

feat: container backend — ephemeral right-sized shell containers

Third session backend: per-session ephemeral containers.
SSH session → container spawns → operator works → disconnect → destroyed.

Container runtime abstraction:
  Docker, Podman, Nerdctl via CLI execution (auto-detect)
  No libdocker dependency — any OCI-compliant runtime

Container config ([container] section):
  image, pull_policy, mounts, env, memory/cpu limits
  ephemeral (destroy on exit), hardened (drop caps)
  read_only_rootfs, network mode, user override

Handler: SessionBackend enum now has three variants:
  Local(PtyBridge) — spawn local shell
  Proxy(UpstreamSession) — forward to remote SSH host
  Container(ContainerSession) — spawn ephemeral container
  Priority: proxy > container > local PTY

Curated base images (images/):
  minimal — bash, coreutils, curl, jq, ssh (~50MB)
  k8s-ops — + kubectl, helm (~120MB)
  net-ops — + nmap, dig, traceroute, tcpdump (~90MB)
  dev — + git, make, gcc, python3 (~250MB)

The container IS the access boundary:
if it's not in the image, the operator can't run it.

SessionHandler hooks fire in all three modes.
6.5MB binary, 0 substrate deps, 1197 lines bascule-core.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 23:23:39 -04:00

2 commits