# CLAUDE.md — Context for Claude Code

## What is this?

Bascule is an identity-aware SSH proxy. It authenticates operators via SSH keys or AI agent tokens, then connects them to a shell, remote host, or ephemeral container.

## Workspace

- `crates/bascule-core/` — Library: SSH server, auth, session backends, hooks
- `crates/bascule-server/` — Binary: CLI wrapper, config loading, telemetry setup
- `crates/bascule-auth-agent-id/` — Optional: Entra Agent ID auth provider
- `crates/bascule-shell/` — Binary: Identity-aware login shell with TPM attestation
- `charts/bascule/` — Helm chart for K8s deployment
- `images/` — Curated container images for operator environments

## Key traits

- `AuthProvider` (auth.rs) — implement to add auth methods
- `SessionHandler` (hooks.rs) — implement to add session policy

## Commands

```bash
cargo build --all            # Build everything
cargo test --all             # Run tests
cargo clippy --all-targets   # Lint
make ci                      # Full CI check
make dev                     # Run locally in dev mode
```

## Feature flags (bascule-server)

- `agent-id` — Entra Agent ID auth

## Rules

- Zero substrate/chronicle/gsap dependencies
- No unwrap() in production code
- cargo fmt + cargo clippy must pass