tking/bascule-oss
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
bascule-oss/README.md
Tyler King 6eb2de5dc0 docs: update all documentation for management API + dashboard 
Updated 9 files to reflect:
  Management API (axum, port 9090) — embedded in bascule-server
  Dioxus dashboard components (WASM web target)
  6 crates in workspace (was 4)

README.md:
  Added Management API + Dashboard features section
  Added dashboard row to comparison table

docs/architecture.md:
  Updated diagram showing dual-listener architecture
  Added Management API section explaining Arc<SessionStore> sharing
  Updated crate table (6 crates)

docs/configuration.md:
  Added [dashboard] config section reference

docs/observability.md:
  Added Management API monitoring section with curl examples

docs/quickstart.md:
  Added Management API quick start section

docs/comparison.md:
  Added dashboard and TPM attestation rows

CLAUDE.md + CONTRIBUTING.md:
  Updated crate lists and feature flags

config/bascule.example.toml:
  Added [dashboard] section

All 17 README links verified valid. Build clean.

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-05 17:17:18 -04:00

155 lines
4.9 KiB
Markdown
Raw Blame History

# Bascule
Identity-aware SSH proxy for modern infrastructure.
Bascule authenticates operators via SSH keys or AI agent tokens, then connects them to a local shell, remote host, or ephemeral container. No agents to install. No control plane. One binary.
## Quick Start
```bash
cargo build --release -p bascule-server
./target/release/bascule --config config/bascule.example.toml
# In another terminal:
ssh -p 2222 localhost
```
See [docs/quickstart.md](docs/quickstart.md) for Docker, Helm, and container mode.
## Features
### Session Backends
| Mode | Config | Description |
|------|--------|-------------|
| Local PTY | (default) | Spawn a local shell process |
| Remote Proxy | `[proxy]` | Forward to a remote SSH host |
| Container | `[container]` | Ephemeral container per session (Docker/Podman/nerdctl) |
| Kubernetes | `[k8s]` | Shared jumphost with shell sidecar *(config ready, runtime coming)* |
### Authentication
- **SSH Keys** — standard OpenSSH authorized_keys files
- **Accept All** — development only, accepts any key
- **Entra Agent ID** — Microsoft AI agent identity (`--features agent-id`)
- **SPIFFE/SPIRE** — workload identity *(config ready, runtime coming)*
### Security
- Session limiting (semaphore-based `max_sessions`)
- Container hardening (`--cap-drop ALL`, `--security-opt no-new-privileges`)
- Container config validation (injection prevention)
- Read-only rootfs option
- NetworkPolicy for Kubernetes deployments
### Management API + Dashboard
Built-in HTTP management API (port 9090, `--features dashboard`):
- `GET /api/sessions` — active sessions with auth/backend/TPM status
- `GET /api/stats` — aggregate analytics (auth breakdown, peak concurrent, TPM %)
- `GET /api/health` — server health and version
- WASM dashboard at `/dashboard/` *(coming soon)*
### Observability
- Structured JSON logging (`BASCULE_LOG_FORMAT=json`)
- Tracing spans on auth, session lifecycle, exec requests
- Management API for real-time session monitoring
## Client: bascule-shell
Identity-aware login shell with TPM attestation:
```bash
./target/release/bascule-shell --info
```
```
╔═══════════════════════════════════════════════════════╗
║ Bascule Shell v0.1.0 ║
║ Principal: tking ║
║ Method: ssh-key ║
║ TPM: available (6 PCRs verified) ║
║ Platform: sha256:e9b95f002f54222d... ║
╚═══════════════════════════════════════════════════════╝
```
See [docs/bascule-shell.md](docs/bascule-shell.md).
## Comparison
| | Bascule | Teleport | Boundary |
|---|---|---|---|
| License | Apache 2.0 | AGPL / Commercial | MPL / Commercial |
| Agents required | No | Yes | Yes |
| Control plane | No | Required | Required |
| Container sessions | Yes | No | No |
| AI Agent Identity | Yes (Entra Agent ID) | No | No |
| Binary size | ~7MB | ~150MB | ~100MB |
| Built-in dashboard | Yes (port 9090) | Yes | No |
See [docs/comparison.md](docs/comparison.md).
## Deployment
- **Standalone**: `cargo build --release -p bascule-server`
- **Docker**: `docker build -t bascule .`
- **Kubernetes**: `helm install bascule charts/bascule/` — see [docs/kubernetes.md](docs/kubernetes.md)
## Extending Bascule
Implement `SessionHandler` to add custom policy:
```rust
use bascule_core::hooks::{SessionHandler, SessionInfo};
struct AuditHandler;
#[async_trait]
impl SessionHandler for AuditHandler {
async fn on_session_start(&self, s: &SessionInfo) -> anyhow::Result<()> {
println!("{} connected from {}", s.principal, s.source_ip);
Ok(())
}
}
```
See [docs/architecture.md](docs/architecture.md).
## Governance
Bascule is maintained by [Guildhouse LLC](https://guildhouse.dev).
Contributions are accepted under the [DCO](DCO) — you retain
copyright to your contributions.
The `SessionHandler` and `AuthProvider` traits are public APIs.
Implementations are the intellectual property of their authors.
See [GOVERNANCE.md](GOVERNANCE.md).
## Roadmap
Not yet implemented:
- OIDC authentication (Keycloak, Entra, Okta)
- K8s API exec backend runtime
- SPIFFE/SPIRE auth runtime
- OpenTelemetry OTLP exporter
- Prometheus metrics endpoint
- Session recording
- Per-session Pod isolation
## Documentation
- [Quick Start](docs/quickstart.md)
- [Configuration](docs/configuration.md)
- [Authentication](docs/authentication.md)
- [Architecture](docs/architecture.md)
- [Observability](docs/observability.md)
- [Kubernetes](docs/kubernetes.md)
- [bascule-shell](docs/bascule-shell.md)
- [Comparison](docs/comparison.md)
- [Container Images](images/README.md)
- [Contributing](CONTRIBUTING.md)
## License
Apache 2.0
Reference in a new issue View git blame Copy permalink