Adds bascule_shell::identity::detect_spiffe_svid which reads a SPIFFE SVID URI from /var/run/spire/svid-uri (override via SPIFFE_SVID_PATH). When present it wins over Entra/AZ-CLI/Kerberos/cached-OIDC/system-user, becoming the SAT session_leaf actor field that QM's M5 SpiffeSvidEvaluator validates against the cluster allowlist.

Why a file read instead of the SPIFFE Workload API: bascule-shell ships independently from QM and the standard SPIRE k8s sidecar writes the URI as /var/run/spire/svid-uri alongside svid.pem. The file path is hermetic for tests and matches the deploy model. If a future iteration needs continuous SVID URI rotation, switch to a notify watcher or pull spiffe::workload_api.

Trust domain is parsed and surfaced as Identity.domain so the banner / dashboard can show "spiffe://gh.dev" affiliation.

bascule_shell::main::set_env: auth_method == "spiffe" maps to BASCULE_ROLES = "operator" by default. SPIRE-attested workloads are explicitly cluster-issued so they get operator role until per-workload provisioning lands. The existing precedence (caller-set BASCULE_ROLES wins) is unchanged.

Bascule mTLS *channel* construction (Bascule -> QM gRPC renegotiation) is intentionally NOT wired in this commit. Per ADR D9 hot path is local; the renegotiation client is deferred to M6 alongside the Rekor signing client because they share the rustls dep tree.

Tested (Docker rust:1.88-bookworm):
  cargo build -p bascule-shell -p bascule-core   clean
  cargo test -p bascule-core --lib sat           7/7 (M1 regression)

Stacked on feat/m3-defcon-env.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Claude Code <claude@guildhouse.dev>
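The commit message describes the file-based SVID detection, the trust-domain parse and the BASCULE_ROLES precedence, but the page carries no code. The block below is an added, self-contained Rust example written here to illustrate that flow; it is not bascule-shell's own code. The `Identity` struct and its field names, the simplified SPIFFE ID validation rules (lowercase trust domain, non-empty path, no `.`/`..` segments, 2048-byte cap), the fail-closed choice of rejecting a present-but-malformed SVID file rather than falling through to a weaker auth method, and the `default_roles` helper returning `None` for non-SPIFFE methods are all assumptions made for the example.

```rust
use std::env;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Default location the SPIRE sidecar writes the SVID URI to (from the commit message).
pub const DEFAULT_SVID_URI_PATH: &str = "/var/run/spire/svid-uri";

/// Hypothetical identity record; field names are assumptions, not bascule-shell's real type.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Identity {
    pub actor: String,       // full SPIFFE ID, would become the SAT session_leaf actor
    pub domain: String,      // trust domain, e.g. "gh.dev", for the banner / dashboard
    pub auth_method: String, // "spiffe" here; other methods would set their own label
}

fn valid_domain_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

fn valid_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Validate a workload SPIFFE ID and return (trust_domain, path).
/// Simplified rules (assumption): `spiffe://` scheme, lowercase trust domain,
/// a non-empty path with no empty, "." or ".." segments, total length <= 2048 bytes.
pub fn parse_spiffe_id(raw: &str) -> Result<(String, String), String> {
    let s = raw.trim();
    if s.len() > 2048 {
        return Err("SPIFFE ID exceeds 2048 bytes".into());
    }
    let rest = s
        .strip_prefix("spiffe://")
        .ok_or_else(|| format!("not a spiffe:// URI: {s:?}"))?;
    // Split authority (trust domain) from the workload path at the first '/'.
    let (domain, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if domain.is_empty() || !domain.chars().all(valid_domain_char) {
        return Err(format!("invalid trust domain in {s:?}"));
    }
    if path.is_empty() {
        return Err(format!("workload SVID must carry a path: {s:?}"));
    }
    for seg in path[1..].split('/') {
        if seg.is_empty() || seg == "." || seg == ".." || !seg.chars().all(valid_path_char) {
            return Err(format!("invalid path segment {seg:?} in {s:?}"));
        }
    }
    Ok((domain.to_string(), path.to_string()))
}

/// Resolve the SVID URI file path: SPIFFE_SVID_PATH overrides the default.
pub fn svid_uri_path() -> PathBuf {
    env::var("SPIFFE_SVID_PATH")
        .map(PathBuf::from)
        .unwrap_or_else(|_| PathBuf::from(DEFAULT_SVID_URI_PATH))
}

/// Read and validate the SVID URI file.
/// Ok(None): no file, the caller falls through to the next auth method.
/// Err: a file exists but is malformed; fail closed instead of silently
/// downgrading to a weaker method (assumption, not the commit's stated behaviour).
pub fn detect_spiffe_svid(path: &Path) -> Result<Option<Identity>, String> {
    let raw = match fs::read_to_string(path) {
        Ok(s) => s,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(format!("reading {}: {e}", path.display())),
    };
    let (domain, _workload_path) = parse_spiffe_id(&raw)?;
    Ok(Some(Identity {
        actor: raw.trim().to_string(),
        domain,
        auth_method: "spiffe".to_string(),
    }))
}

/// Role default mirroring the commit's precedence: a caller-set BASCULE_ROLES wins,
/// otherwise SPIFFE-attested sessions get "operator"; other methods return None
/// (assumption: leave the variable untouched for them).
pub fn default_roles(auth_method: &str, caller_set: Option<&str>) -> Option<String> {
    match caller_set {
        Some(r) if !r.is_empty() => Some(r.to_string()),
        _ if auth_method == "spiffe" => Some("operator".to_string()),
        _ => None,
    }
}

fn main() {
    match detect_spiffe_svid(&svid_uri_path()) {
        Ok(Some(id)) => println!("SPIFFE identity {} (trust domain {})", id.actor, id.domain),
        Ok(None) => println!("no SVID URI file; falling through to other auth methods"),
        Err(e) => eprintln!("SVID URI present but rejected: {e}"),
    }
}
```

The split between `Ok(None)` and `Err` is the part worth keeping in mind when wiring a detector like this into a precedence chain: an absent file is the normal "not a SPIRE workload" case, while a present file that fails validation is a signal that the sidecar or the mount is misconfigured, and treating it the same as absence would quietly move the session onto a lower-assurance credential.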
Tree at this commit:
  bascule-auth-agent-id
  bascule-core
  bascule-dashboard
  bascule-dashboard-web
  bascule-server
  bascule-shell