tking/bascule-workspace
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
9 commits 1 branch 3 tags 410 KiB
Commit graph

4 commits

Author SHA256 Message Date
Tyler J King
9c492d739a docs: add ARCHITECTURE.md, CHANGELOG, fix Cargo metadata 
ARCHITECTURE.md explains the governed shell stack, Keylime integration
model, ShellClass derivation, and implementation status for reviewer
orientation.

CHANGELOG documents v0.1.0-rc.1 deliverables.

Cargo.toml metadata (license, repository) added to bascule-core,
bascule-agent, bascule-gateway.

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
 2026-04-15 15:37:27 -04:00
Tyler J King
ece4e2349f feat(gateway): session downgrade on posture breach 
Add breach evaluator that compares posture changes against active
sessions and applies BreachResponse policy:
- LogOnly/AlertDelegates: log, no session enforcement
- ReducePosture: downgrade System -> Application, session continues
- SuspendTrust: terminate session immediately
- RevokeAccord: terminate session, Accord dead

Posture change detection via 30s polling loop on posture-current
ConfigMap (matching existing reaper interval pattern).
No mid-session upgrade — downgrade only, upgrade requires new ceremony.

9 unit tests for breach evaluation covering all BreachResponse variants.

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
 2026-04-15 15:16:11 -04:00
Tyler J King
1a54cc3877 feat(bascule-gateway): derive ShellClass at ceremony grant from posture 
Read the cluster's operational posture level from the posture-current
ConfigMap at ceremony grant time. Derive ShellClass via
derive_shell_class() and stamp into the granted SessionScope.

- Normal posture (5) -> ShellClass::System
- Any DEFCON escalation -> ShellClass::Application
- Fail-closed: missing ConfigMap -> Lockdown -> Application
- posture_level_at_establishment stored for audit/breach comparison

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
 2026-04-15 10:37:30 -04:00
Tyler King
b1865a0627 initial: bascule v0.1.0 
Bascule shell runtime workspace — governed shell access layer
for Substrate/Guildhouse FFC deployments.

Crates:
- bascule-agent: node agent with SSH server + command filtering
- bascule-core: audit, grant engine, ceremony types, session
- bascule-filter-core: log line filtering (stdio protocol)
- bascule-gateway: OIDC auth, session management, SAT validation
- bascule-node-agent: k8s DaemonSet agent (pod watcher, BPF manager)
- bascule-proto: protobuf definitions
- bascule-shell: governed SSH shell (commands, elevation, REPL)
- bascule-tail: chronicle log tail + fanout
- ceremony-engine: ceremony lifecycle (6 types + request/resolution)

172 tests passing.
Implements SBS-SPEC-0001 shell model.
Reference impl for SPEC-SHELLOPS-0001 Layer 1 (root shell).
 2026-03-18 16:40:48 -04:00