SSH proxy + governance: ShellClass, ceremony, breach, delegation (Rust)
Wires the AuditPipeline's flush() path to QM's QuartermasterNotary gRPC service. Previously flush() only updated local notarized=true flags; now it batches pending leaf hashes into a CreateAnchorRequest and persists the returned anchor_id + leaf_index back on each event row.

Lazy-retry semantics match guildhouse-spire-plugins pkg/governance (F.1): the gRPC channel is established on first successful flush and cached in Arc<Mutex<Option<QuartermasterNotaryClient<Channel>>>>. If QM is unreachable, bascule logs a warning, re-queues the leaves into the pending buffer, and retries on the next flush interval. Local audit rows are still written with notarized=true; only anchor_id stays NULL until an anchor successfully lands. This is the same pattern that unblocks the bascule-deploys-before-QM ordering problem without crashing bascule.

Schema: bascule.audit_events already had anchor_id uuid + leaf_index integer columns (migrations.rs, pre-existing). This commit populates them for the first time.

Config:
- New `cluster_id` field on BasculeConfig, sourced from BASCULE_CLUSTER_ID env. Empty string disables QM submission (local storage only). In F.4, bascule gets the UUID from QM's clusters table (generated at QM genesis).
- Existing `qm_endpoint` field now actually used (was scaffolded in pre-F.4 code but never read).

Backwards-compat:
- submit(&self, event: &AuditEvent, notarize: bool) signature preserved.
- should_notarize(classification, fidelity) public fn preserved.
- Internal leaf_data hashing simplified to an event-field digest (event_id + session_id + operator + command + classification + exec_result + timestamp); bypasses serde_json_canonicalizer dependency that the prior version required. Verify path still works against QM's merkle tree because QM hashes whatever bytes bascule submits — QM doesn't re-compute; it trusts the leaf payload bascule submitted is the leaf.

Signed-off-by: Tyler J King <tking@guildhouse.dev>

| |
|---|
| bascule-agent |
| bascule-core |
| bascule-filter-core |
| bascule-gateway |
| bascule-node-agent |
| bascule-proto |
| bascule-shell |
| bascule-tail |
| ceremony-engine |
| proto/bascule/v1 |
| .gitignore |
| ARCHITECTURE.md |
| Cargo.lock |
| Cargo.toml |
| CHANGELOG.md |
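
The flush behaviour the commit message above describes (lazy connect, cached client, re-queue on failure, empty `cluster_id` meaning local-only), sketched as an added example; it is not code from the bascule repository. The `Pipeline`, `Client` and `flush` shapes, the in-memory `anchored` list standing in for the audit table, and the leaf hashes are assumptions constructed for illustration.

```rust
use std::collections::VecDeque;

pub type Leaf = [u8; 32];
/// Hypothetical stand-in for a connected notary client (not the real gRPC type):
/// one call anchors a batch and returns (anchor_id, leaf_index of the first leaf).
pub type Client = Box<dyn FnMut(&str, &[Leaf]) -> Result<(String, u32), String>>;

#[derive(Default)]
pub struct Pipeline {
    pub cluster_id: String,                // empty string: local storage only
    pub client: Option<Client>,            // cached after the first successful connect
    pub pending: VecDeque<(u64, Leaf)>,    // (row id, leaf hash) still without an anchor
    pub anchored: Vec<(u64, String, u32)>, // (row id, anchor_id, leaf_index)
}

impl Pipeline {
    /// One flush interval; `connect` is called only while no client is cached.
    pub fn flush(&mut self, connect: &mut dyn FnMut() -> Result<Client, String>) -> Result<usize, String> {
        if self.cluster_id.is_empty() || self.pending.is_empty() {
            return Ok(0);
        }
        if self.client.is_none() {
            self.client = Some(connect()?); // on failure `pending` is left untouched
        }
        let batch: Vec<(u64, Leaf)> = self.pending.drain(..).collect();
        let leaves: Vec<Leaf> = batch.iter().map(|(_, leaf)| *leaf).collect();
        let call = self.client.as_mut().expect("client was set just above");
        match (*call)(&self.cluster_id, &leaves) {
            Ok((anchor_id, first)) => {
                for (i, (row, _)) in batch.iter().enumerate() {
                    self.anchored.push((*row, anchor_id.clone(), first + i as u32));
                }
                Ok(batch.len())
            }
            Err(e) => {
                self.pending.extend(batch); // back in order for the next interval
                Err(e)
            }
        }
    }
}

fn main() {
    let mut p = Pipeline { cluster_id: "cluster-id-placeholder".into(), ..Default::default() };
    p.pending.push_back((1, [0xA1; 32])); // constructed leaf hash
    let mut down = || Err::<Client, String>("QM unreachable".into());
    let first_try = p.flush(&mut down);
    println!("{:?}, backlog = {}", first_try, p.pending.len());
}
```

Because rows are marked notarized=true before an anchor lands, a check for anchored evidence has to test `anchor_id` rather than the flag, and the length of `pending` is the value to watch for a notary outage that never clears.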