Bascule shell runtime workspace — governed shell access layer for Substrate/Guildhouse FFC deployments.

Crates:
- bascule-agent: node agent with SSH server + command filtering
- bascule-core: audit, grant engine, ceremony types, session
- bascule-filter-core: log line filtering (stdio protocol)
- bascule-gateway: OIDC auth, session management, SAT validation
- bascule-node-agent: k8s DaemonSet agent (pod watcher, BPF manager)
- bascule-proto: protobuf definitions
- bascule-shell: governed SSH shell (commands, elevation, REPL)
- bascule-tail: chronicle log tail + fanout
- ceremony-engine: ceremony lifecycle (6 types + request/resolution)

172 tests passing. Implements SBS-SPEC-0001 shell model. Reference impl for SPEC-SHELLOPS-0001 Layer 1 (root shell).
syntax = "proto3";
package bascule.v1;
import "google/protobuf/struct.proto";
// --- Command execution ---
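// Request to run one command verb inside an existing shell session.
//
// NOTE(review): every field here is supplied by the caller and the schema
// expresses no authorization by itself. The receiver has to authorize the
// verb and target for this session and validate each field before acting
// on it; confirm where that is done.
message ExecuteCommandRequest {
  // Identifier of the session the command is issued under.
  // NOTE(review): presumably this is what ties the call to an authenticated
  // principal. Confirm it is unguessable, checked against the caller's
  // identity on every request, and kept out of plain-text logs.
  string session_id = 1;

  // Command verb to execute.
  // NOTE(review): presumably one of the values advertised in
  // CommandDescriptor.verb. Confirm unknown verbs are rejected rather than
  // passed through.
  string verb = 2;

  // Target namespace. Declared `optional`, so "not set" can be told apart
  // from the empty string.
  optional string namespace = 3;

  // Kind of the target resource. Declared `optional` (explicit presence).
  optional string resource_type = 4;

  // Name of the target resource. Declared `optional` (explicit presence).
  optional string resource_name = 5;

  // Free-form command arguments.
  // google.protobuf.Struct is untyped and may nest to any depth, so nothing
  // in the schema constrains what arrives here. NOTE(review): confirm the
  // receiver checks names and types against the command's expected
  // parameters, rejects unexpected keys, and bounds size and nesting depth
  // before the values reach a command handler.
  google.protobuf.Struct parameters = 6;

  // Requested output format, as a free-form string.
  // NOTE(review): the accepted values are not defined in this message;
  // confirm the receiver matches it against a fixed list.
  string output_format = 7;
}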
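// Reply to an ExecuteCommandRequest: a decision flag, an optional denial
// reason, the command result or error, and a reference to the audit event.
message ExecuteCommandResponse {
  // Decision flag for the request. The proto3 default for bool is false, so
  // a response in which this field was never set reads as "not allowed".
  bool allowed = 1;

  // Human-readable reason for a denial.
  // NOTE(review): presumably only populated when `allowed` is false.
  // Confirm the text does not reveal more about the grant policy than the
  // caller is entitled to see.
  string denied_reason = 2;

  // At most one member is set; neither is set when no result was produced.
  // NOTE(review): confirm clients check `allowed` before reading `result`,
  // and that a denied response never carries `success`.
  oneof result {
    // Result of a command that ran to completion.
    CommandResult success = 3;

    // Failure information for a command that did not complete.
    CommandError error = 4;
  }

  // Reference to the audit event associated with this command.
  // NOTE(review): confirm this is populated for denied requests as well as
  // allowed ones, so that refusals stay traceable.
  AuditRef audit = 5;
}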
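// Payload of a successful command, carried in
// ExecuteCommandResponse.result.success.
message CommandResult {
  // Command output as a single string.
  // NOTE(review): no size bound is expressed here. Confirm the producer caps
  // the length, and that any filtering of sensitive content happens before
  // the text is placed in this field.
  string output = 1;

  // Number of resources the command affected.
  uint32 resources_affected = 2;

  // NOTE(review): by its name, a hint that the session is close to expiry;
  // the threshold and the expected client reaction are not defined in this
  // message. Confirm expiry itself is enforced by the server and does not
  // depend on clients honouring this flag.
  bool session_expired_warning = 3;
}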
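// Failure information for a command, carried in
// ExecuteCommandResponse.result.error.
message CommandError {
  // Human-readable error text.
  // NOTE(review): confirm internal detail (paths, stack traces, backend
  // error strings) is not copied verbatim into this field.
  string message = 1;

  // Machine-readable error code as a free-form string.
  // NOTE(review): the set of codes is not defined in this message; clients
  // should treat unknown values as a generic failure.
  string code = 2;
}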
// --- Streaming ---
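// One element of a streamed command response. Each chunk carries at most one
// of: a line of output, a line of error output, or an end-of-stream marker.
message CommandStreamChunk {
  oneof chunk {
    // One line of command output.
    string output_line = 1;

    // One line of error output.
    string error_line = 2;

    // End-of-stream marker.
    // NOTE(review): oneof members have explicit presence, so a chunk with
    // `eof` set to false is a distinct case from a chunk with no member set.
    // Confirm consumers test the value and not only which member is present.
    bool eof = 3;
  }
}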
// --- Audit reference ---
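// Pointer to the audit event recorded for a command; returned in
// ExecuteCommandResponse.audit.
message AuditRef {
  // Identifier of the audit event.
  string event_id = 1;

  // Classification label, as a free-form string.
  // NOTE(review): CommandDescriptor.classification has the same name and
  // type; presumably both use one vocabulary. Confirm, and consider an enum
  // if the set of labels is closed.
  string classification = 2;

  // Whether the audit event has been notarized.
  // NOTE(review): what notarization involves is not defined in this message.
  // The flag is only the sender's statement; anything that relies on it
  // should look up `event_id` and verify the record itself.
  bool notarized = 3;
}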
// --- Command discovery ---
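// Request for the list of commands available to a session.
message DiscoverCommandsRequest {
  // Identifier of the session to list commands for.
  // NOTE(review): caller-supplied. Confirm it is checked against the
  // authenticated caller so one session cannot enumerate the commands of
  // another.
  string session_id = 1;
}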
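// Reply to a DiscoverCommandsRequest.
message DiscoverCommandsResponse {
  // Descriptors of the commands reported for the session.
  // NOTE(review): presumably limited to what the session's grants permit.
  // Either way this list is informational; each ExecuteCommandRequest still
  // has to be authorized on its own.
  repeated CommandDescriptor commands = 1;
}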
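// Description of one command, as returned by command discovery.
//
// NOTE(review): a descriptor tells a client how to form a request. It is not
// an enforcement point; the constraints it describes have to be re-checked
// by the receiver of ExecuteCommandRequest.
message CommandDescriptor {
  // Command verb; presumably the value a client places in
  // ExecuteCommandRequest.verb.
  string verb = 1;

  // Human-readable description of the command.
  string description = 2;

  // Classification label, as a free-form string.
  // NOTE(review): the vocabulary is not defined in this message.
  string classification = 3;

  // Parameters the command accepts.
  repeated ParameterDescriptor parameters = 4;

  // Whether the command needs a namespace; presumably refers to
  // ExecuteCommandRequest.namespace.
  bool requires_namespace = 5;

  // Whether the command needs a target resource; presumably refers to
  // ExecuteCommandRequest.resource_type and resource_name.
  bool requires_resource = 6;

  // Whether the command streams its output; presumably as
  // CommandStreamChunk messages.
  bool streaming = 7;
}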
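// Description of one parameter of a command; listed in
// CommandDescriptor.parameters.
message ParameterDescriptor {
  // Parameter name; presumably the key used in
  // ExecuteCommandRequest.parameters.
  string name = 1;

  // Human-readable description of the parameter.
  string description = 2;

  // Parameter type, as a free-form string.
  // NOTE(review): the set of type names is not defined in this message.
  // Request parameters arrive as an untyped google.protobuf.Struct, so this
  // value only helps if the receiver checks incoming values against it.
  string param_type = 3;

  // Whether the parameter must be supplied.
  // NOTE(review): confirm the receiver rejects requests that omit a required
  // parameter and does not rely on clients to honour this flag.
  bool required = 4;
}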