bascule-workspace/bascule-gateway/tests/fixtures/test-accord.yaml
Tyler King b1865a0627 initial: bascule v0.1.0
Bascule shell runtime workspace — governed shell access layer
for Substrate/Guildhouse FFC deployments.

Crates:
- bascule-agent: node agent with SSH server + command filtering
- bascule-core: audit, grant engine, ceremony types, session
- bascule-filter-core: log line filtering (stdio protocol)
- bascule-gateway: OIDC auth, session management, SAT validation
- bascule-node-agent: k8s DaemonSet agent (pod watcher, BPF manager)
- bascule-proto: protobuf definitions
- bascule-shell: governed SSH shell (commands, elevation, REPL)
- bascule-tail: chronicle log tail + fanout
- ceremony-engine: ceremony lifecycle (6 types + request/resolution)

172 tests passing.
Implements SBS-SPEC-0001 shell model.
Reference impl for SPEC-SHELLOPS-0001 Layer 1 (root shell).
2026-03-18 16:40:48 -04:00


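---
# Test fixture: the "genesis" Accord used by bascule-gateway tests.
# NOTE(review): this listing reached us with all indentation stripped; the
# nesting below (policy, classifications, ceremonies, ledger, reconciliation,
# controllers and roles as children of `spec`) is reconstructed and should be
# confirmed against the Accord loader's schema.
apiVersion: guildhouse.io/v1alpha1
kind: Accord
metadata:
  name: genesis-accord
  version: "1.0.0"
  # All-zero hash: presumably the sentinel for "no previous version" on the
  # first accord in the chain — confirm with the chain-validation code.
  previousVersionHash: "0000000000000000000000000000000000000000000000000000000000000000"
  authorizingCeremony: bootstrap
  effectiveAt: "2025-06-01T00:00:00Z"
  expiresAt: "2027-06-01T00:00:00Z"
spec:
  trustDomain: guildhouse.local
  policy:
    # "sha256:genesis" is a fixture placeholder, not a real digest; a
    # production accord should carry the actual bundle hash so the policy
    # bundle at bundlePath can be pinned and verified before use.
    bundleHash: "sha256:genesis"
    bundlePath: ".guildhouse/policies/"
  classifications:
    # Wildcard group/resource with read verbs: this covers every readable
    # resource, including secrets, and is self-granted (see ceremonies below).
    - name: read-access
      description: Read-only
      pathways: [imperative, declarative]
      resourceSelectors:
        - apiGroups: ["*"]
          resources: ["*"]
          verbs: ["get", "list", "watch"]
    - name: workload-scaling
      description: Scale workload replicas
      pathways: [imperative, declarative]
      resourceSelectors:
        - apiGroups: ["apps"]
          resources: ["deployments", "statefulsets"]
          # Field-scoped selector: only spec.replicas is in scope.
          fields: ["spec.replicas"]
          verbs: ["patch", "update"]
    - name: workload-deployment
      description: Deploy and update workloads
      pathways: [imperative, declarative]
      resourceSelectors:
        - apiGroups: ["apps"]
          resources: ["deployments", "statefulsets", "daemonsets"]
          verbs: ["create", "update", "patch", "delete"]
    - name: rbac-modification
      description: Modify RBAC resources
      pathways: [declarative]
      resourceSelectors:
        - apiGroups: ["rbac.authorization.k8s.io"]
          resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
          verbs: ["*"]
    - name: network-policy
      description: Manage network policies
      pathways: [declarative]
      resourceSelectors:
        - apiGroups: ["networking.k8s.io"]
          resources: ["networkpolicies"]
          verbs: ["*"]
    - name: secret-management
      description: Manage secrets
      pathways: [declarative]
      resourceSelectors:
        # "" is the Kubernetes core API group.
        - apiGroups: [""]
          resources: ["secrets"]
          verbs: ["create", "update", "patch", "delete"]
    # Break-glass: delete on every resource in every group. Bounded only by
    # the 30m ceremony window and ticket evidence defined below.
    - name: emergency-access
      description: Emergency break-glass access
      pathways: [imperative]
      resourceSelectors:
        - apiGroups: ["*"]
          resources: ["*"]
          verbs: ["delete"]
    - name: accord-change
      description: Changes to the accord document
      pathways: [declarative]
      resourceSelectors:
        - paths:
            - ".guildhouse/accord.yaml"
            - ".guildhouse/policies/**"
    - name: workspace-merge
      description: Merge workspace changes
      pathways: [declarative]
      resourceSelectors:
        - paths:
            - "namespaces/**"
    # Full wildcard on the autonomous pathway; the only gate is the SVID
    # match in its ceremony below.
    - name: reconciliation-merge
      description: Automated reconciliation
      pathways: [autonomous]
      resourceSelectors:
        - apiGroups: ["*"]
          resources: ["*"]
          verbs: ["*"]
  ceremonies:
    # Self-granted for up to 8h; scopeConstraints repeats the read verbs from
    # the classification, presumably so a grant cannot widen beyond them.
    - classification: read-access
      type: self_grant
      requirements:
        maxDuration: "8h"
        scopeConstraints:
          verbs: ["get", "list", "watch"]
    - classification: workload-scaling
      type: single_approval
      requirements:
        approverRoles: ["namespace-admin"]
        maxDuration: "4h"
        mutationBudget: 10
        requiresCapabilityProfile: true
    - classification: workload-deployment
      type: single_approval
      requirements:
        approverRoles: ["namespace-admin"]
        maxDuration: "4h"
        mutationBudget: 5
        requiresTwinValidation: true
    - classification: rbac-modification
      type: quorum_approval
      requirements:
        approverRoles: ["namespace-admin"]
        quorum: 2
        maxDuration: "2h"
        mutationBudget: 3
    - classification: network-policy
      type: single_approval
      requirements:
        approverRoles: ["namespace-admin"]
        maxDuration: "4h"
    - classification: secret-management
      type: quorum_approval
      requirements:
        approverRoles: ["namespace-admin"]
        quorum: 2
        maxDuration: "2h"
        mutationBudget: 3
    - classification: emergency-access
      type: break_glass
      requirements:
        maxDuration: "30m"
        mandatoryPostIncidentReview: true
        # The ticket must be in one of the listed states at grant time;
        # whether it is re-checked during the session is not visible here.
        externalEvidence:
          type: jira_ticket
          project: INCIDENT
          status: ["Active", "In Progress"]
    # NOTE(review): quorum of 2 but no approverRoles, unlike the other
    # quorum ceremonies — confirm whether the engine defaults the approver
    # set or rejects the ceremony.
    - classification: accord-change
      type: quorum_approval
      requirements:
        quorum: 2
        requiresRegoTestsPass: true
        requiresSchemaValidation: true
    - classification: workspace-merge
      type: single_approval
      requirements:
        approverRoles: ["namespace-admin"]
    # NOTE(review): the namespace segment is a wildcard, so a `reconciler`
    # service account in any namespace would match — confirm the intended
    # glob semantics and whether a fixed namespace is wanted.
    - classification: reconciliation-merge
      type: autonomous
      requirements:
        controllerSvidMatch: "spiffe://guildhouse.local/ns/*/sa/reconciler"
  ledger:
    alwaysNotarize:
      - ceremony_completion
      - session_creation
      - mutation_applied
    logOnly:
      - read_access
      - session_heartbeat
    sampled:
      events:
        - health_check
      # Units not visible here (1-in-100 vs. percent) — TODO confirm.
      sampleRate: 100
  reconciliation:
    defaultWindow: "24h"
    onExpiry: alert
    driftCheckInterval: "5m"
    # Secret drift is alert-only; deployment drift is reconciled automatically.
    driftResponses:
      - resourceSelector:
          apiGroups: [""]
          resources: ["secrets"]
        action: alert
      - resourceSelector:
          apiGroups: ["apps"]
          resources: ["deployments"]
        action: auto_reconcile
  controllers:
    # Permitted mutations are narrower than the workload-deployment
    # classification: no daemonsets and no delete.
    - svid: "spiffe://guildhouse.local/ns/argocd/sa/argocd-application-controller"
      classification: workload-deployment
      permittedMutations:
        - apiGroups: ["apps"]
          resources: ["deployments", "statefulsets"]
          verbs: ["create", "update", "patch"]
      ledgerFidelity: full
  roles:
    # NOTE(review): namespace-admin has two members, one of them a workload
    # identity; quorum-2 ceremonies above therefore need both, and the same
    # OIDC identity also holds cluster-admin. Fine for a fixture; worth
    # checking the engine excludes non-human identities from approving.
    - name: namespace-admin
      members:
        - identity: "spiffe://guildhouse.local/ns/capstone/sa/admin"
        - identity: "oidc:tking@guildhouse.local"
      namespaces: ["capstone", "quartermaster"]
    - name: cluster-admin
      members:
        - identity: "oidc:tking@guildhouse.local"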