docs: add CLAUDE.md

Documents the 2 crates (gsh binary + libgsh library), the GSH_* env-var contract that bascule sets and forge-fuse reads (Phase 3 shell-IS-session), the cross-workspace dependency on forge-core::CorpusCapabilityCeiling for the runtime three-way intersection, and the local dev-environment/ playbook for the WSL2 + Bascule + Hetzner Keycloak + Entra federation flow. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Tyler J King <tking@guildhouse.dev>
2026-05-04 11:41:30 -04:00 · 2026-05-04 11:41:30 -04:00 · 061e2206ea
commit 061e2206ea
parent 88840ae620
1 changed files with 51 additions and 0 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -0,0 +1,51 @@
+# CLAUDE.md — gsh
+
+The governed shell. Operator-facing CLI that bascule launches after
+OIDC → DID derivation; the binary that consumes `GSH_*` env vars,
+loads the AC, validates the corpus, and runs governed commands.
+Substrate-level (carries the Guildhouse brand intentionally per
+`TODO.md` Layout Principle).
+
+## Crates
+
+- **gsh** — The governed shell binary itself (`GCAP-SPEC-SHELLBOUND-
+  SDK-0001`). Consumes `GSH_DID`, `GSH_ACCORD_HASH`, `GSH_SHELL_CLASS`,
+  `GSH_POSTURE_LEVEL`, `GSH_CAPABILITY_SET` from bascule + propagates
+  to subprocesses via `org-ops-core::context::GshContext` headers.
+- **libgsh** — Library: AC validation, capability-request building,
+  corpus gate. The shell binary's reusable surface.
+
+## Cross-workspace dependencies
+
+**Consumes:** `guildhouse-did` (Did parsing/derivation),
+`bascule-workspace/bascule-core` (`AuthorizationContext` shape),
+`org-ops-core` (env-var contract for child-process governance
+threading), `forge-core::shell_context` (re-exported
+`CorpusCapabilityCeiling` for runtime intersection).
+
+**Consumed by:** the operator's interactive session — invoked by
+bascule-shell after OIDC auth, by `dev-environment/bascule-local.toml`
+locally on WSL2.
+
+## Build / Test
+
+```bash
+CARGO_TARGET_DIR=target-tking cargo build --workspace
+CARGO_TARGET_DIR=target-tking cargo test  --workspace
+```
+
+## Architectural notes
+
+- **`GSH_*` env contract** is the load-bearing interop with bascule
+  (which sets them) and forge-fuse (which reads them via
+  `forge-fuse::ShellContext::from_env`). The contract:
+  `GSH_DID`, `GSH_ACCORD_HASH`, `GSH_SHELL_CLASS=Application|System`,
+  `GSH_POSTURE_LEVEL` (1..=5 DEFCON), `GSH_CAPABILITY_SET` (hex
+  bitmask `0x{:08x}`).
+- **Phase 3 forge-fuse (shell-IS-session)** consumes these env vars
+  to compute the per-mount effective capability via
+  `manifest_cap ∩ shell_cap ∩ corpus_cap`.
+- **Local dev environment** at `dev-environment/` shows the WSL2 +
+  Bascule + gsh + Hetzner Keycloak + Entra federation flow end-to-end.
+- The brand-bound `gsh` name (vs a `substrate-shell`) is preserved
+  intentionally — revisit when the substrate brand solidifies.