feat: Phase 4 — Bascule dual-cluster connectivity

Hetzner Bascule: already deployed (pod 756dccc486-wwg78, 5d uptime).
  Exposed via NodePort 30222 on all worker nodes.
  SSH responds: russh_0.46.0, session created, DID resolved.

Connectivity verified from WSL2:
  ssh stg.gsh '!whoami'
  → session: 019d4fd5-..., did: did:web:guildhouse.dev/user/tyler
  → tier: ReadOnly, roles: ["operator"]

Config files:
  config/bascule-dev.toml    — permissive auth, localhost:2223
  config/bascule-hetzner.toml — reference for Hetzner NodePort endpoints

bascule-proxy built and installed (~/.local/bin/).
  Config at ~/.config/bascule/config.toml
  Hosts: dev (localhost:2223), stg/prod (178.104.110.197:30222)

SSH config: stg.gsh and prod.gsh aliases configured.

The full chain: WSL2 → SSH → Bascule (Hetzner) → session + DID.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

config/bascule-dev.toml

@@ -0,0 +1,13 @@
+# Bascule dev configuration — permissive auth for local development.
+# Run: bascule --config config/bascule-dev.toml
+
+listen_addr = "127.0.0.1:2223"
+ca_key_path = "/dev/null"
+host_key_path = "/dev/null"
+dispatch_mode = "direct"
+auth_mode = "permissive"
+
+[elevation]
+operator_ttl_secs = 3600
+admin_ttl_secs = 1800
+emergency_ttl_secs = 900

config/bascule-hetzner.toml

@@ -0,0 +1,14 @@
+# Bascule Hetzner configuration — reference only.
+# The actual Bascule on Hetzner is deployed as a K8s pod.
+# This file documents the connection details for bascule-proxy.
+
+# Hetzner Bascule is at NodePort 30222 on any worker node:
+#   178.104.110.197:30222  (okd-worker-0)
+#   178.104.110.212:30222  (okd-worker-1)
+#   91.98.67.43:30222      (okd-worker-2)
+#
+# Auth: OIDC via Keycloak at auth.guildhouse.dev
+# Realm: depends on deployment (guildhouse-ops, entropy-opposition, etc.)
+#
+# Pod: bascule-gateway in guildhouse-infra namespace
+# Service: bascule-gateway:2222 (ClusterIP) → NodePort 30222