From 872a53a3c7f5dc880a703be08478cd8b0d6d5e8aa3b7ec8b9d510cb5b59c947e Mon Sep 17 00:00:00 2001
From: Tyler J King <tking@guildhouse.dev>
Date: Thu, 28 May 2026 09:31:47 -0400
Subject: [PATCH] feat: add T0-T6 shell tier context and governance layer
 mapping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

gsh is the T2 Operator Runtime binary per DESIGN-TYPED-SHELL-HIERARCHY-0001.
Added shell tier context, NO_NEW_PRIVS enforcement note, and
Free/Observed/Governed → L1/L2/L3 governance layer mapping.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Tyler J King <tking@guildhouse.dev>
---
 DESIGN.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/DESIGN.md b/DESIGN.md
index a29c891..9b6bce0 100644
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -6,6 +6,15 @@
 **Spec:** GCAP-SPEC-SHELLBOUND-BROKER-0001 (Layer 3)
 **Language:** Rust
 **License:** Apache 2.0
+**References:** DESIGN-TYPED-SHELL-HIERARCHY-0001 (T0-T6), DESIGN-GOVERNANCE-LAYERING-MODEL-0001 (five-layer model)
+
+> **Shell Tier Context (2026-05-28):** gsh is the **T2 Operator Runtime** binary
+> per DESIGN-TYPED-SHELL-HIERARCHY-0001. It compiles with `--features operator`
+> and is one of seven tier-specific binaries (T0-T6). `NO_NEW_PRIVS` is set at
+> session start. The Free/Observed/Governed command categorization maps to
+> governance layers: Free = L1 Permitted (within PosixBinding ceiling),
+> Observed = L2 Authorized (AC-scoped), Governed = L3 Approved (ceremony-gated).
+> See DESIGN-GOVERNANCE-LAYERING-MODEL-0001 for the full five-layer model.
 
 ---