tking/gsh
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(libgsh): DID-sourced capability intersection via IntersectionInput

Browse source 
IntersectionInput replaces separate accord lookups with a DID-document-
sourced three-way intersection: effective = posix_bounding & accord_allowed
& delegation_remaining. denied_to_allowed_mask() converts denied capability
names to a bitmask for the intersection.

Includes workspace-level cleanup and gsh binary refactoring.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Tyler J King <tking@guildhouse.dev>
This commit is contained in:
Tyler J King 2026-05-26 09:56:20 -04:00
parent 7c84854222
commit d0b674f6cd
12 changed files with 682 additions and 924 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

652
Cargo.lock generated
View file

@ -78,12 +78,6 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "atomic-waker"
version = "1.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
[[package]] [[package]]
name = "atty" name = "atty"
version = "0.2.14" version = "0.2.14"
@ -117,12 +111,6 @@ dependencies = [
"match-lookup", "match-lookup",
] ]
[[package]]
name = "base64"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
[[package]] [[package]]
name = "base64ct" name = "base64ct"
version = "1.8.3" version = "1.8.3"
@ -290,26 +278,6 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f421161cb492475f1661ddc9815a745a1c894592070661180fdec3d4872e9c3" checksum = "2f421161cb492475f1661ddc9815a745a1c894592070661180fdec3d4872e9c3"
[[package]]
name = "core-foundation"
version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]]
name = "core-foundation"
version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]] [[package]]
name = "core-foundation-sys" name = "core-foundation-sys"
version = "0.8.7" version = "0.8.7"
@ -504,15 +472,6 @@ version = "1.15.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719" checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
[[package]]
name = "encoding_rs"
version = "0.8.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
dependencies = [
"cfg-if",
]
[[package]] [[package]]
name = "equivalent" name = "equivalent"
version = "1.0.2" version = "1.0.2"
@ -558,33 +517,12 @@ version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
[[package]]
name = "fnv"
version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
[[package]] [[package]]
name = "foldhash" name = "foldhash"
version = "0.1.5" version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
[[package]]
name = "foreign-types"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
dependencies = [
"foreign-types-shared",
]
[[package]]
name = "foreign-types-shared"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
[[package]] [[package]]
name = "form_urlencoded" name = "form_urlencoded"
version = "1.2.2" version = "1.2.2"
@ -594,55 +532,6 @@ dependencies = [
"percent-encoding", "percent-encoding",
] ]
[[package]]
name = "futures-channel"
version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
dependencies = [
"futures-core",
"futures-sink",
]
[[package]]
name = "futures-core"
version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
[[package]]
name = "futures-io"
version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
[[package]]
name = "futures-sink"
version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
[[package]]
name = "futures-task"
version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
[[package]]
name = "futures-util"
version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
dependencies = [
"futures-core",
"futures-io",
"futures-sink",
"futures-task",
"memchr",
"pin-project-lite",
"slab",
]
[[package]] [[package]]
name = "generic-array" name = "generic-array"
version = "0.14.7" version = "0.14.7"
@ -712,25 +601,6 @@ dependencies = [
"url", "url",
] ]
[[package]]
name = "h2"
version = "0.4.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
dependencies = [
"atomic-waker",
"bytes",
"fnv",
"futures-core",
"futures-sink",
"http",
"indexmap",
"slab",
"tokio",
"tokio-util",
"tracing",
]
[[package]] [[package]]
name = "half" name = "half"
version = "2.7.1" version = "2.7.1"
@ -778,123 +648,6 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "http"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
dependencies = [
"bytes",
"itoa",
]
[[package]]
name = "http-body"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
dependencies = [
"bytes",
"http",
]
[[package]]
name = "http-body-util"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
dependencies = [
"bytes",
"futures-core",
"http",
"http-body",
"pin-project-lite",
]
[[package]]
name = "httparse"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
[[package]]
name = "hyper"
version = "1.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6299f016b246a94207e63da54dbe807655bf9e00044f73ded42c3ac5305fbcca"
dependencies = [
"atomic-waker",
"bytes",
"futures-channel",
"futures-core",
"h2",
"http",
"http-body",
"httparse",
"itoa",
"pin-project-lite",
"smallvec",
"tokio",
"want",
]
[[package]]
name = "hyper-rustls"
version = "0.27.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
dependencies = [
"http",
"hyper",
"hyper-util",
"rustls",
"rustls-pki-types",
"tokio",
"tokio-rustls",
"tower-service",
]
[[package]]
name = "hyper-tls"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
dependencies = [
"bytes",
"http-body-util",
"hyper",
"hyper-util",
"native-tls",
"tokio",
"tokio-native-tls",
"tower-service",
]
[[package]]
name = "hyper-util"
version = "0.1.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
dependencies = [
"base64",
"bytes",
"futures-channel",
"futures-util",
"http",
"http-body",
"hyper",
"ipnet",
"libc",
"percent-encoding",
"pin-project-lite",
"socket2",
"system-configuration",
"tokio",
"tower-service",
"tracing",
"windows-registry",
]
[[package]] [[package]]
name = "iana-time-zone" name = "iana-time-zone"
version = "0.1.65" version = "0.1.65"
@ -1040,22 +793,6 @@ dependencies = [
"serde_core", "serde_core",
] ]
[[package]]
name = "ipnet"
version = "2.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
[[package]]
name = "iri-string"
version = "0.7.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20"
dependencies = [
"memchr",
"serde",
]
[[package]] [[package]]
name = "is_terminal_polyfill" name = "is_terminal_polyfill"
version = "1.70.2" version = "1.70.2"
@ -1083,8 +820,6 @@ version = "0.3.94"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2e04e2ef80ce82e13552136fabeef8a5ed1f985a96805761cbb9a2c34e7664d9" checksum = "2e04e2ef80ce82e13552136fabeef8a5ed1f985a96805761cbb9a2c34e7664d9"
dependencies = [ dependencies = [
"cfg-if",
"futures-util",
"once_cell", "once_cell",
"wasm-bindgen", "wasm-bindgen",
] ]
@ -1115,7 +850,7 @@ dependencies = [
"dirs", "dirs",
"guildhouse-did", "guildhouse-did",
"hex", "hex",
"reqwest", "libc",
"serde", "serde",
"serde_json", "serde_json",
"sha2", "sha2",
@ -1194,12 +929,6 @@ dependencies = [
"autocfg", "autocfg",
] ]
[[package]]
name = "mime"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
[[package]] [[package]]
name = "mio" name = "mio"
version = "1.2.0" version = "1.2.0"
@ -1224,23 +953,6 @@ dependencies = [
"data-encoding-macro", "data-encoding-macro",
] ]
[[package]]
name = "native-tls"
version = "0.2.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2"
dependencies = [
"libc",
"log",
"openssl",
"openssl-probe",
"openssl-sys",
"schannel",
"security-framework",
"security-framework-sys",
"tempfile",
]
[[package]] [[package]]
name = "nix" name = "nix"
version = "0.29.0" version = "0.29.0"
@ -1284,50 +996,6 @@ version = "1.70.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe" checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
[[package]]
name = "openssl"
version = "0.10.76"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "951c002c75e16ea2c65b8c7e4d3d51d5530d8dfa7d060b4776828c88cfb18ecf"
dependencies = [
"bitflags",
"cfg-if",
"foreign-types",
"libc",
"once_cell",
"openssl-macros",
"openssl-sys",
]
[[package]]
name = "openssl-macros"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "openssl-probe"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
[[package]]
name = "openssl-sys"
version = "0.9.112"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "57d55af3b3e226502be1526dfdba67ab0e9c96fc293004e79576b2b9edb0dbdb"
dependencies = [
"cc",
"libc",
"pkg-config",
"vcpkg",
]
[[package]] [[package]]
name = "option-ext" name = "option-ext"
version = "0.2.0" version = "0.2.0"
@ -1379,12 +1047,6 @@ dependencies = [
"spki", "spki",
] ]
[[package]]
name = "pkg-config"
version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
[[package]] [[package]]
name = "potential_utf" name = "potential_utf"
version = "0.1.5" version = "0.1.5"
@ -1477,62 +1139,6 @@ dependencies = [
"unicode-width", "unicode-width",
] ]
[[package]]
name = "reqwest"
version = "0.12.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
dependencies = [
"base64",
"bytes",
"encoding_rs",
"futures-channel",
"futures-core",
"futures-util",
"h2",
"http",
"http-body",
"http-body-util",
"hyper",
"hyper-rustls",
"hyper-tls",
"hyper-util",
"js-sys",
"log",
"mime",
"native-tls",
"percent-encoding",
"pin-project-lite",
"rustls-pki-types",
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper",
"tokio",
"tokio-native-tls",
"tower",
"tower-http",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
]
[[package]]
name = "ring"
version = "0.17.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
dependencies = [
"cc",
"cfg-if",
"getrandom 0.2.17",
"libc",
"untrusted",
"windows-sys 0.52.0",
]
[[package]] [[package]]
name = "rustc_version" name = "rustc_version"
version = "0.4.1" version = "0.4.1"
@ -1568,89 +1174,18 @@ dependencies = [
"windows-sys 0.61.2", "windows-sys 0.61.2",
] ]
[[package]]
name = "rustls"
version = "0.23.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
dependencies = [
"once_cell",
"rustls-pki-types",
"rustls-webpki",
"subtle",
"zeroize",
]
[[package]]
name = "rustls-pki-types"
version = "1.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
dependencies = [
"zeroize",
]
[[package]]
name = "rustls-webpki"
version = "0.103.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
dependencies = [
"ring",
"rustls-pki-types",
"untrusted",
]
[[package]] [[package]]
name = "rustversion" name = "rustversion"
version = "1.0.22" version = "1.0.22"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
[[package]]
name = "ryu"
version = "1.0.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
[[package]]
name = "schannel"
version = "0.1.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
dependencies = [
"windows-sys 0.61.2",
]
[[package]] [[package]]
name = "scopeguard" name = "scopeguard"
version = "1.2.0" version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]]
name = "security-framework"
version = "3.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
dependencies = [
"bitflags",
"core-foundation 0.10.1",
"core-foundation-sys",
"libc",
"security-framework-sys",
]
[[package]]
name = "security-framework-sys"
version = "2.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]] [[package]]
name = "semver" name = "semver"
version = "1.0.27" version = "1.0.27"
@ -1700,18 +1235,6 @@ dependencies = [
"zmij", "zmij",
] ]
[[package]]
name = "serde_urlencoded"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
dependencies = [
"form_urlencoded",
"itoa",
"ryu",
"serde",
]
[[package]] [[package]]
name = "sha2" name = "sha2"
version = "0.10.9" version = "0.10.9"
@ -1769,12 +1292,6 @@ dependencies = [
"rand_core", "rand_core",
] ]
[[package]]
name = "slab"
version = "0.4.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
[[package]] [[package]]
name = "smallvec" name = "smallvec"
version = "1.15.1" version = "1.15.1"
@ -1848,6 +1365,7 @@ dependencies = [
"ciborium", "ciborium",
"nix", "nix",
"serde", "serde",
"sha2",
"thiserror 2.0.18", "thiserror 2.0.18",
"tokio", "tokio",
] ]
@ -1869,15 +1387,6 @@ dependencies = [
"unicode-ident", "unicode-ident",
] ]
[[package]]
name = "sync_wrapper"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
dependencies = [
"futures-core",
]
[[package]] [[package]]
name = "synstructure" name = "synstructure"
version = "0.13.2" version = "0.13.2"
@ -1889,27 +1398,6 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "system-configuration"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b"
dependencies = [
"bitflags",
"core-foundation 0.9.4",
"system-configuration-sys",
]
[[package]]
name = "system-configuration-sys"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]] [[package]]
name = "tempfile" name = "tempfile"
version = "3.27.0" version = "3.27.0"
@ -2001,84 +1489,6 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "tokio-native-tls"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
dependencies = [
"native-tls",
"tokio",
]
[[package]]
name = "tokio-rustls"
version = "0.26.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
dependencies = [
"rustls",
"tokio",
]
[[package]]
name = "tokio-util"
version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
dependencies = [
"bytes",
"futures-core",
"futures-sink",
"pin-project-lite",
"tokio",
]
[[package]]
name = "tower"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
dependencies = [
"futures-core",
"futures-util",
"pin-project-lite",
"sync_wrapper",
"tokio",
"tower-layer",
"tower-service",
]
[[package]]
name = "tower-http"
version = "0.6.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
dependencies = [
"bitflags",
"bytes",
"futures-util",
"http",
"http-body",
"iri-string",
"pin-project-lite",
"tower",
"tower-layer",
"tower-service",
]
[[package]]
name = "tower-layer"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
[[package]]
name = "tower-service"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
[[package]] [[package]]
name = "tracing" name = "tracing"
version = "0.1.44" version = "0.1.44"
@ -2110,12 +1520,6 @@ dependencies = [
"once_cell", "once_cell",
] ]
[[package]]
name = "try-lock"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
[[package]] [[package]]
name = "typenum" name = "typenum"
version = "1.19.0" version = "1.19.0"
@ -2146,12 +1550,6 @@ version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
[[package]]
name = "untrusted"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
[[package]] [[package]]
name = "url" name = "url"
version = "2.5.8" version = "2.5.8"
@ -2187,12 +1585,6 @@ dependencies = [
"wasm-bindgen", "wasm-bindgen",
] ]
[[package]]
name = "vcpkg"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
[[package]] [[package]]
name = "version_check" name = "version_check"
version = "0.9.5" version = "0.9.5"
@ -2208,15 +1600,6 @@ dependencies = [
"memchr", "memchr",
] ]
[[package]]
name = "want"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
dependencies = [
"try-lock",
]
[[package]] [[package]]
name = "wasi" name = "wasi"
version = "0.11.1+wasi-snapshot-preview1" version = "0.11.1+wasi-snapshot-preview1"
@ -2254,16 +1637,6 @@ dependencies = [
"wasm-bindgen-shared", "wasm-bindgen-shared",
] ]
[[package]]
name = "wasm-bindgen-futures"
version = "0.4.67"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03623de6905b7206edd0a75f69f747f134b7f0a2323392d664448bf2d3c5d87e"
dependencies = [
"js-sys",
"wasm-bindgen",
]
[[package]] [[package]]
name = "wasm-bindgen-macro" name = "wasm-bindgen-macro"
version = "0.2.117" version = "0.2.117"
@ -2330,16 +1703,6 @@ dependencies = [
"semver", "semver",
] ]
[[package]]
name = "web-sys"
version = "0.3.94"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd70027e39b12f0849461e08ffc50b9cd7688d942c1c8e3c7b22273236b4dd0a"
dependencies = [
"js-sys",
"wasm-bindgen",
]
[[package]] [[package]]
name = "winapi" name = "winapi"
version = "0.3.9" version = "0.3.9"
@ -2403,17 +1766,6 @@ version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
[[package]]
name = "windows-registry"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
dependencies = [
"windows-link",
"windows-result",
"windows-strings",
]
[[package]] [[package]]
name = "windows-result" name = "windows-result"
version = "0.4.1" version = "0.4.1"

2
Cargo.toml
View file

@ -11,7 +11,6 @@ repository = "https://git.guildhouse.dev/guildhouse/gsh"
[workspace.dependencies] [workspace.dependencies]
serde = { version = "1", features = ["derive"] } serde = { version = "1", features = ["derive"] }
serde_json = "1" serde_json = "1"
reqwest = { version = "0.12", features = ["blocking", "json"] }
thiserror = "2" thiserror = "2"
anyhow = "1" anyhow = "1"
clap = { version = "4", features = ["derive"] } clap = { version = "4", features = ["derive"] }
@ -26,3 +25,4 @@ atty = "0.2"
tracing = "0.1" tracing = "0.1"
substrate-ipc = { path = "../substrate/crates/substrate-ipc" } substrate-ipc = { path = "../substrate/crates/substrate-ipc" }
tokio = { version = "1", features = ["full"] } tokio = { version = "1", features = ["full"] }
libc = "0.2"

48
gsh/src/human.rs
View file

@ -1,16 +1,14 @@
//! gsh human mode — interactive governed shell with reedline. //! gsh human mode — interactive governed shell with reedline.
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
use colored::Colorize; use colored::Colorize;
use reedline::{DefaultPrompt, DefaultPromptSegment, Reedline, Signal}; use reedline::{DefaultPrompt, DefaultPromptSegment, Reedline, Signal};
use libgsh::classifier::{classify_command, CommandClass}; use libgsh::classifier::{classify_command, CommandClass};
use libgsh::cr::{build_client, post_cr}; use libgsh::cr::post_cr;
use libgsh::session::SessionState; use libgsh::session::SessionState;
/// Corpus base directory. Configurable via GSH_CORPUS_DIR env. /// Corpus base directory. Configurable via GSH_CORPUS_DIR env.
fn corpus_base() -> PathBuf { fn corpus_base() -> PathBuf {
std::env::var("GSH_CORPUS_DIR") std::env::var("GSH_CORPUS_DIR")
@ -21,22 +19,16 @@ fn corpus_base() -> PathBuf {
/// Run the interactive governed shell. /// Run the interactive governed shell.
pub fn run_human_mode( pub fn run_human_mode(
session: &mut SessionState, session: &mut SessionState,
broker_url: &Option<String>, fabric_socket: &str,
token: &Option<String>, rt: &tokio::runtime::Runtime,
) -> i32 { ) -> i32 {
// Print banner:
print_banner(session); print_banner(session);
// Post SESSION_STARTED CR if broker available: // Post SESSION_STARTED CR via fabric:
if let Some(ref base) = broker_url { let _ = rt.block_on(post_cr(Some(fabric_socket), &session.ac_id, "completed"));
if let Ok(client) = build_client(token) {
let _ = post_cr(&client, base, &session.ac_id, "completed");
}
}
let corpus_dir = corpus_base(); let corpus_dir = corpus_base();
// Reedline REPL:
let mut editor = Reedline::create(); let mut editor = Reedline::create();
let prompt = build_prompt(session); let prompt = build_prompt(session);
@ -51,7 +43,6 @@ pub fn run_human_mode(
break; break;
} }
// Classify command:
match classify_command(line, &session.corpus_cid, &corpus_dir) { match classify_command(line, &session.corpus_cid, &corpus_dir) {
CommandClass::Free => { CommandClass::Free => {
execute_passthrough(line, session); execute_passthrough(line, session);
@ -62,17 +53,12 @@ pub fn run_human_mode(
execute_governed(line, &corpus_binary, session); execute_governed(line, &corpus_binary, session);
session.governed_count += 1; session.governed_count += 1;
// Post lightweight command CR: let outcome = if exit_code == 0 { "completed" } else { "failed" };
if let Some(ref base) = broker_url { let _ = rt.block_on(post_cr(
if let Ok(client) = build_client(token) { Some(fabric_socket),
let outcome = if exit_code == 0 { &session.ac_id,
"completed" outcome,
} else { ));
"failed"
};
let _ = post_cr(&client, base, &session.ac_id, outcome);
}
}
} }
CommandClass::Ungoverned => { CommandClass::Ungoverned => {
let cmd_name = line.split_whitespace().next().unwrap_or("?"); let cmd_name = line.split_whitespace().next().unwrap_or("?");
@ -93,7 +79,6 @@ pub fn run_human_mode(
} }
} }
// AC expiry warning:
let mins = session.minutes_remaining(); let mins = session.minutes_remaining();
if mins < 10 && mins > 0 { if mins < 10 && mins > 0 {
eprintln!( eprintln!(
@ -115,15 +100,10 @@ pub fn run_human_mode(
} }
} }
// Session teardown:
print_summary(session); print_summary(session);
// Post SESSION_ENDED CR: // Post SESSION_ENDED CR via fabric:
if let Some(ref base) = broker_url { let _ = rt.block_on(post_cr(Some(fabric_socket), &session.ac_id, "session_end"));
if let Ok(client) = build_client(token) {
let _ = post_cr(&client, base, &session.ac_id, "session_end");
}
}
0 0
} }
@ -163,7 +143,6 @@ fn print_banner(session: &SessionState) {
}, },
"".bright_blue()); "".bright_blue());
// DEFCON line — only shown when not peacetime
if session.defcon_level < 5 { if session.defcon_level < 5 {
let defcon_label = match session.defcon_level { let defcon_label = match session.defcon_level {
1 => "LOCKDOWN".red().to_string(), 1 => "LOCKDOWN".red().to_string(),
@ -212,7 +191,6 @@ fn print_summary(session: &SessionState) {
} }
fn build_prompt(session: &SessionState) -> DefaultPrompt { fn build_prompt(session: &SessionState) -> DefaultPrompt {
// DEFCON overrides the risk indicator when elevated
let risk_indicator = if session.defcon_level <= 2 { let risk_indicator = if session.defcon_level <= 2 {
"[DEFCON]" "[DEFCON]"
} else if session.defcon_level == 3 { } else if session.defcon_level == 3 {

98
gsh/src/main.rs
View file

@ -17,7 +17,7 @@ use serde::Serialize;
use std::process; use std::process;
use uuid::Uuid; use uuid::Uuid;
use libgsh::cr::{build_client, post_cr, request_ac_inline}; use libgsh::cr::{post_cr, request_ac_inline};
use libgsh::registry::ConsumedRegistry; use libgsh::registry::ConsumedRegistry;
use libgsh::session::SessionState; use libgsh::session::SessionState;
use libgsh::{corpus_check, sha256_hash}; use libgsh::{corpus_check, sha256_hash};
@ -39,8 +39,8 @@ struct Args {
#[arg(long, global = true)] #[arg(long, global = true)]
ungoverned: bool, ungoverned: bool,
#[arg(long, global = true)] #[arg(long, global = true, default_value = "/run/substrate/fabric.sock")]
broker_url: Option<String>, fabric_socket: String,
#[arg(long, global = true)] #[arg(long, global = true)]
agent_did: Option<String>, agent_did: Option<String>,
@ -92,6 +92,10 @@ struct GshOutput {
corpus_cid: String, corpus_cid: String,
} }
fn fabric_sock(args: &Args) -> String {
std::env::var("GSH_FABRIC_SOCKET").unwrap_or_else(|_| args.fabric_socket.clone())
}
// ── Main ───────────────────────────────────────────────────── // ── Main ─────────────────────────────────────────────────────
fn main() { fn main() {
@ -114,7 +118,8 @@ fn main() {
fn run(args: Args) -> Result<i32> { fn run(args: Args) -> Result<i32> {
let corpus = std::env::var("GSAP_CORPUS_CID").unwrap_or_else(|_| "sha256:ungoverned".into()); let corpus = std::env::var("GSAP_CORPUS_CID").unwrap_or_else(|_| "sha256:ungoverned".into());
let token = std::env::var("GSAP_TOKEN").ok(); let rt = tokio::runtime::Runtime::new().context("creating tokio runtime")?;
let sock = fabric_sock(&args);
// ── Ungoverned machine mode ──────────────────────────────── // ── Ungoverned machine mode ────────────────────────────────
if args.ungoverned && args.exec.is_some() { if args.ungoverned && args.exec.is_some() {
@ -140,7 +145,6 @@ fn run(args: Args) -> Result<i32> {
// ── Subcommands ───────────────────────────────────────── // ── Subcommands ─────────────────────────────────────────
if let Some(cmd) = &args.command { if let Some(cmd) = &args.command {
// Register is handled separately — it doesn't need a broker.
if let Cmd::Register { if let Cmd::Register {
service_name, service_name,
fabric_socket, fabric_socket,
@ -150,15 +154,11 @@ fn run(args: Args) -> Result<i32> {
return run_register(service_name, fabric_socket, env_dir.as_deref()); return run_register(service_name, fabric_socket, env_dir.as_deref());
} }
let base = args.broker_url.clone()
.or_else(|| std::env::var("GSAP_BROKER_URL").ok())
.context("GSAP_BROKER_URL not set")?;
let client = build_client(&token).map_err(|e| anyhow::anyhow!(e))?;
return match cmd { return match cmd {
Cmd::SessionStart { scope } => { Cmd::SessionStart { scope } => {
let hash = sha256_hash(format!("session:{}", scope).as_bytes()); let hash = sha256_hash(format!("session:{}", scope).as_bytes());
eprintln!("gsh: starting session (scope: {})", scope); eprintln!("gsh: starting session (scope: {})", scope);
let ac_id = request_ac_inline(&client, &base, scope, &hash, &corpus) let ac_id = rt.block_on(request_ac_inline(Some(&sock), scope, &hash, &corpus))
.map_err(|e| anyhow::anyhow!(e))?; .map_err(|e| anyhow::anyhow!(e))?;
eprintln!("gsh: session AC — {}", &ac_id[..8.min(ac_id.len())]); eprintln!("gsh: session AC — {}", &ac_id[..8.min(ac_id.len())]);
println!("export GSAP_SESSION_AC=\"{}\";", ac_id); println!("export GSAP_SESSION_AC=\"{}\";", ac_id);
@ -169,7 +169,7 @@ fn run(args: Args) -> Result<i32> {
Cmd::SessionEnd => { Cmd::SessionEnd => {
let ac_id = std::env::var("GSAP_SESSION_AC") let ac_id = std::env::var("GSAP_SESSION_AC")
.context("No session active (GSAP_SESSION_AC not set)")?; .context("No session active (GSAP_SESSION_AC not set)")?;
let cr = post_cr(&client, &base, &ac_id, "completed"); let cr = rt.block_on(post_cr(Some(&sock), &ac_id, "completed"));
eprintln!("gsh: session closed"); eprintln!("gsh: session closed");
if !cr.chronicle_cid.is_empty() { if !cr.chronicle_cid.is_empty() {
eprintln!("gsh: session CID {}", &cr.chronicle_cid[..40.min(cr.chronicle_cid.len())]); eprintln!("gsh: session CID {}", &cr.chronicle_cid[..40.min(cr.chronicle_cid.len())]);
@ -194,16 +194,12 @@ fn run(args: Args) -> Result<i32> {
} }
// ── Mode detection ───────────────────────────────────────── // ── Mode detection ─────────────────────────────────────────
// No --exec: human mode (if TTY) or error (if piped)
if args.exec.is_none() { if args.exec.is_none() {
let is_tty = atty::is(atty::Stream::Stdin); let is_tty = atty::is(atty::Stream::Stdin);
if !is_tty { if !is_tty {
anyhow::bail!("No --exec and no TTY. Use --exec for non-interactive mode."); anyhow::bail!("No --exec and no TTY. Use --exec for non-interactive mode.");
} }
// Human mode: interactive governed shell
let token = std::env::var("GSAP_TOKEN").ok();
let broker = args.broker_url.clone().or_else(|| std::env::var("GSAP_BROKER_URL").ok());
let pre_issued = args.ac.clone().or_else(|| std::env::var("GSAP_AC").ok()); let pre_issued = args.ac.clone().or_else(|| std::env::var("GSAP_AC").ok());
let mut session = if args.ungoverned { let mut session = if args.ungoverned {
@ -213,36 +209,31 @@ fn run(args: Args) -> Result<i32> {
let ac = libgsh::ac::validate_ac(&ac_json, &corpus, &mut registry) let ac = libgsh::ac::validate_ac(&ac_json, &corpus, &mut registry)
.map_err(|e| anyhow::anyhow!("AC validation failed (exit {}): {}", e.exit_code(), e))?; .map_err(|e| anyhow::anyhow!("AC validation failed (exit {}): {}", e.exit_code(), e))?;
SessionState::from_ac(&ac, &corpus) SessionState::from_ac(&ac, &corpus)
} else if let Some(ref base) = broker { } else {
// Request a session AC from broker:
let client = build_client(&token).map_err(|e| anyhow::anyhow!(e))?;
let hash = sha256_hash(b"session:human-mode"); let hash = sha256_hash(b"session:human-mode");
let ac_id = request_ac_inline(&client, base, "shell:session", &hash, &corpus) match rt.block_on(request_ac_inline(Some(&sock), "shell:session", &hash, &corpus)) {
.map_err(|e| anyhow::anyhow!(e))?; Ok(ac_id) => {
let mut s = SessionState::ungoverned(&corpus); let mut s = SessionState::ungoverned(&corpus);
s.ac_id = ac_id; s.ac_id = ac_id;
s.risk_level = "standard".to_string(); s.risk_level = "standard".to_string();
s s
} else { }
// No AC and no broker — run ungoverned with warning Err(_) => {
eprintln!("gsh: no GSAP_AC or GSAP_BROKER_URL — running ungoverned"); eprintln!("gsh: fabric unreachable — running ungoverned");
SessionState::ungoverned(&corpus) SessionState::ungoverned(&corpus)
}
}
}; };
return Ok(human::run_human_mode(&mut session, &broker, &token)); return Ok(human::run_human_mode(&mut session, &sock, &rt));
} }
let exec = args.exec.as_ref().unwrap(); // safe: checked above let exec = args.exec.as_ref().unwrap();
let run_id = Uuid::new_v4().to_string(); let run_id = Uuid::new_v4().to_string();
let command_hash = sha256_hash(exec.as_bytes()); let command_hash = sha256_hash(exec.as_bytes());
// Determine AC mode:
let pre_issued = args.ac.clone().or_else(|| std::env::var("GSAP_AC").ok()); let pre_issued = args.ac.clone().or_else(|| std::env::var("GSAP_AC").ok());
// Retain the full AC struct for pre-issued mode so the governance-env
// contract (`GSH_DID`/`GSH_ACCORD_HASH`/...) can be threaded into the
// child process at the exec site below. Session and inline modes only
// surface an ID; their governance fields stay un-exported.
let (ac_id, ac_mode, ac_struct) = if let Some(ac_json) = pre_issued { let (ac_id, ac_mode, ac_struct) = if let Some(ac_json) = pre_issued {
let mut registry = ConsumedRegistry::default_location(); let mut registry = ConsumedRegistry::default_location();
let ac = libgsh::ac::validate_ac(&ac_json, &corpus, &mut registry) let ac = libgsh::ac::validate_ac(&ac_json, &corpus, &mut registry)
@ -255,12 +246,8 @@ fn run(args: Args) -> Result<i32> {
} else if let Ok(session_ac) = std::env::var("GSAP_SESSION_AC") { } else if let Ok(session_ac) = std::env::var("GSAP_SESSION_AC") {
(session_ac, "session".to_string(), None) (session_ac, "session".to_string(), None)
} else { } else {
let base = args.broker_url.clone()
.or_else(|| std::env::var("GSAP_BROKER_URL").ok())
.context("No AC provided. Set GSAP_AC, GSAP_SESSION_AC, or GSAP_BROKER_URL")?;
let client = build_client(&token).map_err(|e| anyhow::anyhow!(e))?;
eprintln!("gsh: requesting AC for '{}'", exec); eprintln!("gsh: requesting AC for '{}'", exec);
let id = request_ac_inline(&client, &base, &args.operation, &command_hash, &corpus) let id = rt.block_on(request_ac_inline(Some(&sock), &args.operation, &command_hash, &corpus))
.map_err(|e| anyhow::anyhow!(e))?; .map_err(|e| anyhow::anyhow!(e))?;
eprintln!("gsh: AC issued — {}", &id[..8.min(id.len())]); eprintln!("gsh: AC issued — {}", &id[..8.min(id.len())]);
(id, "inline".to_string(), None) (id, "inline".to_string(), None)
@ -280,10 +267,7 @@ fn run(args: Args) -> Result<i32> {
} => { } => {
eprintln!( eprintln!(
"gsh: command '{}' content does not match CID {} (found {}, path {}): execution denied (tamper signal)", "gsh: command '{}' content does not match CID {} (found {}, path {}): execution denied (tamper signal)",
command, command, corpus_cid, actual_cid, path.display()
corpus_cid,
actual_cid,
path.display()
); );
return Ok(3); return Ok(3);
} }
@ -295,10 +279,7 @@ fn run(args: Args) -> Result<i32> {
} => { } => {
eprintln!( eprintln!(
"gsh: command '{}' in corpus {} could not be read for hash verification ({}); execution denied fail-closed (path {})", "gsh: command '{}' in corpus {} could not be read for hash verification ({}); execution denied fail-closed (path {})",
command, command, corpus_cid, detail, path.display()
corpus_cid,
detail,
path.display()
); );
return Ok(3); return Ok(3);
} }
@ -320,6 +301,17 @@ fn run(args: Args) -> Result<i32> {
return Ok(0); return Ok(0);
} }
// Apply Linux capability bounding set if declared in PosixBinding
#[cfg(target_os = "linux")]
if let Ok(cap_hex) = std::env::var("GSH_CAP_BOUNDING") {
let bounding = libgsh::capabilities::parse_hex(&cap_hex)
.map_err(|e| anyhow::anyhow!("cap bounding parse: {e}"))?;
if let Err(e) = libgsh::capabilities::apply_cap_bounding(bounding) {
eprintln!("gsh: capability application failed: {e} — denying shell startup");
return Ok(125);
}
}
// Execute: // Execute:
let mut command = process::Command::new("sh"); let mut command = process::Command::new("sh");
command.arg("-c").arg(exec); command.arg("-c").arg(exec);
@ -333,31 +325,23 @@ fn run(args: Args) -> Result<i32> {
// Post CR: // Post CR:
let outcome = if exit_code == 0 { "completed" } else { "failed" }; let outcome = if exit_code == 0 { "completed" } else { "failed" };
let base = args.broker_url.or_else(|| std::env::var("GSAP_BROKER_URL").ok()); let cr = rt.block_on(post_cr(Some(&sock), &ac_id, outcome));
let (cr_id, chronicle_cid) = if let Some(base) = base {
let client = build_client(&token).map_err(|e| anyhow::anyhow!(e))?;
let cr = post_cr(&client, &base, &ac_id, outcome);
if ac_mode == "session" && cr.receipt_id.is_empty() && cr.chronicle_cid.is_empty() { if ac_mode == "session" && cr.receipt_id.is_empty() && cr.chronicle_cid.is_empty() {
eprintln!("gsh: session CR not recorded (broker session support pending)"); eprintln!("gsh: session CR not recorded (fabric session support pending)");
} }
(cr.receipt_id, cr.chronicle_cid)
} else {
eprintln!("gsh: no GSAP_BROKER_URL — CR not posted");
(String::new(), String::new())
};
// Output: // Output:
if args.json { if args.json {
println!("{}", serde_json::to_string_pretty(&GshOutput { println!("{}", serde_json::to_string_pretty(&GshOutput {
exit_code, stdout: stdout_str, stderr: stderr_str, exit_code, stdout: stdout_str, stderr: stderr_str,
ac_id, ac_mode, cr_id, chronicle_cid, command_hash, run_id, corpus_cid: corpus, ac_id, ac_mode, cr_id: cr.receipt_id, chronicle_cid: cr.chronicle_cid.clone(),
command_hash, run_id, corpus_cid: corpus,
})?); })?);
} else { } else {
print!("{}", stdout_str); print!("{}", stdout_str);
eprint!("{}", stderr_str); eprint!("{}", stderr_str);
if !chronicle_cid.is_empty() { if !cr.chronicle_cid.is_empty() {
eprintln!("gsh: CID {}", &chronicle_cid[..40.min(chronicle_cid.len())]); eprintln!("gsh: CID {}", &cr.chronicle_cid[..40.min(cr.chronicle_cid.len())]);
} }
} }

2
libgsh/Cargo.toml
View file

@ -8,7 +8,6 @@ description = "Governed shell library — AC validation, CR building, corpus gat
guildhouse-did = { path = "../../guildhouse-did" } guildhouse-did = { path = "../../guildhouse-did" }
serde = { workspace = true } serde = { workspace = true }
serde_json = { workspace = true } serde_json = { workspace = true }
reqwest = { workspace = true }
thiserror = { workspace = true } thiserror = { workspace = true }
sha2 = { workspace = true } sha2 = { workspace = true }
hex = { workspace = true } hex = { workspace = true }
@ -17,6 +16,7 @@ dirs = { workspace = true }
tracing = { workspace = true } tracing = { workspace = true }
substrate-ipc = { workspace = true } substrate-ipc = { workspace = true }
tokio = { workspace = true } tokio = { workspace = true }
libc = { workspace = true }
[dev-dependencies] [dev-dependencies]

1
libgsh/src/agent_api.rs
View file

@ -93,6 +93,7 @@ pub async fn register_agent_shell(
} }
FabricResponse::Denied { reason } => Err(AgentError::Denied { reason }), FabricResponse::Denied { reason } => Err(AgentError::Denied { reason }),
FabricResponse::Error(msg) => Err(AgentError::FabricError(msg)), FabricResponse::Error(msg) => Err(AgentError::FabricError(msg)),
_ => Err(AgentError::FabricError("unexpected response".into())),
} }
} }

441
libgsh/src/capabilities.rs Normal file
View file

@ -0,0 +1,441 @@
//! Linux capability intersection and materialization for PosixBinding.
//!
//! Provides:
//! - Mapping between Linux capability names and bit positions (u64 bitmask)
//! - Intersection logic: `posix_bounding ∩ accord_allowed ∩ delegation_remaining`
//! - Hex formatting/parsing for `GSH_CAP_BOUNDING` env var
//! - Linux-specific bounding set application via prctl (gated on `target_os`)
use thiserror::Error;
#[derive(Debug, Error)]
pub enum CapError {
#[error("invalid capability hex string: {0}")]
InvalidHex(String),
#[error("unknown capability name: {0}")]
UnknownCap(String),
#[cfg(target_os = "linux")]
#[error("prctl({0}) failed: {1}")]
PrctlFailed(&'static str, std::io::Error),
}
pub const CAP_CHOWN: u8 = 0;
pub const CAP_DAC_OVERRIDE: u8 = 1;
pub const CAP_DAC_READ_SEARCH: u8 = 2;
pub const CAP_FOWNER: u8 = 3;
pub const CAP_FSETID: u8 = 4;
pub const CAP_KILL: u8 = 5;
pub const CAP_SETGID: u8 = 6;
pub const CAP_SETUID: u8 = 7;
pub const CAP_SETPCAP: u8 = 8;
pub const CAP_LINUX_IMMUTABLE: u8 = 9;
pub const CAP_NET_BIND_SERVICE: u8 = 10;
pub const CAP_NET_BROADCAST: u8 = 11;
pub const CAP_NET_ADMIN: u8 = 12;
pub const CAP_NET_RAW: u8 = 13;
pub const CAP_IPC_LOCK: u8 = 14;
pub const CAP_IPC_OWNER: u8 = 15;
pub const CAP_SYS_MODULE: u8 = 16;
pub const CAP_SYS_RAWIO: u8 = 17;
pub const CAP_SYS_CHROOT: u8 = 18;
pub const CAP_SYS_PTRACE: u8 = 19;
pub const CAP_SYS_PACCT: u8 = 20;
pub const CAP_SYS_ADMIN: u8 = 21;
pub const CAP_SYS_BOOT: u8 = 22;
pub const CAP_SYS_NICE: u8 = 23;
pub const CAP_SYS_RESOURCE: u8 = 24;
pub const CAP_SYS_TIME: u8 = 25;
pub const CAP_SYS_TTY_CONFIG: u8 = 26;
pub const CAP_MKNOD: u8 = 27;
pub const CAP_LEASE: u8 = 28;
pub const CAP_AUDIT_WRITE: u8 = 29;
pub const CAP_AUDIT_CONTROL: u8 = 30;
pub const CAP_SETFCAP: u8 = 31;
pub const CAP_MAC_OVERRIDE: u8 = 32;
pub const CAP_MAC_ADMIN: u8 = 33;
pub const CAP_SYSLOG: u8 = 34;
pub const CAP_WAKE_ALARM: u8 = 35;
pub const CAP_BLOCK_SUSPEND: u8 = 36;
pub const CAP_AUDIT_READ: u8 = 37;
pub const CAP_PERFMON: u8 = 38;
pub const CAP_BPF: u8 = 39;
pub const CAP_CHECKPOINT_RESTORE: u8 = 40;
const CAP_LAST_CAP: u8 = 40;
const CAP_TABLE: &[(&str, u8)] = &[
("CAP_CHOWN", CAP_CHOWN),
("CAP_DAC_OVERRIDE", CAP_DAC_OVERRIDE),
("CAP_DAC_READ_SEARCH", CAP_DAC_READ_SEARCH),
("CAP_FOWNER", CAP_FOWNER),
("CAP_FSETID", CAP_FSETID),
("CAP_KILL", CAP_KILL),
("CAP_SETGID", CAP_SETGID),
("CAP_SETUID", CAP_SETUID),
("CAP_SETPCAP", CAP_SETPCAP),
("CAP_LINUX_IMMUTABLE", CAP_LINUX_IMMUTABLE),
("CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE),
("CAP_NET_BROADCAST", CAP_NET_BROADCAST),
("CAP_NET_ADMIN", CAP_NET_ADMIN),
("CAP_NET_RAW", CAP_NET_RAW),
("CAP_IPC_LOCK", CAP_IPC_LOCK),
("CAP_IPC_OWNER", CAP_IPC_OWNER),
("CAP_SYS_MODULE", CAP_SYS_MODULE),
("CAP_SYS_RAWIO", CAP_SYS_RAWIO),
("CAP_SYS_CHROOT", CAP_SYS_CHROOT),
("CAP_SYS_PTRACE", CAP_SYS_PTRACE),
("CAP_SYS_PACCT", CAP_SYS_PACCT),
("CAP_SYS_ADMIN", CAP_SYS_ADMIN),
("CAP_SYS_BOOT", CAP_SYS_BOOT),
("CAP_SYS_NICE", CAP_SYS_NICE),
("CAP_SYS_RESOURCE", CAP_SYS_RESOURCE),
("CAP_SYS_TIME", CAP_SYS_TIME),
("CAP_SYS_TTY_CONFIG", CAP_SYS_TTY_CONFIG),
("CAP_MKNOD", CAP_MKNOD),
("CAP_LEASE", CAP_LEASE),
("CAP_AUDIT_WRITE", CAP_AUDIT_WRITE),
("CAP_AUDIT_CONTROL", CAP_AUDIT_CONTROL),
("CAP_SETFCAP", CAP_SETFCAP),
("CAP_MAC_OVERRIDE", CAP_MAC_OVERRIDE),
("CAP_MAC_ADMIN", CAP_MAC_ADMIN),
("CAP_SYSLOG", CAP_SYSLOG),
("CAP_WAKE_ALARM", CAP_WAKE_ALARM),
("CAP_BLOCK_SUSPEND", CAP_BLOCK_SUSPEND),
("CAP_AUDIT_READ", CAP_AUDIT_READ),
("CAP_PERFMON", CAP_PERFMON),
("CAP_BPF", CAP_BPF),
("CAP_CHECKPOINT_RESTORE", CAP_CHECKPOINT_RESTORE),
];
pub fn cap_name_to_bit(name: &str) -> Option<u8> {
CAP_TABLE.iter().find(|(n, _)| *n == name).map(|(_, b)| *b)
}
pub fn cap_bit_to_name(bit: u8) -> Option<&'static str> {
CAP_TABLE.iter().find(|(_, b)| *b == bit).map(|(n, _)| *n)
}
/// Convert a list of capability name strings to a bitmask.
pub fn parse_cap_names(names: &[String]) -> Result<u64, CapError> {
let mut mask = 0u64;
for name in names {
let bit = cap_name_to_bit(name).ok_or_else(|| CapError::UnknownCap(name.clone()))?;
mask |= 1u64 << bit;
}
Ok(mask)
}
/// Compute the effective capability bitmask as the intersection of all
/// governance dimensions. Capabilities can only be narrowed, never widened.
pub fn intersect(posix_bounding: u64, accord_allowed: u64, delegation_remaining: u64) -> u64 {
posix_bounding & accord_allowed & delegation_remaining
}
/// Input for capability intersection sourced from DID document bindings.
///
/// Constructed from a `GovernanceDeclaration` — the DID document carries
/// all three dimensions of the intersection natively:
/// - PosixBinding.kernel.capabilities.bounding → posix bitmask
/// - AccordBinding.attenuation.denied_capabilities → accord allowed (complement)
/// - Delegation chain (external, passed as `delegation_remaining`)
pub struct IntersectionInput {
pub posix_bounding: u64,
pub accord_allowed: u64,
pub delegation_remaining: u64,
}
impl IntersectionInput {
/// Construct from a governance declaration and delegation chain bitmask.
///
/// Extracts the PosixBinding bounding set (first binding found) and
/// computes the accord allowed mask from the effective attenuation.
/// Unknown capability names in the attenuation are silently ignored.
pub fn from_governance(
gov: &guildhouse_did::GovernanceDeclaration,
delegation_remaining: u64,
) -> Self {
let posix_bounding = gov
.posix_bindings
.first()
.and_then(|p| p.kernel.capabilities.as_ref())
.map(|caps| {
caps.bounding
.iter()
.filter_map(|name| cap_name_to_bit(name))
.fold(0u64, |mask, bit| mask | (1u64 << bit))
})
.unwrap_or(0);
let attenuation = gov.effective_attenuation();
let accord_allowed = denied_to_allowed_mask(&attenuation.denied_capabilities);
Self {
posix_bounding,
accord_allowed,
delegation_remaining,
}
}
/// Compute the effective capability bitmask.
pub fn effective(&self) -> u64 {
intersect(self.posix_bounding, self.accord_allowed, self.delegation_remaining)
}
}
/// Convert a list of denied capability names to an allowed bitmask.
/// All bits start high; each denied capability clears its bit.
pub fn denied_to_allowed_mask(denied: &[String]) -> u64 {
let mut mask = u64::MAX;
for name in denied {
if let Some(bit) = cap_name_to_bit(name) {
mask &= !(1u64 << bit);
}
}
mask
}
/// Format a capability bitmask as the `GSH_CAP_BOUNDING` hex string.
pub fn format_hex(mask: u64) -> String {
format!("0x{mask:016x}")
}
/// Parse a hex bitmask string (with optional `0x` prefix).
pub fn parse_hex(s: &str) -> Result<u64, CapError> {
let hex = s.strip_prefix("0x").or_else(|| s.strip_prefix("0X")).unwrap_or(s);
u64::from_str_radix(hex, 16).map_err(|_| CapError::InvalidHex(s.to_owned()))
}
/// Apply Linux capability bounding set restrictions to the current process.
///
/// Drops all capabilities NOT present in the given bitmask from the bounding
/// set, and sets securebits to prevent setuid from granting new capabilities.
/// Fails closed — returns an error if any prctl call fails (except EINVAL for
/// capabilities not supported by the running kernel).
#[cfg(target_os = "linux")]
pub fn apply_cap_bounding(bounding: u64) -> Result<(), CapError> {
const PR_SET_SECUREBITS: libc::c_int = 28;
const SECBIT_NOROOT: libc::c_ulong = 0x01;
const SECBIT_NO_SETUID_FIXUP: libc::c_ulong = 0x04;
const PR_CAPBSET_DROP: libc::c_int = 24;
let ret = unsafe {
libc::prctl(
PR_SET_SECUREBITS,
SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP,
0,
0,
0,
)
};
if ret != 0 {
let err = std::io::Error::last_os_error();
if err.raw_os_error() != Some(libc::EPERM) {
return Err(CapError::PrctlFailed("PR_SET_SECUREBITS", err));
}
}
for cap in 0..=CAP_LAST_CAP {
if (bounding >> cap) & 1 == 0 {
let ret = unsafe { libc::prctl(PR_CAPBSET_DROP, cap as libc::c_ulong, 0, 0, 0) };
if ret != 0 {
let err = std::io::Error::last_os_error();
if err.raw_os_error() != Some(libc::EINVAL) {
return Err(CapError::PrctlFailed("PR_CAPBSET_DROP", err));
}
}
}
}
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn parse_known_caps() {
let names = vec![
"CAP_NET_BIND_SERVICE".into(),
"CAP_DAC_READ_SEARCH".into(),
];
let mask = parse_cap_names(&names).unwrap();
assert_eq!(mask, (1u64 << 10) | (1u64 << 2));
}
#[test]
fn parse_unknown_cap_errors() {
let names = vec!["CAP_DOES_NOT_EXIST".into()];
assert!(parse_cap_names(&names).is_err());
}
#[test]
fn intersection_narrows() {
let posix = (1u64 << CAP_NET_BIND_SERVICE)
| (1u64 << CAP_DAC_READ_SEARCH)
| (1u64 << CAP_SYS_ADMIN);
let accord = (1u64 << CAP_NET_BIND_SERVICE) | (1u64 << CAP_DAC_READ_SEARCH);
let delegation = u64::MAX; // no attenuation
let effective = intersect(posix, accord, delegation);
assert_eq!(
effective,
(1u64 << CAP_NET_BIND_SERVICE) | (1u64 << CAP_DAC_READ_SEARCH)
);
assert_eq!(effective & (1u64 << CAP_SYS_ADMIN), 0);
}
#[test]
fn intersection_all_zeros() {
assert_eq!(intersect(0xFF, 0x00, 0xFF), 0);
}
#[test]
fn delegation_attenuates() {
let posix = (1u64 << CAP_NET_BIND_SERVICE) | (1u64 << CAP_SYS_ADMIN);
let accord = u64::MAX;
let delegation = 1u64 << CAP_NET_BIND_SERVICE; // only net_bind
let effective = intersect(posix, accord, delegation);
assert_eq!(effective, 1u64 << CAP_NET_BIND_SERVICE);
}
#[test]
fn hex_format_round_trip() {
let mask = (1u64 << CAP_NET_BIND_SERVICE) | (1u64 << CAP_DAC_READ_SEARCH);
let hex = format_hex(mask);
assert_eq!(hex, "0x0000000000000404");
let parsed = parse_hex(&hex).unwrap();
assert_eq!(parsed, mask);
}
#[test]
fn parse_hex_no_prefix() {
let parsed = parse_hex("0000000000200400").unwrap();
assert_eq!(parsed, (1u64 << 10) | (1u64 << 21));
}
#[test]
fn parse_hex_invalid() {
assert!(parse_hex("0xZZZZ").is_err());
}
#[test]
fn cap_name_round_trip() {
for (name, bit) in CAP_TABLE {
assert_eq!(cap_name_to_bit(name), Some(*bit));
assert_eq!(cap_bit_to_name(*bit), Some(*name));
}
}
#[test]
fn all_41_caps_present() {
assert_eq!(CAP_TABLE.len(), 41);
}
#[test]
fn denied_to_allowed_clears_bits() {
let denied = vec!["CAP_SYS_ADMIN".into(), "CAP_NET_ADMIN".into()];
let mask = denied_to_allowed_mask(&denied);
assert_eq!(mask & (1u64 << CAP_SYS_ADMIN), 0);
assert_eq!(mask & (1u64 << CAP_NET_ADMIN), 0);
assert_ne!(mask & (1u64 << CAP_NET_BIND_SERVICE), 0);
}
#[test]
fn denied_to_allowed_empty_is_all_ones() {
let mask = denied_to_allowed_mask(&[]);
assert_eq!(mask, u64::MAX);
}
#[test]
fn denied_to_allowed_unknown_caps_ignored() {
let denied = vec!["CAP_DOES_NOT_EXIST".into(), "CAP_SYS_ADMIN".into()];
let mask = denied_to_allowed_mask(&denied);
assert_eq!(mask & (1u64 << CAP_SYS_ADMIN), 0);
}
#[test]
fn intersection_input_from_governance() {
use chrono::{TimeZone, Utc};
use guildhouse_did::document::*;
use guildhouse_did::{Did, GovernanceDeclaration};
let did = Did::parse("did:web:test.dev:user:a").unwrap();
let mut doc = DidDocument::minimal(did.clone());
doc.add_binding(
ServiceEndpoint::typed(
format!("{}#posix", did.as_str()),
BINDING_TYPE_POSIX,
&PosixBinding {
binding_version: "0.1.0".into(),
identity: PosixIdentity {
uid: 60001,
gid: 60001,
username: "test".into(),
home_directory: None,
login_shell: None,
gecos: None,
supplementary_groups: vec![],
},
kernel: PosixKernel {
capabilities: Some(PosixCapabilities {
bounding: vec![
"CAP_NET_BIND_SERVICE".into(),
"CAP_DAC_READ_SEARCH".into(),
"CAP_SYS_ADMIN".into(),
],
ambient: vec![],
inheritable: vec![],
}),
namespaces: None,
},
filesystem: None,
network: None,
node_selector: None,
host_did: None,
allocation_method: None,
bound_at: None,
ceremony_id: None,
},
)
.unwrap(),
)
.unwrap();
doc.add_binding(
ServiceEndpoint::typed(
format!("{}#accord", did.as_str()),
BINDING_TYPE_ACCORD,
&AccordBinding {
accord_id: "acc-001".into(),
accord_hash: "hash".into(),
trust_domain: "test.dev".into(),
scope: "test".into(),
state: AccordBindingState::Active,
attenuation: AccordAttenuation {
denied_capabilities: vec!["CAP_SYS_ADMIN".into()],
max_forge_source_count: None,
denied_forge_sources: vec![],
denied_network_services: vec![],
max_connections: None,
},
limits: None,
sla: None,
bound_at: Utc.timestamp_opt(1_700_000_000, 0).unwrap(),
expires_at: None,
ceremony_id: None,
},
)
.unwrap(),
)
.unwrap();
let gov = GovernanceDeclaration::from_document(&doc);
let input = IntersectionInput::from_governance(&gov, u64::MAX);
let effective = input.effective();
assert_ne!(effective & (1u64 << CAP_NET_BIND_SERVICE), 0);
assert_ne!(effective & (1u64 << CAP_DAC_READ_SEARCH), 0);
assert_eq!(effective & (1u64 << CAP_SYS_ADMIN), 0);
}
}

331
libgsh/src/cr.rs
View file

@ -1,203 +1,192 @@
//! Completion Receipt construction and posting. //! Completion Receipt and Authorization Context via fabric IPC.
use reqwest::blocking::Client; use substrate_ipc::fabric_api::{FabricRequest, FabricResponse};
use serde::{Deserialize, Serialize}; use substrate_ipc::wire;
use std::time::Duration; use tokio::net::UnixStream;
#[derive(Serialize)] const DEFAULT_FABRIC_SOCKET: &str = "/run/substrate/fabric.sock";
pub struct CrRequest {
pub context_id: String,
pub outcome: String,
pub completed_at: String,
pub chronicle_evidence: CrEvidence,
pub behavioral_attestation: CrAttestation,
pub ffc: serde_json::Value,
pub signature: serde_json::Value,
}
#[derive(Serialize)]
pub struct CrEvidence {
pub session_id: Option<String>,
pub events: Vec<serde_json::Value>,
pub merkle_root: Option<String>,
}
#[derive(Serialize)]
pub struct CrAttestation {
pub status: String,
}
#[derive(Deserialize)]
pub struct CrResponse {
pub receipt_id: Option<String>,
pub chronicle_event_cid: Option<String>,
}
/// Result of posting a CR.
pub struct CrResult { pub struct CrResult {
pub receipt_id: String, pub receipt_id: String,
pub chronicle_cid: String, pub chronicle_cid: String,
} }
/// Build an HTTP client with optional bearer token. /// Post a Completion Receipt through the fabric socket.
pub fn build_client(token: &Option<String>) -> Result<Client, String> { pub async fn post_cr(
let mut headers = reqwest::header::HeaderMap::new(); fabric_socket: Option<&str>,
if let Some(tok) = token { ac_id: &str,
headers.insert( outcome: &str,
"Authorization", ) -> CrResult {
format!("Bearer {}", tok) let sock = fabric_socket.unwrap_or(DEFAULT_FABRIC_SOCKET);
.parse() let req = FabricRequest::SubmitCompletionRecord {
.map_err(|_| "Invalid token".to_string())?, ac_id: ac_id.into(),
);
}
Client::builder()
.timeout(Duration::from_secs(30))
.default_headers(headers)
.build()
.map_err(|e| format!("HTTP client failed: {}", e))
}
/// Format a broker URL path.
pub fn broker_url(base: &str, path: &str) -> String {
format!(
"{}/{}",
base.trim_end_matches('/'),
path.trim_start_matches('/')
)
}
/// Post a Completion Receipt to the broker.
pub fn post_cr(client: &Client, base: &str, ac_id: &str, outcome: &str) -> CrResult {
let now = chrono::Utc::now().to_rfc3339();
let session_id = std::env::var("CHRONICLE_SESSION_ID").unwrap_or_default();
// Phase 0 D1: FFC DID sourced from env (FFC_DID), not hardcoded.
// W3C colon form. Empty on error → null in payload.
let ffc_did = std::env::var("FFC_DID")
.ok()
.filter(|s| !s.is_empty())
.and_then(|s| guildhouse_did::Did::parse(&s).ok())
.map(|d| d.as_str().to_owned());
match client
.post(broker_url(base, "governance/complete/"))
.json(&CrRequest {
context_id: ac_id.into(),
outcome: outcome.into(), outcome: outcome.into(),
completed_at: now, };
chronicle_evidence: CrEvidence {
session_id: if session_id.is_empty() { None } else { Some(session_id.clone()) }, match send_fabric_request(sock, &req).await {
events: vec![], Ok(FabricResponse::CompletionRecordAccepted { cr_id, chronicle_cid }) => {
merkle_root: None, CrResult { receipt_id: cr_id, chronicle_cid }
},
behavioral_attestation: CrAttestation {
status: "unavailable".into(),
},
ffc: serde_json::json!({"did": ffc_did, "chronicle_session_id": session_id}),
signature: serde_json::json!({"value": "gsh"}),
})
.send()
{
Ok(r) if r.status().is_success() => {
let cr: CrResponse = r.json().unwrap_or(CrResponse {
receipt_id: None,
chronicle_event_cid: None,
});
CrResult {
receipt_id: cr.receipt_id.unwrap_or_default(),
chronicle_cid: cr.chronicle_event_cid.unwrap_or_default(),
} }
Ok(FabricResponse::Error(msg)) => {
eprintln!("gsh: CR failed: {}", msg);
CrResult { receipt_id: String::new(), chronicle_cid: String::new() }
} }
Ok(r) => { Ok(_) => {
eprintln!("gsh: CR failed: {}", r.status()); eprintln!("gsh: CR unexpected response");
CrResult { CrResult { receipt_id: String::new(), chronicle_cid: String::new() }
receipt_id: String::new(),
chronicle_cid: String::new(),
}
} }
Err(e) => { Err(e) => {
eprintln!("gsh: CR error: {}", e); eprintln!("gsh: CR error: {}", e);
CrResult { CrResult { receipt_id: String::new(), chronicle_cid: String::new() }
receipt_id: String::new(),
chronicle_cid: String::new(),
}
} }
} }
} }
/// Request an inline AC from the broker (fallback mode). /// Request an inline Authorization Context through the fabric socket.
pub fn request_ac_inline( pub async fn request_ac_inline(
client: &Client, fabric_socket: Option<&str>,
base: &str,
operation: &str, operation: &str,
command_hash: &str, command_hash: &str,
corpus_cid: &str, corpus_cid: &str,
) -> Result<String, String> { ) -> Result<String, String> {
#[derive(Serialize)] let sock = fabric_socket.unwrap_or(DEFAULT_FABRIC_SOCKET);
struct AcRequest { let req = FabricRequest::RequestAuthorization {
driver_id: String, operation: operation.into(),
playbook: String, command_hash: command_hash.into(),
corpus_entry_cid: String, corpus_cid: corpus_cid.into(),
parameters_cid: String, };
accord_template: String,
match send_fabric_request(sock, &req).await {
Ok(FabricResponse::AuthorizationGranted { ac_id }) => Ok(ac_id),
Ok(FabricResponse::Denied { reason }) => Err(format!("AC denied: {}", reason)),
Ok(FabricResponse::Error(msg)) => Err(format!("fabric error: {}", msg)),
Ok(_) => Err("unexpected fabric response".into()),
Err(e) => Err(format!("fabric IPC error: {}", e)),
}
} }
#[derive(Deserialize)] async fn send_fabric_request(
struct AcResponse { sock_path: &str,
authorization_context: Option<AcCtx>, req: &FabricRequest,
} ) -> Result<FabricResponse, String> {
let stream = UnixStream::connect(sock_path)
#[derive(Deserialize)] .await
struct AcCtx { .map_err(|e| format!("connecting to {}: {}", sock_path, e))?;
context_id: String, let (mut rd, mut wr) = tokio::io::split(stream);
} wire::send_msg(&mut wr, req)
.await
let resp = client .map_err(|e| format!("sending request: {}", e))?;
.post(broker_url(base, "governance/authorize/")) wire::recv_msg(&mut rd)
.json(&AcRequest { .await
driver_id: "keycloak".into(), .map_err(|e| format!("receiving response: {}", e))
playbook: format!(
"{}:{}",
operation,
&command_hash[..20.min(command_hash.len())]
),
corpus_entry_cid: corpus_cid.into(),
parameters_cid: command_hash.into(),
accord_template: "shell-exec".into(),
})
.send()
.map_err(|e| format!("Failed to reach broker: {}", e))?;
if !resp.status().is_success() {
return Err(format!(
"AC denied: {} — {}",
resp.status(),
resp.text().unwrap_or_default()
));
}
let ac: AcResponse = resp
.json()
.map_err(|e| format!("Invalid AC response: {}", e))?;
ac.authorization_context
.map(|c| c.context_id)
.filter(|id| !id.is_empty())
.ok_or_else(|| "No AC ID returned".to_string())
} }
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use std::collections::HashMap;
#[test] #[tokio::test]
fn test_broker_url() { async fn post_cr_round_trip_with_mock_fabric() {
assert_eq!( let dir = tempfile::tempdir().unwrap();
broker_url("http://localhost:8000", "governance/complete/"), let sock_path = dir.path().join("fabric.sock");
"http://localhost:8000/governance/complete/" let sock_str = sock_path.to_str().unwrap().to_string();
);
assert_eq!( let listener = tokio::net::UnixListener::bind(&sock_path).unwrap();
broker_url("http://localhost:8000/", "/governance/complete/"),
"http://localhost:8000/governance/complete/" let sock_clone = sock_str.clone();
); let client = tokio::spawn(async move {
post_cr(Some(&sock_clone), "ac-123", "completed").await
});
let (stream, _) = listener.accept().await.unwrap();
let (mut rd, mut wr) = tokio::io::split(stream);
let req: FabricRequest = wire::recv_msg(&mut rd).await.unwrap();
match req {
FabricRequest::SubmitCompletionRecord { ac_id, outcome } => {
assert_eq!(ac_id, "ac-123");
assert_eq!(outcome, "completed");
}
_ => panic!("wrong request variant"),
}
let resp = FabricResponse::CompletionRecordAccepted {
cr_id: "cr-456".into(),
chronicle_cid: "bafy...".into(),
};
wire::send_msg(&mut wr, &resp).await.unwrap();
let result = client.await.unwrap();
assert_eq!(result.receipt_id, "cr-456");
assert_eq!(result.chronicle_cid, "bafy...");
}
#[tokio::test]
async fn request_ac_round_trip_with_mock_fabric() {
let dir = tempfile::tempdir().unwrap();
let sock_path = dir.path().join("fabric.sock");
let sock_str = sock_path.to_str().unwrap().to_string();
let listener = tokio::net::UnixListener::bind(&sock_path).unwrap();
let sock_clone = sock_str.clone();
let client = tokio::spawn(async move {
request_ac_inline(Some(&sock_clone), "shell:exec", "abc123", "sha256:corpus").await
});
let (stream, _) = listener.accept().await.unwrap();
let (mut rd, mut wr) = tokio::io::split(stream);
let req: FabricRequest = wire::recv_msg(&mut rd).await.unwrap();
match req {
FabricRequest::RequestAuthorization { operation, command_hash, corpus_cid } => {
assert_eq!(operation, "shell:exec");
assert_eq!(command_hash, "abc123");
assert_eq!(corpus_cid, "sha256:corpus");
}
_ => panic!("wrong request variant"),
}
let resp = FabricResponse::AuthorizationGranted {
ac_id: "ac-789".into(),
};
wire::send_msg(&mut wr, &resp).await.unwrap();
let result = client.await.unwrap().unwrap();
assert_eq!(result, "ac-789");
}
#[tokio::test]
async fn request_ac_denied() {
let dir = tempfile::tempdir().unwrap();
let sock_path = dir.path().join("fabric.sock");
let sock_str = sock_path.to_str().unwrap().to_string();
let listener = tokio::net::UnixListener::bind(&sock_path).unwrap();
let sock_clone = sock_str.clone();
let client = tokio::spawn(async move {
request_ac_inline(Some(&sock_clone), "shell:exec", "abc", "sha256:c").await
});
let (stream, _) = listener.accept().await.unwrap();
let (mut rd, mut wr) = tokio::io::split(stream);
let _req: FabricRequest = wire::recv_msg(&mut rd).await.unwrap();
let resp = FabricResponse::Denied {
reason: "posture too low".into(),
};
wire::send_msg(&mut wr, &resp).await.unwrap();
let result = client.await.unwrap();
assert!(result.is_err());
assert!(result.unwrap_err().contains("denied"));
}
#[tokio::test]
async fn post_cr_socket_missing() {
let result = post_cr(Some("/tmp/nonexistent-fabric-cr.sock"), "ac", "ok").await;
assert!(result.receipt_id.is_empty());
} }
} }

12
libgsh/src/governance_env.rs
View file

@ -32,6 +32,7 @@ pub fn apply(
shell_class: Option<&str>, shell_class: Option<&str>,
posture_level: Option<u8>, posture_level: Option<u8>,
capability_set: Option<u32>, capability_set: Option<u32>,
cap_bounding: Option<u64>,
) { ) {
if let Some(d) = did { if let Some(d) = did {
cmd.env("GSH_DID", d); cmd.env("GSH_DID", d);
@ -48,6 +49,9 @@ pub fn apply(
if let Some(c) = capability_set { if let Some(c) = capability_set {
cmd.env("GSH_CAPABILITY_SET", format!("0x{:08x}", c)); cmd.env("GSH_CAPABILITY_SET", format!("0x{:08x}", c));
} }
if let Some(b) = cap_bounding {
cmd.env("GSH_CAP_BOUNDING", format!("0x{b:016x}"));
}
} }
/// Apply the `GSH_*` env-var contract from a parsed AC. /// Apply the `GSH_*` env-var contract from a parsed AC.
@ -64,6 +68,7 @@ pub fn apply_from_ac(cmd: &mut Command, ac: &AuthorizationContext) {
ac.shell_class.as_deref(), ac.shell_class.as_deref(),
ac.posture_level, ac.posture_level,
ac.capability_set, ac.capability_set,
None,
); );
} }
@ -92,6 +97,7 @@ mod tests {
Some("Application"), Some("Application"),
Some(3), Some(3),
Some(0xCAFEBABE), Some(0xCAFEBABE),
Some(0x0000000000200404),
); );
assert_eq!( assert_eq!(
cmd_env(&cmd, "GSH_DID").as_deref(), cmd_env(&cmd, "GSH_DID").as_deref(),
@ -104,12 +110,16 @@ mod tests {
cmd_env(&cmd, "GSH_CAPABILITY_SET").as_deref(), cmd_env(&cmd, "GSH_CAPABILITY_SET").as_deref(),
Some("0xcafebabe") Some("0xcafebabe")
); );
assert_eq!(
cmd_env(&cmd, "GSH_CAP_BOUNDING").as_deref(),
Some("0x0000000000200404")
);
} }
#[test] #[test]
fn apply_partial_only_did() { fn apply_partial_only_did() {
let mut cmd = Command::new("true"); let mut cmd = Command::new("true");
apply(&mut cmd, Some("did:web:foo:bar"), None, None, None, None); apply(&mut cmd, Some("did:web:foo:bar"), None, None, None, None, None);
assert_eq!(cmd_env(&cmd, "GSH_DID").as_deref(), Some("did:web:foo:bar")); assert_eq!(cmd_env(&cmd, "GSH_DID").as_deref(), Some("did:web:foo:bar"));
assert!(cmd_env(&cmd, "GSH_ACCORD_HASH").is_none()); assert!(cmd_env(&cmd, "GSH_ACCORD_HASH").is_none());
assert!(cmd_env(&cmd, "GSH_SHELL_CLASS").is_none()); assert!(cmd_env(&cmd, "GSH_SHELL_CLASS").is_none());

1
libgsh/src/lib.rs
View file

@ -1,5 +1,6 @@
pub mod ac; pub mod ac;
pub mod agent_api; pub mod agent_api;
pub mod capabilities;
pub mod chronicle_events; pub mod chronicle_events;
pub mod classifier; pub mod classifier;
pub mod config; pub mod config;

1
libgsh/src/register.rs
View file

@ -79,6 +79,7 @@ pub async fn register_app_shell(
} }
FabricResponse::Denied { reason } => Err(RegisterError::Denied { reason }), FabricResponse::Denied { reason } => Err(RegisterError::Denied { reason }),
FabricResponse::Error(msg) => Err(RegisterError::FabricError(msg)), FabricResponse::Error(msg) => Err(RegisterError::FabricError(msg)),
_ => Err(RegisterError::FabricError("unexpected response".into())),
} }
} }

1
libgsh/src/session.rs
View file

@ -129,6 +129,7 @@ impl SessionState {
self.shell_class.as_deref(), self.shell_class.as_deref(),
self.posture_level, self.posture_level,
self.capability_set, self.capability_set,
None,
); );
} }