Phase 1 of org-ops-core CLI standardization: gsh now exports a
discrete set of governance-context env vars to child processes so
org-ops-core (substrate-level operations library, future move) can
construct a GshContext without re-parsing the GSAP_SESSION_AC blob.
Contract:
GSH_DID principal.did (canonical string)
GSH_ACCORD_HASH accord_hash
GSH_SHELL_CLASS shell_class ("Application" | "System" | ...)
GSH_POSTURE_LEVEL posture_level (decimal 1..=5)
GSH_CAPABILITY_SET capability_set formatted "0x{:08x}"
AC schema (libgsh::ac::AuthorizationContext) gains four optional
fields — accord_hash, shell_class, capability_set, posture_level —
all #[serde(default, skip_serializing_if = "Option::is_none")].
Existing AC producers continue working unchanged; ACs without the
new fields parse cleanly. Serialize is added to the AC structs
to enable round-trip and to let library consumers construct ACs
programmatically.
New module libgsh::governance_env exposes:
- apply(cmd, did, accord_hash, shell_class, posture_level,
capability_set) — stateless decorator
- apply_from_ac(cmd, &AC) — convenience wrapper over apply
SessionState gains the four governance fields (populated from AC
in from_ac, left None in ungoverned). SessionState::apply_governance_env
threads them onto a child Command at REPL spawn sites.
Spawn sites updated:
- gsh::main::run (governed --exec) — retains the parsed AC and
calls governance_env::apply_from_ac on the exec Command.
- gsh::human::execute_passthrough — now takes &SessionState;
applies session governance env (REPL Free/Ungoverned paths).
- gsh::human::execute_governed — applies session governance env
alongside the existing BASCULE_SESSION_ID / BASCULE_CORPUS_CID.
Legacy GSAP_SESSION_AC / GSAP_SESSION_ID / GSAP_SESSION_SCOPE exports
remain intact — the GSH_* vars are purely additive convenience for
org-ops-core. Session and inline AC modes (which surface only an
ID, not the full struct) export nothing new — same fail-soft
behaviour as before.
Tests added:
- ac::tests::test_governance_fields_round_trip — full payload
parses and re-serializes losslessly.
- ac::tests::test_governance_fields_absent_back_compat — legacy
AC parses without governance fields and round-trips without
emitting them.
- governance_env::tests::apply_all_fields — every GSH_* var set.
- governance_env::tests::apply_partial_only_did — missing fields
leave the env var unset rather than empty.
- governance_env::tests::apply_from_ac_full — end-to-end AC →
env var application.
- governance_env::tests::apply_from_legacy_ac_no_governance_fields
— legacy AC sets only GSH_DID, no other GSH_* vars.
24 tests pass; cargo build clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tyler J King <tking@guildhouse.dev>
corpus_check() previously returned Allowed as soon as it found a file by
name in the corpus directory keyed by CID. The CID acted as a directory
label, not a content commitment. An attacker with write access to the
corpus directory could plant a malicious binary under a legitimate CID
and it would execute with that CID's authorization.
This change hashes the binary at the resolved path and compares to the
CID its directory is named for. Mismatches return a new ContentMismatch
variant; unreadable binaries return ReadFailed. Both are execution-denied
states — main.rs handles each explicitly with exit code 3 (previously
used only for Denied).
Both error classes emit Chronicle-shaped structured tracing events
(target: "chronicle") with stable event_type constants from
libgsh::chronicle_events. The field shape matches what substrate-chronicle's
post-io_uring emission API is expected to require; migration to direct
Chronicle emission becomes a mechanical translation once that API
stabilizes.
The tamper signal is that the binary and its directory name disagree.
This closes the execution-path half of the CID-content verification
audit fix — admission (corpus-operator) rejects CID forgery before the
enforcement ConfigMap is written; execution (libgsh) rejects any tamper
that landed after admission. Defense in depth across both layers.
Kernel-layer CID verification (the third layer, where eBPF LSM hooks
authorize by binary name via FNV-1a hash of comm) is explicit backlog,
deferred to Bifrost where in-kernel hashing or a ring-buffer userspace
verifier can be evaluated properly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tyler J King <tking@guildhouse.dev>
Reads BASCULE_DEFCON_LEVEL from env. At DEFCON <5:
Banner: DEFCON level + label (RESTRICTED/CRITICAL/LOCKDOWN) + reason
Prompt: [restricted] at DEFCON 3, [DEFCON] at ≤2
DEFCON 5 (peacetime): no DEFCON line in banner, normal prompt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Banner shows human-readable principal and DID on separate lines:
Principal: tking@guildhouse.dev
DID: did:web:guildhouse.dev/user/tking
Prompt uses short name: [governed] tking@gsh
Reads BASCULE_DISPLAY_NAME env. Fallback: parse DID to name@domain.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Broker now supports session-scoped ACs that stay active across
multiple CRs. Session start posts 'completed' CR, session end
posts 'session_end' CR which consumes the AC.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Session start/end CRs used invalid outcome values (session_started,
session_ended) not in broker's Outcome enum, causing 422. Also, broker
consumes AC on first CR, blocking subsequent per-command CRs.
Skipped session lifecycle CRs until session-scoped AC model is
implemented. Per-command CRs still post on governed command completion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
