IntersectionInput replaces separate accord lookups with a DID-document-
sourced three-way intersection: effective = posix_bounding & accord_allowed
& delegation_remaining. denied_to_allowed_mask() converts denied capability
names to a bitmask for the intersection.
Includes workspace-level cleanup and gsh binary refactoring.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Tyler J King <tking@guildhouse.dev>
Phase 1 of org-ops-core CLI standardization: gsh now exports a
discrete set of governance-context env vars to child processes so
org-ops-core (substrate-level operations library, future move) can
construct a GshContext without re-parsing the GSAP_SESSION_AC blob.
Contract:
GSH_DID principal.did (canonical string)
GSH_ACCORD_HASH accord_hash
GSH_SHELL_CLASS shell_class ("Application" | "System" | ...)
GSH_POSTURE_LEVEL posture_level (decimal 1..=5)
GSH_CAPABILITY_SET capability_set formatted "0x{:08x}"
AC schema (libgsh::ac::AuthorizationContext) gains four optional
fields — accord_hash, shell_class, capability_set, posture_level —
all #[serde(default, skip_serializing_if = "Option::is_none")].
Existing AC producers continue working unchanged; ACs without the
new fields parse cleanly. Serialize is added to the AC structs
to enable round-trip and to let library consumers construct ACs
programmatically.
New module libgsh::governance_env exposes:
- apply(cmd, did, accord_hash, shell_class, posture_level,
capability_set) — stateless decorator
- apply_from_ac(cmd, &AC) — convenience wrapper over apply
SessionState gains the four governance fields (populated from AC
in from_ac, left None in ungoverned). SessionState::apply_governance_env
threads them onto a child Command at REPL spawn sites.
Spawn sites updated:
- gsh::main::run (governed --exec) — retains the parsed AC and
calls governance_env::apply_from_ac on the exec Command.
- gsh::human::execute_passthrough — now takes &SessionState;
applies session governance env (REPL Free/Ungoverned paths).
- gsh::human::execute_governed — applies session governance env
alongside the existing BASCULE_SESSION_ID / BASCULE_CORPUS_CID.
Legacy GSAP_SESSION_AC / GSAP_SESSION_ID / GSAP_SESSION_SCOPE exports
remain intact — the GSH_* vars are purely additive convenience for
org-ops-core. Session and inline AC modes (which surface only an
ID, not the full struct) export nothing new — same fail-soft
behaviour as before.
Tests added:
- ac::tests::test_governance_fields_round_trip — full payload
parses and re-serializes losslessly.
- ac::tests::test_governance_fields_absent_back_compat — legacy
AC parses without governance fields and round-trips without
emitting them.
- governance_env::tests::apply_all_fields — every GSH_* var set.
- governance_env::tests::apply_partial_only_did — missing fields
leave the env var unset rather than empty.
- governance_env::tests::apply_from_ac_full — end-to-end AC →
env var application.
- governance_env::tests::apply_from_legacy_ac_no_governance_fields
— legacy AC sets only GSH_DID, no other GSH_* vars.
24 tests pass; cargo build clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tyler J King <tking@guildhouse.dev>
