Commit graph

4 commits

Author SHA256 Message Date
Tyler J King
f4f02b0e2e debug(gsap-attestor): include raw input and both parse errors in diagnostics
Temporary diagnostic commit — surfaces the exact data SPIRE sends to
the Configure RPC so we can determine why JSON decode fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-13 08:32:16 -04:00
Tyler J King
646944ab2a fix(gsap-attestor): use HCL JSON mode for SPIRE plugin_data parsing
SPIRE's chart renders plugin_data as JSON via reformat-and-yaml2json,
so hclsimple.Decode with "plugin.json" filename triggers HCL v2 JSON
mode. Falls back to native HCL for direct testing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-13 06:49:15 -04:00
Tyler J King
490c813586 fix(gsap-attestor): use spire-plugin-sdk for SPIRE compatibility
The original implementation used hashicorp/go-plugin directly with a
custom handshake, which SPIRE rejected. Switch to spire-plugin-sdk's
pluginmain.Serve() for correct WorkloadAttestor protocol negotiation,
implement ConfigServer for plugin_data parsing, and return selector
values in key:value format (SPIRE infers the type prefix from the
plugin name). Config decoding tries JSON first (chart renders YAML
as JSON) then falls back to HCL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-13 06:37:37 -04:00
Tyler J King
fe5e2cf3c6 feat(spire): gsap-attestor WorkloadAttestor plugin
SPIRE WorkloadAttestor that reads governance env vars from /proc/{pid}/environ
(walking up the process tree to find gsh) and emits gsap: selectors on workload
SVIDs. Maps BASCULE_* vars set by bascule-shell and future GSH_* vars to the
11-selector vocabulary defined in gsap-types/src/selectors.rs.

- pkg/gsap/selectors.go: shared Go constants mirroring Rust vocabulary
- cmd/gsap-attestor/: plugin implementation with /proc reading, process tree
  walking, capability ceiling translation, and fail-open for non-governed processes
- 28 tests covering selector extraction, proc parsing, tree walking, and depth limits
- Makefile, Dockerfile, deploy config updated

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-13 03:59:08 -04:00
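The /proc reading, process-tree walk, depth limit and fail-open behaviour that the fe5e2cf3c6 commit message describes, as an added example in Go that is not the gsap-attestor's own code. Everything beyond what the message states is an assumption made for this example: the `ProcReader` abstraction (a real plugin would back it with `os.ReadFile` on `/proc`), the `maxWalkDepth` of 16, recognising the governed ancestor by the presence of `BASCULE_*`/`GSH_*` variables in its environ rather than by the process name, deriving selector keys by stripping the prefix (the real plugin uses the 11-selector vocabulary in gsap-types/src/selectors.rs, which is not reproduced here), and the constructed `/proc` snapshot in `SampleProc`.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ProcReader abstracts the two /proc files the walk reads (os.ReadFile in a
// real plugin; a constructed snapshot below).
type ProcReader interface {
	Environ(pid int) ([]byte, error) // raw bytes of /proc/<pid>/environ
	Stat(pid int) (string, error)    // contents of /proc/<pid>/stat
}

// maxWalkDepth bounds the parent walk (assumed value, not the plugin's limit).
const maxWalkDepth = 16

// ParseEnviron splits the NUL-separated KEY=VALUE records of /proc/<pid>/environ.
func ParseEnviron(raw []byte) map[string]string {
	env := make(map[string]string)
	for _, rec := range bytes.Split(raw, []byte{0}) {
		if k, v, ok := strings.Cut(string(rec), "="); ok && k != "" {
			env[k] = v
		}
	}
	return env
}

// ParsePPID returns field 4 (ppid) of /proc/<pid>/stat. comm is parenthesised
// and may contain spaces or ')' itself, so fields are taken after the LAST ')'.
func ParsePPID(stat string) (int, error) {
	end := strings.LastIndex(stat, ")")
	fields := strings.Fields(stat[end+1:]) // fields[0]=state, fields[1]=ppid
	if end < 0 || len(fields) < 2 {
		return 0, fmt.Errorf("malformed stat line: %q", stat)
	}
	return strconv.Atoi(fields[1])
}

// Selectors walks from pid toward pid 1 and returns sorted "key:value" selectors
// for the nearest ancestor whose environ carries BASCULE_*/GSH_* vars (SPIRE adds
// the plugin-name type prefix). No governed ancestor, an ancestor that exited
// mid-walk, or more than maxWalkDepth hops all yield (nil, nil): fail-open.
// An unreadable environ is an error, since it usually means missing privilege.
func Selectors(fs ProcReader, pid int) ([]string, error) {
	for depth := 0; depth <= maxWalkDepth && pid > 0; depth++ {
		raw, err := fs.Environ(pid)
		if err != nil {
			return nil, fmt.Errorf("read environ of pid %d: %w", pid, err)
		}
		var sel []string
		for k, v := range ParseEnviron(raw) {
			if strings.HasPrefix(k, "BASCULE_") || strings.HasPrefix(k, "GSH_") {
				// Illustrative key derivation; the plugin uses its selector vocabulary instead.
				key := strings.TrimPrefix(strings.TrimPrefix(k, "BASCULE_"), "GSH_")
				sel = append(sel, strings.ToLower(key)+":"+v)
			}
		}
		if len(sel) > 0 {
			sort.Strings(sel) // map iteration order is random
			return sel, nil
		}
		stat, err := fs.Stat(pid)
		if err != nil {
			return nil, nil // process went away during the walk
		}
		if pid, err = ParsePPID(stat); err != nil {
			return nil, err
		}
	}
	return nil, nil
}

// procEntry/fakeProc form a constructed /proc snapshot so the walk runs offline.
type procEntry struct{ stat string; environ []byte }
type fakeProc map[int]procEntry

func (f fakeProc) get(pid int) (procEntry, error) {
	if p, ok := f[pid]; ok {
		return p, nil
	}
	return procEntry{}, fmt.Errorf("no such process: %d", pid)
}
func (f fakeProc) Environ(pid int) ([]byte, error) { p, err := f.get(pid); return p.environ, err }
func (f fakeProc) Stat(pid int) (string, error)    { p, err := f.get(pid); return p.stat, err }

// environ encodes KEY=VALUE strings the way the kernel exposes them.
func environ(kv ...string) []byte { return []byte(strings.Join(kv, "\x00") + "\x00") }

// SampleProc (constructed): 4242 runs under wrapper 4200 launched by gsh 4100; 5000 is ungoverned.
func SampleProc() fakeProc {
	return fakeProc{
		1:    {"1 (systemd) S 0 1 1 0 -1 4194560", environ("PATH=/usr/bin")},
		4100: {"4100 (gsh) S 1 4100 4100 0 -1 4194304", environ("PATH=/usr/bin", "BASCULE_POLICY=strict", "BASCULE_SESSION=s-7f3a")},
		4200: {"4200 (my app) S 4100 4200 4100 0 -1 4194304", environ("PATH=/usr/bin")},
		4242: {"4242 (python3) S 4200 4200 4100 0 -1 4194304", environ("PATH=/usr/bin", "HOME=/srv")},
		5000: {"5000 (sshd) S 1 5000 5000 0 -1 4194304", environ("PATH=/usr/bin")},
	}
}

func main() {
	sel, err := Selectors(SampleProc(), 4242)
	fmt.Println(sel, err)
}
```

Two details matter in a real agent and are worth keeping in mind when reading the snapshot: `/proc/<pid>/environ` of another user's process is only readable with the right privilege, so a permission error is surfaced rather than swallowed, whereas a parent that exits between the `environ` and `stat` reads is a benign race and is treated as "not governed"; and the depth bound is what turns a self-parented or cyclic `stat` reading into a fail-open result instead of an infinite loop.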