RubyGems - legate - Versions diffs - 0.1.0 - Mend

legate 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +7 -0
data/LICENSE +21 -0
data/README.md +345 -0
data/bin/legate +13 -0
data/examples/00_quickstart.rb +51 -0
data/examples/01_simple_agent.rb +105 -0
data/examples/02_multi_tool_agent.rb +140 -0
data/examples/03_custom_tool.rb +93 -0
data/examples/04_agent_instructions.rb +84 -0
data/examples/05_state_and_sessions.rb +91 -0
data/examples/06_callbacks.rb +186 -0
data/examples/07_async_jobs.rb +112 -0
data/examples/08_loop_agent.rb +197 -0
data/examples/09_sequential_workflow.rb +40 -0
data/examples/10_parallel_workflow.rb +34 -0
data/examples/11_agent_delegation.rb +24 -0
data/examples/12_http_client_tool.rb +156 -0
data/examples/13_authentication.rb +220 -0
data/examples/14_mcp_client.rb +154 -0
data/examples/15_mcp_server.rb +79 -0
data/examples/16_webhooks.rb +91 -0
data/examples/README_sequential_agents.md +164 -0
data/examples/advanced/auth/cookie_auth_tool.rb +146 -0
data/examples/advanced/auth/custom_auth_flows_example.rb +626 -0
data/examples/advanced/auth/excon_middleware.rb +317 -0
data/examples/advanced/auth/excon_middleware_auth.rb +399 -0
data/examples/advanced/auth/fiber_auth_example.rb +281 -0
data/examples/advanced/auth/fiber_oidc_example.rb +403 -0
data/examples/advanced/auth/httpbin_bearer_tool.rb +159 -0
data/examples/advanced/auth/oauth2_auth.rb +419 -0
data/examples/advanced/auth/oidc_auth.rb +514 -0
data/examples/advanced/auth/openweather_api.rb +251 -0
data/examples/advanced/auth/openweather_tool.rb +153 -0
data/examples/advanced/auth/query_param_middleware_test.rb +138 -0
data/examples/advanced/auth/service_account.rb +135 -0
data/examples/advanced/auth/test_with_httpbin.rb +202 -0
data/examples/advanced/auth/token_lifecycle_example.rb +428 -0
data/examples/advanced/callback_monitoring.rb +679 -0
data/examples/advanced/mas/fixed_delegation_example.rb +191 -0
data/examples/advanced/mas/loop_workflow.rb +28 -0
data/examples/advanced/mas/mock_planner.rb +77 -0
data/examples/advanced/mas/proper_delegation_example.rb +276 -0
data/examples/advanced/mcp/legate_mcp_server_resource_example.rb +182 -0
data/examples/advanced/mcp/mcp_resource_server_example.rb +309 -0
data/examples/advanced/mcp/mcp_server_async.rb +76 -0
data/examples/advanced/mcp/mcp_server_async_tools.rb +122 -0
data/examples/advanced/mcp/mcp_server_legate_agent.rb +95 -0
data/examples/advanced/mcp/mcp_server_rack.rb +89 -0
data/examples/advanced/random_calculator.rb +104 -0
data/examples/advanced/sleep_agent.rb +153 -0
data/examples/advanced/webhooks/webhook_e2e_runner.rb +110 -0
data/examples/advanced/webhooks/webhook_receiver_agent.rb +58 -0
data/examples/advanced/workflows/task_refinement_loop_agent.rb +278 -0
data/examples/advanced/workflows/travel_planner_auto_sequential.rb +444 -0
data/examples/advanced/workflows/travel_planner_parallel.rb +656 -0
data/examples/advanced/workflows/travel_planner_sequential.rb +512 -0
data/examples/tools/oauth2_example.rb +136 -0
data/examples/tools/sleepy_tool.rb +42 -0
data/lib/legate/activity_log.rb +71 -0
data/lib/legate/agent.rb +959 -0
data/lib/legate/agent_code_generator.rb +185 -0
data/lib/legate/agent_definition.rb +812 -0
data/lib/legate/agentic/decision.rb +49 -0
data/lib/legate/agentic/loop.rb +134 -0
data/lib/legate/agentic.rb +5 -0
data/lib/legate/agents/loop_agent.rb +248 -0
data/lib/legate/agents/parallel_agent.rb +163 -0
data/lib/legate/agents/sequential_agent.rb +190 -0
data/lib/legate/agents.rb +14 -0
data/lib/legate/auth/config.rb +148 -0
data/lib/legate/auth/coordinator.rb +218 -0
data/lib/legate/auth/coordinators/oauth2_coordinator.rb +99 -0
data/lib/legate/auth/coordinators/oidc_coordinator.rb +68 -0
data/lib/legate/auth/coordinators/service_account_coordinator.rb +122 -0
data/lib/legate/auth/credential.rb +157 -0
data/lib/legate/auth/encryption.rb +108 -0
data/lib/legate/auth/error.rb +94 -0
data/lib/legate/auth/exchanged_credential.rb +180 -0
data/lib/legate/auth/excon_middleware.rb +285 -0
data/lib/legate/auth/http_client_utils.rb +364 -0
data/lib/legate/auth/manager.rb +531 -0
data/lib/legate/auth/manager_store.rb +394 -0
data/lib/legate/auth/middleware_factory.rb +290 -0
data/lib/legate/auth/runner.rb +279 -0
data/lib/legate/auth/scheme.rb +125 -0
data/lib/legate/auth/schemes/api_key.rb +212 -0
data/lib/legate/auth/schemes/google_service_account.rb +108 -0
data/lib/legate/auth/schemes/http_bearer.rb +98 -0
data/lib/legate/auth/schemes/oauth2.rb +396 -0
data/lib/legate/auth/schemes/openid_connect.rb +346 -0
data/lib/legate/auth/schemes/service_account.rb +388 -0
data/lib/legate/auth/schemes.rb +40 -0
data/lib/legate/auth/token_manager.rb +362 -0
data/lib/legate/auth/token_store.rb +86 -0
data/lib/legate/auth/tool_context_extension.rb +97 -0
data/lib/legate/auth/tool_integration.rb +188 -0
data/lib/legate/auth/url_guard.rb +81 -0
data/lib/legate/auth.rb +453 -0
data/lib/legate/callbacks/callback_context.rb +71 -0
data/lib/legate/cli/agent_commands.rb +950 -0
data/lib/legate/cli/auth_commands.rb +520 -0
data/lib/legate/cli/base_command.rb +24 -0
data/lib/legate/cli/deployment_commands.rb +934 -0
data/lib/legate/cli/output_helper.rb +108 -0
data/lib/legate/cli/session_commands.rb +138 -0
data/lib/legate/cli/skaffold_commands.rb +223 -0
data/lib/legate/cli/tool_commands.rb +261 -0
data/lib/legate/cli/web_commands.rb +182 -0
data/lib/legate/cli.rb +40 -0
data/lib/legate/configuration/webhooks.rb +113 -0
data/lib/legate/configuration.rb +39 -0
data/lib/legate/definition_store.rb +23 -0
data/lib/legate/errors.rb +118 -0
data/lib/legate/event.rb +161 -0
data/lib/legate/gemini_ai_beta_patch.rb +39 -0
data/lib/legate/generators/agent_generator.rb +412 -0
data/lib/legate/generators/code_validator.rb +48 -0
data/lib/legate/generators/legate/install_generator.rb +35 -0
data/lib/legate/generators/legate/templates/create_legate_tables.rb.tt +36 -0
data/lib/legate/generators/legate/templates/initializer.rb +18 -0
data/lib/legate/generators/runtime_tool_loader.rb +76 -0
data/lib/legate/generators/tool_generator.rb +408 -0
data/lib/legate/generators.rb +11 -0
data/lib/legate/global_definition_registry.rb +506 -0
data/lib/legate/global_tool_manager.rb +135 -0
data/lib/legate/llm/adapter.rb +69 -0
data/lib/legate/llm/gemini.rb +172 -0
data/lib/legate/llm/ollama.rb +80 -0
data/lib/legate/llm.rb +34 -0
data/lib/legate/mcp/client.rb +320 -0
data/lib/legate/mcp/connection/sse.rb +292 -0
data/lib/legate/mcp/connection/stdio.rb +273 -0
data/lib/legate/mcp/connection_manager.rb +103 -0
data/lib/legate/mcp/server/legate_agent_adapter.rb +170 -0
data/lib/legate/mcp/server/legate_direct_agent_adapter.rb +140 -0
data/lib/legate/mcp/server/legate_tool_adapter.rb +119 -0
data/lib/legate/mcp/tool_wrapper.rb +138 -0
data/lib/legate/mcp/util/schema_converter.rb +134 -0
data/lib/legate/mcp.rb +23 -0
data/lib/legate/plan_executor.rb +375 -0
data/lib/legate/planner.rb +839 -0
data/lib/legate/rails/railtie.rb +43 -0
data/lib/legate/rails.rb +9 -0
data/lib/legate/redaction.rb +32 -0
data/lib/legate/session.rb +299 -0
data/lib/legate/session_service/active_record.rb +300 -0
data/lib/legate/session_service/base.rb +68 -0
data/lib/legate/session_service/event_broadcast.rb +74 -0
data/lib/legate/session_service/in_memory.rb +188 -0
data/lib/legate/tool/metadata_dsl.rb +122 -0
data/lib/legate/tool.rb +276 -0
data/lib/legate/tool_code_generator.rb +103 -0
data/lib/legate/tool_context.rb +350 -0
data/lib/legate/tool_loader.rb +39 -0
data/lib/legate/tool_registry.rb +73 -0
data/lib/legate/tool_result.rb +61 -0
data/lib/legate/tools/agent_tool.rb +187 -0
data/lib/legate/tools/base/http_client.rb +319 -0
data/lib/legate/tools/base/safe_url.rb +56 -0
data/lib/legate/tools/base_async_job_tool.rb +91 -0
data/lib/legate/tools/calculator.rb +89 -0
data/lib/legate/tools/cat_facts.rb +81 -0
data/lib/legate/tools/check_job_status_tool.rb +48 -0
data/lib/legate/tools/current_time_tool.rb +64 -0
data/lib/legate/tools/echo.rb +43 -0
data/lib/legate/tools/http_request_tool.rb +105 -0
data/lib/legate/tools/random_number_tool.rb +64 -0
data/lib/legate/tools/read_webpage_tool.rb +92 -0
data/lib/legate/tools/sleepy_tool.rb +74 -0
data/lib/legate/tools/webhook_tool.rb +146 -0
data/lib/legate/version.rb +5 -0
data/lib/legate/web/app.rb +984 -0
data/lib/legate/web/public/css/main.css +4980 -0
data/lib/legate/web/public/images/favicon-256.png +0 -0
data/lib/legate/web/public/images/favicon-32.png +0 -0
data/lib/legate/web/public/images/legate-logo-dark.png +0 -0
data/lib/legate/web/public/images/legate-logo-light.png +0 -0
data/lib/legate/web/public/js/legate.js +616 -0
data/lib/legate/web/public/styles/main.scss +4402 -0
data/lib/legate/web/routes/agent_authentication_routes.rb +530 -0
data/lib/legate/web/routes/agent_definition_routes.rb +803 -0
data/lib/legate/web/routes/agent_generator_routes.rb +80 -0
data/lib/legate/web/routes/agent_interaction_routes.rb +734 -0
data/lib/legate/web/routes/agent_runtime_routes.rb +323 -0
data/lib/legate/web/routes/api_routes.rb +56 -0
data/lib/legate/web/routes/authentication_routes.rb +1541 -0
data/lib/legate/web/routes/core_routes.rb +111 -0
data/lib/legate/web/routes/documentation_routes.rb +220 -0
data/lib/legate/web/routes/tool_generator_routes.rb +81 -0
data/lib/legate/web/routes/tools_ui_routes.rb +207 -0
data/lib/legate/web/sass_compiler.rb +73 -0
data/lib/legate/web/views/_active_session_info.slim +25 -0
data/lib/legate/web/views/_activity_list.slim +55 -0
data/lib/legate/web/views/_agent_card.slim +56 -0
data/lib/legate/web/views/_agent_generator_modal.slim +382 -0
data/lib/legate/web/views/_agent_status_controls.slim +71 -0
data/lib/legate/web/views/_agent_tool_table.slim +74 -0
data/lib/legate/web/views/_chat_message.slim +95 -0
data/lib/legate/web/views/_display_agent_configuration.slim +26 -0
data/lib/legate/web/views/_display_agent_description.slim +11 -0
data/lib/legate/web/views/_display_agent_fallback.slim +15 -0
data/lib/legate/web/views/_display_agent_hierarchy.slim +93 -0
data/lib/legate/web/views/_display_agent_instruction.slim +17 -0
data/lib/legate/web/views/_display_agent_mcp.slim +13 -0
data/lib/legate/web/views/_display_agent_model.slim +17 -0
data/lib/legate/web/views/_display_agent_name.slim +42 -0
data/lib/legate/web/views/_display_agent_output_key.slim +26 -0
data/lib/legate/web/views/_display_agent_type.slim +65 -0
data/lib/legate/web/views/_edit_agent_configuration.slim +74 -0
data/lib/legate/web/views/_edit_agent_description.slim +16 -0
data/lib/legate/web/views/_edit_agent_fallback.slim +25 -0
data/lib/legate/web/views/_edit_agent_hierarchy.slim +98 -0
data/lib/legate/web/views/_edit_agent_instruction.slim +49 -0
data/lib/legate/web/views/_edit_agent_mcp.slim +33 -0
data/lib/legate/web/views/_edit_agent_model.slim +23 -0
data/lib/legate/web/views/_edit_agent_output_key.slim +36 -0
data/lib/legate/web/views/_edit_agent_tools.slim +40 -0
data/lib/legate/web/views/_edit_agent_type.slim +67 -0
data/lib/legate/web/views/_session_error.slim +4 -0
data/lib/legate/web/views/_skeleton.slim +69 -0
data/lib/legate/web/views/_tool_card.slim +9 -0
data/lib/legate/web/views/_tool_generator_modal.slim +311 -0
data/lib/legate/web/views/agent.slim +436 -0
data/lib/legate/web/views/agent_auth.slim +562 -0
data/lib/legate/web/views/agents.slim +369 -0
data/lib/legate/web/views/auth.slim +112 -0
data/lib/legate/web/views/auth_credential_detail.slim +327 -0
data/lib/legate/web/views/auth_credentials.slim +261 -0
data/lib/legate/web/views/auth_debug.slim +94 -0
data/lib/legate/web/views/auth_mapping_detail.slim +151 -0
data/lib/legate/web/views/auth_mapping_new.slim +123 -0
data/lib/legate/web/views/auth_mappings.slim +120 -0
data/lib/legate/web/views/auth_scheme_detail.slim +274 -0
data/lib/legate/web/views/auth_schemes.slim +259 -0
data/lib/legate/web/views/auth_test.slim +418 -0
data/lib/legate/web/views/chat.slim +192 -0
data/lib/legate/web/views/docs_index.slim +105 -0
data/lib/legate/web/views/docs_show.slim +105 -0
data/lib/legate/web/views/error_404.slim +5 -0
data/lib/legate/web/views/index.slim +148 -0
data/lib/legate/web/views/layout.slim +144 -0
data/lib/legate/web/views/tool_detail.slim +87 -0
data/lib/legate/web/views/tools.slim +50 -0
data/lib/legate/web/webhook_listener.rb +367 -0
data/lib/legate/web.rb +9 -0
data/lib/legate.rb +220 -0
data/public/docs/advanced/callbacks.md +828 -0
data/public/docs/advanced/mcp_schema_conversion.md +59 -0
data/public/docs/authentication/api_reference/config.md +210 -0
data/public/docs/authentication/api_reference/credential.md +246 -0
data/public/docs/authentication/api_reference/encryption.md +218 -0
data/public/docs/authentication/api_reference/exchanged_credential.md +271 -0
data/public/docs/authentication/api_reference/excon_middleware.md +175 -0
data/public/docs/authentication/api_reference/index.md +30 -0
data/public/docs/authentication/api_reference/scheme.md +250 -0
data/public/docs/authentication/api_reference/schemes/api_key.md +175 -0
data/public/docs/authentication/api_reference/schemes/google_service_account.md +221 -0
data/public/docs/authentication/api_reference/schemes/http_bearer.md +169 -0
data/public/docs/authentication/api_reference/schemes/oauth2.md +343 -0
data/public/docs/authentication/api_reference/schemes/oidc.md +73 -0
data/public/docs/authentication/api_reference/schemes/openid_connect.md +311 -0
data/public/docs/authentication/api_reference/schemes/service_account.md +287 -0
data/public/docs/authentication/api_reference/token_manager.md +221 -0
data/public/docs/authentication/api_reference/token_store.md +146 -0
data/public/docs/authentication/api_reference/tool_context_extension.md +166 -0
data/public/docs/authentication/guides/api_key.md +190 -0
data/public/docs/authentication/guides/bearer.md +172 -0
data/public/docs/authentication/guides/configuration.md +255 -0
data/public/docs/authentication/guides/custom_flow.md +523 -0
data/public/docs/authentication/guides/index.md +24 -0
data/public/docs/authentication/guides/migration.md +435 -0
data/public/docs/authentication/guides/oauth2.md +252 -0
data/public/docs/authentication/guides/oidc.md +241 -0
data/public/docs/authentication/guides/overview.md +155 -0
data/public/docs/authentication/guides/secure_storage.md +301 -0
data/public/docs/authentication/guides/service_account.md +228 -0
data/public/docs/authentication/guides/token_lifecycle.md +295 -0
data/public/docs/authentication/guides/web_ui_integration.md +504 -0
data/public/docs/authentication/index.md +58 -0
data/public/docs/authentication/troubleshooting/credential_storage.md +550 -0
data/public/docs/authentication/troubleshooting/environment_variables.md +540 -0
data/public/docs/authentication/troubleshooting/index.md +11 -0
data/public/docs/authentication/troubleshooting/oauth2_issues.md +220 -0
data/public/docs/authentication/troubleshooting/oidc_issues.md +412 -0
data/public/docs/authentication/troubleshooting/token_refresh.md +338 -0
data/public/docs/cli/legate_cli_usage.md +363 -0
data/public/docs/core_concepts/legate_agent_lifecycle.md +124 -0
data/public/docs/core_concepts/legate_architecture_overview.md +110 -0
data/public/docs/core_concepts/legate_configuration.md +116 -0
data/public/docs/core_concepts/legate_definition_store.md +102 -0
data/public/docs/core_concepts/legate_planner.md +94 -0
data/public/docs/core_concepts/legate_session_service.md +104 -0
data/public/docs/error_handling/legate_error_handling.md +122 -0
data/public/docs/examples.md +199 -0
data/public/docs/getting_started.md +111 -0
data/public/docs/guides/agentic_agents.md +137 -0
data/public/docs/guides/ai_code_generators.md +437 -0
data/public/docs/guides/auto_loading.md +326 -0
data/public/docs/guides/configuring_agent_webhooks.md +219 -0
data/public/docs/guides/http_client_usage.md +264 -0
data/public/docs/guides/llm_providers.md +137 -0
data/public/docs/guides/mcp_client_integration.md +232 -0
data/public/docs/guides/mcp_server_exposure.md +206 -0
data/public/docs/guides/rails_integration.md +128 -0
data/public/docs/guides/sending_outbound_webhooks.md +227 -0
data/public/docs/guides/streaming.md +112 -0
data/public/docs/guides/webhooks.md +288 -0
data/public/docs/introduction.md +51 -0
data/public/docs/multi_agent_systems/advanced_features.md +57 -0
data/public/docs/multi_agent_systems/agent_delegation.md +190 -0
data/public/docs/multi_agent_systems/agent_hierarchy.md +49 -0
data/public/docs/multi_agent_systems/state_management.md +47 -0
data/public/docs/multi_agent_systems/workflow_agents.md +72 -0
data/public/docs/tools/legate_built_in_tools.md +332 -0
data/public/docs/tools/legate_tools_and_registry.md +263 -0
data/public/docs/web_ui/legate_web_ui.md +137 -0
metadata +823 -0

data/lib/legate/cli/auth_commands.rb ADDED Viewed

@@ -0,0 +1,520 @@
+# File: lib/legate/cli/auth_commands.rb
+# frozen_string_literal: true
+require 'thor'
+require_relative 'base_command'
+require 'cli/ui'
+require_relative '../../legate'
+module Legate
+  module CLI
+    # Helper module for auth command formatting
+    module AuthCommandHelpers
+      # Mask sensitive values for display
+      def mask_sensitive_value(value)
+        return '(not set)' if value.nil? || value.empty?
+        return value if value.start_with?('ENV:') # Show env var references as-is
+        if value.length <= 8
+          '********'
+        else
+          "#{value[0, 4]}********#{value[-4..]}"
+        end
+      end
+      # Get scheme type description
+      def scheme_type_description(scheme_type)
+        case scheme_type.to_sym
+        when :api_key then 'API Key authentication'
+        when :http_bearer then 'HTTP Bearer token'
+        when :oauth2 then 'OAuth 2.0 flow'
+        when :oidc, :openid_connect then 'OpenID Connect'
+        when :service_account then 'Service Account'
+        when :google_service_account then 'Google Service Account'
+        else scheme_type.to_s
+        end
+      end
+      # Get credential type description
+      def credential_type_description(auth_type)
+        case auth_type.to_sym
+        when :api_key then 'API Key'
+        when :http_bearer then 'Bearer Token'
+        when :oauth2 then 'OAuth2 Client'
+        when :oidc then 'OIDC Client'
+        when :service_account then 'Service Account'
+        when :google_service_account then 'Google Service Account'
+        when :basic then 'Basic Auth'
+        else auth_type.to_s
+        end
+      end
+      # Sensitive field names
+      def sensitive_field?(name)
+        %i[api_key client_secret bearer_token password private_key service_account_key token].include?(name.to_sym)
+      end
+      # Print styled header
+      def print_header(text)
+        puts ::CLI::UI.fmt("{{bold:#{text}}}")
+      end
+      # Print styled table row
+      def print_row(label, value, indent: 2)
+        padding = ' ' * indent
+        puts "#{padding}#{::CLI::UI.fmt("{{cyan:#{label}:}}")} #{value}"
+      end
+      # Ensure auth manager is ready
+      def auth_manager
+        @auth_manager ||= begin
+          manager = Legate::Auth::Manager.instance
+          manager.load_from_store
+          manager
+        end
+      end
+    end
+    # Scheme management subcommands
+    class AuthSchemeCommands < BaseCommand
+      include AuthCommandHelpers
+      namespace 'auth:schemes'
+      desc 'list', 'List all registered authentication schemes'
+      def list
+        schemes = auth_manager.instance_variable_get(:@schemes) || {}
+        if schemes.empty?
+          puts ::CLI::UI.fmt('{{yellow:No authentication schemes registered.}}')
+          return
+        end
+        print_header("Authentication Schemes (#{schemes.size})")
+        puts
+        schemes.each do |name, scheme|
+          puts ::CLI::UI.fmt("  {{bold:#{name}}} {{gray:(#{scheme.scheme_type})}}")
+          puts "    #{scheme_type_description(scheme.scheme_type)}"
+          puts
+        end
+      end
+      desc 'show NAME', 'Show details for a specific scheme'
+      def show(name)
+        scheme = auth_manager.get_scheme(name.to_sym)
+        unless scheme
+          puts ::CLI::UI.fmt("{{red:Scheme not found:}} #{name}")
+          exit 1
+        end
+        print_header("Scheme: #{name}")
+        print_row('Type', scheme.scheme_type)
+        print_row('Class', scheme.class.name.split('::').last)
+        print_row('Description', scheme_type_description(scheme.scheme_type))
+        # Show scheme-specific config
+        config = scheme.to_h
+        config.each do |key, value|
+          next if key == :type
+          print_row(key.to_s.capitalize, value) if value
+        end
+      end
+      desc 'create NAME', 'Create a new authentication scheme'
+      method_option :type, type: :string, required: true,
+                           desc: 'Scheme type (api_key, http_bearer, oauth2, oidc, service_account, google_service_account)'
+      method_option :authorization_url, type: :string, desc: 'OAuth2/OIDC authorization URL'
+      method_option :token_url, type: :string, desc: 'OAuth2/OIDC/Service Account token URL'
+      method_option :userinfo_url, type: :string, desc: 'OIDC userinfo URL'
+      method_option :scopes, type: :string, desc: 'Space-separated scopes'
+      method_option :use_pkce, type: :boolean, default: false, desc: 'Use PKCE for OAuth2/OIDC'
+      method_option :revocation_url, type: :string, desc: 'OAuth2 revocation URL'
+      def create(name)
+        scheme_name = name.to_sym
+        scheme_type = options[:type].to_sym
+        if auth_manager.get_scheme(scheme_name)
+          puts ::CLI::UI.fmt("{{red:Scheme already exists:}} #{name}")
+          exit 1
+        end
+        scheme = case scheme_type
+                 when :api_key
+                   Legate::Auth::Schemes::ApiKey.new
+                 when :http_bearer
+                   Legate::Auth::Schemes::HTTPBearer.new
+                 when :oauth2
+                   Legate::Auth::Schemes::OAuth2.new(
+                     authorization_url: options[:authorization_url],
+                     token_url: options[:token_url],
+                     scopes: options[:scopes]&.split(/\s+/),
+                     use_pkce: options[:use_pkce],
+                     revocation_url: options[:revocation_url]
+                   )
+                 when :oidc, :openid_connect
+                   Legate::Auth::Schemes::OpenIDConnect.new(
+                     authorization_url: options[:authorization_url],
+                     token_url: options[:token_url],
+                     userinfo_url: options[:userinfo_url],
+                     scopes: options[:scopes]&.split(/\s+/),
+                     use_pkce: options[:use_pkce]
+                   )
+                 when :service_account
+                   Legate::Auth::Schemes::ServiceAccount.new(
+                     token_url: options[:token_url],
+                     scopes: options[:scopes]&.split(/\s+/)
+                   )
+                 when :google_service_account
+                   Legate::Auth::Schemes::GoogleServiceAccount.new(
+                     scopes: options[:scopes]&.split(/\s+/)
+                   )
+                 else
+                   puts ::CLI::UI.fmt("{{red:Unsupported scheme type:}} #{scheme_type}")
+                   exit 1
+                 end
+        auth_manager.register_scheme(scheme, scheme_name)
+        puts ::CLI::UI.fmt("{{green:✓}} Scheme '#{name}' created successfully")
+      end
+      desc 'delete NAME', 'Delete an authentication scheme'
+      method_option :force, type: :boolean, default: false, desc: 'Force delete even if in use'
+      def delete(name)
+        scheme_name = name.to_sym
+        unless auth_manager.get_scheme(scheme_name)
+          puts ::CLI::UI.fmt("{{red:Scheme not found:}} #{name}")
+          exit 1
+        end
+        # Check for dependent mappings
+        url_mappings = auth_manager.instance_variable_get(:@url_mappings) || []
+        dependent = url_mappings.select { |m| m[:scheme_name] == scheme_name }
+        if dependent.any? && !options[:force]
+          puts ::CLI::UI.fmt("{{red:Cannot delete}} - scheme is used by #{dependent.size} URL mapping(s)")
+          puts 'Use --force to delete anyway'
+          exit 1
+        end
+        auth_manager.unregister_scheme(scheme_name)
+        puts ::CLI::UI.fmt("{{green:✓}} Scheme '#{name}' deleted")
+      end
+    end
+    # Credential management subcommands
+    class AuthCredentialCommands < BaseCommand
+      include AuthCommandHelpers
+      namespace 'auth:credentials'
+      desc 'list', 'List all registered credentials'
+      def list
+        credentials = auth_manager.instance_variable_get(:@credentials) || {}
+        if credentials.empty?
+          puts ::CLI::UI.fmt('{{yellow:No credentials registered.}}')
+          return
+        end
+        print_header("Credentials (#{credentials.size})")
+        puts
+        credentials.each do |name, cred|
+          puts ::CLI::UI.fmt("  {{bold:#{name}}} {{gray:(#{cred.auth_type})}}")
+          # Show masked key info
+          case cred.auth_type
+          when :api_key
+            puts "    API Key: #{mask_sensitive_value(cred[:api_key, resolve_env: false])}"
+          when :http_bearer
+            puts "    Token: #{mask_sensitive_value(cred[:bearer_token, resolve_env: false])}"
+          when :oauth2, :oidc
+            puts "    Client ID: #{cred[:client_id, resolve_env: false]}"
+          when :service_account, :google_service_account
+            puts '    Service Account Key: ********'
+          end
+          puts
+        end
+      end
+      desc 'show NAME', 'Show details for a specific credential'
+      def show(name)
+        credential = auth_manager.get_credential(name.to_sym)
+        unless credential
+          puts ::CLI::UI.fmt("{{red:Credential not found:}} #{name}")
+          exit 1
+        end
+        print_header("Credential: #{name}")
+        print_row('Type', credential_type_description(credential.auth_type))
+        credential.to_h(resolve_env: false).each do |key, value|
+          next if key == :auth_type
+          display_value = sensitive_field?(key) ? mask_sensitive_value(value.to_s) : value
+          print_row(key.to_s, display_value)
+        end
+      end
+      desc 'create NAME', 'Create a new credential'
+      method_option :type, type: :string, required: true,
+                           desc: 'Credential type (api_key, http_bearer, oauth2, oidc, service_account, google_service_account, basic)'
+      method_option :api_key, type: :string, desc: 'API key value (or ENV:VAR_NAME)'
+      method_option :bearer_token, type: :string, desc: 'Bearer token (or ENV:VAR_NAME)'
+      method_option :client_id, type: :string, desc: 'OAuth2/OIDC client ID'
+      method_option :client_secret, type: :string, desc: 'OAuth2/OIDC client secret (or ENV:VAR_NAME)'
+      method_option :redirect_uri, type: :string, desc: 'OAuth2/OIDC redirect URI'
+      method_option :username, type: :string, desc: 'Basic auth username'
+      method_option :password, type: :string, desc: 'Basic auth password (or ENV:VAR_NAME)'
+      method_option :service_account_key, type: :string, desc: 'Service account JSON key (or ENV:VAR_NAME)'
+      method_option :service_account_key_file, type: :string, desc: 'Path to service account key file'
+      def create(name)
+        cred_name = name.to_sym
+        auth_type = options[:type].to_sym
+        if auth_manager.get_credential(cred_name)
+          puts ::CLI::UI.fmt("{{red:Credential already exists:}} #{name}")
+          exit 1
+        end
+        attrs = { auth_type: auth_type }
+        case auth_type
+        when :api_key
+          attrs[:api_key] = options[:api_key] || prompt_for('API Key')
+        when :http_bearer
+          attrs[:bearer_token] = options[:bearer_token] || prompt_for('Bearer Token')
+        when :oauth2, :oidc
+          attrs[:client_id] = options[:client_id] || prompt_for('Client ID')
+          attrs[:client_secret] = options[:client_secret]
+          attrs[:redirect_uri] = options[:redirect_uri] if options[:redirect_uri]
+        when :service_account, :google_service_account
+          attrs[:service_account_key] = if options[:service_account_key_file]
+                                          File.read(options[:service_account_key_file])
+                                        else
+                                          options[:service_account_key] || prompt_for('Service Account Key JSON')
+                                        end
+        when :basic
+          attrs[:username] = options[:username] || prompt_for('Username')
+          attrs[:password] = options[:password] || prompt_for('Password')
+        else
+          puts ::CLI::UI.fmt("{{red:Unsupported credential type:}} #{auth_type}")
+          exit 1
+        end
+        credential = Legate::Auth::Credential.new(**attrs)
+        auth_manager.register_credential(credential, cred_name)
+        puts ::CLI::UI.fmt("{{green:✓}} Credential '#{name}' created successfully")
+      rescue Legate::Auth::CredentialError => e
+        puts ::CLI::UI.fmt("{{red:Invalid credential:}} #{e.message}")
+        exit 1
+      end
+      desc 'delete NAME', 'Delete a credential'
+      method_option :force, type: :boolean, default: false, desc: 'Force delete even if in use'
+      def delete(name)
+        cred_name = name.to_sym
+        unless auth_manager.get_credential(cred_name)
+          puts ::CLI::UI.fmt("{{red:Credential not found:}} #{name}")
+          exit 1
+        end
+        # Check for dependent mappings
+        url_mappings = auth_manager.instance_variable_get(:@url_mappings) || []
+        dependent = url_mappings.select { |m| m[:credential_name] == cred_name }
+        if dependent.any? && !options[:force]
+          puts ::CLI::UI.fmt("{{red:Cannot delete}} - credential is used by #{dependent.size} URL mapping(s)")
+          puts 'Use --force to delete anyway'
+          exit 1
+        end
+        auth_manager.unregister_credential(cred_name)
+        puts ::CLI::UI.fmt("{{green:✓}} Credential '#{name}' deleted")
+      end
+      desc 'test NAME', 'Test a credential'
+      method_option :url, type: :string, desc: 'URL to test the credential against'
+      def test(name)
+        credential = auth_manager.get_credential(name.to_sym)
+        unless credential
+          puts ::CLI::UI.fmt("{{red:Credential not found:}} #{name}")
+          exit 1
+        end
+        print_header("Testing credential: #{name}")
+        puts
+        # Basic validation
+        begin
+          credential.to_h(resolve_env: true)
+          puts ::CLI::UI.fmt('  {{green:✓}} Basic validation passed')
+        rescue Legate::Auth::EnvironmentVariableNotFoundError => e
+          puts ::CLI::UI.fmt("  {{red:✗}} Environment variable not found: #{e.message}")
+          exit 1
+        end
+        # Type-specific validation
+        case credential.auth_type
+        when :api_key
+          api_key = credential[:api_key]
+          if api_key && !api_key.empty?
+            puts ::CLI::UI.fmt('  {{green:✓}} API key is present')
+          else
+            puts ::CLI::UI.fmt('  {{red:✗}} API key is empty')
+          end
+        when :oauth2, :oidc
+          client_id = credential[:client_id]
+          client_secret = credential[:client_secret]
+          puts client_id ? ::CLI::UI.fmt('  {{green:✓}} Client ID is present') : ::CLI::UI.fmt('  {{red:✗}} Client ID missing')
+          puts client_secret ? ::CLI::UI.fmt('  {{green:✓}} Client secret is present') : ::CLI::UI.fmt('  {{yellow:⚠}} Client secret not set')
+        when :google_service_account
+          begin
+            key_data = credential[:service_account_key]
+            parsed = JSON.parse(key_data)
+            required = %w[type project_id private_key_id private_key client_email client_id]
+            missing = required.reject { |f| parsed.key?(f) }
+            if missing.empty?
+              puts ::CLI::UI.fmt('  {{green:✓}} Service account key is valid JSON with all required fields')
+            else
+              puts ::CLI::UI.fmt("  {{red:✗}} Missing fields: #{missing.join(', ')}")
+            end
+          rescue JSON::ParserError
+            puts ::CLI::UI.fmt('  {{red:✗}} Service account key is not valid JSON')
+          end
+        end
+        puts
+        puts ::CLI::UI.fmt('{{green:Test complete}}')
+      end
+      private
+      def prompt_for(field)
+        print "#{field}: "
+        $stdin.gets.chomp
+      end
+    end
+    # URL mapping management subcommands
+    class AuthMappingCommands < BaseCommand
+      include AuthCommandHelpers
+      namespace 'auth:mappings'
+      desc 'list', 'List all URL-to-auth mappings'
+      def list
+        mappings = auth_manager.instance_variable_get(:@url_mappings) || []
+        if mappings.empty?
+          puts ::CLI::UI.fmt('{{yellow:No URL mappings registered.}}')
+          return
+        end
+        print_header("URL Mappings (#{mappings.size})")
+        puts
+        mappings.each_with_index do |mapping, idx|
+          pattern = mapping[:pattern].is_a?(Regexp) ? mapping[:pattern].source : mapping[:pattern].to_s
+          pattern_type = mapping[:pattern].is_a?(Regexp) ? 'regex' : 'string'
+          puts ::CLI::UI.fmt("  {{bold:[#{idx}]}} #{pattern} {{gray:(#{pattern_type})}}")
+          puts "       Scheme: #{mapping[:scheme_name]}, Credential: #{mapping[:credential_name]}"
+          puts
+        end
+      end
+      desc 'create', 'Create a new URL mapping'
+      method_option :pattern, type: :string, required: true, desc: 'URL pattern (string or regex)'
+      method_option :scheme, type: :string, required: true, desc: 'Scheme name to use'
+      method_option :credential, type: :string, required: true, desc: 'Credential name to use'
+      method_option :regex, type: :boolean, default: false, desc: 'Treat pattern as regex'
+      def create
+        scheme_name = options[:scheme].to_sym
+        cred_name = options[:credential].to_sym
+        unless auth_manager.get_scheme(scheme_name)
+          puts ::CLI::UI.fmt("{{red:Scheme not found:}} #{options[:scheme]}")
+          exit 1
+        end
+        unless auth_manager.get_credential(cred_name)
+          puts ::CLI::UI.fmt("{{red:Credential not found:}} #{options[:credential]}")
+          exit 1
+        end
+        pattern = if options[:regex]
+                    begin
+                      Regexp.new(options[:pattern])
+                    rescue RegexpError => e
+                      puts ::CLI::UI.fmt("{{red:Invalid regex:}} #{e.message}")
+                      exit 1
+                    end
+                  else
+                    options[:pattern]
+                  end
+        auth_manager.register_url_mapping(pattern, scheme_name, cred_name)
+        puts ::CLI::UI.fmt('{{green:✓}} URL mapping created successfully')
+      end
+      desc 'delete INDEX', 'Delete a URL mapping by index'
+      def delete(index)
+        idx = index.to_i
+        mappings = auth_manager.instance_variable_get(:@url_mappings) || []
+        if idx < 0 || idx >= mappings.size
+          puts ::CLI::UI.fmt("{{red:Invalid index:}} #{index} (valid range: 0-#{mappings.size - 1})")
+          exit 1
+        end
+        auth_manager.remove_url_mapping(idx)
+        puts ::CLI::UI.fmt("{{green:✓}} URL mapping [#{index}] deleted")
+      end
+    end
+    # Main auth commands class that registers subcommands
+    class AuthCommands < BaseCommand
+      namespace :auth
+      desc 'schemes SUBCOMMAND', 'Manage authentication schemes'
+      subcommand 'schemes', AuthSchemeCommands
+      desc 'credentials SUBCOMMAND', 'Manage authentication credentials'
+      subcommand 'credentials', AuthCredentialCommands
+      desc 'mappings SUBCOMMAND', 'Manage URL-to-auth mappings'
+      subcommand 'mappings', AuthMappingCommands
+      desc 'status', 'Show authentication system status'
+      def status
+        manager = Legate::Auth::Manager.instance
+        manager.load_from_store
+        schemes = manager.instance_variable_get(:@schemes) || {}
+        credentials = manager.instance_variable_get(:@credentials) || {}
+        mappings = manager.instance_variable_get(:@url_mappings) || []
+        puts ::CLI::UI.fmt('{{bold:Authentication System Status}}')
+        puts
+        puts ::CLI::UI.fmt("  Schemes:     {{cyan:#{schemes.size}}}")
+        puts ::CLI::UI.fmt("  Credentials: {{cyan:#{credentials.size}}}")
+        puts ::CLI::UI.fmt("  Mappings:    {{cyan:#{mappings.size}}}")
+        puts
+        puts ::CLI::UI.fmt('  {{gray:Scheme types:}} ' + schemes.values.map(&:scheme_type).uniq.join(', ')) if schemes.any?
+        return unless credentials.any?
+        puts ::CLI::UI.fmt('  {{gray:Credential types:}} ' + credentials.values.map(&:auth_type).uniq.join(', '))
+      end
+    end
+  end
+end

data/lib/legate/cli/base_command.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# File: lib/legate/cli/base_command.rb
+# frozen_string_literal: true
+require 'thor'
+module Legate
+  module CLI
+    # Base class for every Legate CLI command group.
+    #
+    # Thor 1.5 ships a built-in `tree` command on the base Thor class. Left
+    # alone it leaks into help output namespaced by the implementation class
+    # (e.g. `legate tool_commands tree`), which looks like a bug. We hide it
+    # here once so all command groups inherit clean help output.
+    class BaseCommand < Thor
+      # The method body is intentionally a bare `super`: redefining `tree` here
+      # is what lets the preceding `hide: true` take effect, suppressing Thor's
+      # inherited (visible) command without changing its behavior.
+      desc 'tree', 'Print a tree of all available commands', hide: true
+      def tree # rubocop:disable Lint/UselessMethodDefinition
+        super
+      end
+    end
+  end
+end