legion-crypt 1.4.1 → 1.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13bcc3fe80b97d57f54b1e5449f0319865ee5b05c5402ce9a5f3b3a30f89ad88
-  data.tar.gz: 1ba4f54c017ec83868defedd3fe4d7a3659b5d84f3afa030722dce9d9bb1211c
+  metadata.gz: 755c4278bc3e6f3ba845f5d46ba61b753a19b9a4fc0212f9da9827e6fefe3ac2
+  data.tar.gz: '04585ab20ddb62568949ca90c33405b61bb477cd2750503944acadcf665925b9'
 SHA512:
-  metadata.gz: 6f120ed5f85a929fe22e750e482253550000888afbc6633c989df680c7acdc93673303014d911871642a48f66ab05e6899ab773319b1a195c64736eb052fc204
-  data.tar.gz: 8a4d154360dca522f05982d986eb28d25212038c7ca37e94253a4a1a89b03a9a51a15e46e2dedc77f382b5b7f84fcca3c8924332c9dae230858a3c154e3e8b15
+  metadata.gz: 53c5f43b6ab1ca2f0dad978a3cee6b1d3314b8aa57ffae077641d9882756f3a331b21258f3b45a9789639095facdff27baec911e6cbd066c7d2c2fc1058237bd
+  data.tar.gz: f3b542c8ca98c768ddfae7763da33ddc3638fd46dbb174abf037cd0baca348fa6127c4ad1d3efa46c86a943b2cd3d2c6f2df5d8d179e0a64a5b94d5b3ec4f35c

data/CHANGELOG.md

@@ -1,6 +1,21 @@
 # Legion::Crypt
 
-## [Unreleased]
+## [1.4.3] - 2026-03-17
+
+### Added
+- `Crypt::TLS`: mTLS configuration for RabbitMQ (Bunny) and PostgreSQL (Sequel) connections
+- `TLS.ssl_context` builds OpenSSL::SSL::SSLContext with TLS 1.2+ and VERIFY_PEER
+- `TLS.bunny_options` and `TLS.sequel_options` generate adapter-specific TLS option hashes
+- Configurable cert/key/ca paths via settings with sensible defaults
+
+## [1.4.2] - 2026-03-16
+
+### Added
+- `Legion::Crypt::Ed25519`: Ed25519 key generation, signing, verification, Vault key storage
+- `Legion::Crypt::PartitionKeys`: HKDF-based per-tenant key derivation with AES-256-GCM encrypt/decrypt
+- `Legion::Crypt::Erasure`: cryptographic erasure via Vault master key deletion with event emission
+- `Legion::Crypt::Attestation`: signed identity claims with Ed25519 signatures and freshness checking
+- Dependency: `ed25519` gem ~> 1.3
 
 ## [1.4.1] - 2026-03-16
 

data/CLAUDE.md

@@ -51,6 +51,10 @@ Legion::Crypt (singleton module)
 │   └── .worker_login  # Issue a Legion JWT and authenticate to Vault in one step
 │
 ├── VaultRenewer       # Background Vault token renewal thread
+├── Ed25519            # Ed25519 key generation, signing, verification, Vault storage
+├── PartitionKeys      # HKDF per-tenant key derivation, AES-256-GCM encrypt/decrypt
+├── Erasure            # Cryptographic erasure via Vault master key deletion
+├── Attestation        # Signed identity claims with Ed25519, freshness checking
 ├── LeaseManager       # Dynamic Vault lease lifecycle: fetch, cache, renew, rotate, push-back
 ├── MockVault          # In-memory Vault mock for local development mode
 ├── Settings           # Default crypt config
@@ -91,6 +95,7 @@ Legion::Crypt (singleton module)
 
 | Gem | Purpose |
 |-----|---------|
+| `ed25519` (~> 1.3) | Ed25519 key operations (pure Ruby) |
 | `jwt` (>= 2.7) | JSON Web Token encoding/decoding |
 | `vault` (>= 0.17) | HashiCorp Vault Ruby client |
 
@@ -110,6 +115,10 @@ Dev dependencies: `legion-logging`, `legion-settings`
 | `lib/legion/crypt/vault_renewer.rb` | Background Vault token renewal |
 | `lib/legion/crypt/lease_manager.rb` | Dynamic Vault lease lifecycle management |
 | `lib/legion/crypt/settings.rb` | Default configuration |
+| `lib/legion/crypt/ed25519.rb` | Ed25519 key generation, signing, verification, Vault storage |
+| `lib/legion/crypt/partition_keys.rb` | HKDF per-tenant key derivation with AES-256-GCM |
+| `lib/legion/crypt/erasure.rb` | Cryptographic erasure via Vault master key deletion |
+| `lib/legion/crypt/attestation.rb` | Signed identity claims with Ed25519 signatures |
 | `lib/legion/crypt/version.rb` | VERSION constant |
 
 ## Role in LegionIO

data/legion-crypt.gemspec

@@ -25,6 +25,7 @@ Gem::Specification.new do |spec|
     'rubygems_mfa_required' => 'true'
   }
 
+  spec.add_dependency 'ed25519', '~> 1.3'
   spec.add_dependency 'jwt', '>= 2.7'
   spec.add_dependency 'vault', '>= 0.17'
 end

data/lib/legion/crypt/attestation.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module Legion
+  module Crypt
+    module Attestation
+      class << self
+        def create(agent_id:, capabilities:, state:, private_key:)
+          claim = {
+            agent_id:     agent_id,
+            capabilities: Array(capabilities),
+            state:        state.to_s,
+            timestamp:    Time.now.utc.iso8601,
+            nonce:        SecureRandom.hex(16)
+          }
+
+          payload = Legion::JSON.dump(claim)
+          signature = Legion::Crypt::Ed25519.sign(payload, private_key)
+
+          { claim: claim, signature: signature.unpack1('H*'), payload: payload }
+        end
+
+        def verify(claim_hash:, signature_hex:, public_key:)
+          payload = Legion::JSON.dump(claim_hash)
+          signature = [signature_hex].pack('H*')
+          Legion::Crypt::Ed25519.verify(payload, signature, public_key)
+        end
+
+        def fresh?(claim_hash, max_age_seconds: 300)
+          timestamp = Time.parse(claim_hash[:timestamp])
+          Time.now.utc - timestamp < max_age_seconds
+        rescue StandardError
+          false
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/ed25519.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'ed25519'
+
+module Legion
+  module Crypt
+    module Ed25519
+      class << self
+        def generate_keypair
+          signing_key = ::Ed25519::SigningKey.generate
+          {
+            private_key:    signing_key.to_bytes,
+            public_key:     signing_key.verify_key.to_bytes,
+            public_key_hex: signing_key.verify_key.to_bytes.unpack1('H*')
+          }
+        end
+
+        def sign(message, private_key_bytes)
+          signing_key = ::Ed25519::SigningKey.new(private_key_bytes)
+          signing_key.sign(message)
+        end
+
+        def verify(message, signature, public_key_bytes)
+          verify_key = ::Ed25519::VerifyKey.new(public_key_bytes)
+          verify_key.verify(signature, message)
+          true
+        rescue ::Ed25519::VerifyError
+          false
+        end
+
+        def store_keypair(agent_id:, keypair: nil)
+          keypair ||= generate_keypair
+          vault_path = "#{key_prefix}/#{agent_id}"
+          if defined?(Legion::Crypt::Vault)
+            Legion::Crypt::Vault.write(vault_path, {
+                                         private_key: keypair[:private_key].unpack1('H*'),
+                                         public_key:  keypair[:public_key_hex]
+                                       })
+          end
+          keypair
+        end
+
+        def load_private_key(agent_id:)
+          vault_path = "#{key_prefix}/#{agent_id}"
+          data = Legion::Crypt::Vault.read(vault_path)
+          [data[:private_key]].pack('H*') if data&.dig(:private_key)
+        rescue StandardError
+          nil
+        end
+
+        private
+
+        def key_prefix
+          begin
+            Legion::Settings[:crypt][:ed25519][:vault_key_prefix]
+          rescue StandardError
+            nil
+          end || 'secret/data/legion/keys'
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/erasure.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Legion
+  module Crypt
+    module Erasure
+      class << self
+        def erase_tenant(tenant_id:)
+          key_path = "#{tenant_prefix}/#{tenant_id}/master_key"
+
+          delete_vault_key(key_path) if defined?(Legion::Crypt::Vault)
+          Legion::Events.emit('crypt.tenant_erased', { tenant_id: tenant_id, erased_at: Time.now.utc }) if defined?(Legion::Events)
+          Legion::Logging.warn "[crypt] Tenant #{tenant_id} cryptographically erased" if defined?(Legion::Logging)
+
+          { erased: true, tenant_id: tenant_id, path: key_path }
+        rescue StandardError => e
+          { erased: false, tenant_id: tenant_id, error: e.message }
+        end
+
+        def verify_erasure(tenant_id:)
+          key_path = "#{tenant_prefix}/#{tenant_id}/master_key"
+          data = Legion::Crypt::Vault.read(key_path)
+          { erased: data.nil?, tenant_id: tenant_id }
+        rescue StandardError
+          { erased: true, tenant_id: tenant_id }
+        end
+
+        private
+
+        def delete_vault_key(path)
+          ::Vault.logical.delete(path)
+        end
+
+        def tenant_prefix
+          begin
+            Legion::Settings[:crypt][:partition_keys][:vault_tenant_prefix]
+          rescue StandardError
+            nil
+          end || 'secret/data/legion/tenants'
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/partition_keys.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Legion
+  module Crypt
+    module PartitionKeys
+      class << self
+        def derive_key(master_key:, tenant_id:, context: nil)
+          context ||= begin
+            Legion::Settings[:crypt][:partition_keys][:derivation_context]
+          rescue StandardError
+            nil
+          end || 'legion-partition'
+          salt = OpenSSL::Digest::SHA256.digest(tenant_id.to_s)
+          OpenSSL::KDF.hkdf(master_key, salt: salt, info: context, length: 32, hash: 'SHA256')
+        end
+
+        def encrypt_for_tenant(plaintext:, tenant_id:, master_key:)
+          key = derive_key(master_key: master_key, tenant_id: tenant_id)
+          cipher = OpenSSL::Cipher.new('aes-256-gcm')
+          cipher.encrypt
+          cipher.key = key
+          iv = cipher.random_iv
+          ciphertext = cipher.update(plaintext) + cipher.final
+          auth_tag = cipher.auth_tag
+
+          { ciphertext: ciphertext, iv: iv, auth_tag: auth_tag }
+        end
+
+        def decrypt_for_tenant(ciphertext:, init_vector:, auth_tag:, tenant_id:, master_key:)
+          key = derive_key(master_key: master_key, tenant_id: tenant_id)
+          decipher = OpenSSL::Cipher.new('aes-256-gcm')
+          decipher.decrypt
+          decipher.key = key
+          decipher.iv = init_vector
+          decipher.auth_tag = auth_tag
+          decipher.update(ciphertext) + decipher.final
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/tls.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Legion
+  module Crypt
+    module TLS
+      DEFAULT_CERT_DIR = '/etc/legion/tls'
+
+      class << self
+        def enabled?
+          settings_dig(:enabled) == true
+        end
+
+        def ssl_context(role: :client) # rubocop:disable Lint/UnusedMethodArgument
+          ctx = OpenSSL::SSL::SSLContext.new
+          ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
+          ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+          ctx.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path && File.exist?(cert_path)
+          ctx.key = OpenSSL::PKey.read(File.read(key_path)) if key_path && File.exist?(key_path)
+          ctx.ca_file = ca_path if ca_path && File.exist?(ca_path)
+
+          ctx
+        end
+
+        def bunny_options
+          return {} unless enabled?
+
+          {
+            tls:                 true,
+            tls_cert:            cert_path,
+            tls_key:             key_path,
+            tls_ca_certificates: [ca_path].compact,
+            verify_peer:         true
+          }
+        end
+
+        def sequel_options
+          return {} unless enabled?
+
+          {
+            sslmode:     'verify-full',
+            sslcert:     cert_path,
+            sslkey:      key_path,
+            sslrootcert: ca_path
+          }
+        end
+
+        def cert_path
+          settings_dig(:cert_path) || File.join(DEFAULT_CERT_DIR, 'legion.crt')
+        end
+
+        def key_path
+          settings_dig(:key_path) || File.join(DEFAULT_CERT_DIR, 'legion.key')
+        end
+
+        def ca_path
+          settings_dig(:ca_path) || File.join(DEFAULT_CERT_DIR, 'ca-bundle.crt')
+        end
+
+        private
+
+        def settings_dig(*keys)
+          return nil unless defined?(Legion::Settings)
+
+          result = Legion::Settings[:crypt]
+          [:tls, *keys].each do |key|
+            return nil unless result.is_a?(Hash)
+
+            result = result[key]
+          end
+          result
+        rescue StandardError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '1.4.1'
+    VERSION = '1.4.3'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.4.3
 platform: ruby
 authors:
 - Esity
@@ -9,6 +9,20 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: ed25519
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -57,13 +71,18 @@ files:
 - README.md
 - legion-crypt.gemspec
 - lib/legion/crypt.rb
+- lib/legion/crypt/attestation.rb
 - lib/legion/crypt/cipher.rb
 - lib/legion/crypt/cluster_secret.rb
+- lib/legion/crypt/ed25519.rb
+- lib/legion/crypt/erasure.rb
 - lib/legion/crypt/jwks_client.rb
 - lib/legion/crypt/jwt.rb
 - lib/legion/crypt/lease_manager.rb
 - lib/legion/crypt/mock_vault.rb
+- lib/legion/crypt/partition_keys.rb
 - lib/legion/crypt/settings.rb
+- lib/legion/crypt/tls.rb
 - lib/legion/crypt/vault.rb
 - lib/legion/crypt/vault_jwt_auth.rb
 - lib/legion/crypt/vault_renewer.rb