legion-settings 1.3.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b2fb957d328761484c232467b3f37dfea86359a31726a6f3910e2e02838e3977
-  data.tar.gz: f10dcf26575430c481b466ebf490e3331d2d1c8ba841b438ca15560c8554c965
+  metadata.gz: cb0e2c44578e9e5b6cbb495c5160e1a37c067ea5692979e50e89494d33da9888
+  data.tar.gz: ebca4fdb1fb58e2fa315620209ccbe5f5302057a7dc0d4a256f9689ea8d5d8b0
 SHA512:
-  metadata.gz: b69cabe6c5265040c40791eb9b0c9c284c42438b11b9c146113b57fa9dc6c87d4c28072a3ce569cf9a5f34d3151bac4adaf8ed0a923fd8cecbcf40b8aae6103c
-  data.tar.gz: cbeaf56feeaca1cb4a02fdf76cf501e82d5619d489228570ec0906033e437249e3d85e98db652072c73b145bb80162f66f206dc6e1b0c79266606b7e647bf922
+  metadata.gz: 738f2ced6bf58fcb2d9ad4fca307d63abea4241bd6c5e788ff3ee47346f8f1054fd1cceb94d86e2f393f7985a0a835076513b94de730a89e9e233d923d5c1775
+  data.tar.gz: ac60c369c84bd0dcb53b84f5fcdf9440fcd25ea00d15bb32386b67a4b999ceead7dde040fa66de53c9e6b06a5e99628b674923d0503dcbbe945a5b30a7d88bb6

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Legion::Settings Changelog
 
+## [1.3.1] - 2026-03-16
+
+### Added
+- `lease://name#key` URI scheme in secret resolver for dynamic Vault leases
+- Delegates to `Legion::Crypt::LeaseManager` for lease data lookup
+- Registers reverse references for push-back on credential rotation
+
 ## [1.3.0] - 2026-03-16
 
 ### Added

data/CLAUDE.md

@@ -77,7 +77,7 @@ Legion::Settings (singleton module)
 | `spec/legion/settings/validation_error_spec.rb` | Error formatting tests |
 | `spec/legion/settings/integration_spec.rb` | End-to-end validation tests |
 | `spec/legion/settings/role_defaults_spec.rb` | Role profile default settings tests |
-| `spec/legion/settings/resolver_spec.rb` | Secret resolver tests (env://, vault://, fallback chains) |
+| `spec/legion/settings/resolver_spec.rb` | Secret resolver tests (env://, vault://, lease://, fallback chains) |
 
 ## Secret Resolution
 
@@ -87,8 +87,9 @@ Settings values can reference external secret sources using URI syntax. Resolved
 
 | Scheme | Format | Resolution |
 |--------|--------|------------|
-| `vault://` | `vault://path/to/secret#key` | `Legion::Crypt.read(path)[key]` |
+| `vault://` | `vault://path/to/secret#key` | `Legion::Crypt.read(path)[key]` (static KV secrets) |
 | `env://` | `env://ENV_VAR_NAME` | `ENV['ENV_VAR_NAME']` |
+| `lease://` | `lease://name#key` | `Legion::Crypt::LeaseManager.instance.fetch(name, key)` (dynamic Vault leases) |
 | *(plain string)* | `"guest"` | Returned as-is |
 
 ### Fallback Chains

data/README.md

@@ -28,11 +28,40 @@ Legion::Settings[:transport][:connection][:host]
 ### Config Paths (checked in order)
 
 1. `/etc/legionio/`
-2. `~/legionio/`
-3. `./settings/`
+2. `~/.legionio/settings/`
+3. `~/legionio/`
+4. `./settings/`
 
 Each Legion module registers its own defaults via `merge_settings` during startup.
 
+### Secret Resolution
+
+Settings values can reference external secret sources using URI syntax. Two schemes are supported:
+
+| Scheme | Format | Resolution |
+|--------|--------|------------|
+| `vault://` | `vault://path/to/secret#key` | Reads from HashiCorp Vault via `Legion::Crypt` |
+| `env://` | `env://ENV_VAR_NAME` | Reads from environment variable |
+
+Array values act as fallback chains — the first non-nil result wins:
+
+```json
+{
+  "transport": {
+    "connection": {
+      "password": ["vault://secret/data/rabbitmq#password", "env://RABBITMQ_PASSWORD", "guest"]
+    }
+  }
+}
+```
+
+Call `Legion::Settings.resolve_secrets!` to resolve all URIs in-place. In the LegionIO boot sequence this is called automatically after `Legion::Crypt.start`. The `env://` scheme works even when Vault is not connected.
+
+```ruby
+Legion::Settings.resolve_secrets!
+# All vault:// and env:// references are now replaced with their resolved values
+```
+
 ### Schema Validation
 
 Types are inferred automatically from default values. Optional constraints can be added:

data/lib/legion/settings/resolver.rb

@@ -3,9 +3,10 @@
 module Legion
   module Settings
     module Resolver
-      VAULT_PATTERN = %r{\Avault://(.+?)#(.+)\z}
-      ENV_PATTERN   = %r{\Aenv://(.+)\z}
-      URI_PATTERN   = %r{\A(?:vault|env)://}
+      VAULT_PATTERN  = %r{\Avault://(.+?)#(.+)\z}
+      ENV_PATTERN    = %r{\Aenv://(.+)\z}
+      LEASE_PATTERN  = %r{\Alease://(.+?)#(.+)\z}
+      URI_PATTERN    = %r{\A(?:vault|env|lease)://}
 
       module_function
 
@@ -18,6 +19,9 @@ module Legion
         vault_count = count_vault_refs(settings_hash)
         log_warn("Vault not connected — #{vault_count} vault:// reference(s) will not be resolved") if vault_count.positive? && !@vault_available
 
+        lease_count = count_lease_refs(settings_hash)
+        log_warn("LeaseManager not available — #{lease_count} lease:// reference(s) will not be resolved") if lease_count.positive? && !lease_manager_available?
+
         resolved = 0
         unresolved = 0
         walk(settings_hash, path: '') do |result|
@@ -51,6 +55,8 @@ module Legion
       def resolve_single(str)
         if (m = str.match(VAULT_PATTERN))
           resolve_vault(m[1], m[2])
+        elsif (m = str.match(LEASE_PATTERN))
+          resolve_lease(m[1], m[2])
         elsif (m = str.match(ENV_PATTERN))
           ENV.fetch(m[1], nil)
         else
@@ -112,6 +118,7 @@ module Legion
               block&.call(:unresolved)
             else
               hash[key] = resolved
+              register_lease_ref(value, current_path) if value.match?(LEASE_PATTERN)
               block&.call(:resolved)
             end
           when Array
@@ -123,6 +130,7 @@ module Legion
               block&.call(:unresolved)
             else
               hash[key] = resolved
+              register_lease_refs_from_chain(value, current_path)
               block&.call(:resolved)
             end
           end
@@ -145,10 +153,60 @@ module Legion
         data[key.to_sym] || data[key.to_s]
       end
 
+      def resolve_lease(name, key)
+        return nil unless lease_manager_available?
+
+        Legion::Crypt::LeaseManager.instance.fetch(name, key)
+      rescue StandardError => e
+        log_debug("Settings resolver: lease fetch failed for #{name}##{key}: #{e.message}")
+        nil
+      end
+
+      def lease_manager_available?
+        defined?(Legion::Crypt::LeaseManager)
+      rescue StandardError
+        false
+      end
+
       def resolvable_chain?(arr)
         arr.any? { |v| v.is_a?(String) && v.match?(URI_PATTERN) }
       end
 
+      def register_lease_ref(value, path_string)
+        return unless lease_manager_available?
+
+        m = value.match(LEASE_PATTERN)
+        return unless m
+
+        path_parts = path_string.split('.').map(&:to_sym)
+        Legion::Crypt::LeaseManager.instance.register_ref(m[1], m[2], path_parts)
+      rescue StandardError
+        nil
+      end
+
+      def register_lease_refs_from_chain(arr, path_string)
+        return unless lease_manager_available?
+
+        arr.each do |entry|
+          next unless entry.is_a?(String)
+
+          register_lease_ref(entry, path_string) if entry.match?(LEASE_PATTERN)
+        end
+      end
+
+      def count_lease_refs(hash)
+        return 0 unless hash.is_a?(Hash)
+
+        hash.sum do |_key, value|
+          case value
+          when String then value.match?(LEASE_PATTERN) ? 1 : 0
+          when Array  then value.count { |v| v.is_a?(String) && v.match?(LEASE_PATTERN) }
+          when Hash   then count_lease_refs(value)
+          else 0
+          end
+        end
+      end
+
       def log_info(message)
         if defined?(Legion::Logging)
           Legion::Logging.info(message)

data/lib/legion/settings/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Settings
-    VERSION = '1.3.0'
+    VERSION = '1.3.1'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-settings
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - Esity