legionio 1.4.103 → 1.4.105

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f036f54d059c1cdf1660a1ae08ed95b1fe97404d509123574508b9a6b36a1674
-  data.tar.gz: 616cacd65849dcdf73095f946df27c1afd9af68f9ee5f1b292ef53ee06f4554c
+  metadata.gz: bc07c77ea1337b17cf9a4be55e6469e9273beaa182e11aa7afac08405fe70275
+  data.tar.gz: e1666f8f6255c3a5cfd418357435fc407d5261be55621ae2cd875e01590c8fb0
 SHA512:
-  metadata.gz: 6681f51110762da3d76aa93b1e1ee2a92814c22e101842ef588f3a4d9492f585bdbf9bb4244df59c320c89d0dc992e17ba388b2ad56015a533fd7dec5411d378
-  data.tar.gz: ef6398f327e82cc91396d26fc855a6472eff22ee5f12e3ad225fbbbc06ee6df92912ef5c376dc9c0c838e0b6108bb3dbc7066f0372c820bb8e740d677fa70923
+  metadata.gz: 893094d33f99257ec0c2066a77cb680bc44ad6bb952e0ac7fa8a2099729b2a9643043e02bbb07bf7f638e9e0f22f101c35527e3c15578c241aa796ec241b85d8
+  data.tar.gz: 59400eb852207387b9f7df6d22f2f3668ae52a2d5b578e935a11277622029096f51184f8212b7a13cb18a7f733067c652c57d6b09f0e3f6bd1ffc53cbce283f8

data/.rubocop.yml

@@ -43,7 +43,9 @@ Metrics/BlockLength:
     - 'lib/legion/cli/detect_command.rb'
     - 'lib/legion/cli/prompt_command.rb'
     - 'lib/legion/cli/image_command.rb'
+    - 'lib/legion/cli/notebook_command.rb'
     - 'lib/legion/api/acp.rb'
+    - 'lib/legion/api/auth_saml.rb'
 
 Metrics/AbcSize:
   Max: 60

data/CHANGELOG.md

@@ -1,5 +1,37 @@
 # Legion Changelog
 
+## [1.4.105] - 2026-03-21
+
+### Added
+- `Legion::API::Routes::AuthSaml` — SAML 2.0 SP authentication flow
+- `GET /api/auth/saml/metadata` — generates SP metadata XML (delegates to `OneLogin::RubySaml::Metadata`)
+- `GET /api/auth/saml/login` — initiates IdP redirect via `OneLogin::RubySaml::Authrequest`
+- `POST /api/auth/saml/acs` — validates SAML assertion, extracts claims (nameid, email, displayName, groups), maps groups to Legion RBAC roles, and issues a Legion JWT
+- Routes are only registered when `OneLogin::RubySaml` is defined and `auth.saml.enabled` is true
+- Claims mapping delegates to `Legion::Rbac::ClaimsMapper.groups_to_roles` when available, falls back to `['worker']`
+- Configuration via `Legion::Settings.dig(:auth, :saml)` — keys: `idp_sso_url`, `idp_cert`, `sp_entity_id`, `sp_acs_url`, `group_map`, `default_role`, `want_assertions_signed`, `want_assertions_encrypted`
+- `Legion::Registry` review workflow: `submit_for_review`, `approve`, `reject`, `deprecate`, `pending_reviews`, `usage_stats` class methods
+- `Legion::Registry::Entry` gains `status`, `review_notes`, `reject_reason`, `successor`, `sunset_date`, and timestamp fields; `deprecated?` and `pending_review?` predicates
+- `legion marketplace submit NAME` — submit extension for review
+- `legion marketplace review` — list extensions pending review
+- `legion marketplace approve NAME [--notes TEXT]` — approve an extension
+- `legion marketplace reject NAME [--reason TEXT]` — reject an extension
+- `legion marketplace deprecate NAME [--successor NAME] [--sunset-date DATE]` — mark extension as deprecated
+- `legion marketplace stats NAME` — show usage statistics (install count, active instances, downloads)
+- `Legion::API::Routes::Marketplace` — full REST API: `GET /api/marketplace`, `GET /api/marketplace/:name`, `POST /api/marketplace/:name/submit`, `POST /api/marketplace/:name/approve`, `POST /api/marketplace/:name/reject`, `POST /api/marketplace/:name/deprecate`, `GET /api/marketplace/:name/stats`
+- 123 new specs across registry, CLI, and API layers
+
+## [1.4.104] - 2026-03-21
+
+### Added
+- `legion notebook read PATH` — parse and display a .ipynb notebook with Rouge syntax highlighting
+- `legion notebook cells PATH` — list all cells with index numbers and line counts
+- `legion notebook export PATH --format md|script` — export notebook to markdown or Python script
+- `legion notebook create PATH --description "..."` — generate a new notebook from natural language via LLM (requires legion-llm)
+- `Legion::Notebook::Parser` — parse .ipynb JSON into structured data (metadata, kernel, language, cells with outputs)
+- `Legion::Notebook::Renderer` — display notebook cells in terminal with Rouge syntax highlighting
+- `Legion::Notebook::Generator` — generate notebooks from natural language; strips LLM markdown fences; validates .ipynb structure
+
 ## [1.4.103] - 2026-03-21
 
 ### Added

data/lib/legion/api/auth_saml.rb

@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module AuthSaml
+        def self.registered(app)
+          return unless saml_enabled?
+
+          app.helpers do
+            define_method(:saml_settings) { Routes::AuthSaml.build_saml_settings }
+          end
+
+          register_metadata(app)
+          register_login(app)
+          register_acs(app)
+        end
+
+        def self.saml_enabled?
+          return false unless defined?(OneLogin::RubySaml)
+
+          cfg = resolve_saml_config
+          cfg.is_a?(Hash) && cfg[:enabled]
+        end
+
+        def self.resolve_saml_config
+          return {} unless defined?(Legion::Settings)
+
+          auth = Legion::Settings[:auth]
+          saml = auth.is_a?(Hash) ? auth[:saml] : nil
+          return saml if saml.is_a?(Hash)
+
+          {}
+        rescue StandardError
+          {}
+        end
+
+        def self.build_saml_settings
+          cfg = resolve_saml_config
+
+          settings                            = OneLogin::RubySaml::Settings.new
+          settings.idp_sso_service_url        = cfg[:idp_sso_url]
+          settings.idp_cert                   = cfg[:idp_cert]
+          settings.sp_entity_id               = cfg[:sp_entity_id]
+          settings.assertion_consumer_service_url = cfg[:sp_acs_url]
+          settings.name_identifier_format = cfg[:name_id_format] ||
+                                            'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+          settings.security[:authn_requests_signed]   = false
+          settings.security[:want_assertions_signed]  = cfg.fetch(:want_assertions_signed, true)
+          settings.security[:want_assertions_encrypted] = cfg.fetch(:want_assertions_encrypted, false)
+          settings
+        end
+
+        def self.register_metadata(app)
+          app.get '/api/auth/saml/metadata' do
+            halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)
+
+            meta = OneLogin::RubySaml::Metadata.new
+            content_type 'application/xml'
+            meta.generate(saml_settings, true)
+          end
+        end
+
+        def self.register_login(app)
+          app.get '/api/auth/saml/login' do
+            halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)
+
+            cfg = Routes::AuthSaml.resolve_saml_config
+            unless cfg[:idp_sso_url] && cfg[:sp_entity_id]
+              halt 500, json_error('saml_misconfigured', 'auth.saml.idp_sso_url and sp_entity_id are required',
+                                   status_code: 500)
+            end
+
+            auth_request = OneLogin::RubySaml::Authrequest.new
+            redirect auth_request.create(saml_settings)
+          end
+        end
+
+        def self.register_acs(app)
+          app.post '/api/auth/saml/acs' do
+            halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)
+
+            unless params['SAMLResponse']
+              halt 400, json_error('missing_saml_response', 'SAMLResponse parameter is required',
+                                   status_code: 400)
+            end
+
+            response = OneLogin::RubySaml::Response.new(
+              params['SAMLResponse'],
+              settings: saml_settings
+            )
+
+            unless response.is_valid?
+              errors = response.errors.join(', ')
+              halt 401, json_error('saml_invalid', "SAML assertion is invalid: #{errors}", status_code: 401)
+            end
+
+            claims = Routes::AuthSaml.extract_claims(response)
+            roles  = Routes::AuthSaml.map_roles(claims[:groups])
+
+            ttl   = 28_800
+            token = Legion::API::Token.issue_human_token(
+              msid:  claims[:nameid],
+              name:  claims[:display_name],
+              roles: roles,
+              ttl:   ttl
+            )
+
+            json_response({
+                            access_token: token,
+                            token_type:   'Bearer',
+                            expires_in:   ttl,
+                            roles:        roles,
+                            name:         claims[:display_name]
+                          })
+          end
+        end
+
+        def self.extract_claims(response)
+          attrs = response.attributes
+
+          email        = first_attr(attrs, 'email', 'mail', 'emailAddress',
+                                    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress')
+          display_name = first_attr(attrs, 'displayName', 'name',
+                                    'http://schemas.microsoft.com/identity/claims/displayname',
+                                    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name')
+          groups       = multi_attr(attrs, 'groups',
+                                    'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups')
+
+          {
+            nameid:       response.nameid,
+            email:        email,
+            display_name: display_name || email,
+            groups:       groups
+          }
+        end
+
+        def self.map_roles(groups)
+          if defined?(Legion::Rbac::ClaimsMapper) && Legion::Rbac::ClaimsMapper.respond_to?(:groups_to_roles)
+            cfg          = resolve_saml_config
+            group_map    = cfg[:group_map] || {}
+            default_role = cfg[:default_role] || 'worker'
+            Legion::Rbac::ClaimsMapper.groups_to_roles(groups, group_map: group_map, default_role: default_role)
+          else
+            ['worker']
+          end
+        end
+
+        class << self
+          private
+
+          def first_attr(attrs, *names)
+            names.each do |n|
+              v = safe_attr(attrs, n)
+              return v if v
+            end
+            nil
+          end
+
+          def multi_attr(attrs, *names)
+            names.each do |n|
+              v = attrs.multi(n)
+              return Array(v) if v
+            rescue StandardError
+              nil
+            end
+            []
+          end
+
+          def safe_attr(attrs, name)
+            attrs[name]
+          rescue StandardError
+            nil
+          end
+
+          private :register_metadata, :register_login, :register_acs
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/marketplace.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require 'date'
+require 'legion/registry'
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module Marketplace
+        module Helpers
+          def parse_sunset_date(date_str)
+            return nil if date_str.nil? || date_str.empty?
+
+            Date.parse(date_str.to_s)
+          rescue ArgumentError
+            nil
+          end
+        end
+
+        def self.registered(app)
+          app.helpers Helpers
+          register_collection(app)
+          register_member(app)
+          register_review_actions(app)
+          register_stats(app)
+        end
+
+        def self.register_collection(app)
+          app.get '/api/marketplace' do
+            query   = params[:q] || params[:query]
+            entries = query ? Legion::Registry.search(query) : Legion::Registry.all
+            entries = entries.select { |e| e.status.to_s == params[:status] } if params[:status]
+            entries = entries.select { |e| e.risk_tier == params[:tier] }     if params[:tier]
+
+            paginated = entries.slice((page_offset)..(page_offset + page_limit - 1)) || []
+            content_type :json
+            status 200
+            Legion::JSON.dump({
+                                data: paginated.map(&:to_h),
+                                meta: response_meta.merge(total: entries.size, limit: page_limit, offset: page_offset)
+                              })
+          end
+        end
+
+        def self.register_member(app)
+          app.get '/api/marketplace/:name' do
+            entry = Legion::Registry.lookup(params[:name])
+            unless entry
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: "Extension #{params[:name]} not found" } })
+            end
+
+            json_response(entry.to_h.merge(stats: Legion::Registry.usage_stats(params[:name])))
+          end
+        end
+
+        def self.register_review_actions(app) # rubocop:disable Metrics/AbcSize
+          app.post '/api/marketplace/:name/submit' do
+            begin
+              Legion::Registry.submit_for_review(params[:name])
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            json_response({ name: params[:name], status: 'pending_review' }, status_code: 202)
+          end
+
+          app.post '/api/marketplace/:name/approve' do
+            body = parse_request_body
+            begin
+              Legion::Registry.approve(params[:name], notes: body[:notes])
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            entry = Legion::Registry.lookup(params[:name])
+            json_response({ name: params[:name], status: 'approved', entry: entry.to_h })
+          end
+
+          app.post '/api/marketplace/:name/reject' do
+            body = parse_request_body
+            begin
+              Legion::Registry.reject(params[:name], reason: body[:reason])
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            entry = Legion::Registry.lookup(params[:name])
+            json_response({ name: params[:name], status: 'rejected', entry: entry.to_h })
+          end
+
+          app.post '/api/marketplace/:name/deprecate' do
+            body = parse_request_body
+            sunset = begin
+              body[:sunset_date] ? Date.parse(body[:sunset_date].to_s) : nil
+            rescue ArgumentError
+              nil
+            end
+            begin
+              Legion::Registry.deprecate(params[:name], successor: body[:successor], sunset_date: sunset)
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            entry = Legion::Registry.lookup(params[:name])
+            json_response({ name: params[:name], status: 'deprecated', entry: entry.to_h })
+          end
+        end
+
+        def self.register_stats(app)
+          app.get '/api/marketplace/:name/stats' do
+            data = Legion::Registry.usage_stats(params[:name])
+            unless data
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: "Extension #{params[:name]} not found" } })
+            end
+
+            json_response(data)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/api.rb

@@ -30,6 +30,7 @@ require_relative 'api/rbac'
 require_relative 'api/auth'
 require_relative 'api/auth_worker'
 require_relative 'api/auth_human'
+require_relative 'api/auth_saml'
 require_relative 'api/capacity'
 require_relative 'api/audit'
 require_relative 'api/metrics'
@@ -40,6 +41,7 @@ require_relative 'api/workflow'
 require_relative 'api/governance'
 require_relative 'api/acp'
 require_relative 'api/prompts'
+require_relative 'api/marketplace'
 
 module Legion
   class API < Sinatra::Base
@@ -114,6 +116,7 @@ module Legion
     register Routes::Auth
     register Routes::AuthWorker
     register Routes::AuthHuman
+    register Routes::AuthSaml
     register Routes::Capacity
     register Routes::Audit
     register Routes::Metrics
@@ -123,6 +126,7 @@ module Legion
     register Routes::Governance
     register Routes::Acp
     register Routes::Prompts
+    register Routes::Marketplace
 
     use Legion::API::Middleware::RequestLogger
     use Legion::Rbac::Middleware if defined?(Legion::Rbac::Middleware)

data/lib/legion/cli/marketplace_command.rb

@@ -9,70 +9,285 @@ module Legion
         true
       end
 
+      class_option :json,     type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+
+      # ──────────────────────────────────────────────────────────
+      # search
+      # ──────────────────────────────────────────────────────────
+
       desc 'search QUERY', 'Search extension registry'
       def search(query)
         require 'legion/registry'
+        out = formatter
         results = Legion::Registry.search(query)
+
         if results.empty?
-          say "No extensions found matching '#{query}'", :yellow
+          out.warn("No extensions found matching '#{query}'")
           return
         end
 
-        say "Found #{results.size} extension(s):", :green
-        results.each do |e|
-          status = e.approved? ? '[approved]' : "[#{e.airb_status}]"
-          say "  #{e.name.ljust(25)} #{e.version.to_s.ljust(10)} #{status} #{e.description}"
+        if options[:json]
+          out.json(results.map(&:to_h))
+        else
+          rows = results.map do |e|
+            status_label = e.approved? ? 'approved' : (e.status || e.airb_status).to_s
+            [e.name, e.version.to_s, status_label, (e.description || '')[0..60]]
+          end
+          out.table(%w[Name Version Status Description], rows)
         end
       end
 
+      # ──────────────────────────────────────────────────────────
+      # info
+      # ──────────────────────────────────────────────────────────
+
       desc 'info NAME', 'Show extension details'
       def info(name)
         require 'legion/registry'
+        out = formatter
         entry = Legion::Registry.lookup(name)
+
         unless entry
-          say "Extension '#{name}' not found", :red
+          out.error("Extension '#{name}' not found")
           return
         end
 
-        entry.to_h.each { |k, v| say "  #{k}: #{v}" }
+        if options[:json]
+          out.json(entry.to_h)
+        else
+          out.header("Extension: #{entry.name}")
+          out.spacer
+          out.detail(entry.to_h.compact)
+        end
       end
 
+      # ──────────────────────────────────────────────────────────
+      # list
+      # ──────────────────────────────────────────────────────────
+
       desc 'list', 'List all registered extensions'
       option :approved, type: :boolean, desc: 'Show only approved extensions'
-      option :tier, type: :string, desc: 'Filter by risk tier'
+      option :tier,     type: :string,  desc: 'Filter by risk tier'
+      option :status,   type: :string,  desc: 'Filter by review status'
       def list
         require 'legion/registry'
-        extensions = if options[:approved]
-                       Legion::Registry.approved
-                     elsif options[:tier]
-                       Legion::Registry.by_risk_tier(options[:tier])
-                     else
-                       Legion::Registry.all
-                     end
+        out = formatter
+        extensions = build_extension_list
 
         if extensions.empty?
-          say 'No extensions registered', :yellow
+          out.warn('No extensions registered')
           return
         end
 
-        say "#{extensions.size} extension(s):", :green
-        extensions.each do |e|
-          say "  #{e.name.ljust(25)} #{e.version.to_s.ljust(10)} [#{e.risk_tier}]"
+        if options[:json]
+          out.json(extensions.map(&:to_h))
+        else
+          rows = extensions.map { |e| [e.name, e.version.to_s, e.status.to_s, e.risk_tier] }
+          out.table(%w[Name Version Status Tier], rows)
+          puts "  #{extensions.size} extension(s)"
         end
       end
 
+      # ──────────────────────────────────────────────────────────
+      # scan
+      # ──────────────────────────────────────────────────────────
+
       desc 'scan NAME', 'Run security scan on extension'
       def scan(name)
         require 'legion/registry/security_scanner'
+        out = formatter
         scanner = Legion::Registry::SecurityScanner.new
-        result = scanner.scan(name: name)
+        result  = scanner.scan(name: name)
 
-        result[:checks].each do |check|
-          color = check[:status] == :fail ? :red : :green
-          say "  #{check[:check]}: #{check[:status]} - #{check[:details]}", color
+        if options[:json]
+          out.json(result)
+        else
+          result[:checks].each do |check|
+            color = check[:status] == :fail ? :critical : :nominal
+            puts "  #{out.colorize(check[:check].to_s.ljust(25), color)} #{check[:status]} - #{check[:details]}"
+          end
+          if result[:passed]
+            out.success('Scan PASSED')
+          else
+            out.error('Scan FAILED')
+          end
         end
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # submit
+      # ──────────────────────────────────────────────────────────
+
+      desc 'submit NAME', 'Submit extension for review'
+      def submit(name)
+        require 'legion/registry'
+        out = formatter
+
+        Legion::Registry.submit_for_review(name)
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'pending_review')
+        else
+          out.success("'#{name}' submitted for review")
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
 
-        say result[:passed] ? 'PASSED' : 'FAILED', result[:passed] ? :green : :red
+      # ──────────────────────────────────────────────────────────
+      # review
+      # ──────────────────────────────────────────────────────────
+
+      desc 'review', 'List extensions pending review'
+      def review
+        require 'legion/registry'
+        out = formatter
+        pending = Legion::Registry.pending_reviews
+
+        if pending.empty?
+          out.warn('No extensions pending review')
+          return
+        end
+
+        if options[:json]
+          out.json(pending.map(&:to_h))
+        else
+          rows = pending.map { |e| [e.name, e.version.to_s, e.author.to_s, e.submitted_at.to_s] }
+          out.table(%w[Name Version Author Submitted], rows)
+          puts "  #{pending.size} pending review(s)"
+        end
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # approve
+      # ──────────────────────────────────────────────────────────
+
+      desc 'approve NAME', 'Approve an extension'
+      option :notes, type: :string, desc: 'Reviewer notes'
+      def approve(name)
+        require 'legion/registry'
+        out = formatter
+
+        Legion::Registry.approve(name, notes: options[:notes])
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'approved')
+        else
+          out.success("'#{name}' approved")
+          out.detail({ 'Notes' => options[:notes] }) if options[:notes]
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # reject
+      # ──────────────────────────────────────────────────────────
+
+      desc 'reject NAME', 'Reject an extension'
+      option :reason, type: :string, desc: 'Rejection reason'
+      def reject(name)
+        require 'legion/registry'
+        out = formatter
+
+        Legion::Registry.reject(name, reason: options[:reason])
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'rejected')
+        else
+          out.success("'#{name}' rejected")
+          out.detail({ 'Reason' => options[:reason] }) if options[:reason]
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # deprecate
+      # ──────────────────────────────────────────────────────────
+
+      desc 'deprecate NAME', 'Mark an extension as deprecated'
+      option :successor,   type: :string, desc: 'Replacement extension name'
+      option :sunset_date, type: :string, desc: 'Sunset date (YYYY-MM-DD)'
+      def deprecate(name)
+        require 'legion/registry'
+        out = formatter
+
+        sunset = parse_sunset_date(options[:sunset_date])
+        Legion::Registry.deprecate(name, successor: options[:successor], sunset_date: sunset)
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'deprecated',
+                   successor: options[:successor], sunset_date: options[:sunset_date])
+        else
+          out.success("'#{name}' marked as deprecated")
+          detail_hash = {}
+          detail_hash['Successor']   = options[:successor]   if options[:successor]
+          detail_hash['Sunset Date'] = options[:sunset_date] if options[:sunset_date]
+          out.detail(detail_hash) unless detail_hash.empty?
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # stats
+      # ──────────────────────────────────────────────────────────
+
+      desc 'stats NAME', 'Show usage statistics for an extension'
+      def stats(name)
+        require 'legion/registry'
+        out = formatter
+        data = Legion::Registry.usage_stats(name)
+
+        unless data
+          out.error("Extension '#{name}' not found")
+          return
+        end
+
+        if options[:json]
+          out.json(data)
+        else
+          out.header("Usage Stats: #{name}")
+          out.spacer
+          out.detail({
+                       'Install Count'    => data[:install_count].to_s,
+                       'Active Instances' => data[:active_instances].to_s,
+                       'Downloads (7d)'   => data[:downloads_7d].to_s,
+                       'Downloads (30d)'  => data[:downloads_30d].to_s,
+                       'Last Updated'     => data[:last_updated].to_s
+                     })
+        end
+      end
+
+      no_commands do
+        def formatter
+          @formatter ||= Output::Formatter.new(
+            json:  options[:json],
+            color: !options[:no_color]
+          )
+        end
+
+        def build_extension_list
+          if options[:approved]
+            Legion::Registry.approved
+          elsif options[:tier]
+            Legion::Registry.by_risk_tier(options[:tier])
+          elsif options[:status]
+            Legion::Registry.all.select { |e| e.status.to_s == options[:status] }
+          else
+            Legion::Registry.all
+          end
+        end
+
+        def parse_sunset_date(date_str)
+          return nil if date_str.nil? || date_str.empty?
+
+          Date.parse(date_str)
+        rescue ArgumentError
+          nil
+        end
       end
     end
   end

data/lib/legion/cli/notebook_command.rb

@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 
 require 'thor'
+require 'json'
+require 'legion/cli/output'
+require 'legion/cli/error'
+require 'legion/cli/connection'
 
 module Legion
   module CLI
@@ -9,60 +13,207 @@ module Legion
         true
       end
 
-      desc 'read PATH', 'Read and display a Jupyter notebook'
+      class_option :json,       type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color,   type: :boolean, default: false, desc: 'Disable color output'
+      class_option :verbose,    type: :boolean, default: false, aliases: ['-V'], desc: 'Verbose logging'
+      class_option :config_dir, type: :string,                  desc: 'Config directory path'
+
+      desc 'read PATH', 'Parse and display a Jupyter notebook with syntax highlighting'
       def read(path)
-        nb = parse_notebook(path)
-        cells = nb['cells'] || []
-
-        cells.each_with_index do |cell, i|
-          type = cell['cell_type'] || 'unknown'
-          source = Array(cell['source']).join
-          say "--- Cell #{i + 1} [#{type}] ---", :yellow
-          say source
-          say ''
+        out = formatter
+        load_notebook(path, out)
+        color = !options[:no_color]
+
+        require 'legion/notebook/parser'
+        require 'legion/notebook/renderer'
+
+        parsed   = Legion::Notebook::Parser.parse(path)
+        rendered = Legion::Notebook::Renderer.render_notebook(parsed, color: color)
+
+        if options[:json]
+          out.json(cells: parsed[:cells].length, kernel: parsed[:kernel], path: path)
+        else
+          puts rendered
+          out.spacer
+          count = parsed[:cells].length
+          puts "#{count} cell#{'s' unless count == 1} total"
         end
-        say "#{cells.size} cells total", :green
+      rescue CLI::Error => e
+        formatter.error(e.message)
+        raise SystemExit, 1
       end
 
-      desc 'export PATH', 'Export notebook cells as markdown or script'
-      option :format, type: :string, default: 'markdown', enum: %w[markdown script]
-      def export(path)
-        nb = parse_notebook(path)
-        cells = nb['cells'] || []
-        lang = nb.dig('metadata', 'kernelspec', 'language') || 'python'
-
-        case options[:format]
-        when 'script'
-          cells.select { |c| c['cell_type'] == 'code' }.each do |cell|
-            say Array(cell['source']).join
-            say ''
+      desc 'cells PATH', 'List all cells with index numbers and types'
+      def cells(path)
+        out = formatter
+        load_notebook(path, out)
+
+        require 'legion/notebook/parser'
+
+        parsed = Legion::Notebook::Parser.parse(path)
+        color  = !options[:no_color]
+
+        if options[:json]
+          cell_list = parsed[:cells].each_with_index.map do |cell, i|
+            { index: i + 1, type: cell[:type], lines: cell[:source].lines.count }
           end
+          out.json(cells: cell_list, total: parsed[:cells].length)
         else
-          cells.each do |cell|
-            if cell['cell_type'] == 'code'
-              say "```#{lang}"
-              say Array(cell['source']).join
-              say '```'
+          parsed[:cells].each_with_index do |cell, i|
+            lines  = cell[:source].lines.count
+            plural = lines == 1 ? '' : 's'
+            label  = "  [#{(i + 1).to_s.rjust(2)}] #{cell[:type].to_s.ljust(8)}  #{lines} line#{plural}"
+            if color
+              type_color = cell[:type] == 'code' ? "\e[36m" : "\e[33m"
+              puts "#{type_color}#{label}\e[0m"
             else
-              say Array(cell['source']).join
+              puts label
             end
-            say ''
           end
+          out.spacer
+          puts "Total: #{parsed[:cells].length} cell#{'s' unless parsed[:cells].length == 1}"
         end
+      rescue CLI::Error => e
+        formatter.error(e.message)
+        raise SystemExit, 1
       end
 
-      private
+      desc 'export PATH', 'Export notebook to another format'
+      option :format, type: :string, default: 'md', enum: %w[md markdown script], desc: 'Export format: md or script'
+      option :output, type: :string, aliases: ['-o'], desc: 'Write to file instead of stdout'
+      def export(path)
+        out = formatter
+        load_notebook(path, out)
+
+        require 'legion/notebook/parser'
 
-      def parse_notebook(path)
-        unless File.exist?(path)
-          say "File not found: #{path}", :red
+        parsed = Legion::Notebook::Parser.parse(path)
+        lang   = parsed[:language]
+
+        content = case options[:format]
+                  when 'script'
+                    export_as_script(parsed[:cells], lang)
+                  else
+                    export_as_markdown(parsed[:cells], lang)
+                  end
+
+        if options[:output]
+          File.write(options[:output], content)
+          out.success("Exported to #{options[:output]}")
+        elsif options[:json]
+          out.json(content: content, format: options[:format], path: path)
+        else
+          puts content
+        end
+      rescue CLI::Error => e
+        formatter.error(e.message)
+        raise SystemExit, 1
+      end
+
+      desc 'create PATH', 'Generate a Jupyter notebook from a natural language description (requires legion-llm)'
+      option :description, type: :string, aliases: ['-d'], desc: 'What the notebook should do'
+      option :kernel,      type: :string, default: 'python3', desc: 'Kernel name (default: python3)'
+      option :model,       type: :string, aliases: ['-m'], desc: 'LLM model override'
+      option :provider,    type: :string, desc: 'LLM provider override'
+      def create(path)
+        out = formatter
+        setup_llm_connection(out)
+
+        require 'legion/notebook/generator'
+
+        description = options[:description]
+        if description.nil? || description.strip.empty?
+          out.error('--description is required for notebook creation')
           raise SystemExit, 1
         end
 
-        ::JSON.parse(File.read(path))
-      rescue ::JSON::ParserError => e
-        say "Invalid notebook format: #{e.message}", :red
+        out.success("Generating notebook: #{description}") unless options[:json]
+
+        notebook_data = Legion::Notebook::Generator.generate(
+          description: description,
+          kernel:      options[:kernel],
+          model:       options[:model],
+          provider:    options[:provider]
+        )
+
+        Legion::Notebook::Generator.write(path, notebook_data)
+        cell_count = Array(notebook_data['cells']).length
+
+        if options[:json]
+          out.json(path: path, cells: cell_count, kernel: options[:kernel])
+        else
+          out.success("Created #{path} (#{cell_count} cells)")
+        end
+      rescue ArgumentError, CLI::Error => e
+        formatter.error(e.message)
         raise SystemExit, 1
+      ensure
+        Connection.shutdown
+      end
+
+      no_commands do
+        def formatter
+          @formatter ||= Output::Formatter.new(
+            json:  options[:json],
+            color: !options[:no_color]
+          )
+        end
+
+        def setup_llm_connection(out)
+          Connection.config_dir = options[:config_dir] if options[:config_dir]
+          Connection.log_level  = options[:verbose] ? 'debug' : 'error'
+          Connection.ensure_llm
+        rescue CLI::Error => e
+          out.error(e.message)
+          raise SystemExit, 1
+        end
+
+        def load_notebook(path, out)
+          unless File.exist?(path)
+            out.error("File not found: #{path}")
+            raise SystemExit, 1
+          end
+
+          unless path.end_with?('.ipynb')
+            out.error("Expected a .ipynb file, got: #{File.basename(path)}")
+            raise SystemExit, 1
+          end
+
+          ::JSON.parse(File.read(path))
+        rescue ::JSON::ParserError => e
+          out.error("Invalid notebook JSON: #{e.message}")
+          raise SystemExit, 1
+        end
+
+        def export_as_markdown(cells, lang)
+          lines = []
+          cells.each do |cell|
+            if cell[:type] == 'code'
+              lines << "```#{lang}"
+              lines << cell[:source]
+              lines << '```'
+            else
+              lines << cell[:source]
+            end
+            lines << ''
+          end
+          lines.join("\n")
+        end
+
+        def export_as_script(cells, _lang)
+          lines = []
+          cells.each do |cell|
+            if cell[:type] == 'code'
+              lines << cell[:source]
+            else
+              cell[:source].each_line do |line|
+                lines << "# #{line.chomp}"
+              end
+            end
+            lines << ''
+          end
+          lines.join("\n")
+        end
       end
     end
   end

data/lib/legion/notebook/generator.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Legion
+  module Notebook
+    module Generator
+      NOTEBOOK_TEMPLATE = {
+        'nbformat'       => 4,
+        'nbformat_minor' => 5,
+        'metadata'       => {
+          'kernelspec'    => {
+            'display_name' => 'Python 3',
+            'language'     => 'python',
+            'name'         => 'python3'
+          },
+          'language_info' => {
+            'name' => 'python'
+          }
+        },
+        'cells'          => []
+      }.freeze
+
+      def self.generate(description:, kernel: 'python3', model: nil, provider: nil)
+        raise ArgumentError, 'legion-llm is required for notebook generation' unless defined?(Legion::LLM)
+
+        prompt = build_prompt(description, kernel)
+        response = call_llm(prompt, model: model, provider: provider)
+        parse_notebook_response(response)
+      end
+
+      def self.write(path, notebook_data)
+        File.write(path, ::JSON.pretty_generate(notebook_data))
+      end
+
+      def self.build_prompt(description, kernel)
+        <<~PROMPT
+          Generate a Jupyter notebook as valid JSON (.ipynb format) for the following task:
+
+          #{description}
+
+          Requirements:
+          - Use kernel: #{kernel}
+          - Include a markdown cell with a title and description at the top
+          - Include well-commented code cells
+          - Include markdown explanation cells between code sections
+          - Return ONLY the raw JSON, no markdown fences, no explanation
+
+          The JSON must follow the .ipynb format with these top-level keys:
+          nbformat, nbformat_minor, metadata, cells
+
+          Each cell must have: cell_type, metadata, source (array of strings), outputs (array), execution_count
+        PROMPT
+      end
+
+      def self.call_llm(prompt, model: nil, provider: nil)
+        kwargs = { messages: [{ role: 'user', content: prompt }] }
+        kwargs[:model]    = model           if model
+        kwargs[:provider] = provider.to_sym if provider
+        Legion::LLM.chat(**kwargs)
+      end
+
+      def self.parse_notebook_response(response)
+        content = response[:content].to_s.strip
+        # Strip markdown fences if the LLM wrapped the JSON
+        content = content.gsub(/\A```(?:json)?\n?/, '').gsub(/\n?```\z/, '').strip
+        data = ::JSON.parse(content)
+        validate_notebook!(data)
+        data
+      rescue ::JSON::ParserError => e
+        raise ArgumentError, "LLM returned invalid JSON: #{e.message}"
+      end
+
+      def self.validate_notebook!(data)
+        raise ArgumentError, 'Missing nbformat key'  unless data.key?('nbformat')
+        raise ArgumentError, 'Missing cells key'     unless data.key?('cells')
+        raise ArgumentError, 'cells must be an array' unless data['cells'].is_a?(Array)
+      end
+    end
+  end
+end

data/lib/legion/notebook/parser.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Legion
+  module Notebook
+    module Parser
+      def self.parse(path)
+        data = ::JSON.parse(File.read(path))
+        {
+          metadata: data['metadata'],
+          kernel:   data.dig('metadata', 'kernelspec', 'display_name'),
+          language: data.dig('metadata', 'kernelspec', 'language') || 'python',
+          cells:    Array(data['cells']).map { |c| parse_cell(c) }
+        }
+      end
+
+      def self.parse_cell(cell)
+        {
+          type:    cell['cell_type'],
+          source:  Array(cell['source']).join,
+          outputs: Array(cell.fetch('outputs', [])).map { |o| parse_output(o) }
+        }
+      end
+
+      def self.parse_output(output)
+        text = case output['output_type']
+               when 'execute_result', 'display_data'
+                 data = output.fetch('data', {})
+                 Array(data.fetch('text/plain', [])).join
+               when 'error'
+                 "#{output['ename']}: #{output['evalue']}"
+               else
+                 Array(output.fetch('text', [])).join
+               end
+
+        {
+          output_type: output['output_type'],
+          text:        text
+        }
+      end
+    end
+  end
+end

data/lib/legion/notebook/renderer.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Legion
+  module Notebook
+    module Renderer
+      RESET  = "\e[0m"
+      BOLD   = "\e[1m"
+      DIM    = "\e[2m"
+      YELLOW = "\e[33m"
+      CYAN   = "\e[36m"
+      GREEN  = "\e[32m"
+      RED    = "\e[31m"
+      RULE   = "\e[2m#{'─' * 60}\e[0m".freeze
+
+      def self.render_notebook(notebook, color: true)
+        lines = []
+        kernel = notebook[:kernel]
+        lines << (color ? "#{BOLD}#{CYAN}Kernel: #{kernel}#{RESET}" : "Kernel: #{kernel}") if kernel
+
+        notebook[:cells].each_with_index do |cell, idx|
+          lines << ''
+          lines << render_cell_header(idx + 1, cell[:type], color)
+          lines << render_cell_source(cell, notebook[:language], color)
+          lines += render_cell_outputs(cell[:outputs], color) unless cell[:outputs].empty?
+        end
+
+        lines.join("\n")
+      end
+
+      def self.render_cell_header(index, type, color)
+        label = "[#{type}] Cell #{index}"
+        color ? "#{BOLD}#{YELLOW}#{label}#{RESET}" : label
+      end
+
+      def self.render_cell_source(cell, language, color)
+        return '' if cell[:source].empty?
+
+        if cell[:type] == 'code'
+          highlight(cell[:source], language, color)
+        else
+          color ? "#{DIM}#{cell[:source]}#{RESET}" : cell[:source]
+        end
+      end
+
+      def self.render_cell_outputs(outputs, color)
+        outputs.filter_map do |output|
+          next if output[:text].to_s.strip.empty?
+
+          prefix = color ? "#{DIM}  => " : '  => '
+          suffix = color ? RESET : ''
+          "#{prefix}#{output[:text].strip}#{suffix}"
+        end
+      end
+
+      def self.highlight(code, language, color)
+        return code unless color
+
+        begin
+          require 'rouge'
+          lexer     = Rouge::Lexer.find(language.to_s) || Rouge::Lexers::PlainText.new
+          formatter = Rouge::Formatters::Terminal256.new(Rouge::Themes::Monokai.new)
+          formatter.format(lexer.lex(code))
+        rescue LoadError
+          code
+        end
+      end
+
+      def self.rule(color)
+        color ? RULE : ('-' * 60)
+      end
+    end
+  end
+end

data/lib/legion/registry.rb

@@ -2,24 +2,37 @@
 
 module Legion
   module Registry
+    VALID_STATUSES = %i[pending_review approved rejected deprecated sunset active].freeze
+
     class Entry
       ATTRS = %i[name version author risk_tier permissions airb_status
-                 description homepage checksum capabilities].freeze
+                 description homepage checksum capabilities
+                 status review_notes reject_reason successor sunset_date
+                 submitted_at approved_at rejected_at deprecated_at].freeze
 
       attr_reader(*ATTRS)
 
       def initialize(**attrs)
         ATTRS.each { |a| instance_variable_set(:"@#{a}", attrs[a]) }
-        @risk_tier ||= 'low'
+        @risk_tier   ||= 'low'
         @airb_status ||= 'pending'
         @capabilities ||= []
-        @permissions ||= []
+        @permissions  ||= []
+        @status       ||= :active
       end
 
       def approved?
         airb_status == 'approved'
       end
 
+      def deprecated?
+        %i[deprecated sunset].include?(status)
+      end
+
+      def pending_review?
+        status == :pending_review
+      end
+
       def to_h
         ATTRS.to_h { |a| [a, send(a)] }
       end
@@ -62,11 +75,79 @@ module Legion
         @store = {}
       end
 
+      # Review workflow
+
+      def submit_for_review(name)
+        entry = find_or_raise(name)
+        update_entry(name, entry, status: :pending_review, submitted_at: Time.now.utc)
+        true
+      end
+
+      def approve(name, notes: nil)
+        entry = find_or_raise(name)
+        update_entry(name, entry,
+                     status:       :approved,
+                     airb_status:  'approved',
+                     review_notes: notes,
+                     approved_at:  Time.now.utc)
+        true
+      end
+
+      def reject(name, reason: nil)
+        entry = find_or_raise(name)
+        update_entry(name, entry,
+                     status:        :rejected,
+                     reject_reason: reason,
+                     rejected_at:   Time.now.utc)
+        true
+      end
+
+      def deprecate(name, successor: nil, sunset_date: nil)
+        entry = find_or_raise(name)
+        update_entry(name, entry,
+                     status:        :deprecated,
+                     successor:     successor,
+                     sunset_date:   sunset_date,
+                     deprecated_at: Time.now.utc)
+        true
+      end
+
+      def pending_reviews
+        store.values.select(&:pending_review?)
+      end
+
+      def usage_stats(name)
+        entry = lookup(name.to_s)
+        return nil unless entry
+
+        {
+          name:             entry.name,
+          version:          entry.version,
+          install_count:    0,
+          active_instances: 0,
+          last_updated:     nil,
+          downloads_7d:     0,
+          downloads_30d:    0
+        }
+      end
+
       private
 
       def store
         @store ||= {}
       end
+
+      def find_or_raise(name)
+        entry = lookup(name.to_s)
+        raise ArgumentError, "Extension '#{name}' not found in registry" unless entry
+
+        entry
+      end
+
+      def update_entry(name, entry, **overrides)
+        attrs = entry.to_h.merge(overrides)
+        store[name.to_s] = Entry.new(**attrs)
+      end
     end
   end
 end

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.4.103'
+  VERSION = '1.4.105'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.4.103
+  version: 1.4.105
 platform: ruby
 authors:
 - Esity
@@ -357,6 +357,7 @@ files:
 - lib/legion/api/audit.rb
 - lib/legion/api/auth.rb
 - lib/legion/api/auth_human.rb
+- lib/legion/api/auth_saml.rb
 - lib/legion/api/auth_worker.rb
 - lib/legion/api/capacity.rb
 - lib/legion/api/catalog.rb
@@ -370,6 +371,7 @@ files:
 - lib/legion/api/hooks.rb
 - lib/legion/api/lex.rb
 - lib/legion/api/llm.rb
+- lib/legion/api/marketplace.rb
 - lib/legion/api/metrics.rb
 - lib/legion/api/middleware/api_version.rb
 - lib/legion/api/middleware/auth.rb
@@ -609,6 +611,9 @@ files:
 - lib/legion/isolation.rb
 - lib/legion/lex.rb
 - lib/legion/metrics.rb
+- lib/legion/notebook/generator.rb
+- lib/legion/notebook/parser.rb
+- lib/legion/notebook/renderer.rb
 - lib/legion/process.rb
 - lib/legion/readiness.rb
 - lib/legion/registry.rb