RubyGems - legionio - Versions diffs - 1.4.119 → 1.4.123 - Mend

legionio 1.4.119 → 1.4.123

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +31 -0
data/legionio.gemspec +1 -0
data/lib/legion/alerts.rb +7 -2
data/lib/legion/api/acp.rb +8 -4
data/lib/legion/api/audit.rb +11 -2
data/lib/legion/api/auth.rb +14 -2
data/lib/legion/api/auth_human.rb +32 -9
data/lib/legion/api/auth_saml.rb +6 -3
data/lib/legion/api/auth_worker.rb +20 -4
data/lib/legion/api/capacity.rb +11 -1
data/lib/legion/api/catalog.rb +6 -3
data/lib/legion/api/chains.rb +26 -6
data/lib/legion/api/coldstart.rb +16 -4
data/lib/legion/api/events.rb +2 -1
data/lib/legion/api/extensions.rb +6 -2
data/lib/legion/api/gaia.rb +8 -3
data/lib/legion/api/governance.rb +2 -1
data/lib/legion/api/graphql/resolvers/extensions.rb +4 -2
data/lib/legion/api/graphql/resolvers/node.rb +4 -2
data/lib/legion/api/graphql/resolvers/tasks.rb +4 -2
data/lib/legion/api/graphql/resolvers/workers.rb +4 -2
data/lib/legion/api/graphql.rb +3 -1
data/lib/legion/api/helpers.rb +4 -2
data/lib/legion/api/hooks.rb +19 -5
data/lib/legion/api/lex.rb +4 -1
data/lib/legion/api/llm.rb +54 -1
data/lib/legion/api/marketplace.rb +9 -3
data/lib/legion/api/middleware/auth.rb +13 -5
data/lib/legion/api/middleware/body_limit.rb +3 -0
data/lib/legion/api/middleware/rate_limit.rb +3 -1
data/lib/legion/api/middleware/tenant.rb +4 -1
data/lib/legion/api/org_chart.rb +2 -1
data/lib/legion/api/prompts.rb +11 -5
data/lib/legion/api/rbac.rb +17 -1
data/lib/legion/api/relationships.rb +5 -0
data/lib/legion/api/schedules.rb +12 -2
data/lib/legion/api/settings.rb +14 -3
data/lib/legion/api/tasks.rb +13 -3
data/lib/legion/api/transport.rb +17 -7
data/lib/legion/api/webhooks.rb +5 -1
data/lib/legion/api/workers.rb +28 -8
data/lib/legion/api/workflow.rb +2 -1
data/lib/legion/api.rb +2 -1
data/lib/legion/audit.rb +3 -2
data/lib/legion/capacity/model.rb +11 -2
data/lib/legion/catalog.rb +5 -1
data/lib/legion/chat/notification_bridge.rb +2 -1
data/lib/legion/cli/acp_command.rb +3 -1
data/lib/legion/cli/auth_command.rb +7 -1
data/lib/legion/cli/chat/agent_registry.rb +2 -1
data/lib/legion/cli/chat/checkpoint.rb +4 -2
data/lib/legion/cli/chat/context.rb +4 -3
data/lib/legion/cli/chat/extension_tool_loader.rb +4 -2
data/lib/legion/cli/chat/markdown_renderer.rb +2 -1
data/lib/legion/cli/chat/session.rb +2 -1
data/lib/legion/cli/chat/subagent.rb +6 -2
data/lib/legion/cli/chat/tool_registry.rb +4 -3
data/lib/legion/cli/chat/tools/edit_file.rb +1 -0
data/lib/legion/cli/chat/tools/read_file.rb +1 -0
data/lib/legion/cli/chat/tools/run_command.rb +3 -1
data/lib/legion/cli/chat/tools/save_memory.rb +1 -0
data/lib/legion/cli/chat/tools/search_content.rb +7 -3
data/lib/legion/cli/chat/tools/search_files.rb +1 -0
data/lib/legion/cli/chat/tools/search_memory.rb +1 -0
data/lib/legion/cli/chat/tools/spawn_agent.rb +1 -0
data/lib/legion/cli/chat/tools/web_search.rb +2 -0
data/lib/legion/cli/chat/tools/write_file.rb +1 -0
data/lib/legion/cli/chat/web_search.rb +4 -2
data/lib/legion/cli/chat_command.rb +21 -8
data/lib/legion/cli/check/privacy_check.rb +6 -3
data/lib/legion/cli/check_command.rb +4 -3
data/lib/legion/cli/coldstart_command.rb +4 -2
data/lib/legion/cli/config_command.rb +2 -1
data/lib/legion/cli/config_scaffold.rb +2 -1
data/lib/legion/cli/connection.rb +2 -2
data/lib/legion/cli/cost/data_client.rb +2 -1
data/lib/legion/cli/dashboard/data_fetcher.rb +2 -1
data/lib/legion/cli/dashboard_command.rb +1 -0
data/lib/legion/cli/detect_command.rb +2 -1
data/lib/legion/cli/doctor/bundle_check.rb +2 -1
data/lib/legion/cli/doctor/cache_check.rb +2 -1
data/lib/legion/cli/doctor/database_check.rb +2 -1
data/lib/legion/cli/doctor/extensions_check.rb +2 -1
data/lib/legion/cli/doctor/pid_check.rb +2 -1
data/lib/legion/cli/doctor/rabbitmq_check.rb +4 -2
data/lib/legion/cli/doctor/vault_check.rb +2 -1
data/lib/legion/cli/doctor_command.rb +1 -0
data/lib/legion/cli/error_handler.rb +9 -1
data/lib/legion/cli/gaia_command.rb +4 -2
data/lib/legion/cli/init/environment_detector.rb +4 -2
data/lib/legion/cli/lex_cli_manifest.rb +2 -1
data/lib/legion/cli/lex_command.rb +8 -4
data/lib/legion/cli/llm_command.rb +9 -5
data/lib/legion/cli/marketplace_command.rb +2 -1
data/lib/legion/cli/payroll_command.rb +3 -0
data/lib/legion/cli/plan_command.rb +2 -1
data/lib/legion/cli/setup_command.rb +8 -4
data/lib/legion/cli/start.rb +2 -1
data/lib/legion/cli/status.rb +2 -1
data/lib/legion/cli/task_command.rb +6 -3
data/lib/legion/cli/tty_command.rb +1 -0
data/lib/legion/cli/update_command.rb +4 -2
data/lib/legion/cli.rb +10 -4
data/lib/legion/cluster/leader.rb +2 -1
data/lib/legion/cluster/lock.rb +8 -4
data/lib/legion/context.rb +3 -0
data/lib/legion/digital_worker/lifecycle.rb +5 -1
data/lib/legion/digital_worker/registry.rb +7 -0
data/lib/legion/digital_worker/value_metrics.rb +2 -1
data/lib/legion/docs/site_generator.rb +8 -6
data/lib/legion/events.rb +3 -2
data/lib/legion/extensions/actors/every.rb +7 -1
data/lib/legion/extensions/actors/subscription.rb +9 -6
data/lib/legion/extensions/builders/actors.rb +2 -1
data/lib/legion/extensions/builders/routes.rb +1 -0
data/lib/legion/extensions/builders/runners.rb +1 -0
data/lib/legion/extensions/core.rb +11 -3
data/lib/legion/extensions/permissions.rb +6 -3
data/lib/legion/extensions/transport.rb +3 -1
data/lib/legion/extensions.rb +12 -6
data/lib/legion/graph/builder.rb +4 -1
data/lib/legion/graph/exporter.rb +2 -0
data/lib/legion/guardrails.rb +10 -3
data/lib/legion/ingress.rb +14 -2
data/lib/legion/lock.rb +8 -4
data/lib/legion/metrics.rb +2 -1
data/lib/legion/notebook/renderer.rb +2 -1
data/lib/legion/phi/access_log.rb +2 -1
data/lib/legion/phi/erasure.rb +4 -2
data/lib/legion/phi.rb +4 -2
data/lib/legion/process.rb +8 -2
data/lib/legion/process_role.rb +6 -1
data/lib/legion/readiness.rb +10 -4
data/lib/legion/region/failover.rb +2 -1
data/lib/legion/region.rb +14 -7
data/lib/legion/registry/governance.rb +2 -1
data/lib/legion/registry/persistence.rb +2 -1
data/lib/legion/runner/status.rb +8 -8
data/lib/legion/runner.rb +7 -3
data/lib/legion/service.rb +20 -6
data/lib/legion/telemetry/open_inference.rb +18 -9
data/lib/legion/telemetry/safety_metrics.rb +4 -2
data/lib/legion/telemetry.rb +16 -8
data/lib/legion/tenants.rb +2 -1
data/lib/legion/trace_search.rb +3 -0
data/lib/legion/version.rb +1 -1
data/lib/legion/webhooks.rb +17 -4
metadata +15 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac22c22ec64e117b1568d5569a2983e46fdc9aadb566642c05c35973fb29428a
-  data.tar.gz: e6b5a99eebc5b0de37a59ad9cebc4fd5e96b8fb125b1974faa64e2454e268907
+  metadata.gz: 6d78fc201a2601de3ce04849d24c9234c75bd77f6cdb3b46ca700f7cdd6fcc9f
+  data.tar.gz: 5746d467cb709dbf02837ebd2d4288dbe137d234c8f6e1e3b3445dcd899d3515
 SHA512:
-  metadata.gz: 789c1485afd78d006d6d9aad725e483c5b6fd467a952476a11e1db29ac8c710f9d80c7e8dce4ac0045627abc45defae5ae45ebe995d167b95ffa866897ae4979
-  data.tar.gz: 852f58359d4cb4beb1a1708f6d01f9423dc2d18e0d9f028493f2f018eaa5f999b87c564b8015d39004f08ff70e43e41ff92bfcb075fc28b8608281c702704fd8
+  metadata.gz: 106274f7798ddf16c3da87f2c0ba204e98c0f8c8d9dedf312376fc8cbde8dbac447306cfd76c6cb0a5e210a22db9304fc37f5e3305f1cd80d918514aad80b4b4
+  data.tar.gz: 54ebdc455f6f5f86a0564809a67d6f3edffc20b7c3f438956382d32bff16d2b3469f51d4a48c1a30c312edfe0ad2d81abacc4962a96e79e7669d652cb4644605

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,36 @@
 # Legion Changelog
+## [1.4.123] - 2026-03-22
+### Changed
+- Add logging to silent rescue blocks: all rescue blocks now capture the exception variable and emit `Legion::Logging.debug` or `.warn` calls so errors are visible in logs rather than silently swallowed
+## [1.4.122] - 2026-03-22
+### Added
+- GraphQL API via `graphql-ruby` gem: `POST /api/graphql` endpoint alongside existing REST API
+- Schema types: QueryType, WorkerType, TaskType, ExtensionType, TeamType with field-level resolvers
+- Resolver modules for workers, tasks, extensions, and teams (safe stubs with `defined?` guards)
+- 45 new specs for GraphQL schema, queries, and error handling
+## [1.4.121] - 2026-03-22
+### Added
+- Route `/api/llm/chat` through full Legion pipeline (Ingress -> RBAC -> Events -> Task -> Gateway metering -> LLM) when `lex-llm-gateway` is loaded
+- `gateway_available?` helper to detect gateway runner presence
+- Proper result extraction from `ingress_result[:result]` with support for RubyLLM response objects, error hashes, and plain strings
+- Error logging in async LLM rescue block (previously silent)
+## [1.4.120] - 2026-03-22
+### Added
+- Comprehensive logging throughout the framework: 55 files, 443 lines of `.info`, `.warn`, `.error`, `.debug` calls
+- API routes: every non-2xx response logs at warn (4xx) or error (5xx), every mutation logs at info, debug for request entry
+- Core framework: ingress, runner, extensions, actors, service lifecycle, readiness, events all log state transitions
+- Extension system: autobuild, actor hooking, transport setup, builder phases all log at debug/info
+- Digital worker lifecycle, capacity model, catalog, guardrails, webhooks, alerts, audit, telemetry all instrumented
+- CLI error handler logs matched patterns (warn) and unhandled errors (error)
 ## [1.4.119] - 2026-03-22
 ### Added

data/legionio.gemspec CHANGED Viewed

@@ -42,6 +42,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'concurrent-ruby', '>= 1.2'
   spec.add_dependency 'concurrent-ruby-ext', '>= 1.2'
   spec.add_dependency 'daemons', '>= 1.4'
+  spec.add_dependency 'graphql', '>= 2.0'
   spec.add_dependency 'oj', '>= 3.16'
   spec.add_dependency 'puma', '>= 6.0'
   spec.add_dependency 'rackup', '>= 2.0'

data/lib/legion/alerts.rb CHANGED Viewed

@@ -40,6 +40,8 @@ module Legion
         fired = []
         @rules.each do |rule|
           next unless event_matches?(event_name, rule.event_pattern)
+          Legion::Logging.debug "[Alerts] evaluating rule=#{rule.name} for event=#{event_name}" if defined?(Legion::Logging)
           next unless condition_met?(rule, event_name)
           next if in_cooldown?(rule)
@@ -81,12 +83,14 @@ module Legion
         alert = { rule: rule.name, event: event_name, severity: rule.severity,
                   payload: payload, fired_at: Time.now.utc }
+        Legion::Logging.info "[Alerts] alert fired: rule=#{rule.name} event=#{event_name} severity=#{rule.severity}" if defined?(Legion::Logging)
         (rule.channels || []).each do |channel|
           case channel.to_sym
           when :events
             Legion::Events.emit('alert.fired', alert) if defined?(Legion::Events)
           when :log
-            Legion::Logging.warn "[alert] #{rule.name}: #{event_name} (#{rule.severity})" if defined?(Legion::Logging)
+            Legion::Logging.warn "[Alerts] #{rule.name}: #{event_name} (#{rule.severity})" if defined?(Legion::Logging)
           when :webhook
             Legion::Webhooks.dispatch('alert.fired', alert) if defined?(Legion::Webhooks)
           end
@@ -113,7 +117,8 @@ module Legion
       def load_rules
         custom = begin
           Legion::Settings[:alerts][:rules]
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.debug "Alerts#load_rules failed to read settings: #{e.message}" if defined?(Legion::Logging)
           nil
         end
         custom && !custom.empty? ? custom : DEFAULT_RULES

data/lib/legion/api/acp.rb CHANGED Viewed

@@ -7,12 +7,14 @@ module Legion
         def build_agent_card
           name = begin
             Legion::Settings[:client][:name]
-          rescue StandardError
+          rescue StandardError => e
+            Legion::Logging.debug "Acp#build_agent_card failed to read client name: #{e.message}" if defined?(Legion::Logging)
             'legion'
           end
           port = begin
             settings.port || 4567
-          rescue StandardError
+          rescue StandardError => e
+            Legion::Logging.debug "Acp#build_agent_card failed to read port: #{e.message}" if defined?(Legion::Logging)
             4567
           end
           {
@@ -34,7 +36,8 @@ module Legion
           else
             []
           end
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.warn "Acp#discover_capabilities failed: #{e.message}" if defined?(Legion::Logging)
           []
         end
@@ -42,7 +45,8 @@ module Legion
           return nil unless defined?(Legion::Data)
           Legion::Data::Model::Task[id.to_i]&.values
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.warn "Acp#find_task failed for id=#{id}: #{e.message}" if defined?(Legion::Logging)
           nil
         end

data/lib/legion/api/audit.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Legion
   class API < Sinatra::Base
     module Routes
       module Audit
-        def self.registered(app)
+        def self.registered(app) # rubocop:disable Metrics/AbcSize
           app.get '/api/audit' do
             require_data!
             dataset = Legion::Data::Model::AuditLog.order(Sequel.desc(:id))
@@ -15,15 +15,24 @@ module Legion
             dataset = dataset.where { created_at >= Time.parse(params[:since]) } if params[:since]
             dataset = dataset.where { created_at <= Time.parse(params[:until]) } if params[:until]
             json_collection(dataset)
+          rescue StandardError => e
+            Legion::Logging.error "API GET /api/audit: #{e.class} — #{e.message}"
+            json_error('audit_error', e.message, status_code: 500)
           end
           app.get '/api/audit/verify' do
             require_data!
-            halt 503, json_error('unavailable', 'lex-audit is not loaded', status_code: 503) unless defined?(Legion::Extensions::Audit::Runners::Audit)
+            unless defined?(Legion::Extensions::Audit::Runners::Audit)
+              Legion::Logging.warn 'API GET /api/audit/verify returned 503: lex-audit is not loaded'
+              halt 503, json_error('unavailable', 'lex-audit is not loaded', status_code: 503)
+            end
             runner = Object.new.extend(Legion::Extensions::Audit::Runners::Audit)
             result = runner.verify
             json_response(result)
+          rescue StandardError => e
+            Legion::Logging.error "API GET /api/audit/verify: #{e.class} — #{e.message}"
+            json_error('audit_error', e.message, status_code: 500)
           end
         end
       end

data/lib/legion/api/auth.rb CHANGED Viewed

@@ -10,16 +10,21 @@ module Legion
         def self.register_token_exchange(app) # rubocop:disable Metrics/MethodLength
           app.post '/api/auth/token' do
+            Legion::Logging.debug "API: POST /api/auth/token params=#{params.keys}"
             body = parse_request_body
             grant_type = body[:grant_type]
             subject_token = body[:subject_token]
             unless grant_type == 'urn:ietf:params:oauth:grant-type:token-exchange'
+              Legion::Logging.warn "API POST /api/auth/token returned 400: unsupported grant_type=#{grant_type}"
               halt 400, json_error('unsupported_grant_type', 'expected urn:ietf:params:oauth:grant-type:token-exchange',
                                    status_code: 400)
             end
-            halt 400, json_error('missing_subject_token', 'subject_token is required', status_code: 400) unless subject_token
+            unless subject_token
+              Legion::Logging.warn 'API POST /api/auth/token returned 400: subject_token is required'
+              halt 400, json_error('missing_subject_token', 'subject_token is required', status_code: 400)
+            end
             unless defined?(Legion::Crypt::JWT) && Legion::Crypt::JWT.respond_to?(:verify_with_jwks)
               halt 501, json_error('jwks_validation_not_available', 'legion-crypt JWKS support not loaded',
@@ -28,7 +33,10 @@ module Legion
             rbac_settings = (Legion::Settings[:rbac].is_a?(Hash) && Legion::Settings[:rbac][:entra]) || {}
             tenant_id = rbac_settings[:tenant_id]
-            halt 500, json_error('entra_tenant_not_configured', 'rbac.entra.tenant_id not set', status_code: 500) unless tenant_id
+            unless tenant_id
+              Legion::Logging.error 'API POST /api/auth/token returned 500: rbac.entra.tenant_id not set'
+              halt 500, json_error('entra_tenant_not_configured', 'rbac.entra.tenant_id not set', status_code: 500)
+            end
             jwks_url = "https://login.microsoftonline.com/#{tenant_id}/discovery/v2.0/keys"
             issuer = "https://login.microsoftonline.com/#{tenant_id}/v2.0"
@@ -38,10 +46,13 @@ module Legion
                 subject_token, jwks_url: jwks_url, issuers: [issuer]
               )
             rescue Legion::Crypt::JWT::ExpiredTokenError
+              Legion::Logging.warn 'API POST /api/auth/token returned 401: Entra token has expired'
               halt 401, json_error('token_expired', 'Entra token has expired', status_code: 401)
             rescue Legion::Crypt::JWT::InvalidTokenError => e
+              Legion::Logging.warn "API POST /api/auth/token returned 401: #{e.message}"
               halt 401, json_error('invalid_token', e.message, status_code: 401)
             rescue Legion::Crypt::JWT::Error => e
+              Legion::Logging.error "API POST /api/auth/token returned 502: #{e.message}"
               halt 502, json_error('identity_provider_unavailable', e.message, status_code: 502)
             end
@@ -63,6 +74,7 @@ module Legion
               roles: mapped[:roles], ttl: ttl
             )
+            Legion::Logging.info "API: issued human token for sub=#{mapped[:sub]} roles=#{mapped[:roles]&.join(',')}"
             json_response({
                             access_token: token,
                             token_type:   'Bearer',

data/lib/legion/api/auth_human.rb CHANGED Viewed

@@ -20,7 +20,8 @@ module Legion
           return entra if entra.is_a?(Hash)
           {}
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.debug "AuthHuman#resolve_entra_settings failed: #{e.message}" if defined?(Legion::Logging)
           {}
         end
@@ -37,14 +38,18 @@ module Legion
           return nil unless response.is_a?(Net::HTTPSuccess)
           Legion::JSON.load(response.body)
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.warn "AuthHuman#exchange_code failed: #{e.message}" if defined?(Legion::Logging)
           nil
         end
         def self.register_authorize(app)
           app.get '/api/auth/authorize' do
             entra = Routes::AuthHuman.resolve_entra_settings
-            halt 500, json_error('entra_not_configured', 'Entra OAuth settings are missing', status_code: 500) unless entra[:tenant_id] && entra[:client_id]
+            unless entra[:tenant_id] && entra[:client_id]
+              Legion::Logging.error 'API GET /api/auth/authorize returned 500: Entra OAuth settings are missing'
+              halt 500, json_error('entra_not_configured', 'Entra OAuth settings are missing', status_code: 500)
+            end
             state = Legion::Crypt::JWT.issue(
               { nonce: SecureRandom.hex(16), purpose: 'oauth_state' },
@@ -63,27 +68,43 @@ module Legion
           end
         end
-        def self.register_callback(app) # rubocop:disable Metrics/AbcSize
+        def self.register_callback(app) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
           app.get '/api/auth/callback' do
             entra = Routes::AuthHuman.resolve_entra_settings
-            halt 500, json_error('entra_not_configured', 'Entra OAuth settings are missing', status_code: 500) unless entra[:tenant_id] && entra[:client_id]
+            unless entra[:tenant_id] && entra[:client_id]
+              Legion::Logging.error 'API GET /api/auth/callback returned 500: Entra OAuth settings are missing'
+              halt 500, json_error('entra_not_configured', 'Entra OAuth settings are missing', status_code: 500)
+            end
-            halt 400, json_error('oauth_error', params[:error_description] || params[:error], status_code: 400) if params[:error]
-            halt 400, json_error('missing_code', 'authorization code is required', status_code: 400) unless params[:code]
+            if params[:error]
+              Legion::Logging.warn "API GET /api/auth/callback returned 400: #{params[:error_description] || params[:error]}"
+              halt 400, json_error('oauth_error', params[:error_description] || params[:error], status_code: 400)
+            end
+            unless params[:code]
+              Legion::Logging.warn 'API GET /api/auth/callback returned 400: authorization code is required'
+              halt 400, json_error('missing_code', 'authorization code is required', status_code: 400)
+            end
             if params[:state]
               begin
                 Legion::Crypt::JWT.verify(params[:state])
               rescue Legion::Crypt::JWT::Error
+                Legion::Logging.warn 'API GET /api/auth/callback returned 400: CSRF state token is invalid or expired'
                 halt 400, json_error('invalid_state', 'CSRF state token is invalid or expired', status_code: 400)
               end
             end
             token_response = Routes::AuthHuman.exchange_code(entra, params[:code])
-            halt 502, json_error('token_exchange_failed', 'Failed to exchange code for tokens', status_code: 502) unless token_response
+            unless token_response
+              Legion::Logging.error 'API GET /api/auth/callback returned 502: Failed to exchange code for tokens'
+              halt 502, json_error('token_exchange_failed', 'Failed to exchange code for tokens', status_code: 502)
+            end
             id_token = token_response[:id_token] || token_response['id_token']
-            halt 502, json_error('no_id_token', 'Entra did not return an id_token', status_code: 502) unless id_token
+            unless id_token
+              Legion::Logging.error 'API GET /api/auth/callback returned 502: Entra did not return an id_token'
+              halt 502, json_error('no_id_token', 'Entra did not return an id_token', status_code: 502)
+            end
             jwks_url = "https://login.microsoftonline.com/#{entra[:tenant_id]}/discovery/v2.0/keys"
             issuer = "https://login.microsoftonline.com/#{entra[:tenant_id]}/v2.0"
@@ -91,6 +112,7 @@ module Legion
             begin
               claims = Legion::Crypt::JWT.verify_with_jwks(id_token, jwks_url: jwks_url, issuers: [issuer])
             rescue Legion::Crypt::JWT::Error => e
+              Legion::Logging.warn "API GET /api/auth/callback returned 401: #{e.message}"
               halt 401, json_error('invalid_id_token', e.message, status_code: 401)
             end
@@ -110,6 +132,7 @@ module Legion
               msid: mapped[:sub], name: mapped[:name], roles: mapped[:roles], ttl: ttl
             )
+            Legion::Logging.info "API: human OAuth callback issued token for sub=#{mapped[:sub]}"
             if request.env['HTTP_ACCEPT']&.include?('application/json')
               json_response({
                               access_token: token,

data/lib/legion/api/auth_saml.rb CHANGED Viewed

@@ -31,7 +31,8 @@ module Legion
           return saml if saml.is_a?(Hash)
           {}
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.debug "AuthSaml#resolve_saml_config failed: #{e.message}" if defined?(Legion::Logging)
           {}
         end
@@ -161,7 +162,8 @@ module Legion
             names.each do |n|
               v = attrs.multi(n)
               return Array(v) if v
-            rescue StandardError
+            rescue StandardError => e
+              Legion::Logging.debug "AuthSaml#multi_attr failed for attr=#{n}: #{e.message}" if defined?(Legion::Logging)
               nil
             end
             []
@@ -169,7 +171,8 @@ module Legion
           def safe_attr(attrs, name)
             attrs[name]
-          rescue StandardError
+          rescue StandardError => e
+            Legion::Logging.debug "AuthSaml#safe_attr failed for name=#{name}: #{e.message}" if defined?(Legion::Logging)
             nil
           end

data/lib/legion/api/auth_worker.rb CHANGED Viewed

@@ -8,18 +8,23 @@ module Legion
           register_worker_token_exchange(app)
         end
-        def self.register_worker_token_exchange(app) # rubocop:disable Metrics/MethodLength
+        def self.register_worker_token_exchange(app) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
           app.post '/api/auth/worker-token' do
+            Legion::Logging.debug "API: POST /api/auth/worker-token params=#{params.keys}"
             body = parse_request_body
             grant_type = body[:grant_type]
             entra_token = body[:entra_token]
             unless grant_type == 'client_credentials'
+              Legion::Logging.warn "API POST /api/auth/worker-token returned 400: unsupported grant_type=#{grant_type}"
               halt 400, json_error('unsupported_grant_type', 'grant_type must be client_credentials',
                                    status_code: 400)
             end
-            halt 400, json_error('missing_entra_token', 'entra_token is required', status_code: 400) unless entra_token
+            unless entra_token
+              Legion::Logging.warn 'API POST /api/auth/worker-token returned 400: entra_token is required'
+              halt 400, json_error('missing_entra_token', 'entra_token is required', status_code: 400)
+            end
             unless defined?(Legion::Crypt::JWT) && Legion::Crypt::JWT.respond_to?(:verify_with_jwks)
               halt 501, json_error('jwks_validation_not_available',
@@ -29,6 +34,7 @@ module Legion
             entra_settings = Routes::AuthWorker.resolve_entra_settings
             tenant_id = entra_settings[:tenant_id]
             unless tenant_id
+              Legion::Logging.error 'API POST /api/auth/worker-token returned 500: Entra tenant_id is not configured'
               halt 500, json_error('entra_tenant_not_configured',
                                    'Entra tenant_id is not configured', status_code: 500)
             end
@@ -41,25 +47,33 @@ module Legion
                 entra_token, jwks_url: jwks_url, issuers: [issuer]
               )
             rescue Legion::Crypt::JWT::ExpiredTokenError
+              Legion::Logging.warn 'API POST /api/auth/worker-token returned 401: Entra token has expired'
               halt 401, json_error('token_expired', 'Entra token has expired', status_code: 401)
             rescue Legion::Crypt::JWT::InvalidTokenError => e
+              Legion::Logging.warn "API POST /api/auth/worker-token returned 401: #{e.message}"
               halt 401, json_error('invalid_token', e.message, status_code: 401)
             rescue Legion::Crypt::JWT::Error => e
+              Legion::Logging.error "API POST /api/auth/worker-token returned 502: #{e.message}"
               halt 502, json_error('identity_provider_unavailable', e.message, status_code: 502)
             end
             app_id = claims[:appid] || claims[:azp] || claims['appid'] || claims['azp']
-            halt 401, json_error('invalid_token', 'missing appid claim', status_code: 401) unless app_id
+            unless app_id
+              Legion::Logging.warn 'API POST /api/auth/worker-token returned 401: missing appid claim'
+              halt 401, json_error('invalid_token', 'missing appid claim', status_code: 401)
+            end
             halt 503, json_error('data_unavailable', 'legion-data not connected', status_code: 503) unless defined?(Legion::Data::Model::DigitalWorker)
             worker = Legion::Data::Model::DigitalWorker.first(entra_app_id: app_id)
             unless worker
+              Legion::Logging.warn "API POST /api/auth/worker-token returned 404: no worker for entra_app_id=#{app_id}"
               halt 404, json_error('worker_not_found',
                                    "no worker registered for entra_app_id #{app_id}", status_code: 404)
             end
             unless worker.lifecycle_state == 'active'
+              Legion::Logging.warn "API POST /api/auth/worker-token returned 403: worker #{worker.worker_id} is in #{worker.lifecycle_state} state"
               halt 403, json_error('worker_not_active',
                                    "worker is in #{worker.lifecycle_state} state", status_code: 403)
             end
@@ -69,6 +83,7 @@ module Legion
               worker_id: worker.worker_id, owner_msid: worker.owner_msid, ttl: ttl
             )
+            Legion::Logging.info "API: issued worker token for worker_id=#{worker.worker_id}"
             json_response({
                             access_token: token,
                             token_type:   'Bearer',
@@ -91,7 +106,8 @@ module Legion
           return entra if entra.is_a?(Hash)
           {}
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.debug "AuthWorker#resolve_entra_settings failed: #{e.message}" if defined?(Legion::Logging)
           {}
         end

data/lib/legion/api/capacity.rb CHANGED Viewed

@@ -11,6 +11,9 @@ module Legion
             workers = Routes::Capacity.fetch_worker_list
             model = Legion::Capacity::Model.new(workers: workers)
             json_response(model.aggregate)
+          rescue StandardError => e
+            Legion::Logging.error "API GET /api/capacity: #{e.class} — #{e.message}"
+            json_error('capacity_error', e.message, status_code: 500)
           end
           app.get '/api/capacity/forecast' do
@@ -21,12 +24,18 @@ module Legion
               growth_rate: (params[:growth_rate] || 0).to_f
             )
             json_response(forecast)
+          rescue StandardError => e
+            Legion::Logging.error "API GET /api/capacity/forecast: #{e.class} — #{e.message}"
+            json_error('capacity_error', e.message, status_code: 500)
           end
           app.get '/api/capacity/workers' do
             workers = Routes::Capacity.fetch_worker_list
             model = Legion::Capacity::Model.new(workers: workers)
             json_response(model.per_worker_stats)
+          rescue StandardError => e
+            Legion::Logging.error "API GET /api/capacity/workers: #{e.class} — #{e.message}"
+            json_error('capacity_error', e.message, status_code: 500)
           end
         end
@@ -36,7 +45,8 @@ module Legion
           Legion::Data::Model::DigitalWorker.all.map do |w|
             { worker_id: w.worker_id, status: w.lifecycle_state }
           end
-        rescue StandardError
+        rescue StandardError => e
+          Legion::Logging.warn "Capacity#fetch_worker_list failed: #{e.message}" if defined?(Legion::Logging)
           []
         end
       end

data/lib/legion/api/catalog.rb CHANGED Viewed

@@ -45,7 +45,8 @@ module Legion
           read_paths:  declared[:read_paths],
           write_paths: declared[:write_paths]
         }
-      rescue StandardError
+      rescue StandardError => e
+        Legion::Logging.warn "API#build_catalog_permissions failed for #{name}: #{e.message}" if defined?(Legion::Logging)
         { sandbox: Legion::Extensions::Permissions.sandbox_path(name), read_paths: [], write_paths: [] }
       end
@@ -61,7 +62,8 @@ module Legion
             description: runner.values[:description]
           }]
         end
-      rescue StandardError
+      rescue StandardError => e
+        Legion::Logging.warn "API#build_catalog_runners failed for #{name}: #{e.message}" if defined?(Legion::Logging)
         {}
       end
@@ -74,7 +76,8 @@ module Legion
         matched.map do |_hash, pattern|
           { intent: pattern[:intent_text], tool_chain: pattern[:tool_chain], confidence: pattern[:confidence] }
         end
-      rescue StandardError
+      rescue StandardError => e
+        Legion::Logging.warn "API#build_catalog_known_intents failed for #{name}: #{e.message}" if defined?(Legion::Logging)
         []
       end
     end

data/lib/legion/api/chains.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Legion
   class API < Sinatra::Base
     module Routes
       module Chains
-        def self.registered(app)
+        def self.registered(app) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
           app.get '/api/chains' do
             require_data!
             halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501) unless Legion::Data::Model.const_defined?(:Chain)
@@ -13,42 +13,62 @@ module Legion
           end
           app.post '/api/chains' do
+            Legion::Logging.debug "API: POST /api/chains params=#{params.keys}"
             require_data!
-            halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501) unless Legion::Data::Model.const_defined?(:Chain)
+            unless Legion::Data::Model.const_defined?(:Chain)
+              Legion::Logging.warn 'API POST /api/chains returned 501: chain data model is not yet available'
+              halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501)
+            end
             body = parse_request_body
-            halt 422, json_error('missing_field', 'name is required', status_code: 422) unless body[:name]
+            unless body[:name]
+              Legion::Logging.warn 'API POST /api/chains returned 422: name is required'
+              halt 422, json_error('missing_field', 'name is required', status_code: 422)
+            end
             id = Legion::Data::Model::Chain.insert(body)
             record = Legion::Data::Model::Chain[id]
+            Legion::Logging.info "API: created chain #{id} (#{body[:name]})"
             json_response(record.values, status_code: 201)
           end
           app.get '/api/chains/:id' do
             require_data!
-            halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501) unless Legion::Data::Model.const_defined?(:Chain)
+            unless Legion::Data::Model.const_defined?(:Chain)
+              Legion::Logging.warn "API GET /api/chains/#{params[:id]} returned 501: chain data model is not yet available"
+              halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501)
+            end
             record = find_or_halt(Legion::Data::Model::Chain, params[:id])
             json_response(record.values)
           end
           app.put '/api/chains/:id' do
+            Legion::Logging.debug "API: PUT /api/chains/#{params[:id]} params=#{params.keys}"
             require_data!
-            halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501) unless Legion::Data::Model.const_defined?(:Chain)
+            unless Legion::Data::Model.const_defined?(:Chain)
+              Legion::Logging.warn "API PUT /api/chains/#{params[:id]} returned 501: chain data model is not yet available"
+              halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501)
+            end
             record = find_or_halt(Legion::Data::Model::Chain, params[:id])
             body = parse_request_body
             record.update(body)
             record.refresh
+            Legion::Logging.info "API: updated chain #{params[:id]}"
             json_response(record.values)
           end
           app.delete '/api/chains/:id' do
             require_data!
-            halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501) unless Legion::Data::Model.const_defined?(:Chain)
+            unless Legion::Data::Model.const_defined?(:Chain)
+              Legion::Logging.warn "API DELETE /api/chains/#{params[:id]} returned 501: chain data model is not yet available"
+              halt 501, json_error('not_implemented', 'chain data model is not yet available', status_code: 501)
+            end
             record = find_or_halt(Legion::Data::Model::Chain, params[:id])
             record.delete
+            Legion::Logging.info "API: deleted chain #{params[:id]}"
             json_response({ deleted: true })
           end
         end

data/lib/legion/api/coldstart.rb CHANGED Viewed

@@ -6,13 +6,23 @@ module Legion
       module Coldstart
         def self.registered(app)
           app.post '/api/coldstart/ingest' do
+            Legion::Logging.debug "API: POST /api/coldstart/ingest params=#{params.keys}"
             body = parse_request_body
             path = body[:path]
-            halt 422, json_error('missing_field', 'path is required', status_code: 422) if path.nil? || path.empty?
+            if path.nil? || path.empty?
+              Legion::Logging.warn 'API POST /api/coldstart/ingest returned 422: path is required'
+              halt 422, json_error('missing_field', 'path is required', status_code: 422)
+            end
-            halt 503, json_error('coldstart_unavailable', 'lex-coldstart is not loaded', status_code: 503) unless defined?(Legion::Extensions::Coldstart)
+            unless defined?(Legion::Extensions::Coldstart)
+              Legion::Logging.warn 'API POST /api/coldstart/ingest returned 503: lex-coldstart is not loaded'
+              halt 503, json_error('coldstart_unavailable', 'lex-coldstart is not loaded', status_code: 503)
+            end
-            halt 503, json_error('memory_unavailable', 'lex-memory is not loaded', status_code: 503) unless defined?(Legion::Extensions::Memory)
+            unless defined?(Legion::Extensions::Memory)
+              Legion::Logging.warn 'API POST /api/coldstart/ingest returned 503: lex-memory is not loaded'
+              halt 503, json_error('memory_unavailable', 'lex-memory is not loaded', status_code: 503)
+            end
             runner = Object.new.extend(Legion::Extensions::Coldstart::Runners::Ingest)
@@ -24,12 +34,14 @@ module Legion
                          pattern:  body[:pattern] || '**/{CLAUDE,MEMORY}.md'
                        )
                      else
+                       Legion::Logging.warn "API POST /api/coldstart/ingest returned 404: path not found: #{path}"
                        halt 404, json_error('path_not_found', "path not found: #{path}", status_code: 404)
                      end
+            Legion::Logging.info "API: coldstart ingest completed for path=#{path}"
             json_response(result, status_code: 201)
           rescue StandardError => e
-            Legion::Logging.error "API coldstart ingest error: #{e.message}"
+            Legion::Logging.error "API POST /api/coldstart/ingest: #{e.class} — #{e.message}"
             json_error('execution_error', e.message, status_code: 500)
           end
         end

data/lib/legion/api/events.rb CHANGED Viewed

@@ -58,7 +58,8 @@ module Legion
                     event = queue.pop
                     data = Legion::JSON.dump(event.transform_keys(&:to_s))
                     out << "event: #{event[:event]}\ndata: #{data}\n\n"
-                  rescue IOError, Errno::EPIPE
+                  rescue IOError, Errno::EPIPE => e
+                    Legion::Logging.debug "Events SSE stream broken for #{event[:event]}: #{e.message}" if defined?(Legion::Logging)
                     break
                   end
                 ensure