legionio 1.4.13 → 1.4.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8b61599f64cd23e52b9cbf85631dce4bdb16afeec87b5022229e7ae63f664917
-  data.tar.gz: 339df852d48a4ce9eddc92d1a8fd6c3240bda51f7d91f258352a6bc021aea2f0
+  metadata.gz: '0927bca374a6df75ab9a1e75067219af7205291a694defff2fa356fe2b330bf3'
+  data.tar.gz: 1c3171e36c3447a104889d556df53596e611b4965d60abb08d4e91fe5c50a996
 SHA512:
-  metadata.gz: bbb574075f5512af6a3783acb5bf02d666cf94eb959ac9827639e3bfb29467b1c97ad0d2d562e8318b173e3eaaf73a1ad2db7aaa29957f1682ffd0076dfaa27d
-  data.tar.gz: 2e4dd37e3f3a7e4520d4b270998a2df0eb1e51accc235061b0974fad27977895e7e29064a6af671b003462815a143081c808fd938e0e4b11eda2823de5416c8d
+  metadata.gz: 4bba3556ee1380f6b61aaa14263dbcccb4340428237f0203cbed9d7090d1cf95e811109b75ebf14e1a1bd3767640ad805e2dee4b4d5711352aa7becd528bf259
+  data.tar.gz: 243d79f20efa83d65b41a6e39f3953aee765369f37aa30caa6b85d16cb0baeab95e46628a443c45b082f233925c3ba413734c5e8aa45146c3827e9f367597ae7

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Legion Changelog
 
+## [1.4.14] - 2026-03-16
+
+### Added
+- Optional RBAC integration via legion-rbac gem (`if defined?(Legion::Rbac)` guards)
+- `setup_rbac` lifecycle hook in Service (after setup_data)
+- `authorize_execution!` guard in Ingress for task execution
+- Rack middleware registration in API when legion-rbac loaded
+- REST API routes for RBAC management (roles, assignments, grants, cross-team grants, check)
+- `legion rbac` CLI subcommand (roles, show, assignments, assign, revoke, grants, grant, check)
+- MCP tools: legion.rbac_check, legion.rbac_assignments, legion.rbac_grants
+
 ## [1.4.13] - 2026-03-16
 
 ### Changed

data/CLAUDE.md

@@ -346,6 +346,22 @@ legion
     bash                             # output bash completion script
     zsh                              # output zsh completion script
     install                          # print installation instructions
+
+  openapi
+    generate [-o FILE]               # output OpenAPI 3.1.0 spec JSON
+    routes                           # list all API routes with HTTP method + summary
+
+  doctor [--fix] [--json]            # diagnose environment, suggest/apply fixes
+                                     # checks: Ruby, bundle, config, RabbitMQ, DB, cache, Vault,
+                                     #   extensions, PID files, permissions
+                                     # exit 0=all pass, 1=any fail
+
+  telemetry
+    stats [SESSION_ID]               # aggregate or per-session telemetry stats
+    ingest PATH                      # manually ingest a session log file
+
+  auth
+    teams [--tenant-id ID] [--client-id ID]  # browser OAuth flow for Microsoft Teams
 ```
 
 **CLI design rules:**
@@ -450,6 +466,8 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 | `lib/legion/api/coldstart.rb` | Coldstart: `POST /api/coldstart/ingest` — triggers lex-coldstart ingest runner (requires lex-coldstart + lex-memory) |
 | `lib/legion/api/gaia.rb` | Gaia: system status endpoints |
 | `lib/legion/api/token.rb` | Token: JWT token issuance endpoint |
+| `lib/legion/api/openapi.rb` | OpenAPI: `Legion::API::OpenAPI.spec` / `.to_json`; also served at `GET /api/openapi.json` |
+| `lib/legion/api/oauth.rb` | OAuth: `GET /api/oauth/microsoft_teams/callback` — receives delegated OAuth redirect and stores tokens |
 | `lib/legion/api/middleware/auth.rb` | Auth: JWT Bearer auth middleware (real token validation, skip paths for health/ready) |
 | **MCP** | |
 | `lib/legion/mcp.rb` | Entry point: `Legion::MCP.server` singleton factory |
@@ -506,6 +524,10 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 | `lib/legion/cli/gaia_command.rb` | `legion gaia` subcommands (status) |
 | `lib/legion/cli/schedule_command.rb` | `legion schedule` subcommands (list, show, add, remove, logs) |
 | `lib/legion/cli/completion_command.rb` | `legion completion` subcommands (bash, zsh, install) |
+| `lib/legion/cli/openapi_command.rb` | `legion openapi` subcommands (generate, routes); also `GET /api/openapi.json` endpoint |
+| `lib/legion/cli/doctor_command.rb` | `legion doctor` — 10-check environment diagnosis; `Doctor::Result` value object with status/message/prescription/auto_fixable |
+| `lib/legion/cli/telemetry_command.rb` | `legion telemetry` subcommands (stats, ingest) — session log analytics |
+| `lib/legion/cli/auth_command.rb` | `legion auth` subcommands (teams) — delegated OAuth browser flow for external services |
 | `completions/legion.bash` | Bash tab completion script |
 | `completions/_legion` | Zsh tab completion script |
 | `lib/legion/cli/theme.rb` | Purple palette, orbital ASCII banner, branded CLI output |

data/Gemfile

@@ -14,6 +14,7 @@ unless ENV['CI']
   gem 'legion-json',      path: '../legion-json'
   gem 'legion-llm',       path: '../legion-llm'
   gem 'legion-logging',   path: '../legion-logging'
+  gem 'legion-rbac',      path: '../legion-rbac'
   gem 'legion-settings',  path: '../legion-settings'
   gem 'legion-transport', path: '../legion-transport'
 

data/README.md

@@ -14,7 +14,7 @@ Schedule tasks, chain services into dependency graphs, run them concurrently via
          ╰──────────────────────────────────────╯
 ```
 
-**Ruby >= 3.4** | **v1.4.6** | **Apache-2.0** | [@Esity](https://github.com/Esity)
+**Ruby >= 3.4** | **v1.4.13** | **Apache-2.0** | [@Esity](https://github.com/Esity)
 
 ---
 
@@ -210,6 +210,16 @@ legion config scaffold          # generate starter config files
 
 Settings load from the first directory found: `/etc/legionio/` → `~/legionio/` → `./settings/`
 
+### Diagnostics
+
+```bash
+legion doctor                   # diagnose environment, suggest fixes
+legion doctor --fix             # auto-remediate fixable issues (stale PIDs, missing gems)
+legion doctor --json            # machine-readable output
+```
+
+Checks Ruby version, bundle status, config files, RabbitMQ, database, cache, Vault, extensions, PID files, and permissions. Exits 1 if any check fails.
+
 All commands support `--json` for structured output and `--no-color` to strip ANSI codes.
 
 ## REST API
@@ -332,6 +342,25 @@ legion generate actor myactor
 bundle exec rspec
 ```
 
+## Role Profiles
+
+Control which extensions load at startup via `settings/legion.json`:
+
+```json
+{"role": {"profile": "dev"}}
+```
+
+| Profile | What loads |
+|---------|-----------|
+| *(default)* | Everything — no filtering |
+| `core` | 14 core operational extensions only |
+| `cognitive` | core + all agentic extensions |
+| `service` | core + service + other integrations |
+| `dev` | core + AI + essential agentic (~20 extensions) |
+| `custom` | only what's listed in `role.extensions` |
+
+Faster boot and lower memory footprint for dedicated worker roles.
+
 ## Scaling
 
 Task distribution uses RabbitMQ FIFO queues. Add workers by running more Legion processes — each subscribes to the same queues and picks up work automatically. Tested to 100+ workers.
@@ -363,6 +392,12 @@ CMD ruby --yjit $(which legion) start
 
 ## Architecture
 
+Before any Legion code loads, the executable applies three performance optimizations:
+
+- **YJIT** — `RubyVM::YJIT.enable` for 15-30% runtime throughput (Ruby 3.1+ builds)
+- **GC tuning** — pre-allocates 600k heap slots and raises malloc limits (ENV overrides respected)
+- **bootsnap** — caches YARV bytecodes and `$LOAD_PATH` resolution at `~/.legionio/cache/bootsnap/`
+
 ```
 legion start
   └── Legion::Service
@@ -374,13 +409,15 @@ legion start
       ├── 6. Data             (legion-data — database + migrations)
       ├── 7. LLM              (legion-llm — AI provider setup + routing)
       ├── 8. Supervision      (process supervision)
-      ├── 9. Extensions       (discover + load 280+ LEX gems)
+      ├── 9. Extensions       (discover + load 280+ LEX gems, filtered by role profile)
       ├── 10. Cluster Secret  (distribute via Vault or memory)
       └── 11. API             (Sinatra/Puma on port 4567)
 ```
 
 Each phase registers with `Legion::Readiness`. All phases are individually toggleable.
 
+`SIGHUP` triggers a live reload (`Legion.reload`) — subsystems shut down in reverse order and restart fresh without killing the process. Useful for rolling restarts and config changes.
+
 ## Similar Projects
 
 | Project | Language | HA | AI | Cognitive |
@@ -397,7 +434,7 @@ Each phase registers with `Legion::Readiness`. All phases are individually toggl
 git clone https://github.com/LegionIO/LegionIO.git
 cd LegionIO
 bundle install
-bundle exec rspec       # 694 examples, 0 failures
+bundle exec rspec       # 880 examples, 0 failures
 bundle exec rubocop     # 0 offenses
 ```
 

data/lib/legion/api/rbac.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module Rbac
+        def self.registered(app)
+          register_roles(app)
+          register_check(app)
+          register_assignments(app)
+          register_grants(app)
+          register_cross_team_grants(app)
+        end
+
+        def self.register_roles(app)
+          app.get '/api/rbac/roles' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+
+            roles = Legion::Rbac.role_index.transform_values do |role|
+              { name: role.name, description: role.description, cross_team: role.cross_team? }
+            end
+            json_response(roles)
+          end
+
+          app.get '/api/rbac/roles/:name' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+
+            role = Legion::Rbac.role_index[params[:name].to_sym]
+            halt 404, json_error('not_found', "Role #{params[:name]} not found", status_code: 404) unless role
+
+            json_response({
+                            name:        role.name,
+                            description: role.description,
+                            cross_team:  role.cross_team?,
+                            permissions: role.permissions.map { |p| { resource: p.resource_pattern, actions: p.actions } },
+                            deny_rules:  role.deny_rules.map { |d| { resource: d.resource_pattern, above_level: d.above_level } }
+                          })
+          end
+        end
+
+        def self.register_check(app)
+          app.post '/api/rbac/check' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+
+            body = parse_request_body
+            principal = Legion::Rbac::Principal.new(
+              id:    body[:principal] || 'anonymous',
+              roles: body[:roles] || [],
+              team:  body[:team]
+            )
+            result = Legion::Rbac::PolicyEngine.evaluate(
+              principal: principal,
+              action:    body[:action] || 'read',
+              resource:  body[:resource] || '*',
+              enforce:   false
+            )
+            json_response(result)
+          end
+        end
+
+        def self.register_assignments(app)
+          app.get '/api/rbac/assignments' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            dataset = Legion::Data::Model::RbacRoleAssignment.order(:id)
+            dataset = dataset.where(team: params[:team]) if params[:team]
+            dataset = dataset.where(role: params[:role]) if params[:role]
+            dataset = dataset.where(principal_id: params[:principal]) if params[:principal]
+            json_collection(dataset)
+          end
+
+          app.post '/api/rbac/assignments' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            body = parse_request_body
+            record = Legion::Data::Model::RbacRoleAssignment.create(
+              principal_type: body[:principal_type] || 'human',
+              principal_id:   body[:principal_id],
+              role:           body[:role],
+              team:           body[:team],
+              granted_by:     current_owner_msid || 'api',
+              expires_at:     body[:expires_at] ? Time.parse(body[:expires_at]) : nil
+            )
+            json_response(record.values, status_code: 201)
+          rescue Sequel::ValidationFailed => e
+            json_error('validation_error', e.message, status_code: 422)
+          end
+
+          app.delete '/api/rbac/assignments/:id' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            record = Legion::Data::Model::RbacRoleAssignment[params[:id].to_i]
+            halt 404, json_error('not_found', 'Assignment not found', status_code: 404) unless record
+
+            record.destroy
+            json_response({ deleted: true })
+          end
+        end
+
+        def self.register_grants(app)
+          app.get '/api/rbac/grants' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            dataset = Legion::Data::Model::RbacRunnerGrant.order(:id)
+            dataset = dataset.where(team: params[:team]) if params[:team]
+            json_collection(dataset)
+          end
+
+          app.post '/api/rbac/grants' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            body = parse_request_body
+            record = Legion::Data::Model::RbacRunnerGrant.create(
+              team:           body[:team],
+              runner_pattern: body[:runner_pattern],
+              actions:        Array(body[:actions]).join(','),
+              granted_by:     current_owner_msid || 'api'
+            )
+            json_response(record.values, status_code: 201)
+          rescue Sequel::ValidationFailed => e
+            json_error('validation_error', e.message, status_code: 422)
+          end
+
+          app.delete '/api/rbac/grants/:id' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            record = Legion::Data::Model::RbacRunnerGrant[params[:id].to_i]
+            halt 404, json_error('not_found', 'Grant not found', status_code: 404) unless record
+
+            record.destroy
+            json_response({ deleted: true })
+          end
+        end
+
+        def self.register_cross_team_grants(app)
+          app.get '/api/rbac/grants/cross-team' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            dataset = Legion::Data::Model::RbacCrossTeamGrant.order(:id)
+            json_collection(dataset)
+          end
+
+          app.post '/api/rbac/grants/cross-team' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            body = parse_request_body
+            record = Legion::Data::Model::RbacCrossTeamGrant.create(
+              source_team:    body[:source_team],
+              target_team:    body[:target_team],
+              runner_pattern: body[:runner_pattern],
+              actions:        Array(body[:actions]).join(','),
+              granted_by:     current_owner_msid || 'api',
+              expires_at:     body[:expires_at] ? Time.parse(body[:expires_at]) : nil
+            )
+            json_response(record.values, status_code: 201)
+          rescue Sequel::ValidationFailed => e
+            json_error('validation_error', e.message, status_code: 422)
+          end
+
+          app.delete '/api/rbac/grants/cross-team/:id' do
+            return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+            return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+            record = Legion::Data::Model::RbacCrossTeamGrant[params[:id].to_i]
+            halt 404, json_error('not_found', 'Grant not found', status_code: 404) unless record
+
+            record.destroy
+            json_response({ deleted: true })
+          end
+        end
+
+        class << self
+          private :register_roles, :register_check, :register_assignments, :register_grants, :register_cross_team_grants
+        end
+      end
+    end
+  end
+end

data/lib/legion/api.rb

@@ -22,6 +22,7 @@ require_relative 'api/coldstart'
 require_relative 'api/gaia'
 require_relative 'api/oauth'
 require_relative 'api/openapi'
+require_relative 'api/rbac'
 
 module Legion
   class API < Sinatra::Base
@@ -88,6 +89,9 @@ module Legion
     register Routes::Coldstart
     register Routes::Gaia
     register Routes::OAuth
+    register Routes::Rbac
+
+    use Legion::Rbac::Middleware if defined?(Legion::Rbac::Middleware)
 
     # Hook registry (preserved from original implementation)
     class << self

data/lib/legion/cli/config_scaffold.rb

@@ -11,7 +11,7 @@ module Legion
       module_function
 
       def run(formatter, options)
-        dir       = options[:dir] || './settings'
+        dir       = options[:dir] || "#{Dir.home}/.legionio/settings"
         only      = options[:only] ? options[:only].split(',').map(&:strip) : SUBSYSTEMS
         full_mode = options[:full]
         force     = options[:force]

data/lib/legion/cli/connection.rb

@@ -132,6 +132,7 @@ module Legion
 
           [
             '/etc/legionio',
+            "#{Dir.home}/.legionio/settings",
             "#{Dir.home}/legionio",
             '~/legionio',
             './settings'

data/lib/legion/cli/rbac_command.rb

@@ -0,0 +1,209 @@
+# frozen_string_literal: true
+
+module Legion
+  module CLI
+    class Rbac < Thor
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :json, type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+      class_option :verbose, type: :boolean, default: false, aliases: ['-V'], desc: 'Verbose logging'
+      class_option :config_dir, type: :string, desc: 'Config directory path'
+
+      desc 'roles', 'List role definitions from config'
+      def roles
+        out = formatter
+        with_rbac do
+          index = Legion::Rbac.role_index
+          if options[:json]
+            out.json(index.transform_values { |r| { description: r.description, cross_team: r.cross_team? } })
+          else
+            rows = index.map { |name, r| [name.to_s, r.description, r.cross_team? ? 'yes' : 'no'] }
+            out.table(%w[Role Description CrossTeam], rows)
+          end
+        end
+      end
+      default_task :roles
+
+      desc 'show ROLE', 'Show permissions for a role'
+      def show(role_name)
+        out = formatter
+        with_rbac do
+          role = Legion::Rbac.role_index[role_name.to_sym]
+          unless role
+            out.error("Role not found: #{role_name}")
+            return
+          end
+
+          if options[:json]
+            out.json({
+                       name:        role.name,
+                       description: role.description,
+                       cross_team:  role.cross_team?,
+                       permissions: role.permissions.map { |p| { resource: p.resource_pattern, actions: p.actions } },
+                       deny_rules:  role.deny_rules.map { |d| { resource: d.resource_pattern, above_level: d.above_level } }
+                     })
+          else
+            out.header("Role: #{role.name}")
+            puts "  #{role.description}"
+            puts "  Cross-team: #{role.cross_team? ? 'yes' : 'no'}"
+            puts "\n  Permissions:"
+            role.permissions.each { |p| puts "    #{p.resource_pattern} -> #{p.actions.join(', ')}" }
+            puts "\n  Deny rules:"
+            role.deny_rules.each { |d| puts "    #{d.resource_pattern}#{" (above level #{d.above_level})" if d.above_level}" }
+          end
+        end
+      end
+
+      desc 'assignments', 'List role assignments from DB'
+      option :team, type: :string, desc: 'Filter by team'
+      option :role, type: :string, desc: 'Filter by role'
+      option :principal, type: :string, desc: 'Filter by principal ID'
+      def assignments
+        out = formatter
+        with_data do
+          ds = Legion::Data::Model::RbacRoleAssignment.dataset
+          ds = ds.where(team: options[:team]) if options[:team]
+          ds = ds.where(role: options[:role]) if options[:role]
+          ds = ds.where(principal_id: options[:principal]) if options[:principal]
+
+          records = ds.all
+          if options[:json]
+            out.json(records.map(&:values))
+          else
+            rows = records.map { |r| [r.id, r.principal_id, r.principal_type, r.role, r.team || '-', r.active? ? 'active' : 'expired'] }
+            out.table(%w[ID Principal Type Role Team Status], rows)
+          end
+        end
+      end
+
+      desc 'assign PRINCIPAL ROLE', 'Assign a role to a principal'
+      option :type, type: :string, default: 'human', desc: 'Principal type (human/worker)'
+      option :team, type: :string, desc: 'Team scope'
+      option :expires, type: :string, desc: 'Expiry (ISO 8601)'
+      def assign(principal, role)
+        out = formatter
+        with_data do
+          record = Legion::Data::Model::RbacRoleAssignment.create(
+            principal_type: options[:type],
+            principal_id:   principal,
+            role:           role,
+            team:           options[:team],
+            granted_by:     'cli',
+            expires_at:     options[:expires] ? Time.parse(options[:expires]) : nil
+          )
+          out.success("Assigned #{role} to #{principal} (id: #{record.id})")
+        end
+      end
+
+      desc 'revoke PRINCIPAL ROLE', 'Remove a role assignment'
+      def revoke(principal, role)
+        out = formatter
+        with_data do
+          ds = Legion::Data::Model::RbacRoleAssignment.where(principal_id: principal, role: role)
+          count = ds.count
+          ds.destroy
+          out.success("Revoked #{count} assignment(s) of #{role} from #{principal}")
+        end
+      end
+
+      desc 'grants', 'List runner grants'
+      option :team, type: :string, desc: 'Filter by team'
+      def grants
+        out = formatter
+        with_data do
+          ds = Legion::Data::Model::RbacRunnerGrant.dataset
+          ds = ds.where(team: options[:team]) if options[:team]
+
+          records = ds.all
+          if options[:json]
+            out.json(records.map(&:values))
+          else
+            rows = records.map { |r| [r.id, r.team, r.runner_pattern, r.actions] }
+            out.table(%w[ID Team Pattern Actions], rows)
+          end
+        end
+      end
+
+      desc 'grant TEAM PATTERN', 'Grant runner access to a team'
+      option :actions, type: :string, default: 'execute', desc: 'Comma-separated actions'
+      def grant(team, pattern)
+        out = formatter
+        with_data do
+          record = Legion::Data::Model::RbacRunnerGrant.create(
+            team:           team,
+            runner_pattern: pattern,
+            actions:        options[:actions],
+            granted_by:     'cli'
+          )
+          out.success("Granted #{pattern} to team #{team} (id: #{record.id})")
+        end
+      end
+
+      desc 'check PRINCIPAL RESOURCE', 'Dry-run authorization check'
+      option :action, type: :string, default: 'read', desc: 'Action to check'
+      option :roles, type: :array, default: [], desc: 'Roles to check (comma-separated)'
+      option :team, type: :string, desc: 'Team scope'
+      def check(principal_id, resource)
+        out = formatter
+        with_rbac do
+          principal = Legion::Rbac::Principal.new(
+            id:    principal_id,
+            roles: options[:roles],
+            team:  options[:team]
+          )
+          result = Legion::Rbac::PolicyEngine.evaluate(
+            principal: principal,
+            action:    options[:action],
+            resource:  resource,
+            enforce:   false
+          )
+          if options[:json]
+            out.json(result)
+          else
+            status = result[:allowed] ? 'ALLOWED' : 'DENIED'
+            puts "  #{status}: #{principal_id} -> #{options[:action]} #{resource}"
+            puts "  Reason: #{result[:reason]}" if result[:reason]
+            puts "  Would deny: #{result[:would_deny]}" if result[:would_deny]
+          end
+        end
+      end
+
+      no_commands do
+        def formatter
+          @formatter ||= Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        end
+
+        private
+
+        def with_rbac
+          Connection.config_dir = options[:config_dir] if options[:config_dir]
+          Connection.log_level = options[:verbose] ? 'debug' : 'error'
+          Connection.ensure_settings
+          require 'legion/rbac'
+          Legion::Rbac.setup
+          yield
+        rescue CLI::Error => e
+          formatter.error(e.message)
+          raise SystemExit, 1
+        end
+
+        def with_data
+          Connection.config_dir = options[:config_dir] if options[:config_dir]
+          Connection.log_level = options[:verbose] ? 'debug' : 'error'
+          Connection.ensure_data
+          require 'legion/rbac'
+          Legion::Rbac.setup
+          yield
+        rescue CLI::Error => e
+          formatter.error(e.message)
+          raise SystemExit, 1
+        ensure
+          Connection.shutdown
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli.rb

@@ -33,6 +33,7 @@ module Legion
     autoload :Doctor,     'legion/cli/doctor_command'
     autoload :Telemetry,  'legion/cli/telemetry_command'
     autoload :Auth,       'legion/cli/auth_command'
+    autoload :Rbac,       'legion/cli/rbac_command'
 
     class Main < Thor
       def self.exit_on_failure?
@@ -195,6 +196,9 @@ module Legion
       desc 'auth SUBCOMMAND', 'Authenticate with external services'
       subcommand 'auth', Legion::CLI::Auth
 
+      desc 'rbac SUBCOMMAND', 'Role-based access control management'
+      subcommand 'rbac', Legion::CLI::Rbac
+
       desc 'tree', 'Print a tree of all available commands'
       def tree
         legion_print_command_tree(self.class, 'legion', '')

data/lib/legion/ingress.rb

@@ -25,11 +25,12 @@ module Legion
 
       # Normalize and execute via Legion::Runner.run.
       # Returns the runner result hash.
-      def run(payload:, runner_class: nil, function: nil, source: 'unknown', **opts)
+      def run(payload:, runner_class: nil, function: nil, source: 'unknown', principal: nil, **opts) # rubocop:disable Metrics/ParameterLists
         check_subtask = opts.fetch(:check_subtask, true)
         generate_task = opts.fetch(:generate_task, true)
         message = normalize(payload: payload, runner_class: runner_class,
-                            function: function, source: source, **opts.except(:check_subtask, :generate_task))
+                            function: function, source: source,
+                            **opts.except(:check_subtask, :generate_task, :principal))
 
         rc = message.delete(:runner_class)
         fn = message.delete(:function)
@@ -37,6 +38,11 @@ module Legion
         raise 'runner_class is required' if rc.nil?
         raise 'function is required' if fn.nil?
 
+        if defined?(Legion::Rbac)
+          principal ||= Legion::Rbac::Principal.local_admin
+          Legion::Rbac.authorize_execution!(principal: principal, runner_class: rc.to_s, function: fn.to_s)
+        end
+
         Legion::Events.emit('ingress.received', runner_class: rc.to_s, function: fn, source: source)
 
         Legion::Runner.run(

data/lib/legion/mcp/server.rb

@@ -30,6 +30,9 @@ require_relative 'tools/worker_lifecycle'
 require_relative 'tools/worker_costs'
 require_relative 'tools/team_summary'
 require_relative 'tools/routing_stats'
+require_relative 'tools/rbac_check'
+require_relative 'tools/rbac_assignments'
+require_relative 'tools/rbac_grants'
 require_relative 'resources/runner_catalog'
 require_relative 'resources/extension_info'
 
@@ -66,7 +69,10 @@ module Legion
         Tools::WorkerLifecycle,
         Tools::WorkerCosts,
         Tools::TeamSummary,
-        Tools::RoutingStats
+        Tools::RoutingStats,
+        Tools::RbacCheck,
+        Tools::RbacAssignments,
+        Tools::RbacGrants
       ].freeze
 
       class << self

data/lib/legion/mcp/tools/rbac_assignments.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Legion
+  module MCP
+    module Tools
+      class RbacAssignments < ::MCP::Tool
+        tool_name 'legion.rbac_assignments'
+        description 'List RBAC role assignments. Filterable by team, role, or principal.'
+
+        input_schema(
+          properties: {
+            team:      { type: 'string', description: 'Filter by team' },
+            role:      { type: 'string', description: 'Filter by role name' },
+            principal: { type: 'string', description: 'Filter by principal ID' }
+          }
+        )
+
+        class << self
+          def call(team: nil, role: nil, principal: nil)
+            return error_response('legion-rbac not installed') unless defined?(Legion::Rbac)
+            return error_response('legion-data not connected') unless Legion::Rbac::Store.db_available?
+
+            ds = Legion::Data::Model::RbacRoleAssignment.dataset
+            ds = ds.where(team: team) if team
+            ds = ds.where(role: role) if role
+            ds = ds.where(principal_id: principal) if principal
+            text_response(ds.all.map(&:values))
+          rescue StandardError => e
+            error_response("Failed to list assignments: #{e.message}")
+          end
+
+          private
+
+          def text_response(data)
+            ::MCP::Tool::Response.new([{ type: 'text', text: Legion::JSON.dump(data) }])
+          end
+
+          def error_response(msg)
+            ::MCP::Tool::Response.new([{ type: 'text', text: Legion::JSON.dump({ error: msg }) }], error: true)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/mcp/tools/rbac_check.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Legion
+  module MCP
+    module Tools
+      class RbacCheck < ::MCP::Tool
+        tool_name 'legion.rbac_check'
+        description 'Dry-run authorization check. Evaluates RBAC policies without enforcing.'
+
+        input_schema(
+          properties: {
+            principal: { type: 'string', description: 'Principal ID to check' },
+            action:    { type: 'string', description: 'Action (read, execute, manage, etc.)' },
+            resource:  { type: 'string', description: 'Resource path (e.g. runners/lex-github/*)' },
+            roles:     { type: 'array', items: { type: 'string' }, description: 'Roles to evaluate' },
+            team:      { type: 'string', description: 'Team scope' }
+          },
+          required:   %w[principal action resource roles]
+        )
+
+        class << self
+          def call(principal:, action:, resource:, roles: [], team: nil)
+            return error_response('legion-rbac not installed') unless defined?(Legion::Rbac)
+
+            p = Legion::Rbac::Principal.new(id: principal, roles: roles, team: team)
+            result = Legion::Rbac::PolicyEngine.evaluate(principal: p, action: action, resource: resource, enforce: false)
+            text_response(result)
+          rescue StandardError => e
+            error_response("RBAC check failed: #{e.message}")
+          end
+
+          private
+
+          def text_response(data)
+            ::MCP::Tool::Response.new([{ type: 'text', text: Legion::JSON.dump(data) }])
+          end
+
+          def error_response(msg)
+            ::MCP::Tool::Response.new([{ type: 'text', text: Legion::JSON.dump({ error: msg }) }], error: true)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/mcp/tools/rbac_grants.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Legion
+  module MCP
+    module Tools
+      class RbacGrants < ::MCP::Tool
+        tool_name 'legion.rbac_grants'
+        description 'List RBAC runner grants. Filterable by team.'
+
+        input_schema(
+          properties: {
+            team: { type: 'string', description: 'Filter by team' }
+          }
+        )
+
+        class << self
+          def call(team: nil)
+            return error_response('legion-rbac not installed') unless defined?(Legion::Rbac)
+            return error_response('legion-data not connected') unless Legion::Rbac::Store.db_available?
+
+            ds = Legion::Data::Model::RbacRunnerGrant.dataset
+            ds = ds.where(team: team) if team
+            text_response(ds.all.map(&:values))
+          rescue StandardError => e
+            error_response("Failed to list grants: #{e.message}")
+          end
+
+          private
+
+          def text_response(data)
+            ::MCP::Tool::Response.new([{ type: 'text', text: Legion::JSON.dump(data) }])
+          end
+
+          def error_response(msg)
+            ::MCP::Tool::Response.new([{ type: 'text', text: Legion::JSON.dump({ error: msg }) }], error: true)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/service.rb

@@ -25,6 +25,8 @@ module Legion
         Legion::Readiness.mark_ready(:crypt)
       end
 
+      Legion::Settings.resolve_secrets!
+
       if transport
         setup_transport
         Legion::Readiness.mark_ready(:transport)
@@ -41,6 +43,8 @@ module Legion
         Legion::Readiness.mark_ready(:data)
       end
 
+      setup_rbac if data
+
       if llm
         setup_llm
         Legion::Readiness.mark_ready(:llm)
@@ -74,10 +78,22 @@ module Legion
       Legion::Logging.warn "Legion::Data failed to load, starting without it. e: #{e.message}"
     end
 
+    def setup_rbac
+      require 'legion/rbac'
+      Legion::Rbac.setup
+      Legion::Readiness.mark_ready(:rbac)
+      Legion::Logging.info 'Legion::Rbac loaded'
+    rescue LoadError
+      Legion::Logging.debug 'Legion::Rbac gem is not installed, starting without RBAC'
+    rescue StandardError => e
+      Legion::Logging.warn "Legion::Rbac failed to load: #{e.message}"
+    end
+
     # noinspection RubyArgCount
     def default_paths
       [
         '/etc/legionio',
+        "#{Dir.home}/.legionio/settings",
         "#{ENV.fetch('home', nil)}/legionio",
         '~/legionio',
         './settings'
@@ -212,6 +228,11 @@ module Legion
         Legion::Readiness.mark_not_ready(:llm)
       end
 
+      if defined?(Legion::Rbac) && Legion::Settings[:rbac]&.dig(:connected)
+        Legion::Rbac.shutdown
+        Legion::Readiness.mark_not_ready(:rbac)
+      end
+
       Legion::Data.shutdown if Legion::Settings[:data][:connected]
       Legion::Readiness.mark_not_ready(:data)
 

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.4.13'
+  VERSION = '1.4.14'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.4.13
+  version: 1.4.14
 platform: ruby
 authors:
 - Esity
@@ -326,6 +326,7 @@ files:
 - lib/legion/api/nodes.rb
 - lib/legion/api/oauth.rb
 - lib/legion/api/openapi.rb
+- lib/legion/api/rbac.rb
 - lib/legion/api/relationships.rb
 - lib/legion/api/schedules.rb
 - lib/legion/api/settings.rb
@@ -426,6 +427,7 @@ files:
 - lib/legion/cli/output.rb
 - lib/legion/cli/plan_command.rb
 - lib/legion/cli/pr_command.rb
+- lib/legion/cli/rbac_command.rb
 - lib/legion/cli/relationship.rb
 - lib/legion/cli/review_command.rb
 - lib/legion/cli/schedule_command.rb
@@ -500,6 +502,9 @@ files:
 - lib/legion/mcp/tools/list_schedules.rb
 - lib/legion/mcp/tools/list_tasks.rb
 - lib/legion/mcp/tools/list_workers.rb
+- lib/legion/mcp/tools/rbac_assignments.rb
+- lib/legion/mcp/tools/rbac_check.rb
+- lib/legion/mcp/tools/rbac_grants.rb
 - lib/legion/mcp/tools/routing_stats.rb
 - lib/legion/mcp/tools/run_task.rb
 - lib/legion/mcp/tools/show_worker.rb