legionio 1.4.44 → 1.4.47

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16599e1c095434bfb65c5a5aa763cb821324e192f8e367cad1aff64fadec7e10
-  data.tar.gz: 2747877e468f15212ed3bbd19eaa287323d159a676a01e80e6b1ca11e0abed9b
+  metadata.gz: 61d1b58d973cadaa88f3236a2d191452324ce20721fb6a41bf9b08488e077754
+  data.tar.gz: '09129066576304957d34a58a8c54731e8228b3d5a45603592ee9b9ce10f72c55'
 SHA512:
-  metadata.gz: e522c7f831673baa38cf887b1493e78e7133d930f3e857b82fefddbeeffbcc88877e4d741330a222e744170bd0e5876ec08deca5c8a00d8dc6cc520fbd0f54dc
-  data.tar.gz: 802b45c5a8d13d79f0c52ac872080a6fde0e5b64bc7ee0f46a21fbdb5be56c23ddad2f6b242b535b9a862e13b446735cb57c44ac50a9a0b021a728c620defe20
+  metadata.gz: 4e9bfacc58941fb83fe9725779d8a500b514e483dfd84dc759a7184e548b43379252c638007ced10de99164ee749cc9dd7a33134e31e4c0bd8605e6307648d8f
+  data.tar.gz: 989f282c012adb51747e8bbb143e29eabf1c213fd0ad7b531737f98cb948791a6e163c13fa5c1a73d0a5da20efa4cfabad237d90e0e3adbaa21d05c2a8cbc5dc

data/.rubocop.yml

@@ -38,6 +38,7 @@ Metrics/BlockLength:
     - 'lib/legion/cli/update_command.rb'
     - 'lib/legion/api/auth.rb'
     - 'lib/legion/api/auth_worker.rb'
+    - 'lib/legion/api/auth_human.rb'
 
 Metrics/AbcSize:
   Max: 60
@@ -48,9 +49,12 @@ Metrics/CyclomaticComplexity:
   Max: 15
   Exclude:
     - 'lib/legion/cli/chat_command.rb'
+    - 'lib/legion/api/auth_human.rb'
 
 Metrics/PerceivedComplexity:
   Max: 17
+  Exclude:
+    - 'lib/legion/api/auth_human.rb'
 
 Style/Documentation:
   Enabled: false

data/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Legion Changelog
 
+## [1.4.47] - 2026-03-17
+
+### Fixed
+- `gem_load` rescue block referenced undefined `gem_path` variable, causing secondary NameError that masked original LoadError
+- `meta_actors` type guard checked `is_a?(Array)` but called `each_value` (Hash method), so meta actors were never hooked
+- `build_actor_list` crashed entire extension load when actor file didn't define expected constant (now skips gracefully)
+- `build_transport` raised NoMethodError on extensions with custom Transport modules missing `build` (now falls back to auto-generate)
+
+## [1.4.46] - 2026-03-17
+
+### Added
+- `Legion::Telemetry.configure_exporter`: OTLP and console span exporters
+- OTLP exporter uses BatchSpanProcessor for production performance
+- Settings: `telemetry.tracing.exporter`, `endpoint`, `headers`, `batch_size`
+- Graceful fallback when opentelemetry-exporter-otlp gem absent
+
+## [1.4.45] - 2026-03-17
+
+### Added
+- `GET /api/auth/authorize`: redirects to Entra authorization endpoint for browser-based OAuth2 login
+- `GET /api/auth/callback`: exchanges authorization code for tokens, validates id_token via JWKS, maps claims, issues Legion human JWT
+- Auth middleware SKIP_PATHS now includes `/api/auth/authorize` and `/api/auth/callback`
+
 ## [1.4.44] - 2026-03-17
 
 ### Added

data/lib/legion/api/auth_human.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'securerandom'
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module AuthHuman
+        def self.registered(app)
+          register_authorize(app)
+          register_callback(app)
+        end
+
+        def self.resolve_entra_settings
+          return {} unless defined?(Legion::Settings)
+
+          rbac = Legion::Settings[:rbac]
+          entra = rbac.is_a?(Hash) ? rbac[:entra] : nil
+          return entra if entra.is_a?(Hash)
+
+          {}
+        rescue StandardError
+          {}
+        end
+
+        def self.exchange_code(entra, code)
+          uri = URI("https://login.microsoftonline.com/#{entra[:tenant_id]}/oauth2/v2.0/token")
+          response = Net::HTTP.post_form(uri, {
+                                           'client_id'     => entra[:client_id],
+                                           'client_secret' => entra[:client_secret],
+                                           'code'          => code,
+                                           'redirect_uri'  => entra[:redirect_uri],
+                                           'grant_type'    => 'authorization_code'
+                                         })
+
+          return nil unless response.is_a?(Net::HTTPSuccess)
+
+          Legion::JSON.load(response.body)
+        rescue StandardError
+          nil
+        end
+
+        def self.register_authorize(app)
+          app.get '/api/auth/authorize' do
+            entra = Routes::AuthHuman.resolve_entra_settings
+            halt 500, json_error('entra_not_configured', 'Entra OAuth settings are missing', status_code: 500) unless entra[:tenant_id] && entra[:client_id]
+
+            state = Legion::Crypt::JWT.issue(
+              { nonce: SecureRandom.hex(16), purpose: 'oauth_state' },
+              ttl: 300
+            )
+
+            query = URI.encode_www_form({
+                                          'client_id'     => entra[:client_id],
+                                          'redirect_uri'  => entra[:redirect_uri],
+                                          'response_type' => 'code',
+                                          'scope'         => 'openid profile',
+                                          'state'         => state
+                                        })
+
+            redirect "https://login.microsoftonline.com/#{entra[:tenant_id]}/oauth2/v2.0/authorize?#{query}"
+          end
+        end
+
+        def self.register_callback(app) # rubocop:disable Metrics/AbcSize
+          app.get '/api/auth/callback' do
+            entra = Routes::AuthHuman.resolve_entra_settings
+            halt 500, json_error('entra_not_configured', 'Entra OAuth settings are missing', status_code: 500) unless entra[:tenant_id] && entra[:client_id]
+
+            halt 400, json_error('oauth_error', params[:error_description] || params[:error], status_code: 400) if params[:error]
+            halt 400, json_error('missing_code', 'authorization code is required', status_code: 400) unless params[:code]
+
+            if params[:state]
+              begin
+                Legion::Crypt::JWT.verify(params[:state])
+              rescue Legion::Crypt::JWT::Error
+                halt 400, json_error('invalid_state', 'CSRF state token is invalid or expired', status_code: 400)
+              end
+            end
+
+            token_response = Routes::AuthHuman.exchange_code(entra, params[:code])
+            halt 502, json_error('token_exchange_failed', 'Failed to exchange code for tokens', status_code: 502) unless token_response
+
+            id_token = token_response[:id_token] || token_response['id_token']
+            halt 502, json_error('no_id_token', 'Entra did not return an id_token', status_code: 502) unless id_token
+
+            jwks_url = "https://login.microsoftonline.com/#{entra[:tenant_id]}/discovery/v2.0/keys"
+            issuer = "https://login.microsoftonline.com/#{entra[:tenant_id]}/v2.0"
+
+            begin
+              claims = Legion::Crypt::JWT.verify_with_jwks(id_token, jwks_url: jwks_url, issuers: [issuer])
+            rescue Legion::Crypt::JWT::Error => e
+              halt 401, json_error('invalid_id_token', e.message, status_code: 401)
+            end
+
+            unless defined?(Legion::Rbac::EntraClaimsMapper)
+              halt 501, json_error('claims_mapper_not_available', 'EntraClaimsMapper is not loaded', status_code: 501)
+            end
+
+            mapped = Legion::Rbac::EntraClaimsMapper.map_claims(
+              claims,
+              role_map:     entra[:role_map] || Legion::Rbac::EntraClaimsMapper::DEFAULT_ROLE_MAP,
+              group_map:    entra[:group_map] || {},
+              default_role: entra[:default_role] || 'worker'
+            )
+
+            ttl = 28_800
+            token = Legion::API::Token.issue_human_token(
+              msid: mapped[:sub], name: mapped[:name], roles: mapped[:roles], ttl: ttl
+            )
+
+            if request.env['HTTP_ACCEPT']&.include?('application/json')
+              json_response({
+                              access_token: token,
+                              token_type:   'Bearer',
+                              expires_in:   ttl,
+                              roles:        mapped[:roles],
+                              name:         mapped[:name]
+                            })
+            else
+              redirect_url = entra[:success_redirect] || '/api/health'
+              redirect "#{redirect_url}#access_token=#{token}"
+            end
+          end
+        end
+
+        class << self
+          private :register_authorize, :register_callback
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/middleware/auth.rb

@@ -4,7 +4,8 @@ module Legion
   class API < Sinatra::Base
     module Middleware
       class Auth
-        SKIP_PATHS      = %w[/api/health /api/ready /api/openapi.json /metrics /api/auth/token /api/auth/worker-token].freeze
+        SKIP_PATHS      = %w[/api/health /api/ready /api/openapi.json /metrics /api/auth/token /api/auth/worker-token
+                             /api/auth/authorize /api/auth/callback].freeze
         AUTH_HEADER     = 'HTTP_AUTHORIZATION'
         BEARER_PATTERN  = /\ABearer\s+(.+)\z/i
         API_KEY_HEADER  = 'HTTP_X_API_KEY'

data/lib/legion/api.rb

@@ -28,6 +28,7 @@ require_relative 'api/openapi'
 require_relative 'api/rbac'
 require_relative 'api/auth'
 require_relative 'api/auth_worker'
+require_relative 'api/auth_human'
 require_relative 'api/audit'
 require_relative 'api/metrics'
 
@@ -100,6 +101,7 @@ module Legion
     register Routes::Rbac
     register Routes::Auth
     register Routes::AuthWorker
+    register Routes::AuthHuman
     register Routes::Audit
     register Routes::Metrics
 

data/lib/legion/extensions/builders/actors.rb

@@ -21,6 +21,10 @@ module Legion
           actor_files.each do |file|
             actor_name = file.split('/').last.sub('.rb', '')
             actor_class = "#{lex_class}::Actor::#{actor_name.split('_').collect(&:capitalize).join}"
+            unless Kernel.const_defined?(actor_class)
+              Legion::Logging.warn "Actor constant #{actor_class} not defined, skipping"
+              next
+            end
             @actors[actor_name.to_sym] = {
               extension:      lex_class.to_s.downcase,
               extension_name: extension_name,

data/lib/legion/extensions/core.rb

@@ -92,13 +92,19 @@ module Legion
           require "#{extension_path}/transport/autobuild"
           extension_class::Transport::AutoBuild.build
           log.warn 'still using transport::autobuild, please upgrade'
-        elsif File.exist? "#{extension_path}/transport.rb"
+          return
+        end
+
+        if File.exist? "#{extension_path}/transport.rb"
           require "#{extension_path}/transport"
-          extension_class::Transport.build
+          unless extension_class::Transport.respond_to?(:build)
+            log.warn "#{extension_class}::Transport does not respond to build, auto-generating"
+            auto_generate_transport
+          end
         else
           auto_generate_transport
-          extension_class::Transport.build
         end
+        extension_class::Transport.build
       end
 
       def build_settings

data/lib/legion/extensions.rb

@@ -108,7 +108,7 @@ module Legion
         require 'legion/transport/messages/lex_register'
         Legion::Transport::Messages::LexRegister.new(function: 'save', opts: extension.runners).publish
 
-        if extension.respond_to?(:meta_actors) && extension.meta_actors.is_a?(Array)
+        if extension.respond_to?(:meta_actors) && extension.meta_actors.is_a?(Hash)
           extension.meta_actors.each_value do |actor|
             extension.log.debug("hooking meta actor: #{actor}") if has_logger
             hook_actor(**actor)
@@ -199,12 +199,13 @@ module Legion
       end
 
       def gem_load(gem_name, name)
-        require "#{Gem::Specification.find_by_name(gem_name).gem_dir}/lib/legion/extensions/#{name}"
+        gem_dir = Gem::Specification.find_by_name(gem_name).gem_dir
+        require "#{gem_dir}/lib/legion/extensions/#{name}"
         true
       rescue LoadError => e
         Legion::Logging.error e.message
         Legion::Logging.error e.backtrace
-        Legion::Logging.error "gem_path: #{gem_path}" unless gem_path.nil?
+        Legion::Logging.error "gem_path: #{gem_dir}" if defined?(gem_dir) && gem_dir
         false
       end
 

data/lib/legion/telemetry.rb

@@ -56,10 +56,67 @@ module Legion
       {}
     end
 
+    def configure_exporter
+      backend = tracing_settings[:exporter]&.to_sym || :none
+
+      case backend
+      when :otlp
+        configure_otlp
+      when :console
+        configure_console
+      end
+    end
+
+    def tracing_settings
+      telemetry = Legion::Settings[:telemetry]
+      return {} unless telemetry.is_a?(Hash)
+
+      tracing = telemetry[:tracing]
+      tracing.is_a?(Hash) ? tracing : {}
+    rescue StandardError
+      {}
+    end
+
     def otel_init_error?(error)
       error.message.include?('OpenTelemetry') || error.message.include?('tracer')
     rescue StandardError
       false
     end
+
+    def configure_otlp
+      require 'opentelemetry-exporter-otlp'
+
+      endpoint = tracing_settings[:endpoint] || 'http://localhost:4318/v1/traces'
+      headers = tracing_settings[:headers] || {}
+
+      exporter = OpenTelemetry::Exporter::OTLP::Exporter.new(
+        endpoint: endpoint,
+        headers:  headers
+      )
+
+      processor = OpenTelemetry::SDK::Trace::Export::BatchSpanProcessor.new(
+        exporter,
+        max_queue_size:        2048,
+        max_export_batch_size: tracing_settings[:batch_size] || 512
+      )
+
+      OpenTelemetry.tracer_provider.add_span_processor(processor)
+      Legion::Logging.info "OTLP exporter configured: #{endpoint}"
+      true
+    rescue LoadError
+      Legion::Logging.warn 'opentelemetry-exporter-otlp gem not available'
+      false
+    end
+
+    def configure_console
+      return false unless defined?(OpenTelemetry::SDK::Trace::Export::ConsoleSpanExporter)
+
+      exporter = OpenTelemetry::SDK::Trace::Export::ConsoleSpanExporter.new
+      processor = OpenTelemetry::SDK::Trace::Export::SimpleSpanProcessor.new(exporter)
+      OpenTelemetry.tracer_provider.add_span_processor(processor)
+      true
+    rescue StandardError
+      false
+    end
   end
 end

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.4.44'
+  VERSION = '1.4.47'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.4.44
+  version: 1.4.47
 platform: ruby
 authors:
 - Esity
@@ -318,6 +318,7 @@ files:
 - lib/legion/api.rb
 - lib/legion/api/audit.rb
 - lib/legion/api/auth.rb
+- lib/legion/api/auth_human.rb
 - lib/legion/api/auth_worker.rb
 - lib/legion/api/chains.rb
 - lib/legion/api/coldstart.rb