legionio 1.4.59 → 1.4.61

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb8c466919694ff3ee71e207099e6cdbc7d93ec3a641c7213a9efa5f624fceec
-  data.tar.gz: 714ca199c88b04b1f6b84680dbffe2c6f5d953d09d6114d115878cc98a10e3fe
+  metadata.gz: 6c7e2aaea33b6be8c15f2059d61621a70e9e431957e4e574b8ff574d33d40045
+  data.tar.gz: 07ea8f95f7b2c5132f8fe7992ccb247d5cec1fe909f3ba927f42bf172fff22ec
 SHA512:
-  metadata.gz: '08cce649982a2b0fabb240cf1ce373bf8b98c7807d5608d4e05caea9f26458b56c98f7b62584950d15376112d3f6396dbd3bd5c91e2779ca61867e1debaab2c5'
-  data.tar.gz: a7d37673e26e87ef65a04100884720da7c762f5fbd8c15f116febd7dc02314df77e0f1243acd2c383bc3e55e4ac940f3ca70ae49e0dfa76ece907871f39e7892
+  metadata.gz: a5648ed88592cb9eaaac03a285f3862812ff9dbd93ea3a0f8a2bd1ff400e7b2084c3d59e5b2b5fbbf0016ff05f4897291f25f59b62c543ef86b9806aeba6a377
+  data.tar.gz: 73b80071c84f14627df14ceca94a9f7201143ca47149244838d649387d82430cfffaf3a1998fcb92f91d6aecc73abc9a8ce151eb6ea626c8237b738554ca9965

data/.rubocop.yml

@@ -39,6 +39,7 @@ Metrics/BlockLength:
     - 'lib/legion/api/auth.rb'
     - 'lib/legion/api/auth_worker.rb'
     - 'lib/legion/api/auth_human.rb'
+    - 'lib/legion/cli/auth_command.rb'
 
 Metrics/AbcSize:
   Max: 60

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Legion Changelog
 
+## [1.4.61] - 2026-03-18
+
+### Added
+- Chat persistent settings defaults via `Legion::Settings` (issue #5)
+- `chat_setting(*keys)` helper for centralized settings access with error handling
+- Settings priority chain: CLI flag > `Legion::Settings.dig(:chat, ...)` > hardcoded default
+- Configurable via settings: model, provider, personality, permissions, markdown, incognito, max_budget_usd, subagent concurrency/timeout, headless max_turns
+- `chat` subsystem added to `config scaffold` with full template
+- `Subagent.configure_from_settings` reads concurrency and timeout from settings
+- 22 new specs (19 settings integration + 3 subagent settings)
+
+## [1.4.60] - 2026-03-18
+
+### Fixed
+- Empty Enter in chat REPL no longer exits the session; returns empty string instead of nil to disambiguate from Ctrl+D (EOF)
+
 ## [1.4.59] - 2026-03-17
 
 ### Added

data/CLAUDE.md

@@ -9,7 +9,7 @@ The primary gem for the LegionIO framework. An extensible async job engine for s
 
 **GitHub**: https://github.com/LegionIO/LegionIO
 **Gem**: `legionio`
-**Version**: 1.4.52
+**Version**: 1.4.61
 **License**: Apache-2.0
 **Docker**: `legionio/legion`
 **Ruby**: >= 3.4
@@ -711,7 +711,7 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 
 ```bash
 bundle install
-bundle exec rspec       # 1208 examples, 0 failures
+bundle exec rspec       # 1379 examples, 0 failures
 bundle exec rubocop     # 396 files, 0 offenses
 ```
 

data/lib/legion/api/auth_kerberos.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module AuthKerberos
+        def self.registered(app)
+          register_negotiate(app)
+        end
+
+        def self.resolve_kerberos_role_map
+          return {} unless defined?(Legion::Settings)
+
+          Legion::Settings.dig(:kerberos, :role_map) || {}
+        rescue StandardError
+          {}
+        end
+
+        def self.kerberos_available?
+          defined?(Legion::Extensions::Kerberos::Client) &&
+            defined?(Legion::Rbac::KerberosClaimsMapper)
+        end
+
+        def self.register_negotiate(app)
+          app.get '/api/auth/negotiate' do
+            auth_header = request.env['HTTP_AUTHORIZATION']
+
+            unless auth_header&.match?(/\ANegotiate\s+/i)
+              headers['WWW-Authenticate'] = 'Negotiate'
+              halt 401, json_error('negotiate_required', 'Negotiate token required', status_code: 401)
+            end
+
+            halt 501, json_error('kerberos_not_available', 'Kerberos extension is not loaded', status_code: 501) unless Routes::AuthKerberos.kerberos_available?
+
+            token = auth_header.sub(/\ANegotiate\s+/i, '')
+
+            auth_result = begin
+              client = Legion::Extensions::Kerberos::Client.new
+              client.authenticate(token: token)
+            rescue StandardError
+              nil
+            end
+
+            unless auth_result&.dig(:success)
+              headers['WWW-Authenticate'] = 'Negotiate'
+              halt 401, json_error('kerberos_auth_failed', 'Kerberos authentication failed', status_code: 401)
+            end
+
+            role_map = Routes::AuthKerberos.resolve_kerberos_role_map
+            mapped = Legion::Rbac::KerberosClaimsMapper.map_with_fallback(
+              principal: auth_result[:principal],
+              groups:    auth_result[:groups] || [],
+              role_map:  role_map
+            )
+
+            ttl = 28_800
+            legion_token = Legion::API::Token.issue_human_token(
+              msid: mapped[:sub], name: mapped[:name], roles: mapped[:roles], ttl: ttl
+            )
+
+            output_token = auth_result[:output_token]
+            headers['WWW-Authenticate'] = "Negotiate #{output_token}" if output_token
+
+            json_response({
+                            token:       legion_token,
+                            principal:   auth_result[:principal],
+                            roles:       mapped[:roles],
+                            auth_method: 'kerberos'
+                          })
+          end
+        end
+
+        class << self
+          private :register_negotiate
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/middleware/auth.rb

@@ -4,11 +4,12 @@ module Legion
   class API < Sinatra::Base
     module Middleware
       class Auth
-        SKIP_PATHS      = %w[/api/health /api/ready /api/openapi.json /metrics /api/auth/token /api/auth/worker-token
-                             /api/auth/authorize /api/auth/callback].freeze
-        AUTH_HEADER     = 'HTTP_AUTHORIZATION'
-        BEARER_PATTERN  = /\ABearer\s+(.+)\z/i
-        API_KEY_HEADER  = 'HTTP_X_API_KEY'
+        SKIP_PATHS       = %w[/api/health /api/ready /api/openapi.json /metrics /api/auth/token /api/auth/worker-token
+                              /api/auth/authorize /api/auth/callback /api/auth/negotiate].freeze
+        AUTH_HEADER      = 'HTTP_AUTHORIZATION'
+        BEARER_PATTERN   = /\ABearer\s+(.+)\z/i
+        NEGOTIATE_PATTERN = /\ANegotiate\s+(.+)\z/i
+        API_KEY_HEADER = 'HTTP_X_API_KEY'
 
         def initialize(app, opts = {})
           @app        = app
@@ -21,6 +22,10 @@ module Legion
           return @app.call(env) unless @enabled
           return @app.call(env) if skip_path?(env['PATH_INFO'])
 
+          # Try Negotiate/SPNEGO first (Kerberos)
+          result = try_negotiate(env)
+          return result if result
+
           # Try Bearer JWT first
           token = extract_token(env)
           if token
@@ -54,10 +59,76 @@ module Legion
 
         private
 
+        def try_negotiate(env)
+          negotiate_token = extract_negotiate_token(env)
+          return nil unless negotiate_token
+
+          negotiate_result = verify_negotiate(negotiate_token)
+          unless negotiate_result
+            return kerberos_available? ? unauthorized('Kerberos authentication failed') : nil
+          end
+
+          env['legion.auth']        = negotiate_result[:claims]
+          env['legion.auth_method'] = 'kerberos'
+          env['legion.owner_msid']  = negotiate_result[:claims][:sub]
+          status, app_headers, body = @app.call(env)
+          response_headers = app_headers.dup
+          response_headers['WWW-Authenticate'] = "Negotiate #{negotiate_result[:output_token]}" if negotiate_result[:output_token]
+          [status, response_headers, body]
+        end
+
         def skip_path?(path)
           SKIP_PATHS.any? { |p| path.start_with?(p) }
         end
 
+        def extract_negotiate_token(env)
+          header = env[AUTH_HEADER]
+          return nil unless header
+
+          match = header.match(NEGOTIATE_PATTERN)
+          match&.captures&.first
+        end
+
+        def verify_negotiate(token)
+          return nil unless kerberos_available?
+
+          client = Legion::Extensions::Kerberos::Client.new
+          auth_result = client.authenticate(token: token)
+          return nil unless auth_result[:success]
+
+          claims = Legion::Rbac::KerberosClaimsMapper.map_with_fallback(
+            principal: auth_result[:principal],
+            groups:    auth_result[:groups] || [],
+            role_map:  kerberos_role_map,
+            fallback:  kerberos_fallback
+          )
+
+          { claims: claims, output_token: auth_result[:output_token] }
+        rescue StandardError
+          nil
+        end
+
+        def kerberos_available?
+          defined?(Legion::Extensions::Kerberos::Client) &&
+            defined?(Legion::Rbac::KerberosClaimsMapper)
+        end
+
+        def kerberos_role_map
+          return {} unless defined?(Legion::Settings)
+
+          Legion::Settings.dig(:kerberos, :role_map) || {}
+        rescue StandardError
+          {}
+        end
+
+        def kerberos_fallback
+          return :entra unless defined?(Legion::Settings)
+
+          Legion::Settings.dig(:kerberos, :fallback) || :entra
+        rescue StandardError
+          :entra
+        end
+
         def extract_api_key(env)
           env[API_KEY_HEADER]
         end

data/lib/legion/api.rb

@@ -29,6 +29,7 @@ require_relative 'api/rbac'
 require_relative 'api/auth'
 require_relative 'api/auth_worker'
 require_relative 'api/auth_human'
+require_relative 'api/auth_kerberos'
 require_relative 'api/capacity'
 require_relative 'api/audit'
 require_relative 'api/metrics'
@@ -103,6 +104,7 @@ module Legion
     register Routes::Auth
     register Routes::AuthWorker
     register Routes::AuthHuman
+    register Routes::AuthKerberos
     register Routes::Capacity
     register Routes::Audit
     register Routes::Metrics

data/lib/legion/cli/auth_command.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require 'thor'
+require 'uri'
+require 'fileutils'
 
 module Legion
   module CLI
@@ -72,6 +74,38 @@ module Legion
         out.json({ authenticated: true, scopes: scopes, expires_in: body['expires_in'] })
       end
 
+      desc 'kerberos', 'Authenticate using Kerberos TGT from your workstation'
+      method_option :api_url, type: :string, desc: 'Legion API base URL'
+      method_option :realm,   type: :string, desc: 'Kerberos realm override'
+      def kerberos
+        klist_output = `klist 2>&1`
+        unless $CHILD_STATUS&.success?
+          say 'No Kerberos ticket found. Run kinit first or check your domain connection.', :red
+          return
+        end
+
+        principal_match = klist_output.match(/Principal:\s+(\S+)/)
+        unless principal_match
+          say 'Could not detect Kerberos principal from klist output.', :red
+          return
+        end
+
+        principal = principal_match[1]
+        realm     = options[:realm] || principal.split('@', 2).last
+        say 'Detected Kerberos ticket:', :green
+        say "  Principal: #{principal}"
+        say "  Realm: #{realm}"
+
+        api_url = resolve_api_url
+        say "Authenticating to #{api_url}..."
+
+        token    = build_spnego_token(api_url)
+        response = send_negotiate_request(api_url, token)
+        handle_negotiate_response(response)
+      rescue StandardError => e
+        say "Kerberos auth error: #{e.message}", :red
+      end
+
       default_task :teams
 
       no_commands do
@@ -81,6 +115,56 @@ module Legion
             color: !options[:no_color]
           )
         end
+
+        def resolve_api_url
+          url = options[:api_url]
+          url ||= Legion::Settings.dig(:api, :url) if defined?(Legion::Settings)
+          url || 'http://127.0.0.1:4567'
+        end
+
+        def build_spnego_token(api_url)
+          require 'gssapi'
+          require 'base64'
+          host = ::URI.parse(api_url).host
+          spnego = GSSAPI::Simple.new(host, 'HTTP')
+          ::Base64.strict_encode64(spnego.init_context)
+        end
+
+        def send_negotiate_request(api_url, token)
+          require 'net/http'
+          uri = ::URI.parse("#{api_url}/api/auth/negotiate")
+          http = ::Net::HTTP.new(uri.host, uri.port)
+          request = ::Net::HTTP::Get.new(uri.request_uri)
+          request['Authorization'] = "Negotiate #{token}"
+          http.request(request)
+        end
+
+        def handle_negotiate_response(response)
+          if response.code.to_i == 200
+            body = ::JSON.parse(response.body) rescue {} # rubocop:disable Style/RescueModifier
+            token_val = body.is_a?(Hash) ? (body['token'] || body.dig('data', 'token')) : nil
+            if token_val
+              save_credentials(token_val)
+              roles = body['roles'] || body.dig('data', 'roles') || []
+              say "  Roles: #{Array(roles).join(', ')}", :green
+              say '  Token saved to ~/.legionio/credentials', :green
+              say 'Login successful (kerberos)', :green
+            else
+              say 'Authentication succeeded but no token in response', :yellow
+            end
+          else
+            say "Authentication failed: HTTP #{response.code}", :red
+            say response.body.to_s, :red
+          end
+        end
+
+        def save_credentials(token_val)
+          credentials_dir = ::File.join(::Dir.home, '.legionio')
+          ::FileUtils.mkdir_p(credentials_dir)
+          cred_path = ::File.join(credentials_dir, 'credentials')
+          ::File.write(cred_path, token_val)
+          ::File.chmod(0o600, cred_path)
+        end
       end
     end
   end

data/lib/legion/cli/chat/subagent.rb

@@ -13,15 +13,32 @@ module Legion
         @running = []
         @mutex = Mutex.new
         @max_concurrency = MAX_CONCURRENCY
+        @timeout = TIMEOUT
 
         class << self
-          attr_accessor :max_concurrency
+          attr_accessor :max_concurrency, :timeout
 
-          def configure(max_concurrency: MAX_CONCURRENCY)
+          def configure(max_concurrency: MAX_CONCURRENCY, timeout: TIMEOUT)
             @max_concurrency = max_concurrency
+            @timeout = timeout
             @running = []
           end
 
+          def configure_from_settings
+            mc = begin
+              Legion::Settings.dig(:chat, :subagent, :max_concurrency)
+            rescue StandardError
+              nil
+            end
+            to = begin
+              Legion::Settings.dig(:chat, :subagent, :timeout)
+            rescue StandardError
+              nil
+            end
+            @max_concurrency = mc || MAX_CONCURRENCY
+            @timeout = to || TIMEOUT
+          end
+
           def spawn(task:, model: nil, provider: nil, on_complete: nil)
             return { error: "Max concurrency reached (#{@max_concurrency}). Wait for a subagent to finish." } if at_capacity?
 
@@ -54,7 +71,7 @@ module Legion
             @mutex.synchronize { @running.length >= @max_concurrency }
           end
 
-          def wait_all(timeout: TIMEOUT)
+          def wait_all(timeout: @timeout || TIMEOUT)
             deadline = Time.now + timeout
             @running.each do |agent|
               remaining = deadline - Time.now

data/lib/legion/cli/chat_command.rb

@@ -45,7 +45,7 @@ module Legion
         system_prompt = build_system_prompt
         @session = Chat::Session.new(
           chat: chat_obj, system_prompt: system_prompt,
-          budget_usd: options[:max_budget_usd]
+          budget_usd: effective_budget
         )
         @indicator = Chat::StatusIndicator.new(@session) unless options[:json]
 
@@ -55,7 +55,7 @@ module Legion
 
         setup_notification_bridge
 
-        chat_log.info "session started model=#{@session.model_id} incognito=#{options[:incognito]}"
+        chat_log.info "session started model=#{@session.model_id} incognito=#{incognito?}"
         out.banner(version: Legion::VERSION)
         puts
         puts out.dim("  Model: #{@session.model_id}")
@@ -80,7 +80,7 @@ module Legion
 
       desc 'prompt TEXT', 'Send a single prompt and exit (headless mode)'
       option :output_format, type: :string, default: 'text', desc: 'Output format: text, json'
-      option :max_turns, type: :numeric, default: 10, desc: 'Maximum tool-use turns'
+      option :max_turns, type: :numeric, desc: 'Maximum tool-use turns (default: 10)'
       def prompt(text)
         out = formatter
         setup_chat_logger
@@ -94,7 +94,7 @@ module Legion
         system_prompt = build_system_prompt
         session = Chat::Session.new(
           chat: chat_obj, system_prompt: system_prompt,
-          budget_usd: options[:max_budget_usd]
+          budget_usd: effective_budget
         )
 
         chat_log.info "headless prompt model=#{session.model_id} length=#{text.length}"
@@ -129,6 +129,24 @@ module Legion
       end
 
       no_commands do
+        def chat_setting(*keys)
+          Legion::Settings.dig(:chat, *keys)
+        rescue StandardError
+          nil
+        end
+
+        def incognito?
+          options[:incognito] || chat_setting(:incognito) == true
+        end
+
+        def effective_budget
+          options[:max_budget_usd] || chat_setting(:max_budget_usd)
+        end
+
+        def effective_max_turns
+          options[:max_turns] || chat_setting(:headless, :max_turns) || 10
+        end
+
         def formatter
           @formatter ||= Output::Formatter.new(
             json:  options[:json],
@@ -173,7 +191,12 @@ module Legion
         end
 
         def render_response(text, out)
-          return text if options[:no_markdown] || options[:no_color]
+          markdown_enabled = if options[:no_markdown]
+                               false
+                             else
+                               chat_setting(:markdown) != false
+                             end
+          return text unless markdown_enabled && out.color_enabled
 
           require 'legion/cli/chat/markdown_renderer'
           Chat::MarkdownRenderer.render(text, color: out.color_enabled)
@@ -194,6 +217,8 @@ module Legion
           require 'legion/cli/chat/permissions'
           Chat::Permissions.mode = if options[:auto_approve]
                                      :auto_approve
+                                   elsif (setting = chat_setting(:permissions))
+                                     setting.to_sym
                                    else
                                      default
                                    end
@@ -201,8 +226,9 @@ module Legion
 
         def create_chat
           opts = {}
-          opts[:model]    = options[:model] if options[:model]
-          opts[:provider] = options[:provider]&.to_sym if options[:provider]
+          opts[:model]    = options[:model] || chat_setting(:model)
+          opts[:provider] = (options[:provider] || chat_setting(:provider))&.to_sym
+          opts.compact!
 
           require 'legion/cli/chat/tool_registry'
           chat = Legion::LLM.chat(**opts)
@@ -217,13 +243,11 @@ module Legion
           @extra_dirs = options[:add_dir] || []
           prompt = Chat::Context.to_system_prompt(Dir.pwd, extra_dirs: @extra_dirs)
 
-          if options[:personality]
-            @personality = options[:personality]
-            case @personality
-            when 'concise'     then prompt += "\n\nBe extremely concise. Short answers, minimal explanation. Code over prose."
-            when 'verbose'     then prompt += "\n\nBe thorough and detailed. Explain your reasoning step by step."
-            when 'educational' then prompt += "\n\nBe educational. Explain concepts, provide context, teach as you help."
-            end
+          @personality = options[:personality] || chat_setting(:personality)
+          case @personality
+          when 'concise'     then prompt += "\n\nBe extremely concise. Short answers, minimal explanation. Code over prose."
+          when 'verbose'     then prompt += "\n\nBe thorough and detailed. Explain your reasoning step by step."
+          when 'educational' then prompt += "\n\nBe educational. Explain concepts, provide context, teach as you help."
           end
 
           prompt
@@ -335,7 +359,7 @@ module Legion
           end
 
           result = lines.join("\n")
-          result.strip.empty? ? nil : result
+          result.strip.empty? ? '' : result
         rescue Interrupt
           raise if first_line
 
@@ -1014,7 +1038,7 @@ module Legion
 
         def auto_save_session(out)
           return if @auto_saved
-          return if options[:incognito]
+          return if incognito?
           return unless @session
           return if @session.stats[:messages_sent].zero?
 

data/lib/legion/cli/config_scaffold.rb

@@ -7,7 +7,7 @@ require 'net/http'
 module Legion
   module CLI
     module ConfigScaffold
-      SUBSYSTEMS = %w[transport data cache crypt logging llm].freeze
+      SUBSYSTEMS = %w[transport data cache crypt logging llm chat].freeze
 
       ENV_DETECTIONS = {
         'AWS_BEARER_TOKEN_BEDROCK' => { subsystem: 'llm', provider: :bedrock, field: :bearer_token },
@@ -202,6 +202,19 @@ module Legion
               ollama:    { enabled: false, base_url: 'http://localhost:11434' }
             }
           } }
+        when 'chat'
+          { chat: {
+            permissions:    'interactive',
+            model:          nil,
+            provider:       nil,
+            personality:    nil,
+            markdown:       true,
+            incognito:      false,
+            max_budget_usd: nil,
+            subagent:       { max_concurrency: 3, timeout: 300 },
+            headless:       { max_turns: 10 },
+            notifications:  { patterns: [] }
+          } }
         end
       end
 
@@ -344,6 +357,19 @@ module Legion
               ollama:    { enabled: false, base_url: 'http://localhost:11434' }
             }
           } }
+        when 'chat'
+          { chat: {
+            permissions:    'interactive',
+            model:          nil,
+            provider:       nil,
+            personality:    nil,
+            markdown:       true,
+            incognito:      false,
+            max_budget_usd: nil,
+            subagent:       { max_concurrency: 3, timeout: 300 },
+            headless:       { max_turns: 10 },
+            notifications:  { patterns: [] }
+          } }
         end
       end
     end

data/lib/legion/cli/tty_command.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require 'thor'
+require 'legion/cli/output'
+
+module Legion
+  module CLI
+    class Tty < Thor
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+      class_option :config_dir, type: :string, desc: 'Config directory (~/.legionio/settings)'
+      class_option :skip_rain, type: :boolean, default: false, desc: 'Skip the digital rain intro'
+
+      default_task :interactive
+
+      desc 'interactive', 'Launch the rich terminal UI (default)'
+      long_desc <<~DESC
+        Launches the Legion TTY - a rich terminal interface with:
+        - Onboarding wizard (first run)
+        - AI chat shell with streaming responses
+        - Operational dashboard (Ctrl+D or /dashboard)
+        - Session persistence across runs
+
+        Similar to tools like Claude Code (CLI) and OpenAI Codex,
+        but purpose-built for LegionIO's async cognition engine.
+
+        First run: walks you through identity detection (Kerberos/GitHub),
+        provider selection, and API key setup.
+
+        Subsequent runs: loads saved identity, re-scans environment,
+        and drops straight into the chat shell.
+      DESC
+      def interactive
+        require_tty_gem
+        config_dir = options[:config_dir] || Legion::TTY::App::CONFIG_DIR
+        app = Legion::TTY::App.new(config_dir: config_dir)
+        app.start
+      rescue Interrupt
+        app&.shutdown
+      end
+
+      desc 'reset', 'Clear saved identity and credentials (re-run onboarding)'
+      option :confirm, type: :boolean, default: false, aliases: ['-y'], desc: 'Skip confirmation'
+      def reset
+        out = formatter
+        config_dir = options[:config_dir] || File.expand_path('~/.legionio/settings')
+
+        identity = File.join(config_dir, 'identity.json')
+        credentials = File.join(config_dir, 'credentials.json')
+
+        unless options[:confirm]
+          out.warn('This will delete your saved identity and credentials.')
+          out.warn('You will need to re-run onboarding.')
+          require 'tty-prompt'
+          prompt = ::TTY::Prompt.new
+          return unless prompt.yes?('Continue?')
+        end
+
+        [identity, credentials].each do |path|
+          if File.exist?(path)
+            File.delete(path)
+            out.success("Deleted #{File.basename(path)}")
+          end
+        end
+      end
+
+      desc 'sessions', 'List saved chat sessions'
+      def sessions
+        out = formatter
+        require_tty_gem
+
+        store = Legion::TTY::SessionStore.new
+        list = store.list
+
+        if list.empty?
+          out.detail('No saved sessions.')
+          return
+        end
+
+        list.each do |session|
+          name = session[:name]
+          count = session[:message_count]
+          saved = session[:saved_at] || 'unknown'
+          puts "  #{name.ljust(30)} #{count} messages  #{saved}"
+        end
+      end
+
+      desc 'version', 'Show legion-tty version'
+      def version
+        require_tty_gem
+        puts "legion-tty #{Legion::TTY::VERSION}"
+      end
+
+      no_commands do
+        def formatter
+          @formatter ||= Output::Formatter.new(
+            json:  false,
+            color: !options[:no_color]
+          )
+        end
+
+        private
+
+        def require_tty_gem
+          require 'legion/tty'
+        rescue LoadError => e
+          formatter.error("legion-tty gem not installed: #{e.message}")
+          formatter.detail('Install with: gem install legion-tty')
+          raise SystemExit, 1
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli.rb

@@ -41,6 +41,7 @@ module Legion
     autoload :Cost,        'legion/cli/cost_command'
     autoload :Marketplace, 'legion/cli/marketplace_command'
     autoload :Notebook,    'legion/cli/notebook_command'
+    autoload :Tty,         'legion/cli/tty_command'
 
     class Main < Thor
       def self.exit_on_failure?
@@ -227,6 +228,9 @@ module Legion
       desc 'notebook', 'Read and export Jupyter notebooks'
       subcommand 'notebook', Legion::CLI::Notebook
 
+      desc 'tty', 'Rich terminal UI (onboarding, AI chat, dashboard)'
+      subcommand 'tty', Legion::CLI::Tty
+
       desc 'tree', 'Print a tree of all available commands'
       def tree
         legion_print_command_tree(self.class, 'legion', '')

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.4.59'
+  VERSION = '1.4.61'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.4.59
+  version: 1.4.61
 platform: ruby
 authors:
 - Esity
@@ -319,6 +319,7 @@ files:
 - lib/legion/api/audit.rb
 - lib/legion/api/auth.rb
 - lib/legion/api/auth_human.rb
+- lib/legion/api/auth_kerberos.rb
 - lib/legion/api/auth_worker.rb
 - lib/legion/api/capacity.rb
 - lib/legion/api/chains.rb
@@ -479,6 +480,7 @@ files:
 - lib/legion/cli/theme.rb
 - lib/legion/cli/trace_command.rb
 - lib/legion/cli/trigger.rb
+- lib/legion/cli/tty_command.rb
 - lib/legion/cli/update_command.rb
 - lib/legion/cli/version.rb
 - lib/legion/cli/worker_command.rb