legionio 1.4.73 → 1.4.82

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7693068b5190222c508dd07a248424e8f9e1eff77e80059cbd8a4fc81e9e6325
-  data.tar.gz: 43cc0da2efe7d604101ab87426c21b5f8ce677a8c023aeec38e5b91018b515ae
+  metadata.gz: be7718191541e7f3c7d122c0df0f74145ef0ed5aa8e4b8a67396932155e4cccf
+  data.tar.gz: 5b4f4e5453fe9667b6424433d8d0ec9cfe524b6f9c35be64f7e4b0edeae1c3f3
 SHA512:
-  metadata.gz: a2d75a86b1646113be917a9f8ed17f8f7aa8ffb48ff371db78ee62fbfdba1929d85e675f2bf7d6a5469b077f10370f3d044eb6f5049db353d471f5be1c3cbab5
-  data.tar.gz: 2f00a29a6ddf7be18ee71839b97e1a8aeeb74f2cecd820932447bc574fcfeb595a6adce0d757909bf3e3d68909235fcbb32ad95182192b5471dea0a2f3d39a0e
+  metadata.gz: dd10e410a69d1cae47dadbaf02f287857410b44e8f8d305c1cd8b555a44a32d2a6b0a63950a3ee2e54d815ef28a25ee7dc08fd7e78a584ec39698b03385bcac0
+  data.tar.gz: ce22d223fd1b67df63878d1e1f4d54273437c01a4359f384dc0658ecf06e1e83481285d2b78afd511ee17fabe75a5cb8342826e5cab6ee63cc49a33ccb3c38e4

data/.dockerignore

@@ -0,0 +1,11 @@
+.git
+.github
+spec
+docs
+*.md
+.rubocop.yml
+.rspec
+tmp
+log
+.dockerignore
+Dockerfile

data/.github/workflow-templates/eval-gate.yml

@@ -0,0 +1,118 @@
+# .github/workflow-templates/eval-gate.yml
+#
+# Eval gate workflow template for LegionIO CI/CD pipelines.
+# Copy this file to .github/workflows/eval-gate.yml in your repo and adjust the
+# env vars to match your dataset and threshold requirements.
+#
+# Required secrets:
+#   LEGIONIO_BOOTSTRAP_CONFIG  (base64-encoded bootstrap JSON, or omit for defaults)
+#
+# Usage:
+#   - Trigger manually (workflow_dispatch) or on push/PR targeting main
+#   - Job exits 0 if avg_score >= threshold, exits 1 and fails the pipeline if below
+
+name: Eval Gate
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      dataset:
+        description: 'Dataset name to evaluate'
+        required: true
+        default: 'default'
+      threshold:
+        description: 'Pass/fail threshold (0.0 - 1.0)'
+        required: false
+        default: '0.8'
+      evaluator:
+        description: 'Evaluator name (leave blank for first builtin template)'
+        required: false
+        default: ''
+
+env:
+  DATASET:   ${{ github.event.inputs.dataset   || 'default' }}
+  THRESHOLD: ${{ github.event.inputs.threshold || '0.8' }}
+  EVALUATOR: ${{ github.event.inputs.evaluator || '' }}
+
+jobs:
+  eval-gate:
+    name: Eval Gate (${{ env.DATASET }} @ ${{ env.THRESHOLD }})
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Install Legion
+        run: gem install legionio --no-document
+
+      - name: Bootstrap config (optional)
+        if: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG != '' }}
+        env:
+          LEGIONIO_BOOTSTRAP_CONFIG: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG }}
+        run: echo "Bootstrap config present"
+
+      - name: Run eval gate
+        id: eval
+        env:
+          LEGIONIO_BOOTSTRAP_CONFIG: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG }}
+        run: |
+          EVAL_ARGS="--dataset $DATASET --threshold $THRESHOLD --exit-code --json"
+          if [ -n "$EVALUATOR" ]; then
+            EVAL_ARGS="$EVAL_ARGS --evaluator $EVALUATOR"
+          fi
+          legion eval run $EVAL_ARGS | tee eval-report.json
+
+      - name: Upload eval report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: eval-report-${{ github.run_number }}
+          path: eval-report.json
+          retention-days: 30
+
+      - name: Annotate PR with eval results
+        if: github.event_name == 'pull_request' && always()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            let report;
+            try {
+              report = JSON.parse(fs.readFileSync('eval-report.json', 'utf8'));
+            } catch (e) {
+              console.log('Could not parse eval report:', e.message);
+              return;
+            }
+            const gate   = report.passed ? 'PASSED' : 'FAILED';
+            const score  = (report.avg_score || 0).toFixed(3);
+            const thresh = report.threshold || 0;
+            const body   = [
+              `## Eval Gate: ${gate}`,
+              '',
+              `| Metric | Value |`,
+              `|--------|-------|`,
+              `| Dataset | \`${report.dataset}\` |`,
+              `| Evaluator | \`${report.evaluator}\` |`,
+              `| Avg Score | ${score} |`,
+              `| Threshold | ${thresh} |`,
+              `| Total Rows | ${report.summary?.total ?? 'N/A'} |`,
+              `| Passed | ${report.summary?.passed ?? 'N/A'} |`,
+              `| Failed | ${report.summary?.failed ?? 'N/A'} |`,
+            ].join('\n');
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner:        context.repo.owner,
+              repo:         context.repo.repo,
+              body:         body,
+            });

data/.github/workflows/ci-cd.yml

@@ -0,0 +1,67 @@
+name: CI/CD
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    services:
+      rabbitmq:
+        image: rabbitmq:3.13-management
+        ports: ['5672:5672']
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_PASSWORD: test
+          POSTGRES_DB: legion_test
+        ports: ['5432:5432']
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+      - run: bundle install && bundle exec rspec
+      - run: bundle exec rubocop
+
+  build:
+    name: Build Image
+    needs: test
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/legionio/legion:${{ github.sha }}
+            ghcr.io/legionio/legion:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  helm-lint:
+    name: Helm Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: azure/setup-helm@v3
+      - run: helm lint deploy/helm/legion

data/.github/workflows/ci.yml

@@ -14,3 +14,16 @@ jobs:
     uses: LegionIO/.github/.github/workflows/release.yml@main
     secrets:
       rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}
+
+  trigger-homebrew:
+    needs: release
+    if: needs.release.outputs.changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger daemon build
+        env:
+          GH_TOKEN: ${{ secrets.HOMEBREW_DISPATCH_TOKEN }}
+        run: |
+          gh api repos/LegionIO/homebrew-tap/dispatches \
+            -f event_type=build-daemon \
+            -f "client_payload[legionio_version]=${{ needs.release.outputs.version }}"

data/CHANGELOG.md

@@ -1,5 +1,92 @@
 # Legion Changelog
 
+## [1.4.82] - 2026-03-20
+
+### Added
+- `legion check --privacy` command: verifies enterprise privacy mode (flag set, no cloud API keys, external endpoints unreachable)
+- `PrivacyCheck` class with three probes: flag_set, no_cloud_keys, no_external_endpoints
+- `Legion::Service.log_privacy_mode_status` logs enterprise privacy state at startup
+
+## [1.4.81] - 2026-03-20
+
+### Added
+- `legion eval experiments` subcommand: list all experiment runs with status and summary
+- `legion eval promote --experiment NAME --tag TAG` subcommand: tag a prompt version for production via lex-prompt
+- `legion eval compare --run1 NAME --run2 NAME` subcommand: side-by-side diff of two experiment runs
+- `require_prompt!` guard for lex-prompt extension availability
+
+## [1.4.80] - 2026-03-20
+
+### Added
+- `legion eval run` CLI subcommand for CI/CD threshold-based eval gating
+- `--dataset`, `--threshold`, `--evaluator`, `--exit-code` options on `eval run`
+- JSON report output to stdout with per-row scores, summary, and timestamp
+- `.github/workflow-templates/eval-gate.yml` reusable GitHub Actions workflow template
+- PR annotation step in workflow template for inline eval result comments
+
+## [1.4.79] - 2026-03-20
+
+### Added
+- Unified LEX routing layer: auto-expose runner functions as POST endpoints at `/api/lex/{ext}/{runner}/{action}`
+- `Builders::Routes` auto-discovers runner public methods during extension autobuild
+- `Routes::Lex` wildcard handler dispatches through Ingress with JWT + RBAC
+- `GET /api/lex` listing endpoint for route discovery
+- Settings-based configuration at `api.lex_routes` (global enable, per-extension enable, runner/function exclusions)
+- `skip_routes` DSL for runner modules to opt out of auto-route exposure
+- Auto-routes included in OpenAPI spec generation
+- `runner_module` reference stored in builders runner hash for introspection
+
+## [1.4.78] - 2026-03-19
+
+### Added
+- Response headers support in `render_custom_response`: runners can return `response[:headers]` hash for custom HTTP headers
+
+### Removed
+- Legacy `POST /api/hooks/:lex_name/:hook_name` route (superseded by `GET|POST /api/hooks/lex/*` splat routes in v1.4.76)
+- Hardcoded `GET /api/auth/negotiate` Kerberos route (migrated to lex-kerberos hook at `/api/hooks/lex/kerberos/negotiate`)
+- `Routes::AuthKerberos` module and `api/auth_kerberos.rb` file
+
+## [1.4.77] - 2026-03-19
+
+### Added
+- Hardcoded deny list in `Extensions::Permissions` blocking access to `~/.ssh`, `~/.gnupg`, `~/.aws/credentials`
+- Deny list overrides all other permission checks including explicit approvals
+
+## [1.4.76] - 2026-03-19
+
+### Added
+- `Hooks::Base.mount(path)` DSL for extension-derived URL suffixes (e.g., `/callback`)
+- `GET /api/hooks/lex/*` splat route for hook discovery via GET requests
+- `POST /api/hooks/lex/*` splat route with `route_path`-based hook dispatch
+- `Legion::API.find_hook_by_path(path)` for direct route-path lookup in hook registry
+- `route_path` field stored in hook registry entries and returned in `GET /api/hooks` listing
+- Runner-controlled responses: `result[:response]` hash with `:status`, `:content_type`, `:body`
+- `build_payload`, `dispatch_hook`, `render_custom_response` extracted helpers in Routes::Hooks
+
+### Changed
+- `register_hook` now accepts `route_path:` keyword; defaults to `lex_name/hook_name` if omitted
+- `builders/hooks.rb` computes `route_path` from `extension_name/hook_name + mount_path`
+- `extensions/core.rb` passes `route_path:` when calling `Legion::API.register_hook`
+- `GET /api/hooks` listing now includes `route_path` and updated `endpoint` field
+- Removed `Routes::OAuth` (moved OAuth callback to lex-microsoft_teams hook with mount path)
+- `handle_hook_request` refactored into smaller helpers to stay within complexity limits
+
+## [1.4.75] - 2026-03-19
+
+### Added
+- `Legion::Extensions::Catalog` singleton state machine tracking extension lifecycle (registered/loaded/starting/running/stopping/stopped)
+- `Legion::Extensions::Permissions` three-layer file permission model (sandbox, declared paths, auto-approve globs)
+- `GET /api/catalog` and `GET /api/catalog/:name` extension capability manifest endpoints
+- Tier 0 routing in `POST /api/llm/chat` via `Legion::MCP::TierRouter` for LLM-free cached responses
+- Data::Local migrations for extension_catalog and extension_permissions tables
+- Catalog lifecycle wired into extension loader (register/loaded/running/stopping/stopped transitions)
+
+## [1.4.74] - 2026-03-19
+
+### Changed
+- Extracted `Legion::MCP` to dedicated `legion-mcp` gem (v0.1.0)
+- Replaced `mcp` gem dependency with `legion-mcp`
+
 ## [1.4.73] - 2026-03-19
 
 ### Added

data/CLAUDE.md

@@ -9,7 +9,7 @@ The primary gem for the LegionIO framework. An extensible async job engine for s
 
 **GitHub**: https://github.com/LegionIO/LegionIO
 **Gem**: `legionio`
-**Version**: 1.4.70
+**Version**: 1.4.79
 **License**: Apache-2.0
 **Docker**: `legionio/legion`
 **Ruby**: >= 3.4
@@ -46,8 +46,8 @@ Legion.start
       ├── 5.  require legion-cache
       ├── 6.  setup_data         (legion-data, MySQL/SQLite + migrations, optional)
       ├── 7.  setup_rbac         (legion-rbac, optional)
-      ├── 8.  setup_llm          (legion-llm, optional)
-      ├── 9.  setup_gaia         (legion-gaia, cognitive layer, optional)
+      ├── 8.  setup_llm          (legion-llm, AI provider setup + routing, optional)
+      ├── 9.  setup_gaia         (legion-gaia, cognitive coordination layer, optional)
       ├── 10. setup_telemetry    (OpenTelemetry, optional)
       ├── 11. setup_supervision  (process supervision)
       ├── 12. load_extensions    (two-phase: require+autobuild all, then hook_all_actors)
@@ -95,9 +95,10 @@ Legion (lib/legion.rb)
 │   │   └── Nothing    # No-op actor
 │   ├── Builders/      # Build actors and runners from LEX definitions
 │   │   ├── Actors     # Build actors from extension definitions
-│   │   ├── Runners    # Build runners from extension definitions
+│   │   ├── Runners    # Build runners from extension definitions (stores runner_module ref)
 │   │   ├── Helpers    # Builder utilities
-│   │   └── Hooks      # Webhook hook system builder
+│   │   ├── Hooks      # Webhook hook system builder
+│   │   └── Routes     # Auto-route builder: introspects runners, registers POST /api/lex/* routes
 │   ├── Helpers/       # Helper mixins for extensions
 │   │   ├── Base       # Base helper mixin
 │   │   ├── Core       # Core helper mixin
@@ -128,6 +129,7 @@ Legion (lib/legion.rb)
 │   │   ├── Events     # SSE stream (sinatra stream) + ring buffer polling fallback
 │   │   ├── Transport  # Connection status, exchanges, queues, publish
 │   │   ├── Hooks      # List + trigger registered extension hooks
+│   │   ├── Lex        # Auto-routes: `POST /api/lex/*` wildcard + `GET /api/lex` listing
 │   │   ├── Workers    # Digital worker lifecycle (`/api/workers/*`) + team routes (`/api/teams/*`)
 │   │   ├── Coldstart  # `POST /api/coldstart/ingest` — trigger lex-coldstart ingest from API
 │   │   ├── Capacity   # Aggregate, forecast, per-worker capacity endpoints
@@ -142,26 +144,13 @@ Legion (lib/legion.rb)
 │   │   ├── ApiVersion # `/api/v1/` rewrite, Deprecation/Sunset headers
 │   │   ├── BodyLimit  # Request body size limit (1MB max, returns 413)
 │   │   └── RateLimit  # Sliding-window rate limiting with per-IP/agent/tenant tiers
-│   └── hook_registry  # Class-level registry: register_hook, find_hook, registered_hooks
-│                      # Populated by extensions via Legion::API.register_hook(...)
+│   ├── hook_registry  # Class-level registry: register_hook, find_hook, registered_hooks
+│   │                  # Populated by extensions via Legion::API.register_hook(...)
+│   └── route_registry # Class-level registry: register_route, find_route_by_path, registered_routes
+│                      # Populated by Builders::Routes during autobuild
 │
-├── MCP (mcp gem)      # MCP server for AI agent integration
-│   ├── MCP.server     # Singleton factory: Legion::MCP.server returns MCP::Server instance
-│   ├── Server         # MCP::Server builder, tool/resource registration
-│   ├── Tools/         # 35 MCP::Tool subclasses (legion.* namespace)
-│   │   ├── RunTask         # Agentic: dot notation task execution
-│   │   ├── DescribeRunner  # Agentic: runner/function discovery
-│   │   ├── List/Get/Delete Task + GetTaskLogs
-│   │   ├── List/Create/Update/Delete Chain
-│   │   ├── List/Create/Update/Delete Relationship
-│   │   ├── List/Get/Enable/Disable Extension
-│   │   ├── List/Create/Update/Delete Schedule
-│   │   ├── GetStatus, GetConfig
-│   │   ├── ListWorkers, ShowWorker, WorkerLifecycle, WorkerCosts, TeamSummary, RoutingStats
-│   │   └── RbacAssignments, RbacCheck, RbacGrants
-│   └── Resources/
-│       ├── RunnerCatalog   # legion://runners - all ext.runner.func paths
-│       └── ExtensionInfo   # legion://extensions/{name} - extension detail template
+├── MCP (legion-mcp gem)  # Extracted to standalone gem — see legion-mcp/CLAUDE.md
+│   └── (35 tools, 2 resources, TierRouter, PatternStore, ContextGuard, Observer, EmbeddingIndex)
 │
 ├── DigitalWorker      # Digital worker platform (AI-as-labor governance)
 │   ├── Lifecycle      # Worker state machine (active/paused/retired/terminated)
@@ -228,6 +217,10 @@ Legion (lib/legion.rb)
     ├── Pr                 # `legion pr` - AI-generated PR title and description via LLM
     ├── Review             # `legion review` - AI code review with severity levels
     ├── Gaia               # `legion gaia` - Gaia status
+    ├── Llm                # `legion llm` - LLM subsystem status and provider health
+    ├── Detect             # `legion detect scan` - scan environment and recommend extensions
+    ├── Observe            # `legion observe stats` - MCP tool usage statistics from Observer
+    ├── Tty                # `legion tty interactive` - launch rich terminal UI (legion-tty)
     ├── Graph              # `legion graph show` - task relationship graph (mermaid/dot)
     ├── Trace              # `legion trace search` - NL trace search via LLM
     ├── Dashboard          # `legion dashboard` - TUI operational dashboard with auto-refresh
@@ -364,7 +357,7 @@ legion
 
   plan                               # read-only exploration mode (no writes/edits/shell)
     [--model MODEL] [--provider PROVIDER]
-    # Slash commands: /save (writes plan to docs/plans/), /help, /quit
+    # Slash commands: /save (writes plan to docs/work/planning/), /help, /quit
 
   swarm                              # multi-agent workflow orchestration
     start NAME                       # run a workflow from .legion/swarms/NAME.json
@@ -483,11 +476,11 @@ legion
 
 ### MCP Design
 
-- Uses `mcp` gem (~> 0.8): `MCP::Server`, `MCP::Tool`, `MCP::Resource`
-- Transports: `MCP::Server::Transports::StdioTransport`, `MCP::Server::Transports::StreamableHTTPTransport`
-- HTTP transport uses rackup + puma
+Extracted to the `legion-mcp` gem (v0.1.0). See `legion-mcp/CLAUDE.md` for full architecture.
+
 - `Legion::MCP.server` is memoized singleton — call `Legion::MCP.reset!` in tests
 - Tool naming: `legion.snake_case_name` (dot namespace, not slash)
+- Tier 0 routing: PatternStore + TierRouter + ContextGuard for LLM-free cached responses
 
 ## Dependencies
 
@@ -507,7 +500,7 @@ legion
 | `oj` (>= 3.16) | Fast JSON (C extension) |
 | `puma` (>= 6.0) | HTTP server for API |
 | `rackup` (>= 2.0) | Rack server launcher for MCP HTTP transport |
-| `mcp` (~> 0.8) | MCP server SDK |
+| `legion-mcp` | MCP server + Tier 0 routing (extracted gem) |
 | `reline` (>= 0.5) | Interactive line editing for chat REPL |
 | `rouge` (>= 4.0) | Syntax highlighting for chat markdown rendering |
 | `tty-spinner` (~> 0.9) | Spinner animation for CLI loading states |
@@ -539,7 +532,7 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 | `lib/legion/extensions.rb` | LEX discovery, loading, actor hooking, shutdown |
 | `lib/legion/extensions/core.rb` | Extension mixin (requirement flags, autobuild) |
 | `lib/legion/extensions/actors/` | Actor types: base, every, loop, once, poll, subscription, nothing, defaults |
-| `lib/legion/extensions/builders/` | Build actors, runners, helpers, hooks from definitions |
+| `lib/legion/extensions/builders/` | Build actors, runners, helpers, hooks, routes from definitions |
 | `lib/legion/extensions/helpers/` | Mixins: base, core, cache, data, logger, transport, task, lex |
 | `lib/legion/extensions/data/` | Extension-level migrator and model |
 | `lib/legion/extensions/hooks/base.rb` | Webhook hook base class |
@@ -572,16 +565,19 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 | `lib/legion/api/settings.rb` | Settings: read/write with redaction + readonly guards |
 | `lib/legion/api/events.rb` | Events: SSE stream + polling fallback (ring buffer) |
 | `lib/legion/api/transport.rb` | Transport: status, exchanges, queues, publish |
-| `lib/legion/api/hooks.rb` | Hooks: list registered + trigger via Ingress |
+| `lib/legion/api/hooks.rb` | Hooks: list registered + trigger via Ingress; supports custom response headers |
+| `lib/legion/api/lex.rb` | Lex auto-routes: `POST /api/lex/*` wildcard dispatch + `GET /api/lex` listing |
 | `lib/legion/api/workers.rb` | Workers + Teams: digital worker lifecycle REST endpoints (`/api/workers/*`) and team cost endpoints (`/api/teams/*`) |
 | `lib/legion/api/coldstart.rb` | Coldstart: `POST /api/coldstart/ingest` — triggers lex-coldstart ingest runner (requires lex-coldstart + lex-memory) |
 | `lib/legion/api/gaia.rb` | Gaia: system status endpoints |
 | `lib/legion/api/token.rb` | Token: JWT token issuance endpoint |
 | `lib/legion/api/openapi.rb` | OpenAPI: `Legion::API::OpenAPI.spec` / `.to_json`; also served at `GET /api/openapi.json` |
-| `lib/legion/api/oauth.rb` | OAuth: `GET /api/oauth/microsoft_teams/callback` — receives delegated OAuth redirect and stores tokens |
 | `lib/legion/api/capacity.rb` | Capacity: aggregate, forecast, and per-worker capacity endpoints |
 | `lib/legion/api/tenants.rb` | Tenants: listing, provisioning, suspension, quota check |
+| `lib/legion/api/catalog.rb` | Catalog: extension catalog with metadata endpoints |
+| `lib/legion/api/llm.rb` | LLM: provider status and routing configuration endpoints |
 | `lib/legion/api/audit.rb` | Audit: list, show, count, export audit log entries |
+| `lib/legion/api/auth.rb` | Auth: combined token exchange endpoint (`POST /api/auth/token` — JWKS verify + RBAC claims mapper) |
 | `lib/legion/api/auth_human.rb` | Auth: human user authentication endpoints |
 | `lib/legion/api/auth_worker.rb` | Auth: digital worker authentication endpoints |
 | `lib/legion/api/rbac.rb` | RBAC: role listing, permission grants, access checks |
@@ -604,19 +600,12 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 | `lib/legion/tenant_context.rb` | Thread-local tenant context propagation (set, clear, with block) |
 | `lib/legion/tenants.rb` | Tenant CRUD, suspension, quota enforcement |
 | `lib/legion/capacity/model.rb` | Workforce capacity calculation (throughput, utilization, forecast, per-worker) |
-| **MCP** | |
-| `lib/legion/mcp.rb` | Entry point: `Legion::MCP.server` singleton factory, `server_for(token:)` |
-| `lib/legion/mcp/auth.rb` | MCP authentication: JWT + API key verification |
-| `lib/legion/mcp/tool_governance.rb` | Risk-tier tool filtering and invocation audit |
-| `lib/legion/mcp/server.rb` | MCP::Server builder, TOOL_CLASSES array, governance-aware build |
+| **MCP** (extracted to `legion-mcp` gem) | |
 | `lib/legion/digital_worker.rb` | DigitalWorker module entry point |
 | `lib/legion/digital_worker/lifecycle.rb` | Worker state machine |
 | `lib/legion/digital_worker/registry.rb` | In-process worker registry |
 | `lib/legion/digital_worker/risk_tier.rb` | AIRB risk tier + governance constraints |
 | `lib/legion/digital_worker/value_metrics.rb` | Token/cost/latency tracking |
-| `lib/legion/mcp/tools/` | 35 MCP::Tool subclasses (incl. rbac_assignments, rbac_check, rbac_grants) |
-| `lib/legion/mcp/resources/runner_catalog.rb` | `legion://runners` resource |
-| `lib/legion/mcp/resources/extension_info.rb` | `legion://extensions/{name}` resource template |
 | **CLI v2** | |
 | `lib/legion/cli.rb` | `Legion::CLI::Main` Thor app, global flags, version, start/stop/status/check |
 | `lib/legion/cli/output.rb` | `Output::Formatter`: color, tables, JSON mode, ANSI stripping |
@@ -676,16 +665,23 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 | `lib/legion/cli/version.rb` | CLI version display helper |
 | `lib/legion/docs/site_generator.rb` | Static documentation site generator |
 | `lib/legion/cli/memory_command.rb` | `legion memory` subcommands (list, add, forget, search, clear) |
-| `lib/legion/cli/plan_command.rb` | `legion plan` — read-only exploration mode with /save to docs/plans/ |
+| `lib/legion/cli/plan_command.rb` | `legion plan` — read-only exploration mode with /save to docs/work/planning/ |
 | `lib/legion/cli/swarm_command.rb` | `legion swarm` — multi-agent workflow orchestration from `.legion/swarms/` |
 | `lib/legion/cli/commit_command.rb` | `legion commit` — AI-generated commit messages via LLM |
 | `lib/legion/cli/pr_command.rb` | `legion pr` — AI-generated PR title + description via LLM |
 | `lib/legion/cli/review_command.rb` | `legion review` — AI code review with severity levels (CRITICAL/WARNING/SUGGESTION/NOTE) |
 | `lib/legion/cli/gaia_command.rb` | `legion gaia` subcommands (status) |
+| `lib/legion/cli/llm_command.rb` | `legion llm` subcommands (status) — LLM subsystem status and provider health |
+| `lib/legion/cli/detect_command.rb` | `legion detect scan` — scan environment and recommend extensions |
+| `lib/legion/cli/observe_command.rb` | `legion observe stats` — MCP tool usage statistics from Observer |
+| `lib/legion/cli/tty_command.rb` | `legion tty interactive` — launch rich terminal UI (legion-tty interactive shell) |
+| `lib/legion/cli/interactive.rb` | `Interactive` Thor class — shared CLI module for `legion` binary entry point |
+| `lib/legion/cli/config_import.rb` | `legion config import` — import config from external sources |
 | `lib/legion/cli/schedule_command.rb` | `legion schedule` subcommands (list, show, add, remove, logs) |
 | `lib/legion/cli/completion_command.rb` | `legion completion` subcommands (bash, zsh, install) |
 | `lib/legion/cli/openapi_command.rb` | `legion openapi` subcommands (generate, routes); also `GET /api/openapi.json` endpoint |
-| `lib/legion/cli/doctor_command.rb` | `legion doctor` — 10-check environment diagnosis; `Doctor::Result` value object with status/message/prescription/auto_fixable |
+| `lib/legion/cli/doctor_command.rb` | `legion doctor` — 11-check environment diagnosis; `Doctor::Result` value object with status/message/prescription/auto_fixable |
+| `lib/legion/cli/doctor/` | Individual check modules: ruby_version, bundle, config, rabbitmq, database, cache, vault, extensions, pid, permissions, plus result.rb |
 | `lib/legion/cli/telemetry_command.rb` | `legion telemetry` subcommands (stats, ingest) — session log analytics |
 | `lib/legion/cli/auth_command.rb` | `legion auth` subcommands (teams) — delegated OAuth browser flow for external services |
 | `completions/legion.bash` | Bash tab completion script |
@@ -713,8 +709,6 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 | `API::Routes::Relationships` | Fully implemented (backed by legion-data migration 013) |
 | `API::Routes::Chains` | 501 stub - no data model |
 | `API::Middleware::Auth` | JWT Bearer auth middleware — real token validation and API key (`X-API-Key` header) auth both implemented |
-| `MCP::Auth` | JWT + API key authentication for MCP server (HTTP transport) |
-| `MCP::ToolGovernance` | Risk-tier tool filtering + audit — disabled by default, opt-in via settings |
 | `legion-data` chains/relationships models | Not yet implemented |
 
 ## Rubocop Notes
@@ -728,7 +722,7 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 
 ```bash
 bundle install
-bundle exec rspec       # 1433 examples, 0 failures
+bundle exec rspec       # 1499 examples, 0 failures
 bundle exec rubocop     # 418 files, 0 offenses
 ```
 

data/Dockerfile

@@ -1,9 +1,26 @@
-FROM ruby:3.4-alpine
-LABEL maintainer="Matthew Iverson <matthewdiverson@gmail.com>"
+# Build stage
+FROM ruby:3.4-slim AS builder
+WORKDIR /app
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends build-essential libpq-dev git && \
+    rm -rf /var/lib/apt/lists/*
+COPY Gemfile Gemfile.lock ./
+RUN bundle config set --local deployment true && \
+    bundle config set --local without 'development test' && \
+    bundle install --jobs 4 --retry 3
+COPY . .
 
-RUN mkdir /etc/legionio
-RUN apk update && apk add build-base postgresql-dev mysql-client mariadb-dev tzdata gcc git
-
-COPY . ./
-RUN gem install legionio tzinfo-data tzinfo --no-document --no-prerelease
-CMD ruby --yjit $(which legion)
+# Runtime stage
+FROM ruby:3.4-slim AS runtime
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libpq5 curl && \
+    rm -rf /var/lib/apt/lists/* && \
+    groupadd -r legion && useradd -r -g legion -d /app -s /sbin/nologin legion
+WORKDIR /app
+COPY --from=builder --chown=legion:legion /app /app
+USER legion
+EXPOSE 4567
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD curl -sf http://localhost:4567/api/health || exit 1
+ENTRYPOINT ["bundle", "exec"]
+CMD ["legion", "start"]

data/README.md

@@ -14,7 +14,7 @@ Schedule tasks, chain services into dependency graphs, run them concurrently via
          ╰──────────────────────────────────────╯
 ```
 
-**Ruby >= 3.4** | **v1.4.67** | **Apache-2.0** | [@Esity](https://github.com/Esity)
+**Ruby >= 3.4** | **v1.4.78** | **Apache-2.0** | [@Esity](https://github.com/Esity)
 
 ---
 
@@ -461,11 +461,13 @@ legion start
       ├── 4. Transport        (legion-transport — RabbitMQ)
       ├── 5. Cache            (legion-cache — Redis/Memcached)
       ├── 6. Data             (legion-data — database + migrations)
-      ├── 7. LLM              (legion-llm — AI provider setup + routing)
-      ├── 8. Supervision      (process supervision)
-      ├── 9. Extensions       (discover + load 280+ LEX gems, filtered by role profile)
-      ├── 10. Cluster Secret  (distribute via Vault or memory)
-      └── 11. API             (Sinatra/Puma on port 4567)
+      ├── 7. RBAC             (legion-rbac — optional role-based access control)
+      ├── 8. LLM              (legion-llm — AI provider setup + routing)
+      ├── 9. GAIA             (legion-gaia — cognitive coordination layer)
+      ├── 10. Supervision     (process supervision)
+      ├── 11. Extensions      (discover + load 280+ LEX gems, filtered by role profile)
+      ├── 12. Cluster Secret  (distribute via Vault or memory)
+      └── 13. API             (Sinatra/Puma on port 4567)
 ```
 
 Each phase registers with `Legion::Readiness`. All phases are individually toggleable.

data/deploy/helm/legion/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: legion
+description: LegionIO async job engine
+version: 0.1.0
+appVersion: "1.4.13"
+type: application

data/deploy/helm/legion/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{- define "legion.fullname" -}}
+{{- .Release.Name }}-legion
+{{- end }}
+
+{{- define "legion.labels" -}}
+app.kubernetes.io/name: legion
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+{{- end }}
+
+{{- define "legion.selectorLabels" -}}
+app.kubernetes.io/name: legion
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}