legionio 1.4.79 → 1.4.85

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 833830caa5613e077d49c9a67c1dc00b907a473daf7be9033c9389c51546a5e3
-  data.tar.gz: 9c93197f8b0a9ecd0f784598c9b81e98d0158ab03b94d4b822a3d6ef55419868
+  metadata.gz: 512139af5d950a28790627a762f8dc5f52e37cd093ed2829a9a42aa833ededec
+  data.tar.gz: f80a9bfa077caa791bf68058c91eb1061b9cf3851c1766ef5aedd49e9ecda95e
 SHA512:
-  metadata.gz: 4689fa56cc6ad0cfd06f1b836fd36211edeaedacc65306ed888bdc97d36e1d430f5c7c6f3eb65427ff7c234cf1908f2fb14f26f448b8d6f2a414c726011c699f
-  data.tar.gz: 3a127117aba989a57d1e1077e6972a2d32d07c02148fb53eae5c083e8752d509d4a9d84a9db9bb3086292a983e3154d8632e7bca41483a5e9740ccb1769c1ec0
+  metadata.gz: ecd74de131841cb6a00d1fe66ccfa51fe0a0eafe649e0cdf26e90c8602127f0d29d7f55b4cfeda0f13908b0eebe9828d61dc380a7518268e29bda49bd780855d
+  data.tar.gz: 9d27ac10782d1e6319e96b517c6da5a819e7b599f15a2e9ae27a5d1f3e33f13d70838bd64390218931ded9be7ec45c3cc28e1e65dc2cedebcbd5faf17fa1ba6a

data/.dockerignore

@@ -0,0 +1,11 @@
+.git
+.github
+spec
+docs
+*.md
+.rubocop.yml
+.rspec
+tmp
+log
+.dockerignore
+Dockerfile

data/.github/workflow-templates/eval-gate.yml

@@ -0,0 +1,118 @@
+# .github/workflow-templates/eval-gate.yml
+#
+# Eval gate workflow template for LegionIO CI/CD pipelines.
+# Copy this file to .github/workflows/eval-gate.yml in your repo and adjust the
+# env vars to match your dataset and threshold requirements.
+#
+# Required secrets:
+#   LEGIONIO_BOOTSTRAP_CONFIG  (base64-encoded bootstrap JSON, or omit for defaults)
+#
+# Usage:
+#   - Trigger manually (workflow_dispatch) or on push/PR targeting main
+#   - Job exits 0 if avg_score >= threshold, exits 1 and fails the pipeline if below
+
+name: Eval Gate
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      dataset:
+        description: 'Dataset name to evaluate'
+        required: true
+        default: 'default'
+      threshold:
+        description: 'Pass/fail threshold (0.0 - 1.0)'
+        required: false
+        default: '0.8'
+      evaluator:
+        description: 'Evaluator name (leave blank for first builtin template)'
+        required: false
+        default: ''
+
+env:
+  DATASET:   ${{ github.event.inputs.dataset   || 'default' }}
+  THRESHOLD: ${{ github.event.inputs.threshold || '0.8' }}
+  EVALUATOR: ${{ github.event.inputs.evaluator || '' }}
+
+jobs:
+  eval-gate:
+    name: Eval Gate (${{ env.DATASET }} @ ${{ env.THRESHOLD }})
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Install Legion
+        run: gem install legionio --no-document
+
+      - name: Bootstrap config (optional)
+        if: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG != '' }}
+        env:
+          LEGIONIO_BOOTSTRAP_CONFIG: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG }}
+        run: echo "Bootstrap config present"
+
+      - name: Run eval gate
+        id: eval
+        env:
+          LEGIONIO_BOOTSTRAP_CONFIG: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG }}
+        run: |
+          EVAL_ARGS="--dataset $DATASET --threshold $THRESHOLD --exit-code --json"
+          if [ -n "$EVALUATOR" ]; then
+            EVAL_ARGS="$EVAL_ARGS --evaluator $EVALUATOR"
+          fi
+          legion eval run $EVAL_ARGS | tee eval-report.json
+
+      - name: Upload eval report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: eval-report-${{ github.run_number }}
+          path: eval-report.json
+          retention-days: 30
+
+      - name: Annotate PR with eval results
+        if: github.event_name == 'pull_request' && always()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            let report;
+            try {
+              report = JSON.parse(fs.readFileSync('eval-report.json', 'utf8'));
+            } catch (e) {
+              console.log('Could not parse eval report:', e.message);
+              return;
+            }
+            const gate   = report.passed ? 'PASSED' : 'FAILED';
+            const score  = (report.avg_score || 0).toFixed(3);
+            const thresh = report.threshold || 0;
+            const body   = [
+              `## Eval Gate: ${gate}`,
+              '',
+              `| Metric | Value |`,
+              `|--------|-------|`,
+              `| Dataset | \`${report.dataset}\` |`,
+              `| Evaluator | \`${report.evaluator}\` |`,
+              `| Avg Score | ${score} |`,
+              `| Threshold | ${thresh} |`,
+              `| Total Rows | ${report.summary?.total ?? 'N/A'} |`,
+              `| Passed | ${report.summary?.passed ?? 'N/A'} |`,
+              `| Failed | ${report.summary?.failed ?? 'N/A'} |`,
+            ].join('\n');
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner:        context.repo.owner,
+              repo:         context.repo.repo,
+              body:         body,
+            });

data/.github/workflows/ci-cd.yml

@@ -0,0 +1,40 @@
+name: CI/CD
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    services:
+      rabbitmq:
+        image: rabbitmq:3.13-management
+        ports: ['5672:5672']
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_PASSWORD: test
+          POSTGRES_DB: legion_test
+        ports: ['5432:5432']
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+      - run: bundle install && bundle exec rspec
+      - run: bundle exec rubocop
+
+  helm-lint:
+    name: Helm Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: azure/setup-helm@v3
+      - run: helm lint deploy/helm/legion

data/.github/workflows/ci.yml

@@ -27,3 +27,28 @@ jobs:
           gh api repos/LegionIO/homebrew-tap/dispatches \
             -f event_type=build-daemon \
             -f "client_payload[legionio_version]=${{ needs.release.outputs.version }}"
+
+  docker-build:
+    name: Build Docker Image
+    needs: release
+    if: needs.release.outputs.changed == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/legionio/legion:${{ needs.release.outputs.version }}
+            ghcr.io/legionio/legion:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

data/CHANGELOG.md

@@ -1,5 +1,57 @@
 # Legion Changelog
 
+## [1.4.85] - 2026-03-20
+
+### Added
+- `legion lex fixes` CLI command to list pending auto-fix patches (filterable by status)
+- `legion lex approve-fix FIX_ID` CLI command to approve LLM-generated fixes
+- `legion lex reject-fix FIX_ID` CLI command to reject LLM-generated fixes
+- `with_data` helper to `legion lex` subcommand class for data-required operations
+
+## [1.4.84] - 2026-03-20
+
+### Added
+- `Legion::Extensions.load_yaml_agents` — loads YAML/JSON agent definitions from `~/.legionio/agents/` or configured directory
+- `generate_yaml_runner` — dynamically generates a runner Module for each agent with `llm`, `script`, and `http` function types
+- YAML agent loading integrated into `hook_extensions` boot sequence
+- Governance API routes under `/api/governance/approvals` (list, show, submit, approve, reject)
+- HTML governance dashboard at `/governance/` with approve/reject buttons, 30s auto-poll, and reviewer dialog
+- Static file serving enabled for `public/` directory in Sinatra
+
+## [1.4.83] - 2026-03-20
+
+### Added
+- `Helpers::Context` for filesystem-based inter-agent context sharing
+- Org chart API endpoint (`GET /api/org-chart`) with dashboard panel
+- Workflow relationship graph API (`GET /api/relationships/graph`)
+- Workflow visualizer web page (`public/workflow/`) with Cytoscape.js
+- `--worktree` flag for `legion chat` with auto-checkpointing
+- `.legion-context/` and `.legion-worktrees/` in generated `.gitignore`
+
+## [1.4.82] - 2026-03-20
+
+### Added
+- `legion check --privacy` command: verifies enterprise privacy mode (flag set, no cloud API keys, external endpoints unreachable)
+- `PrivacyCheck` class with three probes: flag_set, no_cloud_keys, no_external_endpoints
+- `Legion::Service.log_privacy_mode_status` logs enterprise privacy state at startup
+
+## [1.4.81] - 2026-03-20
+
+### Added
+- `legion eval experiments` subcommand: list all experiment runs with status and summary
+- `legion eval promote --experiment NAME --tag TAG` subcommand: tag a prompt version for production via lex-prompt
+- `legion eval compare --run1 NAME --run2 NAME` subcommand: side-by-side diff of two experiment runs
+- `require_prompt!` guard for lex-prompt extension availability
+
+## [1.4.80] - 2026-03-20
+
+### Added
+- `legion eval run` CLI subcommand for CI/CD threshold-based eval gating
+- `--dataset`, `--threshold`, `--evaluator`, `--exit-code` options on `eval run`
+- JSON report output to stdout with per-row scores, summary, and timestamp
+- `.github/workflow-templates/eval-gate.yml` reusable GitHub Actions workflow template
+- PR annotation step in workflow template for inline eval result comments
+
 ## [1.4.79] - 2026-03-20
 
 ### Added

data/Dockerfile

@@ -1,9 +1,27 @@
-FROM ruby:3.4-alpine
-LABEL maintainer="Matthew Iverson <matthewdiverson@gmail.com>"
+# Build stage
+FROM ruby:3.4-slim AS builder
+WORKDIR /app
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends build-essential libpq-dev git && \
+    rm -rf /var/lib/apt/lists/*
+COPY Gemfile legionio.gemspec ./
+COPY lib/legion/version.rb lib/legion/
+RUN bundle lock && \
+    bundle config set --local without 'development test' && \
+    bundle install --jobs 4 --retry 3
+COPY . .
 
-RUN mkdir /etc/legionio
-RUN apk update && apk add build-base postgresql-dev mysql-client mariadb-dev tzdata gcc git
-
-COPY . ./
-RUN gem install legionio tzinfo-data tzinfo --no-document --no-prerelease
-CMD ruby --yjit $(which legion)
+# Runtime stage
+FROM ruby:3.4-slim AS runtime
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libpq5 curl && \
+    rm -rf /var/lib/apt/lists/* && \
+    groupadd -r legion && useradd -r -g legion -d /app -s /sbin/nologin legion
+WORKDIR /app
+COPY --from=builder --chown=legion:legion /app /app
+USER legion
+EXPOSE 4567
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD curl -sf http://localhost:4567/api/health || exit 1
+ENTRYPOINT ["bundle", "exec"]
+CMD ["legion", "start"]

data/deploy/helm/legion/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: legion
+description: LegionIO async job engine
+version: 0.1.0
+appVersion: "1.4.13"
+type: application

data/deploy/helm/legion/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{- define "legion.fullname" -}}
+{{- .Release.Name }}-legion
+{{- end }}
+
+{{- define "legion.labels" -}}
+app.kubernetes.io/name: legion
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+{{- end }}
+
+{{- define "legion.selectorLabels" -}}
+app.kubernetes.io/name: legion
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

data/deploy/helm/legion/templates/deployment-api.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "legion.fullname" . }}-api
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+    app.kubernetes.io/component: api
+spec:
+  replicas: {{ .Values.api.replicas }}
+  selector:
+    matchLabels:
+      {{- include "legion.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: api
+  template:
+    metadata:
+      labels:
+        {{- include "legion.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: api
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      containers:
+        - name: api
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["bundle", "exec", "legion", "api"]
+          ports:
+            - containerPort: {{ .Values.api.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /api/health
+              port: {{ .Values.api.port }}
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /api/health
+              port: {{ .Values.api.port }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            {{- toYaml .Values.api.resources | nindent 12 }}
+          env:
+            - name: LEGION_TRANSPORT_HOST
+              value: {{ .Values.rabbitmq.host | quote }}
+            - name: LEGION_DATA_URL
+              value: "postgres://$(DB_USER):$(DB_PASS)@{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}/{{ .Values.postgresql.database }}"
+            {{- with .Values.api.env }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.rabbitmq.existingSecret }}
+            - secretRef:
+                name: {{ .Values.postgresql.existingSecret }}

data/deploy/helm/legion/templates/deployment-worker.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "legion.fullname" . }}-worker
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+    app.kubernetes.io/component: worker
+spec:
+  replicas: {{ .Values.worker.replicas }}
+  selector:
+    matchLabels:
+      {{- include "legion.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: worker
+  template:
+    metadata:
+      labels:
+        {{- include "legion.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: worker
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      containers:
+        - name: worker
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["bundle", "exec", "legion", "start"]
+          resources:
+            {{- toYaml .Values.worker.resources | nindent 12 }}
+          env:
+            - name: LEGION_TRANSPORT_HOST
+              value: {{ .Values.rabbitmq.host | quote }}
+            - name: LEGION_TRANSPORT_PORT
+              value: {{ .Values.rabbitmq.port | quote }}
+            - name: LEGION_DATA_URL
+              value: "postgres://$(DB_USER):$(DB_PASS)@{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}/{{ .Values.postgresql.database }}"
+            {{- with .Values.worker.env }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.rabbitmq.existingSecret }}
+            - secretRef:
+                name: {{ .Values.postgresql.existingSecret }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

data/deploy/helm/legion/templates/hpa-worker.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.worker.hpa.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "legion.fullname" . }}-worker
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "legion.fullname" . }}-worker
+  minReplicas: {{ .Values.worker.hpa.minReplicas }}
+  maxReplicas: {{ .Values.worker.hpa.maxReplicas }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.worker.hpa.targetCPUUtilization }}
+{{- end }}

data/deploy/helm/legion/templates/pdb.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "legion.fullname" . }}
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+spec:
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  selector:
+    matchLabels:
+      {{- include "legion.selectorLabels" . | nindent 6 }}
+{{- end }}

data/deploy/helm/legion/templates/service-api.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "legion.fullname" . }}-api
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.api.service.type }}
+  ports:
+    - port: {{ .Values.api.port }}
+      targetPort: {{ .Values.api.port }}
+      protocol: TCP
+  selector:
+    {{- include "legion.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: api

data/deploy/helm/legion/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+{{- end }}

data/deploy/helm/legion/values.yaml

@@ -0,0 +1,69 @@
+image:
+  repository: ghcr.io/legionio/legion
+  tag: latest
+  pullPolicy: IfNotPresent
+
+worker:
+  replicas: 2
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 512Mi
+  hpa:
+    enabled: false
+    minReplicas: 2
+    maxReplicas: 20
+    targetCPUUtilization: 70
+  env: []
+
+api:
+  replicas: 2
+  port: 4567
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 256Mi
+  service:
+    type: ClusterIP
+  ingress:
+    enabled: false
+  env: []
+
+rabbitmq:
+  host: rabbitmq
+  port: 5672
+  vhost: /
+  existingSecret: legion-rabbitmq
+
+postgresql:
+  host: postgresql
+  port: 5432
+  database: legion
+  existingSecret: legion-postgresql
+
+redis:
+  host: redis
+  port: 6379
+
+vault:
+  enabled: false
+  address: ""
+  role: legion
+
+serviceAccount:
+  create: true
+  name: legion
+
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+
+nodeSelector: {}
+tolerations: []
+affinity: {}

data/lib/legion/api/governance.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module Governance
+        def self.registered(app)
+          app.helpers GovernanceHelpers
+          register_approvals(app)
+        end
+
+        module GovernanceHelpers
+          def run_governance_runner(method, **)
+            require 'legion/extensions/audit/runners/approval_queue'
+            runner = Object.new.extend(Legion::Extensions::Audit::Runners::ApprovalQueue)
+            runner.send(method, **)
+          rescue LoadError
+            halt 503, json_error('service_unavailable', 'lex-audit not available', status_code: 503)
+          end
+        end
+
+        def self.register_approvals(app)
+          app.get '/api/governance/approvals' do
+            require_data!
+            result = run_governance_runner(:list_pending,
+                                           tenant_id: params[:tenant_id],
+                                           limit:     (params[:limit] || 50).to_i)
+            json_response(result)
+          end
+
+          app.get '/api/governance/approvals/:id' do
+            require_data!
+            result = run_governance_runner(:show_approval, id: params[:id].to_i)
+            if result[:success]
+              json_response(result)
+            else
+              halt 404, json_error('not_found', 'Approval not found', status_code: 404)
+            end
+          end
+
+          app.post '/api/governance/approvals' do
+            require_data!
+            body = parse_request_body
+            halt 422, json_error('missing_field', 'approval_type is required', status_code: 422) unless body[:approval_type]
+            halt 422, json_error('missing_field', 'requester_id is required', status_code: 422) unless body[:requester_id]
+
+            result = run_governance_runner(:submit,
+                                           approval_type: body[:approval_type],
+                                           payload:       body[:payload] || {},
+                                           requester_id:  body[:requester_id],
+                                           tenant_id:     body[:tenant_id])
+            json_response(result, status_code: 201)
+          end
+
+          app.put '/api/governance/approvals/:id/approve' do
+            require_data!
+            body = parse_request_body
+            halt 422, json_error('missing_field', 'reviewer_id is required', status_code: 422) unless body[:reviewer_id]
+
+            result = run_governance_runner(:approve,
+                                           id:          params[:id].to_i,
+                                           reviewer_id: body[:reviewer_id])
+            json_response(result)
+          end
+
+          app.put '/api/governance/approvals/:id/reject' do
+            require_data!
+            body = parse_request_body
+            halt 422, json_error('missing_field', 'reviewer_id is required', status_code: 422) unless body[:reviewer_id]
+
+            result = run_governance_runner(:reject,
+                                           id:          params[:id].to_i,
+                                           reviewer_id: body[:reviewer_id])
+            json_response(result)
+          end
+        end
+      end
+    end
+  end
+end