legionio 1.6.0 → 1.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6413e545fabb634ddda16a99e884701751aa1cdd8245b649799f4836ae0c7360
-  data.tar.gz: 4239fd5af0278ba21cf33bbd320e62e67b103d93d36f3f5266eb5269019b7859
+  metadata.gz: 49e219b9a9c790b6ec63903daee3a26194a5a1611cccd0013a05bb7a34a3d7c9
+  data.tar.gz: eedbb6e81c2ba386cee0718eb3aed307a021d25959579bb2a02c8bd011ca4fa5
 SHA512:
-  metadata.gz: 2dee1932ef724c587ff8d26c496913cb7b90b1385f7793b3d13c7e3e703440c0b6ad4f7b431215c395ee742cd920afebcda784e29feca058d67a6afb73cb0abb
-  data.tar.gz: fd476599db94cf729ed3e5b66f82f1f090b44215222c24e6a8cf8e6d67c9837fd204561c6054f83505b0fc194a3766aef365eadaa46712babb5750dde82383c3
+  metadata.gz: 141f1ad15ae3595a411e4e1ddaf7fa4544bd1fd5aa23be7425574e783a55581773d0a860ace1d7f6dce97bf3004b6fc42998374cdfe8b3555b01547e98be5f1e
+  data.tar.gz: a05b2f2cb76d9237dc785b396af6f72b03657866ba4f57fd9b7673594d3212634e9c920d90529c5134544cbdb8d32e9994b188e155366f6f69f7df803355dc90

data/.gitignore

@@ -15,7 +15,8 @@
 legionio.key
 # runtime artifacts
 .DS_Store
-legionio.db
+*.db
+*.json
 logs/
 # local settings (may contain secrets)
 settings/

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Legion Changelog
 
+## [1.6.2] - 2026-03-26
+
+### Fixed
+- `legionio update` remote check failed for all gems due to TCP connection exhaustion (24 parallel SSL connections to rubygems.org)
+- Replace thread pool with 4 batched threads using persistent HTTP keep-alive connections (55 gems in ~4s)
+
+## [1.6.1] - 2026-03-26
+
+### Fixed
+- `legionio update` now shows "(remote check failed)" instead of "(already latest)" when rubygems.org fetch fails
+- Add HTTP timeouts (5s connect, 10s read) to remote version checks to prevent thread pool exhaustion
+- Install failures now show "(install may have failed)" instead of "(already latest)"
+- Distinct statuses: current, check_failed, installed, failed (was single ambiguous "updated" for all)
+
 ## [1.6.0] - 2026-03-26
 
 ### Added

data/legionio.gemspec

@@ -60,8 +60,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'legion-settings', '>= 1.3.19'
   spec.add_dependency 'legion-transport', '>= 1.4.0'
 
-  spec.add_dependency 'legion-apollo', '>= 0.2.1'
-  spec.add_dependency 'legion-gaia', '>= 0.9.24'
+  spec.add_dependency 'legion-apollo', '>= 0.3.1'
+  spec.add_dependency 'legion-gaia', '>= 0.9.26'
   spec.add_dependency 'legion-llm', '>= 0.5.8'
   spec.add_dependency 'legion-tty', '>= 0.4.35'
   spec.add_dependency 'lex-node'

data/lib/legion/cli/update_command.rb

@@ -89,61 +89,75 @@ module Legion
             remote && local && Gem::Version.new(remote) > Gem::Version.new(local)
           end
 
-          if dry_run
-            return gem_names.map do |name|
-              local = local_versions[name]
-              remote = remote_versions[name]
-              needs_update = remote && local && Gem::Version.new(remote) > Gem::Version.new(local)
-              { name: name, from: local, to: remote, status: needs_update ? 'available' : 'current' }
-            end
+          return dry_run_results(gem_names, local_versions, remote_versions, outdated) if dry_run
+
+          return current_results(gem_names, remote_versions) if outdated.empty?
+
+          install_results(gem_names, gem_bin, remote_versions, outdated)
+        end
+
+        def dry_run_results(gem_names, local_versions, remote_versions, outdated)
+          gem_names.map do |name|
+            remote = remote_versions[name]
+            status = if outdated.include?(name) then 'available'
+                     elsif remote then 'current'
+                     else 'check_failed'
+                     end
+            { name: name, from: local_versions[name], to: remote, status: status }
           end
+        end
 
-          return gem_names.map { |name| { name: name, status: 'updated', output: '' } } if outdated.empty?
+        def current_results(gem_names, remote_versions)
+          gem_names.map do |name|
+            { name: name, status: remote_versions[name] ? 'current' : 'check_failed', remote: remote_versions[name] }
+          end
+        end
 
+        def install_results(gem_names, gem_bin, remote_versions, outdated)
           output = `#{gem_bin} install #{outdated.join(' ')} --no-document 2>&1`
           success = $CHILD_STATUS.success?
           gem_names.map do |name|
             if outdated.include?(name)
-              { name: name, status: success ? 'updated' : 'failed', output: output.strip }
+              { name: name, status: success ? 'installed' : 'failed', remote: remote_versions[name], output: output.strip }
             else
-              { name: name, status: 'updated', output: '' }
+              { name: name, status: remote_versions[name] ? 'current' : 'check_failed', remote: remote_versions[name] }
             end
           end
         end
 
         def fetch_remote_versions_parallel(gem_names)
           results = Concurrent::Hash.new
-          pool = Concurrent::FixedThreadPool.new([gem_names.size, 24].min)
-          latch = Concurrent::CountDownLatch.new(gem_names.size)
-
-          gem_names.each do |name|
-            pool.post do
-              version = fetch_remote_version(name)
-              results[name] = version if version
-            rescue StandardError => e
-              Legion::Logging.debug("UpdateCommand#fetch_remote_version #{name}: #{e.message}") if defined?(Legion::Logging)
-            ensure
-              latch.count_down
+          thread_count = [gem_names.size, 4].min
+          slices = gem_names.each_slice((gem_names.size / thread_count.to_f).ceil).to_a
+          threads = slices.map do |batch|
+            Thread.new(batch) do |names|
+              fetch_batch(names, results)
             end
           end
-
-          latch.wait(30)
-          pool.shutdown
+          threads.each { |t| t.join(60) }
           results
         end
 
-        def fetch_remote_version(name)
-          uri = URI("https://rubygems.org/api/v1/versions/#{name}/latest.json")
-          response = Net::HTTP.get_response(uri)
-          return nil unless response.is_a?(Net::HTTPSuccess)
+        def fetch_batch(names, results)
+          Net::HTTP.start('rubygems.org', 443, use_ssl: true, open_timeout: 10, read_timeout: 10) do |http|
+            names.each do |name|
+              response = http.request(Net::HTTP::Get.new("/api/v1/versions/#{name}/latest.json"))
+              next unless response.is_a?(Net::HTTPSuccess)
 
-          data = ::JSON.parse(response.body)
-          data['version']
+              data = ::JSON.parse(response.body)
+              results[name] = data['version'] if data['version']
+            rescue StandardError => e
+              Legion::Logging.debug("UpdateCommand#fetch_batch #{name}: #{e.message}") if defined?(Legion::Logging)
+            end
+          end
+        rescue StandardError => e
+          Legion::Logging.debug("UpdateCommand#fetch_batch connection: #{e.message}") if defined?(Legion::Logging)
         end
 
         def display_results(out, results, before, after)
           updated = []
           failed = []
+          check_failures = 0
 
           results.each do |r|
             name = r[:name]
@@ -152,12 +166,17 @@ module Legion
               puts "  #{name}: #{r[:from]} -> #{r[:to]}"
               updated << name
             when 'current'
-              puts "  #{name}: #{r[:from] || '?'} (current)"
-            when 'updated'
+              local = r[:from] || before[name]
+              puts "  #{name}: #{local || '?'} (already latest)"
+            when 'check_failed'
+              puts "  #{name}: #{before[name]} (remote check failed)"
+              check_failures += 1
+            when 'installed'
               old_v = before[name]
               new_v = after[name]
               if old_v == new_v
-                puts "  #{name}: #{old_v} (already latest)"
+                out.error("  #{name}: #{old_v} (install may have failed)")
+                failed << name
               else
                 out.success("  #{name}: #{old_v} -> #{new_v}")
                 updated << name
@@ -171,6 +190,8 @@ module Legion
           out.spacer
           if updated.any?
             out.success("Updated #{updated.size} gem(s)")
+          elsif check_failures.positive?
+            puts "#{check_failures} gem(s) could not be checked - retry or use --dry-run for details"
           else
             puts 'All gems are up to date'
           end

data/lib/legion/extensions/helpers/lex.rb

@@ -10,6 +10,30 @@ module Legion
         include Legion::Extensions::Helpers::Logger
         include Legion::JSON::Helper
 
+        module ClassMethods
+          def expose_as_mcp_tool(value = :_unset)
+            if value == :_unset
+              return @expose_as_mcp_tool unless @expose_as_mcp_tool.nil?
+
+              if defined?(Legion::Settings) && Legion::Settings.respond_to?(:dig)
+                Legion::Settings.dig(:mcp, :auto_expose_runners) || false
+              else
+                false
+              end
+            else
+              @expose_as_mcp_tool = value
+            end
+          end
+
+          def mcp_tool_prefix(value = :_unset)
+            if value == :_unset
+              @mcp_tool_prefix
+            else
+              @mcp_tool_prefix = value
+            end
+          end
+        end
+
         def function_example(function, example)
           function_set(function, :example, example)
         end
@@ -22,6 +46,34 @@ module Legion
           function_set(function, :desc, desc)
         end
 
+        def function_outputs(function, outputs)
+          function_set(function, :outputs, outputs)
+        end
+
+        def function_category(function, category)
+          function_set(function, :category, category)
+        end
+
+        def function_tags(function, tags)
+          function_set(function, :tags, tags)
+        end
+
+        def function_risk_tier(function, tier)
+          function_set(function, :risk_tier, tier)
+        end
+
+        def function_idempotent(function, value)
+          function_set(function, :idempotent, value)
+        end
+
+        def function_requires(function, deps)
+          function_set(function, :requires, deps)
+        end
+
+        def function_expose(function, value)
+          function_set(function, :expose, value)
+        end
+
         def function_set(function, key, value)
           unless respond_to? function
             log.debug "function_#{key} called but function doesn't exist, f: #{function}"
@@ -41,6 +93,7 @@ module Legion
         def self.included(base)
           base.send :extend, Legion::Extensions::Helpers::Core if base.instance_of?(Class)
           base.send :extend, Legion::Extensions::Helpers::Logger if base.instance_of?(Class)
+          base.extend ClassMethods if base.instance_of?(Class)
           base.extend base if base.instance_of?(Module)
         end
 

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.6.0'
+  VERSION = '1.6.2'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.6.2
 platform: ruby
 authors:
 - Esity
@@ -323,28 +323,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.1
+        version: 0.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.1
+        version: 0.3.1
 - !ruby/object:Gem::Dependency
   name: legion-gaia
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.24
+        version: 0.9.26
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.24
+        version: 0.9.26
 - !ruby/object:Gem::Dependency
   name: legion-llm
   requirement: !ruby/object:Gem::Requirement
@@ -431,17 +431,9 @@ files:
 - deploy/helm/legion/values.yaml
 - docker_deploy.rb
 - docs/README.md
-- docs/plans/2026-03-18-config-import-vault-multicluster-design.md
-- docs/plans/2026-03-18-config-import-vault-multicluster-implementation.md
-- docs/plans/2026-03-18-core-lex-uplift-design.md
-- docs/plans/2026-03-18-core-lex-uplift-implementation.md
-- docs/plans/2026-03-18-legion-tty-default-cli-design.md
-- docs/plans/2026-03-18-legion-tty-default-cli-implementation.md
-- docs/plans/2026-03-19-hooks-expansion-design.md
 - exe/legion
 - exe/legionio
 - legionio.gemspec
-- legionio_local.db
 - lib/legion.rb
 - lib/legion/alerts.rb
 - lib/legion/api.rb

data/docs/plans/2026-03-18-config-import-vault-multicluster-design.md

@@ -1,272 +0,0 @@
-# Config Import + Multi-Cluster Vault Design
-
-## Problem
-
-LegionIO currently supports a single Vault cluster (`crypt.vault.address/port/token`). In enterprise environments, engineers work with multiple Vault clusters (dev, test, stage, production) and need different tokens for each. There's also no way to bootstrap a new developer's environment from a shared config — they must manually create JSON files in `~/.legionio/settings/`.
-
-## Solution
-
-Three changes across three repos:
-
-### 1. legion-crypt: Multi-Cluster Vault Support
-
-Upgrade `crypt.vault` from a single cluster to a named clusters hash with a `default` pointer.
-
-#### Settings Schema
-
-```json
-{
-  "crypt": {
-    "vault": {
-      "default": "prod",
-      "clusters": {
-        "dev": {
-          "address": "vault-dev.example.com",
-          "port": 8200,
-          "protocol": "https",
-          "namespace": "myapp",
-          "token": null,
-          "auth_method": "ldap"
-        },
-        "stage": {
-          "address": "vault-stage.example.com",
-          "port": 8200,
-          "protocol": "https",
-          "namespace": "myapp",
-          "token": null,
-          "auth_method": "ldap"
-        },
-        "prod": {
-          "address": "vault.example.com",
-          "port": 8200,
-          "protocol": "https",
-          "namespace": "myapp",
-          "token": null,
-          "auth_method": "ldap"
-        }
-      }
-    }
-  }
-}
-```
-
-#### Backward Compatibility
-
-If `crypt.vault.clusters` is absent but `crypt.vault.address` is present, treat it as a single unnamed cluster (current behavior). The migration path is:
-
-```ruby
-# Old style (still works)
-Legion::Settings[:crypt][:vault][:address]  # => "vault.example.com"
-
-# New style
-Legion::Crypt.cluster(:prod)    # => cluster config hash
-Legion::Crypt.cluster            # => default cluster config hash
-Legion::Crypt.default_cluster    # => "prod"
-```
-
-#### New Module: `Legion::Crypt::VaultCluster`
-
-Manages per-cluster Vault connections:
-
-```ruby
-module Legion::Crypt
-  module VaultCluster
-    # Get a configured ::Vault client for a named cluster
-    def vault_client(name = nil)
-      name ||= default_cluster_name
-      @vault_clients ||= {}
-      @vault_clients[name] ||= build_client(clusters[name])
-    end
-
-    # Cluster config hash
-    def cluster(name = nil)
-      name ||= default_cluster_name
-      clusters[name]
-    end
-
-    def default_cluster_name
-      vault_settings[:default] || clusters.keys.first
-    end
-
-    def clusters
-      vault_settings[:clusters] || {}
-    end
-
-    # Connect to all clusters that have tokens
-    def connect_all
-      clusters.each do |name, config|
-        next unless config[:token]
-        connect_cluster(name)
-      end
-    end
-
-    private
-
-    def build_client(config)
-      client = ::Vault::Client.new(
-        address: "#{config[:protocol]}://#{config[:address]}:#{config[:port]}",
-        token:   config[:token]
-      )
-      client.namespace = config[:namespace] if config[:namespace]
-      client
-    end
-  end
-end
-```
-
-#### New Module: `Legion::Crypt::LdapAuth`
-
-LDAP authentication against Vault's LDAP auth method (HTTP API, no vault CLI):
-
-```ruby
-module Legion::Crypt
-  module LdapAuth
-    # Authenticate to a single cluster via LDAP
-    # POST /v1/auth/ldap/login/:username
-    # Returns: { token:, lease_duration:, renewable:, policies: }
-    def ldap_login(cluster_name:, username:, password:)
-      client = vault_client(cluster_name)
-      # Or raw HTTP if ::Vault gem doesn't expose ldap auth:
-      response = client.post("/v1/auth/ldap/login/#{username}", password: password)
-      token = response.auth.client_token
-      # Store token in cluster config (in-memory only, not written to disk with password)
-      clusters[cluster_name][:token] = token
-      clusters[cluster_name][:connected] = true
-      { token: token, lease_duration: response.auth.lease_duration,
-        renewable: response.auth.renewable, policies: response.auth.policies }
-    end
-
-    # Authenticate to ALL configured clusters with same credentials
-    def ldap_login_all(username:, password:)
-      results = {}
-      clusters.each do |name, config|
-        next unless config[:auth_method] == 'ldap'
-        results[name] = ldap_login(cluster_name: name, username: username, password: password)
-      rescue StandardError => e
-        results[name] = { error: e.message }
-      end
-      results
-    end
-  end
-end
-```
-
-#### Existing Code Changes
-
-- `Legion::Crypt.start` — if `clusters` present, call `connect_all` instead of `connect_vault`
-- `Legion::Crypt::Vault.read/write/get` — route through `vault_client(name)` for cluster-aware reads
-- `Legion::Crypt::Vault.connect_vault` — still works for legacy single-cluster config
-- `Legion::Crypt::VaultRenewer` — renew tokens for ALL connected clusters
-- `Legion::Settings::Resolver` — `vault://` refs gain optional cluster prefix: `vault://prod/secret/data/myapp#password` (falls back to default cluster if no prefix)
-
-### 2. LegionIO: `legion config import` / `legionio config import` CLI Command
-
-New subcommand under `Config`:
-
-```
-legionio config import <source>     # URL or local file path
-legion config import <source>       # same command available in interactive binary
-```
-
-#### Behavior
-
-1. **Fetch source:**
-   - If `source` starts with `http://` or `https://` — HTTP GET, follow redirects
-   - Otherwise — read local file
-2. **Decode payload:**
-   - Try `JSON.parse(body)` first
-   - If that fails, try `JSON.parse(Base64.decode64(body))`
-   - If both fail, error with "not valid JSON or base64-encoded JSON"
-3. **Validate structure:**
-   - Must be a Hash
-   - Warn on unrecognized top-level keys (not in known settings keys)
-4. **Write to `~/.legionio/settings/imported.json`:**
-   - Deep merge with existing imported.json if present
-   - Or overwrite with `--force`
-5. **Display summary:**
-   - Which settings sections were imported (crypt, transport, cache, etc.)
-   - How many vault clusters configured
-   - Remind user to run `legion` for onboarding vault auth
-
-#### Example Config File
-
-```json
-{
-  "crypt": {
-    "vault": {
-      "default": "prod",
-      "clusters": {
-        "dev":   { "address": "vault-dev.uhg.com",   "port": 8200, "protocol": "https", "auth_method": "ldap" },
-        "test":  { "address": "vault-test.uhg.com",  "port": 8200, "protocol": "https", "auth_method": "ldap" },
-        "stage": { "address": "vault-stage.uhg.com", "port": 8200, "protocol": "https", "auth_method": "ldap" },
-        "prod":  { "address": "vault.uhg.com",       "port": 8200, "protocol": "https", "auth_method": "ldap" }
-      }
-    }
-  },
-  "transport": {
-    "host": "rabbitmq.uhg.com",
-    "port": 5672,
-    "vhost": "legion"
-  },
-  "cache": {
-    "driver": "dalli",
-    "servers": ["memcached.uhg.com:11211"]
-  }
-}
-```
-
-### 3. legion-tty: Onboarding Vault Auth Step
-
-After the wizard (name + LLM providers), before the reveal box:
-
-```
-[digital rain]
-[intro - kerberos identity, github quick]
-[wizard - name, LLM providers]
-[NEW: vault auth prompt]
-[reveal box - now includes vault cluster status]
-```
-
-#### Flow
-
-1. Check if any vault clusters are configured in settings
-2. If none, skip entirely
-3. If clusters exist, ask: "I found N Vault clusters. Connect now?" (TTY::Prompt confirm)
-4. If yes:
-   - Default username = kerberos `samaccountname` (from `@kerberos_identity[:samaccountname]`), fallback to `ENV['USER']`
-   - Ask: "Username:" with default pre-filled (TTY::Prompt ask)
-   - Ask: "Password:" with `echo: false` (hidden input)
-   - For each LDAP-configured cluster, attempt `Legion::Crypt.ldap_login`
-   - Show green checkmark / red X per cluster with name
-5. Store tokens in memory (settings hash), NOT on disk with the password
-6. Reveal box now shows vault cluster connection status
-
-#### New Background Probe: Not Needed
-
-Vault auth requires user interaction (password prompt), so it runs inline after the wizard, not in a background thread.
-
-## Alternatives Considered
-
-**Use lex-vault instead of vault gem for multi-cluster:** lex-vault's Faraday-based client is simpler and already supports per-instance address/token/namespace. Could replace the `vault` gem dependency in legion-crypt entirely. Deferred — not a requirement for this iteration but a good future optimization.
-
-**Kerberos auth for Vault:** Not a default Vault auth method. Would require a custom Vault plugin. Deferred.
-
-**Store tokens on disk:** Vault tokens are renewable and short-lived. Storing them risks stale tokens. Better to re-auth on each `legion` startup if needed. Could add optional token caching later.
-
-## Constraints
-
-- LDAP password is NEVER written to disk or settings files
-- Vault tokens are stored in-memory only during the session
-- `vault://` resolver must remain backward compatible (no cluster prefix = default cluster)
-- Single-cluster config (`crypt.vault.address`) must continue to work unchanged
-- Config import file is plain JSON, no wrapper format
-- HTTP sources must handle both raw JSON and base64-encoded JSON
-
-## Repos Affected
-
-| Repo | Changes |
-|------|---------|
-| `legion-crypt` | `VaultCluster` module, `LdapAuth` module, multi-cluster settings, `VaultRenewer` update, backward compat |
-| `LegionIO` | `config import` CLI command (both binaries), HTTP fetch + base64 detection |
-| `legion-tty` | Onboarding vault auth step after wizard |
-| `legion-settings` | `Resolver` update for cluster-prefixed `vault://` refs (optional, can defer) |