legionio 1.6.1 → 1.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97707f0bdbc4ad1ce6b714bcb703b6d53725210b6565d700e8677db9912a9ab8
-  data.tar.gz: 3e2171d5dd1de801ed929a0581e4d3920845be921a528147c4d6e9ddd122e2de
+  metadata.gz: 49e219b9a9c790b6ec63903daee3a26194a5a1611cccd0013a05bb7a34a3d7c9
+  data.tar.gz: eedbb6e81c2ba386cee0718eb3aed307a021d25959579bb2a02c8bd011ca4fa5
 SHA512:
-  metadata.gz: 1f9f67128de7fa3eac1cff947d2275fdc595f5bec7150c218af10cf08b4245abc455b48324492104c92da9f44e31633792d513eddcb1b6316313381eace45c00
-  data.tar.gz: 7b5d3952a503ce07268076a20eecc86828ef5d7b53d87614c2bb874fbe6b55398e740f3bd8ab448f7047130917612bb2b3a18dcb2c116699c32663ab80862647
+  metadata.gz: 141f1ad15ae3595a411e4e1ddaf7fa4544bd1fd5aa23be7425574e783a55581773d0a860ace1d7f6dce97bf3004b6fc42998374cdfe8b3555b01547e98be5f1e
+  data.tar.gz: a05b2f2cb76d9237dc785b396af6f72b03657866ba4f57fd9b7673594d3212634e9c920d90529c5134544cbdb8d32e9994b188e155366f6f69f7df803355dc90

data/.gitignore

@@ -15,7 +15,8 @@
 legionio.key
 # runtime artifacts
 .DS_Store
-legionio.db
+*.db
+*.json
 logs/
 # local settings (may contain secrets)
 settings/

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Legion Changelog
 
+## [1.6.2] - 2026-03-26
+
+### Fixed
+- `legionio update` remote check failed for all gems due to TCP connection exhaustion (24 parallel SSL connections to rubygems.org)
+- Replace thread pool with 4 batched threads using persistent HTTP keep-alive connections (55 gems in ~4s)
+
 ## [1.6.1] - 2026-03-26
 
 ### Fixed

data/lib/legion/cli/update_command.rb

@@ -127,36 +127,31 @@ module Legion
 
         def fetch_remote_versions_parallel(gem_names)
           results = Concurrent::Hash.new
-          pool = Concurrent::FixedThreadPool.new([gem_names.size, 24].min)
-          latch = Concurrent::CountDownLatch.new(gem_names.size)
-
-          gem_names.each do |name|
-            pool.post do
-              version = fetch_remote_version(name)
-              results[name] = version if version
-            rescue StandardError => e
-              Legion::Logging.debug("UpdateCommand#fetch_remote_version #{name}: #{e.message}") if defined?(Legion::Logging)
-            ensure
-              latch.count_down
+          thread_count = [gem_names.size, 4].min
+          slices = gem_names.each_slice((gem_names.size / thread_count.to_f).ceil).to_a
+          threads = slices.map do |batch|
+            Thread.new(batch) do |names|
+              fetch_batch(names, results)
             end
           end
-
-          latch.wait(30)
-          pool.shutdown
+          threads.each { |t| t.join(60) }
           results
         end
 
-        def fetch_remote_version(name)
-          uri = URI("https://rubygems.org/api/v1/versions/#{name}/latest.json")
-          http = Net::HTTP.new(uri.host, uri.port)
-          http.use_ssl = true
-          http.open_timeout = 5
-          http.read_timeout = 10
-          response = http.request(Net::HTTP::Get.new(uri))
-          return nil unless response.is_a?(Net::HTTPSuccess)
-
-          data = ::JSON.parse(response.body)
-          data['version']
+        def fetch_batch(names, results)
+          Net::HTTP.start('rubygems.org', 443, use_ssl: true, open_timeout: 10, read_timeout: 10) do |http|
+            names.each do |name|
+              response = http.request(Net::HTTP::Get.new("/api/v1/versions/#{name}/latest.json"))
+              next unless response.is_a?(Net::HTTPSuccess)
+
+              data = ::JSON.parse(response.body)
+              results[name] = data['version'] if data['version']
+            rescue StandardError => e
+              Legion::Logging.debug("UpdateCommand#fetch_batch #{name}: #{e.message}") if defined?(Legion::Logging)
+            end
+          end
+        rescue StandardError => e
+          Legion::Logging.debug("UpdateCommand#fetch_batch connection: #{e.message}") if defined?(Legion::Logging)
         end
 
         def display_results(out, results, before, after)

data/lib/legion/extensions/helpers/lex.rb

@@ -10,6 +10,30 @@ module Legion
         include Legion::Extensions::Helpers::Logger
         include Legion::JSON::Helper
 
+        module ClassMethods
+          def expose_as_mcp_tool(value = :_unset)
+            if value == :_unset
+              return @expose_as_mcp_tool unless @expose_as_mcp_tool.nil?
+
+              if defined?(Legion::Settings) && Legion::Settings.respond_to?(:dig)
+                Legion::Settings.dig(:mcp, :auto_expose_runners) || false
+              else
+                false
+              end
+            else
+              @expose_as_mcp_tool = value
+            end
+          end
+
+          def mcp_tool_prefix(value = :_unset)
+            if value == :_unset
+              @mcp_tool_prefix
+            else
+              @mcp_tool_prefix = value
+            end
+          end
+        end
+
         def function_example(function, example)
           function_set(function, :example, example)
         end
@@ -22,6 +46,34 @@ module Legion
           function_set(function, :desc, desc)
         end
 
+        def function_outputs(function, outputs)
+          function_set(function, :outputs, outputs)
+        end
+
+        def function_category(function, category)
+          function_set(function, :category, category)
+        end
+
+        def function_tags(function, tags)
+          function_set(function, :tags, tags)
+        end
+
+        def function_risk_tier(function, tier)
+          function_set(function, :risk_tier, tier)
+        end
+
+        def function_idempotent(function, value)
+          function_set(function, :idempotent, value)
+        end
+
+        def function_requires(function, deps)
+          function_set(function, :requires, deps)
+        end
+
+        def function_expose(function, value)
+          function_set(function, :expose, value)
+        end
+
         def function_set(function, key, value)
           unless respond_to? function
             log.debug "function_#{key} called but function doesn't exist, f: #{function}"
@@ -41,6 +93,7 @@ module Legion
         def self.included(base)
           base.send :extend, Legion::Extensions::Helpers::Core if base.instance_of?(Class)
           base.send :extend, Legion::Extensions::Helpers::Logger if base.instance_of?(Class)
+          base.extend ClassMethods if base.instance_of?(Class)
           base.extend base if base.instance_of?(Module)
         end
 

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.6.1'
+  VERSION = '1.6.2'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.6.1
+  version: 1.6.2
 platform: ruby
 authors:
 - Esity
@@ -431,17 +431,9 @@ files:
 - deploy/helm/legion/values.yaml
 - docker_deploy.rb
 - docs/README.md
-- docs/plans/2026-03-18-config-import-vault-multicluster-design.md
-- docs/plans/2026-03-18-config-import-vault-multicluster-implementation.md
-- docs/plans/2026-03-18-core-lex-uplift-design.md
-- docs/plans/2026-03-18-core-lex-uplift-implementation.md
-- docs/plans/2026-03-18-legion-tty-default-cli-design.md
-- docs/plans/2026-03-18-legion-tty-default-cli-implementation.md
-- docs/plans/2026-03-19-hooks-expansion-design.md
 - exe/legion
 - exe/legionio
 - legionio.gemspec
-- legionio_local.db
 - lib/legion.rb
 - lib/legion/alerts.rb
 - lib/legion/api.rb

data/docs/plans/2026-03-18-config-import-vault-multicluster-design.md

@@ -1,272 +0,0 @@
-# Config Import + Multi-Cluster Vault Design
-
-## Problem
-
-LegionIO currently supports a single Vault cluster (`crypt.vault.address/port/token`). In enterprise environments, engineers work with multiple Vault clusters (dev, test, stage, production) and need different tokens for each. There's also no way to bootstrap a new developer's environment from a shared config — they must manually create JSON files in `~/.legionio/settings/`.
-
-## Solution
-
-Three changes across three repos:
-
-### 1. legion-crypt: Multi-Cluster Vault Support
-
-Upgrade `crypt.vault` from a single cluster to a named clusters hash with a `default` pointer.
-
-#### Settings Schema
-
-```json
-{
-  "crypt": {
-    "vault": {
-      "default": "prod",
-      "clusters": {
-        "dev": {
-          "address": "vault-dev.example.com",
-          "port": 8200,
-          "protocol": "https",
-          "namespace": "myapp",
-          "token": null,
-          "auth_method": "ldap"
-        },
-        "stage": {
-          "address": "vault-stage.example.com",
-          "port": 8200,
-          "protocol": "https",
-          "namespace": "myapp",
-          "token": null,
-          "auth_method": "ldap"
-        },
-        "prod": {
-          "address": "vault.example.com",
-          "port": 8200,
-          "protocol": "https",
-          "namespace": "myapp",
-          "token": null,
-          "auth_method": "ldap"
-        }
-      }
-    }
-  }
-}
-```
-
-#### Backward Compatibility
-
-If `crypt.vault.clusters` is absent but `crypt.vault.address` is present, treat it as a single unnamed cluster (current behavior). The migration path is:
-
-```ruby
-# Old style (still works)
-Legion::Settings[:crypt][:vault][:address]  # => "vault.example.com"
-
-# New style
-Legion::Crypt.cluster(:prod)    # => cluster config hash
-Legion::Crypt.cluster            # => default cluster config hash
-Legion::Crypt.default_cluster    # => "prod"
-```
-
-#### New Module: `Legion::Crypt::VaultCluster`
-
-Manages per-cluster Vault connections:
-
-```ruby
-module Legion::Crypt
-  module VaultCluster
-    # Get a configured ::Vault client for a named cluster
-    def vault_client(name = nil)
-      name ||= default_cluster_name
-      @vault_clients ||= {}
-      @vault_clients[name] ||= build_client(clusters[name])
-    end
-
-    # Cluster config hash
-    def cluster(name = nil)
-      name ||= default_cluster_name
-      clusters[name]
-    end
-
-    def default_cluster_name
-      vault_settings[:default] || clusters.keys.first
-    end
-
-    def clusters
-      vault_settings[:clusters] || {}
-    end
-
-    # Connect to all clusters that have tokens
-    def connect_all
-      clusters.each do |name, config|
-        next unless config[:token]
-        connect_cluster(name)
-      end
-    end
-
-    private
-
-    def build_client(config)
-      client = ::Vault::Client.new(
-        address: "#{config[:protocol]}://#{config[:address]}:#{config[:port]}",
-        token:   config[:token]
-      )
-      client.namespace = config[:namespace] if config[:namespace]
-      client
-    end
-  end
-end
-```
-
-#### New Module: `Legion::Crypt::LdapAuth`
-
-LDAP authentication against Vault's LDAP auth method (HTTP API, no vault CLI):
-
-```ruby
-module Legion::Crypt
-  module LdapAuth
-    # Authenticate to a single cluster via LDAP
-    # POST /v1/auth/ldap/login/:username
-    # Returns: { token:, lease_duration:, renewable:, policies: }
-    def ldap_login(cluster_name:, username:, password:)
-      client = vault_client(cluster_name)
-      # Or raw HTTP if ::Vault gem doesn't expose ldap auth:
-      response = client.post("/v1/auth/ldap/login/#{username}", password: password)
-      token = response.auth.client_token
-      # Store token in cluster config (in-memory only, not written to disk with password)
-      clusters[cluster_name][:token] = token
-      clusters[cluster_name][:connected] = true
-      { token: token, lease_duration: response.auth.lease_duration,
-        renewable: response.auth.renewable, policies: response.auth.policies }
-    end
-
-    # Authenticate to ALL configured clusters with same credentials
-    def ldap_login_all(username:, password:)
-      results = {}
-      clusters.each do |name, config|
-        next unless config[:auth_method] == 'ldap'
-        results[name] = ldap_login(cluster_name: name, username: username, password: password)
-      rescue StandardError => e
-        results[name] = { error: e.message }
-      end
-      results
-    end
-  end
-end
-```
-
-#### Existing Code Changes
-
-- `Legion::Crypt.start` — if `clusters` present, call `connect_all` instead of `connect_vault`
-- `Legion::Crypt::Vault.read/write/get` — route through `vault_client(name)` for cluster-aware reads
-- `Legion::Crypt::Vault.connect_vault` — still works for legacy single-cluster config
-- `Legion::Crypt::VaultRenewer` — renew tokens for ALL connected clusters
-- `Legion::Settings::Resolver` — `vault://` refs gain optional cluster prefix: `vault://prod/secret/data/myapp#password` (falls back to default cluster if no prefix)
-
-### 2. LegionIO: `legion config import` / `legionio config import` CLI Command
-
-New subcommand under `Config`:
-
-```
-legionio config import <source>     # URL or local file path
-legion config import <source>       # same command available in interactive binary
-```
-
-#### Behavior
-
-1. **Fetch source:**
-   - If `source` starts with `http://` or `https://` — HTTP GET, follow redirects
-   - Otherwise — read local file
-2. **Decode payload:**
-   - Try `JSON.parse(body)` first
-   - If that fails, try `JSON.parse(Base64.decode64(body))`
-   - If both fail, error with "not valid JSON or base64-encoded JSON"
-3. **Validate structure:**
-   - Must be a Hash
-   - Warn on unrecognized top-level keys (not in known settings keys)
-4. **Write to `~/.legionio/settings/imported.json`:**
-   - Deep merge with existing imported.json if present
-   - Or overwrite with `--force`
-5. **Display summary:**
-   - Which settings sections were imported (crypt, transport, cache, etc.)
-   - How many vault clusters configured
-   - Remind user to run `legion` for onboarding vault auth
-
-#### Example Config File
-
-```json
-{
-  "crypt": {
-    "vault": {
-      "default": "prod",
-      "clusters": {
-        "dev":   { "address": "vault-dev.uhg.com",   "port": 8200, "protocol": "https", "auth_method": "ldap" },
-        "test":  { "address": "vault-test.uhg.com",  "port": 8200, "protocol": "https", "auth_method": "ldap" },
-        "stage": { "address": "vault-stage.uhg.com", "port": 8200, "protocol": "https", "auth_method": "ldap" },
-        "prod":  { "address": "vault.uhg.com",       "port": 8200, "protocol": "https", "auth_method": "ldap" }
-      }
-    }
-  },
-  "transport": {
-    "host": "rabbitmq.uhg.com",
-    "port": 5672,
-    "vhost": "legion"
-  },
-  "cache": {
-    "driver": "dalli",
-    "servers": ["memcached.uhg.com:11211"]
-  }
-}
-```
-
-### 3. legion-tty: Onboarding Vault Auth Step
-
-After the wizard (name + LLM providers), before the reveal box:
-
-```
-[digital rain]
-[intro - kerberos identity, github quick]
-[wizard - name, LLM providers]
-[NEW: vault auth prompt]
-[reveal box - now includes vault cluster status]
-```
-
-#### Flow
-
-1. Check if any vault clusters are configured in settings
-2. If none, skip entirely
-3. If clusters exist, ask: "I found N Vault clusters. Connect now?" (TTY::Prompt confirm)
-4. If yes:
-   - Default username = kerberos `samaccountname` (from `@kerberos_identity[:samaccountname]`), fallback to `ENV['USER']`
-   - Ask: "Username:" with default pre-filled (TTY::Prompt ask)
-   - Ask: "Password:" with `echo: false` (hidden input)
-   - For each LDAP-configured cluster, attempt `Legion::Crypt.ldap_login`
-   - Show green checkmark / red X per cluster with name
-5. Store tokens in memory (settings hash), NOT on disk with the password
-6. Reveal box now shows vault cluster connection status
-
-#### New Background Probe: Not Needed
-
-Vault auth requires user interaction (password prompt), so it runs inline after the wizard, not in a background thread.
-
-## Alternatives Considered
-
-**Use lex-vault instead of vault gem for multi-cluster:** lex-vault's Faraday-based client is simpler and already supports per-instance address/token/namespace. Could replace the `vault` gem dependency in legion-crypt entirely. Deferred — not a requirement for this iteration but a good future optimization.
-
-**Kerberos auth for Vault:** Not a default Vault auth method. Would require a custom Vault plugin. Deferred.
-
-**Store tokens on disk:** Vault tokens are renewable and short-lived. Storing them risks stale tokens. Better to re-auth on each `legion` startup if needed. Could add optional token caching later.
-
-## Constraints
-
-- LDAP password is NEVER written to disk or settings files
-- Vault tokens are stored in-memory only during the session
-- `vault://` resolver must remain backward compatible (no cluster prefix = default cluster)
-- Single-cluster config (`crypt.vault.address`) must continue to work unchanged
-- Config import file is plain JSON, no wrapper format
-- HTTP sources must handle both raw JSON and base64-encoded JSON
-
-## Repos Affected
-
-| Repo | Changes |
-|------|---------|
-| `legion-crypt` | `VaultCluster` module, `LdapAuth` module, multi-cluster settings, `VaultRenewer` update, backward compat |
-| `LegionIO` | `config import` CLI command (both binaries), HTTP fetch + base64 detection |
-| `legion-tty` | Onboarding vault auth step after wizard |
-| `legion-settings` | `Resolver` update for cluster-prefixed `vault://` refs (optional, can defer) |