legionio 1.6.13 → 1.6.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8682edaf8eaf214c03e6dca287e4298260dde6482506bacee7c6ef247ad1fc8f
-  data.tar.gz: 3f045eec756ee09f7d15ea25c7d40709fd95dd71d6e277845e400c4c6be19f98
+  metadata.gz: 5796d0724836fec4f8426fa337d5c6de420fbdf81c94fa9d070ca2a1a6abd9c7
+  data.tar.gz: bbaa73b5ee1d36c1c8b7cb9536d1c7e4144464cacfe68c1b4fee55b9bfea08df
 SHA512:
-  metadata.gz: b41ad3b698ae6318ae2a6e7f1c3e0f1d34a46df6dcc183bcf644f5850d458c0d5c1ca080ddee2f81d69dce7a8d5ecdcbb7ae509295a7fd56f852e8f5af8aa189
-  data.tar.gz: 860b776fc04f33f031f07c1969058f4278b8c6a124c09920a54c40b808bdbf708454b8062be32d3960741e8cef5afd1c2c38bb546ad382dd98e528c806a46bf4
+  metadata.gz: 2c1a641e20d067fddcf0d949c3d2f11bbbcca141783b20e581f361bb916821c07e3538037e00c21f7866a12399d3a2c3ce56ad040f8af5713ff2969ea4ee1463
+  data.tar.gz: 568b3efc39291f9e2593b373eb3009db4d708fc7030b38237924d52acf2933c5a64e0aafb4e39265fe8997a7fd7a66aded647d969a4dcb3a8af1e3207afe0c29

data/.github/workflows/ci-cd.yml

@@ -4,33 +4,6 @@ on:
     branches: [main]
 
 jobs:
-  test:
-    name: Test
-    runs-on: ubuntu-latest
-    services:
-      rabbitmq:
-        image: rabbitmq:3.13-management
-        ports: ['5672:5672']
-      postgres:
-        image: postgres:16
-        env:
-          POSTGRES_PASSWORD: test
-          POSTGRES_DB: legion_test
-        ports: ['5432:5432']
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.4'
-          bundler-cache: true
-      - run: bundle install && bundle exec rspec
-      - run: bundle exec rubocop
-
   helm-lint:
     name: Helm Lint
     runs-on: ubuntu-latest

data/CHANGELOG.md

@@ -2,6 +2,56 @@
 
 ## [Unreleased]
 
+## [1.6.18] - 2026-03-27
+
+### Fixed
+- `legionio pipeline image analyze`: `call_llm` no longer passes unsupported `messages:` keyword to `Legion::LLM.chat`; now creates a chat object and sends multimodal content via `chat.ask`, returning a plain hash with `:content` and `:usage` keys
+- `legionio ai trace search/summarize`: both commands now call `setup_connection` before invoking `TraceSearch`, ensuring `Legion::LLM` is booted so `TraceSearch.generate_filter` can use structured LLM output instead of returning "no filter generated"; added `class_option :config_dir` and `class_option :verbose` to `TraceCommand`
+
+## [1.6.17] - 2026-03-27
+
+### Fixed
+- `legionio check`: `resolve_secrets!` is now called after a successful crypt check so `lease://`, `vault://`, and `env://` credential URIs are resolved before transport/data checks attempt to connect
+- `legionio check transport`: raises an early descriptive error when transport credentials are still unresolved URI references (Vault lease pending), instead of failing with a confusing connection error
+- `legionio check data`: raises an early descriptive error when database credentials are still unresolved URI references (Vault lease pending)
+- `legionio llm status/providers/models`: `boot_llm_settings` now calls `resolve_secrets!` so `env://` and `vault://` API key references are resolved before provider enabled-state is evaluated
+- `legionio llm providers`: providers with unresolved credential URIs are now shown as `deferred (credentials pending Vault)` in yellow instead of incorrectly `disabled`
+- `Connection.ensure_settings`: calls `resolve_secrets!` after loading settings so `env://` references are resolved in all CLI commands that use the lazy connection manager
+
+## [1.6.16] - 2026-03-27
+
+### Fixed
+- `config validate` transport host check now reads from `transport.connection.host` instead of `transport.host` (correct config nesting)
+- `doctor diagnose` now loads settings via `Connection.ensure_settings` before running checks, so cache/database/vault/extensions checks no longer skip due to `Legion::Settings` being undefined; also adds `ensure Connection.shutdown` for clean teardown
+
+## [1.6.15] - 2026-03-27
+
+### Added
+- Absorbers: new LEX component type for pattern-matched content acquisition
+- `Absorbers::Base` class with `pattern`/`description` DSL and knowledge helpers (`absorb_to_knowledge`, `absorb_raw`, `translate`, `report_progress`)
+- `Absorbers::Matchers::Base` auto-registering matcher interface with `Matchers::Url` for URL glob matching
+- `Absorbers::PatternMatcher` for thread-safe input-to-absorber resolution with priority-based dispatch
+- `Builders::Absorbers` for auto-discovery of absorber classes during extension boot
+- `Capability.from_absorber` factory method for Capability Registry integration
+- `AbsorberDispatch` module for pattern resolution and handler execution
+- `legionio absorb` CLI command with `url`, `list`, and `resolve` subcommands
+- `legionio dev generate absorber` scaffolding template
+
+## [1.6.14] - 2026-03-27
+
+### Added
+- `Legion::Compliance` module rewritten with DEFAULTS hash, `merge_settings` registration, and clean API
+- `Compliance.setup` registers max-classification defaults: PHI, PCI, PII, FedRAMP all enabled by default
+- `Compliance.enabled?`, `.phi_enabled?`, `.pci_enabled?`, `.pii_enabled?`, `.fedramp_enabled?` convenience methods
+- `Compliance.classification_level` returns `'confidential'` by default (highest level)
+- `Compliance.profile` returns a hash with all compliance flags for downstream consumers
+- `setup_compliance` wired into Service boot sequence after settings load
+- Compliance profile spec (8 examples)
+
+### Changed
+- `Compliance.phi_enabled?` now uses `Settings.dig(:compliance, :phi_enabled)` instead of chaining `[]` calls
+- Existing PhiTag and PhiAccessLog specs updated to use `merge_settings` instead of stubbing `Settings.[]`
+
 ## [1.6.13] - 2026-03-27
 
 ### Added

data/lib/legion/cli/absorb_command.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/absorbers'
+require 'legion/extensions/absorbers/pattern_matcher'
+require 'legion/extensions/actors/absorber_dispatch'
+
+module Legion
+  module CLI
+    class AbsorbCommand < Thor
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :json,     type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+
+      desc 'url URL', 'Absorb content from a URL'
+      option :scope, type: :string, default: 'global', desc: 'Knowledge scope (global/local/all)'
+      def url(input_url)
+        Connection.ensure_settings
+        out = formatter
+        result = Legion::Extensions::Actors::AbsorberDispatch.dispatch(
+          input:   input_url,
+          context: { scope: options[:scope]&.to_sym }
+        )
+
+        if options[:json]
+          out.json(result)
+        elsif result[:success]
+          out.success("Absorbed: #{input_url}")
+          out.detail(absorber: result[:absorber], job_id: result[:job_id])
+        else
+          out.warn("Failed: #{result[:error]}")
+        end
+      end
+
+      desc 'list', 'List registered absorber patterns'
+      def list
+        Connection.ensure_settings
+        out = formatter
+        patterns = Legion::Extensions::Absorbers::PatternMatcher.list
+
+        if options[:json]
+          out.json(patterns.map { |p| { type: p[:type], value: p[:value], description: p[:description] } })
+        elsif patterns.empty?
+          out.warn('No absorbers registered')
+        else
+          headers = %w[Type Pattern Description]
+          rows = patterns.map do |p|
+            [p[:type].to_s, p[:value], p[:description] || '']
+          end
+          out.header('Registered Absorbers')
+          out.table(headers, rows)
+        end
+      end
+
+      desc 'resolve URL', 'Show which absorber would handle a URL (dry run)'
+      def resolve(input_url)
+        Connection.ensure_settings
+        out = formatter
+        absorber = Legion::Extensions::Absorbers::PatternMatcher.resolve(input_url)
+
+        if options[:json]
+          out.json({ input: input_url, absorber: absorber&.name, match: !absorber.nil? })
+        elsif absorber
+          out.success("#{input_url} -> #{absorber.name}")
+        else
+          out.warn("No absorber registered for: #{input_url}")
+        end
+      end
+
+      no_commands do
+        def formatter
+          @formatter ||= Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli/chat/tools/run_command.rb

@@ -18,9 +18,20 @@ module Legion
           def execute(command:, timeout: 120, working_directory: nil)
             dir = working_directory ? File.expand_path(working_directory) : Dir.pwd
 
-            stdout, stderr, status = nil
-            ::Timeout.timeout(timeout) do
-              stdout, stderr, status = Open3.capture3(command, chdir: dir)
+            stdout, stderr, status = Open3.popen3(command, chdir: dir) do |stdin, out, err, wait_thr|
+              stdin.close
+              out_reader = Thread.new { out.read }
+              err_reader = Thread.new { err.read }
+
+              unless wait_thr.join(timeout)
+                ::Process.kill('TERM', wait_thr.pid)
+                wait_thr.join(5) || ::Process.kill('KILL', wait_thr.pid)
+                out_reader.kill
+                err_reader.kill
+                raise ::Timeout::Error, "command timed out after #{timeout}s"
+              end
+
+              [out_reader.value, err_reader.value, wait_thr.value]
             end
 
             output = String.new
@@ -29,11 +40,9 @@ module Legion
             output << stderr unless stderr.empty?
             output << "\n[exit code: #{status.exitstatus}]"
             output
-          rescue ::Timeout::Error => e
-            Legion::Logging.warn("RunCommand#execute timed out after #{timeout}s for command #{command}: #{e.message}") if defined?(Legion::Logging)
+          rescue ::Timeout::Error
             "[command timed out after #{timeout}s]: #{command}"
           rescue StandardError => e
-            Legion::Logging.warn("RunCommand#execute failed for command #{command}: #{e.message}") if defined?(Legion::Logging)
             "Error executing command: #{e.message}"
           end
         end

data/lib/legion/cli/check_command.rb

@@ -107,6 +107,7 @@ module Legion
 
             results[name] = run_check(name, options)
             started << name if results[name][:status] == 'pass'
+            resolve_secrets_after_crypt(name, results[name])
             print_result(formatter, name, results[name], options) unless options[:json]
           end
 
@@ -123,6 +124,15 @@ module Legion
           Legion::Logging.setup(log_level: log_level, level: log_level, trace: false)
         end
 
+        def resolve_secrets_after_crypt(name, result)
+          return unless name == :crypt && result[:status] == 'pass'
+          return unless Legion::Settings.respond_to?(:resolve_secrets!)
+
+          Legion::Settings.resolve_secrets!
+        rescue StandardError => e
+          Legion::Logging.warn("Check#run secret resolution failed: #{e.message}") if defined?(Legion::Logging)
+        end
+
         def run_check(name, options)
           start = ::Process.clock_gettime(::Process::CLOCK_MONOTONIC)
           detail = send(:"check_#{name}", options)
@@ -151,6 +161,15 @@ module Legion
         def check_transport(_options)
           require 'legion/transport'
           Legion::Settings.merge_settings('transport', Legion::Transport::Settings.default)
+          conn = Legion::Settings[:transport][:connection] || {}
+          user = conn[:user].to_s
+          pass = conn[:password].to_s
+          if user.start_with?('lease://', 'vault://') || pass.start_with?('lease://', 'vault://')
+            scheme = user[%r{\A[^:]+://}]
+            redacted = scheme ? "#{scheme}..." : '(unresolved)'
+            raise "credentials not resolved (Vault lease pending) — user: #{redacted}"
+          end
+
           Legion::Transport::Connection.setup
           if Legion::Transport::Connection.lite_mode?
             'InProcess (lite mode)'
@@ -189,6 +208,11 @@ module Legion
         def check_data(_options)
           require 'legion/data'
           Legion::Settings.merge_settings(:data, Legion::Data::Settings.default)
+          creds = Legion::Settings[:data][:creds] || Legion::Settings[:data] || {}
+          db_user = (creds[:user] || creds[:username]).to_s
+          db_pass = creds[:password].to_s
+          raise_if_unresolved_data_creds(db_user, db_pass)
+
           Legion::Data.setup
           ds = Legion::Settings[:data] || {}
           adapter = ds[:adapter] || 'sqlite'
@@ -203,6 +227,20 @@ module Legion
           end
         end
 
+        def raise_if_unresolved_data_creds(db_user, db_pass)
+          return unless db_user.start_with?('lease://', 'vault://') || db_pass.start_with?('lease://', 'vault://')
+
+          unresolved_fields = []
+          unresolved_fields << 'user'     if db_user.start_with?('lease://', 'vault://')
+          unresolved_fields << 'password' if db_pass.start_with?('lease://', 'vault://')
+          scheme_hints = []
+          scheme_hints << 'lease://...' if db_user.start_with?('lease://') || db_pass.start_with?('lease://')
+          scheme_hints << 'vault://...' if db_user.start_with?('vault://') || db_pass.start_with?('vault://')
+          details = "unresolved fields: #{unresolved_fields.join(', ')}"
+          details += " (#{scheme_hints.join(', ')})" unless scheme_hints.empty?
+          raise "credentials not resolved (Vault lease pending) — #{details}"
+        end
+
         def check_data_local(_options)
           if defined?(Legion::Data::Local) && Legion::Data::Local.respond_to?(:setup)
             Legion::Data::Local.setup unless Legion::Data::Local.respond_to?(:connected?) && Legion::Data::Local.connected?

data/lib/legion/cli/config_command.rb

@@ -119,7 +119,8 @@ module Legion
         # Check transport config
         if Connection.settings?
           transport = Legion::Settings[:transport] || {}
-          warnings << 'Transport host not configured (RabbitMQ will use default localhost)' if transport[:host].nil? || transport[:host].to_s.empty?
+          transport_host = transport.dig(:connection, :host)
+          warnings << 'Transport host not configured (RabbitMQ will use default localhost)' if transport_host.nil? || transport_host.to_s.empty?
 
           # Check data config
           data = Legion::Settings[:data] || {}

data/lib/legion/cli/connection.rb

@@ -31,6 +31,7 @@ module Legion
 
           dir = resolve_config_dir
           Legion::Settings.load(config_dir: dir)
+          Legion::Settings.resolve_secrets! if Legion::Settings.respond_to?(:resolve_secrets!)
           @settings_ready = true
         end
 

data/lib/legion/cli/doctor_command.rb

@@ -42,7 +42,12 @@ module Legion
       desc 'diagnose', 'Check environment health and suggest fixes'
       method_option :fix, type: :boolean, default: false, desc: 'Auto-fix issues where possible'
       def diagnose
-        out     = formatter
+        out = formatter
+        begin
+          Connection.ensure_settings
+        rescue StandardError => e
+          Legion::Logging.debug("Doctor#diagnose settings load failed: #{e.message}") if defined?(Legion::Logging)
+        end
         results = run_all_checks
 
         if options[:json]
@@ -54,6 +59,8 @@ module Legion
         auto_fix(results) if options[:fix]
 
         exit(1) if results.any?(&:fail?)
+      ensure
+        Connection.shutdown
       end
 
       default_task :diagnose

data/lib/legion/cli/generate_command.rb

@@ -125,6 +125,30 @@ module Legion
         out.success("Created #{message_path}")
       end
 
+      desc 'absorber NAME', 'Add an absorber to the current LEX'
+      option :url_pattern, type: :string, default: 'example.com/path/*', desc: 'URL pattern to match'
+      def absorber(name)
+        out = formatter
+        lex = detect_lex(out)
+
+        snake = name.downcase.gsub(/[^a-z0-9]/, '_')
+        class_name = snake.split('_').map(&:capitalize).join
+        lex_class = lex.split('_').map(&:capitalize).join
+        url_pat = options[:url_pattern]
+
+        absorber_path = "lib/legion/extensions/#{lex}/absorbers/#{snake}.rb"
+        spec_path = "spec/absorbers/#{snake}_spec.rb"
+
+        ensure_dir(File.dirname(absorber_path))
+        ensure_dir(File.dirname(spec_path))
+
+        File.write(absorber_path, absorber_template(lex_class, class_name, url_pat))
+        File.write(spec_path, absorber_spec_template(lex_class, class_name, url_pat))
+
+        out.success("Created #{absorber_path}")
+        out.success("Created #{spec_path}")
+      end
+
       desc 'tool NAME', 'Add a chat tool to the current LEX'
       def tool(name)
         out = formatter
@@ -360,6 +384,58 @@ module Legion
             end
           RUBY
         end
+
+        def absorber_template(lex_class, class_name, url_pat)
+          escaped_pat = url_pat.inspect
+          <<~RUBY
+            # frozen_string_literal: true
+
+            module Legion
+              module Extensions
+                module #{lex_class}
+                  module Absorbers
+                    class #{class_name} < Legion::Extensions::Absorbers::Base
+                      pattern :url, #{escaped_pat}
+                      description 'TODO: describe what this absorber handles'
+
+                      def handle(url: nil, content: nil, metadata: {}, context: {})
+                        report_progress(message: 'starting absorption')
+
+                        # TODO: implement content acquisition and processing
+                        # absorb_to_knowledge(content: text, tags: ['tag'])
+
+                        report_progress(message: 'done', percent: 100)
+                        { success: true }
+                      end
+                    end
+                  end
+                end
+              end
+            end
+          RUBY
+        end
+
+        def absorber_spec_template(lex_class, class_name, url_pat)
+          test_url = url_pat.gsub('*', 'test')
+          <<~RUBY
+            # frozen_string_literal: true
+
+            RSpec.describe Legion::Extensions::#{lex_class}::Absorbers::#{class_name} do
+              describe '.patterns' do
+                it 'has registered patterns' do
+                  expect(described_class.patterns).not_to be_empty
+                end
+              end
+
+              describe '#handle' do
+                it 'returns success' do
+                  result = described_class.new.handle(url: 'https://#{test_url}')
+                  expect(result[:success]).to be true
+                end
+              end
+            end
+          RUBY
+        end
       end
     end
   end

data/lib/legion/cli/image_command.rb

@@ -136,12 +136,26 @@ module Legion
           llm_kwargs[:model]    = options[:model]           if options[:model]
           llm_kwargs[:provider] = options[:provider].to_sym if options[:provider]
 
-          Legion::LLM.chat(messages: messages, caller: { source: 'cli', command: 'image' }, **llm_kwargs)
+          chat = Legion::LLM.chat(**llm_kwargs)
+          user_msg = messages.first
+          response = chat.ask(user_msg[:content])
+          { content: response.content, usage: extract_usage(response) }
         rescue StandardError => e
           out.error("LLM call failed: #{e.message}")
           raise SystemExit, 1
         end
 
+        def extract_usage(response)
+          return {} unless response.respond_to?(:usage) && response.usage
+
+          {
+            input_tokens:  response.usage.input_tokens,
+            output_tokens: response.usage.output_tokens
+          }
+        rescue StandardError
+          {}
+        end
+
         def render_response(out, response, meta)
           content = response[:content].to_s
           usage   = response[:usage] || {}

data/lib/legion/cli/llm_command.rb

@@ -84,6 +84,7 @@ module Legion
           Connection.config_dir = options[:config_dir] if options[:config_dir]
           Connection.log_level = options[:verbose] ? 'debug' : 'error'
           Connection.ensure_settings
+          Legion::Settings.resolve_secrets! if Legion::Settings.respond_to?(:resolve_secrets!)
           require 'legion/llm'
           Legion::Settings.merge_settings(:llm, Legion::LLM::Settings.default)
         end
@@ -121,15 +122,24 @@ module Legion
         def collect_providers
           providers_cfg = llm_settings[:providers] || {}
           providers_cfg.map do |name, cfg|
+            enabled = cfg[:enabled] == true
             {
               name:          name,
-              enabled:       cfg[:enabled] == true,
+              enabled:       enabled,
+              deferred:      !enabled && unresolved_credentials?(cfg),
               default_model: cfg[:default_model],
               reachable:     check_reachable(name, cfg)
             }
           end
         end
 
+        def unresolved_credentials?(cfg)
+          %i[api_key secret_key bearer_token password].any? do |key|
+            val = cfg[key].to_s
+            val.start_with?('vault://', 'lease://', 'env://')
+          end
+        end
+
         def check_reachable(name, cfg)
           case name
           when :ollama
@@ -293,11 +303,19 @@ module Legion
                        when false then 'enabled, unreachable'
                        else 'enabled'
                        end
+                     elsif p[:deferred]
+                       'deferred (credentials pending Vault)'
                      else
                        'disabled'
                      end
 
-            color = p[:enabled] ? :green : :muted
+            color = if p[:enabled]
+                      :green
+                    elsif p[:deferred]
+                      :yellow
+                    else
+                      :muted
+                    end
             name_str = p[:name].to_s.ljust(12)
             model_str = p[:default_model] ? " (#{p[:default_model]})" : ''
             puts "  #{out.colorize(name_str, :label)}#{out.colorize(status, color)}#{model_str}"

data/lib/legion/cli/trace_command.rb

@@ -2,6 +2,7 @@
 
 require 'thor'
 require 'legion/cli/output'
+require 'legion/cli/connection'
 
 module Legion
   module CLI
@@ -12,12 +13,16 @@ module Legion
         true
       end
 
-      class_option :json,     type: :boolean, default: false, desc: 'Output as JSON'
-      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+      class_option :json,       type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color,   type: :boolean, default: false, desc: 'Disable color output'
+      class_option :verbose,    type: :boolean, default: false, aliases: ['-V'], desc: 'Verbose logging'
+      class_option :config_dir, type: :string,                  desc: 'Config directory path'
 
       desc 'search QUERY', 'Search traces with natural language'
       option :limit, type: :numeric, default: 50, desc: 'Max results to return'
       def search(*query_parts)
+        return unless setup_connection
+
         require 'legion/trace_search'
         query = query_parts.join(' ')
         out = formatter
@@ -38,10 +43,14 @@ module Legion
         end
 
         display_results(out, result)
+      ensure
+        Legion::CLI::Connection.shutdown
       end
 
       desc 'summarize QUERY', 'Show aggregate statistics for matching traces'
       def summarize(*query_parts)
+        return unless setup_connection
+
         require 'legion/trace_search'
         query = query_parts.join(' ')
         out = formatter
@@ -62,6 +71,8 @@ module Legion
         end
 
         display_summary(out, result)
+      ensure
+        Legion::CLI::Connection.shutdown
       end
 
       default_task :search
@@ -71,6 +82,17 @@ module Legion
           @formatter ||= Output::Formatter.new(json: options[:json], color: !options[:no_color])
         end
 
+        def setup_connection
+          Legion::CLI::Connection.config_dir = options[:config_dir] if options[:config_dir]
+          Legion::CLI::Connection.log_level  = options[:verbose] ? 'debug' : 'error'
+          Legion::CLI::Connection.ensure_llm
+          Legion::CLI::Connection.ensure_data
+          true
+        rescue CLI::Error => e
+          formatter.error("Setup failed: #{e.message}")
+          false
+        end
+
         private
 
         def display_results(out, result)

data/lib/legion/cli.rb

@@ -60,7 +60,8 @@ module Legion
     autoload :Interactive, 'legion/cli/interactive'
     autoload :Docs,        'legion/cli/docs_command'
     autoload :Failover,    'legion/cli/failover_command'
-    autoload :Apollo,      'legion/cli/apollo_command'
+    autoload :AbsorbCommand, 'legion/cli/absorb_command'
+    autoload :Apollo,        'legion/cli/apollo_command'
     autoload :TraceCommand, 'legion/cli/trace_command'
     autoload :Features,     'legion/cli/features_command'
     autoload :Debug,        'legion/cli/debug_command'
@@ -276,6 +277,9 @@ module Legion
       desc 'dev SUBCOMMAND', 'Generators, docs, marketplace, and shell completion'
       subcommand 'dev', Legion::CLI::Groups::Dev
 
+      desc 'absorb SUBCOMMAND', 'Absorb content from external sources'
+      subcommand 'absorb', AbsorbCommand
+
       desc 'broker SUBCOMMAND', 'RabbitMQ broker management (stats, cleanup)'
       subcommand 'broker', Legion::CLI::Broker
 

data/lib/legion/compliance.rb

@@ -6,13 +6,69 @@ require 'legion/compliance/phi_erasure'
 
 module Legion
   module Compliance
+    DEFAULTS = {
+      enabled:              true,
+      classification_level: 'confidential',
+      phi_enabled:          true,
+      pci_enabled:          true,
+      pii_enabled:          true,
+      fedramp_enabled:      true,
+      log_redaction:        true,
+      cache_phi_max_ttl:    3600
+    }.freeze
+
     class << self
+      def setup
+        return unless defined?(Legion::Settings)
+
+        Legion::Settings.merge_settings(:compliance, DEFAULTS)
+        Legion::Logging.info('[Compliance] max-classification profile active') if defined?(Legion::Logging)
+      end
+
+      def enabled?
+        setting(:enabled) == true
+      end
+
       def phi_enabled?
-        return false unless defined?(Legion::Settings)
+        setting(:phi_enabled) == true
+      end
+
+      def pci_enabled?
+        setting(:pci_enabled) == true
+      end
+
+      def pii_enabled?
+        setting(:pii_enabled) == true
+      end
+
+      def fedramp_enabled?
+        setting(:fedramp_enabled) == true
+      end
+
+      def classification_level
+        setting(:classification_level) || 'confidential'
+      end
+
+      def profile
+        {
+          classification_level: classification_level,
+          phi:                  phi_enabled?,
+          pci:                  pci_enabled?,
+          pii:                  pii_enabled?,
+          fedramp:              fedramp_enabled?,
+          log_redaction:        setting(:log_redaction) == true,
+          cache_phi_max_ttl:    setting(:cache_phi_max_ttl) || 3600
+        }
+      end
+
+      private
+
+      def setting(key)
+        return nil unless defined?(Legion::Settings)
 
-        Legion::Settings[:compliance][:phi_enabled] == true
+        Legion::Settings.dig(:compliance, key)
       rescue StandardError
-        false
+        nil
       end
     end
   end

data/lib/legion/extensions/absorbers/base.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Absorbers
+      class Base
+        attr_accessor :job_id, :runners
+
+        class << self
+          def pattern(type, value, priority: 100)
+            @patterns ||= []
+            @patterns << { type: type, value: value, priority: priority }
+          end
+
+          def patterns
+            @patterns || []
+          end
+
+          def description(text = nil)
+            text ? @description = text : @description
+          end
+        end
+
+        def handle(url: nil, content: nil, metadata: {}, context: {})
+          raise NotImplementedError, "#{self.class.name} must implement #handle"
+        end
+
+        def absorb_to_knowledge(content:, tags: [], scope: :global, **opts)
+          return fallback_absorb(:chunker, content, tags, scope, opts) unless chunker_available?
+          return fallback_absorb(:apollo, content, tags, scope, opts) unless apollo_available?
+
+          sections = [{ heading:      opts.delete(:heading) || 'absorbed',
+                        content:      content,
+                        section_path: opts.delete(:section_path) || 'absorbed',
+                        source_file:  opts.delete(:source_file) || 'absorber' }]
+          chunks     = Legion::Extensions::Knowledge::Helpers::Chunker.chunk(sections: sections)
+          embeddings = fetch_embeddings(chunks)
+          ingest_chunks(chunks, embeddings, tags, scope, opts)
+        end
+
+        def absorb_raw(content:, tags: [], scope: :global, **)
+          if apollo_available?
+            Legion::Apollo.ingest(content: content, tags: Array(tags), scope: scope, **)
+          else
+            Legion::Logging.warn('absorb_raw: Apollo not available') if defined?(Legion::Logging)
+            { success: false, error: :apollo_not_available }
+          end
+        end
+
+        def translate(source, type: :auto)
+          raise 'legion-data is required for translate — add it to your Gemfile' unless defined?(Legion::Data::Extract)
+
+          Legion::Data::Extract.extract(source, type: type)
+        end
+
+        def report_progress(message:, percent: nil)
+          return unless job_id
+          return unless defined?(Legion::Logging)
+
+          Legion::Logging.info("absorb[#{job_id}] #{"#{percent}% " if percent}#{message}")
+        end
+
+        private
+
+        def chunker_available?
+          defined?(Legion::Extensions::Knowledge::Helpers::Chunker)
+        end
+
+        def apollo_available?
+          defined?(Legion::Apollo) &&
+            Legion::Apollo.respond_to?(:ingest) &&
+            (!Legion::Apollo.respond_to?(:started?) || Legion::Apollo.started?)
+        end
+
+        def fallback_absorb(reason, content, tags, scope, opts)
+          if defined?(Legion::Logging)
+            label = reason == :chunker ? 'lex-knowledge not available' : 'Apollo not available'
+            Legion::Logging.warn("absorb_to_knowledge: #{label}, falling back to absorb_raw")
+          end
+          absorb_raw(content: content, tags: tags, scope: scope, **opts)
+        end
+
+        def fetch_embeddings(chunks)
+          return [] unless defined?(Legion::LLM) && Legion::LLM.respond_to?(:embed_batch)
+
+          Legion::LLM.embed_batch(chunks.map { |c| c[:content] })
+        rescue StandardError
+          []
+        end
+
+        def ingest_chunks(chunks, embeddings, tags, scope, opts)
+          chunks.each_with_index do |chunk, idx|
+            vector  = embeddings.is_a?(Array) ? embeddings.dig(idx, :vector) : nil
+            payload = build_chunk_payload(chunk, tags, opts)
+            payload[:embedding] = vector if vector
+            Legion::Apollo.ingest(content: payload[:content], tags: payload[:tags],
+                                  scope: scope, **payload.except(:content, :tags))
+          end
+        end
+
+        def build_chunk_payload(chunk, tags, opts)
+          {
+            content:      chunk[:content],
+            content_type: opts[:content_type] || 'absorbed_chunk',
+            content_hash: chunk[:content_hash],
+            tags:         (Array(tags) + [chunk[:heading], 'absorbed']).compact.uniq,
+            metadata:     {
+              source_file:  chunk[:source_file],
+              heading:      chunk[:heading],
+              section_path: chunk[:section_path],
+              chunk_index:  chunk[:chunk_index],
+              token_count:  chunk[:token_count]
+            }.merge(opts.fetch(:metadata, {}))
+          }
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/absorbers/matchers/base.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Absorbers
+      module Matchers
+        class Base
+          @registry = {}
+
+          class << self
+            attr_reader :registry
+
+            def inherited(subclass)
+              super
+              TracePoint.new(:end) do |tp|
+                if tp.self == subclass
+                  register(subclass) if subclass.respond_to?(:type) && subclass.type
+                  tp.disable
+                end
+              end.enable
+            end
+
+            def register(matcher_class)
+              @registry[matcher_class.type] = matcher_class
+            end
+
+            def for_type(type)
+              @registry[type&.to_sym]
+            end
+
+            def type = nil
+
+            def match?(_pattern, _input)
+              raise NotImplementedError, "#{name} must implement .match?"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/absorbers/matchers/url.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'uri'
+
+module Legion
+  module Extensions
+    module Absorbers
+      module Matchers
+        class Url < Base
+          def self.type = :url
+
+          def self.match?(pattern, input)
+            uri = parse_uri(input)
+            return false unless uri
+
+            host_pattern, path_pattern = split_pattern(pattern)
+            return false unless host_matches?(host_pattern, uri.host)
+
+            path_matches?(path_pattern || '**', uri.path)
+          end
+
+          class << self
+            private
+
+            def parse_uri(input)
+              str = input.to_s.strip
+              str = "https://#{str}" unless str.match?(%r{\A\w+://})
+              uri = URI.parse(str)
+              return nil unless uri.is_a?(URI::HTTP) && uri.host
+
+              uri
+            rescue URI::InvalidURIError
+              nil
+            end
+
+            def split_pattern(pattern)
+              clean = pattern.sub(%r{\A\w+://}, '')
+              parts = clean.split('/', 2)
+              [parts[0], parts[1]]
+            end
+
+            def host_matches?(pattern, host)
+              return false unless host
+
+              regex = Regexp.new(
+                "\\A#{Regexp.escape(pattern).gsub('\\*', '[^.]+')}\\z",
+                Regexp::IGNORECASE
+              )
+              regex.match?(host)
+            end
+
+            def path_matches?(pattern, path)
+              path = path.to_s.sub(%r{\A/}, '')
+              escaped = Regexp.escape(pattern)
+                              .gsub('\\*\\*', '__.DOUBLE_STAR__.')
+                              .gsub('\\*', '[^/]*')
+                              .gsub('__.DOUBLE_STAR__.', '.*')
+              Regexp.new("\\A#{escaped}\\z").match?(path)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/absorbers/pattern_matcher.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Absorbers
+      module PatternMatcher
+        @registrations = []
+        @mutex = Mutex.new
+
+        module_function
+
+        def register(absorber_class)
+          @mutex.synchronize do
+            absorber_class.patterns.each do |pat|
+              @registrations << {
+                type:           pat[:type],
+                value:          pat[:value],
+                priority:       pat[:priority],
+                absorber_class: absorber_class,
+                description:    absorber_class.description
+              }
+            end
+          end
+        end
+
+        def resolve(input)
+          matches = @mutex.synchronize { @registrations.dup }.select do |reg|
+            matcher = Matchers::Base.for_type(reg[:type])
+            next false unless matcher
+
+            matcher.match?(reg[:value], input)
+          end
+          return nil if matches.empty?
+
+          matches.min_by { |m| [m[:priority], -m[:value].gsub('*', '').length] }&.dig(:absorber_class)
+        end
+
+        def list
+          @mutex.synchronize { @registrations.dup }
+        end
+
+        def registrations
+          @mutex.synchronize { @registrations.dup }
+        end
+
+        def reset!
+          @mutex.synchronize { @registrations.clear }
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/absorbers.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require_relative 'absorbers/matchers/base'
+require_relative 'absorbers/matchers/url'
+require_relative 'absorbers/base'
+require_relative 'absorbers/pattern_matcher'
+
+module Legion
+  module Extensions
+    module Absorbers
+    end
+  end
+end

data/lib/legion/extensions/actors/absorber_dispatch.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module Legion
+  module Extensions
+    module Actors
+      module AbsorberDispatch
+        module_function
+
+        def dispatch(input:, job_id: nil, context: {})
+          job_id ||= SecureRandom.hex(8)
+          absorber_class = Absorbers::PatternMatcher.resolve(input)
+
+          unless absorber_class
+            publish_event("absorb.failed.#{job_id}", job_id: job_id, error: 'no handler found for input')
+            return { success: false, error: 'no handler found for input', job_id: job_id }
+          end
+
+          absorber = absorber_class.new
+          absorber.job_id = job_id
+          result = absorber.handle(url: input, content: context[:content],
+                                   metadata: context[:metadata] || {}, context: context)
+          publish_event("absorb.complete.#{job_id}", job_id: job_id, absorber: absorber_class.name,
+                                                     result: result)
+          { success: true, job_id: job_id, absorber: absorber_class.name, result: result }
+        rescue StandardError => e
+          Legion::Logging.error("AbsorberDispatch failed: #{e.message}") if defined?(Legion::Logging)
+          publish_event("absorb.failed.#{job_id}", job_id: job_id, error: e.message)
+          { success: false, job_id: job_id, error: e.message }
+        end
+
+        def publish_event(routing_key, **payload)
+          return unless defined?(Legion::Transport)
+
+          session = Legion::Transport.respond_to?(:session) ? Legion::Transport.session : nil
+          if session.respond_to?(:open?)
+            return unless session.open?
+          elsif session.nil?
+            return
+          end
+
+          message_class =
+            if defined?(Legion::Transport::Messages::Dynamic)
+              Legion::Transport::Messages::Dynamic
+            elsif defined?(Legion::Transport::Message)
+              Legion::Transport::Message
+            end
+          return unless message_class
+
+          message_class.new(routing_key: routing_key, **payload).publish
+        rescue StandardError => e
+          Legion::Logging.warn("AbsorberDispatch publish failed: #{e.message}") if defined?(Legion::Logging)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/builders/absorbers.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require_relative 'base'
+
+module Legion
+  module Extensions
+    module Builder
+      module Absorbers
+        include Legion::Extensions::Builder::Base
+
+        def build_absorbers
+          @absorbers = {}
+          absorber_files = find_files('absorbers')
+          return if absorber_files.empty?
+
+          require_files(absorber_files)
+
+          absorber_files.each do |file|
+            snake_name  = file.split('/').last.sub('.rb', '')
+            class_name  = snake_name.split('_').collect(&:capitalize).join
+            absorber_class = "#{lex_class}::Absorbers::#{class_name}"
+
+            next unless Kernel.const_defined?(absorber_class)
+
+            klass = Kernel.const_get(absorber_class)
+            next unless klass < Legion::Extensions::Absorbers::Base
+
+            @absorbers[snake_name.to_sym] = {
+              extension:       lex_name,
+              extension_class: lex_class,
+              absorber_name:   snake_name,
+              absorber_class:  absorber_class,
+              absorber_module: klass,
+              patterns:        klass.patterns,
+              description:     klass.description
+            }
+
+            Legion::Extensions::Absorbers::PatternMatcher.register(klass)
+          end
+        rescue StandardError => e
+          Legion::Logging.error("Failed to build absorbers: #{e.message}") if defined?(Legion::Logging)
+        end
+
+        def absorbers
+          @absorbers || {}
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/capability.rb

@@ -6,6 +6,22 @@ module Legion
       :name, :extension, :runner, :function,
       :description, :parameters, :tags, :loaded_at
     ) do
+      def self.from_absorber(extension:, absorber:, patterns: [], description: nil)
+        absorber_name = absorber.name&.split('::')&.last || absorber.object_id.to_s
+        snake = absorber_name.gsub(/([A-Z])/, '_\1').sub(/^_/, '').downcase
+        canonical = "#{extension}:absorber:#{snake}"
+        new(
+          name:        canonical,
+          extension:   extension,
+          runner:      'Absorber',
+          function:    absorber_name,
+          description: description,
+          parameters:  { input: { type: :string, required: true } },
+          tags:        ['absorber'] + patterns.map { |p| "pattern:#{p[:type]}:#{p[:value]}" },
+          loaded_at:   Time.now
+        )
+      end
+
       def self.from_runner(extension:, runner:, function:, **opts)
         canonical = "#{extension}:#{runner.to_s.gsub(/([A-Z])/, '_\1').sub(/^_/, '').downcase}:#{function}"
         new(

data/lib/legion/extensions/core.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'absorbers'
+require_relative 'builders/absorbers'
 require_relative 'builders/actors'
 require_relative 'builders/helpers'
 require_relative 'builders/hooks'
@@ -49,6 +51,7 @@ module Legion
       include Legion::Extensions::Helpers::Lex
       include Legion::Extensions::Helpers::Knowledge if defined?(Legion::Extensions::Helpers::Knowledge)
 
+      include Legion::Extensions::Builder::Absorbers
       include Legion::Extensions::Builder::Runners
       include Legion::Extensions::Builder::Helpers
       include Legion::Extensions::Builder::Actors
@@ -73,6 +76,7 @@ module Legion
         end
         build_helpers
         build_runners
+        build_absorbers
         build_actors
         build_hooks
         build_routes

data/lib/legion/extensions.rb

@@ -229,6 +229,7 @@ module Legion
         Legion::Transport::Messages::LexRegister.new(function: 'save', opts: extension.runners).publish
 
         register_capabilities(entry[:gem_name], extension.runners) if extension.respond_to?(:runners)
+        register_absorber_capabilities(entry[:gem_name], extension.absorbers) if extension.respond_to?(:absorbers)
 
         if extension.respond_to?(:meta_actors) && extension.meta_actors.is_a?(Hash)
           extension.meta_actors.each_value do |actor|
@@ -502,6 +503,25 @@ module Legion
         Extensions::Catalog::Registry.unregister_extension(gem_name)
       end
 
+      def register_absorber_capabilities(gem_name, absorbers)
+        absorbers.each_value do |absorber_meta|
+          cap = Extensions::Capability.from_absorber(
+            extension:   gem_name,
+            absorber:    absorber_meta[:absorber_module],
+            patterns:    absorber_meta[:patterns],
+            description: absorber_meta[:description]
+          )
+          Extensions::Catalog::Registry.register(cap)
+        rescue StandardError => e
+          if defined?(Legion::Logging)
+            Legion::Logging.warn(
+              "Absorber catalog registration error for #{gem_name} " \
+              "(#{absorber_meta[:absorber_module]}): #{e.message}"
+            )
+          end
+        end
+      end
+
       def register_capabilities(gem_name, runners)
         runners.each_value do |runner_meta|
           runner_name = runner_meta[:runner_name]

data/lib/legion/service.rb

@@ -31,6 +31,7 @@ module Legion
       Legion::Logging.debug('Starting Legion::Service')
       setup_settings
       apply_cli_overrides(http_port: http_port)
+      setup_compliance
       setup_local_mode
       reconfigure_logging(log_level)
       Legion::Logging.info("node name: #{Legion::Settings[:client][:name]}")
@@ -225,6 +226,15 @@ module Legion
       self.class.log_privacy_mode_status
     end
 
+    def setup_compliance
+      require 'legion/compliance'
+      Legion::Compliance.setup
+    rescue LoadError => e
+      Legion::Logging.debug "Compliance module not available: #{e.message}"
+    rescue StandardError => e
+      Legion::Logging.warn "Compliance setup failed: #{e.message}"
+    end
+
     def apply_cli_overrides(http_port: nil)
       return unless http_port
 

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.6.13'
+  VERSION = '1.6.18'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.6.13
+  version: 1.6.18
 platform: ruby
 authors:
 - Esity
@@ -509,6 +509,7 @@ files:
 - lib/legion/chat/notification_queue.rb
 - lib/legion/chat/skills.rb
 - lib/legion/cli.rb
+- lib/legion/cli/absorb_command.rb
 - lib/legion/cli/acp_command.rb
 - lib/legion/cli/apollo_command.rb
 - lib/legion/cli/audit_command.rb
@@ -740,6 +741,12 @@ files:
 - lib/legion/docs/site_generator.rb
 - lib/legion/events.rb
 - lib/legion/extensions.rb
+- lib/legion/extensions/absorbers.rb
+- lib/legion/extensions/absorbers/base.rb
+- lib/legion/extensions/absorbers/matchers/base.rb
+- lib/legion/extensions/absorbers/matchers/url.rb
+- lib/legion/extensions/absorbers/pattern_matcher.rb
+- lib/legion/extensions/actors/absorber_dispatch.rb
 - lib/legion/extensions/actors/base.rb
 - lib/legion/extensions/actors/defaults.rb
 - lib/legion/extensions/actors/every.rb
@@ -750,6 +757,7 @@ files:
 - lib/legion/extensions/actors/poll.rb
 - lib/legion/extensions/actors/singleton.rb
 - lib/legion/extensions/actors/subscription.rb
+- lib/legion/extensions/builders/absorbers.rb
 - lib/legion/extensions/builders/actors.rb
 - lib/legion/extensions/builders/base.rb
 - lib/legion/extensions/builders/helpers.rb