RubyGems - legionio - Versions diffs - 1.6.7 → 1.6.9 - Mend

legionio 1.6.7 → 1.6.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/.rubocop.yml +1 -0
data/CHANGELOG.md +27 -13
data/Gemfile +2 -0
data/integration/self_generate_spec.rb +398 -0
data/lib/legion/cli/bootstrap_command.rb +399 -0
data/lib/legion/cli/chat/context.rb +11 -0
data/lib/legion/cli.rb +4 -0
data/lib/legion/extensions/helpers/lex.rb +2 -0
data/lib/legion/extensions/helpers/secret.rb +144 -0
data/lib/legion/version.rb +1 -1
metadata +4 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e025887526f8b9e258eb168a14a83d5c34e60668eadbe9e1ccd5c995e27d725c
-  data.tar.gz: a85e52dc5ec39293461e7df402f2ea8f1a410d293c28141fc935cfb6023b71df
+  metadata.gz: e67d5abaf8c274cad673af9996e29577949a9e945c66ee099b1c8e23eeff4a3f
+  data.tar.gz: 4c3113323f086005de660cd84128036d59919ee2f2482ce84a855334bab007c4
 SHA512:
-  metadata.gz: 6ecefca3ab028b370f8e590cf4fa81290e3a9e106f53a5655d11928f40ec99a0d48451ab94c9516086fd81bd5c42d4523eae4d975b9df667d8db7010656884c6
-  data.tar.gz: c5f4aa31b5431e6fb012991fe0048ac75c0d25d95e6402983590d7954491ad53e78b18d2911cb7969427cd60e63a47975d7ca89ff7642857cd857328dec559e3
+  metadata.gz: d221a3d63b90d155b24fabd47594aef550467d6136a96092208a7f710455f87f416ae4110815e323c7bfcb83aec13ec4c41dff7b2db14b0846dafbe55ca9be66
+  data.tar.gz: b495e7daddcbb0e5cbda7c93f152ca285e044972ee8b74c9d432f91e97c4536d1087539f7b8daf784910cb359935453b6aa1f9e972c8d81b688d55c8986e2f34

data/.rubocop.yml CHANGED Viewed

@@ -32,6 +32,7 @@ Metrics/BlockLength:
   Max: 40
   Exclude:
     - 'spec/**/*'
+    - 'integration/**/*'
     - 'legionio.gemspec'
     - 'lib/legion/cli/chat_command.rb'
     - 'lib/legion/cli/plan_command.rb'

data/CHANGELOG.md CHANGED Viewed

@@ -1,27 +1,41 @@
 # Legion Changelog
-## [1.6.7] - 2026-03-26
+## [Unreleased]
+### Added
+- End-to-end integration test for TBI Phase 5 self-generating functions loop (9 examples)
+- Test dependencies: lex-codegen, lex-eval added to Gemfile for integration testing
+- Specs for `legion codegen` CLI subcommand (8 subcommands, 22 examples)
+- Specs for `/api/codegen/*` API routes (8 routes, 20 examples)
+- Specs for `setup_generated_functions` boot loading in Service (4 examples)
 ### Fixed
-- `setup_generated_functions` now runs only when `extensions: true` (inside the extensions gate) preventing unexpected boot side-effects in CLI flows that disable extensions
-- Consumer tag entropy upgraded from `SecureRandom.hex(4)` (32-bit) to `SecureRandom.uuid` (122-bit) in both `prepare` and `subscribe` paths of subscription actor, eliminating the theoretical RabbitMQ `NOT_ALLOWED` tag collision
+- Guard `Legion::Transport::Messages::Dynamic` stub definition in integration spec with `unless defined?` to prevent redefinition conflicts when real implementations are present
+- Wrap `lex-codegen` and `lex-eval` requires in `LoadError` rescue guards in integration spec; sets `LEGION_CODEGEN_EXTENSION_AVAILABLE` / `LEGION_EVAL_EXTENSION_AVAILABLE` flags and skips entire example group via `before(:all)` when extensions are unavailable
+- Move `Legion::LLM.chat` stub to `RSpec.configure before(:each)` block so it always intercepts regardless of whether the real `legion-llm` gem is loaded, preventing external LLM calls in integration tests
+- Fix `service_setup_apollo_spec` "starts Apollo::Local" example: stub `Legion::Apollo.start` to prevent internal double-call of `Apollo::Local.start`
-## [1.6.6] - 2026-03-26
+## [1.6.9] - 2026-03-26
+### Added
+- `Helpers::Secret` mixin with `SecretAccessor` for per-user and per-lex Vault KV v2 secret access
+- Identity resolution chain: Kerberos principal -> Entra UPN -> explicit user -> ENV['USER']
+- `secret[:name]` / `secret[:name] = { ... }` / `secret.write` / `secret.exist?` / `secret.delete`
+- `shared: true` option for extension-scoped (non-user) secrets
+## [1.6.8] - 2026-03-26
 ### Added
 - `legionio bootstrap SOURCE` command: combines `config import`, `config scaffold`, and `setup agentic` into one command
 - Pre-flight checks for klist (Kerberos ticket), brew availability, and legionio binary
-- `--skip-packs` flag to skip gem pack installation (config-only mode)
-- `--start` flag to start redis + legionio via brew services after bootstrap
-- `--force` flag to overwrite existing config files during bootstrap
-- `--json` flag for machine-readable bootstrap output
-- `shell_capture` helper extracted to make shell invocations stubbable in specs
-- 62 specs covering preflight checks, pack extraction, config fetch/write delegation, pack install, summary output, all flags, and error handling
+- `--skip-packs`, `--start`, `--force`, `--json` flags for bootstrap command
+- Self-awareness system prompt enrichment: `Context.to_system_prompt` appends live metacognition self-narrative from `lex-agentic-self` when loaded; guarded with `defined?()` and `rescue StandardError`
-## [1.6.5] - 2026-03-26
+## [1.6.7] - 2026-03-26
-### Added
-- `Context.to_system_prompt` appends a live self-awareness section from `lex-agentic-self` Metacognition when the gem is loaded; logic extracted into `self_awareness_hint` helper to keep `to_system_prompt` within Metrics/CyclomaticComplexity limits; guarded with `defined?()` and `rescue StandardError`
+### Fixed
+- `setup_generated_functions` now runs only when `extensions: true` (inside the extensions gate) preventing unexpected boot side-effects in CLI flows that disable extensions
+- Consumer tag entropy upgraded from `SecureRandom.hex(4)` (32-bit) to `SecureRandom.uuid` (122-bit) in both `prepare` and `subscribe` paths of subscription actor, eliminating the theoretical RabbitMQ `NOT_ALLOWED` tag collision
 ## [1.6.4] - 2026-03-26

data/Gemfile CHANGED Viewed

@@ -23,6 +23,8 @@ gem 'mysql2'
 group :test do
   gem 'graphql'
+  gem 'lex-codegen'
+  gem 'lex-eval'
   gem 'rack-test'
   gem 'rake'
   gem 'rspec'

data/integration/self_generate_spec.rb ADDED Viewed

@@ -0,0 +1,398 @@
+# frozen_string_literal: true
+require 'rspec'
+require 'tmpdir'
+require 'fileutils'
+# Load core gems
+require 'legion/json'
+require 'legion/logging'
+require 'legion/settings'
+# Stub modules that may not be available in isolation
+unless defined?(Legion::Transport::Messages::Dynamic)
+  module Legion
+    module Transport
+      module Messages
+        class Dynamic
+          attr_reader :function, :data
+          def initialize(function:, data:, **)
+            @function = function
+            @data = data
+          end
+          def publish
+            Legion::Transport::Local.publish('codegen', @function, Legion::JSON.dump(@data))
+          end
+        end
+      end
+    end
+  end
+end
+# Ensure Legion::LLM module exists so it can be stubbed, but don't overwrite a real implementation.
+unless defined?(Legion::LLM)
+  module Legion
+    module LLM
+    end
+  end
+end
+# Load transport Local for InProcess mode
+require 'legion/transport/local'
+# Load codegen extension
+begin
+  require 'legion/extensions/codegen'
+  LEGION_CODEGEN_EXTENSION_AVAILABLE = true
+rescue LoadError => e
+  LEGION_CODEGEN_EXTENSION_AVAILABLE = false
+  warn "lex-codegen / legion codegen extension not available; skipping dependent behavior: #{e.message}"
+end
+# Load eval extension (only code_review runner + security evaluator)
+begin
+  require 'legion/extensions/eval'
+  LEGION_EVAL_EXTENSION_AVAILABLE = true
+rescue LoadError => e
+  LEGION_EVAL_EXTENSION_AVAILABLE = false
+  warn "lex-eval / legion eval extension not available; skipping dependent behavior: #{e.message}"
+end
+# Stub MCP Server if not available
+unless defined?(Legion::MCP::Server)
+  module Legion
+    module MCP
+      module Server
+        @tool_registry = []
+        @tool_registry_lock = Mutex.new
+        class << self
+          attr_reader :tool_registry
+          def register_tool(tool_class)
+            @tool_registry_lock.synchronize do
+              return if tool_registry.any? { |tc| tc.respond_to?(:tool_name) && tc.tool_name == tool_class.tool_name }
+              tool_registry << tool_class
+            end
+          end
+          def unregister_tool(tool_name)
+            @tool_registry_lock.synchronize do
+              tool_registry.reject! { |tc| tc.respond_to?(:tool_name) && tc.tool_name == tool_name }
+            end
+          end
+          def reset_caches!; end
+        end
+      end
+    end
+  end
+end
+LLM_STUB_CODE = <<~RUBY
+  # frozen_string_literal: true
+  module Legion
+    module Generated
+      module GreetUser
+        extend self
+        def greet(name:)
+          { success: true, greeting: "Hello, \#{name}!" }
+        end
+      end
+    end
+  end
+RUBY
+RSpec.configure do |config|
+  config.disable_monkey_patching!
+  config.expect_with(:rspec) { |c| c.syntax = :expect }
+  config.before(:each) do
+    allow(Legion::LLM).to receive(:chat) do |messages:, _caller: nil, **_kwargs|
+      messages.last[:content]
+      Struct.new(:content).new(LLM_STUB_CODE)
+    end
+  end
+end
+RSpec.describe 'Self-Generating Functions End-to-End' do
+  # Skip this entire example group if the required extensions are not available.
+  before(:all) do
+    extensions_unavailable =
+      (defined?(LEGION_CODEGEN_EXTENSION_AVAILABLE) && !LEGION_CODEGEN_EXTENSION_AVAILABLE) ||
+      (defined?(LEGION_EVAL_EXTENSION_AVAILABLE) && !LEGION_EVAL_EXTENSION_AVAILABLE)
+    skip('Legion Codegen/Eval extensions are not available; skipping self-generate integration specs.') if extensions_unavailable
+  end
+  let(:output_dir) { Dir.mktmpdir('legion_e2e_codegen') }
+  before do
+    # Reset Local transport
+    Legion::Transport::Local.reset! if Legion::Transport::Local.respond_to?(:reset!)
+    # Reset GeneratedRegistry (only if Codegen extension is loaded)
+    Legion::Extensions::Codegen::Helpers::GeneratedRegistry.reset! if defined?(Legion::Extensions::Codegen::Helpers::GeneratedRegistry)
+    # Configure settings for test
+    allow(Legion::Settings).to receive(:dig).and_return(nil)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :enabled).and_return(true)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :cooldown_seconds).and_return(0)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :max_gaps_per_cycle).and_return(5)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :runner_method, :output_dir).and_return(output_dir)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :validation).and_return(
+      { syntax_check: true, run_specs: false, llm_review: false, max_retries: 2 }
+    )
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :corroboration, :enabled).and_return(false)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :corroboration, :min_agents).and_return(2)
+    allow(Legion::Settings).to receive(:dig).with(:node, :name).and_return('test-node')
+    allow(Legion::Settings).to receive(:[]).and_return(nil)
+  end
+  after do
+    FileUtils.rm_rf(output_dir)
+  end
+  describe 'gap detection -> generation -> validation -> registration' do
+    let(:synthetic_gap) do
+      {
+        gap_id:           'gap_e2e_001',
+        gap_type:         'unmatched_intent',
+        intent:           'greet user',
+        occurrence_count: 3,
+        priority:         0.7,
+        metadata:         {}
+      }
+    end
+    it 'generates code from a gap and passes validation' do
+      # Phase 1: GapSubscriber receives a gap and generates code
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      expect(generation[:generation_id]).to start_with('gen_')
+      expect(generation[:tier]).to eq(:simple)
+      expect(generation[:code]).to include('module Legion')
+      expect(generation[:file_path]).to start_with(output_dir)
+      expect(File.exist?(generation[:file_path])).to be true
+    end
+    it 'validates generated code through the review pipeline' do
+      # Phase 1: Generate
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      # Phase 2: Review (simulating what CodeReviewSubscriber does)
+      review = Legion::Extensions::Eval::Runners::CodeReview.review_generated(
+        code:      generation[:code],
+        spec_code: generation[:spec_code],
+        context:   { gap_type: 'unmatched_intent', intent: 'greet user' }
+      )
+      expect(review[:passed]).to be true
+      expect(review[:verdict]).to eq(:approve)
+      expect(review[:confidence]).to be > 0.0
+      expect(review[:stages][:syntax][:passed]).to be true
+      expect(review[:stages][:security][:passed]).to be true
+    end
+    it 'registers approved code via ReviewHandler' do
+      # Phase 1: Generate
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      # Phase 2: Persist to registry
+      registry_record = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      expect(registry_record[:status]).to eq('pending')
+      # Phase 3: Review
+      review_result = {
+        generation_id: generation[:generation_id],
+        verdict:       :approve,
+        confidence:    0.95,
+        issues:        [],
+        scores:        {}
+      }
+      # Phase 4: ReviewHandler processes the verdict
+      result = Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(review: review_result)
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:approved)
+      # Verify registry updated
+      record = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.get(id: generation[:generation_id])
+      expect(record[:status]).to eq('approved')
+    end
+    it 'parks rejected code' do
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      result = Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(
+        review: { generation_id: generation[:generation_id], verdict: :reject, confidence: 0.1, issues: ['unsafe code'] }
+      )
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:parked)
+      record = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.get(id: generation[:generation_id])
+      expect(record[:status]).to eq('parked')
+    end
+    it 'retries on revise verdict up to max_retries then parks' do
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:            generation[:generation_id],
+          gap_id:        generation[:gap_id],
+          gap_type:      generation[:gap_type],
+          tier:          generation[:tier],
+          name:          'greet_user',
+          file_path:     generation[:file_path],
+          spec_path:     generation[:spec_path],
+          attempt_count: 2
+        }
+      )
+      result = Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(
+        review: { generation_id: generation[:generation_id], verdict: :revise, confidence: 0.4, issues: ['needs improvement'] }
+      )
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:parked)
+    end
+    it 'exercises the full loop: generate -> validate -> register -> boot load' do
+      # Step 1: Generate
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      # Step 2: Validate
+      review = Legion::Extensions::Eval::Runners::CodeReview.review_generated(
+        code: generation[:code], spec_code: generation[:spec_code], context: {}
+      )
+      expect(review[:verdict]).to eq(:approve)
+      # Step 3: Persist + Approve
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(
+        review: { generation_id: generation[:generation_id], verdict: :approve, confidence: 0.95, issues: [] }
+      )
+      # Step 4: Boot load (simulates service restart)
+      loaded = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.load_on_boot
+      expect(loaded).to eq(1)
+      # Step 5: Verify the generated module is actually loaded
+      expect(defined?(Legion::Generated::GreetUser)).to be_truthy
+      result = Legion::Generated::GreetUser.greet(name: 'World')
+      expect(result[:success]).to be true
+      expect(result[:greeting]).to eq('Hello, World!')
+    end
+  end
+  describe 'tier classification' do
+    it 'classifies low occurrence gaps as simple' do
+      tier = Legion::Extensions::Codegen::Helpers::TierClassifier.classify(gap: { occurrence_count: 5 })
+      expect(tier).to eq(:simple)
+    end
+    it 'classifies high occurrence gaps as complex' do
+      allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :tier, :simple_max_occurrences).and_return(10)
+      tier = Legion::Extensions::Codegen::Helpers::TierClassifier.classify(gap: { occurrence_count: 15 })
+      expect(tier).to eq(:complex)
+    end
+  end
+  describe 'ReviewSubscriber actor' do
+    it 'routes verdict through ReviewHandler' do
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(
+        gap_id: 'gap_rs_001', gap_type: 'unmatched_intent', intent: 'greet user',
+        occurrence_count: 3, priority: 0.7
+      )
+      expect(generation[:success]).to be true
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      review_sub = Object.new
+      review_sub.extend(Legion::Extensions::Codegen::Actor::ReviewSubscriber)
+      result = review_sub.action(
+        generation_id: generation[:generation_id],
+        verdict:       'approve',
+        confidence:    0.9,
+        issues:        [],
+        scores:        {}
+      )
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:approved)
+    end
+  end
+end

data/lib/legion/cli/bootstrap_command.rb ADDED Viewed

@@ -0,0 +1,399 @@
+# frozen_string_literal: true
+require 'English'
+require 'json'
+require 'fileutils'
+require 'rbconfig'
+require 'thor'
+require 'legion/cli/output'
+module Legion
+  module CLI
+    class Bootstrap < Thor
+      namespace 'bootstrap'
+      def self.exit_on_failure?
+        true
+      end
+      class_option :json,       type: :boolean, default: false, desc: 'Machine-readable output'
+      class_option :no_color,   type: :boolean, default: false, desc: 'Disable color output'
+      class_option :skip_packs, type: :boolean, default: false, desc: 'Skip gem pack installation (config only)'
+      class_option :start,      type: :boolean, default: false, desc: 'Start redis + legionio via brew services after bootstrap'
+      class_option :force,      type: :boolean, default: false, desc: 'Overwrite existing config files'
+      desc 'SOURCE', 'Bootstrap Legion from a URL or local config file (fetch config, scaffold, install packs)'
+      long_desc <<~DESC
+        Combines three manual steps into one:
+          legionio config import SOURCE   (fetch + write config)
+          legionio config scaffold        (fill gaps with env-detected defaults)
+          legionio setup agentic          (install cognitive gem packs)
+        SOURCE may be an HTTPS URL or a local file path to a bootstrap JSON file.
+        The JSON may include a "packs" array (e.g. ["agentic"]) which controls which
+        gem packs are installed. That key is removed before the config is written.
+        Options:
+          --skip-packs   Skip gem pack installation entirely
+          --start        After bootstrap, run: brew services start redis && brew services start legionio
+          --force        Overwrite existing config files
+          --json         Machine-readable JSON output
+      DESC
+      def execute(source)
+        require_relative 'config_import'
+        require_relative 'config_scaffold'
+        require_relative 'setup_command'
+        out     = formatter
+        results = {}
+        warns   = []
+        # 1. Pre-flight checks
+        print_step(out, 'Pre-flight checks')
+        results[:preflight] = run_preflight_checks(out, warns)
+        # 2. Fetch + parse config
+        print_step(out, "Fetching config from #{source}")
+        body   = ConfigImport.fetch_source(source)
+        config = ConfigImport.parse_payload(body)
+        # 3. Extract packs before writing (bootstrap-only directive)
+        pack_names = Array(config.delete(:packs)).map(&:to_s).reject(&:empty?)
+        results[:packs_requested] = pack_names
+        # 4. Write config
+        path = ConfigImport.write_config(config, force: options[:force])
+        results[:config_written] = path
+        out.success("Config written to #{path}") unless options[:json]
+        # 5. Scaffold missing subsystem files
+        results[:scaffold] = run_scaffold(out)
+        # 6. Install packs (unless --skip-packs)
+        results[:packs_installed] = install_packs_step(pack_names, out)
+        # 7. Post-bootstrap summary
+        summary = build_summary(config, results, warns)
+        results[:summary] = summary
+        print_summary(out, summary)
+        # 8. Optional --start
+        if options[:start]
+          print_step(out, 'Starting services')
+          results[:services_started] = start_services(out)
+        end
+        out.json(results) if options[:json]
+      rescue CLI::Error => e
+        formatter.error(e.message)
+        raise SystemExit, 1
+      end
+      default_task :execute
+      no_commands do # rubocop:disable Metrics/BlockLength
+        def formatter
+          @formatter ||= Output::Formatter.new(
+            json:  options[:json],
+            color: !options[:no_color]
+          )
+        end
+        private
+        def print_step(out, message)
+          return if options[:json]
+          out.spacer
+          out.header(message)
+        end
+        # Wraps backtick execution, returning [output, success_bool].
+        # Extracted as a method so specs can stub it cleanly.
+        def shell_capture(cmd)
+          output = `#{cmd} 2>&1`
+          [output, $CHILD_STATUS.success?]
+        end
+        # -----------------------------------------------------------------------
+        # Pre-flight checks
+        # -----------------------------------------------------------------------
+        def run_preflight_checks(out, warns)
+          {
+            klist:    check_klist(out, warns),
+            brew:     check_brew(out, warns),
+            legionio: check_legionio_binary(out, warns)
+          }
+        end
+        def check_klist(out, warns)
+          output, success = shell_capture('klist')
+          if success && output.match?(/principal|Credentials/i)
+            out.success('Kerberos ticket valid') unless options[:json]
+            { status: :ok }
+          else
+            msg = 'No valid Kerberos ticket found. Run `kinit` before bootstrapping.'
+            warns << msg
+            out.warn(msg) unless options[:json]
+            { status: :warn, message: msg }
+          end
+        rescue StandardError => e
+          msg = "klist check failed: #{e.message}"
+          warns << msg
+          out.warn(msg) unless options[:json]
+          { status: :warn, message: msg }
+        end
+        def check_brew(out, warns)
+          _, success = shell_capture('brew --version')
+          if success
+            out.success('Homebrew available') unless options[:json]
+            { status: :ok }
+          else
+            msg = 'Homebrew not found. Install from https://brew.sh'
+            warns << msg
+            out.warn(msg) unless options[:json]
+            { status: :warn, message: msg }
+          end
+        rescue StandardError => e
+          msg = "brew check failed: #{e.message}"
+          warns << msg
+          out.warn(msg) unless options[:json]
+          { status: :warn, message: msg }
+        end
+        def check_legionio_binary(out, warns)
+          _, success = shell_capture('legionio version')
+          if success
+            out.success('legionio binary works') unless options[:json]
+            { status: :ok }
+          else
+            msg = 'legionio binary not responding. Try reinstalling: brew reinstall legionio'
+            warns << msg
+            out.warn(msg) unless options[:json]
+            { status: :warn, message: msg }
+          end
+        rescue StandardError => e
+          msg = "legionio binary check failed: #{e.message}"
+          warns << msg
+          out.warn(msg) unless options[:json]
+          { status: :warn, message: msg }
+        end
+        def run_scaffold(out)
+          print_step(out, 'Scaffolding missing subsystem files')
+          silent_out    = Output::Formatter.new(json: false, color: false)
+          scaffold_opts = build_scaffold_opts
+          scaffold_opts[:json] = false if options[:json]
+          ConfigScaffold.run(options[:json] ? silent_out : out, scaffold_opts)
+          :done
+        end
+        def install_packs_step(pack_names, out)
+          if options[:skip_packs]
+            out.warn('Skipping pack installation (--skip-packs)') unless options[:json]
+            []
+          else
+            print_step(out, "Installing packs: #{pack_names.join(', ')}") unless pack_names.empty?
+            install_packs(pack_names, out)
+          end
+        end
+        # -----------------------------------------------------------------------
+        # Scaffold options
+        # -----------------------------------------------------------------------
+        def build_scaffold_opts
+          {
+            force: options[:force],
+            json:  options[:json],
+            only:  options[:only],
+            full:  options[:full],
+            dir:   options[:dir]
+          }
+        end
+        # -----------------------------------------------------------------------
+        # Pack installation
+        # -----------------------------------------------------------------------
+        def install_packs(pack_names, out)
+          return [] if pack_names.empty?
+          gem_bin  = File.join(RbConfig::CONFIG['bindir'], 'gem')
+          results  = []
+          pack_names.each do |pack_name|
+            pack_sym = pack_name.to_sym
+            pack     = Setup::PACKS[pack_sym]
+            unless pack
+              out.warn("Unknown pack: #{pack_name} (valid: #{Setup::PACKS.keys.join(', ')})") unless options[:json]
+              next
+            end
+            out.header("Installing pack: #{pack_name}") unless options[:json]
+            gem_results = install_pack_gems(pack[:gems], gem_bin, out)
+            Gem::Specification.reset
+            results << { pack: pack_name, results: gem_results }
+          end
+          results
+        end
+        def install_pack_gems(gem_names, gem_bin, out)
+          already_installed = []
+          to_install        = []
+          gem_names.each do |name|
+            Gem::Specification.find_by_name(name)
+            already_installed << name
+          rescue Gem::MissingSpecError
+            to_install << name
+          end
+          gem_results = to_install.map { |g| install_single_gem(g, gem_bin, out) }
+          already_installed.each do |g|
+            out.success("  #{g} already installed") unless options[:json]
+          end
+          gem_results
+        end
+        def install_single_gem(name, gem_bin, out)
+          puts "  Installing #{name}..." unless options[:json]
+          output, success = shell_capture("#{gem_bin} install #{name} --no-document")
+          if success
+            out.success("  #{name} installed") unless options[:json]
+            { name: name, status: 'installed' }
+          else
+            out.error("  #{name} failed") unless options[:json]
+            { name: name, status: 'failed', error: output.strip.lines.last&.strip }
+          end
+        end
+        # -----------------------------------------------------------------------
+        # Summary
+        # -----------------------------------------------------------------------
+        def build_summary(config, results, warns)
+          settings_dir = ConfigImport::SETTINGS_DIR
+          subsystem_files = ConfigScaffold::SUBSYSTEMS.to_h do |s|
+            path = File.join(settings_dir, "#{s}.json")
+            [s, File.exist?(path)]
+          end
+          {
+            config_sections: config.keys.map(&:to_s),
+            packs_requested: results[:packs_requested] || [],
+            packs_installed: results[:packs_installed] || [],
+            subsystem_files: subsystem_files,
+            warnings:        warns,
+            preflight:       results[:preflight] || {}
+          }
+        end
+        def print_summary(out, summary)
+          return if options[:json]
+          out.spacer
+          out.header('Bootstrap Summary')
+          out.spacer
+          print_config_sections(summary)
+          print_subsystem_files(summary)
+          print_packs_summary(out, summary)
+          print_warnings_section(out, summary)
+          print_next_steps(out)
+        end
+        def print_config_sections(summary)
+          puts "  Config sections: #{summary[:config_sections].join(', ')}" if summary[:config_sections].any?
+        end
+        def print_subsystem_files(summary)
+          present = summary[:subsystem_files].select { |_, v| v }.keys
+          absent  = summary[:subsystem_files].reject { |_, v| v }.keys
+          puts "  Subsystem files present: #{present.join(', ')}" if present.any?
+          puts "  Subsystem files missing: #{absent.join(', ')}"  if absent.any?
+        end
+        def print_packs_summary(out, summary)
+          summary[:packs_installed].each do |pack_result|
+            successes = (pack_result[:results] || []).count { |r| r[:status] == 'installed' }
+            failures  = (pack_result[:results] || []).count { |r| r[:status] == 'failed' }
+            if failures.zero?
+              out.success("Pack #{pack_result[:pack]}: #{successes} gem(s) installed")
+            else
+              out.warn("Pack #{pack_result[:pack]}: #{successes} installed, #{failures} failed")
+            end
+          end
+          out.warn('Pack installation skipped') if options[:skip_packs]
+        end
+        def print_warnings_section(out, summary)
+          return unless summary[:warnings].any?
+          out.spacer
+          out.header('Attention')
+          summary[:warnings].each { |w| out.warn(w) }
+        end
+        def print_next_steps(out)
+          return if options[:start]
+          out.spacer
+          puts '  Next steps:'
+          puts '    brew services start redis && brew services start legionio'
+          puts '    legion'
+        end
+        # -----------------------------------------------------------------------
+        # Service startup (--start)
+        # -----------------------------------------------------------------------
+        def start_services(out)
+          redis_ok   = run_brew_service('redis', out)
+          legion_ok  = run_brew_service('legionio', out)
+          poll_daemon_ready(out) if redis_ok && legion_ok
+          { redis: redis_ok, legionio: legion_ok }
+        end
+        def run_brew_service(service, out)
+          output, success = shell_capture("brew services start #{service}")
+          if success
+            out.success("#{service} started") unless options[:json]
+            true
+          else
+            out.warn("#{service} failed to start: #{output.strip.lines.last&.strip}") unless options[:json]
+            false
+          end
+        rescue StandardError => e
+          out.warn("brew services start #{service} raised: #{e.message}") unless options[:json]
+          false
+        end
+        def poll_daemon_ready(out, port: 4567, timeout: 30)
+          require 'net/http'
+          deadline = ::Time.now + timeout
+          until ::Time.now > deadline
+            begin
+              resp = Net::HTTP.get_response(URI("http://localhost:#{port}/api/ready"))
+              if resp.is_a?(Net::HTTPSuccess)
+                out.success("Daemon ready on port #{port}") unless options[:json]
+                return true
+              end
+            rescue StandardError
+              # not ready yet — keep polling
+            end
+            sleep 1
+          end
+          out.warn("Daemon did not become ready within #{timeout}s") unless options[:json]
+          false
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli/chat/context.rb CHANGED Viewed

@@ -61,6 +61,7 @@ module Legion
           end
           parts << cognitive_awareness(directory)
+          parts << self_awareness_hint
           extra_dirs.each do |dir|
             expanded = File.expand_path(dir)
@@ -181,6 +182,16 @@ module Legion
           end
           nil
         end
+        def self.self_awareness_hint
+          return nil unless defined?(Legion::Extensions::Agentic::Self::Metacognition::Runners::Metacognition)
+          result = Legion::Extensions::Agentic::Self::Metacognition::Runners::Metacognition.self_narrative
+          narrative = result[:prose] if result.is_a?(Hash) && result[:prose]
+          narrative ? "\nCurrent self-awareness:\n#{narrative}" : nil
+        rescue StandardError
+          nil
+        end
       end
     end
   end

data/lib/legion/cli.rb CHANGED Viewed

@@ -65,6 +65,7 @@ module Legion
     autoload :Features,     'legion/cli/features_command'
     autoload :Debug,        'legion/cli/debug_command'
     autoload :CodegenCommand, 'legion/cli/codegen_command'
+    autoload :Bootstrap,      'legion/cli/bootstrap_command'
     module Groups
       autoload :Ai,       'legion/cli/groups/ai_group'
@@ -236,6 +237,9 @@ module Legion
       desc 'setup SUBCOMMAND', 'Install feature packs and configure IDE integrations'
       subcommand 'setup', Legion::CLI::Setup
+      desc 'bootstrap SOURCE', 'One-command setup: fetch config, scaffold, and install packs'
+      subcommand 'bootstrap', Legion::CLI::Bootstrap
       desc 'update', 'Update Legion gems to latest versions'
       subcommand 'update', Legion::CLI::Update

data/lib/legion/extensions/helpers/lex.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'legion/json/helper'
+require_relative 'secret'
 module Legion
   module Extensions
@@ -9,6 +10,7 @@ module Legion
         include Legion::Extensions::Helpers::Core
         include Legion::Extensions::Helpers::Logger
         include Legion::JSON::Helper
+        include Legion::Extensions::Helpers::Secret
         module ClassMethods
           def expose_as_mcp_tool(value = :_unset)

data/lib/legion/extensions/helpers/secret.rb ADDED Viewed

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+module Legion
+  module Extensions
+    module Helpers
+      class SecretAccessor
+        def initialize(lex_name:)
+          @lex_name = lex_name
+          @warned = false
+        end
+        def [](name, shared: false, user: nil)
+          return nil unless crypt_available?
+          Legion::Crypt.get(resolve_path(name, shared: shared, user: user))
+        rescue StandardError => e
+          log_warn("secret read failed for #{name}: #{e.message}")
+          nil
+        end
+        def []=(name, value)
+          return unless crypt_available?
+          Legion::Crypt.write(resolve_path(name, shared: false, user: nil), **value)
+        rescue StandardError => e
+          log_warn("secret write failed for #{name}: #{e.message}")
+        end
+        def write(name, shared: false, user: nil, **data)
+          return false unless crypt_available?
+          Legion::Crypt.write(resolve_path(name, shared: shared, user: user), **data)
+          true
+        rescue StandardError => e
+          log_warn("secret write failed for #{name}: #{e.message}")
+          false
+        end
+        def exist?(name, shared: false, user: nil)
+          return false unless crypt_available?
+          Legion::Crypt.exist?(resolve_path(name, shared: shared, user: user))
+        rescue StandardError
+          false
+        end
+        def delete(name, shared: false, user: nil)
+          return false unless crypt_available?
+          Legion::Crypt.delete(resolve_path(name, shared: shared, user: user))
+          true
+        rescue StandardError => e
+          log_warn("secret delete failed for #{name}: #{e.message}")
+          false
+        end
+        private
+        def resolve_path(name, shared:, user:)
+          prefix = shared ? 'shared' : "users/#{resolve_user(user)}"
+          "#{prefix}/#{@lex_name}/#{name}"
+        end
+        def resolve_user(explicit_user)
+          return explicit_user if explicit_user
+          Secret.resolved_identity || ENV.fetch('USER', 'default')
+        end
+        def crypt_available?
+          return false unless defined?(Legion::Crypt)
+          unless @warned || vault_connected?
+            log_warn('Vault not connected — secret operations may fail')
+            @warned = true
+          end
+          true
+        end
+        def vault_connected?
+          defined?(Legion::Settings) &&
+            Legion::Settings[:crypt]&.dig(:vault, :connected) == true
+        rescue StandardError
+          false
+        end
+        def log_warn(msg)
+          Legion::Logging.warn("[Secret] #{msg}") if defined?(Legion::Logging)
+        end
+      end
+      module Secret
+        @resolved_identity = nil
+        @identity_source = nil
+        class << self
+          attr_reader :resolved_identity, :identity_source
+          def resolve_identity!
+            @resolved_identity = nil
+            @identity_source = nil
+            if defined?(Legion::Crypt) && Legion::Crypt.respond_to?(:kerberos_principal) &&
+               Legion::Crypt.kerberos_principal
+              @resolved_identity = Legion::Crypt.kerberos_principal
+              @identity_source = :kerberos
+            elsif entra_principal
+              @resolved_identity = entra_principal
+              @identity_source = :entra
+            end
+            @resolved_identity
+          end
+          def reset_identity!
+            @resolved_identity = nil
+            @identity_source = nil
+          end
+          private
+          def entra_principal
+            return nil unless defined?(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache)
+            cache = Legion::Extensions::MicrosoftTeams::Helpers::TokenCache
+            return nil unless cache.respond_to?(:instance)
+            instance = cache.instance
+            return nil unless instance.respond_to?(:user_principal)
+            principal = instance.user_principal
+            principal unless principal.nil? || principal.empty?
+          rescue StandardError
+            nil
+          end
+        end
+        def secret
+          @secret ||= SecretAccessor.new(lex_name: lex_name)
+        end
+      end
+    end
+  end
+end

data/lib/legion/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Legion
-  VERSION = '1.6.7'
+  VERSION = '1.6.9'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.6.7
+  version: 1.6.9
 platform: ruby
 authors:
 - Esity
@@ -433,6 +433,7 @@ files:
 - docs/README.md
 - exe/legion
 - exe/legionio
+- integration/self_generate_spec.rb
 - legionio.gemspec
 - lib/legion.rb
 - lib/legion/alerts.rb
@@ -512,6 +513,7 @@ files:
 - lib/legion/cli/apollo_command.rb
 - lib/legion/cli/audit_command.rb
 - lib/legion/cli/auth_command.rb
+- lib/legion/cli/bootstrap_command.rb
 - lib/legion/cli/chain.rb
 - lib/legion/cli/chain_command.rb
 - lib/legion/cli/chat/agent_delegator.rb
@@ -766,6 +768,7 @@ files:
 - lib/legion/extensions/helpers/lex.rb
 - lib/legion/extensions/helpers/llm.rb
 - lib/legion/extensions/helpers/logger.rb
+- lib/legion/extensions/helpers/secret.rb
 - lib/legion/extensions/helpers/segments.rb
 - lib/legion/extensions/helpers/task.rb
 - lib/legion/extensions/helpers/transport.rb