legionio 1.7.19 → 1.7.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2114c2b32ae4dbc1650bef546391f6abb1499a0b9d96d577739503c47caba79
-  data.tar.gz: 1e95267b23de0b635ffb32c9f745f58fe0bac63aa7d806a6581e3557b9b1aad6
+  metadata.gz: f1c44047319bdcf02eb061d73517101f695f380d976cb65ad9e2a0d2afb824b2
+  data.tar.gz: e756182d3fdfea35882961412f7d3093884d7477954c3b67d2037039ad310189
 SHA512:
-  metadata.gz: 56c140c38d73a16c97574b405c4f27bdb91de199758692e76aecd0ec55afad66acab08fc011cf31a658df408cfcf8506e5e2971f4fbe92a4276e8856153a7481
-  data.tar.gz: 903faf2b78e2f27e1176e03558138f58ee9e6bdfcc34ac3f61c8c933424a0f7a0c641ba97d38d27c527b41cad93c9d8f69bffb64fed8a032a5d1aeb2bd6cb5ff
+  metadata.gz: 1178b2efaadc7801e37a68fd556add983eede7acd3f01dd1c744b029c8e048dc7ac681db0b578fc545419ca8d4f447cc518d3f7d5c2b351323350c1ae9ea908c
+  data.tar.gz: c9f34008bef206a7108cbc4013213342c4bc25fa6396884fec1e471b3b6d46d7110027214a0829c05a0d59d59c348fad8726d089c03ffbb1b40ce5f7d9de10a7

data/.rubocop.yml

@@ -3,6 +3,9 @@ AllCops:
   NewCops: enable
   SuggestExtensions: false
 
+Style/RedundantConstantBase:
+  Enabled: false
+
 Layout/LineLength:
   Max: 160
   Exclude:

data/CHANGELOG.md

@@ -2,6 +2,38 @@
 
 ## [Unreleased]
 
+## [1.7.21] - 2026-04-06
+### Fixed
+- Optional components (rbac, llm, apollo, gaia) no longer block readiness when not installed
+- Split `Readiness::COMPONENTS` into `REQUIRED_COMPONENTS` and `OPTIONAL_COMPONENTS`
+- Added `Readiness.mark_skipped` for components that are absent or disabled
+- Reload path now correctly marks optional components as skipped when not loaded
+
+## [1.7.20] - 2026-04-06
+### Added
+- `Legion::Mode` module with `LEGACY_MAP`, ENV/Settings fallback chain, `agent?`/`worker?`/`infra?`/`lite?` predicates
+- `Legion.instance_id` — UUID computed at load time, ENV override via `LEGIONIO_INSTANCE_ID`
+- `Legion::Identity::Process` singleton — process identity with `bind!`, `bind_fallback!`, `queue_prefix` per-mode, `AtomicReference` thread safety
+- `Legion::Identity::Request` — per-request immutable identity with `from_env`, `from_auth_context`, `to_caller_hash`, `to_rbac_principal`
+- `Legion::Identity::Lease` — credential lease value object with `expired?`, `stale?` (50% TTL), `ttl_seconds`, `valid?`
+- `Legion::Identity::LeaseRenewer` — background thread per provider, 50% TTL renewal, cooperative shutdown (no `Thread#kill`)
+- `Legion::Identity::Broker` — provider management with groups cache (60s TTL, single-flight CAS), `token_for`, `credentials_for`, `shutdown`
+- `Legion::Identity::Middleware` — Rack middleware bridging `legion.auth` to `legion.principal` (`Identity::Request`)
+- `setup_identity` boot step 9 — parallel provider resolution via `Concurrent::Promises`, fallback to `ENV['USER']`
+- Extension publish suppression — defers `LexRegister.publish` until identity resolves, `flush_pending_registrations!`
+- Identity provider auto-registration during phased extension load (`identity_provider?` duck-type check)
+- `GET /api/identity/audit` route with principal and duration filtering
+- `legion doctor` checks: `ApiBindCheck` (non-loopback without auth), `ModeCheck` (no explicit process.mode)
+
+### Changed
+- `Readiness.status` upgraded to `Concurrent::Hash` for thread safety; `:identity` added to `COMPONENTS`
+- `READONLY_SECTIONS` extended with `:identity`, `:rbac`, `:api`
+- Default API bind changed from `0.0.0.0` to `127.0.0.1`
+- `ProcessRole` delegates `.current` to `Mode.current`; added `:agent` and `:infra` role entries
+- `lite_mode?` delegates to `Mode.lite?`
+- Reload path adds `Identity::Process.refresh_credentials` after transport reconnect
+- Shutdown adds cooperative `Identity::Broker.shutdown` and JWKS background refresh stop
+
 ## [1.7.19] - 2026-04-06
 
 ### Added

data/CLAUDE.md

@@ -9,7 +9,7 @@ The primary gem for the LegionIO framework. An extensible async job engine for s
 
 **GitHub**: https://github.com/LegionIO/LegionIO
 **Gem**: `legionio`
-**Version**: 1.7.18
+**Version**: 1.7.21
 **License**: Apache-2.0
 **Docker**: `legionio/legion`
 **Ruby**: >= 3.4

data/README.md

@@ -8,13 +8,13 @@ Schedule tasks, chain services into dependency graphs, run them concurrently via
          ╭──────────────────────────────────────╮
          │           L E G I O N I O            │
          │                                      │
-         │   280+ extensions  ·  58 MCP tools   │
+         │   280+ extensions  ·  60 MCP tools   │
          │   AI chat CLI  ·  REST API  ·  HA    │
          │   cognitive architecture  ·  Vault    │
          ╰──────────────────────────────────────╯
 ```
 
-**Ruby >= 3.4** | **v1.6.20** | **Apache-2.0** | [@Esity](https://github.com/Esity)
+**Ruby >= 3.4** | **v1.7.21** | **Apache-2.0** | [@Esity](https://github.com/Esity)
 
 ---
 
@@ -33,7 +33,7 @@ When A completes, B runs. B triggers C, D, and E in parallel. Conditions gate ex
 But that's just the foundation. LegionIO is also:
 
 - **An AI coding assistant** — interactive chat with tools, code review, commit messages, PR generation, and multi-agent workflows
-- **An MCP server** — 58 tools that let any AI agent run tasks, manage extensions, and query your infrastructure
+- **An MCP server** — 60 tools that let any AI agent run tasks, manage extensions, and query your infrastructure
 - **A cognitive computing platform** — 242 brain-modeled extensions across 18 cognitive domains
 - **A digital worker platform** — AI-as-labor with governance, risk tiers, and cost tracking
 
@@ -359,7 +359,7 @@ legion mcp http           # streamable HTTP on localhost:9393
 legion mcp http --port 8080 --host 0.0.0.0
 ```
 
-**58 tools** in the `legion.*` namespace:
+**60 tools** in the `legion.*` namespace:
 
 | Category | Tools |
 |----------|-------|

data/lib/legion/api/default_settings.rb

@@ -9,7 +9,7 @@ module Legion
         {
           enabled:         true,
           port:            4567,
-          bind:            '0.0.0.0',
+          bind:            '127.0.0.1',
           puma:            puma_defaults,
           bind_retries:    3,
           bind_retry_wait: 2,

data/lib/legion/api/identity_audit.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module IdentityAudit
+        def self.registered(app)
+          app.helpers IdentityAuditHelpers
+
+          app.get '/api/identity/audit' do
+            halt 503, json_error('unavailable', 'audit records not available') unless defined?(Legion::Data::Model::AuditRecord)
+
+            dataset = Legion::Data::Model::AuditRecord.where(entity_type: 'identity')
+
+            principal = params[:principal]
+            dataset = dataset.where(Sequel.lit("metadata->>'principal' = ?", principal)) if principal
+
+            since = params[:since]
+            if since
+              duration = parse_since_duration(since)
+              dataset = dataset.where { created_at >= Time.now - duration } if duration
+            end
+
+            records = dataset.order(Sequel.desc(:created_at)).limit(100).all
+            json_collection(records.map do |r|
+              { id: r.id, action: r.action, entity_type: r.entity_type, metadata: r.parsed_metadata, created_at: r.created_at }
+            end)
+          end
+        end
+
+        module IdentityAuditHelpers
+          def parse_since_duration(value)
+            return nil unless value.is_a?(String)
+
+            case value
+            when /\A(\d+)h\z/ then Regexp.last_match(1).to_i * 3600
+            when /\A(\d+)m\z/ then Regexp.last_match(1).to_i * 60
+            when /\A(\d+)s\z/ then Regexp.last_match(1).to_i
+            when /\A(\d+)d\z/ then Regexp.last_match(1).to_i * 86_400
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/settings.rb

@@ -5,7 +5,7 @@ module Legion
     module Routes
       module Settings
         SENSITIVE_KEYS = %i[password secret token key cert private_key api_key].freeze
-        READONLY_SECTIONS = %i[crypt transport].freeze
+        READONLY_SECTIONS = %i[crypt transport identity rbac api].freeze
 
         def self.registered(app)
           app.get '/api/settings' do

data/lib/legion/api.rb

@@ -60,6 +60,7 @@ require_relative 'api/tbi_patterns'
 require_relative 'api/webhooks'
 require_relative 'api/tenants'
 require_relative 'api/inbound_webhooks'
+require_relative 'api/identity_audit'
 require_relative 'api/graphql' if defined?(GraphQL)
 
 module Legion
@@ -216,6 +217,7 @@ module Legion
     register Routes::Webhooks
     register Routes::Tenants
     register Routes::InboundWebhooks
+    register Routes::IdentityAudit
     register Routes::GraphQL if defined?(Routes::GraphQL)
 
     use Legion::API::Middleware::RequestLogger

data/lib/legion/cli/doctor/api_bind_check.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Legion
+  module CLI
+    class Doctor
+      class ApiBindCheck
+        LOOPBACK_BINDS = %w[127.0.0.1 ::1 localhost].freeze
+
+        def name
+          'API bind address'
+        end
+
+        def run
+          return skip_result unless defined?(Legion::Settings)
+
+          api_settings = Legion::Settings[:api]
+          return skip_result unless api_settings.is_a?(Hash)
+
+          bind = api_settings[:bind]
+          return skip_result if bind.nil?
+
+          if LOOPBACK_BINDS.include?(bind)
+            Result.new(
+              name:    name,
+              status:  :pass,
+              message: "API bound to loopback (#{bind})"
+            )
+          elsif api_settings.dig(:auth, :enabled) == true
+            Result.new(
+              name:    name,
+              status:  :pass,
+              message: "API bound to #{bind} with auth enabled"
+            )
+          else
+            Result.new(
+              name:         name,
+              status:       :warn,
+              message:      "API bound to non-loopback address (#{bind}) without explicit auth configuration",
+              prescription: "Set api.auth.enabled: true or change api.bind to '127.0.0.1'"
+            )
+          end
+        end
+
+        private
+
+        def skip_result
+          Result.new(
+            name:    name,
+            status:  :pass,
+            message: 'API settings not loaded'
+          )
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli/doctor/mode_check.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Legion
+  module CLI
+    class Doctor
+      class ModeCheck
+        def name
+          'Process mode'
+        end
+
+        def run
+          unless defined?(Legion::Settings)
+            return Result.new(
+              name:    name,
+              status:  :pass,
+              message: 'Settings not loaded'
+            )
+          end
+
+          explicit_mode = Legion::Settings.dig(:process, :mode) || Legion::Settings[:mode]
+
+          if explicit_mode
+            Result.new(
+              name:    name,
+              status:  :pass,
+              message: "Explicit process mode configured: #{explicit_mode}"
+            )
+          else
+            Result.new(
+              name:         name,
+              status:       :warn,
+              message:      'No explicit process.mode configured (defaulting to agent)',
+              prescription: 'Set {"process": {"mode": "agent"}} in settings to prepare for Phase 9 default change to worker'
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli/doctor_command.rb

@@ -17,6 +17,8 @@ module Legion
       autoload :PidCheck,         'legion/cli/doctor/pid_check'
       autoload :PermissionsCheck, 'legion/cli/doctor/permissions_check'
       autoload :TlsCheck,         'legion/cli/doctor/tls_check'
+      autoload :ApiBindCheck,     'legion/cli/doctor/api_bind_check'
+      autoload :ModeCheck,        'legion/cli/doctor/mode_check'
 
       def self.exit_on_failure?
         true
@@ -37,6 +39,8 @@ module Legion
         PidCheck
         PermissionsCheck
         TlsCheck
+        ApiBindCheck
+        ModeCheck
       ].freeze
 
       # Weights: security > connectivity > convenience

data/lib/legion/extensions.rb

@@ -22,6 +22,7 @@ module Legion
         @actors = []
         @running_instances = Concurrent::Array.new
         @loaded_extensions = []
+        @pending_registrations = Concurrent::Array.new
 
         find_extensions
 
@@ -106,6 +107,21 @@ module Legion
         Legion::Logging.info "Successfully shut down all actors (#{(Time.now - shutdown_start).round(1)}s)"
       end
 
+      def flush_pending_registrations!
+        return if @pending_registrations.nil? || @pending_registrations.empty?
+
+        registrations = @pending_registrations
+        count = registrations.size
+        @pending_registrations = nil
+
+        registrations.each do |registration|
+          registration.publish
+        rescue StandardError => e
+          Legion::Logging.warn "[Extensions] flush registration failed: #{e.message}" if defined?(Legion::Logging)
+        end
+        Legion::Logging.info "[Extensions] flushed #{count} pending registrations" if defined?(Legion::Logging)
+      end
+
       def pause_actors
         @running_instances&.each do |inst|
           timer = inst.instance_variable_get(:@timer)
@@ -253,8 +269,15 @@ module Legion
         has_logger = extension.respond_to?(:log)
         extension.autobuild
 
+        register_identity_provider(extension, entry) if identity_provider?(extension)
+
         require 'legion/transport/messages/lex_register'
-        Legion::Transport::Messages::LexRegister.new(function: 'save', opts: extension.runners).publish
+        registration = Legion::Transport::Messages::LexRegister.new(function: 'save', opts: extension.runners)
+        if @pending_registrations
+          @pending_registrations << registration
+        else
+          registration.publish
+        end
 
         register_capabilities(entry[:gem_name], extension.runners) if extension.respond_to?(:runners)
         write_lex_cli_manifest(entry, extension)
@@ -405,6 +428,39 @@ module Legion
 
       private
 
+      def identity_provider?(extension)
+        extension.respond_to?(:provider_name) &&
+          extension.respond_to?(:provider_type) &&
+          extension.respond_to?(:facing)
+      end
+
+      def register_identity_provider(extension, entry)
+        return unless defined?(Legion::Data) && Legion::Data.connected?
+        return unless defined?(Legion::Data::Model::IdentityProvider)
+
+        name = extension.provider_name.to_s
+        attrs = {
+          provider_type: extension.provider_type.to_s,
+          facing:        extension.facing.to_s,
+          priority:      extension.respond_to?(:priority) ? extension.priority : 100,
+          trust_weight:  extension.respond_to?(:trust_weight) ? extension.trust_weight : 50,
+          capabilities:  extension.respond_to?(:capabilities) ? Array(extension.capabilities).map(&:to_s) : [],
+          source:        'gem',
+          enabled:       true
+        }
+
+        existing = Legion::Data::Model::IdentityProvider.where(name: name).first
+        if existing
+          diverged = attrs.any? { |k, v| existing.send(k).to_s != v.to_s }
+          Legion::Logging.info "[identity][provider] name=#{name} source=db/gem diverged=#{diverged}" if defined?(Legion::Logging)
+        else
+          Legion::Data::Model::IdentityProvider.insert_conflict(target: :name, update: attrs).insert(attrs.merge(name: name))
+          Legion::Logging.info "[identity][provider] name=#{name} registered" if defined?(Legion::Logging)
+        end
+      rescue StandardError => e
+        Legion::Logging.warn "[identity][provider] registration failed for #{entry[:gem_name]}: #{e.message}" if defined?(Legion::Logging)
+      end
+
       def write_lex_cli_manifest(entry, extension)
         require 'legion/cli/lex_cli_manifest'
 

data/lib/legion/identity/broker.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require 'concurrent'
+
+module Legion
+  module Identity
+    module Broker
+      GROUPS_CACHE_TTL = 60
+
+      class << self
+        def token_for(provider_name)
+          renewer = renewers[provider_name.to_sym]
+          return nil unless renewer
+
+          lease = renewer.current_lease
+          lease&.valid? ? lease.token : nil
+        end
+
+        def credentials_for(provider_name, service: nil)
+          renewer = renewers[provider_name.to_sym]
+          return nil unless renewer
+
+          lease = renewer.current_lease
+          return nil unless lease&.valid?
+
+          { token: lease.token, provider: provider_name.to_sym, service: service, lease: lease }
+        end
+
+        def register_provider(provider_name, provider:, lease:)
+          name = provider_name.to_sym
+          renewers[name]&.stop!
+          renewers[name] = LeaseRenewer.new(
+            provider_name: name,
+            provider:      provider,
+            lease:         lease
+          )
+        end
+
+        def authenticated?
+          Identity::Process.resolved?
+        end
+
+        def groups
+          cached = @groups_cache&.get
+          return cached[:groups] if cached && (Time.now - cached[:fetched_at]) < GROUPS_CACHE_TTL
+
+          if @groups_fetch_in_progress.make_true
+            begin
+              fetched = fetch_groups
+              @groups_cache.set({ groups: fetched, fetched_at: Time.now })
+              fetched
+            ensure
+              @groups_fetch_in_progress.make_false
+            end
+          else
+            loop do
+              current = @groups_cache&.get
+              return current[:groups] if current
+
+              break unless @groups_fetch_in_progress.true?
+
+              sleep(0.01)
+            end
+
+            cached ? cached[:groups] : []
+          end
+        end
+
+        def invalidate_groups_cache!
+          @groups_cache.set(nil)
+        end
+
+        def emails
+          process_state = Identity::Process.identity_hash
+          metadata = process_state[:metadata] || {}
+          Array(metadata[:emails])
+        end
+
+        def providers
+          renewers.keys
+        end
+
+        def leases
+          renewers.transform_values { |r| r.current_lease&.to_h }
+        end
+
+        def shutdown
+          renewers.each_value do |r|
+            r.stop!
+          rescue Exception # rubocop:disable Lint/RescueException
+            nil
+          end
+          renewers.clear
+        end
+
+        def reset!
+          shutdown
+          @groups_cache = Concurrent::AtomicReference.new(nil)
+          @groups_fetch_in_progress = Concurrent::AtomicBoolean.new(false)
+        end
+
+        private
+
+        def renewers
+          @renewers ||= Concurrent::Hash.new
+        end
+
+        def fetch_groups
+          process_groups = Identity::Process.identity_hash[:groups]
+          return process_groups if process_groups && !process_groups.empty?
+
+          return db_groups if db_available?
+
+          []
+        end
+
+        def db_groups
+          return [] unless defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+
+          model = begin
+            Legion::Data::Model::IdentityGroupMembership
+          rescue StandardError
+            nil
+          end
+          return [] unless model
+
+          principal_id = Identity::Process.id
+          memberships = model.where(principal_id: principal_id, status: 'active').all
+          memberships.filter_map do |m|
+            m.group.name
+          rescue StandardError
+            nil
+          end
+        rescue StandardError => e
+          log_warn("Broker.db_groups failed: #{e.message}")
+          []
+        end
+
+        def db_available?
+          defined?(Legion::Data) &&
+            Legion::Data.respond_to?(:connected?) &&
+            Legion::Data.connected?
+        end
+
+        def log_warn(message)
+          if defined?(Legion::Logging) && Legion::Logging.respond_to?(:warn)
+            Legion::Logging.warn("[Identity::Broker] #{message}")
+          else
+            $stderr.puts "[Identity::Broker] #{message}" # rubocop:disable Style/StderrPuts
+          end
+        end
+      end
+
+      # Initialize atomics at module definition time
+      @groups_cache = Concurrent::AtomicReference.new(nil)
+      @groups_fetch_in_progress = Concurrent::AtomicBoolean.new(false)
+    end
+  end
+end

data/lib/legion/identity/lease.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Legion
+  module Identity
+    class Lease
+      attr_reader :provider, :credential, :lease_id, :expires_at, :renewable, :issued_at, :metadata
+
+      def initialize(provider:, credential:, lease_id: nil, expires_at: nil, renewable: false, issued_at: nil, metadata: {}) # rubocop:disable Metrics/ParameterLists
+        @provider = provider
+        @credential = credential
+        @lease_id = lease_id
+        @expires_at = expires_at
+        @renewable = renewable
+        @issued_at = issued_at || Time.now
+        @metadata = metadata.freeze
+      end
+
+      def token
+        credential
+      end
+
+      def expired?
+        return false if expires_at.nil?
+
+        Time.now >= expires_at
+      end
+
+      def stale?
+        return false if expires_at.nil? || issued_at.nil?
+
+        elapsed = Time.now - issued_at
+        total = expires_at - issued_at
+        return false if total <= 0
+
+        elapsed >= (total * 0.5)
+      end
+
+      def ttl_seconds
+        return nil if expires_at.nil?
+
+        remaining = expires_at - Time.now
+        remaining.negative? ? 0 : remaining.to_i
+      end
+
+      def valid?
+        !credential.nil? && !expired?
+      end
+
+      def to_h
+        {
+          provider:   provider,
+          lease_id:   lease_id,
+          expires_at: expires_at&.iso8601,
+          renewable:  renewable,
+          issued_at:  issued_at&.iso8601,
+          ttl:        ttl_seconds,
+          valid:      valid?,
+          metadata:   metadata
+        }
+      end
+    end
+  end
+end