legionio 1.7.19 → 1.7.21

data/lib/legion/service.rb

@@ -3,6 +3,7 @@
 require 'timeout'
 require 'legion/logging'
 require_relative 'readiness'
+require_relative 'mode'
 require_relative 'process_role'
 
 module Legion
@@ -101,7 +102,11 @@ module Legion
         end
       end
 
-      setup_rbac if data
+      if data
+        setup_rbac
+      else
+        Legion::Readiness.mark_skipped(:rbac)
+      end
       setup_cluster if data
 
       if llm
@@ -111,9 +116,13 @@ module Legion
         rescue LoadError => e
           handle_exception(e, level: :debug, operation: 'service.initialize.llm', availability: 'missing')
           log.info 'Legion::LLM gem is not installed'
+          Legion::Readiness.mark_skipped(:llm)
         rescue StandardError => e
           handle_exception(e, level: :warn, operation: 'service.initialize.llm')
+          Legion::Readiness.mark_skipped(:llm)
         end
+      else
+        Legion::Readiness.mark_skipped(:llm)
       end
 
       begin
@@ -122,8 +131,10 @@ module Legion
       rescue LoadError => e
         handle_exception(e, level: :debug, operation: 'service.initialize.apollo', availability: 'missing')
         log.info 'Legion::Apollo gem is not installed, starting without Apollo'
+        Legion::Readiness.mark_skipped(:apollo)
       rescue StandardError => e
         handle_exception(e, level: :warn, operation: 'service.initialize.apollo')
+        Legion::Readiness.mark_skipped(:apollo)
       end
 
       if gaia
@@ -133,9 +144,13 @@ module Legion
         rescue LoadError => e
           handle_exception(e, level: :debug, operation: 'service.initialize.gaia', availability: 'missing')
           log.info 'Legion::Gaia gem is not installed'
+          Legion::Readiness.mark_skipped(:gaia)
         rescue StandardError => e
           handle_exception(e, level: :warn, operation: 'service.initialize.gaia')
+          Legion::Readiness.mark_skipped(:gaia)
         end
+      else
+        Legion::Readiness.mark_skipped(:gaia)
       end
 
       setup_telemetry
@@ -149,6 +164,9 @@ module Legion
         setup_generated_functions
       end
 
+      # Identity resolution — after extensions so lex-identity-* providers are loaded
+      setup_identity if transport
+
       register_core_tools
 
       Legion::Gaia.registry&.rediscover if gaia && defined?(Legion::Gaia) && Legion::Gaia.started?
@@ -174,6 +192,7 @@ module Legion
       require 'legion/api/default_settings'
       api_settings = Legion::Settings[:api]
       @api_enabled = api && api_settings[:enabled]
+      setup_apm if @api_enabled
       setup_api if @api_enabled
       setup_network_watchdog
       Legion::Settings[:client][:ready] = true
@@ -204,8 +223,7 @@ module Legion
     end
 
     def lite_mode?
-      ENV['LEGION_MODE'] == 'lite' ||
-        Legion::Settings[:mode].to_s == 'lite'
+      Legion::Mode.lite?
     end
 
     def setup_data
@@ -229,8 +247,10 @@ module Legion
     rescue LoadError => e
       handle_exception(e, level: :debug, operation: 'service.setup_rbac', availability: 'missing')
       log.debug 'Legion::Rbac gem is not installed, starting without RBAC'
+      Legion::Readiness.mark_skipped(:rbac)
     rescue StandardError => e
       handle_exception(e, level: :warn, operation: 'service.setup_rbac')
+      Legion::Readiness.mark_skipped(:rbac)
     end
 
     def setup_cluster
@@ -306,6 +326,42 @@ module Legion
       )
     end
 
+    def setup_apm
+      apm_settings = Legion::Settings[:apm] || {}
+      return unless apm_settings[:enabled]
+
+      require 'elastic-apm'
+
+      config = {
+        service_name:            apm_settings[:service_name] || "legion-#{Legion::Settings[:client][:name]}",
+        server_url:              apm_settings[:server_url] || 'http://localhost:8200',
+        environment:             apm_settings[:environment] || Legion::Settings[:environment] || 'development',
+        secret_token:            apm_settings[:secret_token],
+        api_key:                 apm_settings[:api_key],
+        log_level:               apm_settings[:log_level]&.to_sym || Logger::WARN,
+        transaction_sample_rate: apm_settings[:sample_rate] || 1.0
+      }.compact
+
+      ElasticAPM.start(**config)
+      @apm_running = true
+      log.info "Elastic APM started: server=#{config[:server_url]} service=#{config[:service_name]}"
+    rescue LoadError => e
+      handle_exception(e, level: :debug, operation: 'service.setup_apm', availability: 'missing')
+      log.info 'elastic-apm gem is not installed, starting without APM'
+    rescue StandardError => e
+      handle_exception(e, level: :warn, operation: 'service.setup_apm')
+    end
+
+    def shutdown_apm
+      return unless @apm_running
+
+      ElasticAPM.stop if defined?(ElasticAPM) && ElasticAPM.running?
+      @apm_running = false
+      log.info 'Elastic APM stopped'
+    rescue StandardError => e
+      handle_exception(e, level: :warn, operation: 'service.shutdown_apm')
+    end
+
     def setup_api # rubocop:disable Metrics/MethodLength
       if @api_thread&.alive?
         log.warn 'API already running, skipping duplicate setup_api call'
@@ -344,6 +400,12 @@ module Legion
         log.info "Starting Legion API on #{bind}:#{port}"
       end
 
+      # Mount identity middleware — bridges legion.auth to legion.principal
+      if defined?(Legion::Identity::Middleware)
+        require_auth = Legion::Identity::Middleware.require_auth?(bind: bind, mode: Legion::Mode.current)
+        Legion::API.use Legion::Identity::Middleware, require_auth: require_auth
+      end
+
       @api_thread = Thread.new do
         retries = 0
         max_retries = api_settings[:bind_retries]
@@ -427,6 +489,45 @@ module Legion
       log.info 'Legion::Transport connected'
     end
 
+    def setup_identity
+      require_relative 'identity/process'
+      require_relative 'identity/broker'
+      require_relative 'identity/lease'
+      require_relative 'identity/lease_renewer'
+      require_relative 'identity/request'
+      require_relative 'identity/middleware'
+
+      # Resolve identity from available providers (Phase 4 adds real providers)
+      resolved = resolve_identity_providers
+      unless resolved
+        Legion::Identity::Process.bind_fallback!
+        log.info "[Identity] fallback identity: #{Legion::Identity::Process.canonical_name}"
+      end
+
+      # Re-resolve secrets for any identity-scoped lease:// refs (task 2.25)
+      Legion::Settings.resolve_secrets! if Legion::Settings.respond_to?(:resolve_secrets!)
+
+      # Fire-and-forget JWKS prefetch
+      jwks_url = Legion::Settings.dig(:identity, :jwks_endpoint) || Legion::Settings.dig(:crypt, :jwt, :jwks_endpoint)
+      if jwks_url && defined?(Legion::Crypt::JwksClient)
+        Legion::Crypt::JwksClient.prefetch!(jwks_url)
+        Legion::Crypt::JwksClient.start_background_refresh!(jwks_url)
+      end
+
+      log.info "[Identity] resolved=#{Legion::Identity::Process.resolved?} mode=#{Legion::Mode.current} queue_prefix=#{Legion::Identity::Process.queue_prefix}"
+    rescue StandardError => e
+      handle_exception(e, level: :warn, operation: 'service.setup_identity')
+      Legion::Identity::Process.bind_fallback! if defined?(Legion::Identity::Process) && !Legion::Identity::Process.resolved?
+    ensure
+      Legion::Readiness.mark_ready(:identity)
+      begin
+        Legion::Extensions.flush_pending_registrations! if defined?(Legion::Extensions) &&
+                                                           Legion::Extensions.respond_to?(:flush_pending_registrations!)
+      rescue StandardError => e
+        handle_exception(e, level: :warn, operation: 'service.setup_identity.flush_pending_registrations')
+      end
+    end
+
     def setup_logging_transport # rubocop:disable Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
       return unless defined?(Legion::Transport::Connection)
       return unless Legion::Transport::Connection.session_open?
@@ -610,7 +711,7 @@ module Legion
       handle_exception(e, level: :warn, operation: 'service.shutdown_api')
     end
 
-    def shutdown # rubocop:disable Metrics/CyclomaticComplexity
+    def shutdown # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
       log.info('Legion::Service.shutdown was called')
       @shutdown = true
       Legion::Settings[:client][:shutting_down] = true
@@ -619,6 +720,7 @@ module Legion
       shutdown_network_watchdog
       shutdown_audit_archiver
       shutdown_api
+      shutdown_apm
 
       Legion::Metrics.reset! if defined?(Legion::Metrics)
 
@@ -658,6 +760,17 @@ module Legion
       shutdown_component('Cache') { Legion::Cache.shutdown }
       Legion::Readiness.mark_not_ready(:cache)
 
+      # Identity: cooperative shutdown of Broker (stops all LeaseRenewer threads)
+      if defined?(Legion::Identity::Broker)
+        shutdown_component('Identity::Broker') { Legion::Identity::Broker.shutdown }
+        Legion::Readiness.mark_not_ready(:identity)
+      end
+
+      # Stop JWKS background refresh
+      if defined?(Legion::Crypt::JwksClient) && Legion::Crypt::JwksClient.respond_to?(:stop_background_refresh!)
+        Legion::Crypt::JwksClient.stop_background_refresh!
+      end
+
       teardown_logging_transport
       shutdown_component('Transport') { Legion::Transport::Connection.shutdown }
       Legion::Readiness.mark_not_ready(:transport)
@@ -679,6 +792,7 @@ module Legion
 
       shutdown_network_watchdog
       shutdown_api
+      shutdown_apm
 
       if defined?(Legion::Gaia) && Legion::Gaia.respond_to?(:started?) && Legion::Gaia.started?
         shutdown_component('Gaia') { Legion::Gaia.shutdown }
@@ -718,6 +832,8 @@ module Legion
       teardown_logging_transport
       setup_logging_transport
 
+      Legion::Identity::Process.refresh_credentials if defined?(Legion::Identity::Process)
+
       require 'legion/cache' unless defined?(Legion::Cache)
       Legion::Cache.setup
       Legion::Readiness.mark_ready(:cache)
@@ -725,19 +841,44 @@ module Legion
       setup_data
       Legion::Readiness.mark_ready(:data)
 
-      setup_rbac if defined?(Legion::Rbac)
-      setup_llm if defined?(Legion::LLM)
+      if defined?(Legion::Rbac)
+        setup_rbac
+      else
+        Legion::Readiness.mark_skipped(:rbac)
+      end
 
-      setup_gaia if defined?(Legion::Gaia)
-      Legion::Readiness.mark_ready(:gaia)
+      if defined?(Legion::LLM)
+        setup_llm
+      else
+        Legion::Readiness.mark_skipped(:llm)
+      end
+
+      if defined?(Legion::Apollo)
+        setup_apollo
+        Legion::Readiness.mark_ready(:apollo)
+      else
+        Legion::Readiness.mark_skipped(:apollo)
+      end
+
+      if defined?(Legion::Gaia)
+        setup_gaia
+        Legion::Readiness.mark_ready(:gaia)
+      else
+        Legion::Readiness.mark_skipped(:gaia)
+      end
+
+      Legion::Readiness.mark_ready(:identity)
 
       setup_supervision
       load_extensions
       Legion::Readiness.mark_ready(:extensions)
 
+      Legion::Extensions.flush_pending_registrations! if defined?(Legion::Extensions) && Legion::Extensions.respond_to?(:flush_pending_registrations!)
+
       register_core_tools
 
       Legion::Crypt.cs
+      setup_apm if @api_enabled
       setup_api if @api_enabled
 
       if defined?(Legion::MCP)
@@ -895,6 +1036,72 @@ module Legion
 
     private
 
+    def resolve_identity_providers
+      # Phase 4 adds lex-identity-* providers. For now, check if any are loaded.
+      return false unless defined?(Legion::Extensions)
+
+      providers = find_identity_providers
+      return false if providers.empty?
+
+      # Parallel resolution with 5s per-provider timeout (NO Timeout.timeout — uses future.value)
+      pool = Concurrent::FixedThreadPool.new([providers.size, 4].min)
+      futures = providers.map do |provider|
+        Concurrent::Promises.future_on(pool, provider, &:resolve)
+      end
+
+      winner_pair = providers.zip(futures).find do |_provider, future|
+        result = begin
+          future.value(5) # 5s timeout per provider
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'service.resolve_identity_providers.future')
+          nil
+        end
+        result.is_a?(Hash) && result[:canonical_name]
+      end
+
+      if winner_pair
+        provider, future = winner_pair
+        identity = future.value
+        Legion::Identity::Process.bind!(provider, identity)
+        log.info "[Identity] resolved via #{provider.class.name}: #{identity[:canonical_name]}"
+        true
+      else
+        false
+      end
+    rescue StandardError => e
+      handle_exception(e, level: :warn, operation: 'service.resolve_identity_providers')
+      false
+    ensure
+      pool&.shutdown
+      pool&.kill unless pool&.wait_for_termination(2)
+    end
+
+    def find_identity_providers
+      return [] unless defined?(Legion::Extensions)
+
+      collect_identity_providers(Legion::Extensions)
+    end
+
+    def collect_identity_providers(namespace, visited = Set.new)
+      return [] unless namespace.is_a?(Module)
+      return [] if visited.include?(namespace.object_id)
+
+      visited.add(namespace.object_id)
+      providers = []
+
+      namespace.constants(false).each do |const_name|
+        mod = namespace.const_get(const_name, false)
+        next unless mod.is_a?(Module)
+
+        providers << mod if mod.respond_to?(:resolve) && mod.respond_to?(:provider_name)
+        providers.concat(collect_identity_providers(mod, visited))
+      rescue StandardError
+        next
+      end
+
+      providers
+    end
+
     def bootstrap_log_level(cli_level)
       cli_level = nil if cli_level.respond_to?(:empty?) && cli_level.empty?
       return cli_level if cli_level

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.7.19'
+  VERSION = '1.7.21'
 end

data/lib/legion.rb

@@ -6,6 +6,7 @@ require 'securerandom'
 require 'legion/version'
 require 'legion/logging'
 require 'legion/events'
+require 'legion/mode'
 require 'legion/ingress'
 require 'legion/process'
 require 'legion/service'
@@ -18,6 +19,12 @@ module Legion
   autoload :Leader,  'legion/leader'
   autoload :Prompts, 'legion/prompts'
 
+  @instance_id = ENV.fetch('LEGIONIO_INSTANCE_ID') { SecureRandom.uuid }.downcase.strip.gsub(/[^a-z0-9-]/, '')
+
+  def self.instance_id
+    @instance_id
+  end
+
   attr_reader :service
 
   def self.start

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.7.19
+  version: 1.7.21
 platform: ruby
 authors:
 - Esity
@@ -490,6 +490,7 @@ files:
 - lib/legion/api/graphql/types/task_type.rb
 - lib/legion/api/graphql/types/worker_type.rb
 - lib/legion/api/helpers.rb
+- lib/legion/api/identity_audit.rb
 - lib/legion/api/inbound_webhooks.rb
 - lib/legion/api/knowledge.rb
 - lib/legion/api/lex_dispatch.rb
@@ -641,11 +642,13 @@ files:
 - lib/legion/cli/do_command.rb
 - lib/legion/cli/docs_command.rb
 - lib/legion/cli/doctor.rb
+- lib/legion/cli/doctor/api_bind_check.rb
 - lib/legion/cli/doctor/bundle_check.rb
 - lib/legion/cli/doctor/cache_check.rb
 - lib/legion/cli/doctor/config_check.rb
 - lib/legion/cli/doctor/database_check.rb
 - lib/legion/cli/doctor/extensions_check.rb
+- lib/legion/cli/doctor/mode_check.rb
 - lib/legion/cli/doctor/permissions_check.rb
 - lib/legion/cli/doctor/pid_check.rb
 - lib/legion/cli/doctor/rabbitmq_check.rb
@@ -841,6 +844,12 @@ files:
 - lib/legion/graph/exporter.rb
 - lib/legion/guardrails.rb
 - lib/legion/helpers/context.rb
+- lib/legion/identity/broker.rb
+- lib/legion/identity/lease.rb
+- lib/legion/identity/lease_renewer.rb
+- lib/legion/identity/middleware.rb
+- lib/legion/identity/process.rb
+- lib/legion/identity/request.rb
 - lib/legion/ingress.rb
 - lib/legion/isolation.rb
 - lib/legion/leader.rb
@@ -848,6 +857,7 @@ files:
 - lib/legion/lock.rb
 - lib/legion/memory/consolidator.rb
 - lib/legion/metrics.rb
+- lib/legion/mode.rb
 - lib/legion/notebook/generator.rb
 - lib/legion/notebook/parser.rb
 - lib/legion/notebook/renderer.rb