legionio 1.7.24 → 1.7.26

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e469923d32f8ead43a892e473c93737139885622f40683a63aa0a757a0c282d
-  data.tar.gz: 2e88c8468007f617c075178410da534337931e37a3c50fb11a67fa3801807689
+  metadata.gz: 010545b8c47b9d866f1f5da8597e82f2e94bcd7c2a065f8aa97a9383f34325df
+  data.tar.gz: 7e75584a9fdf08247ec2e8834584a25499f1150814d6888701adea1689a85c37
 SHA512:
-  metadata.gz: 4d7cd5a0513e26ca92bf5b909ac924a7041bbe2b74602d6a552357d155f9101c0d81b75c6d4db0c06b9748b08fd174363ad7d26ffa021f82001923d428ecd5ec
-  data.tar.gz: 252dc15217cf3d320fa9f96703967d9c9320f2d3e26d18d91c992a8819dbf34ced50eca926ddcba0a3c2be1a74619d3f6106d20ca9f09919ba6c32901b8d5197
+  metadata.gz: 582fd272567d6bcca36b3d9fa8eff39b123f8c664f557a3a26d832bde3756e9c5d32d94693533d31d6231ff9d3f77201d067c3b8e26c9fd416888245993c0dc7
+  data.tar.gz: fc1f7f556c6f7cb5c4a24b8733fc23032a3cc54561ccb0d40fba8189190a424e58c84412824d5e195c870b05015ecc93f398fd74948f8fce837f842a63641e41

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Legion Changelog
 
+## [1.7.26] - 2026-04-07
+
+### Added
+- Phase 5 Credential Scoping — service.rb integration (§8 of `docs/plans/2026-04-07-credential-scoping-design.md`)
+- Boot: call `Legion::Crypt.fetch_bootstrap_rmq_creds` after `Crypt.start` to acquire short-lived bootstrap RMQ credentials from Vault before transport connects (no-op when `dynamic_rmq_creds: false`)
+- `setup_identity`: after identity resolves, call `Legion::Crypt.swap_to_identity_creds(mode:)` to swap from bootstrap to identity-scoped RMQ credentials — gated on `vault_connected? && dynamic_rmq_creds? && !lite?`; fallback identity still gets scoped creds
+- `shutdown`: call `Legion::Crypt.revoke_bootstrap_lease` before Crypt shutdown for defense-in-depth lease cleanup
+- `reload`: call `fetch_bootstrap_rmq_creds` after Crypt.start, `resolve_secrets!` after settings reload, and `setup_identity` (replacing static `mark_ready(:identity)`) so reloaded processes acquire identity-scoped credentials
+- Specs for all Phase 5 service.rb integration paths: boot credential fetch, identity swap per mode, vault/flag/lite guards, swap failure recovery, shutdown revocation, reload credential flow
+
+## [1.7.25] - 2026-04-06
+
+### Added
+- Wire Format Phase 3 Group 2: `Identity::Request::SOURCE_NORMALIZATION` constant — maps middleware-emitted source values (`:api_key`, `:local`, `:jwt`, `:kerberos`, `:system`) to canonical credential enum at `from_auth_context` construction time
+- Wire Format Phase 3 Group 2: `response_meta` in `API::Helpers` now includes `caller` block (`canonical_name`, `kind`, `source`) when the request is authenticated and `env['legion.principal']` is set by `Identity::Middleware`
+- Wire Format Phase 3 Group 2: `POST /api/llm/inference` wires `to_caller_hash` from the authenticated principal into the pipeline `caller:` field, replacing the hardcoded `{ type: :user, credential: :api }` fallback
+
 ## [1.7.24] - 2026-04-06
 
 ### Fixed

data/lib/legion/api/default_settings.rb

@@ -13,7 +13,8 @@ module Legion
           puma:            puma_defaults,
           bind_retries:    3,
           bind_retry_wait: 2,
-          tls:             tls_defaults
+          tls:             tls_defaults,
+          elastic_apm:     elastic_apm_defaults
         }
       end
 
@@ -31,6 +32,33 @@ module Legion
           enabled: false
         }
       end
+
+      def self.elastic_apm_defaults
+        {
+          enabled:                  false,
+          server_url:               'http://localhost:8200',
+          api_key:                  nil,
+          secret_token:             nil,
+          api_buffer_size:          256,
+          api_request_size:         '750kb',
+          api_request_time:         '10s',
+          capture_body:             'off',
+          capture_headers:          true,
+          capture_env:              true,
+          disable_send:             false,
+          environment:              nil,
+          hostname:                 nil,
+          ignore_url_patterns:      %w[/api/health /api/ready],
+          pool_size:                1,
+          service_name:             'LegionIO',
+          service_node_name:        nil,
+          service_version:          nil,
+          sample_rate:              1.0,
+          verify_server_cert:       true,
+          central_config:           true,
+          span_frames_min_duration: '5ms'
+        }
+      end
     end
   end
 end

data/lib/legion/api/helpers.rb

@@ -173,10 +173,23 @@ module Legion
       private
 
       def response_meta
-        {
+        meta = {
           timestamp: Time.now.utc.iso8601,
           node:      Legion::Settings[:client][:name]
         }
+
+        if authenticated? && defined?(Legion::Identity::Request)
+          req = env['legion.principal']
+          if req
+            meta[:caller] = {
+              canonical_name: req.canonical_name,
+              kind:           req.kind,
+              source:         req.source
+            }
+          end
+        end
+
+        meta
       end
 
       def page_limit

data/lib/legion/api/llm.rb

@@ -280,12 +280,19 @@ module Legion
             require 'legion/llm/pipeline/request' unless defined?(Legion::LLM::Pipeline::Request)
             require 'legion/llm/pipeline/executor' unless defined?(Legion::LLM::Pipeline::Executor)
 
+            principal  = defined?(Legion::Identity::Request) && env['legion.principal']
+            caller_ctx = if principal
+                           principal.to_caller_hash
+                         else
+                           { requested_by: { identity: caller_identity, type: :user, credential: :api } }
+                         end
+
             req = Legion::LLM::Pipeline::Request.build(
               messages:        messages,
               system:          body[:system],
               routing:         { provider: provider, model: model },
               tools:           tool_classes,
-              caller:          { requested_by: { identity: caller_identity, type: :user, credential: :api } },
+              caller:          caller_ctx,
               conversation_id: body[:conversation_id],
               metadata:        { requested_tools: requested_tools },
               stream:          streaming,

data/lib/legion/api/middleware/request_logger.rb

@@ -49,6 +49,25 @@ module Legion
           parts << "query=#{query}" if query
           parts.join(' ')
         end
+
+        def peek_body(env)
+          input = env['rack.input']
+          return '-' unless input.respond_to?(:read) && input.respond_to?(:rewind)
+
+          begin
+            input.rewind
+            raw = input.read(1024)
+            raw.to_s.gsub(/\s+/, ' ')[0, 512]
+          rescue StandardError
+            '-'
+          ensure
+            begin
+              input.rewind
+            rescue StandardError
+              nil
+            end
+          end
+        end
       end
     end
   end

data/lib/legion/api.rb

@@ -222,5 +222,7 @@ module Legion
 
     use Legion::API::Middleware::RequestLogger
     use Legion::Rbac::Middleware if defined?(Legion::Rbac::Middleware)
+    use ElasticAPM::Middleware if defined?(ElasticAPM::Middleware) &&
+                                  Legion::Settings.dig(:api, :elastic_apm, :enabled)
   end
 end

data/lib/legion/identity/request.rb

@@ -3,6 +3,19 @@
 module Legion
   module Identity
     class Request
+      # Maps middleware-emitted source values to the canonical credential enum.
+      # :local is emitted by Middleware#system_principal for unauthenticated loopback
+      # requests and must normalize to :system to maintain audit trail consistency.
+      # :jwt is intentionally kept distinct — JWT is the transport, not the provider.
+      # Entra-specific identification requires issuer inspection (Phase 7 concern).
+      SOURCE_NORMALIZATION = {
+        api_key:  :api,
+        jwt:      :jwt,
+        kerberos: :kerberos,
+        local:    :system,
+        system:   :system
+      }.freeze
+
       attr_reader :principal_id, :canonical_name, :kind, :groups, :source, :metadata
 
       def initialize(principal_id:, canonical_name:, kind:, groups: [], source: nil, metadata: {}) # rubocop:disable Metrics/ParameterLists
@@ -10,7 +23,7 @@ module Legion
         @canonical_name = canonical_name
         @kind           = kind
         @groups         = groups.freeze
-        @source         = source
+        @source         = SOURCE_NORMALIZATION.fetch(source&.to_sym, source)
         @metadata       = metadata.freeze
         freeze
       end
@@ -23,16 +36,19 @@ module Legion
 
       # Builds a Request from a parsed auth claims hash with symbol keys:
       #   { sub:, name:, preferred_username:, kind:, groups:, source: }
+      # The source value is normalized via SOURCE_NORMALIZATION at construction time.
       def self.from_auth_context(claims_hash)
         raw_name = claims_hash[:name] || claims_hash[:preferred_username] || ''
         canonical = raw_name.to_s.strip.downcase.gsub('.', '-')
+        raw_source = claims_hash[:source]&.to_sym
+        normalized_source = SOURCE_NORMALIZATION.fetch(raw_source, raw_source)
 
         new(
           principal_id:   claims_hash[:sub],
           canonical_name: canonical,
           kind:           claims_hash[:kind] || :human,
           groups:         claims_hash[:groups] || [],
-          source:         claims_hash[:source]
+          source:         normalized_source
         )
       end
 

data/lib/legion/service.rb

@@ -56,6 +56,9 @@ module Legion
         Legion::Crypt.start
         Legion::Readiness.mark_ready(:crypt)
         setup_mtls_rotation
+        # Phase 5: fetch short-lived bootstrap RMQ creds from Vault before transport connects.
+        # Service is the authoritative gate (vault_connected? + dynamic_rmq_creds?).
+        fetch_phase5_bootstrap_creds unless Legion::Mode.respond_to?(:lite?) && Legion::Mode.lite?
       end
 
       Legion::Settings.resolve_secrets!
@@ -327,21 +330,12 @@ module Legion
     end
 
     def setup_apm
-      apm_settings = Legion::Settings[:apm] || {}
+      apm_settings = Legion::Settings.dig(:api, :elastic_apm) || {}
       return unless apm_settings[:enabled]
 
       require 'elastic-apm'
 
-      config = {
-        service_name:            apm_settings[:service_name] || "legion-#{Legion::Settings[:client][:name]}",
-        server_url:              apm_settings[:server_url] || 'http://localhost:8200',
-        environment:             apm_settings[:environment] || Legion::Settings[:environment] || 'development',
-        secret_token:            apm_settings[:secret_token],
-        api_key:                 apm_settings[:api_key],
-        log_level:               apm_settings[:log_level]&.to_sym || Logger::WARN,
-        transaction_sample_rate: apm_settings[:sample_rate] || 1.0
-      }.compact
-
+      config = build_apm_config(apm_settings)
       ElasticAPM.start(**config)
       @apm_running = true
       log.info "Elastic APM started: server=#{config[:server_url]} service=#{config[:service_name]}"
@@ -489,7 +483,7 @@ module Legion
       log.info 'Legion::Transport connected'
     end
 
-    def setup_identity
+    def setup_identity # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
       require_relative 'identity/process'
       require_relative 'identity/broker'
       require_relative 'identity/lease'
@@ -504,6 +498,18 @@ module Legion
         log.info "[Identity] fallback identity: #{Legion::Identity::Process.canonical_name}"
       end
 
+      # Phase 5: Swap from bootstrap RMQ credentials to identity-scoped credentials.
+      # Gate on vault_connected? + dynamic_rmq_creds? — NOT on resolved? (fallback identity
+      # still needs scoped creds via the mode-based role).
+      if defined?(Legion::Crypt) &&
+         Legion::Crypt.respond_to?(:vault_connected?) && Legion::Crypt.vault_connected? &&
+         Legion::Crypt.respond_to?(:dynamic_rmq_creds?) && Legion::Crypt.dynamic_rmq_creds? &&
+         Legion::Crypt.respond_to?(:swap_to_identity_creds) &&
+         !Legion::Mode.lite?
+        log.info '[Identity] swapping to identity-scoped RMQ credentials'
+        Legion::Crypt.swap_to_identity_creds(mode: Legion::Mode.current)
+      end
+
       # Re-resolve secrets for any identity-scoped lease:// refs (task 2.25)
       Legion::Settings.resolve_secrets! if Legion::Settings.respond_to?(:resolve_secrets!)
 
@@ -711,7 +717,7 @@ module Legion
       handle_exception(e, level: :warn, operation: 'service.shutdown_api')
     end
 
-    def shutdown # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def shutdown # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Metrics/MethodLength
       log.info('Legion::Service.shutdown was called')
       @shutdown = true
       Legion::Settings[:client][:shutting_down] = true
@@ -776,7 +782,12 @@ module Legion
       Legion::Readiness.mark_not_ready(:transport)
 
       shutdown_mtls_rotation
-      shutdown_component('Crypt') { Legion::Crypt.shutdown }
+      # Phase 5: Revoke bootstrap RMQ lease on clean shutdown (defense-in-depth;
+      # lease expires naturally if process crashes before identity swap).
+      shutdown_component('Crypt bootstrap lease') do
+        Legion::Crypt.revoke_bootstrap_lease if defined?(Legion::Crypt) && Legion::Crypt.respond_to?(:revoke_bootstrap_lease)
+      end
+      shutdown_component('Crypt') { Legion::Crypt.shutdown if defined?(Legion::Crypt) }
       Legion::Readiness.mark_not_ready(:crypt)
 
       Legion::Settings[:client][:ready] = false
@@ -816,7 +827,7 @@ module Legion
       shutdown_component('Transport') { Legion::Transport::Connection.shutdown }
       Legion::Readiness.mark_not_ready(:transport)
 
-      shutdown_component('Crypt') { Legion::Crypt.shutdown }
+      shutdown_component('Crypt') { Legion::Crypt.shutdown if defined?(Legion::Crypt) }
       Legion::Readiness.mark_not_ready(:crypt)
 
       Legion::Readiness.wait_until_not_ready(:transport, :data, :cache, :crypt)
@@ -825,7 +836,12 @@ module Legion
       Legion::Readiness.mark_ready(:settings)
 
       Legion::Crypt.start if defined?(Legion::Crypt)
-      Legion::Readiness.mark_ready(:crypt)
+      Legion::Readiness.mark_ready(:crypt) if defined?(Legion::Crypt)
+      # Phase 5: fetch bootstrap RMQ creds after Vault reconnects on reload.
+      fetch_phase5_bootstrap_creds unless Legion::Mode.lite?
+
+      # Resolve lease:// URIs with freshly loaded settings + new Vault token.
+      Legion::Settings.resolve_secrets! if Legion::Settings.respond_to?(:resolve_secrets!)
 
       setup_transport
       Legion::Readiness.mark_ready(:transport)
@@ -867,7 +883,9 @@ module Legion
         Legion::Readiness.mark_skipped(:gaia)
       end
 
-      Legion::Readiness.mark_ready(:identity)
+      # Phase 5: re-run identity resolution + credential swap so the reloaded
+      # process gets identity-scoped RMQ creds (not stale bootstrap creds).
+      setup_identity
 
       setup_supervision
       load_extensions
@@ -877,7 +895,7 @@ module Legion
 
       register_core_tools
 
-      Legion::Crypt.cs
+      Legion::Crypt.cs if defined?(Legion::Crypt)
       setup_apm if @api_enabled
       setup_api if @api_enabled
 
@@ -1036,6 +1054,18 @@ module Legion
 
     private
 
+    # Phase 5: fetch short-lived bootstrap RMQ credentials from Vault.
+    # Called after Crypt.start (boot) and after Crypt.start (reload).
+    # Service owns the gate so Crypt.fetch_bootstrap_rmq_creds can be unconditional.
+    def fetch_phase5_bootstrap_creds
+      return unless defined?(Legion::Crypt)
+      return unless Legion::Crypt.respond_to?(:fetch_bootstrap_rmq_creds)
+      return unless Legion::Crypt.respond_to?(:vault_connected?) && Legion::Crypt.vault_connected?
+      return unless Legion::Crypt.respond_to?(:dynamic_rmq_creds?) && Legion::Crypt.dynamic_rmq_creds?
+
+      Legion::Crypt.fetch_bootstrap_rmq_creds
+    end
+
     def resolve_identity_providers
       # Phase 4 adds lex-identity-* providers. For now, check if any are loaded.
       return false unless defined?(Legion::Extensions)
@@ -1145,6 +1175,35 @@ module Legion
       }.compact
     end
 
+    def build_apm_config(apm)
+      {
+        server_url:               apm[:server_url] || 'http://localhost:8200',
+        api_key:                  apm[:api_key],
+        secret_token:             apm[:secret_token],
+        api_buffer_size:          apm[:api_buffer_size] || 256,
+        api_request_size:         apm[:api_request_size] || '750kb',
+        api_request_time:         apm[:api_request_time] || '10s',
+        capture_body:             apm.fetch(:capture_body, 'off'),
+        capture_headers:          apm.fetch(:capture_headers, true),
+        capture_env:              apm.fetch(:capture_env, true),
+        disable_send:             apm.fetch(:disable_send, false),
+        environment:              apm[:environment] || Legion::Settings[:environment] || 'development',
+        framework_name:           'LegionIO',
+        framework_version:        Legion::VERSION,
+        hostname:                 apm[:hostname] || Legion::Settings[:client][:name],
+        ignore_url_patterns:      apm[:ignore_url_patterns] || %w[/api/health /api/ready],
+        logger:                   Legion::Logging.log,
+        pool_size:                apm[:pool_size] || 1,
+        service_name:             apm[:service_name] || 'LegionIO',
+        service_node_name:        apm[:service_node_name] || Legion::Settings[:client][:name],
+        service_version:          apm[:service_version] || Legion::VERSION,
+        transaction_sample_rate:  apm[:sample_rate] || 1.0,
+        verify_server_cert:       apm.fetch(:verify_server_cert, true),
+        central_config:           apm.fetch(:central_config, true),
+        span_frames_min_duration: apm[:span_frames_min_duration]
+      }.compact
+    end
+
     def ssl_server_settings(tls_cfg, bind, port)
       return {} unless tls_cfg
 

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.7.24'
+  VERSION = '1.7.26'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.7.24
+  version: 1.7.26
 platform: ruby
 authors:
 - Esity