legionio 1.8.15 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e89dd57228cd0a6289346f6e88acc388a955843b32f7d7e2b77e1431b20bd67
-  data.tar.gz: 42d1ba78b03b822f55d1a961eed3ea4590ac80611c0002396ffd13172240595a
+  metadata.gz: 69a0d25a5f8ac2e2327e09ca2185099bd87e7b8575d8c941abc807a0b6c03dfb
+  data.tar.gz: f9cb3bcdb322e670a235cc7761e43377d11ed8fed8e7e34b235b8ff77773ef8a
 SHA512:
-  metadata.gz: 3e088fa7bf6bf5d5175b42d6b6e9a4c814a89d44d055713172de17d9b2344082f6ea05738092020b55f080d4bad55e984dc636ac437b82048a43444ba3e645da
-  data.tar.gz: b09b41ef56ba5d471594e7c83e422f53da41b3488816dabf0692456efccf246db61f35a5a5207fa8db8d879b1891fff1e4241b37fcf94865afc24820e4559858
+  metadata.gz: 2d7fe093823d8a62b3bbf31f1cb9733b18d56a208990f314e7b9c9ec9ec1b51af2faf18716b48032fd57039b71aec7f32629d0d2218a9500f4746c0525da432f
+  data.tar.gz: 51b33926ea63e730ee6407e61da81808bb058030fcb1f1f2d3cd87bcafe25b4c82b21d8a914dabb02771795329e601cc1d14f2b147efccc274895da78c11cfc0

data/CHANGELOG.md

@@ -2,6 +2,39 @@
 
 ## [Unreleased]
 
+## [1.9.0] - 2026-04-24
+
+### Added
+- `Legion::Identity::Resolver` — composite identity resolution chain with parallel provider execution, DB persistence, and transport event publishing
+- `Legion::Identity::Trust` — trust level enum (verified, authenticated, configured, cached, unverified)
+- `Legion::Identity::Grant` — frozen value object for credential access auditing
+- `Identity::Process` extended with trust, aliases, providers, profile composite state
+- `Identity::Broker` upgraded to `[provider, qualifier]` tuple-keyed multi-instance storage with `for_context` routing and bounded async audit queue
+- `Resolver.upgrade!` for post-boot identity trust escalation with canonical_name change support
+- Settings client name updated from resolved identity for correct queue naming
+
+### Changed
+- `setup_identity` gate relaxed to run with DB-only nodes (not just transport)
+- `register_credential_providers` gate relaxed for DB-only nodes
+- Reload lifecycle: `Resolver.reset!` preserves providers, re-resolves with existing registrations
+- Middleware `system_principal` uses Resolver identity when available
+
+### Fixed
+- `Request.from_auth_context` canonical normalization now matches DB constraint `^[a-z0-9][a-z0-9_-]*$`
+- `/api/identity/audit` reads from `identity_audit_log` table instead of `AuditRecord`
+
+### Removed
+- Legacy tree-walk identity discovery (`resolve_identity_providers`, `find_identity_providers`, `collect_identity_providers`)
+- `identity_provider?` and `register_identity_provider` from extensions.rb
+
+## [1.8.16] - 2026-04-22
+
+### Added
+- `legion mind-growth wire ID` CLI command — wires a built extension into the cognitive tick cycle via `Orchestrator.post_build_pipeline`; accepts `--phase` override option
+
+### Fixed
+- `MindGrowth#wire` rescue block now logs errors via `Legion::Logging.error` before displaying them, ensuring errors are captured in the daemon log and not only printed to the terminal
+
 ## [1.8.15] - 2026-04-22
 
 ### Fixed

data/lib/legion/api/identity_audit.rb

@@ -8,12 +8,23 @@ module Legion
           app.helpers IdentityAuditHelpers
 
           app.get '/api/identity/audit' do
-            halt 503, json_error('unavailable', 'audit records not available') unless defined?(Legion::Data::Model::AuditRecord)
+            require_data!
+            halt 503, json_error('unavailable', 'identity audit log not available') unless defined?(Legion::Data::Model::IdentityAuditLog)
 
-            dataset = Legion::Data::Model::AuditRecord.where(entity_type: 'identity')
+            dataset = Legion::Data::Model::IdentityAuditLog.dataset
 
             principal = params[:principal]
-            dataset = dataset.where(Sequel.lit("metadata->>'principal' = ?", principal)) if principal
+            if principal && defined?(Legion::Data::Model::Principal)
+              principal_record = Legion::Data::Model::Principal.where(canonical_name: principal).first
+              halt 404, json_error('not_found', "principal '#{principal}' not found") unless principal_record
+              dataset = dataset.where(principal_id: principal_record.id)
+            end
+
+            provider = params[:provider]
+            dataset = dataset.where(provider_name: provider) if provider
+
+            event_type = params[:event_type]
+            dataset = dataset.where(event_type: event_type) if event_type
 
             since = params[:since]
             if since
@@ -23,7 +34,9 @@ module Legion
 
             records = dataset.order(Sequel.desc(:created_at)).limit(100).all
             json_collection(records.map do |r|
-              { id: r.id, action: r.action, entity_type: r.entity_type, metadata: r.parsed_metadata, created_at: r.created_at }
+              { id: r.id, event_type: r.event_type, provider_name: r.provider_name,
+                trust_level: r.trust_level, detail: r.detail,
+                node_id: r.node_id, session_id: r.session_id, created_at: r.created_at }
             end)
           end
         end

data/lib/legion/cli/mind_growth_command.rb

@@ -179,6 +179,28 @@ module Legion
         end
       end
 
+      desc 'wire ID', 'Wire a built extension into the cognitive tick cycle'
+      option :phase, type: :string, desc: 'Override phase (auto-detected if omitted)'
+      def wire(proposal_id)
+        require_mind_growth!
+        result = Legion::Extensions::MindGrowth::Runners::Orchestrator.post_build_pipeline(
+          proposal_id: proposal_id
+        )
+
+        if result[:skipped]
+          say_status :skipped, result[:reason], :yellow
+        elsif result[:activated]
+          say_status :activated, "#{proposal_id} wired and activated", :green
+        elsif result[:error]
+          say_status :error, result[:error], :red
+        else
+          say_status :partial, "Wire: #{result[:wire]}, Test: #{result[:integration_test]}", :yellow
+        end
+      rescue StandardError => e
+        Legion::Logging.error(e.message) if defined?(Legion::Logging)
+        say_status :error, e.message, :red
+      end
+
       desc 'history', 'Show recent proposal history'
       option :limit, type: :numeric, default: 50, desc: 'Max results'
       def history

data/lib/legion/cli.rb

@@ -267,6 +267,9 @@ module Legion
       desc 'init', 'Initialize a new Legion workspace'
       subcommand 'init', Legion::CLI::Init
 
+      desc 'detect SUBCOMMAND', 'Scan environment and recommend extensions'
+      subcommand 'detect', Legion::CLI::Detect
+
       # --- Interactive & shortcuts ---
       desc 'knowledge SUBCOMMAND', 'Search and manage the document knowledge base'
       subcommand 'knowledge', Legion::CLI::Knowledge

data/lib/legion/extensions.rb

@@ -275,8 +275,6 @@ module Legion
         has_logger = extension.respond_to?(:log)
         extension.autobuild
 
-        register_identity_provider(extension, entry) if identity_provider?(extension)
-
         require 'legion/transport/messages/lex_register'
         registration = Legion::Transport::Messages::LexRegister.new(function: 'save', opts: extension.runners)
         if @pending_registrations
@@ -434,39 +432,6 @@ module Legion
 
       private
 
-      def identity_provider?(extension)
-        extension.respond_to?(:provider_name) &&
-          extension.respond_to?(:provider_type) &&
-          extension.respond_to?(:facing)
-      end
-
-      def register_identity_provider(extension, entry)
-        return unless defined?(Legion::Data) && Legion::Data.connected?
-        return unless defined?(Legion::Data::Model::IdentityProvider)
-
-        name = extension.provider_name.to_s
-        attrs = {
-          provider_type: extension.provider_type.to_s,
-          facing:        extension.facing.to_s,
-          priority:      extension.respond_to?(:priority) ? extension.priority : 100,
-          trust_weight:  extension.respond_to?(:trust_weight) ? extension.trust_weight : 50,
-          capabilities:  extension.respond_to?(:capabilities) ? Array(extension.capabilities).map(&:to_s) : [],
-          source:        'gem',
-          enabled:       true
-        }
-
-        existing = Legion::Data::Model::IdentityProvider.where(name: name).first
-        if existing
-          diverged = attrs.any? { |k, v| existing.send(k).to_s != v.to_s }
-          Legion::Logging.info "[identity][provider] name=#{name} source=db/gem diverged=#{diverged}" if defined?(Legion::Logging)
-        else
-          Legion::Data::Model::IdentityProvider.insert_conflict(target: :name, update: attrs).insert(attrs.merge(name: name))
-          Legion::Logging.info "[identity][provider] name=#{name} registered" if defined?(Legion::Logging)
-        end
-      rescue StandardError => e
-        Legion::Logging.warn "[identity][provider] registration failed for #{entry[:gem_name]}: #{e.message}" if defined?(Legion::Logging)
-      end
-
       def write_lex_cli_manifest(entry, extension)
         require 'legion/cli/lex_cli_manifest'
 

data/lib/legion/identity/broker.rb

@@ -6,46 +6,68 @@ module Legion
   module Identity
     module Broker
       GROUPS_CACHE_TTL = 60
+      AUDIT_QUEUE_MAX = 1000
+      AUDIT_DROP_LOG_INTERVAL = 100
 
       class << self
-        def token_for(provider_name)
-          lease = lease_for(provider_name)
-          lease&.valid? ? lease.token : nil
+        def token_for(provider_name, qualifier: nil, for_context: nil, purpose: nil, context: nil)
+          name = provider_name.to_sym
+          resolved = resolve_qualifier(name, qualifier: qualifier, for_context: for_context)
+          lease = lease_for(name, qualifier: resolved)
+          token = lease&.valid? ? lease.token : nil
+          emit_audit(provider: name, qualifier: resolved, purpose: purpose, context: context, granted: !token.nil?)
+          token
         end
 
-        def lease_for(provider_name)
+        def lease_for(provider_name, qualifier: nil)
           name = provider_name.to_sym
-          renewer = renewers[name]
+          resolved = qualifier || default_qualifier_for(name)
+          key = [name, resolved].freeze
+
+          renewer = renewers[key]
           return renewer.current_lease if renewer
 
-          static_ref = static_leases[name]
+          static_ref = static_leases[key]
           static_ref&.get
         end
 
-        def renewer_for(provider_name)
-          renewers[provider_name.to_sym]
+        def renewer_for(provider_name, qualifier: nil)
+          name = provider_name.to_sym
+          resolved = qualifier || default_qualifier_for(name)
+          renewers[[name, resolved].freeze]
         end
 
-        def credentials_for(provider_name, service: nil)
-          lease = lease_for(provider_name)
+        def credentials_for(provider_name, qualifier: nil, service: nil)
+          name = provider_name.to_sym
+          resolved = qualifier || default_qualifier_for(name)
+          lease = lease_for(name, qualifier: resolved)
           return nil unless lease&.valid?
 
-          { token: lease.token, provider: provider_name.to_sym, service: service, lease: lease }
+          { token: lease.token, provider: name, service: service, lease: lease }
         end
 
-        def register_provider(provider_name, provider:, lease:)
+        def register_provider(provider_name, provider:, lease:, qualifier: :default, default: false)
           name = provider_name.to_sym
+          qual = qualifier
+          key = [name, qual].freeze
+
+          # Set default qualifier: first registration or explicit default: true
+          default_qualifiers[name] = qual if default || !default_qualifiers.key?(name)
+
+          # Store provider instance (first-write-wins per provider name)
+          provider_instances[name] ||= provider
+
+          # Stop existing renewer for this specific tuple key
+          renewers[key]&.stop!
 
-          renewers[name]&.stop!
           if lease&.expires_at.nil? && !lease&.renewable
             # Static credential — store without a background renewal thread
-            renewers.delete(name)
-            static_leases[name] = Concurrent::AtomicReference.new(lease)
-            providers_map[name] = provider
+            renewers.delete(key)
+            static_leases[key] = Concurrent::AtomicReference.new(lease)
           else
             # Dynamic credential — create LeaseRenewer
-            static_leases.delete(name)
-            renewers[name] = LeaseRenewer.new(
+            static_leases.delete(key)
+            renewers[key] = LeaseRenewer.new(
               provider_name: name,
               provider:      provider,
               lease:         lease
@@ -53,12 +75,15 @@ module Legion
           end
         end
 
-        def refresh_credential(provider_name)
+        def refresh_credential(provider_name, qualifier: nil)
           name = provider_name.to_sym
-          ref  = static_leases[name]
+          resolved = qualifier || default_qualifier_for(name)
+          key = [name, resolved].freeze
+
+          ref = static_leases[key]
           return false unless ref
 
-          provider = providers_map[name]
+          provider = provider_instances[name]
           return false unless provider.respond_to?(:provide_token)
 
           new_lease = provider.provide_token
@@ -109,13 +134,29 @@ module Legion
         end
 
         def providers
-          (renewers.keys + static_leases.keys).uniq
+          all_keys = (renewers.keys + static_leases.keys)
+          all_keys.map(&:first).uniq
+        end
+
+        def credentials_available(provider_name)
+          name = provider_name.to_sym
+          all_keys = (renewers.keys + static_leases.keys)
+          all_keys.select { |k| k.first == name }.map(&:last).uniq
         end
 
         def leases
-          dynamic = renewers.transform_values { |r| r.current_lease&.to_h }
-          static  = static_leases.transform_values { |ref| ref.get&.to_h }
-          dynamic.merge(static)
+          result = {}
+          renewers.each do |key, renewer|
+            provider_name, qualifier = key
+            result[provider_name] ||= {}
+            result[provider_name][qualifier] = renewer.current_lease&.to_h
+          end
+          static_leases.each do |key, ref|
+            provider_name, qualifier = key
+            result[provider_name] ||= {}
+            result[provider_name][qualifier] = ref.get&.to_h unless result[provider_name].key?(qualifier)
+          end
+          result
         end
 
         def shutdown
@@ -126,17 +167,41 @@ module Legion
           end
           renewers.clear
           static_leases.clear
-          providers_map.clear
+          provider_instances.clear
+          default_qualifiers.clear
+          stop_audit_drainer
         end
 
         def reset!
           shutdown
           @groups_cache = Concurrent::AtomicReference.new(nil)
           @groups_fetch_in_progress = Concurrent::AtomicBoolean.new(false)
+          @audit_queue = Concurrent::Array.new
+          @audit_drops = Concurrent::AtomicFixnum.new(0)
+          @audit_drainer = nil
+          @audit_drainer_started = Concurrent::AtomicBoolean.new(false)
         end
 
         private
 
+        def resolve_qualifier(provider_name, qualifier: nil, for_context: nil)
+          return qualifier if qualifier
+
+          if for_context
+            provider = provider_instances[provider_name]
+            if provider.respond_to?(:resolve_qualifier)
+              resolved = provider.resolve_qualifier(for_context)
+              return resolved if resolved
+            end
+          end
+
+          default_qualifier_for(provider_name)
+        end
+
+        def default_qualifier_for(provider_name)
+          default_qualifiers[provider_name] || :default
+        end
+
         def renewers
           @renewers ||= Concurrent::Hash.new
         end
@@ -145,8 +210,56 @@ module Legion
           @static_leases ||= Concurrent::Hash.new
         end
 
-        def providers_map
-          @providers_map ||= Concurrent::Hash.new
+        def provider_instances
+          @provider_instances ||= Concurrent::Hash.new
+        end
+
+        def default_qualifiers
+          @default_qualifiers ||= Concurrent::Hash.new
+        end
+
+        def audit_queue
+          @audit_queue ||= Concurrent::Array.new
+        end
+
+        def emit_audit(provider:, qualifier:, purpose:, context:, granted:)
+          ensure_audit_drainer_started
+          event = {
+            provider:  provider,
+            qualifier: qualifier,
+            purpose:   purpose,
+            context:   context,
+            granted:   granted,
+            timestamp: Time.now
+          }
+
+          if audit_queue.size >= AUDIT_QUEUE_MAX
+            drops = (@audit_drops ||= Concurrent::AtomicFixnum.new(0)).increment
+            log_warn("Audit queue full, dropping event (total drops: #{drops})") if (drops % AUDIT_DROP_LOG_INTERVAL).zero?
+          else
+            audit_queue.push(event)
+          end
+        end
+
+        def ensure_audit_drainer_started
+          # Intentionally a no-op until publish_audit_event has a real
+          # implementation. Starting a drainer before a durable sink exists
+          # causes queued audit events to be silently discarded.
+          @ensure_audit_drainer_started ||= Concurrent::AtomicBoolean.new(false)
+        end
+
+        def stop_audit_drainer
+          # No background drainer is started until publish_audit_event has a
+          # real implementation. Keep this method for API compatibility.
+          @audit_drainer = nil
+          @audit_drainer_started = Concurrent::AtomicBoolean.new(false)
+        end
+
+        def publish_audit_event(event)
+          # Future: publish to transport / log store.
+          # Until then, events remain in the queue for inspection and are not
+          # drained by a background thread.
+          event
         end
 
         def fetch_groups
@@ -198,6 +311,10 @@ module Legion
       # Initialize atomics at module definition time
       @groups_cache = Concurrent::AtomicReference.new(nil)
       @groups_fetch_in_progress = Concurrent::AtomicBoolean.new(false)
+      @audit_queue = Concurrent::Array.new
+      @audit_drops = Concurrent::AtomicFixnum.new(0)
+      @audit_drainer = nil
+      @audit_drainer_started = Concurrent::AtomicBoolean.new(false)
     end
   end
 end

data/lib/legion/identity/grant.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Legion
+  module Identity
+    class Grant
+      attr_reader :grant_id, :token, :provider, :qualifier, :purpose, :result, :reason, :expires_at
+
+      def initialize(grant_id:, token:, provider:, result:, qualifier: :default, purpose: nil, reason: nil, expires_at: nil) # rubocop:disable Metrics/ParameterLists
+        @grant_id   = grant_id
+        @token      = token
+        @provider   = provider
+        @qualifier  = qualifier
+        @purpose    = purpose
+        @result     = result
+        @reason     = reason
+        @expires_at = expires_at
+        freeze
+      end
+
+      def granted? = result == :granted
+      def denied?  = result == :denied
+    end
+  end
+end

data/lib/legion/identity/middleware.rb

@@ -115,13 +115,22 @@ module Legion
       end
 
       def system_principal
-        @system_principal ||= Identity::Request.new(
-          principal_id:   'system:local',
-          canonical_name: 'system',
-          kind:           :service,
-          groups:         [],
-          source:         :local
-        )
+        canonical = if defined?(Legion::Identity::Process) && Legion::Identity::Process.resolved?
+                      Legion::Identity::Process.canonical_name
+                    else
+                      'system'
+                    end
+
+        if @system_principal&.canonical_name != canonical
+          @system_principal = Identity::Request.new(
+            principal_id:   "system:#{canonical}",
+            canonical_name: canonical,
+            kind:           :service,
+            groups:         [],
+            source:         :local
+          )
+        end
+        @system_principal
       end
     end
   end

data/lib/legion/identity/process.rb

@@ -14,7 +14,11 @@ module Legion
         source:         nil,
         persistent:     false,
         groups:         [].freeze,
-        metadata:       {}.freeze
+        metadata:       {}.freeze,
+        trust:          nil,
+        aliases:        {}.freeze,
+        providers:      {}.freeze,
+        profile:        {}.freeze
       }.freeze
 
       class << self
@@ -58,6 +62,22 @@ module Legion
           @state.get[:source]
         end
 
+        def trust
+          @state.get[:trust]
+        end
+
+        def aliases
+          @state.get[:aliases] || {}.freeze
+        end
+
+        def providers
+          @state.get[:providers] || {}.freeze
+        end
+
+        def profile
+          @state.get[:profile] || {}.freeze
+        end
+
         def identity_hash
           {
             id:             id,
@@ -69,7 +89,11 @@ module Legion
             resolved:       resolved?,
             persistent:     persistent?,
             groups:         @state.get[:groups] || [],
-            metadata:       @state.get[:metadata] || {}
+            metadata:       @state.get[:metadata] || {},
+            trust:          trust,
+            aliases:        aliases,
+            providers:      providers,
+            profile:        profile
           }
         end
 
@@ -83,7 +107,11 @@ module Legion
                        source:         identity_hash.key?(:source) ? identity_hash[:source] : provider_source,
                        persistent:     identity_hash.fetch(:persistent, true),
                        groups:         Array(identity_hash[:groups]).compact.freeze,
-                       metadata:       identity_hash[:metadata].is_a?(Hash) ? identity_hash[:metadata].dup.freeze : {}.freeze
+                       metadata:       identity_hash[:metadata].is_a?(Hash) ? identity_hash[:metadata].dup.freeze : {}.freeze,
+                       trust:          identity_hash[:trust],
+                       aliases:        identity_hash[:aliases].is_a?(Hash) ? identity_hash[:aliases].dup.freeze : {}.freeze,
+                       providers:      identity_hash[:providers].is_a?(Hash) ? identity_hash[:providers].dup.freeze : {}.freeze,
+                       profile:        identity_hash[:profile].is_a?(Hash) ? identity_hash[:profile].dup.freeze : {}.freeze
                      })
           @resolved.make_true
         end
@@ -97,7 +125,11 @@ module Legion
                        source:         :system,
                        persistent:     false,
                        groups:         [].freeze,
-                       metadata:       {}.freeze
+                       metadata:       {}.freeze,
+                       trust:          nil,
+                       aliases:        {}.freeze,
+                       providers:      {}.freeze,
+                       profile:        {}.freeze
                      })
           @resolved.make_false
         end

data/lib/legion/identity/request.rb

@@ -44,7 +44,9 @@ module Legion
       # The source value is normalized via SOURCE_NORMALIZATION at construction time.
       def self.from_auth_context(claims_hash)
         raw_name = claims_hash[:name] || claims_hash[:preferred_username] || ''
-        canonical = raw_name.to_s.strip.downcase.gsub('.', '-')
+        stripped = raw_name.to_s.strip.downcase
+        stripped = stripped.split('@', 2).first if stripped.include?('@')
+        canonical = stripped.gsub('.', '-').gsub(/[^a-z0-9_-]/, '')
         raw_source = claims_hash[:source]&.to_sym
         normalized_source = SOURCE_NORMALIZATION.fetch(raw_source, raw_source)
 

data/lib/legion/identity/resolver.rb

@@ -0,0 +1,442 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+require 'fileutils'
+require 'concurrent/array'
+require 'concurrent/atomic/atomic_reference'
+require 'concurrent/atomic/atomic_boolean'
+require 'concurrent/promises'
+
+module Legion
+  module Identity
+    module Resolver
+      TIMEOUT_SECONDS = 5
+
+      class << self
+        def register(provider)
+          return if @providers.any? { |p| p.provider_name == provider.provider_name }
+
+          @providers << provider
+        end
+
+        def resolve!(timeout: TIMEOUT_SECONDS)
+          drain_pending_registrations
+
+          auth_providers, profile_providers, fallback_providers = partition_providers
+
+          winning_provider, winning_result, provider_results = resolve_auth(auth_providers, timeout: timeout)
+
+          if winning_provider.nil?
+            winning_provider, winning_result, fallback_results = resolve_auth(fallback_providers, timeout: timeout)
+            provider_results.merge!(fallback_results) if fallback_results
+          end
+
+          unless winning_provider
+            @resolved.make_false
+            @composite.set(nil)
+            return nil
+          end
+
+          canonical = winning_result[:canonical_name]
+          trust_level = winning_provider.trust_level
+          source = winning_provider.provider_name
+
+          profile_data = resolve_profiles(profile_providers, canonical, timeout: timeout)
+
+          composite = assemble_composite(
+            provider_results, profile_data,
+            winning_result: winning_result,
+            trust_level:    trust_level,
+            source:         source
+          )
+
+          bind_and_persist(winning_provider, composite, trust_level)
+          composite
+        end
+
+        def upgrade!(provider, result)
+          current = @composite.get
+          return unless current
+
+          new_trust = provider.trust_level
+          new_canonical = result[:canonical_name] || current[:canonical_name]
+          canonical_changed = new_canonical != current[:canonical_name]
+
+          # Only promote the composite trust level when the new provider's trust
+          # is strictly higher (lower rank index) than the current level.
+          # This prevents an accidental downgrade if upgrade! is called with a
+          # lower-trust provider such as one with :unverified trust.
+          current_trust = current[:trust]
+          effective_trust = if defined?(Legion::Identity::Trust) &&
+                               Legion::Identity::Trust.respond_to?(:above?) &&
+                               Legion::Identity::Trust.above?(new_trust, current_trust)
+                              new_trust
+                            else
+                              current_trust
+                            end
+
+          new_aliases = current[:aliases].dup
+          provider_identity = result[:provider_identity]
+          if provider_identity
+            existing = Array(new_aliases[provider.provider_name])
+            new_aliases[provider.provider_name] = (existing + [provider_identity]).uniq
+          end
+
+          new_providers = current[:providers].dup
+          new_providers[provider.provider_name] = {
+            status:      :resolved,
+            trust:       new_trust,
+            resolved_at: Time.now
+          }
+
+          updated = current.merge(
+            canonical_name: new_canonical,
+            trust:          effective_trust,
+            source:         provider.provider_name,
+            aliases:        new_aliases,
+            providers:      new_providers
+          )
+
+          handle_canonical_change(current[:canonical_name], new_canonical, updated) if canonical_changed
+
+          @composite.set(updated)
+          Legion::Identity::Process.bind!(provider, updated) if defined?(Legion::Identity::Process)
+
+          if defined?(Legion::Settings) && Legion::Settings.respond_to?(:loader) && Legion::Settings.loader.respond_to?(:settings)
+            Legion::Settings.loader.settings[:client] ||= {}
+            Legion::Settings.loader.settings[:client][:name] = Legion::Identity::Process.queue_prefix
+          end
+
+          persist_identity_json(new_canonical, updated[:kind]) unless new_trust == :unverified
+
+          updated
+        end
+
+        def resolved?
+          @resolved.true?
+        end
+
+        def composite
+          @composite.get
+        end
+
+        def providers
+          @providers.dup
+        end
+
+        attr_reader :session_id
+
+        def reset!
+          @composite  = Concurrent::AtomicReference.new(nil)
+          @resolved   = Concurrent::AtomicBoolean.new(false)
+          @session_id = SecureRandom.uuid
+        end
+
+        def reset_all!
+          reset!
+          @providers = Concurrent::Array.new
+        end
+
+        private
+
+        def drain_pending_registrations
+          return unless defined?(Legion::Identity) && Legion::Identity.respond_to?(:pending_registrations)
+
+          pending = Legion::Identity.pending_registrations
+          return if pending.nil? || pending.empty?
+
+          drained = []
+          drained << pending.shift until pending.empty?
+          drained.each { |p| register(p) }
+        end
+
+        def partition_providers
+          auth     = []
+          profile  = []
+          fallback = []
+
+          @providers.each do |p|
+            case p.provider_type
+            when :auth     then auth << p
+            when :profile  then profile << p
+            when :fallback then fallback << p
+            end
+          end
+
+          auth.sort_by! { |p| [-p.priority, p.trust_weight] }
+          fallback.sort_by! { |p| [-p.priority, p.trust_weight] }
+
+          [auth, profile, fallback]
+        end
+
+        def resolve_auth(auth_providers, timeout:)
+          return [nil, nil, {}] if auth_providers.empty?
+
+          futures = auth_providers.map do |provider|
+            Concurrent::Promises.future { provider.resolve }
+          end
+
+          deadline = ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) + timeout
+          provider_results = {}
+          auth_providers.zip(futures).each do |provider, future|
+            remaining = deadline - ::Process.clock_gettime(::Process::CLOCK_MONOTONIC)
+            future.wait(remaining.positive? ? remaining : 0)
+            result = future.value(0) if future.resolved?
+            status = auth_future_status(future, result)
+
+            provider_results[provider.provider_name] = {
+              status:      status,
+              trust:       (status == :resolved ? provider.trust_level : nil),
+              resolved_at: (status == :resolved ? Time.now : nil),
+              provider:    provider,
+              result:      (status == :resolved ? result : nil)
+            }
+          end
+
+          resolved_entries = provider_results.select { |_, v| v[:status] == :resolved }
+          if resolved_entries.empty?
+            [nil, nil, provider_results]
+          else
+            winner_name = resolved_entries.min_by do |_, v|
+              p = v[:provider]
+              [-p.priority, p.trust_weight]
+            end&.first
+
+            winner_info = provider_results[winner_name]
+            [winner_info[:provider], winner_info[:result], provider_results]
+          end
+        end
+
+        def auth_future_status(future, result)
+          if future.rejected?
+            :failed
+          elsif !future.resolved?
+            :timeout
+          elsif result.is_a?(Hash) && result[:canonical_name]
+            :resolved
+          else
+            :no_identity
+          end
+        end
+
+        def resolve_profiles(profile_providers, canonical, timeout:)
+          return { groups: [], profile: {}, provider_results: {} } if profile_providers.empty?
+
+          futures = profile_providers.map do |provider|
+            Concurrent::Promises.future { resolve_profile_provider(provider, canonical) }
+          end
+
+          deadline = ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) + timeout
+          groups = []
+          profile = {}
+          pr = {}
+
+          profile_providers.zip(futures).each do |provider, future|
+            remaining = deadline - ::Process.clock_gettime(::Process::CLOCK_MONOTONIC)
+            future.wait(remaining.positive? ? remaining : 0)
+            result = future.resolved? ? future.value(0) : nil
+
+            if future.fulfilled? && result.is_a?(Hash)
+              groups.concat(Array(result[:groups])) if result[:groups]
+              profile.merge!(result[:profile]) if result[:profile].is_a?(Hash)
+              pr[provider.provider_name] = { status: :resolved, trust: provider.trust_level, resolved_at: Time.now }
+            else
+              pr[provider.provider_name] = { status: (future.rejected? ? :failed : :timeout), trust: nil, resolved_at: nil }
+            end
+          end
+
+          { groups: groups.uniq, profile: profile, provider_results: pr }
+        end
+
+        def resolve_profile_provider(provider, canonical)
+          if provider.respond_to?(:resolve_all)
+            provider.resolve_all(canonical_name: canonical)
+          else
+            provider.resolve(canonical_name: canonical)
+          end
+        end
+
+        def assemble_composite(provider_results, profile_data, winning_result:, trust_level:, source:)
+          aliases = build_aliases(provider_results)
+          providers_map = build_providers_map(provider_results, profile_data)
+
+          {
+            id:             nil,
+            canonical_name: winning_result[:canonical_name],
+            kind:           winning_result[:kind] || :human,
+            trust:          trust_level,
+            source:         source,
+            persistent:     true,
+            aliases:        aliases,
+            groups:         profile_data[:groups],
+            profile:        profile_data[:profile],
+            providers:      providers_map,
+            metadata:       {}
+          }
+        end
+
+        def build_aliases(provider_results)
+          aliases = {}
+          provider_results.each do |name, info|
+            next unless info[:status] == :resolved && info[:result]
+
+            pi = info[:result][:provider_identity]
+            aliases[name] = [pi] if pi
+          end
+          aliases
+        end
+
+        def build_providers_map(provider_results, profile_data)
+          providers_map = {}
+          provider_results.each do |name, info|
+            providers_map[name] = {
+              status:      info[:status],
+              trust:       info[:trust],
+              resolved_at: info[:resolved_at]
+            }
+          end
+          profile_data[:provider_results].each do |name, info|
+            providers_map[name] = info
+          end
+          providers_map
+        end
+
+        def bind_and_persist(winning_provider, composite, trust_level)
+          Legion::Identity::Process.bind!(winning_provider, composite) if defined?(Legion::Identity::Process)
+
+          if defined?(Legion::Settings) && Legion::Settings.respond_to?(:loader) && Legion::Settings.loader.respond_to?(:settings)
+            Legion::Settings.loader.settings[:client] ||= {}
+            Legion::Settings.loader.settings[:client][:name] = Legion::Identity::Process.queue_prefix
+          end
+
+          persist_to_db(composite)
+          persist_identity_json(composite[:canonical_name], composite[:kind]) unless trust_level == :unverified
+
+          @composite.set(composite)
+          @resolved.make_true
+        end
+
+        def persist_to_db(composite) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength
+          return unless defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+          return unless defined?(Legion::Data::Connection) &&
+                        Legion::Data::Connection.respond_to?(:adapter) &&
+                        Legion::Data::Connection.adapter == :postgres
+
+          # upsert identity_providers
+          composite[:providers]&.each do |name, info|
+            Legion::Data.db[:identity_providers].insert_conflict(
+              target: :name,
+              update: { status: info[:status].to_s, trust_level: info[:trust]&.to_s, last_seen_at: Time.now }
+            ).insert(name: name.to_s, status: info[:status].to_s, trust_level: info[:trust]&.to_s, last_seen_at: Time.now)
+          end
+
+          # upsert principals
+          Legion::Data.db[:principals].insert_conflict(
+            target: :canonical_name,
+            update: { kind: composite[:kind].to_s, updated_at: Time.now }
+          ).insert(
+            canonical_name: composite[:canonical_name],
+            kind:           composite[:kind].to_s,
+            created_at:     Time.now,
+            updated_at:     Time.now
+          )
+
+          principal_row = Legion::Data.db[:principals].where(canonical_name: composite[:canonical_name]).first
+          principal_id = principal_row[:id] if principal_row
+
+          # upsert identities per provider alias
+          composite[:aliases]&.each do |provider_name, identities|
+            Array(identities).each do |ident|
+              Legion::Data.db[:identities].insert_conflict(
+                target: %i[principal_id provider_name provider_identity],
+                update: { updated_at: Time.now }
+              ).insert(
+                principal_id:      principal_id,
+                provider_name:     provider_name.to_s,
+                provider_identity: ident,
+                created_at:        Time.now,
+                updated_at:        Time.now
+              )
+            end
+          end
+
+          # insert audit log
+          Legion::Data.db[:identity_audit_log].insert(
+            principal_id:  principal_id,
+            event_type:    'identity.resolved',
+            provider_name: composite[:source].to_s,
+            trust_level:   composite[:trust]&.to_s,
+            detail:        Legion::JSON.dump(
+              {
+                source:     composite[:source],
+                trust:      composite[:trust],
+                node_id:    composite[:node_id],
+                session_id: @session_id
+              }
+            ),
+            node_id:       composite[:node_id],
+            session_id:    @session_id,
+            created_at:    Time.now
+          )
+        rescue StandardError => e
+          log_warn("DB persistence failed: #{e.message}")
+        end
+
+        def persist_identity_json(canonical_name, kind)
+          dir = File.expand_path('~/.legionio/settings')
+          FileUtils.mkdir_p(dir)
+          path = File.join(dir, 'identity.json')
+          payload = { canonical_name: canonical_name, kind: kind }
+          json = if defined?(Legion::JSON)
+                   Legion::JSON.dump(payload)
+                 else
+                   require 'json'
+                   ::JSON.generate(payload)
+                 end
+          File.write(path, json)
+        rescue StandardError => e
+          log_warn("identity.json write failed: #{e.message}")
+        end
+
+        def handle_canonical_change(old_canonical, new_canonical, _composite)
+          if defined?(Legion::Settings) && Legion::Settings.respond_to?(:loader)
+            settings = Legion::Settings.loader.settings
+            settings[:client] ||= {}
+            settings[:client][:name] = new_canonical
+          end
+
+          return unless defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+          return unless defined?(Legion::Data::Connection) &&
+                        Legion::Data::Connection.respond_to?(:adapter) &&
+                        Legion::Data::Connection.adapter == :postgres
+
+          # Audit the canonical change
+          old_row = Legion::Data.db[:principals].where(canonical_name: old_canonical).first
+          Legion::Data.db[:identity_audit_log].insert(
+            principal_id:  old_row&.dig(:id),
+            event_type:    'identity.canonical_changed',
+            provider_name: '',
+            detail:        Legion::JSON.dump({ old: old_canonical, new: new_canonical }),
+            created_at:    Time.now
+          )
+        rescue StandardError => e
+          log_warn("canonical change handling failed: #{e.message}")
+        end
+
+        def log_warn(message)
+          if defined?(Legion::Logging) && Legion::Logging.respond_to?(:warn)
+            Legion::Logging.warn("[Identity::Resolver] #{message}")
+          else
+            $stderr.puts "[Identity::Resolver] #{message}" # rubocop:disable Style/StderrPuts
+          end
+        end
+      end
+
+      # Initialize atomics at module definition time
+      @providers  = Concurrent::Array.new
+      @composite  = Concurrent::AtomicReference.new(nil)
+      @resolved   = Concurrent::AtomicBoolean.new(false)
+      @session_id = SecureRandom.uuid
+    end
+  end
+end

data/lib/legion/identity/trust.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Legion
+  module Identity
+    module Trust
+      LEVELS = %i[verified authenticated configured cached unverified].freeze
+      RANK = LEVELS.each_with_index.to_h.freeze
+
+      module_function
+
+      def levels
+        LEVELS
+      end
+
+      def rank(level)
+        RANK[level]
+      end
+
+      def above?(level_a, level_b)
+        rank_a = RANK[level_a]
+        rank_b = RANK[level_b]
+        return false if rank_a.nil? || rank_b.nil?
+
+        rank_a < rank_b
+      end
+
+      def at_least?(level, minimum)
+        rank_level = RANK[level]
+        rank_min   = RANK[minimum]
+        return false if rank_level.nil? || rank_min.nil?
+
+        rank_level <= rank_min
+      end
+    end
+  end
+end

data/lib/legion/identity.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'concurrent/array'
+
+module Legion
+  module Identity
+    class << self
+      attr_accessor :pending_registrations
+    end
+    self.pending_registrations = Concurrent::Array.new
+  end
+end
+
+require_relative 'identity/trust'
+require_relative 'identity/resolver'

data/lib/legion/service.rb

@@ -161,6 +161,8 @@ module Legion
       setup_safety_metrics
       setup_supervision if supervision
 
+      require_relative 'identity' if File.exist?(File.expand_path('identity.rb', __dir__))
+
       if extensions
         load_extensions
         Legion::Readiness.mark_ready(:extensions)
@@ -168,8 +170,9 @@ module Legion
       end
 
       # Identity resolution — after extensions so lex-identity-* providers are loaded
-      setup_identity if transport
-      register_credential_providers if extensions && transport
+      db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+      setup_identity if transport || db_available
+      register_credential_providers if extensions && (transport || db_available)
 
       register_core_tools
 
@@ -506,8 +509,11 @@ module Legion
       require_relative 'identity/middleware'
 
       # Resolve identity from available providers (Phase 4 adds real providers)
-      resolved = resolve_identity_providers
-      unless resolved
+      require_relative 'identity' unless defined?(Legion::Identity::Resolver)
+
+      Legion::Identity::Resolver.resolve!
+
+      unless Legion::Identity::Resolver.resolved?
         Legion::Identity::Process.bind_fallback!
         log.info "[Identity] fallback identity: #{Legion::Identity::Process.canonical_name}"
       end
@@ -897,15 +903,19 @@ module Legion
         Legion::Readiness.mark_skipped(:gaia)
       end
 
-      # Phase 5: re-run identity resolution + credential swap so the reloaded
-      # process gets identity-scoped RMQ creds (not stale bootstrap creds).
-      setup_identity
-
       setup_supervision
       load_extensions
       Legion::Readiness.mark_ready(:extensions)
 
-      register_credential_providers
+      # Phase 5: re-run identity resolution after extensions are loaded so that
+      # any identity providers registered by lex-identity-* extensions are
+      # available to the resolver (mirrors the boot-time ordering).
+      Legion::Identity::Resolver.reset! if defined?(Legion::Identity::Resolver)
+      setup_identity
+
+      db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+      transport_available = defined?(Legion::Transport::Connection) && Legion::Transport::Connection.respond_to?(:session_open?) && Legion::Transport::Connection.session_open?
+      register_credential_providers if transport_available || db_available
       Legion::Extensions.flush_pending_registrations! if defined?(Legion::Extensions) && Legion::Extensions.respond_to?(:flush_pending_registrations!)
 
       register_core_tools
@@ -1088,64 +1098,6 @@ module Legion
       Legion::Crypt.fetch_bootstrap_rmq_creds
     end
 
-    def resolve_identity_providers
-      # Phase 4 adds lex-identity-* providers. For now, check if any are loaded.
-      return false unless defined?(Legion::Extensions)
-
-      providers = find_identity_providers
-      return false if providers.empty?
-
-      # Parallel resolution with 5s per-provider timeout (NO Timeout.timeout — uses future.value)
-      pool = Concurrent::FixedThreadPool.new([providers.size, 4].min)
-      futures = providers.map do |provider|
-        Concurrent::Promises.future_on(pool, provider, &:resolve)
-      end
-
-      winner_pair = providers.zip(futures).find do |_provider, future|
-        result = begin
-          future.value(5) # 5s timeout per provider
-        rescue StandardError => e
-          handle_exception(e, level: :debug, operation: 'service.resolve_identity_providers.future')
-          nil
-        end
-        result.is_a?(Hash) && result[:canonical_name]
-      end
-
-      if winner_pair
-        provider, future = winner_pair
-        identity = future.value
-        Legion::Identity::Process.bind!(provider, identity)
-        log.info "[Identity] resolved via #{provider.class.name}: #{identity[:canonical_name]}"
-
-        # Phase 8: Register winning auth provider with Broker so extensions can
-        # call Broker.token_for(:provider_name) without managing tokens themselves.
-        register_provider_with_broker(provider)
-
-        true
-      else
-        false
-      end
-    rescue StandardError => e
-      handle_exception(e, level: :warn, operation: 'service.resolve_identity_providers')
-      false
-    ensure
-      pool&.shutdown
-      pool&.kill unless pool&.wait_for_termination(2)
-    end
-
-    def register_provider_with_broker(provider)
-      return unless provider.respond_to?(:provide_token) && defined?(Legion::Identity::Broker)
-
-      lease = provider.provide_token
-      return unless lease
-
-      provider_name = provider.respond_to?(:provider_name) ? provider.provider_name : provider.class.name.to_sym
-      Legion::Identity::Broker.register_provider(provider_name, provider: provider, lease: lease)
-      log.info "[Identity] registered provider #{provider_name} with Broker"
-    rescue StandardError => e
-      handle_exception(e, level: :warn, operation: 'service.register_provider_with_broker')
-    end
-
     def register_credential_providers
       return unless defined?(Legion::Identity::Broker) && defined?(Legion::Extensions)
 
@@ -1176,32 +1128,6 @@ module Legion
       identity
     end
 
-    def find_identity_providers
-      return [] unless defined?(Legion::Extensions)
-
-      collect_identity_providers(Legion::Extensions)
-    end
-
-    def collect_identity_providers(namespace, visited = Set.new)
-      return [] unless namespace.is_a?(Module)
-      return [] if visited.include?(namespace.object_id)
-
-      visited.add(namespace.object_id)
-      providers = []
-
-      namespace.constants(false).each do |const_name|
-        mod = namespace.const_get(const_name, false)
-        next unless mod.is_a?(Module)
-
-        providers << mod if mod.respond_to?(:resolve) && mod.respond_to?(:provider_name)
-        providers.concat(collect_identity_providers(mod, visited))
-      rescue StandardError
-        next
-      end
-
-      providers
-    end
-
     def bootstrap_log_level(cli_level)
       cli_level = nil if cli_level.respond_to?(:empty?) && cli_level.empty?
       return cli_level if cli_level

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.8.15'
+  VERSION = '1.9.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.8.15
+  version: 1.9.0
 platform: ruby
 authors:
 - Esity
@@ -853,12 +853,16 @@ files:
 - lib/legion/graph/exporter.rb
 - lib/legion/guardrails.rb
 - lib/legion/helpers/context.rb
+- lib/legion/identity.rb
 - lib/legion/identity/broker.rb
+- lib/legion/identity/grant.rb
 - lib/legion/identity/lease.rb
 - lib/legion/identity/lease_renewer.rb
 - lib/legion/identity/middleware.rb
 - lib/legion/identity/process.rb
 - lib/legion/identity/request.rb
+- lib/legion/identity/resolver.rb
+- lib/legion/identity/trust.rb
 - lib/legion/ingress.rb
 - lib/legion/isolation.rb
 - lib/legion/leader.rb