legionio 1.9.33 → 1.9.36

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a0e7ab0c576dcf1950fb2dd7d38d1113dfd5f584883cd30286cd990f851ce6a3
-  data.tar.gz: a4dc69a591dd00dbb757f5e1bc5b8913005e374fed607b63d5f28088e51018a1
+  metadata.gz: 1de97753e1f584403f30a43a47049183871b98e7581bee36c892aac9e758983b
+  data.tar.gz: 2042c10f023e59093f60258a65ccec746128c3efef7bb980ee33206dafef446c
 SHA512:
-  metadata.gz: ef50ae89f614aeec8385558444afb27f57aa1797e415ce25361ec57dec5d87ecf1181fdaf9e59bf0e696cc4ec8d68c0aa9c641bb30b1c01c08a72dd5792d0e6e
-  data.tar.gz: e9049722257ccdc3415ec4e33af0100d692dbf85806cd2c1fb1f4094c1189364d575943e0f39907bcc295ec7fecabfd8065aae57c0857997a22dd0904ea958ea
+  metadata.gz: e206bc92436c737aa2046580af9b705d147d8601601703980d69944afbcc10189aa479527ee6f0da128eb0a80912d54dbc635f2c32eab4aaba2f7f21e595062e
+  data.tar.gz: da6fc109223bf64dced09fd289f86a3f67592d2ad9a096f64376e0ecea074d2611671eda9fecadbfc14e528a377ee1c2a06e15cc2cbde0de7ffda24c524dab3f

data/CHANGELOG.md

@@ -2,6 +2,32 @@
 
 ## [Unreleased]
 
+## [1.9.36] - 2026-05-22
+
+### Fixed
+- Identity: preload identity provider gems and resolve process identity before LLM setup so `llm.registry` availability events include Legion identity headers.
+- Identity: use the persisted `identity.json` value as a cached resolver fallback ahead of unverified system identity when fresh auth providers are unavailable.
+- Bundler: load sibling Legion and LLM provider path dependencies outside the test group when those local checkouts exist, so local service boots can use the active workspace gems.
+
+## [1.9.35] - 2026-05-22
+
+### Added
+- CLI: `legionio service start|stop|restart|status` subcommand for direct launchd control
+- Logging transport forwarding now publishes structured log headers/properties, including identity and Legion version headers supplied by `legion-logging`.
+
+### Fixed
+- CLI: `legionio bootstrap --start` now calls `launchctl kickstart` after brew services start to force immediate spawn on macOS 26+ (Tahoe defers `RunAtLoad` for mid-session bootstraps)
+
+## [1.9.34] - 2026-05-18
+
+### Added
+- API: `GET /api/extensions/tools` endpoint with extension, runner, deferred, and triggered filters
+- Tools::Discovery: writes to `Legion::Settings::Extensions.register_tool` (bridges discovery to LLM pipeline)
+
+### Fixed
+- Extensions: `extension_parts_from_const` no longer converts underscores to dashes (fixes lex-microsoft_teams filtering)
+- Core: `generate_runner_messages` strips `?` and `!` from method names before creating constants
+
 ## [1.9.33] - 2026-05-15
 
 ### Added

data/Gemfile

@@ -8,36 +8,39 @@ gem 'pg'
 gem 'kramdown', '>= 2.0'
 gem 'mysql2'
 
-group :test do
-  gem 'legion-data', path: '../legion-data' if File.exist?(File.expand_path('../legion-data', __dir__))
-  gem 'legion-logging', path: '../legion-logging' if File.exist?(File.expand_path('../legion-logging', __dir__))
-  gem 'legion-settings', path: '../legion-settings' if File.exist?(File.expand_path('../legion-settings', __dir__))
-
-  gem 'legion-apollo', path: '../legion-apollo' if File.exist?(File.expand_path('../legion-apollo', __dir__))
-  gem 'legion-gaia', path: '../legion-gaia' if File.exist?(File.expand_path('../legion-gaia', __dir__))
-  gem 'legion-llm', path: '../legion-llm' if File.exist?(File.expand_path('../legion-llm', __dir__))
-  gem 'legion-mcp', path: '../legion-mcp' if File.exist?(File.expand_path('../legion-mcp', __dir__))
-  gem 'legion-tty', path: '../legion-tty' if File.exist?(File.expand_path('../legion-tty', __dir__))
-
-  gem 'lex-apollo', path: '../extensions/lex-apollo' if File.exist?(File.expand_path('../extensions/lex-apollo', __dir__))
-  gem 'lex-llm', path: '../extensions-ai/lex-llm' if File.exist?(File.expand_path('../extensions-ai/lex-llm', __dir__))
-  gem 'lex-llm-ledger', path: '../extensions-ai/lex-llm-ledger' if File.exist?(File.expand_path('../extensions-ai/lex-llm-ledger', __dir__))
-
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-entra', __dir__))
-    gem 'lex-identity-entra', path: '../extensions-identity/lex-identity-entra'
-  end
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-kerberos', __dir__))
-    gem 'lex-identity-kerberos', path: '../extensions-identity/lex-identity-kerberos'
-  end
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-system', __dir__))
-    gem 'lex-identity-system', path: '../extensions-identity/lex-identity-system'
-  end
-
-  %w[anthropic azure-foundry bedrock gemini mlx ollama openai vertex vllm].each do |provider|
-    provider_path = "../extensions-ai/lex-llm-#{provider}"
-    gem "lex-llm-#{provider}", path: provider_path if File.exist?(File.expand_path(provider_path, __dir__))
-  end
+gem 'legion-data', path: '../legion-data' if File.exist?(File.expand_path('../legion-data', __dir__))
+gem 'legion-logging', path: '../legion-logging' if File.exist?(File.expand_path('../legion-logging', __dir__))
+gem 'legion-settings', path: '../legion-settings' if File.exist?(File.expand_path('../legion-settings', __dir__))
+
+gem 'legion-apollo', path: '../legion-apollo' if File.exist?(File.expand_path('../legion-apollo', __dir__))
+gem 'legion-gaia', path: '../legion-gaia' if File.exist?(File.expand_path('../legion-gaia', __dir__))
+gem 'legion-llm', path: '../legion-llm' if File.exist?(File.expand_path('../legion-llm', __dir__))
+gem 'legion-mcp', path: '../legion-mcp' if File.exist?(File.expand_path('../legion-mcp', __dir__))
+gem 'legion-tty', path: '../legion-tty' if File.exist?(File.expand_path('../legion-tty', __dir__))
+
+gem 'lex-apollo', path: '../extensions/lex-apollo' if File.exist?(File.expand_path('../extensions/lex-apollo', __dir__))
+gem 'lex-llm', path: '../extensions-ai/lex-llm' if File.exist?(File.expand_path('../extensions-ai/lex-llm', __dir__))
+# gem 'lex-llm-ledger', path: '../extensions-ai/lex-llm-ledger' if File.exist?(File.expand_path('../extensions-ai/lex-llm-ledger', __dir__))
+
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-entra', __dir__))
+  gem 'lex-identity-entra', path: '../extensions-identity/lex-identity-entra'
+end
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-kerberos', __dir__))
+  gem 'lex-identity-kerberos', path: '../extensions-identity/lex-identity-kerberos'
+end
 
+gem 'lex-kerberos', path: '../extensions-identity/lex-kerberos' if File.exist?(File.expand_path('../extensions-identity/lex-kerberos', __dir__))
+
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-system', __dir__))
+  gem 'lex-identity-system', path: '../extensions-identity/lex-identity-system'
+end
+
+%w[anthropic azure-foundry bedrock gemini mlx ollama openai vertex vllm].each do |provider|
+  provider_path = "../extensions-ai/lex-llm-#{provider}"
+  gem "lex-llm-#{provider}", path: provider_path if File.exist?(File.expand_path(provider_path, __dir__))
+end
+
+group :test do
   gem 'faraday'
   gem 'faraday-net_http'
   gem 'graphql'

data/lib/legion/api/extensions.rb

@@ -6,6 +6,7 @@ module Legion
       module Extensions
         def self.registered(app)
           register_loaded_summary_route(app)
+          register_tools_route(app)
           register_available_route(app)
           register_extension_routes(app)
           register_runner_routes(app)
@@ -29,6 +30,14 @@ module Legion
           end
         end
 
+        def self.register_tools_route(app)
+          app.get '/api/extensions/tools' do
+            entries = filter_tool_entries(Array(Legion::Settings::Extensions.tools), params)
+            tools = entries.map { |e| serialize_tool_entry(e) }
+            json_response({ total: tools.size, tools: tools })
+          end
+        end
+
         def self.register_available_route(app)
           app.get '/api/extension_catalog/available' do
             entries = Legion::Extensions::Catalog::Available.all
@@ -205,8 +214,30 @@ module Legion
               started_at: entry[:started_at]&.iso8601 }
           end
 
-          private :register_loaded_summary_route, :register_available_route, :register_extension_routes,
-                  :register_runner_routes, :register_function_routes, :register_invoke_route
+          def filter_tool_entries(entries, params)
+            entries = entries.select { |e| e[:extension].to_s == params[:extension] } if params[:extension]
+            entries = entries.select { |e| e[:runner].to_s == params[:runner] } if params[:runner]
+            entries = entries.select { |e| e[:deferred] == (params[:deferred] == 'true') } if params.key?(:deferred)
+            entries = entries.select { |e| Array(e[:trigger_words]).any? } if params[:triggered] == 'true'
+            entries
+          end
+
+          def serialize_tool_entry(entry)
+            {
+              name:          entry[:name],
+              description:   entry[:description],
+              extension:     entry[:extension],
+              runner:        entry[:runner],
+              deferred:      entry[:deferred],
+              trigger_words: entry[:trigger_words],
+              source:        entry[:source],
+              sticky:        entry[:sticky]
+            }.compact
+          end
+
+          private :register_loaded_summary_route, :register_tools_route, :register_available_route,
+                  :register_extension_routes, :register_runner_routes, :register_function_routes,
+                  :register_invoke_route
         end
       end
     end

data/lib/legion/cli/bootstrap_command.rb

@@ -3,6 +3,7 @@
 require 'English'
 require 'json'
 require 'fileutils'
+require 'open3'
 require 'rbconfig'
 require 'thor'
 require 'legion/cli/output'
@@ -391,18 +392,29 @@ module Legion
 
         def run_brew_service(service, out)
           output, success = shell_capture("brew services start #{service}")
-          if success
-            out.success("#{service} started") unless options[:json]
-            true
-          else
+          unless success
             out.warn("#{service} failed to start: #{output.strip.lines.last&.strip}") unless options[:json]
-            false
+            return false
           end
+
+          out.success("#{service} started") unless options[:json]
+          kickstart_launchd_service("homebrew.mxcl.#{service}", out)
         rescue StandardError => e
           out.warn("brew services start #{service} raised: #{e.message}") unless options[:json]
           false
         end
 
+        def kickstart_launchd_service(label, out)
+          return true unless RbConfig::CONFIG['host_os'] =~ /darwin/
+
+          uid = ::Process.uid
+          _, status = Open3.capture2e('launchctl', 'kickstart', "gui/#{uid}/#{label}")
+          return true if status.success?
+
+          out.warn("launchctl kickstart #{label} failed (service may already be running)") unless options[:json]
+          false
+        end
+
         def poll_daemon_ready(out, port: 4567, timeout: 30)
           require 'net/http'
           deadline = ::Time.now + timeout

data/lib/legion/cli/service_command.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require 'open3'
+require 'rbconfig'
+require 'thor'
+require 'legion/cli/output'
+
+module Legion
+  module CLI
+    class ServiceCommand < Thor
+      namespace 'service'
+
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :json,     type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+
+      SERVICE_LABEL = 'homebrew.mxcl.legionio'
+
+      desc 'start', 'Start the Legion launchd service'
+      long_desc <<~DESC
+        Starts the Legion background service via launchd. On macOS 26+ (Tahoe),
+        uses launchctl kickstart to ensure immediate process spawn after bootstrap.
+      DESC
+      def start
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        plist = plist_path
+        unless File.exist?(plist)
+          out.error("Service plist not found at #{plist}")
+          out.info('Run: brew install legionio')
+          raise SystemExit, 1
+        end
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        if service_loaded?(target)
+          out.info('Service already loaded, kicking...')
+        else
+          _, status = Open3.capture2e('launchctl', 'bootstrap', target, plist)
+          out.warn('bootstrap failed (may already be loaded), attempting kickstart anyway') unless status.success?
+        end
+
+        _, status = Open3.capture2e('launchctl', 'kickstart', '-k', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service started')
+        else
+          out.error('Failed to kickstart Legion service')
+          raise SystemExit, 1
+        end
+
+        poll_ready(out)
+      end
+
+      desc 'stop', 'Stop the Legion launchd service'
+      def stop
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        _, status = Open3.capture2e('launchctl', 'bootout', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service stopped')
+        else
+          out.warn('Service was not loaded (already stopped?)')
+        end
+      end
+
+      desc 'restart', 'Restart the Legion launchd service'
+      def restart
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        Open3.capture2e('launchctl', 'bootout', "#{target}/#{SERVICE_LABEL}")
+        sleep 1
+
+        plist = plist_path
+        Open3.capture2e('launchctl', 'bootstrap', target, plist) if File.exist?(plist)
+
+        _, status = Open3.capture2e('launchctl', 'kickstart', '-k', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service restarted')
+        else
+          out.error('Failed to restart Legion service')
+          raise SystemExit, 1
+        end
+
+        poll_ready(out)
+      end
+
+      desc 'status', 'Show Legion launchd service status'
+      def status
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+        output, status = Open3.capture2e('launchctl', 'print', "#{target}/#{SERVICE_LABEL}")
+
+        unless status.success?
+          out.info('Service is not loaded')
+          return
+        end
+
+        state = output[/state = (.+)/, 1] || 'unknown'
+        pid = output[/pid = (\d+)/, 1]
+        runs = output[/runs = (\d+)/, 1]
+
+        if options[:json]
+          puts Legion::JSON.dump({ state: state, pid: pid&.to_i, runs: runs&.to_i })
+        else
+          out.info("State: #{state}")
+          out.info("PID: #{pid}") if pid
+          out.info("Runs: #{runs}") if runs
+        end
+      end
+
+      private
+
+      def ensure_macos!(out)
+        return if RbConfig::CONFIG['host_os'] =~ /darwin/
+
+        out.error('The service command is only available on macOS (uses launchd)')
+        raise SystemExit, 1
+      end
+
+      def plist_path
+        File.expand_path("~/Library/LaunchAgents/#{SERVICE_LABEL}.plist")
+      end
+
+      def service_loaded?(target)
+        _, status = Open3.capture2e('launchctl', 'print', "#{target}/#{SERVICE_LABEL}")
+        status.success?
+      end
+
+      def poll_ready(out, port: 4567, timeout: 15)
+        require 'net/http'
+        deadline = ::Time.now + timeout
+        until ::Time.now > deadline
+          begin
+            resp = Net::HTTP.get_response(URI("http://localhost:#{port}/api/ready"))
+            if resp.is_a?(Net::HTTPSuccess)
+              out.success("Daemon ready on port #{port}")
+              return
+            end
+          rescue StandardError
+            # not ready yet
+          end
+          sleep 1
+        end
+        out.info('Service started but not yet ready (boot in progress)')
+      end
+    end
+  end
+end

data/lib/legion/cli.rb

@@ -69,6 +69,7 @@ module Legion
     autoload :Debug,        'legion/cli/debug_command'
     autoload :CodegenCommand, 'legion/cli/codegen_command'
     autoload :Bootstrap,      'legion/cli/bootstrap_command'
+    autoload :ServiceCommand, 'legion/cli/service_command'
     autoload :Broker,         'legion/cli/broker_command'
     autoload :AdminCommand,   'legion/cli/admin_command'
     autoload :Workflow,       'legion/cli/workflow_command'
@@ -258,6 +259,9 @@ module Legion
       desc 'setup SUBCOMMAND', 'Install feature packs and configure IDE integrations'
       subcommand 'setup', Legion::CLI::Setup
 
+      desc 'service SUBCOMMAND', 'Manage the Legion launchd background service'
+      subcommand 'service', Legion::CLI::ServiceCommand
+
       desc 'bootstrap SOURCE', 'One-command setup: fetch config, scaffold, and install packs'
       subcommand 'bootstrap', Legion::CLI::Bootstrap
 

data/lib/legion/extensions/absorbers/base.rb

@@ -198,7 +198,7 @@ module Legion
         end
 
         def build_chunk_payload(chunk, tags, opts)
-          {
+          payload = {
             content:      chunk[:content],
             content_type: opts[:content_type] || 'absorbed_chunk',
             content_hash: chunk[:content_hash],
@@ -211,6 +211,8 @@ module Legion
               token_count:  chunk[:token_count]
             }.merge(opts.fetch(:metadata, {}))
           }
+          payload[:access_scope] = opts[:access_scope] if opts.key?(:access_scope)
+          payload
         end
       end
     end

data/lib/legion/extensions/core.rb

@@ -174,7 +174,8 @@ module Legion
         return unless runner_module.respond_to?(:definitions)
 
         runner_module.definitions.each_key do |method_name|
-          const_name = "#{camelize(runner_name)}#{camelize(method_name)}"
+          sanitized = method_name.to_s.delete('?!')
+          const_name = "#{camelize(runner_name)}#{camelize(sanitized)}"
           next if ctx[:messages_mod].const_defined?(const_name, false)
 
           rk_value = "#{ctx[:prefix]}.runners.#{runner_name}.#{method_name}"

data/lib/legion/extensions.rb

@@ -132,6 +132,24 @@ module Legion
         Legion::Logging.info "[Extensions] flushed #{count} pending registrations" if defined?(Legion::Logging)
       end
 
+      def require_identity_extensions
+        find_extensions.select { |entry| entry[:category] == :identity }.each do |entry|
+          gem_name = entry[:gem_name]
+          ext_settings = extension_settings_for_entry(entry)
+
+          if ext_settings.is_a?(Hash) && ext_settings.key?(:enabled) && !ext_settings[:enabled]
+            Legion::Logging.info "Skipping #{gem_name} identity preload because it's disabled"
+            next
+          end
+
+          Catalog.register(gem_name)
+          register_extension_handle(gem_name, state:                    :registered,
+                                              latest_installed_version: latest_installed_version(gem_name))
+          ensure_namespace(entry[:const_path]) if entry[:segments].length > 1
+          gem_load(entry)
+        end
+      end
+
       def pause_actors
         @running_instances&.each do |inst|
           timer = inst.instance_variable_get(:@timer)
@@ -1061,7 +1079,7 @@ module Legion
         parts[(idx + 1)..].to_a.each_with_object([]) do |part, extension_parts|
           break extension_parts if %w[Actor Actors Runners Helpers Transport Data Hooks Skills].include?(part)
 
-          extension_parts << camel_to_snake(part).tr('_', '-')
+          extension_parts << camel_to_snake(part)
         end
       end
 

data/lib/legion/identity/broker.rb

@@ -21,6 +21,10 @@ module Legion
           token
         end
 
+        def credential_for(provider_name, qualifier: nil, for_context: nil, purpose: nil, context: nil)
+          token_for(provider_name, qualifier: qualifier, for_context: for_context, purpose: purpose, context: context)
+        end
+
         def lease_for(provider_name, qualifier: nil)
           name = provider_name.to_sym
           resolved = qualifier || default_qualifier_for(name)

data/lib/legion/identity/resolver.rb

@@ -33,6 +33,12 @@ module Legion
 
           winning_provider, winning_result, provider_results = resolve_auth(auth_providers, timeout: timeout)
 
+          if winning_provider.nil?
+            log.debug('resolve!: no auth winner, trying cached identity')
+            winning_provider, winning_result, cached_results = resolve_cached_identity
+            provider_results.merge!(cached_results) if cached_results
+          end
+
           if winning_provider.nil?
             log.debug('resolve!: no auth winner, trying fallback providers')
             winning_provider, winning_result, fallback_results = resolve_auth(fallback_providers, timeout: timeout)
@@ -229,6 +235,67 @@ module Legion
           end
         end
 
+        def resolve_cached_identity
+          cached = read_cached_identity
+          return [nil, nil, {}] unless cached
+
+          provider = cached_identity_provider
+          result = {
+            canonical_name: cached[:canonical_name],
+            kind:           cached[:kind] || :human,
+            source:         :identity_json,
+            persistent:     true
+          }
+
+          [
+            provider,
+            result,
+            {
+              provider.provider_name => {
+                status:      :resolved,
+                trust:       provider.trust_level,
+                resolved_at: Time.now,
+                provider:    provider,
+                result:      result
+              }
+            }
+          ]
+        end
+
+        def read_cached_identity
+          path = File.expand_path('~/.legionio/settings/identity.json')
+          return nil unless File.file?(path)
+
+          data = if defined?(Legion::JSON)
+                   Legion::JSON.load(File.read(path))
+                 else
+                   require 'json'
+                   ::JSON.parse(File.read(path), symbolize_names: true)
+                 end
+          canonical = data[:canonical_name] || data['canonical_name']
+          return nil if canonical.to_s.strip.empty?
+
+          {
+            canonical_name: canonical.to_s,
+            kind:           (data[:kind] || data['kind'] || :human).to_sym
+          }
+        rescue StandardError => e
+          log.warn("identity.json read failed: #{e.message}")
+          nil
+        end
+
+        def cached_identity_provider
+          @cached_identity_provider ||= Module.new do
+            module_function
+
+            def provider_name = :identity_cache
+            def provider_type = :auth
+            def priority = -100
+            def trust_weight = 150
+            def trust_level = :cached
+          end
+        end
+
         def auth_future_status(future, result)
           if future.rejected?
             :failed

data/lib/legion/service.rb

@@ -112,6 +112,8 @@ module Legion
       end
       setup_cluster if data
 
+      setup_identity_before_llm(extensions: extensions, transport: transport)
+
       if llm
         begin
           setup_llm
@@ -161,15 +163,14 @@ module Legion
       setup_safety_metrics
       setup_supervision if supervision
 
-      require_relative 'identity' if File.exist?(File.expand_path('identity.rb', __dir__))
-
       if extensions
         load_extensions
         Legion::Readiness.mark_ready(:extensions)
         setup_generated_functions
       end
 
-      # Identity resolution — after extensions so lex-identity-* providers are loaded
+      # Re-run identity after full extension load so any providers with autobuild-time
+      # registration can upgrade the pre-LLM identity.
       db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
       setup_identity if transport || db_available
       register_credential_providers if extensions && (transport || db_available)
@@ -589,7 +590,7 @@ module Legion
       end
     end
 
-    def setup_logging_transport # rubocop:disable Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+    def setup_logging_transport # rubocop:disable Metrics/CyclomaticComplexity,Metrics/MethodLength,Metrics/PerceivedComplexity
       return unless defined?(Legion::Transport::Connection)
       return unless Legion::Transport::Connection.session_open?
 
@@ -612,11 +613,16 @@ module Legion
       exchange = log_channel.topic('legion.logging', durable: true)
 
       if forward_logs
-        Legion::Logging.log_writer = lambda { |event, routing_key:|
+        Legion::Logging.log_writer = lambda { |event, routing_key:, headers: {}, properties: {}|
           begin
             next unless log_channel&.open?
 
-            exchange.publish(Legion::JSON.dump(event), routing_key: routing_key)
+            exchange.publish(
+              Legion::JSON.dump(event),
+              routing_key: routing_key,
+              headers:     headers,
+              **properties
+            )
           rescue StandardError
             nil
           end
@@ -918,6 +924,8 @@ module Legion
         Legion::Readiness.mark_skipped(:rbac)
       end
 
+      setup_identity_before_llm(extensions: true, transport: true)
+
       if defined?(Legion::LLM)
         setup_llm
       else
@@ -945,7 +953,6 @@ module Legion
       # Phase 5: re-run identity resolution after extensions are loaded so that
       # any identity providers registered by lex-identity-* extensions are
       # available to the resolver (mirrors the boot-time ordering).
-      Legion::Identity::Resolver.reset! if defined?(Legion::Identity::Resolver)
       setup_identity
 
       db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
@@ -976,6 +983,18 @@ module Legion
       Legion::Extensions.hook_extensions
     end
 
+    def setup_identity_before_llm(extensions:, transport:)
+      require_relative 'identity' if File.exist?(File.expand_path('identity.rb', __dir__))
+      Legion::Extensions.require_identity_extensions if extensions &&
+                                                        defined?(Legion::Extensions) &&
+                                                        Legion::Extensions.respond_to?(:require_identity_extensions)
+
+      db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+      setup_identity if transport || db_available
+    rescue StandardError => e
+      handle_exception(e, level: :warn, operation: 'service.setup_identity_before_llm')
+    end
+
     def register_core_tools
       require 'legion/tools'
       Legion::Tools.register_all

data/lib/legion/tools/discovery.rb

@@ -125,6 +125,7 @@ module Legion
           )
           return unless Legion::Tools::Registry.register(tool_class)
 
+          register_in_settings_extensions(tool_class, ext, runner_mod, is_deferred)
           record_tool_owner(ext, tool_class)
         end
 
@@ -216,6 +217,28 @@ module Legion
           end
         end
 
+        def register_in_settings_extensions(tool_class, ext, runner_mod, is_deferred)
+          return unless defined?(Legion::Settings::Extensions) &&
+                        Legion::Settings::Extensions.respond_to?(:register_tool)
+
+          ext_name = derive_extension_name(ext)
+          Legion::Settings::Extensions.register_tool(tool_class.tool_name, {
+                                                       description:   tool_class.respond_to?(:description) ? tool_class.description : nil,
+                                                       input_schema:  tool_class.respond_to?(:input_schema) ? tool_class.input_schema : {},
+                                                       tool_class:    tool_class,
+                                                       dispatch_type: :class_call,
+                                                       extension:     "lex-#{ext_name}",
+                                                       runner:        derive_runner_snake(runner_mod),
+                                                       source:        :tools_discovery,
+                                                       deferred:      is_deferred,
+                                                       trigger_words: tool_class.respond_to?(:trigger_words) ? tool_class.trigger_words : [],
+                                                       sticky:        tool_class.respond_to?(:sticky?) ? tool_class.sticky? : true,
+                                                       mcp_tier:      tool_class.respond_to?(:mcp_tier) ? tool_class.mcp_tier : nil
+                                                     })
+        rescue StandardError => e
+          handle_exception(e, level: :warn, handled: true, operation: :register_in_settings_extensions)
+        end
+
         def record_tool_owner(ext, tool_class)
           return unless defined?(Legion::Extensions) && Legion::Extensions.respond_to?(:record_extension_resource)
 

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.9.33'
+  VERSION = '1.9.36'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.9.33
+  version: 1.9.36
 platform: ruby
 authors:
 - Esity
@@ -750,6 +750,7 @@ files:
 - lib/legion/cli/relationship.rb
 - lib/legion/cli/review_command.rb
 - lib/legion/cli/schedule_command.rb
+- lib/legion/cli/service_command.rb
 - lib/legion/cli/setup_command.rb
 - lib/legion/cli/skill_command.rb
 - lib/legion/cli/start.rb