legionio 1.9.34 → 1.9.37

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e0fb2242e4fffe902c79cac15713bb57d8b2dd6388f122a9a6f14271faa3b3b2
-  data.tar.gz: c70d462ff6369c61dd5ae9bd786b325e4e53789eddc78d10d97441793eec1360
+  metadata.gz: c5783df4062619770ed62ad40019ba12fd1a9d2eee8bd2ca184fa49c45dccf59
+  data.tar.gz: 275c32aa2d17855942601c525c4b7ac12850c033ee06ff87cc168ed8439791f8
 SHA512:
-  metadata.gz: d7f43d17ba3a681ea09e82678831ba5694a50af90d508eb27acdcc6743d47c74bfec7da597b6d2fe6805e968d8ba247be571f6e26e60d1cfa86d6814974eb9ec
-  data.tar.gz: 198d3a7b98bb187f23f0e5cfedacabd41983dd52b0ae238650197d2ce9a4888016d211123579cd287e5a2b05f496b0dba6fb627b6280124cf39ca92b11917a18
+  metadata.gz: 1d75b48306c1a33c286893958639b503a298c805f8aef441c974b0eadbf77c4e8147bb72d1b03ca09e6df1512a0ae4e816fe0cf3b344e65d6c475a2589369a49
+  data.tar.gz: 0e9f0c9dd9d1a654ce98fb2117690dff57e81c9d83d09d6685451c2b3f847806a5e3d5e5f55641b0cdabdf67499fc61808ee9d63c7e700773d6fea173ec37eb1

data/CHANGELOG.md

@@ -1,6 +1,34 @@
 # Legion Changelog
 
-## [Unreleased]
+## [1.9.37] - 2026-05-29
+
+### Added
+- LLM: namespace API enabled by default — LegionIO now routes all `/v1/` and `/api/llm/` traffic
+  through `Namespaces::Registration` (Sinatra::Namespace, Phases 0-4 complete in legion-llm ≥ 0.8.50)
+- CLI: `legion setup proxy-mode` (alias: `proxy`) writes `~/.codex/config.toml` and
+  `~/.claude/settings.json` env block so Codex CLI and Claude Code connect to LegionIO at
+  `http://localhost:4567` out of the box. Supports `--port`, `--host`, `--force`, `--json`.
+
+### Fixed
+- LLM: Anthropic namespace message translation now properly converts `tool_use`/`tool_result` content blocks to OpenAI format for vLLM dispatch (requires legion-llm ≥ 0.10.1)
+- LLM: streaming tool_use blocks emitted inline with guaranteed ordering before `message_stop`
+- LLM: curator preserves recent turns — no longer curates tool results from the current/previous turn
+
+## [1.9.36] - 2026-05-22
+
+### Fixed
+- Identity: preload identity provider gems and resolve process identity before LLM setup so `llm.registry` availability events include Legion identity headers.
+- Identity: use the persisted `identity.json` value as a cached resolver fallback ahead of unverified system identity when fresh auth providers are unavailable.
+- Bundler: load sibling Legion and LLM provider path dependencies outside the test group when those local checkouts exist, so local service boots can use the active workspace gems.
+
+## [1.9.35] - 2026-05-22
+
+### Added
+- CLI: `legionio service start|stop|restart|status` subcommand for direct launchd control
+- Logging transport forwarding now publishes structured log headers/properties, including identity and Legion version headers supplied by `legion-logging`.
+
+### Fixed
+- CLI: `legionio bootstrap --start` now calls `launchctl kickstart` after brew services start to force immediate spawn on macOS 26+ (Tahoe defers `RunAtLoad` for mid-session bootstraps)
 
 ## [1.9.34] - 2026-05-18
 

data/Gemfile

@@ -8,36 +8,42 @@ gem 'pg'
 gem 'kramdown', '>= 2.0'
 gem 'mysql2'
 
-group :test do
-  gem 'legion-data', path: '../legion-data' if File.exist?(File.expand_path('../legion-data', __dir__))
-  gem 'legion-logging', path: '../legion-logging' if File.exist?(File.expand_path('../legion-logging', __dir__))
-  gem 'legion-settings', path: '../legion-settings' if File.exist?(File.expand_path('../legion-settings', __dir__))
-
-  gem 'legion-apollo', path: '../legion-apollo' if File.exist?(File.expand_path('../legion-apollo', __dir__))
-  gem 'legion-gaia', path: '../legion-gaia' if File.exist?(File.expand_path('../legion-gaia', __dir__))
-  gem 'legion-llm', path: '../legion-llm' if File.exist?(File.expand_path('../legion-llm', __dir__))
-  gem 'legion-mcp', path: '../legion-mcp' if File.exist?(File.expand_path('../legion-mcp', __dir__))
-  gem 'legion-tty', path: '../legion-tty' if File.exist?(File.expand_path('../legion-tty', __dir__))
-
-  gem 'lex-apollo', path: '../extensions/lex-apollo' if File.exist?(File.expand_path('../extensions/lex-apollo', __dir__))
-  gem 'lex-llm', path: '../extensions-ai/lex-llm' if File.exist?(File.expand_path('../extensions-ai/lex-llm', __dir__))
-  gem 'lex-llm-ledger', path: '../extensions-ai/lex-llm-ledger' if File.exist?(File.expand_path('../extensions-ai/lex-llm-ledger', __dir__))
-
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-entra', __dir__))
-    gem 'lex-identity-entra', path: '../extensions-identity/lex-identity-entra'
-  end
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-kerberos', __dir__))
-    gem 'lex-identity-kerberos', path: '../extensions-identity/lex-identity-kerberos'
-  end
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-system', __dir__))
-    gem 'lex-identity-system', path: '../extensions-identity/lex-identity-system'
-  end
-
-  %w[anthropic azure-foundry bedrock gemini mlx ollama openai vertex vllm].each do |provider|
-    provider_path = "../extensions-ai/lex-llm-#{provider}"
-    gem "lex-llm-#{provider}", path: provider_path if File.exist?(File.expand_path(provider_path, __dir__))
-  end
+gem 'legion-data', path: '../legion-data' if File.exist?(File.expand_path('../legion-data', __dir__))
+gem 'legion-logging', path: '../legion-logging' if File.exist?(File.expand_path('../legion-logging', __dir__))
+gem 'legion-settings', path: '../legion-settings' if File.exist?(File.expand_path('../legion-settings', __dir__))
+
+gem 'legion-apollo', path: '../legion-apollo' if File.exist?(File.expand_path('../legion-apollo', __dir__))
+gem 'legion-gaia', path: '../legion-gaia' if File.exist?(File.expand_path('../legion-gaia', __dir__))
+gem 'legion-llm', path: '../legion-llm' if File.exist?(File.expand_path('../legion-llm', __dir__))
+gem 'legion-mcp', path: '../legion-mcp' if File.exist?(File.expand_path('../legion-mcp', __dir__))
+gem 'legion-tty', path: '../legion-tty' if File.exist?(File.expand_path('../legion-tty', __dir__))
+
+gem 'lex-apollo', path: '../extensions/lex-apollo' if File.exist?(File.expand_path('../extensions/lex-apollo', __dir__))
+gem 'lex-lex', path: '../extensions/lex-lex' if File.exist?(File.expand_path('../extensions/lex-lex', __dir__))
+gem 'lex-llm', path: '../extensions-ai/lex-llm' if File.exist?(File.expand_path('../extensions-ai/lex-llm', __dir__))
+gem 'lex-llm-ledger', path: '../extensions-ai/lex-llm-ledger' if File.exist?(File.expand_path('../extensions-ai/lex-llm-ledger', __dir__))
+# gem 'lex-microsoft_teams', path: '../extensions/lex-microsoft_teams' if File.exist?(File.expand_path('../extensions/lex-microsoft_teams', __dir__))
+# gem 'lex-lex', path: '../extensions/lex-lex' if File.exist?(File.expand_path('../extensions/lex-lex', __dir__))
+
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-entra', __dir__))
+  gem 'lex-identity-entra', path: '../extensions-identity/lex-identity-entra'
+end
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-kerberos', __dir__))
+  gem 'lex-identity-kerberos', path: '../extensions-identity/lex-identity-kerberos'
+end
 
+gem 'lex-kerberos', path: '../extensions-identity/lex-kerberos' if File.exist?(File.expand_path('../extensions-identity/lex-kerberos', __dir__))
+
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-system', __dir__))
+  gem 'lex-identity-system', path: '../extensions-identity/lex-identity-system'
+end
+
+%w[anthropic azure-foundry bedrock gemini mlx ollama openai vertex vllm].each do |provider|
+  provider_path = "../extensions-ai/lex-llm-#{provider}"
+  gem "lex-llm-#{provider}", path: provider_path if File.exist?(File.expand_path(provider_path, __dir__))
+end
+
+group :test do
   gem 'faraday'
   gem 'faraday-net_http'
   gem 'graphql'

data/lib/legion/cli/bootstrap_command.rb

@@ -3,6 +3,7 @@
 require 'English'
 require 'json'
 require 'fileutils'
+require 'open3'
 require 'rbconfig'
 require 'thor'
 require 'legion/cli/output'
@@ -292,7 +293,7 @@ module Legion
 
         def install_single_gem(name, gem_bin, out)
           puts "  Installing #{name}..." unless options[:json]
-          output, success = shell_capture("#{gem_bin} install #{name} --no-document")
+          output, success = shell_capture("#{gem_bin} install #{name} --no-document --clear-sources --source https://rubygems.org/")
           if success
             out.success("  #{name} installed") unless options[:json]
             { name: name, status: 'installed' }
@@ -391,18 +392,29 @@ module Legion
 
         def run_brew_service(service, out)
           output, success = shell_capture("brew services start #{service}")
-          if success
-            out.success("#{service} started") unless options[:json]
-            true
-          else
+          unless success
             out.warn("#{service} failed to start: #{output.strip.lines.last&.strip}") unless options[:json]
-            false
+            return false
           end
+
+          out.success("#{service} started") unless options[:json]
+          kickstart_launchd_service("homebrew.mxcl.#{service}", out)
         rescue StandardError => e
           out.warn("brew services start #{service} raised: #{e.message}") unless options[:json]
           false
         end
 
+        def kickstart_launchd_service(label, out)
+          return true unless RbConfig::CONFIG['host_os'] =~ /darwin/
+
+          uid = ::Process.uid
+          _, status = Open3.capture2e('launchctl', 'kickstart', "gui/#{uid}/#{label}")
+          return true if status.success?
+
+          out.warn("launchctl kickstart #{label} failed (service may already be running)") unless options[:json]
+          false
+        end
+
         def poll_daemon_ready(out, port: 4567, timeout: 30)
           require 'net/http'
           deadline = ::Time.now + timeout

data/lib/legion/cli/service_command.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require 'open3'
+require 'rbconfig'
+require 'thor'
+require 'legion/cli/output'
+
+module Legion
+  module CLI
+    class ServiceCommand < Thor
+      namespace 'service'
+
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :json,     type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+
+      SERVICE_LABEL = 'homebrew.mxcl.legionio'
+
+      desc 'start', 'Start the Legion launchd service'
+      long_desc <<~DESC
+        Starts the Legion background service via launchd. On macOS 26+ (Tahoe),
+        uses launchctl kickstart to ensure immediate process spawn after bootstrap.
+      DESC
+      def start
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        plist = plist_path
+        unless File.exist?(plist)
+          out.error("Service plist not found at #{plist}")
+          out.info('Run: brew install legionio')
+          raise SystemExit, 1
+        end
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        if service_loaded?(target)
+          out.info('Service already loaded, kicking...')
+        else
+          _, status = Open3.capture2e('launchctl', 'bootstrap', target, plist)
+          out.warn('bootstrap failed (may already be loaded), attempting kickstart anyway') unless status.success?
+        end
+
+        _, status = Open3.capture2e('launchctl', 'kickstart', '-k', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service started')
+        else
+          out.error('Failed to kickstart Legion service')
+          raise SystemExit, 1
+        end
+
+        poll_ready(out)
+      end
+
+      desc 'stop', 'Stop the Legion launchd service'
+      def stop
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        _, status = Open3.capture2e('launchctl', 'bootout', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service stopped')
+        else
+          out.warn('Service was not loaded (already stopped?)')
+        end
+      end
+
+      desc 'restart', 'Restart the Legion launchd service'
+      def restart
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        Open3.capture2e('launchctl', 'bootout', "#{target}/#{SERVICE_LABEL}")
+        sleep 1
+
+        plist = plist_path
+        Open3.capture2e('launchctl', 'bootstrap', target, plist) if File.exist?(plist)
+
+        _, status = Open3.capture2e('launchctl', 'kickstart', '-k', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service restarted')
+        else
+          out.error('Failed to restart Legion service')
+          raise SystemExit, 1
+        end
+
+        poll_ready(out)
+      end
+
+      desc 'status', 'Show Legion launchd service status'
+      def status
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+        output, status = Open3.capture2e('launchctl', 'print', "#{target}/#{SERVICE_LABEL}")
+
+        unless status.success?
+          out.info('Service is not loaded')
+          return
+        end
+
+        state = output[/state = (.+)/, 1] || 'unknown'
+        pid = output[/pid = (\d+)/, 1]
+        runs = output[/runs = (\d+)/, 1]
+
+        if options[:json]
+          puts Legion::JSON.dump({ state: state, pid: pid&.to_i, runs: runs&.to_i })
+        else
+          out.info("State: #{state}")
+          out.info("PID: #{pid}") if pid
+          out.info("Runs: #{runs}") if runs
+        end
+      end
+
+      private
+
+      def ensure_macos!(out)
+        return if RbConfig::CONFIG['host_os'] =~ /darwin/
+
+        out.error('The service command is only available on macOS (uses launchd)')
+        raise SystemExit, 1
+      end
+
+      def plist_path
+        File.expand_path("~/Library/LaunchAgents/#{SERVICE_LABEL}.plist")
+      end
+
+      def service_loaded?(target)
+        _, status = Open3.capture2e('launchctl', 'print', "#{target}/#{SERVICE_LABEL}")
+        status.success?
+      end
+
+      def poll_ready(out, port: 4567, timeout: 15)
+        require 'net/http'
+        deadline = ::Time.now + timeout
+        until ::Time.now > deadline
+          begin
+            resp = Net::HTTP.get_response(URI("http://localhost:#{port}/api/ready"))
+            if resp.is_a?(Net::HTTPSuccess)
+              out.success("Daemon ready on port #{port}")
+              return
+            end
+          rescue StandardError
+            # not ready yet
+          end
+          sleep 1
+        end
+        out.info('Service started but not yet ready (boot in progress)')
+      end
+    end
+  end
+end

data/lib/legion/cli/setup_command.rb

@@ -157,6 +157,34 @@ module Legion
         end
       end
 
+      desc 'proxy-mode', 'Configure Codex CLI and Claude Code to use LegionIO as a local API proxy'
+      option :port, type: :numeric, default: 4567, desc: 'LegionIO API port'
+      option :host, type: :string, default: 'localhost', desc: 'LegionIO API host'
+      def proxy_mode
+        out = formatter
+        base_url = "http://#{options[:host]}:#{options[:port]}/v1"
+        written = []
+        skipped = []
+
+        write_codex_config(base_url, written, skipped)
+        write_claude_code_proxy_config(base_url, written, skipped)
+
+        if options[:json]
+          out.json(written: written, skipped: skipped, base_url: base_url)
+        else
+          out.spacer
+          out.success("LegionIO proxy mode configured (#{written.size} written, #{skipped.size} skipped)")
+          written.each { |f| puts "  Written:  #{f}" }
+          skipped.each { |f| puts "  Skipped (already exists, use --force to overwrite): #{f}" }
+          out.spacer
+          puts "  LegionIO API: #{base_url.sub('/v1', '')}"
+          puts '  Codex CLI:    legion llm proxy (uses ~/.codex/config.toml)'
+          puts '  Claude Code:  set ANTHROPIC_BASE_URL in your shell or ~/.claude/settings.json'
+          out.spacer
+        end
+      end
+      map 'proxy' => :proxy_mode
+
       desc 'agentic', 'Install full cognitive stack (GAIA + LLM + Apollo + all agentic extensions)'
       option :dry_run, type: :boolean, default: false, desc: 'Show what would be installed without installing'
       def agentic
@@ -473,7 +501,7 @@ module Legion
 
         def install_gem(name, gem_bin, out)
           puts "  Installing #{name}..." unless options[:json]
-          output = `#{gem_bin} install #{name} --no-document 2>&1`
+          output = `#{gem_bin} install #{name} --no-document --clear-sources --source https://rubygems.org/ 2>&1`
           if $CHILD_STATUS.success?
             out.success("  #{name} installed") unless options[:json]
             { name: name, status: 'installed' }
@@ -712,6 +740,74 @@ module Legion
           end
           { name: 'VS Code', path: path, configured: configured }
         end
+
+        def write_codex_config(base_url, written, skipped)
+          codex_dir  = File.expand_path('~/.codex')
+          codex_path = File.join(codex_dir, 'config.toml')
+
+          if File.exist?(codex_path) && !options[:force]
+            skipped << codex_path
+            return
+          end
+
+          FileUtils.mkdir_p(codex_dir)
+
+          content = <<~TOML
+            model = "legionio"
+            model_provider = "legion"
+
+            [model_providers.legion]
+            name = "LegionIO"
+            env_key = "LEGION_API_KEY"
+            base_url = "#{base_url}"
+            wire_api = "responses"
+          TOML
+
+          File.write(codex_path, content)
+          written << codex_path
+        rescue StandardError => e
+          raise Thor::Error, "Failed to write #{codex_path}: #{e.message}"
+        end
+
+        def write_claude_code_proxy_config(base_url, written, skipped)
+          claude_dir  = File.expand_path('~/.claude')
+          claude_path = File.join(claude_dir, 'settings.json')
+
+          existing = if File.exist?(claude_path)
+                       begin
+                         ::JSON.parse(File.read(claude_path))
+                       rescue ::JSON::ParserError
+                         {}
+                       end
+                     else
+                       {}
+                     end
+
+          proxy_env = {
+            'ANTHROPIC_BASE_URL'             => base_url.sub(%r{/v1$}, ''),
+            'ANTHROPIC_API_KEY'              => 'legion',
+            'ANTHROPIC_AUTH_TOKEN'           => 'legion',
+            'ANTHROPIC_DEFAULT_OPUS_MODEL'   => 'legionio',
+            'ANTHROPIC_DEFAULT_SONNET_MODEL' => 'legionio',
+            'ANTHROPIC_DEFAULT_HAIKU_MODEL'  => 'legionio'
+          }
+
+          current_env = existing['env'] || {}
+
+          already_set = proxy_env.all? { |k, v| current_env[k] == v }
+          if already_set && !options[:force]
+            skipped << claude_path
+            return
+          end
+
+          merged = existing.merge('env' => current_env.merge(proxy_env))
+
+          FileUtils.mkdir_p(claude_dir)
+          File.write(claude_path, ::JSON.pretty_generate(merged))
+          written << claude_path
+        rescue StandardError => e
+          raise Thor::Error, "Failed to write #{claude_path}: #{e.message}"
+        end
       end
     end
   end

data/lib/legion/cli.rb

@@ -69,6 +69,7 @@ module Legion
     autoload :Debug,        'legion/cli/debug_command'
     autoload :CodegenCommand, 'legion/cli/codegen_command'
     autoload :Bootstrap,      'legion/cli/bootstrap_command'
+    autoload :ServiceCommand, 'legion/cli/service_command'
     autoload :Broker,         'legion/cli/broker_command'
     autoload :AdminCommand,   'legion/cli/admin_command'
     autoload :Workflow,       'legion/cli/workflow_command'
@@ -258,6 +259,9 @@ module Legion
       desc 'setup SUBCOMMAND', 'Install feature packs and configure IDE integrations'
       subcommand 'setup', Legion::CLI::Setup
 
+      desc 'service SUBCOMMAND', 'Manage the Legion launchd background service'
+      subcommand 'service', Legion::CLI::ServiceCommand
+
       desc 'bootstrap SOURCE', 'One-command setup: fetch config, scaffold, and install packs'
       subcommand 'bootstrap', Legion::CLI::Bootstrap
 

data/lib/legion/data/local_migrations/20260528000001_add_tbi_patterns_indexes.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  up do
+    alter_table(:tbi_patterns) do
+      add_index :pattern_type, name: :idx_tbi_patterns_type
+      add_index :tier, name: :idx_tbi_patterns_tier
+    end
+  end
+
+  down do
+    alter_table(:tbi_patterns) do
+      drop_index :tier, name: :idx_tbi_patterns_tier
+      drop_index :pattern_type, name: :idx_tbi_patterns_type
+    end
+  end
+end

data/lib/legion/extensions/actors/subscription.rb

@@ -65,8 +65,10 @@ module Legion
         end
 
         def prepare # rubocop:disable Metrics/AbcSize
+          @dedicated_channel = create_dedicated_channel
           @queue = queue.new
-          @queue.channel.prefetch(prefetch) if defined? prefetch
+          reassign_queue_channel(@queue, @dedicated_channel)
+          @dedicated_channel.prefetch(prefetch) if defined? prefetch
           consumer_tag = "#{Legion::Settings[:client][:name]}_#{lex_name}_#{runner_name}_#{SecureRandom.uuid}"
           @consumer = Bunny::Consumer.new(@queue.channel, @queue, consumer_tag, false, false)
           @consumer.on_delivery do |delivery_info, metadata, payload|
@@ -298,6 +300,21 @@ module Legion
           end
         end
 
+        def create_dedicated_channel
+          s = Legion::Transport::Connection.session
+          raise IOError, 'transport session unavailable' unless s&.open?
+
+          settings = Legion::Transport::Connection.settings
+          s.create_channel(nil, settings[:channel][:default_worker_pool_size], false, 10)
+        end
+
+        def reassign_queue_channel(queue_instance, new_channel)
+          old_channel = queue_instance.channel
+          old_channel.deregister_queue(queue_instance) if old_channel.respond_to?(:deregister_queue)
+          queue_instance.instance_variable_set(:@channel, new_channel)
+          new_channel.register_queue(queue_instance) if new_channel.respond_to?(:register_queue)
+        end
+
         def republish_with_retry_count(_delivery_info, metadata, payload, new_count)
           headers = (metadata&.headers || {}).dup
           headers[RetryPolicy::RETRY_COUNT_HEADER] = new_count

data/lib/legion/extensions.rb

@@ -132,6 +132,24 @@ module Legion
         Legion::Logging.info "[Extensions] flushed #{count} pending registrations" if defined?(Legion::Logging)
       end
 
+      def require_identity_extensions
+        find_extensions.select { |entry| entry[:category] == :identity }.each do |entry|
+          gem_name = entry[:gem_name]
+          ext_settings = extension_settings_for_entry(entry)
+
+          if ext_settings.is_a?(Hash) && ext_settings.key?(:enabled) && !ext_settings[:enabled]
+            Legion::Logging.info "Skipping #{gem_name} identity preload because it's disabled"
+            next
+          end
+
+          Catalog.register(gem_name)
+          register_extension_handle(gem_name, state:                    :registered,
+                                              latest_installed_version: latest_installed_version(gem_name))
+          ensure_namespace(entry[:const_path]) if entry[:segments].length > 1
+          gem_load(entry)
+        end
+      end
+
       def pause_actors
         @running_instances&.each do |inst|
           timer = inst.instance_variable_get(:@timer)

data/lib/legion/guardrails.rb

@@ -7,7 +7,10 @@ module Legion
     module EmbeddingSimilarity
       class << self
         def check(input, safe_embeddings:, threshold: 0.3)
-          return { safe: true, reason: 'no embeddings service' } unless defined?(Legion::LLM) && Legion::LLM.respond_to?(:embed)
+          unless defined?(Legion::LLM) && Legion::LLM.respond_to?(:embed) && Legion::LLM.respond_to?(:started?) && Legion::LLM.started?
+            return { safe:   true,
+                     reason: 'no embeddings service' }
+          end
 
           input_vec = Legion::LLM.embed(input)
           return { safe: true, reason: 'embedding failed' } unless input_vec
@@ -18,6 +21,8 @@ module Legion
             Legion::Logging.warn "[Guardrails] EmbeddingSimilarity rejected input: distance=#{min_dist.round(4)} threshold=#{threshold}"
           end
           { safe: safe, distance: min_dist.round(4), threshold: threshold }
+        rescue StandardError
+          { safe: true, reason: 'embedding failed' }
         end
 
         def cosine_distance(vec_a, vec_b)

data/lib/legion/identity/broker.rb

@@ -21,6 +21,10 @@ module Legion
           token
         end
 
+        def credential_for(provider_name, qualifier: nil, for_context: nil, purpose: nil, context: nil)
+          token_for(provider_name, qualifier: qualifier, for_context: for_context, purpose: purpose, context: context)
+        end
+
         def lease_for(provider_name, qualifier: nil)
           name = provider_name.to_sym
           resolved = qualifier || default_qualifier_for(name)

data/lib/legion/identity/resolver.rb

@@ -33,6 +33,12 @@ module Legion
 
           winning_provider, winning_result, provider_results = resolve_auth(auth_providers, timeout: timeout)
 
+          if winning_provider.nil?
+            log.debug('resolve!: no auth winner, trying cached identity')
+            winning_provider, winning_result, cached_results = resolve_cached_identity
+            provider_results.merge!(cached_results) if cached_results
+          end
+
           if winning_provider.nil?
             log.debug('resolve!: no auth winner, trying fallback providers')
             winning_provider, winning_result, fallback_results = resolve_auth(fallback_providers, timeout: timeout)
@@ -229,6 +235,67 @@ module Legion
           end
         end
 
+        def resolve_cached_identity
+          cached = read_cached_identity
+          return [nil, nil, {}] unless cached
+
+          provider = cached_identity_provider
+          result = {
+            canonical_name: cached[:canonical_name],
+            kind:           cached[:kind] || :human,
+            source:         :identity_json,
+            persistent:     true
+          }
+
+          [
+            provider,
+            result,
+            {
+              provider.provider_name => {
+                status:      :resolved,
+                trust:       provider.trust_level,
+                resolved_at: Time.now,
+                provider:    provider,
+                result:      result
+              }
+            }
+          ]
+        end
+
+        def read_cached_identity
+          path = File.expand_path('~/.legionio/settings/identity.json')
+          return nil unless File.file?(path)
+
+          data = if defined?(Legion::JSON)
+                   Legion::JSON.load(File.read(path))
+                 else
+                   require 'json'
+                   ::JSON.parse(File.read(path), symbolize_names: true)
+                 end
+          canonical = data[:canonical_name] || data['canonical_name']
+          return nil if canonical.to_s.strip.empty?
+
+          {
+            canonical_name: canonical.to_s,
+            kind:           (data[:kind] || data['kind'] || :human).to_sym
+          }
+        rescue StandardError => e
+          log.warn("identity.json read failed: #{e.message}")
+          nil
+        end
+
+        def cached_identity_provider
+          @cached_identity_provider ||= Module.new do
+            module_function
+
+            def provider_name = :identity_cache
+            def provider_type = :auth
+            def priority = -100
+            def trust_weight = 150
+            def trust_level = :cached
+          end
+        end
+
         def auth_future_status(future, result)
           if future.rejected?
             :failed

data/lib/legion/service.rb

@@ -112,6 +112,8 @@ module Legion
       end
       setup_cluster if data
 
+      setup_identity_before_llm(extensions: extensions, transport: transport)
+
       if llm
         begin
           setup_llm
@@ -161,15 +163,14 @@ module Legion
       setup_safety_metrics
       setup_supervision if supervision
 
-      require_relative 'identity' if File.exist?(File.expand_path('identity.rb', __dir__))
-
       if extensions
         load_extensions
         Legion::Readiness.mark_ready(:extensions)
         setup_generated_functions
       end
 
-      # Identity resolution — after extensions so lex-identity-* providers are loaded
+      # Re-run identity after full extension load so any providers with autobuild-time
+      # registration can upgrade the pre-LLM identity.
       db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
       setup_identity if transport || db_available
       register_credential_providers if extensions && (transport || db_available)
@@ -451,6 +452,7 @@ module Legion
       log.info 'Setting up Legion::LLM'
       require 'legion/llm'
       Legion::Settings.merge_settings('llm', Legion::LLM::Settings.default)
+      Legion::Settings.loader.settings[:llm][:api][:use_namespaces] = true
       preload_llm_providers
       Legion::LLM.start
       log.info 'Legion::LLM started'
@@ -589,7 +591,7 @@ module Legion
       end
     end
 
-    def setup_logging_transport # rubocop:disable Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+    def setup_logging_transport # rubocop:disable Metrics/CyclomaticComplexity,Metrics/MethodLength,Metrics/PerceivedComplexity
       return unless defined?(Legion::Transport::Connection)
       return unless Legion::Transport::Connection.session_open?
 
@@ -612,11 +614,16 @@ module Legion
       exchange = log_channel.topic('legion.logging', durable: true)
 
       if forward_logs
-        Legion::Logging.log_writer = lambda { |event, routing_key:|
+        Legion::Logging.log_writer = lambda { |event, routing_key:, headers: {}, properties: {}|
           begin
             next unless log_channel&.open?
 
-            exchange.publish(Legion::JSON.dump(event), routing_key: routing_key)
+            exchange.publish(
+              Legion::JSON.dump(event),
+              routing_key: routing_key,
+              headers:     headers,
+              **properties
+            )
           rescue StandardError
             nil
           end
@@ -918,6 +925,8 @@ module Legion
         Legion::Readiness.mark_skipped(:rbac)
       end
 
+      setup_identity_before_llm(extensions: true, transport: true)
+
       if defined?(Legion::LLM)
         setup_llm
       else
@@ -945,7 +954,6 @@ module Legion
       # Phase 5: re-run identity resolution after extensions are loaded so that
       # any identity providers registered by lex-identity-* extensions are
       # available to the resolver (mirrors the boot-time ordering).
-      Legion::Identity::Resolver.reset! if defined?(Legion::Identity::Resolver)
       setup_identity
 
       db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
@@ -976,6 +984,18 @@ module Legion
       Legion::Extensions.hook_extensions
     end
 
+    def setup_identity_before_llm(extensions:, transport:)
+      require_relative 'identity' if File.exist?(File.expand_path('identity.rb', __dir__))
+      Legion::Extensions.require_identity_extensions if extensions &&
+                                                        defined?(Legion::Extensions) &&
+                                                        Legion::Extensions.respond_to?(:require_identity_extensions)
+
+      db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+      setup_identity if transport || db_available
+    rescue StandardError => e
+      handle_exception(e, level: :warn, operation: 'service.setup_identity_before_llm')
+    end
+
     def register_core_tools
       require 'legion/tools'
       Legion::Tools.register_all

data/lib/legion/tools/embedding_cache/migrations/002_add_tool_name_index.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  up do
+    alter_table(:tool_embedding_cache) do
+      add_index :tool_name, name: :idx_tool_embedding_cache_tool_name
+    end
+  end
+
+  down do
+    alter_table(:tool_embedding_cache) do
+      drop_index :tool_name, name: :idx_tool_embedding_cache_tool_name
+    end
+  end
+end

data/lib/legion/trace_search.rb

@@ -72,6 +72,9 @@ module Legion
         )
         Legion::Logging.error "[TraceSearch] LLM filter generation failed for query: #{query.inspect}" if !result[:valid] && defined?(Legion::Logging)
         result[:data] if result[:valid]
+      rescue Legion::LLM::LLMError => e
+        handle_exception(e, level: :debug, handled: true, operation: 'trace_search.generate_filter') if respond_to?(:handle_exception)
+        nil
       end
 
       def schema_context

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.9.34'
+  VERSION = '1.9.37'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.9.34
+  version: 1.9.37
 platform: ruby
 authors:
 - Esity
@@ -750,6 +750,7 @@ files:
 - lib/legion/cli/relationship.rb
 - lib/legion/cli/review_command.rb
 - lib/legion/cli/schedule_command.rb
+- lib/legion/cli/service_command.rb
 - lib/legion/cli/setup_command.rb
 - lib/legion/cli/skill_command.rb
 - lib/legion/cli/start.rb
@@ -779,6 +780,7 @@ files:
 - lib/legion/data/local_migrations/20250601000001_create_tbi_patterns.rb
 - lib/legion/data/local_migrations/20260319000001_create_extension_catalog.rb
 - lib/legion/data/local_migrations/20260319000002_create_extension_permissions.rb
+- lib/legion/data/local_migrations/20260528000001_add_tbi_patterns_indexes.rb
 - lib/legion/data/models/tbi_pattern.rb
 - lib/legion/digital_worker.rb
 - lib/legion/digital_worker/airb.rb
@@ -913,6 +915,7 @@ files:
 - lib/legion/tools/do.rb
 - lib/legion/tools/embedding_cache.rb
 - lib/legion/tools/embedding_cache/migrations/001_create_tool_embedding_cache.rb
+- lib/legion/tools/embedding_cache/migrations/002_add_tool_name_index.rb
 - lib/legion/tools/registry.rb
 - lib/legion/tools/status.rb
 - lib/legion/tools/trigger_index.rb