legionio 1.4.104 → 1.4.105

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12afbe73936b06db9067ffa5e4fc445fe52c76687cd13aedbdb4b390a5515d7f
-  data.tar.gz: 960ca1400fe432d4ee1dbe51658afaa2e988982b178da080b8f20795bc42fa7e
+  metadata.gz: bc07c77ea1337b17cf9a4be55e6469e9273beaa182e11aa7afac08405fe70275
+  data.tar.gz: e1666f8f6255c3a5cfd418357435fc407d5261be55621ae2cd875e01590c8fb0
 SHA512:
-  metadata.gz: 1ead15dbef330a1329a4b5a7b973235fa0d45d84b95cbaf5d7e0415ebde0d19154ef836fc6a84753780dd0270595bc087159a821b5cf06ed737b911a5707a054
-  data.tar.gz: 61edda120bb39a6868df425f5acb2ba39e602708c9959c5c4ad54ad8d6310ee15e72bbcb024f38907cc46136b5d28548af45e4752cb66df6b46b676fcb6a8a45
+  metadata.gz: 893094d33f99257ec0c2066a77cb680bc44ad6bb952e0ac7fa8a2099729b2a9643043e02bbb07bf7f638e9e0f22f101c35527e3c15578c241aa796ec241b85d8
+  data.tar.gz: 59400eb852207387b9f7df6d22f2f3668ae52a2d5b578e935a11277622029096f51184f8212b7a13cb18a7f733067c652c57d6b09f0e3f6bd1ffc53cbce283f8

data/.rubocop.yml

@@ -45,6 +45,7 @@ Metrics/BlockLength:
     - 'lib/legion/cli/image_command.rb'
     - 'lib/legion/cli/notebook_command.rb'
     - 'lib/legion/api/acp.rb'
+    - 'lib/legion/api/auth_saml.rb'
 
 Metrics/AbcSize:
   Max: 60

data/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Legion Changelog
 
+## [1.4.105] - 2026-03-21
+
+### Added
+- `Legion::API::Routes::AuthSaml` — SAML 2.0 SP authentication flow
+- `GET /api/auth/saml/metadata` — generates SP metadata XML (delegates to `OneLogin::RubySaml::Metadata`)
+- `GET /api/auth/saml/login` — initiates IdP redirect via `OneLogin::RubySaml::Authrequest`
+- `POST /api/auth/saml/acs` — validates SAML assertion, extracts claims (nameid, email, displayName, groups), maps groups to Legion RBAC roles, and issues a Legion JWT
+- Routes are only registered when `OneLogin::RubySaml` is defined and `auth.saml.enabled` is true
+- Claims mapping delegates to `Legion::Rbac::ClaimsMapper.groups_to_roles` when available, falls back to `['worker']`
+- Configuration via `Legion::Settings.dig(:auth, :saml)` — keys: `idp_sso_url`, `idp_cert`, `sp_entity_id`, `sp_acs_url`, `group_map`, `default_role`, `want_assertions_signed`, `want_assertions_encrypted`
+- `Legion::Registry` review workflow: `submit_for_review`, `approve`, `reject`, `deprecate`, `pending_reviews`, `usage_stats` class methods
+- `Legion::Registry::Entry` gains `status`, `review_notes`, `reject_reason`, `successor`, `sunset_date`, and timestamp fields; `deprecated?` and `pending_review?` predicates
+- `legion marketplace submit NAME` — submit extension for review
+- `legion marketplace review` — list extensions pending review
+- `legion marketplace approve NAME [--notes TEXT]` — approve an extension
+- `legion marketplace reject NAME [--reason TEXT]` — reject an extension
+- `legion marketplace deprecate NAME [--successor NAME] [--sunset-date DATE]` — mark extension as deprecated
+- `legion marketplace stats NAME` — show usage statistics (install count, active instances, downloads)
+- `Legion::API::Routes::Marketplace` — full REST API: `GET /api/marketplace`, `GET /api/marketplace/:name`, `POST /api/marketplace/:name/submit`, `POST /api/marketplace/:name/approve`, `POST /api/marketplace/:name/reject`, `POST /api/marketplace/:name/deprecate`, `GET /api/marketplace/:name/stats`
+- 123 new specs across registry, CLI, and API layers
+
 ## [1.4.104] - 2026-03-21
 
 ### Added

data/lib/legion/api/auth_saml.rb

@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module AuthSaml
+        def self.registered(app)
+          return unless saml_enabled?
+
+          app.helpers do
+            define_method(:saml_settings) { Routes::AuthSaml.build_saml_settings }
+          end
+
+          register_metadata(app)
+          register_login(app)
+          register_acs(app)
+        end
+
+        def self.saml_enabled?
+          return false unless defined?(OneLogin::RubySaml)
+
+          cfg = resolve_saml_config
+          cfg.is_a?(Hash) && cfg[:enabled]
+        end
+
+        def self.resolve_saml_config
+          return {} unless defined?(Legion::Settings)
+
+          auth = Legion::Settings[:auth]
+          saml = auth.is_a?(Hash) ? auth[:saml] : nil
+          return saml if saml.is_a?(Hash)
+
+          {}
+        rescue StandardError
+          {}
+        end
+
+        def self.build_saml_settings
+          cfg = resolve_saml_config
+
+          settings                            = OneLogin::RubySaml::Settings.new
+          settings.idp_sso_service_url        = cfg[:idp_sso_url]
+          settings.idp_cert                   = cfg[:idp_cert]
+          settings.sp_entity_id               = cfg[:sp_entity_id]
+          settings.assertion_consumer_service_url = cfg[:sp_acs_url]
+          settings.name_identifier_format = cfg[:name_id_format] ||
+                                            'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+          settings.security[:authn_requests_signed]   = false
+          settings.security[:want_assertions_signed]  = cfg.fetch(:want_assertions_signed, true)
+          settings.security[:want_assertions_encrypted] = cfg.fetch(:want_assertions_encrypted, false)
+          settings
+        end
+
+        def self.register_metadata(app)
+          app.get '/api/auth/saml/metadata' do
+            halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)
+
+            meta = OneLogin::RubySaml::Metadata.new
+            content_type 'application/xml'
+            meta.generate(saml_settings, true)
+          end
+        end
+
+        def self.register_login(app)
+          app.get '/api/auth/saml/login' do
+            halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)
+
+            cfg = Routes::AuthSaml.resolve_saml_config
+            unless cfg[:idp_sso_url] && cfg[:sp_entity_id]
+              halt 500, json_error('saml_misconfigured', 'auth.saml.idp_sso_url and sp_entity_id are required',
+                                   status_code: 500)
+            end
+
+            auth_request = OneLogin::RubySaml::Authrequest.new
+            redirect auth_request.create(saml_settings)
+          end
+        end
+
+        def self.register_acs(app)
+          app.post '/api/auth/saml/acs' do
+            halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)
+
+            unless params['SAMLResponse']
+              halt 400, json_error('missing_saml_response', 'SAMLResponse parameter is required',
+                                   status_code: 400)
+            end
+
+            response = OneLogin::RubySaml::Response.new(
+              params['SAMLResponse'],
+              settings: saml_settings
+            )
+
+            unless response.is_valid?
+              errors = response.errors.join(', ')
+              halt 401, json_error('saml_invalid', "SAML assertion is invalid: #{errors}", status_code: 401)
+            end
+
+            claims = Routes::AuthSaml.extract_claims(response)
+            roles  = Routes::AuthSaml.map_roles(claims[:groups])
+
+            ttl   = 28_800
+            token = Legion::API::Token.issue_human_token(
+              msid:  claims[:nameid],
+              name:  claims[:display_name],
+              roles: roles,
+              ttl:   ttl
+            )
+
+            json_response({
+                            access_token: token,
+                            token_type:   'Bearer',
+                            expires_in:   ttl,
+                            roles:        roles,
+                            name:         claims[:display_name]
+                          })
+          end
+        end
+
+        def self.extract_claims(response)
+          attrs = response.attributes
+
+          email        = first_attr(attrs, 'email', 'mail', 'emailAddress',
+                                    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress')
+          display_name = first_attr(attrs, 'displayName', 'name',
+                                    'http://schemas.microsoft.com/identity/claims/displayname',
+                                    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name')
+          groups       = multi_attr(attrs, 'groups',
+                                    'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups')
+
+          {
+            nameid:       response.nameid,
+            email:        email,
+            display_name: display_name || email,
+            groups:       groups
+          }
+        end
+
+        def self.map_roles(groups)
+          if defined?(Legion::Rbac::ClaimsMapper) && Legion::Rbac::ClaimsMapper.respond_to?(:groups_to_roles)
+            cfg          = resolve_saml_config
+            group_map    = cfg[:group_map] || {}
+            default_role = cfg[:default_role] || 'worker'
+            Legion::Rbac::ClaimsMapper.groups_to_roles(groups, group_map: group_map, default_role: default_role)
+          else
+            ['worker']
+          end
+        end
+
+        class << self
+          private
+
+          def first_attr(attrs, *names)
+            names.each do |n|
+              v = safe_attr(attrs, n)
+              return v if v
+            end
+            nil
+          end
+
+          def multi_attr(attrs, *names)
+            names.each do |n|
+              v = attrs.multi(n)
+              return Array(v) if v
+            rescue StandardError
+              nil
+            end
+            []
+          end
+
+          def safe_attr(attrs, name)
+            attrs[name]
+          rescue StandardError
+            nil
+          end
+
+          private :register_metadata, :register_login, :register_acs
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/marketplace.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require 'date'
+require 'legion/registry'
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module Marketplace
+        module Helpers
+          def parse_sunset_date(date_str)
+            return nil if date_str.nil? || date_str.empty?
+
+            Date.parse(date_str.to_s)
+          rescue ArgumentError
+            nil
+          end
+        end
+
+        def self.registered(app)
+          app.helpers Helpers
+          register_collection(app)
+          register_member(app)
+          register_review_actions(app)
+          register_stats(app)
+        end
+
+        def self.register_collection(app)
+          app.get '/api/marketplace' do
+            query   = params[:q] || params[:query]
+            entries = query ? Legion::Registry.search(query) : Legion::Registry.all
+            entries = entries.select { |e| e.status.to_s == params[:status] } if params[:status]
+            entries = entries.select { |e| e.risk_tier == params[:tier] }     if params[:tier]
+
+            paginated = entries.slice((page_offset)..(page_offset + page_limit - 1)) || []
+            content_type :json
+            status 200
+            Legion::JSON.dump({
+                                data: paginated.map(&:to_h),
+                                meta: response_meta.merge(total: entries.size, limit: page_limit, offset: page_offset)
+                              })
+          end
+        end
+
+        def self.register_member(app)
+          app.get '/api/marketplace/:name' do
+            entry = Legion::Registry.lookup(params[:name])
+            unless entry
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: "Extension #{params[:name]} not found" } })
+            end
+
+            json_response(entry.to_h.merge(stats: Legion::Registry.usage_stats(params[:name])))
+          end
+        end
+
+        def self.register_review_actions(app) # rubocop:disable Metrics/AbcSize
+          app.post '/api/marketplace/:name/submit' do
+            begin
+              Legion::Registry.submit_for_review(params[:name])
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            json_response({ name: params[:name], status: 'pending_review' }, status_code: 202)
+          end
+
+          app.post '/api/marketplace/:name/approve' do
+            body = parse_request_body
+            begin
+              Legion::Registry.approve(params[:name], notes: body[:notes])
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            entry = Legion::Registry.lookup(params[:name])
+            json_response({ name: params[:name], status: 'approved', entry: entry.to_h })
+          end
+
+          app.post '/api/marketplace/:name/reject' do
+            body = parse_request_body
+            begin
+              Legion::Registry.reject(params[:name], reason: body[:reason])
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            entry = Legion::Registry.lookup(params[:name])
+            json_response({ name: params[:name], status: 'rejected', entry: entry.to_h })
+          end
+
+          app.post '/api/marketplace/:name/deprecate' do
+            body = parse_request_body
+            sunset = begin
+              body[:sunset_date] ? Date.parse(body[:sunset_date].to_s) : nil
+            rescue ArgumentError
+              nil
+            end
+            begin
+              Legion::Registry.deprecate(params[:name], successor: body[:successor], sunset_date: sunset)
+            rescue ArgumentError => e
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: e.message } })
+            end
+            entry = Legion::Registry.lookup(params[:name])
+            json_response({ name: params[:name], status: 'deprecated', entry: entry.to_h })
+          end
+        end
+
+        def self.register_stats(app)
+          app.get '/api/marketplace/:name/stats' do
+            data = Legion::Registry.usage_stats(params[:name])
+            unless data
+              halt 404, { 'Content-Type' => 'application/json' },
+                   Legion::JSON.dump({ error: { code: 'not_found', message: "Extension #{params[:name]} not found" } })
+            end
+
+            json_response(data)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/api.rb

@@ -30,6 +30,7 @@ require_relative 'api/rbac'
 require_relative 'api/auth'
 require_relative 'api/auth_worker'
 require_relative 'api/auth_human'
+require_relative 'api/auth_saml'
 require_relative 'api/capacity'
 require_relative 'api/audit'
 require_relative 'api/metrics'
@@ -40,6 +41,7 @@ require_relative 'api/workflow'
 require_relative 'api/governance'
 require_relative 'api/acp'
 require_relative 'api/prompts'
+require_relative 'api/marketplace'
 
 module Legion
   class API < Sinatra::Base
@@ -114,6 +116,7 @@ module Legion
     register Routes::Auth
     register Routes::AuthWorker
     register Routes::AuthHuman
+    register Routes::AuthSaml
     register Routes::Capacity
     register Routes::Audit
     register Routes::Metrics
@@ -123,6 +126,7 @@ module Legion
     register Routes::Governance
     register Routes::Acp
     register Routes::Prompts
+    register Routes::Marketplace
 
     use Legion::API::Middleware::RequestLogger
     use Legion::Rbac::Middleware if defined?(Legion::Rbac::Middleware)

data/lib/legion/cli/marketplace_command.rb

@@ -9,70 +9,285 @@ module Legion
         true
       end
 
+      class_option :json,     type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+
+      # ──────────────────────────────────────────────────────────
+      # search
+      # ──────────────────────────────────────────────────────────
+
       desc 'search QUERY', 'Search extension registry'
       def search(query)
         require 'legion/registry'
+        out = formatter
         results = Legion::Registry.search(query)
+
         if results.empty?
-          say "No extensions found matching '#{query}'", :yellow
+          out.warn("No extensions found matching '#{query}'")
           return
         end
 
-        say "Found #{results.size} extension(s):", :green
-        results.each do |e|
-          status = e.approved? ? '[approved]' : "[#{e.airb_status}]"
-          say "  #{e.name.ljust(25)} #{e.version.to_s.ljust(10)} #{status} #{e.description}"
+        if options[:json]
+          out.json(results.map(&:to_h))
+        else
+          rows = results.map do |e|
+            status_label = e.approved? ? 'approved' : (e.status || e.airb_status).to_s
+            [e.name, e.version.to_s, status_label, (e.description || '')[0..60]]
+          end
+          out.table(%w[Name Version Status Description], rows)
         end
       end
 
+      # ──────────────────────────────────────────────────────────
+      # info
+      # ──────────────────────────────────────────────────────────
+
       desc 'info NAME', 'Show extension details'
       def info(name)
         require 'legion/registry'
+        out = formatter
         entry = Legion::Registry.lookup(name)
+
         unless entry
-          say "Extension '#{name}' not found", :red
+          out.error("Extension '#{name}' not found")
           return
         end
 
-        entry.to_h.each { |k, v| say "  #{k}: #{v}" }
+        if options[:json]
+          out.json(entry.to_h)
+        else
+          out.header("Extension: #{entry.name}")
+          out.spacer
+          out.detail(entry.to_h.compact)
+        end
       end
 
+      # ──────────────────────────────────────────────────────────
+      # list
+      # ──────────────────────────────────────────────────────────
+
       desc 'list', 'List all registered extensions'
       option :approved, type: :boolean, desc: 'Show only approved extensions'
-      option :tier, type: :string, desc: 'Filter by risk tier'
+      option :tier,     type: :string,  desc: 'Filter by risk tier'
+      option :status,   type: :string,  desc: 'Filter by review status'
       def list
         require 'legion/registry'
-        extensions = if options[:approved]
-                       Legion::Registry.approved
-                     elsif options[:tier]
-                       Legion::Registry.by_risk_tier(options[:tier])
-                     else
-                       Legion::Registry.all
-                     end
+        out = formatter
+        extensions = build_extension_list
 
         if extensions.empty?
-          say 'No extensions registered', :yellow
+          out.warn('No extensions registered')
           return
         end
 
-        say "#{extensions.size} extension(s):", :green
-        extensions.each do |e|
-          say "  #{e.name.ljust(25)} #{e.version.to_s.ljust(10)} [#{e.risk_tier}]"
+        if options[:json]
+          out.json(extensions.map(&:to_h))
+        else
+          rows = extensions.map { |e| [e.name, e.version.to_s, e.status.to_s, e.risk_tier] }
+          out.table(%w[Name Version Status Tier], rows)
+          puts "  #{extensions.size} extension(s)"
         end
       end
 
+      # ──────────────────────────────────────────────────────────
+      # scan
+      # ──────────────────────────────────────────────────────────
+
       desc 'scan NAME', 'Run security scan on extension'
       def scan(name)
         require 'legion/registry/security_scanner'
+        out = formatter
         scanner = Legion::Registry::SecurityScanner.new
-        result = scanner.scan(name: name)
+        result  = scanner.scan(name: name)
 
-        result[:checks].each do |check|
-          color = check[:status] == :fail ? :red : :green
-          say "  #{check[:check]}: #{check[:status]} - #{check[:details]}", color
+        if options[:json]
+          out.json(result)
+        else
+          result[:checks].each do |check|
+            color = check[:status] == :fail ? :critical : :nominal
+            puts "  #{out.colorize(check[:check].to_s.ljust(25), color)} #{check[:status]} - #{check[:details]}"
+          end
+          if result[:passed]
+            out.success('Scan PASSED')
+          else
+            out.error('Scan FAILED')
+          end
         end
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # submit
+      # ──────────────────────────────────────────────────────────
+
+      desc 'submit NAME', 'Submit extension for review'
+      def submit(name)
+        require 'legion/registry'
+        out = formatter
+
+        Legion::Registry.submit_for_review(name)
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'pending_review')
+        else
+          out.success("'#{name}' submitted for review")
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
 
-        say result[:passed] ? 'PASSED' : 'FAILED', result[:passed] ? :green : :red
+      # ──────────────────────────────────────────────────────────
+      # review
+      # ──────────────────────────────────────────────────────────
+
+      desc 'review', 'List extensions pending review'
+      def review
+        require 'legion/registry'
+        out = formatter
+        pending = Legion::Registry.pending_reviews
+
+        if pending.empty?
+          out.warn('No extensions pending review')
+          return
+        end
+
+        if options[:json]
+          out.json(pending.map(&:to_h))
+        else
+          rows = pending.map { |e| [e.name, e.version.to_s, e.author.to_s, e.submitted_at.to_s] }
+          out.table(%w[Name Version Author Submitted], rows)
+          puts "  #{pending.size} pending review(s)"
+        end
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # approve
+      # ──────────────────────────────────────────────────────────
+
+      desc 'approve NAME', 'Approve an extension'
+      option :notes, type: :string, desc: 'Reviewer notes'
+      def approve(name)
+        require 'legion/registry'
+        out = formatter
+
+        Legion::Registry.approve(name, notes: options[:notes])
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'approved')
+        else
+          out.success("'#{name}' approved")
+          out.detail({ 'Notes' => options[:notes] }) if options[:notes]
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # reject
+      # ──────────────────────────────────────────────────────────
+
+      desc 'reject NAME', 'Reject an extension'
+      option :reason, type: :string, desc: 'Rejection reason'
+      def reject(name)
+        require 'legion/registry'
+        out = formatter
+
+        Legion::Registry.reject(name, reason: options[:reason])
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'rejected')
+        else
+          out.success("'#{name}' rejected")
+          out.detail({ 'Reason' => options[:reason] }) if options[:reason]
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # deprecate
+      # ──────────────────────────────────────────────────────────
+
+      desc 'deprecate NAME', 'Mark an extension as deprecated'
+      option :successor,   type: :string, desc: 'Replacement extension name'
+      option :sunset_date, type: :string, desc: 'Sunset date (YYYY-MM-DD)'
+      def deprecate(name)
+        require 'legion/registry'
+        out = formatter
+
+        sunset = parse_sunset_date(options[:sunset_date])
+        Legion::Registry.deprecate(name, successor: options[:successor], sunset_date: sunset)
+
+        if options[:json]
+          out.json(success: true, name: name, status: 'deprecated',
+                   successor: options[:successor], sunset_date: options[:sunset_date])
+        else
+          out.success("'#{name}' marked as deprecated")
+          detail_hash = {}
+          detail_hash['Successor']   = options[:successor]   if options[:successor]
+          detail_hash['Sunset Date'] = options[:sunset_date] if options[:sunset_date]
+          out.detail(detail_hash) unless detail_hash.empty?
+        end
+      rescue ArgumentError => e
+        out.error(e.message)
+      end
+
+      # ──────────────────────────────────────────────────────────
+      # stats
+      # ──────────────────────────────────────────────────────────
+
+      desc 'stats NAME', 'Show usage statistics for an extension'
+      def stats(name)
+        require 'legion/registry'
+        out = formatter
+        data = Legion::Registry.usage_stats(name)
+
+        unless data
+          out.error("Extension '#{name}' not found")
+          return
+        end
+
+        if options[:json]
+          out.json(data)
+        else
+          out.header("Usage Stats: #{name}")
+          out.spacer
+          out.detail({
+                       'Install Count'    => data[:install_count].to_s,
+                       'Active Instances' => data[:active_instances].to_s,
+                       'Downloads (7d)'   => data[:downloads_7d].to_s,
+                       'Downloads (30d)'  => data[:downloads_30d].to_s,
+                       'Last Updated'     => data[:last_updated].to_s
+                     })
+        end
+      end
+
+      no_commands do
+        def formatter
+          @formatter ||= Output::Formatter.new(
+            json:  options[:json],
+            color: !options[:no_color]
+          )
+        end
+
+        def build_extension_list
+          if options[:approved]
+            Legion::Registry.approved
+          elsif options[:tier]
+            Legion::Registry.by_risk_tier(options[:tier])
+          elsif options[:status]
+            Legion::Registry.all.select { |e| e.status.to_s == options[:status] }
+          else
+            Legion::Registry.all
+          end
+        end
+
+        def parse_sunset_date(date_str)
+          return nil if date_str.nil? || date_str.empty?
+
+          Date.parse(date_str)
+        rescue ArgumentError
+          nil
+        end
       end
     end
   end

data/lib/legion/registry.rb

@@ -2,24 +2,37 @@
 
 module Legion
   module Registry
+    VALID_STATUSES = %i[pending_review approved rejected deprecated sunset active].freeze
+
     class Entry
       ATTRS = %i[name version author risk_tier permissions airb_status
-                 description homepage checksum capabilities].freeze
+                 description homepage checksum capabilities
+                 status review_notes reject_reason successor sunset_date
+                 submitted_at approved_at rejected_at deprecated_at].freeze
 
       attr_reader(*ATTRS)
 
       def initialize(**attrs)
         ATTRS.each { |a| instance_variable_set(:"@#{a}", attrs[a]) }
-        @risk_tier ||= 'low'
+        @risk_tier   ||= 'low'
         @airb_status ||= 'pending'
         @capabilities ||= []
-        @permissions ||= []
+        @permissions  ||= []
+        @status       ||= :active
       end
 
       def approved?
         airb_status == 'approved'
       end
 
+      def deprecated?
+        %i[deprecated sunset].include?(status)
+      end
+
+      def pending_review?
+        status == :pending_review
+      end
+
       def to_h
         ATTRS.to_h { |a| [a, send(a)] }
       end
@@ -62,11 +75,79 @@ module Legion
         @store = {}
       end
 
+      # Review workflow
+
+      def submit_for_review(name)
+        entry = find_or_raise(name)
+        update_entry(name, entry, status: :pending_review, submitted_at: Time.now.utc)
+        true
+      end
+
+      def approve(name, notes: nil)
+        entry = find_or_raise(name)
+        update_entry(name, entry,
+                     status:       :approved,
+                     airb_status:  'approved',
+                     review_notes: notes,
+                     approved_at:  Time.now.utc)
+        true
+      end
+
+      def reject(name, reason: nil)
+        entry = find_or_raise(name)
+        update_entry(name, entry,
+                     status:        :rejected,
+                     reject_reason: reason,
+                     rejected_at:   Time.now.utc)
+        true
+      end
+
+      def deprecate(name, successor: nil, sunset_date: nil)
+        entry = find_or_raise(name)
+        update_entry(name, entry,
+                     status:        :deprecated,
+                     successor:     successor,
+                     sunset_date:   sunset_date,
+                     deprecated_at: Time.now.utc)
+        true
+      end
+
+      def pending_reviews
+        store.values.select(&:pending_review?)
+      end
+
+      def usage_stats(name)
+        entry = lookup(name.to_s)
+        return nil unless entry
+
+        {
+          name:             entry.name,
+          version:          entry.version,
+          install_count:    0,
+          active_instances: 0,
+          last_updated:     nil,
+          downloads_7d:     0,
+          downloads_30d:    0
+        }
+      end
+
       private
 
       def store
         @store ||= {}
       end
+
+      def find_or_raise(name)
+        entry = lookup(name.to_s)
+        raise ArgumentError, "Extension '#{name}' not found in registry" unless entry
+
+        entry
+      end
+
+      def update_entry(name, entry, **overrides)
+        attrs = entry.to_h.merge(overrides)
+        store[name.to_s] = Entry.new(**attrs)
+      end
     end
   end
 end

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.4.104'
+  VERSION = '1.4.105'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.4.104
+  version: 1.4.105
 platform: ruby
 authors:
 - Esity
@@ -357,6 +357,7 @@ files:
 - lib/legion/api/audit.rb
 - lib/legion/api/auth.rb
 - lib/legion/api/auth_human.rb
+- lib/legion/api/auth_saml.rb
 - lib/legion/api/auth_worker.rb
 - lib/legion/api/capacity.rb
 - lib/legion/api/catalog.rb
@@ -370,6 +371,7 @@ files:
 - lib/legion/api/hooks.rb
 - lib/legion/api/lex.rb
 - lib/legion/api/llm.rb
+- lib/legion/api/marketplace.rb
 - lib/legion/api/metrics.rb
 - lib/legion/api/middleware/api_version.rb
 - lib/legion/api/middleware/auth.rb