legionio 1.4.105 → 1.4.107

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc07c77ea1337b17cf9a4be55e6469e9273beaa182e11aa7afac08405fe70275
-  data.tar.gz: e1666f8f6255c3a5cfd418357435fc407d5261be55621ae2cd875e01590c8fb0
+  metadata.gz: 852b32f5818f330941b385f4298e266c2906ff506f8111c58b708be29f83b707
+  data.tar.gz: 7a1ba8bfb20275e5e6fec4c89658c501cf81a63db55e873c9a6c08c0cffaba70
 SHA512:
-  metadata.gz: 893094d33f99257ec0c2066a77cb680bc44ad6bb952e0ac7fa8a2099729b2a9643043e02bbb07bf7f638e9e0f22f101c35527e3c15578c241aa796ec241b85d8
-  data.tar.gz: 59400eb852207387b9f7df6d22f2f3668ae52a2d5b578e935a11277622029096f51184f8212b7a13cb18a7f733067c652c57d6b09f0e3f6bd1ffc53cbce283f8
+  metadata.gz: e8fd883eb244d806bc51a223ff300d12e06d160c8b5096a6e34898dd1f7c0577345c1e2d30f51e168d20da438d28108934cf57645df180c156f91c107d4eb964
+  data.tar.gz: e133ef05dd03f998185d2aa00fe1fe679a69f9e31db58b11987c8bff75ce2f9ed7baedcc4745ebb3a39362d228e1ca33943897b396dd585ce4981d83d1802709

data/CHANGELOG.md

@@ -1,5 +1,41 @@
 # Legion Changelog
 
+## [1.4.107] - 2026-03-21
+
+### Added
+- `Legion::Docs::SiteGenerator` — full static site generator with kramdown + rouge syntax highlighting
+- Converts markdown guides to HTML with navigation sidebar and styled template
+- CLI reference auto-generation via Thor command introspection
+- Extension reference auto-generation via Bundler gem discovery
+- `Legion::CLI::Docs` — `legion docs generate` and `legion docs serve` subcommands
+- 39 new specs (2248 total, 0 failures)
+
+## [1.4.106] - 2026-03-21
+
+### Added
+- `Legion::DigitalWorker::Registration` module with full approval workflow: `register`, `approve`, `reject`, `pending_approvals`, `approval_required?`, and `escalate`
+- Workers with `high` or `critical` risk tiers are created in `pending_approval` state instead of `bootstrap`, triggering an AIRB intake
+- `Legion::DigitalWorker::Airb` module for AIRB integration: `create_intake`, `check_status`, `sync_status` (mock API by default; live API activated via `Legion::Settings.dig(:airb)`)
+- New lifecycle states `pending_approval` and `rejected` in `Lifecycle::TRANSITIONS`, with appropriate `EXTINCTION_MAPPING` and `CONSENT_MAPPING` entries
+- Transition rules: `pending_approval -> active` (approve), `pending_approval -> rejected` (reject)
+- CLI subcommands: `legion worker approvals`, `legion worker approve ID [--notes TEXT]`, `legion worker reject ID --reason TEXT`
+- API routes: `GET /api/workers/approvals`, `POST /api/workers/:id/approve`, `POST /api/workers/:id/reject`
+- 37 new specs across `registration_spec.rb` (28 examples) and `airb_spec.rb` (9 examples)
+- `Legion::Phi` module — HIPAA/BAA PHI tagging and tracking: `PHI_TAG`, `tag`, `tagged?`, `phi_fields`, `redact`, `erase`, `auto_detect_fields`
+- `Legion::Phi::AccessLog` module — PHI access audit trail: `log_access`, `log_access!`, `recent_access`; integrates with `Legion::Audit` when available, falls back to `Legion::Logging`
+- `Legion::Phi::Erasure` module — cryptographic erasure: `erase_record` (AES-256-GCM with throwaway key), `erase_for_subject` (HIPAA right to deletion), `erasure_log`
+- Pattern-based auto-detection of PHI fields (ssn, mrn, dob, patient_name, phone, email, address, diagnosis, npi, insurance_id, etc.) via configurable regex patterns in `legion-settings` at `phi.field_patterns`
+- `Legion::Crypt` guarded throughout — falls back to stdlib OpenSSL when `legion-crypt` is not loaded
+- 59 new specs across `phi_spec.rb` (30 examples), `phi/access_log_spec.rb` (15 examples), `phi/erasure_spec.rb` (14 examples)
+- `Legion::API::Routes::GraphQL` — GraphQL API layer using graphql-ruby (optional dependency, guarded with `defined?(GraphQL)`)
+- `POST /api/graphql` — executes GraphQL queries; parses `query`, `variables`, `operationName` from JSON body
+- `GET /api/graphql` — serves GraphiQL browser IDE for interactive introspection
+- `Legion::API::GraphQL::Schema` — root schema with `max_depth: 10`, `max_complexity: 200`
+- `Legion::API::GraphQL::Types::QueryType` — root query with `workers`, `worker`, `extensions`, `extension`, `tasks`, `node` fields and filtering arguments
+- `Legion::API::GraphQL::Types::WorkerType`, `ExtensionType`, `TaskType`, `NodeType` — field definitions for each domain object
+- Data resolution falls back gracefully: uses `Legion::Data` models when connected, falls back to `Legion::DigitalWorker::Registry` / `Legion::Registry` in-memory stores otherwise
+- 45 new specs in `spec/legion/api/graphql_spec.rb`
+
 ## [1.4.105] - 2026-03-21
 
 ### Added

data/Gemfile

@@ -4,9 +4,11 @@ source 'https://rubygems.org'
 
 gemspec
 
+gem 'kramdown', '>= 2.0'
 gem 'mysql2'
 
 group :test do
+  gem 'graphql'
   gem 'rack-test'
   gem 'rake'
   gem 'rspec'

data/legionio.gemspec

@@ -36,6 +36,8 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'legion-mcp'
 
+  spec.add_dependency 'kramdown', '>= 2.0'
+
   spec.add_dependency 'bootsnap', '>= 1.18'
   spec.add_dependency 'concurrent-ruby', '>= 1.2'
   spec.add_dependency 'concurrent-ruby-ext', '>= 1.2'

data/lib/legion/api/graphql/resolvers/extensions.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Resolvers
+        module Extensions
+          def self.resolve(status: nil)
+            if defined?(Legion::Data) && Legion::Data.respond_to?(:connection) && Legion::Data.connection
+              resolve_from_data(status: status)
+            else
+              resolve_from_registry(status: status)
+            end
+          end
+
+          def self.find(name:)
+            resolve.find { |e| e[:name] == name }
+          end
+
+          def self.resolve_from_data(status: nil)
+            return [] unless defined?(Legion::Data::Model::Extension)
+
+            dataset = Legion::Data::Model::Extension.order(:id)
+            dataset = dataset.where(status: status) if status
+            dataset.all.map { |e| extension_hash(e.values) }
+          rescue StandardError
+            []
+          end
+
+          def self.resolve_from_registry(status: nil)
+            return [] unless defined?(Legion::Registry)
+
+            entries = Legion::Registry.respond_to?(:all) ? Legion::Registry.all : []
+            entries = entries.map { |e| e.is_a?(Hash) ? e : e.to_h }
+            entries = entries.select { |e| e[:status].to_s == status } if status
+            entries.map { |e| extension_hash(e) }
+          rescue StandardError
+            []
+          end
+
+          def self.extension_hash(values)
+            {
+              name:        values[:name],
+              version:     values[:version],
+              status:      values[:status]&.to_s || 'active',
+              description: values[:description],
+              risk_tier:   values[:risk_tier],
+              runners:     Array(values[:runners])
+            }
+          end
+
+          private_class_method :resolve_from_data, :resolve_from_registry, :extension_hash
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/resolvers/node.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Resolvers
+        module Node
+          def self.resolve
+            name    = defined?(Legion::Settings) ? Legion::Settings[:client][:name] : 'legion'
+            version = defined?(Legion::VERSION) ? Legion::VERSION : nil
+            ready   = defined?(Legion::Readiness) ? Legion::Readiness.ready? : true
+            uptime  = defined?(Legion::Process) ? calculate_uptime : nil
+
+            {
+              name:    name,
+              version: version,
+              uptime:  uptime,
+              ready:   ready
+            }
+          rescue StandardError
+            { name: nil, version: nil, uptime: nil, ready: false }
+          end
+
+          def self.calculate_uptime
+            return nil unless defined?(Legion::Process) &&
+                              Legion::Process.respond_to?(:started_at) &&
+                              Legion::Process.started_at
+
+            (Time.now.utc - Legion::Process.started_at).to_i
+          rescue StandardError
+            nil
+          end
+
+          private_class_method :calculate_uptime
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/resolvers/tasks.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Resolvers
+        module Tasks
+          def self.resolve(status: nil, limit: nil)
+            return [] unless defined?(Legion::Data) &&
+                             Legion::Data.respond_to?(:connection) &&
+                             Legion::Data.connection
+
+            resolve_from_data(status: status, limit: limit)
+          rescue StandardError
+            []
+          end
+
+          def self.resolve_from_data(status: nil, limit: nil)
+            return [] unless defined?(Legion::Data::Model::Task)
+
+            dataset = Legion::Data::Model::Task.order(Sequel.desc(:id))
+            dataset = dataset.where(status: status) if status
+            dataset = dataset.limit(limit)          if limit
+            dataset.all.map { |t| task_hash(t.values) }
+          rescue StandardError
+            []
+          end
+
+          def self.task_hash(values)
+            {
+              id:           values[:id],
+              status:       values[:status],
+              extension:    values[:extension],
+              runner:       values[:runner],
+              function:     values[:function],
+              created_at:   values[:created_at]&.to_s,
+              completed_at: values[:completed_at]&.to_s
+            }
+          end
+
+          private_class_method :resolve_from_data, :task_hash
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/resolvers/workers.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Resolvers
+        module Workers
+          def self.resolve(status: nil, risk_tier: nil, limit: nil)
+            if defined?(Legion::Data) && Legion::Data.respond_to?(:connection) && Legion::Data.connection
+              resolve_from_data(status: status, risk_tier: risk_tier, limit: limit)
+            else
+              resolve_from_registry(status: status, risk_tier: risk_tier, limit: limit)
+            end
+          end
+
+          def self.find(id:)
+            if defined?(Legion::Data) && Legion::Data.respond_to?(:connection) && Legion::Data.connection
+              find_from_data(id: id)
+            else
+              resolve(limit: nil).find { |w| w[:id].to_s == id.to_s }
+            end
+          end
+
+          def self.resolve_from_data(status: nil, risk_tier: nil, limit: nil)
+            return [] unless defined?(Legion::Data::Model::DigitalWorker)
+
+            dataset = Legion::Data::Model::DigitalWorker.order(:id)
+            dataset = dataset.where(lifecycle_state: status) if status
+            dataset = dataset.where(risk_tier: risk_tier)    if risk_tier
+            dataset = dataset.limit(limit)                   if limit
+            dataset.all.map { |w| worker_hash(w.values) }
+          rescue StandardError
+            []
+          end
+
+          def self.resolve_from_registry(status: nil, risk_tier: nil, limit: nil)
+            workers = []
+
+            if defined?(Legion::DigitalWorker::Registry)
+              ids = Legion::DigitalWorker::Registry.local_worker_ids
+              ids.each do |wid|
+                workers << { id: wid, name: "worker-#{wid}", status: 'active', risk_tier: nil, team: nil, extension: nil, created_at: nil }
+              end
+            end
+
+            workers = workers.select { |w| w[:status] == status } if status
+            workers = workers.select { |w| w[:risk_tier] == risk_tier } if risk_tier
+            workers = workers.first(limit)                              if limit
+            workers
+          end
+
+          def self.find_from_data(id:)
+            return nil unless defined?(Legion::Data::Model::DigitalWorker)
+
+            worker = Legion::Data::Model::DigitalWorker.first(id: id.to_i)
+            worker ? worker_hash(worker.values) : nil
+          rescue StandardError
+            nil
+          end
+
+          def self.worker_hash(values)
+            {
+              id:         values[:id],
+              name:       values[:name],
+              status:     values[:lifecycle_state] || values[:status],
+              risk_tier:  values[:risk_tier],
+              team:       values[:team],
+              extension:  values[:extension_name],
+              created_at: values[:created_at]&.to_s
+            }
+          end
+
+          private_class_method :resolve_from_data, :resolve_from_registry, :find_from_data, :worker_hash
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/schema.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+require_relative 'types/base_object'
+require_relative 'types/node_type'
+require_relative 'types/worker_type'
+require_relative 'types/extension_type'
+require_relative 'types/task_type'
+require_relative 'resolvers/node'
+require_relative 'resolvers/workers'
+require_relative 'resolvers/extensions'
+require_relative 'resolvers/tasks'
+require_relative 'types/query_type'
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      class Schema < ::GraphQL::Schema
+        query Types::QueryType
+
+        max_depth      10
+        max_complexity 200
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/types/base_object.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Types
+        class BaseObject < ::GraphQL::Schema::Object
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/types/extension_type.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Types
+        class ExtensionType < BaseObject
+          graphql_name 'Extension'
+          description 'A LegionIO extension (LEX)'
+
+          field :name,        String,         null: true, description: 'Extension gem name'
+          field :version,     String,         null: true, description: 'Extension version'
+          field :status,      String,         null: true, description: 'Extension status'
+          field :description, String,         null: true, description: 'Extension description'
+          field :risk_tier,   String,         null: true, description: 'Risk classification tier'
+          field :runners,     [String],       null: true, description: 'Runner class names'
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/types/node_type.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Types
+        class NodeType < BaseObject
+          graphql_name 'Node'
+          description 'A LegionIO node'
+
+          field :name,    String,  null: true,  description: 'Node name'
+          field :version, String,  null: true,  description: 'LegionIO version'
+          field :uptime,  Integer, null: true,  description: 'Uptime in seconds'
+          field :ready,   Boolean, null: false, description: 'Whether the node is ready'
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/types/query_type.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Types
+        class QueryType < BaseObject
+          graphql_name 'Query'
+          description 'Root query type'
+
+          # ── workers ──────────────────────────────────────────────────────────
+
+          field :workers, [WorkerType], null: false, description: 'List digital workers' do
+            argument :status,    String, required: false, description: 'Filter by lifecycle state'
+            argument :risk_tier, String, required: false, description: 'Filter by risk tier'
+            argument :limit,     Integer, required: false, description: 'Maximum results'
+          end
+
+          field :worker, WorkerType, null: true, description: 'Find a digital worker by ID' do
+            argument :id, ID, required: true, description: 'Worker ID'
+          end
+
+          # ── extensions ───────────────────────────────────────────────────────
+
+          field :extensions, [ExtensionType], null: false, description: 'List loaded extensions' do
+            argument :status, String, required: false, description: 'Filter by status'
+          end
+
+          field :extension, ExtensionType, null: true, description: 'Find an extension by name' do
+            argument :name, String, required: true, description: 'Extension gem name'
+          end
+
+          # ── tasks ─────────────────────────────────────────────────────────────
+
+          field :tasks, [TaskType], null: false, description: 'List task records' do
+            argument :status, String,  required: false, description: 'Filter by status'
+            argument :limit,  Integer, required: false, description: 'Maximum results'
+          end
+
+          # ── node ──────────────────────────────────────────────────────────────
+
+          field :node, NodeType, null: true, description: 'Current node information'
+
+          # ── resolvers ────────────────────────────────────────────────────────
+
+          def workers(status: nil, risk_tier: nil, limit: nil)
+            Resolvers::Workers.resolve(status: status, risk_tier: risk_tier, limit: limit)
+          end
+
+          def worker(id:)
+            Resolvers::Workers.find(id: id)
+          end
+
+          def extensions(status: nil)
+            Resolvers::Extensions.resolve(status: status)
+          end
+
+          def extension(name:)
+            Resolvers::Extensions.find(name: name)
+          end
+
+          def tasks(status: nil, limit: nil)
+            Resolvers::Tasks.resolve(status: status, limit: limit)
+          end
+
+          def node
+            Resolvers::Node.resolve
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/types/task_type.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Types
+        class TaskType < BaseObject
+          graphql_name 'Task'
+          description 'A LegionIO task execution record'
+
+          field :id,           Integer, null: true, description: 'Task database ID'
+          field :status,       String,  null: true, description: 'Task status'
+          field :extension,    String,  null: true, description: 'Extension name'
+          field :runner,       String,  null: true, description: 'Runner namespace'
+          field :function,     String,  null: true, description: 'Function name'
+          field :created_at,   String,  null: true, description: 'Creation timestamp'
+          field :completed_at, String,  null: true, description: 'Completion timestamp'
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql/types/worker_type.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+module Legion
+  class API < Sinatra::Base
+    module GraphQL
+      module Types
+        class WorkerType < BaseObject
+          graphql_name 'Worker'
+          description 'A LegionIO digital worker'
+
+          field :id,         Integer, null: true,  description: 'Worker database ID'
+          field :name,       String,  null: true,  description: 'Worker name'
+          field :status,     String,  null: true,  description: 'Lifecycle state'
+          field :risk_tier,  String,  null: true,  description: 'AIRB risk tier'
+          field :team,       String,  null: true,  description: 'Team name'
+          field :extension,  String,  null: true,  description: 'Extension name'
+          field :created_at, String,  null: true,  description: 'Creation timestamp'
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/graphql.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+return unless defined?(GraphQL)
+
+require_relative 'graphql/schema'
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module GraphQL
+        def self.registered(app)
+          app.post '/api/graphql' do
+            content_type :json
+
+            body_str = request.body.read
+            payload  = body_str.empty? ? {} : Legion::JSON.load(body_str)
+            payload  = payload.transform_keys(&:to_sym) if payload.is_a?(Hash)
+
+            query          = payload[:query]
+            variables      = payload[:variables] || {}
+            operation_name = payload[:operationName]
+
+            if query.nil? || query.strip.empty?
+              status 400
+              next Legion::JSON.dump({
+                                       errors: [{ message: 'query is required' }]
+                                     })
+            end
+
+            result = Legion::API::GraphQL::Schema.execute(
+              query,
+              variables:      variables,
+              operation_name: operation_name,
+              context:        { request: request }
+            )
+
+            status 200
+            Legion::JSON.dump(result.to_h)
+          rescue StandardError => e
+            Legion::Logging.error "GraphQL execution error: #{e.message}" if defined?(Legion::Logging)
+            status 500
+            Legion::JSON.dump({ errors: [{ message: e.message }] })
+          end
+
+          app.get '/api/graphql' do
+            content_type 'text/html'
+            Legion::API::Routes::GraphQL.graphiql_html
+          end
+        end
+
+        def self.graphiql_html
+          <<~HTML
+            <!DOCTYPE html>
+            <html>
+              <head>
+                <title>LegionIO GraphiQL</title>
+                <link href="https://cdn.jsdelivr.net/npm/graphiql@3/graphiql.min.css" rel="stylesheet" />
+              </head>
+              <body style="margin:0">
+                <div id="graphiql" style="height:100vh"></div>
+                <script crossorigin src="https://cdn.jsdelivr.net/npm/react@18/umd/react.development.js"></script>
+                <script crossorigin src="https://cdn.jsdelivr.net/npm/react-dom@18/umd/react-dom.development.js"></script>
+                <script crossorigin src="https://cdn.jsdelivr.net/npm/graphiql@3/graphiql.min.js"></script>
+                <script>
+                  const root = ReactDOM.createRoot(document.getElementById('graphiql'));
+                  root.render(React.createElement(GraphiQL, {
+                    fetcher: GraphiQL.createFetcher({ url: '/api/graphql' })
+                  }));
+                </script>
+              </body>
+            </html>
+          HTML
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/workers.rb

@@ -8,6 +8,7 @@ module Legion
           register_collection(app)
           register_member(app)
           register_sub_resources(app)
+          register_approvals(app)
           register_teams(app)
         end
 
@@ -212,6 +213,52 @@ module Legion
           end
         end
 
+        def self.register_approvals(app)
+          require 'legion/digital_worker/registration'
+
+          app.get '/api/workers/approvals' do
+            require_data!
+            workers = Legion::DigitalWorker::Registration.pending_approvals
+            json_response({ data: workers.map(&:values), count: workers.size })
+          end
+
+          app.post '/api/workers/:id/approve' do
+            require_data!
+            body     = parse_request_body
+            approver = body[:approver] || current_owner_msid || 'api'
+            notes    = body[:notes]
+
+            worker = Legion::DigitalWorker::Registration.approve(params[:id], approver: approver, notes: notes)
+            json_response(worker.values)
+          rescue ArgumentError => e
+            json_error('invalid_request', e.message, status_code: 422)
+          rescue Legion::DigitalWorker::Lifecycle::InvalidTransition => e
+            json_error('invalid_transition', e.message, status_code: 422)
+          rescue StandardError => e
+            Legion::Logging.error "API worker approve error: #{e.message}"
+            json_error('approve_error', e.message, status_code: 500)
+          end
+
+          app.post '/api/workers/:id/reject' do
+            require_data!
+            body     = parse_request_body
+            approver = body[:approver] || current_owner_msid || 'api'
+            reason   = body[:reason]
+
+            halt 422, json_error('missing_field', 'reason is required', status_code: 422) unless reason
+
+            worker = Legion::DigitalWorker::Registration.reject(params[:id], approver: approver, reason: reason)
+            json_response(worker.values)
+          rescue ArgumentError => e
+            json_error('invalid_request', e.message, status_code: 422)
+          rescue Legion::DigitalWorker::Lifecycle::InvalidTransition => e
+            json_error('invalid_transition', e.message, status_code: 422)
+          rescue StandardError => e
+            Legion::Logging.error "API worker reject error: #{e.message}"
+            json_error('reject_error', e.message, status_code: 500)
+          end
+        end
+
         def self.register_teams(app)
           app.get '/api/teams/:team/workers' do
             require_data!
@@ -232,7 +279,7 @@ module Legion
         end
 
         class << self
-          private :register_collection, :register_member, :register_sub_resources, :register_teams
+          private :register_collection, :register_member, :register_sub_resources, :register_approvals, :register_teams
         end
       end
     end