legionio 1.4.59 → 1.4.60

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb8c466919694ff3ee71e207099e6cdbc7d93ec3a641c7213a9efa5f624fceec
-  data.tar.gz: 714ca199c88b04b1f6b84680dbffe2c6f5d953d09d6114d115878cc98a10e3fe
+  metadata.gz: d0b17b55ad4c040c0b2f9e4d23d811b2611791b930dfbf434c5ed99136bae3f6
+  data.tar.gz: 7ca5c1823f303b3f54096c5c342c067923bb17ed90e6c891bdff55825209d1b4
 SHA512:
-  metadata.gz: '08cce649982a2b0fabb240cf1ce373bf8b98c7807d5608d4e05caea9f26458b56c98f7b62584950d15376112d3f6396dbd3bd5c91e2779ca61867e1debaab2c5'
-  data.tar.gz: a7d37673e26e87ef65a04100884720da7c762f5fbd8c15f116febd7dc02314df77e0f1243acd2c383bc3e55e4ac940f3ca70ae49e0dfa76ece907871f39e7892
+  metadata.gz: c77d435c1fdb2ce380d06d7c36e7099e96f002d3036579e35a49c8c4ce4de419f160dbef83244f529b86cdba7591afe5eea43464943f596c37fdf3a0ee87a16f
+  data.tar.gz: 7f31653651939165a61d378d4aa0ecf7cc1db427e922288bb7604bafaf4493828c55b4548618b252fcf0000bb54d84b63922759ebf8dd41facfa0eba067c4e3f

data/.rubocop.yml

@@ -39,6 +39,7 @@ Metrics/BlockLength:
     - 'lib/legion/api/auth.rb'
     - 'lib/legion/api/auth_worker.rb'
     - 'lib/legion/api/auth_human.rb'
+    - 'lib/legion/cli/auth_command.rb'
 
 Metrics/AbcSize:
   Max: 60

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Legion Changelog
 
+## [1.4.60] - 2026-03-18
+
+### Fixed
+- Empty Enter in chat REPL no longer exits the session; returns empty string instead of nil to disambiguate from Ctrl+D (EOF)
+
 ## [1.4.59] - 2026-03-17
 
 ### Added

data/CLAUDE.md

@@ -9,7 +9,7 @@ The primary gem for the LegionIO framework. An extensible async job engine for s
 
 **GitHub**: https://github.com/LegionIO/LegionIO
 **Gem**: `legionio`
-**Version**: 1.4.52
+**Version**: 1.4.60
 **License**: Apache-2.0
 **Docker**: `legionio/legion`
 **Ruby**: >= 3.4
@@ -711,7 +711,7 @@ rack-test, rake, rspec, rubocop, rubocop-rspec, simplecov
 
 ```bash
 bundle install
-bundle exec rspec       # 1208 examples, 0 failures
+bundle exec rspec       # 1357 examples, 0 failures
 bundle exec rubocop     # 396 files, 0 offenses
 ```
 

data/lib/legion/api/auth_kerberos.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Legion
+  class API < Sinatra::Base
+    module Routes
+      module AuthKerberos
+        def self.registered(app)
+          register_negotiate(app)
+        end
+
+        def self.resolve_kerberos_role_map
+          return {} unless defined?(Legion::Settings)
+
+          Legion::Settings.dig(:kerberos, :role_map) || {}
+        rescue StandardError
+          {}
+        end
+
+        def self.kerberos_available?
+          defined?(Legion::Extensions::Kerberos::Client) &&
+            defined?(Legion::Rbac::KerberosClaimsMapper)
+        end
+
+        def self.register_negotiate(app)
+          app.get '/api/auth/negotiate' do
+            auth_header = request.env['HTTP_AUTHORIZATION']
+
+            unless auth_header&.match?(/\ANegotiate\s+/i)
+              headers['WWW-Authenticate'] = 'Negotiate'
+              halt 401, json_error('negotiate_required', 'Negotiate token required', status_code: 401)
+            end
+
+            halt 501, json_error('kerberos_not_available', 'Kerberos extension is not loaded', status_code: 501) unless Routes::AuthKerberos.kerberos_available?
+
+            token = auth_header.sub(/\ANegotiate\s+/i, '')
+
+            auth_result = begin
+              client = Legion::Extensions::Kerberos::Client.new
+              client.authenticate(token: token)
+            rescue StandardError
+              nil
+            end
+
+            unless auth_result&.dig(:success)
+              headers['WWW-Authenticate'] = 'Negotiate'
+              halt 401, json_error('kerberos_auth_failed', 'Kerberos authentication failed', status_code: 401)
+            end
+
+            role_map = Routes::AuthKerberos.resolve_kerberos_role_map
+            mapped = Legion::Rbac::KerberosClaimsMapper.map_with_fallback(
+              principal: auth_result[:principal],
+              groups:    auth_result[:groups] || [],
+              role_map:  role_map
+            )
+
+            ttl = 28_800
+            legion_token = Legion::API::Token.issue_human_token(
+              msid: mapped[:sub], name: mapped[:name], roles: mapped[:roles], ttl: ttl
+            )
+
+            output_token = auth_result[:output_token]
+            headers['WWW-Authenticate'] = "Negotiate #{output_token}" if output_token
+
+            json_response({
+                            token:       legion_token,
+                            principal:   auth_result[:principal],
+                            roles:       mapped[:roles],
+                            auth_method: 'kerberos'
+                          })
+          end
+        end
+
+        class << self
+          private :register_negotiate
+        end
+      end
+    end
+  end
+end

data/lib/legion/api/middleware/auth.rb

@@ -4,11 +4,12 @@ module Legion
   class API < Sinatra::Base
     module Middleware
       class Auth
-        SKIP_PATHS      = %w[/api/health /api/ready /api/openapi.json /metrics /api/auth/token /api/auth/worker-token
-                             /api/auth/authorize /api/auth/callback].freeze
-        AUTH_HEADER     = 'HTTP_AUTHORIZATION'
-        BEARER_PATTERN  = /\ABearer\s+(.+)\z/i
-        API_KEY_HEADER  = 'HTTP_X_API_KEY'
+        SKIP_PATHS       = %w[/api/health /api/ready /api/openapi.json /metrics /api/auth/token /api/auth/worker-token
+                              /api/auth/authorize /api/auth/callback /api/auth/negotiate].freeze
+        AUTH_HEADER      = 'HTTP_AUTHORIZATION'
+        BEARER_PATTERN   = /\ABearer\s+(.+)\z/i
+        NEGOTIATE_PATTERN = /\ANegotiate\s+(.+)\z/i
+        API_KEY_HEADER = 'HTTP_X_API_KEY'
 
         def initialize(app, opts = {})
           @app        = app
@@ -21,6 +22,10 @@ module Legion
           return @app.call(env) unless @enabled
           return @app.call(env) if skip_path?(env['PATH_INFO'])
 
+          # Try Negotiate/SPNEGO first (Kerberos)
+          result = try_negotiate(env)
+          return result if result
+
           # Try Bearer JWT first
           token = extract_token(env)
           if token
@@ -54,10 +59,76 @@ module Legion
 
         private
 
+        def try_negotiate(env)
+          negotiate_token = extract_negotiate_token(env)
+          return nil unless negotiate_token
+
+          negotiate_result = verify_negotiate(negotiate_token)
+          unless negotiate_result
+            return kerberos_available? ? unauthorized('Kerberos authentication failed') : nil
+          end
+
+          env['legion.auth']        = negotiate_result[:claims]
+          env['legion.auth_method'] = 'kerberos'
+          env['legion.owner_msid']  = negotiate_result[:claims][:sub]
+          status, app_headers, body = @app.call(env)
+          response_headers = app_headers.dup
+          response_headers['WWW-Authenticate'] = "Negotiate #{negotiate_result[:output_token]}" if negotiate_result[:output_token]
+          [status, response_headers, body]
+        end
+
         def skip_path?(path)
           SKIP_PATHS.any? { |p| path.start_with?(p) }
         end
 
+        def extract_negotiate_token(env)
+          header = env[AUTH_HEADER]
+          return nil unless header
+
+          match = header.match(NEGOTIATE_PATTERN)
+          match&.captures&.first
+        end
+
+        def verify_negotiate(token)
+          return nil unless kerberos_available?
+
+          client = Legion::Extensions::Kerberos::Client.new
+          auth_result = client.authenticate(token: token)
+          return nil unless auth_result[:success]
+
+          claims = Legion::Rbac::KerberosClaimsMapper.map_with_fallback(
+            principal: auth_result[:principal],
+            groups:    auth_result[:groups] || [],
+            role_map:  kerberos_role_map,
+            fallback:  kerberos_fallback
+          )
+
+          { claims: claims, output_token: auth_result[:output_token] }
+        rescue StandardError
+          nil
+        end
+
+        def kerberos_available?
+          defined?(Legion::Extensions::Kerberos::Client) &&
+            defined?(Legion::Rbac::KerberosClaimsMapper)
+        end
+
+        def kerberos_role_map
+          return {} unless defined?(Legion::Settings)
+
+          Legion::Settings.dig(:kerberos, :role_map) || {}
+        rescue StandardError
+          {}
+        end
+
+        def kerberos_fallback
+          return :entra unless defined?(Legion::Settings)
+
+          Legion::Settings.dig(:kerberos, :fallback) || :entra
+        rescue StandardError
+          :entra
+        end
+
         def extract_api_key(env)
           env[API_KEY_HEADER]
         end

data/lib/legion/api.rb

@@ -29,6 +29,7 @@ require_relative 'api/rbac'
 require_relative 'api/auth'
 require_relative 'api/auth_worker'
 require_relative 'api/auth_human'
+require_relative 'api/auth_kerberos'
 require_relative 'api/capacity'
 require_relative 'api/audit'
 require_relative 'api/metrics'
@@ -103,6 +104,7 @@ module Legion
     register Routes::Auth
     register Routes::AuthWorker
     register Routes::AuthHuman
+    register Routes::AuthKerberos
     register Routes::Capacity
     register Routes::Audit
     register Routes::Metrics

data/lib/legion/cli/auth_command.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require 'thor'
+require 'uri'
+require 'fileutils'
 
 module Legion
   module CLI
@@ -72,6 +74,38 @@ module Legion
         out.json({ authenticated: true, scopes: scopes, expires_in: body['expires_in'] })
       end
 
+      desc 'kerberos', 'Authenticate using Kerberos TGT from your workstation'
+      method_option :api_url, type: :string, desc: 'Legion API base URL'
+      method_option :realm,   type: :string, desc: 'Kerberos realm override'
+      def kerberos
+        klist_output = `klist 2>&1`
+        unless $CHILD_STATUS&.success?
+          say 'No Kerberos ticket found. Run kinit first or check your domain connection.', :red
+          return
+        end
+
+        principal_match = klist_output.match(/Principal:\s+(\S+)/)
+        unless principal_match
+          say 'Could not detect Kerberos principal from klist output.', :red
+          return
+        end
+
+        principal = principal_match[1]
+        realm     = options[:realm] || principal.split('@', 2).last
+        say 'Detected Kerberos ticket:', :green
+        say "  Principal: #{principal}"
+        say "  Realm: #{realm}"
+
+        api_url = resolve_api_url
+        say "Authenticating to #{api_url}..."
+
+        token    = build_spnego_token(api_url)
+        response = send_negotiate_request(api_url, token)
+        handle_negotiate_response(response)
+      rescue StandardError => e
+        say "Kerberos auth error: #{e.message}", :red
+      end
+
       default_task :teams
 
       no_commands do
@@ -81,6 +115,56 @@ module Legion
             color: !options[:no_color]
           )
         end
+
+        def resolve_api_url
+          url = options[:api_url]
+          url ||= Legion::Settings.dig(:api, :url) if defined?(Legion::Settings)
+          url || 'http://127.0.0.1:4567'
+        end
+
+        def build_spnego_token(api_url)
+          require 'gssapi'
+          require 'base64'
+          host = ::URI.parse(api_url).host
+          spnego = GSSAPI::Simple.new(host, 'HTTP')
+          ::Base64.strict_encode64(spnego.init_context)
+        end
+
+        def send_negotiate_request(api_url, token)
+          require 'net/http'
+          uri = ::URI.parse("#{api_url}/api/auth/negotiate")
+          http = ::Net::HTTP.new(uri.host, uri.port)
+          request = ::Net::HTTP::Get.new(uri.request_uri)
+          request['Authorization'] = "Negotiate #{token}"
+          http.request(request)
+        end
+
+        def handle_negotiate_response(response)
+          if response.code.to_i == 200
+            body = ::JSON.parse(response.body) rescue {} # rubocop:disable Style/RescueModifier
+            token_val = body.is_a?(Hash) ? (body['token'] || body.dig('data', 'token')) : nil
+            if token_val
+              save_credentials(token_val)
+              roles = body['roles'] || body.dig('data', 'roles') || []
+              say "  Roles: #{Array(roles).join(', ')}", :green
+              say '  Token saved to ~/.legionio/credentials', :green
+              say 'Login successful (kerberos)', :green
+            else
+              say 'Authentication succeeded but no token in response', :yellow
+            end
+          else
+            say "Authentication failed: HTTP #{response.code}", :red
+            say response.body.to_s, :red
+          end
+        end
+
+        def save_credentials(token_val)
+          credentials_dir = ::File.join(::Dir.home, '.legionio')
+          ::FileUtils.mkdir_p(credentials_dir)
+          cred_path = ::File.join(credentials_dir, 'credentials')
+          ::File.write(cred_path, token_val)
+          ::File.chmod(0o600, cred_path)
+        end
       end
     end
   end

data/lib/legion/cli/chat_command.rb

@@ -335,7 +335,7 @@ module Legion
           end
 
           result = lines.join("\n")
-          result.strip.empty? ? nil : result
+          result.strip.empty? ? '' : result
         rescue Interrupt
           raise if first_line
 

data/lib/legion/cli/tty_command.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require 'thor'
+require 'legion/cli/output'
+
+module Legion
+  module CLI
+    class Tty < Thor
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+      class_option :config_dir, type: :string, desc: 'Config directory (~/.legionio/settings)'
+      class_option :skip_rain, type: :boolean, default: false, desc: 'Skip the digital rain intro'
+
+      default_task :interactive
+
+      desc 'interactive', 'Launch the rich terminal UI (default)'
+      long_desc <<~DESC
+        Launches the Legion TTY - a rich terminal interface with:
+        - Onboarding wizard (first run)
+        - AI chat shell with streaming responses
+        - Operational dashboard (Ctrl+D or /dashboard)
+        - Session persistence across runs
+
+        Similar to tools like Claude Code (CLI) and OpenAI Codex,
+        but purpose-built for LegionIO's async cognition engine.
+
+        First run: walks you through identity detection (Kerberos/GitHub),
+        provider selection, and API key setup.
+
+        Subsequent runs: loads saved identity, re-scans environment,
+        and drops straight into the chat shell.
+      DESC
+      def interactive
+        require_tty_gem
+        config_dir = options[:config_dir] || Legion::TTY::App::CONFIG_DIR
+        app = Legion::TTY::App.new(config_dir: config_dir)
+        app.start
+      rescue Interrupt
+        app&.shutdown
+      end
+
+      desc 'reset', 'Clear saved identity and credentials (re-run onboarding)'
+      option :confirm, type: :boolean, default: false, aliases: ['-y'], desc: 'Skip confirmation'
+      def reset
+        out = formatter
+        config_dir = options[:config_dir] || File.expand_path('~/.legionio/settings')
+
+        identity = File.join(config_dir, 'identity.json')
+        credentials = File.join(config_dir, 'credentials.json')
+
+        unless options[:confirm]
+          out.warn('This will delete your saved identity and credentials.')
+          out.warn('You will need to re-run onboarding.')
+          require 'tty-prompt'
+          prompt = ::TTY::Prompt.new
+          return unless prompt.yes?('Continue?')
+        end
+
+        [identity, credentials].each do |path|
+          if File.exist?(path)
+            File.delete(path)
+            out.success("Deleted #{File.basename(path)}")
+          end
+        end
+      end
+
+      desc 'sessions', 'List saved chat sessions'
+      def sessions
+        out = formatter
+        require_tty_gem
+
+        store = Legion::TTY::SessionStore.new
+        list = store.list
+
+        if list.empty?
+          out.detail('No saved sessions.')
+          return
+        end
+
+        list.each do |session|
+          name = session[:name]
+          count = session[:message_count]
+          saved = session[:saved_at] || 'unknown'
+          puts "  #{name.ljust(30)} #{count} messages  #{saved}"
+        end
+      end
+
+      desc 'version', 'Show legion-tty version'
+      def version
+        require_tty_gem
+        puts "legion-tty #{Legion::TTY::VERSION}"
+      end
+
+      no_commands do
+        def formatter
+          @formatter ||= Output::Formatter.new(
+            json:  false,
+            color: !options[:no_color]
+          )
+        end
+
+        private
+
+        def require_tty_gem
+          require 'legion/tty'
+        rescue LoadError => e
+          formatter.error("legion-tty gem not installed: #{e.message}")
+          formatter.detail('Install with: gem install legion-tty')
+          raise SystemExit, 1
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli.rb

@@ -41,6 +41,7 @@ module Legion
     autoload :Cost,        'legion/cli/cost_command'
     autoload :Marketplace, 'legion/cli/marketplace_command'
     autoload :Notebook,    'legion/cli/notebook_command'
+    autoload :Tty,         'legion/cli/tty_command'
 
     class Main < Thor
       def self.exit_on_failure?
@@ -227,6 +228,9 @@ module Legion
       desc 'notebook', 'Read and export Jupyter notebooks'
       subcommand 'notebook', Legion::CLI::Notebook
 
+      desc 'tty', 'Rich terminal UI (onboarding, AI chat, dashboard)'
+      subcommand 'tty', Legion::CLI::Tty
+
       desc 'tree', 'Print a tree of all available commands'
       def tree
         legion_print_command_tree(self.class, 'legion', '')

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.4.59'
+  VERSION = '1.4.60'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.4.59
+  version: 1.4.60
 platform: ruby
 authors:
 - Esity
@@ -319,6 +319,7 @@ files:
 - lib/legion/api/audit.rb
 - lib/legion/api/auth.rb
 - lib/legion/api/auth_human.rb
+- lib/legion/api/auth_kerberos.rb
 - lib/legion/api/auth_worker.rb
 - lib/legion/api/capacity.rb
 - lib/legion/api/chains.rb
@@ -479,6 +480,7 @@ files:
 - lib/legion/cli/theme.rb
 - lib/legion/cli/trace_command.rb
 - lib/legion/cli/trigger.rb
+- lib/legion/cli/tty_command.rb
 - lib/legion/cli/update_command.rb
 - lib/legion/cli/version.rb
 - lib/legion/cli/worker_command.rb