legionio 1.4.79 → 1.4.82

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 833830caa5613e077d49c9a67c1dc00b907a473daf7be9033c9389c51546a5e3
-  data.tar.gz: 9c93197f8b0a9ecd0f784598c9b81e98d0158ab03b94d4b822a3d6ef55419868
+  metadata.gz: be7718191541e7f3c7d122c0df0f74145ef0ed5aa8e4b8a67396932155e4cccf
+  data.tar.gz: 5b4f4e5453fe9667b6424433d8d0ec9cfe524b6f9c35be64f7e4b0edeae1c3f3
 SHA512:
-  metadata.gz: 4689fa56cc6ad0cfd06f1b836fd36211edeaedacc65306ed888bdc97d36e1d430f5c7c6f3eb65427ff7c234cf1908f2fb14f26f448b8d6f2a414c726011c699f
-  data.tar.gz: 3a127117aba989a57d1e1077e6972a2d32d07c02148fb53eae5c083e8752d509d4a9d84a9db9bb3086292a983e3154d8632e7bca41483a5e9740ccb1769c1ec0
+  metadata.gz: dd10e410a69d1cae47dadbaf02f287857410b44e8f8d305c1cd8b555a44a32d2a6b0a63950a3ee2e54d815ef28a25ee7dc08fd7e78a584ec39698b03385bcac0
+  data.tar.gz: ce22d223fd1b67df63878d1e1f4d54273437c01a4359f384dc0658ecf06e1e83481285d2b78afd511ee17fabe75a5cb8342826e5cab6ee63cc49a33ccb3c38e4

data/.dockerignore

@@ -0,0 +1,11 @@
+.git
+.github
+spec
+docs
+*.md
+.rubocop.yml
+.rspec
+tmp
+log
+.dockerignore
+Dockerfile

data/.github/workflow-templates/eval-gate.yml

@@ -0,0 +1,118 @@
+# .github/workflow-templates/eval-gate.yml
+#
+# Eval gate workflow template for LegionIO CI/CD pipelines.
+# Copy this file to .github/workflows/eval-gate.yml in your repo and adjust the
+# env vars to match your dataset and threshold requirements.
+#
+# Required secrets:
+#   LEGIONIO_BOOTSTRAP_CONFIG  (base64-encoded bootstrap JSON, or omit for defaults)
+#
+# Usage:
+#   - Trigger manually (workflow_dispatch) or on push/PR targeting main
+#   - Job exits 0 if avg_score >= threshold, exits 1 and fails the pipeline if below
+
+name: Eval Gate
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      dataset:
+        description: 'Dataset name to evaluate'
+        required: true
+        default: 'default'
+      threshold:
+        description: 'Pass/fail threshold (0.0 - 1.0)'
+        required: false
+        default: '0.8'
+      evaluator:
+        description: 'Evaluator name (leave blank for first builtin template)'
+        required: false
+        default: ''
+
+env:
+  DATASET:   ${{ github.event.inputs.dataset   || 'default' }}
+  THRESHOLD: ${{ github.event.inputs.threshold || '0.8' }}
+  EVALUATOR: ${{ github.event.inputs.evaluator || '' }}
+
+jobs:
+  eval-gate:
+    name: Eval Gate (${{ env.DATASET }} @ ${{ env.THRESHOLD }})
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Install Legion
+        run: gem install legionio --no-document
+
+      - name: Bootstrap config (optional)
+        if: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG != '' }}
+        env:
+          LEGIONIO_BOOTSTRAP_CONFIG: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG }}
+        run: echo "Bootstrap config present"
+
+      - name: Run eval gate
+        id: eval
+        env:
+          LEGIONIO_BOOTSTRAP_CONFIG: ${{ secrets.LEGIONIO_BOOTSTRAP_CONFIG }}
+        run: |
+          EVAL_ARGS="--dataset $DATASET --threshold $THRESHOLD --exit-code --json"
+          if [ -n "$EVALUATOR" ]; then
+            EVAL_ARGS="$EVAL_ARGS --evaluator $EVALUATOR"
+          fi
+          legion eval run $EVAL_ARGS | tee eval-report.json
+
+      - name: Upload eval report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: eval-report-${{ github.run_number }}
+          path: eval-report.json
+          retention-days: 30
+
+      - name: Annotate PR with eval results
+        if: github.event_name == 'pull_request' && always()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            let report;
+            try {
+              report = JSON.parse(fs.readFileSync('eval-report.json', 'utf8'));
+            } catch (e) {
+              console.log('Could not parse eval report:', e.message);
+              return;
+            }
+            const gate   = report.passed ? 'PASSED' : 'FAILED';
+            const score  = (report.avg_score || 0).toFixed(3);
+            const thresh = report.threshold || 0;
+            const body   = [
+              `## Eval Gate: ${gate}`,
+              '',
+              `| Metric | Value |`,
+              `|--------|-------|`,
+              `| Dataset | \`${report.dataset}\` |`,
+              `| Evaluator | \`${report.evaluator}\` |`,
+              `| Avg Score | ${score} |`,
+              `| Threshold | ${thresh} |`,
+              `| Total Rows | ${report.summary?.total ?? 'N/A'} |`,
+              `| Passed | ${report.summary?.passed ?? 'N/A'} |`,
+              `| Failed | ${report.summary?.failed ?? 'N/A'} |`,
+            ].join('\n');
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner:        context.repo.owner,
+              repo:         context.repo.repo,
+              body:         body,
+            });

data/.github/workflows/ci-cd.yml

@@ -0,0 +1,67 @@
+name: CI/CD
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    services:
+      rabbitmq:
+        image: rabbitmq:3.13-management
+        ports: ['5672:5672']
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_PASSWORD: test
+          POSTGRES_DB: legion_test
+        ports: ['5432:5432']
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+      - run: bundle install && bundle exec rspec
+      - run: bundle exec rubocop
+
+  build:
+    name: Build Image
+    needs: test
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/legionio/legion:${{ github.sha }}
+            ghcr.io/legionio/legion:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  helm-lint:
+    name: Helm Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: azure/setup-helm@v3
+      - run: helm lint deploy/helm/legion

data/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Legion Changelog
 
+## [1.4.82] - 2026-03-20
+
+### Added
+- `legion check --privacy` command: verifies enterprise privacy mode (flag set, no cloud API keys, external endpoints unreachable)
+- `PrivacyCheck` class with three probes: flag_set, no_cloud_keys, no_external_endpoints
+- `Legion::Service.log_privacy_mode_status` logs enterprise privacy state at startup
+
+## [1.4.81] - 2026-03-20
+
+### Added
+- `legion eval experiments` subcommand: list all experiment runs with status and summary
+- `legion eval promote --experiment NAME --tag TAG` subcommand: tag a prompt version for production via lex-prompt
+- `legion eval compare --run1 NAME --run2 NAME` subcommand: side-by-side diff of two experiment runs
+- `require_prompt!` guard for lex-prompt extension availability
+
+## [1.4.80] - 2026-03-20
+
+### Added
+- `legion eval run` CLI subcommand for CI/CD threshold-based eval gating
+- `--dataset`, `--threshold`, `--evaluator`, `--exit-code` options on `eval run`
+- JSON report output to stdout with per-row scores, summary, and timestamp
+- `.github/workflow-templates/eval-gate.yml` reusable GitHub Actions workflow template
+- PR annotation step in workflow template for inline eval result comments
+
 ## [1.4.79] - 2026-03-20
 
 ### Added

data/Dockerfile

@@ -1,9 +1,26 @@
-FROM ruby:3.4-alpine
-LABEL maintainer="Matthew Iverson <matthewdiverson@gmail.com>"
+# Build stage
+FROM ruby:3.4-slim AS builder
+WORKDIR /app
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends build-essential libpq-dev git && \
+    rm -rf /var/lib/apt/lists/*
+COPY Gemfile Gemfile.lock ./
+RUN bundle config set --local deployment true && \
+    bundle config set --local without 'development test' && \
+    bundle install --jobs 4 --retry 3
+COPY . .
 
-RUN mkdir /etc/legionio
-RUN apk update && apk add build-base postgresql-dev mysql-client mariadb-dev tzdata gcc git
-
-COPY . ./
-RUN gem install legionio tzinfo-data tzinfo --no-document --no-prerelease
-CMD ruby --yjit $(which legion)
+# Runtime stage
+FROM ruby:3.4-slim AS runtime
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libpq5 curl && \
+    rm -rf /var/lib/apt/lists/* && \
+    groupadd -r legion && useradd -r -g legion -d /app -s /sbin/nologin legion
+WORKDIR /app
+COPY --from=builder --chown=legion:legion /app /app
+USER legion
+EXPOSE 4567
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD curl -sf http://localhost:4567/api/health || exit 1
+ENTRYPOINT ["bundle", "exec"]
+CMD ["legion", "start"]

data/deploy/helm/legion/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: legion
+description: LegionIO async job engine
+version: 0.1.0
+appVersion: "1.4.13"
+type: application

data/deploy/helm/legion/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{- define "legion.fullname" -}}
+{{- .Release.Name }}-legion
+{{- end }}
+
+{{- define "legion.labels" -}}
+app.kubernetes.io/name: legion
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+{{- end }}
+
+{{- define "legion.selectorLabels" -}}
+app.kubernetes.io/name: legion
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

data/deploy/helm/legion/templates/deployment-api.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "legion.fullname" . }}-api
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+    app.kubernetes.io/component: api
+spec:
+  replicas: {{ .Values.api.replicas }}
+  selector:
+    matchLabels:
+      {{- include "legion.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: api
+  template:
+    metadata:
+      labels:
+        {{- include "legion.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: api
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      containers:
+        - name: api
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["bundle", "exec", "legion", "api"]
+          ports:
+            - containerPort: {{ .Values.api.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /api/health
+              port: {{ .Values.api.port }}
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /api/health
+              port: {{ .Values.api.port }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            {{- toYaml .Values.api.resources | nindent 12 }}
+          env:
+            - name: LEGION_TRANSPORT_HOST
+              value: {{ .Values.rabbitmq.host | quote }}
+            - name: LEGION_DATA_URL
+              value: "postgres://$(DB_USER):$(DB_PASS)@{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}/{{ .Values.postgresql.database }}"
+            {{- with .Values.api.env }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.rabbitmq.existingSecret }}
+            - secretRef:
+                name: {{ .Values.postgresql.existingSecret }}

data/deploy/helm/legion/templates/deployment-worker.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "legion.fullname" . }}-worker
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+    app.kubernetes.io/component: worker
+spec:
+  replicas: {{ .Values.worker.replicas }}
+  selector:
+    matchLabels:
+      {{- include "legion.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: worker
+  template:
+    metadata:
+      labels:
+        {{- include "legion.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: worker
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      containers:
+        - name: worker
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["bundle", "exec", "legion", "start"]
+          resources:
+            {{- toYaml .Values.worker.resources | nindent 12 }}
+          env:
+            - name: LEGION_TRANSPORT_HOST
+              value: {{ .Values.rabbitmq.host | quote }}
+            - name: LEGION_TRANSPORT_PORT
+              value: {{ .Values.rabbitmq.port | quote }}
+            - name: LEGION_DATA_URL
+              value: "postgres://$(DB_USER):$(DB_PASS)@{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}/{{ .Values.postgresql.database }}"
+            {{- with .Values.worker.env }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.rabbitmq.existingSecret }}
+            - secretRef:
+                name: {{ .Values.postgresql.existingSecret }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

data/deploy/helm/legion/templates/hpa-worker.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.worker.hpa.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "legion.fullname" . }}-worker
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "legion.fullname" . }}-worker
+  minReplicas: {{ .Values.worker.hpa.minReplicas }}
+  maxReplicas: {{ .Values.worker.hpa.maxReplicas }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.worker.hpa.targetCPUUtilization }}
+{{- end }}

data/deploy/helm/legion/templates/pdb.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "legion.fullname" . }}
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+spec:
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  selector:
+    matchLabels:
+      {{- include "legion.selectorLabels" . | nindent 6 }}
+{{- end }}

data/deploy/helm/legion/templates/service-api.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "legion.fullname" . }}-api
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.api.service.type }}
+  ports:
+    - port: {{ .Values.api.port }}
+      targetPort: {{ .Values.api.port }}
+      protocol: TCP
+  selector:
+    {{- include "legion.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: api

data/deploy/helm/legion/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  labels:
+    {{- include "legion.labels" . | nindent 4 }}
+{{- end }}

data/deploy/helm/legion/values.yaml

@@ -0,0 +1,69 @@
+image:
+  repository: ghcr.io/legionio/legion
+  tag: latest
+  pullPolicy: IfNotPresent
+
+worker:
+  replicas: 2
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 512Mi
+  hpa:
+    enabled: false
+    minReplicas: 2
+    maxReplicas: 20
+    targetCPUUtilization: 70
+  env: []
+
+api:
+  replicas: 2
+  port: 4567
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 256Mi
+  service:
+    type: ClusterIP
+  ingress:
+    enabled: false
+  env: []
+
+rabbitmq:
+  host: rabbitmq
+  port: 5672
+  vhost: /
+  existingSecret: legion-rabbitmq
+
+postgresql:
+  host: postgresql
+  port: 5432
+  database: legion
+  existingSecret: legion-postgresql
+
+redis:
+  host: redis
+  port: 6379
+
+vault:
+  enabled: false
+  address: ""
+  role: legion
+
+serviceAccount:
+  create: true
+  name: legion
+
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+
+nodeSelector: {}
+tolerations: []
+affinity: {}

data/lib/legion/cli/check/privacy_check.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module Legion
+  module CLI
+    module Check
+      class PrivacyCheck
+        CLOUD_PROVIDERS = %i[bedrock anthropic openai gemini azure].freeze
+
+        def run
+          @results = {}
+          @results[:flag_set]              = check_flag_set
+          @results[:no_cloud_keys]         = check_no_cloud_keys
+          @results[:no_external_endpoints] = check_no_external_endpoints
+          @results
+        end
+
+        def overall_pass?
+          run.values.all? { |v| v == :pass }
+        end
+
+        private
+
+        def check_flag_set
+          if settings_loaded? && Legion::Settings.enterprise_privacy?
+            :pass
+          else
+            :fail
+          end
+        end
+
+        def check_no_cloud_keys
+          llm = Legion::Settings[:llm]
+          return :pass unless llm.is_a?(Hash)
+
+          providers = (llm[:providers] || llm['providers'] || {}).transform_keys(&:to_sym)
+          CLOUD_PROVIDERS.each do |provider|
+            cfg = providers[provider]
+            return :fail if raw_credential?(cfg)
+          end
+
+          :pass
+        rescue StandardError
+          :skip
+        end
+
+        def raw_credential?(cfg)
+          return false unless cfg.is_a?(Hash)
+
+          key = cfg[:api_key] || cfg['api_key'] ||
+                cfg[:bearer_token] || cfg['bearer_token'] ||
+                cfg[:secret_key] || cfg['secret_key']
+
+          key.is_a?(String) && !key.empty? && !key.start_with?('env://', 'vault://')
+        end
+
+        def check_no_external_endpoints
+          endpoints = [
+            ['api.anthropic.com', 443],
+            ['api.openai.com', 443],
+            ['generativelanguage.googleapis.com', 443]
+          ]
+          endpoints.each do |host, port|
+            return :fail if tcp_reachable?(host, port)
+          end
+          :pass
+        rescue StandardError
+          :skip
+        end
+
+        def tcp_reachable?(host, port)
+          socket = ::TCPSocket.new(host, port)
+          socket.close
+          true
+        rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketError, Errno::ENETUNREACH
+          false
+        end
+
+        def settings_loaded?
+          defined?(Legion::Settings) && Legion::Settings.respond_to?(:enterprise_privacy?)
+        rescue StandardError
+          false
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli/check_command.rb

@@ -17,7 +17,53 @@ module Legion
         api:        :transport
       }.freeze
 
+      autoload :PrivacyCheck, 'legion/cli/check/privacy_check'
+
+      PROBE_LABELS = {
+        flag_set:              'Privacy flag set',
+        no_cloud_keys:         'No cloud API keys configured',
+        no_external_endpoints: 'External endpoints unreachable'
+      }.freeze
+
       class << self
+        def run_privacy(formatter, options)
+          require 'legion/settings'
+          dir = Connection.send(:resolve_config_dir)
+          Legion::Settings.load(config_dir: dir)
+
+          checker = PrivacyCheck.new
+          results = checker.run
+
+          if options[:json]
+            formatter.json({ results: results, overall: checker.overall_pass? ? 'pass' : 'fail' })
+            return checker.overall_pass? ? 0 : 1
+          end
+
+          formatter.header('Enterprise Privacy Mode Check')
+          formatter.spacer
+
+          results.each do |probe, status|
+            label = PROBE_LABELS.fetch(probe, probe.to_s).ljust(36)
+            case status
+            when :pass
+              puts "  #{label}#{formatter.colorize('pass', :green)}"
+            when :fail
+              puts "  #{label}#{formatter.colorize('FAIL', :red)}"
+            when :skip
+              puts "  #{label}#{formatter.colorize('skip', :yellow)}"
+            end
+          end
+
+          formatter.spacer
+          if checker.overall_pass?
+            formatter.success('Privacy mode fully engaged')
+          else
+            formatter.error('Privacy mode check failed — see items above')
+          end
+
+          checker.overall_pass? ? 0 : 1
+        end
+
         def run(formatter, options)
           level = if options[:full]
                     :full

data/lib/legion/cli/eval_command.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Legion
+  module CLI
+    class Eval < Thor
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :json,       type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color,   type: :boolean, default: false, desc: 'Disable color output'
+      class_option :verbose,    type: :boolean, default: false, aliases: ['-V'], desc: 'Verbose logging'
+      class_option :config_dir, type: :string, desc: 'Config directory path'
+
+      desc 'run', 'Run eval against a dataset and gate on a threshold'
+      map 'run' => :execute
+      option :dataset,   type: :string,  required: true,  aliases: '-d', desc: 'Dataset name'
+      option :threshold, type: :numeric, default: 0.8,    aliases: '-t', desc: 'Pass/fail threshold (0.0-1.0)'
+      option :evaluator, type: :string,  default: nil,    aliases: '-e', desc: 'Evaluator name'
+      option :exit_code, type: :boolean, default: false,                 desc: 'Exit 1 if gate fails (for CI use)'
+      def execute
+        setup_connection
+        require_eval!
+        require_dataset!
+
+        rows   = fetch_dataset_rows(options[:dataset])
+        report = run_evaluations(rows)
+
+        avg_score = report.dig(:summary, :avg_score) || 0.0
+        passed    = avg_score >= options[:threshold]
+
+        ci_report = build_ci_report(report, avg_score, passed)
+
+        if options[:json]
+          formatter.json(ci_report)
+        else
+          render_human_report(ci_report, avg_score, passed)
+        end
+
+        exit(1) if options[:exit_code] && !passed
+      ensure
+        Connection.shutdown
+      end
+
+      desc 'experiments', 'List all tracked experiments'
+      def experiments
+        setup_connection
+        require_dataset!
+
+        client = Legion::Extensions::Dataset::Client.new
+        rows   = client.list_experiments
+        out    = formatter
+
+        if rows.empty?
+          out.warn('no experiments found')
+          return
+        end
+
+        if options[:json]
+          out.json(experiments: rows)
+        else
+          out.header('Experiments')
+          out.spacer
+          table_rows = rows.map do |r|
+            [r[:id].to_s, r[:name].to_s, r[:status].to_s, r[:created_at].to_s, r[:summary].to_s[0, 60]]
+          end
+          out.table(%w[id name status created summary], table_rows)
+        end
+      ensure
+        Connection.shutdown
+      end
+
+      desc 'promote', 'Tag a prompt version from a passing experiment for production'
+      option :experiment, type: :string, required: true, aliases: '-e', desc: 'Experiment name'
+      option :tag,        type: :string, required: true, aliases: '-t', desc: 'Tag to apply (e.g. production)'
+      def promote
+        setup_connection
+        require_dataset!
+        require_prompt!
+
+        dataset_client = Legion::Extensions::Dataset::Client.new
+        experiment     = dataset_client.get_experiment(name: options[:experiment])
+        raise CLI::Error, "Experiment '#{options[:experiment]}' not found" if experiment.nil?
+        raise CLI::Error, "Experiment '#{options[:experiment]}' has no prompt linked" if experiment[:prompt_name].nil?
+
+        prompt_client = Legion::Extensions::Prompt::Client.new
+        result = prompt_client.tag_prompt(
+          name:    experiment[:prompt_name],
+          tag:     options[:tag],
+          version: experiment[:prompt_version]
+        )
+
+        out = formatter
+        if options[:json]
+          out.json(result)
+        else
+          out.success("Tagged prompt '#{experiment[:prompt_name]}' v#{experiment[:prompt_version]} as '#{options[:tag]}'")
+        end
+      ensure
+        Connection.shutdown
+      end
+
+      desc 'compare', 'Compare two experiment runs side by side'
+      option :run1, type: :string, required: true, desc: 'First experiment name'
+      option :run2, type: :string, required: true, desc: 'Second experiment name'
+      def compare
+        setup_connection
+        require_dataset!
+
+        client = Legion::Extensions::Dataset::Client.new
+        diff   = client.compare_experiments(exp1_name: options[:run1], exp2_name: options[:run2])
+        raise CLI::Error, 'One or both experiments not found' if diff[:error]
+
+        out = formatter
+        if options[:json]
+          out.json(diff)
+        else
+          out.header("Compare: #{diff[:exp1]} vs #{diff[:exp2]}")
+          out.spacer
+          table_rows = [
+            ['Rows compared', diff[:rows_compared].to_s],
+            ['Regressions',   diff[:regression_count].to_s],
+            ['Improvements',  diff[:improvement_count].to_s]
+          ]
+          out.table(%w[metric value], table_rows)
+        end
+      ensure
+        Connection.shutdown
+      end
+
+      no_commands do # rubocop:disable Metrics/BlockLength
+        def formatter
+          @formatter ||= Output::Formatter.new(
+            json:  options[:json],
+            color: !options[:no_color]
+          )
+        end
+
+        def setup_connection
+          Connection.config_dir = options[:config_dir] if options[:config_dir]
+          Connection.log_level  = options[:verbose] ? 'debug' : 'error'
+          Connection.ensure_data
+        end
+
+        def require_eval!
+          return if defined?(Legion::Extensions::Eval::Client)
+
+          raise CLI::Error, 'lex-eval extension is not loaded. Install and enable it first.'
+        end
+
+        def require_dataset!
+          return if defined?(Legion::Extensions::Dataset::Client)
+
+          raise CLI::Error, 'lex-dataset extension is not loaded. Install and enable it first.'
+        end
+
+        def require_prompt!
+          return if defined?(Legion::Extensions::Prompt::Client)
+
+          raise CLI::Error, 'lex-prompt extension is not loaded. Install and enable it first.'
+        end
+
+        def fetch_dataset_rows(name)
+          client = Legion::Extensions::Dataset::Client.new
+          result = client.get_dataset(name: name)
+          raise CLI::Error, "Dataset '#{name}' not found" if result[:error]
+
+          result[:rows].map do |r|
+            { input: r[:input], output: r[:input], expected: r[:expected_output] }
+          end
+        end
+
+        def run_evaluations(rows)
+          Legion::Extensions::Eval::Client.new.run_evaluation(inputs: rows)
+        end
+
+        def build_ci_report(report, avg_score, passed)
+          {
+            dataset:   options[:dataset],
+            evaluator: report[:evaluator],
+            threshold: options[:threshold],
+            avg_score: avg_score,
+            passed:    passed,
+            summary:   report[:summary],
+            results:   report[:results],
+            timestamp: Time.now.utc.iso8601
+          }
+        end
+
+        def render_human_report(report, avg_score, passed)
+          out = formatter
+          out.header("Eval Gate: #{report[:dataset]}")
+          out.spacer
+          out.detail({
+                       dataset:   report[:dataset],
+                       evaluator: report[:evaluator],
+                       total:     report.dig(:summary, :total),
+                       passed:    report.dig(:summary, :passed),
+                       failed:    report.dig(:summary, :failed),
+                       avg_score: format('%.3f', avg_score),
+                       threshold: report[:threshold],
+                       gate:      passed ? 'PASSED' : 'FAILED'
+                     })
+          out.spacer
+
+          if passed
+            out.success("Gate PASSED (avg_score=#{format('%.3f', avg_score)} >= threshold=#{report[:threshold]})")
+          else
+            out.warn("Gate FAILED (avg_score=#{format('%.3f', avg_score)} < threshold=#{report[:threshold]})")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/cli.rb

@@ -36,6 +36,7 @@ module Legion
     autoload :Rbac,       'legion/cli/rbac_command'
     autoload :Audit,      'legion/cli/audit_command'
     autoload :Detect,     'legion/cli/detect_command'
+    autoload :Eval,       'legion/cli/eval_command'
     autoload :Update,     'legion/cli/update_command'
     autoload :Init,       'legion/cli/init_command'
     autoload :Skill,      'legion/cli/skill_command'
@@ -137,8 +138,13 @@ module Legion
       DESC
       option :extensions, type: :boolean, default: false, desc: 'Also load extensions'
       option :full, type: :boolean, default: false, desc: 'Full boot cycle (extensions + API)'
+      option :privacy, type: :boolean, default: false, desc: 'Verify enterprise privacy mode'
       def check
-        exit_code = Legion::CLI::Check.run(formatter, options)
+        exit_code = if options[:privacy]
+                      Legion::CLI::Check.run_privacy(formatter, options)
+                    else
+                      Legion::CLI::Check.run(formatter, options)
+                    end
         exit(exit_code) if exit_code != 0
       end
 
@@ -242,6 +248,9 @@ module Legion
       desc 'tty', 'Rich terminal UI (onboarding, AI chat, dashboard)'
       subcommand 'tty', Legion::CLI::Tty
 
+      desc 'eval SUBCOMMAND', 'Eval gating and experiment management'
+      subcommand 'eval', Legion::CLI::Eval
+
       desc 'observe SUBCOMMAND', 'MCP tool observation stats'
       subcommand 'observe', Legion::CLI::ObserveCommand
 

data/lib/legion/service.rb

@@ -141,6 +141,7 @@ module Legion
       Legion::Settings.load(config_dir: config_directory)
       Legion::Readiness.mark_ready(:settings)
       Legion::Logging.info('Legion::Settings Loaded')
+      self.class.log_privacy_mode_status
     end
 
     def apply_cli_overrides(http_port: nil)
@@ -402,5 +403,27 @@ module Legion
       require 'legion/runner'
       Legion::Extensions.hook_extensions
     end
+
+    def self.log_privacy_mode_status
+      privacy = if Legion.const_defined?('Settings') && Legion::Settings.respond_to?(:enterprise_privacy?)
+                  Legion::Settings.enterprise_privacy?
+                else
+                  ENV['LEGION_ENTERPRISE_PRIVACY'] == 'true'
+                end
+
+      message = if privacy
+                  'enterprise_data_privacy enabled: cloud LLM blocked, telemetry suppressed'
+                else
+                  'enterprise_data_privacy disabled: all tiers available'
+                end
+
+      if Legion.const_defined?('Logging')
+        Legion::Logging.info(message)
+      else
+        $stdout.puts "[Legion] #{message}"
+      end
+    rescue StandardError
+      nil
+    end
   end
 end

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.4.79'
+  VERSION = '1.4.82'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.4.79
+  version: 1.4.82
 platform: ruby
 authors:
 - Esity
@@ -313,6 +313,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".dockerignore"
+- ".github/workflow-templates/eval-gate.yml"
+- ".github/workflows/ci-cd.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rubocop.yml"
@@ -326,6 +329,15 @@ files:
 - completions/_legionio
 - completions/legion.bash
 - completions/legionio.bash
+- deploy/helm/legion/Chart.yaml
+- deploy/helm/legion/templates/_helpers.tpl
+- deploy/helm/legion/templates/deployment-api.yaml
+- deploy/helm/legion/templates/deployment-worker.yaml
+- deploy/helm/legion/templates/hpa-worker.yaml
+- deploy/helm/legion/templates/pdb.yaml
+- deploy/helm/legion/templates/service-api.yaml
+- deploy/helm/legion/templates/serviceaccount.yaml
+- deploy/helm/legion/values.yaml
 - docker_deploy.rb
 - docs/README.md
 - docs/plans/2026-03-18-config-import-vault-multicluster-design.md
@@ -418,6 +430,7 @@ files:
 - lib/legion/cli/chat/web_fetch.rb
 - lib/legion/cli/chat/web_search.rb
 - lib/legion/cli/chat_command.rb
+- lib/legion/cli/check/privacy_check.rb
 - lib/legion/cli/check_command.rb
 - lib/legion/cli/cohort.rb
 - lib/legion/cli/coldstart_command.rb
@@ -446,6 +459,7 @@ files:
 - lib/legion/cli/doctor/vault_check.rb
 - lib/legion/cli/doctor_command.rb
 - lib/legion/cli/error.rb
+- lib/legion/cli/eval_command.rb
 - lib/legion/cli/function.rb
 - lib/legion/cli/gaia_command.rb
 - lib/legion/cli/generate_command.rb