legionio 1.6.34 → 1.6.36

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f47bba61ed42d34114fc93779bc2c911b6dd67f03f6d06febaae9424bc0c61cf
-  data.tar.gz: c4e45617785c4a31b32f9802b0ec77cc57dceb9ad223b6f71a35a9a54b21c119
+  metadata.gz: fd73445976635c61163ac93a058fd3253bb164956fff00d8b791817b1dd16ddb
+  data.tar.gz: 218c4b3975aa59cb4c0eec3735c2cdbe185cf23f85429b4268d4335a8cb7fdf9
 SHA512:
-  metadata.gz: 92a3fed3a076dc34d63fdb69dbde68d3a73ce4f68c17652dfa862fbc355b8df9ac0e1023edd1a93020806d6af838071dd103dc176b6b32a0d03b51e1f03fec6c
-  data.tar.gz: 13dfb3297160e508288d61f3713d8a97ee930b74cd58eab56311116ab2bbb065c88d20ba279ea6c55b6fb62af5623c8222bcf560a88aa0c93e8f24693ba38aca
+  metadata.gz: 247d06dcfb4d405c1a156bac4c9a4a0aaa00eedd0cf2f3bfef74da95f9027acb39f303bc9afda3dbf50d2f14dee2a41eafd10d5522dbf074017548489f69ebd0
+  data.tar.gz: 840d3c68d9e48e11e3c92a40cf2a0d849079d5ab68aa39629368f88a75615d1dca151b952987de9a882517c84569bcc7aff9c93becbd9d8277b98152a5fdc942

data/.rubocop.yml

@@ -33,6 +33,11 @@ Metrics/BlockLength:
   Exclude:
     - 'spec/**/*'
     - 'integration/**/*'
+    - 'extensions-agentic/**/spec/**/*'
+    - 'extensions-core/**/spec/**/*'
+    - 'extensions/**/spec/**/*'
+    - 'extensions-ai/**/spec/**/*'
+    - 'extensions-other/**/spec/**/*'
     - 'legionio.gemspec'
     - 'lib/legion/cli/chat_command.rb'
     - 'lib/legion/cli/plan_command.rb'

data/CHANGELOG.md

@@ -2,6 +2,27 @@
 
 ## [Unreleased]
 
+## [1.6.36] - 2026-03-29
+
+### Added
+- Knowledge helper: `knowledge_connected?`, `knowledge_global_connected?`, `knowledge_local_connected?` status methods
+- Knowledge helper: `knowledge_default_scope` and `knowledge_default_tags` LEX-overridable layered defaults
+- LLM helper: now includes `Legion::LLM::Helper` following cache/transport pattern (with LoadError guard)
+- Wrapper specs for cache and data helpers
+
+### Fixed
+- Logger helper: add missing `include Base` (was relying on transitive inclusion via Lex)
+- Task helper: add missing `include Base`
+- Knowledge helper: add missing `include Base`, `knowledge_default_tags` auto-merged into `ingest_knowledge`
+
+## [1.6.35] - 2026-03-29
+
+### Added
+- `Legion::Workflow::Manifest` — YAML workflow manifest parser with validation
+- `Legion::Workflow::Loader` — installs/uninstalls workflow chains via lex-lex registry
+- `legion workflow` CLI — install, list, uninstall, status subcommands
+- `workflows/autonomous-github-lifecycle.yml` — sample workflow manifest for codegen pipeline
+
 ## [1.6.34] - 2026-03-29
 
 ### Fixed

data/extensions-agentic/lex-consent/db/migrations/001_create_consent_maps.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  change do
+    create_table(:consent_maps) do
+      primary_key :id
+      String  :worker_id,    null: false
+      String  :from_tier,    null: false
+      String  :to_tier,      null: false
+      String  :requested_by, null: false
+      String  :state,        null: false, default: 'pending_approval'
+      String  :resolved_by
+      Time    :resolved_at
+      String  :notes,        text: true
+      String  :context,      text: true
+      Time    :created_at
+      Time    :updated_at
+
+      index :worker_id
+      index :state
+      index %i[worker_id state]
+    end
+  end
+end

data/extensions-agentic/lex-consent/lex-consent.gemspec

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative 'lib/legion/extensions/agentic/consent/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'lex-consent'
+  spec.version       = Legion::Extensions::Agentic::Consent::VERSION
+  spec.authors       = ['Esity']
+  spec.email         = ['matthewdiverson@gmail.com']
+  spec.summary       = 'LegionIO HITL consent gate for autonomous tier promotion'
+  spec.description   = 'A LegionIO Extension (LEX) that gates agent autonomous tier promotion by human approval'
+  spec.homepage      = 'https://github.com/LegionIO/lex-consent'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 3.4'
+
+  spec.metadata = {
+    'homepage_uri'          => spec.homepage,
+    'source_code_uri'       => spec.homepage,
+    'rubygems_mfa_required' => 'true'
+  }
+
+  spec.files = Dir['lib/**/*', 'LICENSE', 'README.md']
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'legionio', '>= 1.2'
+end

data/extensions-agentic/lex-consent/lib/legion/extensions/agentic/consent/actors/tier_evaluation.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+return unless defined?(Legion::Extensions::Actors::Every)
+
+module Legion
+  module Extensions
+    module Agentic
+      module Consent
+        module Actor
+          class TierEvaluation < Legion::Extensions::Actors::Every
+            # Run tier evaluation and pending approval expiry every hour
+            INTERVAL = 3600
+
+            def perform
+              expire_stale_approvals
+              evaluate_pending_workers
+            rescue StandardError => e
+              Legion::Logging.error "[TierEvaluation] perform failed: #{e.message}" if defined?(Legion::Logging)
+            end
+
+            private
+
+            def expire_stale_approvals
+              return unless runner_available?
+
+              runner = runner_instance
+              ttl_hours = Legion::Settings.dig(:consent, :pending_ttl_hours) || 72
+              result = runner.expire_pending_approvals(ttl_hours: ttl_hours)
+              return unless result[:expired].to_i.positive? && defined?(Legion::Logging)
+
+              Legion::Logging.info "[TierEvaluation] expired #{result[:expired]} stale consent requests"
+            rescue StandardError => e
+              Legion::Logging.warn "[TierEvaluation] expire_stale_approvals failed: #{e.message}" if defined?(Legion::Logging)
+            end
+
+            def evaluate_pending_workers
+              return unless defined?(Legion::Data::Model::DigitalWorker)
+              return unless defined?(Legion::Extensions::Agentic::Consent::Models::ConsentMap)
+
+              # Find active workers that may be eligible for autonomous tier promotion
+              # but do not yet have a pending approval request.
+              active_workers = Legion::Data::Model::DigitalWorker
+                               .where(lifecycle_state: 'active')
+                               .exclude(consent_tier: 'autonomous')
+                               .all
+
+              active_workers.each do |worker|
+                evaluate_worker_for_promotion(worker)
+              rescue StandardError => e
+                Legion::Logging.warn "[TierEvaluation] evaluate failed for worker=#{worker.worker_id}: #{e.message}" if defined?(Legion::Logging)
+              end
+            rescue StandardError => e
+              Legion::Logging.warn "[TierEvaluation] evaluate_pending_workers failed: #{e.message}" if defined?(Legion::Logging)
+            end
+
+            def evaluate_worker_for_promotion(worker)
+              return unless promotion_eligible?(worker)
+              return if pending_request_exists?(worker.worker_id)
+
+              from_tier = worker.consent_tier
+              to_tier   = next_tier(from_tier)
+              return unless to_tier
+
+              runner = runner_instance
+              runner.request_promotion(
+                worker_id:    worker.worker_id,
+                from_tier:    from_tier,
+                to_tier:      to_tier,
+                requested_by: 'system:tier_evaluation'
+              )
+            end
+
+            def promotion_eligible?(worker)
+              return false unless worker.trust_score.to_f >= trust_threshold
+              return false unless (worker.risk_tier || 'low') == 'low'
+
+              true
+            end
+
+            def trust_threshold
+              Legion::Settings.dig(:consent, :promotion_trust_threshold) || 0.85
+            rescue StandardError
+              0.85
+            end
+
+            def next_tier(current_tier)
+              hierarchy = %w[supervised inform consult autonomous]
+              idx = hierarchy.index(current_tier)
+              return nil unless idx
+              return nil if idx >= hierarchy.length - 1
+
+              hierarchy[idx + 1]
+            end
+
+            def pending_request_exists?(worker_id)
+              Legion::Extensions::Agentic::Consent::Models::ConsentMap
+                .pending_for_worker(worker_id).any?
+            end
+
+            def runner_available?
+              defined?(Legion::Extensions::Agentic::Consent::Runners::Consent)
+            end
+
+            def runner_instance
+              Object.new.extend(Legion::Extensions::Agentic::Consent::Runners::Consent)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/extensions-agentic/lex-consent/lib/legion/extensions/agentic/consent/models/consent_map.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+return unless defined?(Legion::Data)
+
+module Legion
+  module Extensions
+    module Agentic
+      module Consent
+        module Models
+          class ConsentMap < Legion::Data::Model::Base
+            set_dataset :consent_maps
+
+            STATES = %w[pending_approval approved rejected expired].freeze
+
+            def self.pending
+              where(state: 'pending_approval')
+            end
+
+            def self.for_worker(worker_id)
+              where(worker_id: worker_id)
+            end
+
+            def self.pending_for_worker(worker_id)
+              where(worker_id: worker_id, state: 'pending_approval')
+            end
+
+            def approve!(approver:, notes: nil)
+              update(
+                state:       'approved',
+                resolved_by: approver,
+                resolved_at: Time.now.utc,
+                notes:       notes,
+                updated_at:  Time.now.utc
+              )
+            end
+
+            def reject!(approver:, reason: nil)
+              update(
+                state:       'rejected',
+                resolved_by: approver,
+                resolved_at: Time.now.utc,
+                notes:       reason,
+                updated_at:  Time.now.utc
+              )
+            end
+
+            def expire!
+              update(
+                state:      'expired',
+                updated_at: Time.now.utc
+              )
+            end
+
+            def pending?
+              state == 'pending_approval'
+            end
+
+            def approved?
+              state == 'approved'
+            end
+
+            def rejected?
+              state == 'rejected'
+            end
+
+            def expired?
+              state == 'expired'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/extensions-agentic/lex-consent/lib/legion/extensions/agentic/consent/runners/consent.rb

@@ -0,0 +1,210 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Agentic
+      module Consent
+        module Runners
+          module Consent
+            # Request human approval for a worker's autonomous tier promotion.
+            # Creates a ConsentMap record in pending_approval state.
+            #
+            # @param worker_id [String] the worker requesting promotion
+            # @param from_tier [String] current consent tier
+            # @param to_tier [String] requested consent tier
+            # @param requested_by [String] identity requesting the promotion
+            # @param context [Hash] optional metadata about why promotion is requested
+            # @return [Hash]
+            def request_promotion(worker_id:, from_tier:, to_tier:, **opts)
+              requested_by = opts.fetch(:requested_by, 'system')
+              context = opts.fetch(:context, {})
+
+              return { success: false, reason: :model_unavailable } unless defined?(Legion::Extensions::Agentic::Consent::Models::ConsentMap)
+
+              existing = Legion::Extensions::Agentic::Consent::Models::ConsentMap
+                         .pending_for_worker(worker_id).first
+
+              if existing
+                Legion::Logging.info "[lex-consent] promotion already pending for worker=#{worker_id}" if defined?(Legion::Logging)
+                return { success: false, reason: :already_pending, consent_map_id: existing.id }
+              end
+
+              record = Legion::Extensions::Agentic::Consent::Models::ConsentMap.create(
+                worker_id:    worker_id,
+                from_tier:    from_tier,
+                to_tier:      to_tier,
+                requested_by: requested_by,
+                state:        'pending_approval',
+                context:      defined?(Legion::JSON) ? Legion::JSON.dump(context) : context.to_json,
+                created_at:   Time.now.utc,
+                updated_at:   Time.now.utc
+              )
+
+              if defined?(Legion::Events)
+                Legion::Events.emit('consent.promotion_requested', {
+                                      worker_id:      worker_id,
+                                      from_tier:      from_tier,
+                                      to_tier:        to_tier,
+                                      requested_by:   requested_by,
+                                      consent_map_id: record.id,
+                                      at:             Time.now.utc
+                                    })
+              end
+
+              Legion::Logging.info "[lex-consent] promotion requested worker=#{worker_id} #{from_tier}->#{to_tier} id=#{record.id}" if defined?(Legion::Logging)
+
+              { success: true, consent_map_id: record.id, state: 'pending_approval' }
+            rescue StandardError => e
+              Legion::Logging.error "[lex-consent] request_promotion failed: #{e.message}" if defined?(Legion::Logging)
+              { success: false, reason: e.message }
+            end
+
+            # Approve a pending tier promotion request.
+            #
+            # @param consent_map_id [Integer] the ConsentMap record to approve
+            # @param approver [String] identity of the approver
+            # @param notes [String] optional approval notes
+            # @return [Hash]
+            def approve_promotion(consent_map_id:, approver:, notes: nil, **)
+              return { success: false, reason: :model_unavailable } unless defined?(Legion::Extensions::Agentic::Consent::Models::ConsentMap)
+
+              record = Legion::Extensions::Agentic::Consent::Models::ConsentMap[consent_map_id.to_i]
+              return { success: false, reason: :not_found } unless record
+              return { success: false, reason: :not_pending, state: record.state } unless record.pending?
+
+              record.approve!(approver: approver, notes: notes)
+
+              apply_promotion(record)
+
+              if defined?(Legion::Events)
+                Legion::Events.emit('consent.promotion_approved', {
+                                      consent_map_id: record.id,
+                                      worker_id:      record.worker_id,
+                                      from_tier:      record.from_tier,
+                                      to_tier:        record.to_tier,
+                                      approver:       approver,
+                                      at:             Time.now.utc
+                                    })
+              end
+
+              Legion::Logging.info "[lex-consent] approved consent_map_id=#{record.id} worker=#{record.worker_id} by=#{approver}" if defined?(Legion::Logging)
+
+              { success: true, consent_map_id: record.id, worker_id: record.worker_id, state: 'approved', to_tier: record.to_tier }
+            rescue StandardError => e
+              Legion::Logging.error "[lex-consent] approve_promotion failed: #{e.message}" if defined?(Legion::Logging)
+              { success: false, reason: e.message }
+            end
+
+            # Reject a pending tier promotion request.
+            #
+            # @param consent_map_id [Integer] the ConsentMap record to reject
+            # @param approver [String] identity of the approver
+            # @param reason [String] rejection reason (required)
+            # @return [Hash]
+            def reject_promotion(consent_map_id:, approver:, reason:, **)
+              return { success: false, reason: :model_unavailable } unless defined?(Legion::Extensions::Agentic::Consent::Models::ConsentMap)
+
+              return { success: false, reason: :missing_reason } if reason.nil? || reason.to_s.strip.empty?
+
+              record = Legion::Extensions::Agentic::Consent::Models::ConsentMap[consent_map_id.to_i]
+              return { success: false, reason: :not_found } unless record
+              return { success: false, reason: :not_pending, state: record.state } unless record.pending?
+
+              record.reject!(approver: approver, reason: reason)
+
+              if defined?(Legion::Events)
+                Legion::Events.emit('consent.promotion_rejected', {
+                                      consent_map_id: record.id,
+                                      worker_id:      record.worker_id,
+                                      from_tier:      record.from_tier,
+                                      to_tier:        record.to_tier,
+                                      approver:       approver,
+                                      reason:         reason,
+                                      at:             Time.now.utc
+                                    })
+              end
+
+              Legion::Logging.info "[lex-consent] rejected consent_map_id=#{record.id} worker=#{record.worker_id} by=#{approver}" if defined?(Legion::Logging)
+
+              { success: true, consent_map_id: record.id, worker_id: record.worker_id, state: 'rejected' }
+            rescue StandardError => e
+              Legion::Logging.error "[lex-consent] reject_promotion failed: #{e.message}" if defined?(Legion::Logging)
+              { success: false, reason: e.message }
+            end
+
+            # Expire all pending promotion requests older than ttl_hours.
+            # Intended to be run on a schedule (e.g. every hour).
+            #
+            # @param ttl_hours [Integer] how many hours before a pending request expires (default 72)
+            # @return [Hash]
+            def expire_pending_approvals(ttl_hours: 72, **)
+              return { success: false, reason: :model_unavailable } unless defined?(Legion::Extensions::Agentic::Consent::Models::ConsentMap)
+
+              cutoff = Time.now.utc - (ttl_hours * 3600)
+              expired_count = 0
+
+              Legion::Extensions::Agentic::Consent::Models::ConsentMap
+                .pending
+                .where { created_at < cutoff }
+                .each do |record|
+                  record.expire!
+                  expired_count += 1
+
+                  if defined?(Legion::Events)
+                    Legion::Events.emit('consent.promotion_expired', {
+                                          consent_map_id: record.id,
+                                          worker_id:      record.worker_id,
+                                          from_tier:      record.from_tier,
+                                          to_tier:        record.to_tier,
+                                          at:             Time.now.utc
+                                        })
+                  end
+                rescue StandardError => e
+                  Legion::Logging.warn "[lex-consent] expire failed for id=#{record.id}: #{e.message}" if defined?(Legion::Logging)
+                end
+
+              Legion::Logging.info "[lex-consent] expired #{expired_count} pending approvals (ttl=#{ttl_hours}h)" if defined?(Legion::Logging)
+
+              { success: true, expired: expired_count, ttl_hours: ttl_hours }
+            rescue StandardError => e
+              Legion::Logging.error "[lex-consent] expire_pending_approvals failed: #{e.message}" if defined?(Legion::Logging)
+              { success: false, reason: e.message }
+            end
+
+            # List pending promotion requests.
+            #
+            # @param worker_id [String] optional filter by worker
+            # @return [Hash]
+            def list_pending(worker_id: nil, **)
+              return { success: false, reason: :model_unavailable } unless defined?(Legion::Extensions::Agentic::Consent::Models::ConsentMap)
+
+              ds = Legion::Extensions::Agentic::Consent::Models::ConsentMap.pending
+              ds = ds.where(worker_id: worker_id) if worker_id
+              records = ds.all
+
+              { success: true, count: records.size, pending: records.map(&:values) }
+            rescue StandardError => e
+              Legion::Logging.error "[lex-consent] list_pending failed: #{e.message}" if defined?(Legion::Logging)
+              { success: false, reason: e.message }
+            end
+
+            private
+
+            def apply_promotion(record)
+              return unless defined?(Legion::Data::Model::DigitalWorker)
+
+              worker = Legion::Data::Model::DigitalWorker.first(worker_id: record.worker_id)
+              return unless worker
+
+              worker.update(consent_tier: record.to_tier, updated_at: Time.now.utc)
+
+              Legion::Logging.info "[lex-consent] applied tier promotion worker=#{record.worker_id} tier=#{record.to_tier}" if defined?(Legion::Logging)
+            rescue StandardError => e
+              Legion::Logging.warn "[lex-consent] apply_promotion failed for worker=#{record.worker_id}: #{e.message}" if defined?(Legion::Logging)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/extensions-agentic/lex-consent/lib/legion/extensions/agentic/consent/version.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Agentic
+      module Consent
+        VERSION = '0.1.0'
+      end
+    end
+  end
+end

data/extensions-agentic/lex-consent/lib/legion/extensions/agentic/consent.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative 'consent/version'
+require_relative 'consent/models/consent_map'
+require_relative 'consent/runners/consent'
+require_relative 'consent/actors/tier_evaluation'
+
+module Legion
+  module Extensions
+    module Agentic
+      module Consent
+      end
+    end
+  end
+end

data/extensions-agentic/lex-reconciliation/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec
+
+group :development, :test do
+  gem 'rspec', '~> 3.12'
+  gem 'rubocop', '~> 1.50'
+  gem 'rubocop-rspec', '~> 2.20'
+end

data/extensions-agentic/lex-reconciliation/README.md

@@ -0,0 +1,73 @@
+# lex-reconciliation
+
+A [LegionIO](https://github.com/LegionIO) extension for drift detection and reconciliation.
+
+Detects drift between expected (desired) state and actual (observed) state for managed resources,
+persists drift events to a log, and runs periodic reconciliation cycles that emit events for
+downstream runners to act on.
+
+## Components
+
+### `Runners::DriftChecker`
+
+Detects drift between expected and actual state for one or more resources.
+
+ruby
+result = drift_checker.check(
+  resource: 'my-service',
+  expected: { status: 'running', replicas: 3 },
+  actual:   { status: 'stopped', replicas: 1 },
+  severity: 'high'
+)
+# => { drifted: true, drift_id: '...', differences: [...], summary: { total: 2 } }
+
+
+### `DriftLog`
+
+Persistent drift event log backed by `legion-data`.
+
+ruby
+Legion::Extensions::Reconciliation::DriftLog.record(
+  resource:   'my-service',
+  expected:   { status: 'running' },
+  actual:     { status: 'stopped' },
+  severity:   'high'
+)
+
+Legion::Extensions::Reconciliation::DriftLog.open_entries(severity: 'high')
+Legion::Extensions::Reconciliation::DriftLog.summary
+
+
+### `Actors::ReconciliationCycle`
+
+Interval actor (default: every 5 minutes) that checks all configured targets and emits
+`reconciliation.drift_detected` and `reconciliation.reconcile_requested` events.
+
+Configure targets in settings:
+
+
+{
+  "extensions": {
+    "reconciliation": {
+      "interval": 300,
+      "targets": [
+        {
+          "resource": "my-service",
+          "expected": { "status": "running", "replicas": 3 },
+          "severity": "high"
+        }
+      ]
+    }
+  }
+}
+
+
+## Installation
+
+ruby
+gem 'lex-reconciliation'
+
+
+## License
+
+MIT

data/extensions-agentic/lex-reconciliation/lex-reconciliation.gemspec

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative 'lib/legion/extensions/reconciliation/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'lex-reconciliation'
+  spec.version       = Legion::Extensions::Reconciliation::VERSION
+  spec.authors       = ['Esity']
+  spec.email         = ['matthewdiverson@gmail.com']
+  spec.summary       = 'A LegionIO Extension for drift detection and reconciliation'
+  spec.description   = 'A LegionIO Extension (LEX) for detecting drift between expected and actual state and reconciling differences'
+  spec.homepage      = 'https://github.com/LegionIO/lex-reconciliation'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 3.4'
+
+  spec.metadata = {
+    'homepage_uri'          => spec.homepage,
+    'source_code_uri'       => spec.homepage,
+    'rubygems_mfa_required' => 'true'
+  }
+
+  spec.files = Dir['lib/**/*', 'LICENSE', 'README.md']
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'legionio', '>= 1.2'
+end