RubyGems - legionio - Versions diffs - 1.6.8 → 1.6.9 - Mend

legionio 1.6.8 → 1.6.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/.rubocop.yml +1 -0
data/CHANGELOG.md +23 -0
data/Gemfile +2 -0
data/integration/self_generate_spec.rb +398 -0
data/lib/legion/extensions/helpers/lex.rb +2 -0
data/lib/legion/extensions/helpers/secret.rb +144 -0
data/lib/legion/version.rb +1 -1
metadata +3 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cd3587ed7997208005a0a8746aca477701811f8e506c1d8d9345a40d180317fc
-  data.tar.gz: e805096f6577c2b1317807d50beab27bbb91527e2a02807231596fbd6a1d91ca
+  metadata.gz: e67d5abaf8c274cad673af9996e29577949a9e945c66ee099b1c8e23eeff4a3f
+  data.tar.gz: 4c3113323f086005de660cd84128036d59919ee2f2482ce84a855334bab007c4
 SHA512:
-  metadata.gz: 5d6c20753f9803fc34cd4bb577304bc31d708df54f9e49f266dbb32073c3d06835e2d625efbed610244b5888085d823222627fb07ad889c1ff85d37d028f603a
-  data.tar.gz: 0a1dbbff5e24580f3b8b97fb434c626f029f449501b138d0a29f9fcb0eb15edd05808c5b34353260a6bdc4808d4f747362d8f4e6e9f3afdd47362b56035c1e0f
+  metadata.gz: d221a3d63b90d155b24fabd47594aef550467d6136a96092208a7f710455f87f416ae4110815e323c7bfcb83aec13ec4c41dff7b2db14b0846dafbe55ca9be66
+  data.tar.gz: b495e7daddcbb0e5cbda7c93f152ca285e044972ee8b74c9d432f91e97c4536d1087539f7b8daf784910cb359935453b6aa1f9e972c8d81b688d55c8986e2f34

data/.rubocop.yml CHANGED Viewed

@@ -32,6 +32,7 @@ Metrics/BlockLength:
   Max: 40
   Exclude:
     - 'spec/**/*'
+    - 'integration/**/*'
     - 'legionio.gemspec'
     - 'lib/legion/cli/chat_command.rb'
     - 'lib/legion/cli/plan_command.rb'

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,28 @@
 # Legion Changelog
+## [Unreleased]
+### Added
+- End-to-end integration test for TBI Phase 5 self-generating functions loop (9 examples)
+- Test dependencies: lex-codegen, lex-eval added to Gemfile for integration testing
+- Specs for `legion codegen` CLI subcommand (8 subcommands, 22 examples)
+- Specs for `/api/codegen/*` API routes (8 routes, 20 examples)
+- Specs for `setup_generated_functions` boot loading in Service (4 examples)
+### Fixed
+- Guard `Legion::Transport::Messages::Dynamic` stub definition in integration spec with `unless defined?` to prevent redefinition conflicts when real implementations are present
+- Wrap `lex-codegen` and `lex-eval` requires in `LoadError` rescue guards in integration spec; sets `LEGION_CODEGEN_EXTENSION_AVAILABLE` / `LEGION_EVAL_EXTENSION_AVAILABLE` flags and skips entire example group via `before(:all)` when extensions are unavailable
+- Move `Legion::LLM.chat` stub to `RSpec.configure before(:each)` block so it always intercepts regardless of whether the real `legion-llm` gem is loaded, preventing external LLM calls in integration tests
+- Fix `service_setup_apollo_spec` "starts Apollo::Local" example: stub `Legion::Apollo.start` to prevent internal double-call of `Apollo::Local.start`
+## [1.6.9] - 2026-03-26
+### Added
+- `Helpers::Secret` mixin with `SecretAccessor` for per-user and per-lex Vault KV v2 secret access
+- Identity resolution chain: Kerberos principal -> Entra UPN -> explicit user -> ENV['USER']
+- `secret[:name]` / `secret[:name] = { ... }` / `secret.write` / `secret.exist?` / `secret.delete`
+- `shared: true` option for extension-scoped (non-user) secrets
 ## [1.6.8] - 2026-03-26
 ### Added

data/Gemfile CHANGED Viewed

@@ -23,6 +23,8 @@ gem 'mysql2'
 group :test do
   gem 'graphql'
+  gem 'lex-codegen'
+  gem 'lex-eval'
   gem 'rack-test'
   gem 'rake'
   gem 'rspec'

data/integration/self_generate_spec.rb ADDED Viewed

@@ -0,0 +1,398 @@
+# frozen_string_literal: true
+require 'rspec'
+require 'tmpdir'
+require 'fileutils'
+# Load core gems
+require 'legion/json'
+require 'legion/logging'
+require 'legion/settings'
+# Stub modules that may not be available in isolation
+unless defined?(Legion::Transport::Messages::Dynamic)
+  module Legion
+    module Transport
+      module Messages
+        class Dynamic
+          attr_reader :function, :data
+          def initialize(function:, data:, **)
+            @function = function
+            @data = data
+          end
+          def publish
+            Legion::Transport::Local.publish('codegen', @function, Legion::JSON.dump(@data))
+          end
+        end
+      end
+    end
+  end
+end
+# Ensure Legion::LLM module exists so it can be stubbed, but don't overwrite a real implementation.
+unless defined?(Legion::LLM)
+  module Legion
+    module LLM
+    end
+  end
+end
+# Load transport Local for InProcess mode
+require 'legion/transport/local'
+# Load codegen extension
+begin
+  require 'legion/extensions/codegen'
+  LEGION_CODEGEN_EXTENSION_AVAILABLE = true
+rescue LoadError => e
+  LEGION_CODEGEN_EXTENSION_AVAILABLE = false
+  warn "lex-codegen / legion codegen extension not available; skipping dependent behavior: #{e.message}"
+end
+# Load eval extension (only code_review runner + security evaluator)
+begin
+  require 'legion/extensions/eval'
+  LEGION_EVAL_EXTENSION_AVAILABLE = true
+rescue LoadError => e
+  LEGION_EVAL_EXTENSION_AVAILABLE = false
+  warn "lex-eval / legion eval extension not available; skipping dependent behavior: #{e.message}"
+end
+# Stub MCP Server if not available
+unless defined?(Legion::MCP::Server)
+  module Legion
+    module MCP
+      module Server
+        @tool_registry = []
+        @tool_registry_lock = Mutex.new
+        class << self
+          attr_reader :tool_registry
+          def register_tool(tool_class)
+            @tool_registry_lock.synchronize do
+              return if tool_registry.any? { |tc| tc.respond_to?(:tool_name) && tc.tool_name == tool_class.tool_name }
+              tool_registry << tool_class
+            end
+          end
+          def unregister_tool(tool_name)
+            @tool_registry_lock.synchronize do
+              tool_registry.reject! { |tc| tc.respond_to?(:tool_name) && tc.tool_name == tool_name }
+            end
+          end
+          def reset_caches!; end
+        end
+      end
+    end
+  end
+end
+LLM_STUB_CODE = <<~RUBY
+  # frozen_string_literal: true
+  module Legion
+    module Generated
+      module GreetUser
+        extend self
+        def greet(name:)
+          { success: true, greeting: "Hello, \#{name}!" }
+        end
+      end
+    end
+  end
+RUBY
+RSpec.configure do |config|
+  config.disable_monkey_patching!
+  config.expect_with(:rspec) { |c| c.syntax = :expect }
+  config.before(:each) do
+    allow(Legion::LLM).to receive(:chat) do |messages:, _caller: nil, **_kwargs|
+      messages.last[:content]
+      Struct.new(:content).new(LLM_STUB_CODE)
+    end
+  end
+end
+RSpec.describe 'Self-Generating Functions End-to-End' do
+  # Skip this entire example group if the required extensions are not available.
+  before(:all) do
+    extensions_unavailable =
+      (defined?(LEGION_CODEGEN_EXTENSION_AVAILABLE) && !LEGION_CODEGEN_EXTENSION_AVAILABLE) ||
+      (defined?(LEGION_EVAL_EXTENSION_AVAILABLE) && !LEGION_EVAL_EXTENSION_AVAILABLE)
+    skip('Legion Codegen/Eval extensions are not available; skipping self-generate integration specs.') if extensions_unavailable
+  end
+  let(:output_dir) { Dir.mktmpdir('legion_e2e_codegen') }
+  before do
+    # Reset Local transport
+    Legion::Transport::Local.reset! if Legion::Transport::Local.respond_to?(:reset!)
+    # Reset GeneratedRegistry (only if Codegen extension is loaded)
+    Legion::Extensions::Codegen::Helpers::GeneratedRegistry.reset! if defined?(Legion::Extensions::Codegen::Helpers::GeneratedRegistry)
+    # Configure settings for test
+    allow(Legion::Settings).to receive(:dig).and_return(nil)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :enabled).and_return(true)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :cooldown_seconds).and_return(0)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :max_gaps_per_cycle).and_return(5)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :runner_method, :output_dir).and_return(output_dir)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :validation).and_return(
+      { syntax_check: true, run_specs: false, llm_review: false, max_retries: 2 }
+    )
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :corroboration, :enabled).and_return(false)
+    allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :corroboration, :min_agents).and_return(2)
+    allow(Legion::Settings).to receive(:dig).with(:node, :name).and_return('test-node')
+    allow(Legion::Settings).to receive(:[]).and_return(nil)
+  end
+  after do
+    FileUtils.rm_rf(output_dir)
+  end
+  describe 'gap detection -> generation -> validation -> registration' do
+    let(:synthetic_gap) do
+      {
+        gap_id:           'gap_e2e_001',
+        gap_type:         'unmatched_intent',
+        intent:           'greet user',
+        occurrence_count: 3,
+        priority:         0.7,
+        metadata:         {}
+      }
+    end
+    it 'generates code from a gap and passes validation' do
+      # Phase 1: GapSubscriber receives a gap and generates code
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      expect(generation[:generation_id]).to start_with('gen_')
+      expect(generation[:tier]).to eq(:simple)
+      expect(generation[:code]).to include('module Legion')
+      expect(generation[:file_path]).to start_with(output_dir)
+      expect(File.exist?(generation[:file_path])).to be true
+    end
+    it 'validates generated code through the review pipeline' do
+      # Phase 1: Generate
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      # Phase 2: Review (simulating what CodeReviewSubscriber does)
+      review = Legion::Extensions::Eval::Runners::CodeReview.review_generated(
+        code:      generation[:code],
+        spec_code: generation[:spec_code],
+        context:   { gap_type: 'unmatched_intent', intent: 'greet user' }
+      )
+      expect(review[:passed]).to be true
+      expect(review[:verdict]).to eq(:approve)
+      expect(review[:confidence]).to be > 0.0
+      expect(review[:stages][:syntax][:passed]).to be true
+      expect(review[:stages][:security][:passed]).to be true
+    end
+    it 'registers approved code via ReviewHandler' do
+      # Phase 1: Generate
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      # Phase 2: Persist to registry
+      registry_record = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      expect(registry_record[:status]).to eq('pending')
+      # Phase 3: Review
+      review_result = {
+        generation_id: generation[:generation_id],
+        verdict:       :approve,
+        confidence:    0.95,
+        issues:        [],
+        scores:        {}
+      }
+      # Phase 4: ReviewHandler processes the verdict
+      result = Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(review: review_result)
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:approved)
+      # Verify registry updated
+      record = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.get(id: generation[:generation_id])
+      expect(record[:status]).to eq('approved')
+    end
+    it 'parks rejected code' do
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      result = Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(
+        review: { generation_id: generation[:generation_id], verdict: :reject, confidence: 0.1, issues: ['unsafe code'] }
+      )
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:parked)
+      record = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.get(id: generation[:generation_id])
+      expect(record[:status]).to eq('parked')
+    end
+    it 'retries on revise verdict up to max_retries then parks' do
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:            generation[:generation_id],
+          gap_id:        generation[:gap_id],
+          gap_type:      generation[:gap_type],
+          tier:          generation[:tier],
+          name:          'greet_user',
+          file_path:     generation[:file_path],
+          spec_path:     generation[:spec_path],
+          attempt_count: 2
+        }
+      )
+      result = Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(
+        review: { generation_id: generation[:generation_id], verdict: :revise, confidence: 0.4, issues: ['needs improvement'] }
+      )
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:parked)
+    end
+    it 'exercises the full loop: generate -> validate -> register -> boot load' do
+      # Step 1: Generate
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(synthetic_gap)
+      expect(generation[:success]).to be true
+      # Step 2: Validate
+      review = Legion::Extensions::Eval::Runners::CodeReview.review_generated(
+        code: generation[:code], spec_code: generation[:spec_code], context: {}
+      )
+      expect(review[:verdict]).to eq(:approve)
+      # Step 3: Persist + Approve
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      Legion::Extensions::Codegen::Runners::ReviewHandler.handle_verdict(
+        review: { generation_id: generation[:generation_id], verdict: :approve, confidence: 0.95, issues: [] }
+      )
+      # Step 4: Boot load (simulates service restart)
+      loaded = Legion::Extensions::Codegen::Helpers::GeneratedRegistry.load_on_boot
+      expect(loaded).to eq(1)
+      # Step 5: Verify the generated module is actually loaded
+      expect(defined?(Legion::Generated::GreetUser)).to be_truthy
+      result = Legion::Generated::GreetUser.greet(name: 'World')
+      expect(result[:success]).to be true
+      expect(result[:greeting]).to eq('Hello, World!')
+    end
+  end
+  describe 'tier classification' do
+    it 'classifies low occurrence gaps as simple' do
+      tier = Legion::Extensions::Codegen::Helpers::TierClassifier.classify(gap: { occurrence_count: 5 })
+      expect(tier).to eq(:simple)
+    end
+    it 'classifies high occurrence gaps as complex' do
+      allow(Legion::Settings).to receive(:dig).with(:codegen, :self_generate, :tier, :simple_max_occurrences).and_return(10)
+      tier = Legion::Extensions::Codegen::Helpers::TierClassifier.classify(gap: { occurrence_count: 15 })
+      expect(tier).to eq(:complex)
+    end
+  end
+  describe 'ReviewSubscriber actor' do
+    it 'routes verdict through ReviewHandler' do
+      subscriber = Object.new
+      subscriber.extend(Legion::Extensions::Codegen::Actor::GapSubscriber)
+      generation = subscriber.action(
+        gap_id: 'gap_rs_001', gap_type: 'unmatched_intent', intent: 'greet user',
+        occurrence_count: 3, priority: 0.7
+      )
+      expect(generation[:success]).to be true
+      Legion::Extensions::Codegen::Helpers::GeneratedRegistry.persist(
+        generation: {
+          id:        generation[:generation_id],
+          gap_id:    generation[:gap_id],
+          gap_type:  generation[:gap_type],
+          tier:      generation[:tier],
+          name:      'greet_user',
+          file_path: generation[:file_path],
+          spec_path: generation[:spec_path]
+        }
+      )
+      review_sub = Object.new
+      review_sub.extend(Legion::Extensions::Codegen::Actor::ReviewSubscriber)
+      result = review_sub.action(
+        generation_id: generation[:generation_id],
+        verdict:       'approve',
+        confidence:    0.9,
+        issues:        [],
+        scores:        {}
+      )
+      expect(result[:success]).to be true
+      expect(result[:action]).to eq(:approved)
+    end
+  end
+end

data/lib/legion/extensions/helpers/lex.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'legion/json/helper'
+require_relative 'secret'
 module Legion
   module Extensions
@@ -9,6 +10,7 @@ module Legion
         include Legion::Extensions::Helpers::Core
         include Legion::Extensions::Helpers::Logger
         include Legion::JSON::Helper
+        include Legion::Extensions::Helpers::Secret
         module ClassMethods
           def expose_as_mcp_tool(value = :_unset)

data/lib/legion/extensions/helpers/secret.rb ADDED Viewed

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+module Legion
+  module Extensions
+    module Helpers
+      class SecretAccessor
+        def initialize(lex_name:)
+          @lex_name = lex_name
+          @warned = false
+        end
+        def [](name, shared: false, user: nil)
+          return nil unless crypt_available?
+          Legion::Crypt.get(resolve_path(name, shared: shared, user: user))
+        rescue StandardError => e
+          log_warn("secret read failed for #{name}: #{e.message}")
+          nil
+        end
+        def []=(name, value)
+          return unless crypt_available?
+          Legion::Crypt.write(resolve_path(name, shared: false, user: nil), **value)
+        rescue StandardError => e
+          log_warn("secret write failed for #{name}: #{e.message}")
+        end
+        def write(name, shared: false, user: nil, **data)
+          return false unless crypt_available?
+          Legion::Crypt.write(resolve_path(name, shared: shared, user: user), **data)
+          true
+        rescue StandardError => e
+          log_warn("secret write failed for #{name}: #{e.message}")
+          false
+        end
+        def exist?(name, shared: false, user: nil)
+          return false unless crypt_available?
+          Legion::Crypt.exist?(resolve_path(name, shared: shared, user: user))
+        rescue StandardError
+          false
+        end
+        def delete(name, shared: false, user: nil)
+          return false unless crypt_available?
+          Legion::Crypt.delete(resolve_path(name, shared: shared, user: user))
+          true
+        rescue StandardError => e
+          log_warn("secret delete failed for #{name}: #{e.message}")
+          false
+        end
+        private
+        def resolve_path(name, shared:, user:)
+          prefix = shared ? 'shared' : "users/#{resolve_user(user)}"
+          "#{prefix}/#{@lex_name}/#{name}"
+        end
+        def resolve_user(explicit_user)
+          return explicit_user if explicit_user
+          Secret.resolved_identity || ENV.fetch('USER', 'default')
+        end
+        def crypt_available?
+          return false unless defined?(Legion::Crypt)
+          unless @warned || vault_connected?
+            log_warn('Vault not connected — secret operations may fail')
+            @warned = true
+          end
+          true
+        end
+        def vault_connected?
+          defined?(Legion::Settings) &&
+            Legion::Settings[:crypt]&.dig(:vault, :connected) == true
+        rescue StandardError
+          false
+        end
+        def log_warn(msg)
+          Legion::Logging.warn("[Secret] #{msg}") if defined?(Legion::Logging)
+        end
+      end
+      module Secret
+        @resolved_identity = nil
+        @identity_source = nil
+        class << self
+          attr_reader :resolved_identity, :identity_source
+          def resolve_identity!
+            @resolved_identity = nil
+            @identity_source = nil
+            if defined?(Legion::Crypt) && Legion::Crypt.respond_to?(:kerberos_principal) &&
+               Legion::Crypt.kerberos_principal
+              @resolved_identity = Legion::Crypt.kerberos_principal
+              @identity_source = :kerberos
+            elsif entra_principal
+              @resolved_identity = entra_principal
+              @identity_source = :entra
+            end
+            @resolved_identity
+          end
+          def reset_identity!
+            @resolved_identity = nil
+            @identity_source = nil
+          end
+          private
+          def entra_principal
+            return nil unless defined?(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache)
+            cache = Legion::Extensions::MicrosoftTeams::Helpers::TokenCache
+            return nil unless cache.respond_to?(:instance)
+            instance = cache.instance
+            return nil unless instance.respond_to?(:user_principal)
+            principal = instance.user_principal
+            principal unless principal.nil? || principal.empty?
+          rescue StandardError
+            nil
+          end
+        end
+        def secret
+          @secret ||= SecretAccessor.new(lex_name: lex_name)
+        end
+      end
+    end
+  end
+end

data/lib/legion/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Legion
-  VERSION = '1.6.8'
+  VERSION = '1.6.9'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.6.8
+  version: 1.6.9
 platform: ruby
 authors:
 - Esity
@@ -433,6 +433,7 @@ files:
 - docs/README.md
 - exe/legion
 - exe/legionio
+- integration/self_generate_spec.rb
 - legionio.gemspec
 - lib/legion.rb
 - lib/legion/alerts.rb
@@ -767,6 +768,7 @@ files:
 - lib/legion/extensions/helpers/lex.rb
 - lib/legion/extensions/helpers/llm.rb
 - lib/legion/extensions/helpers/logger.rb
+- lib/legion/extensions/helpers/secret.rb
 - lib/legion/extensions/helpers/segments.rb
 - lib/legion/extensions/helpers/task.rb
 - lib/legion/extensions/helpers/transport.rb