legionio 1.7.24 → 1.7.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e469923d32f8ead43a892e473c93737139885622f40683a63aa0a757a0c282d
-  data.tar.gz: 2e88c8468007f617c075178410da534337931e37a3c50fb11a67fa3801807689
+  metadata.gz: d65ff77ca667361b558a97d1da1c3d5d2b1090bb4aad5559532406cd18e781a7
+  data.tar.gz: 7583822cc4cf804703b8a733be36bb711d1cae70724a49dc98cafea6583268ab
 SHA512:
-  metadata.gz: 4d7cd5a0513e26ca92bf5b909ac924a7041bbe2b74602d6a552357d155f9101c0d81b75c6d4db0c06b9748b08fd174363ad7d26ffa021f82001923d428ecd5ec
-  data.tar.gz: 252dc15217cf3d320fa9f96703967d9c9320f2d3e26d18d91c992a8819dbf34ced50eca926ddcba0a3c2be1a74619d3f6106d20ca9f09919ba6c32901b8d5197
+  metadata.gz: 06f7712d8c9c6e944890ba2c55efbdf3463a6c39e906017cede6d3401215de9144e7c916c39c8b981e8f6ea6646a5439bcc10a399443fe7642b3ab06e3ef2c7a
+  data.tar.gz: 5e5819fc7973e9cb6de4b64e88c40b74d033fd666c4b9585726a3b1e87b9468f6cf4759fed226a9c3a7bc755a10b9267403dcd001d2c10f08b7aaf36e6264812

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Legion Changelog
 
+## [1.7.25] - 2026-04-06
+
+### Added
+- Wire Format Phase 3 Group 2: `Identity::Request::SOURCE_NORMALIZATION` constant — maps middleware-emitted source values (`:api_key`, `:local`, `:jwt`, `:kerberos`, `:system`) to canonical credential enum at `from_auth_context` construction time
+- Wire Format Phase 3 Group 2: `response_meta` in `API::Helpers` now includes `caller` block (`canonical_name`, `kind`, `source`) when the request is authenticated and `env['legion.principal']` is set by `Identity::Middleware`
+- Wire Format Phase 3 Group 2: `POST /api/llm/inference` wires `to_caller_hash` from the authenticated principal into the pipeline `caller:` field, replacing the hardcoded `{ type: :user, credential: :api }` fallback
+
 ## [1.7.24] - 2026-04-06
 
 ### Fixed

data/lib/legion/api/default_settings.rb

@@ -13,7 +13,8 @@ module Legion
           puma:            puma_defaults,
           bind_retries:    3,
           bind_retry_wait: 2,
-          tls:             tls_defaults
+          tls:             tls_defaults,
+          elastic_apm:     elastic_apm_defaults
         }
       end
 
@@ -31,6 +32,33 @@ module Legion
           enabled: false
         }
       end
+
+      def self.elastic_apm_defaults
+        {
+          enabled:                  false,
+          server_url:               'http://localhost:8200',
+          api_key:                  nil,
+          secret_token:             nil,
+          api_buffer_size:          256,
+          api_request_size:         '750kb',
+          api_request_time:         '10s',
+          capture_body:             'off',
+          capture_headers:          true,
+          capture_env:              true,
+          disable_send:             false,
+          environment:              nil,
+          hostname:                 nil,
+          ignore_url_patterns:      %w[/api/health /api/ready],
+          pool_size:                1,
+          service_name:             'LegionIO',
+          service_node_name:        nil,
+          service_version:          nil,
+          sample_rate:              1.0,
+          verify_server_cert:       true,
+          central_config:           true,
+          span_frames_min_duration: '5ms'
+        }
+      end
     end
   end
 end

data/lib/legion/api/helpers.rb

@@ -173,10 +173,23 @@ module Legion
       private
 
       def response_meta
-        {
+        meta = {
           timestamp: Time.now.utc.iso8601,
           node:      Legion::Settings[:client][:name]
         }
+
+        if authenticated? && defined?(Legion::Identity::Request)
+          req = env['legion.principal']
+          if req
+            meta[:caller] = {
+              canonical_name: req.canonical_name,
+              kind:           req.kind,
+              source:         req.source
+            }
+          end
+        end
+
+        meta
       end
 
       def page_limit

data/lib/legion/api/llm.rb

@@ -280,12 +280,19 @@ module Legion
             require 'legion/llm/pipeline/request' unless defined?(Legion::LLM::Pipeline::Request)
             require 'legion/llm/pipeline/executor' unless defined?(Legion::LLM::Pipeline::Executor)
 
+            principal  = defined?(Legion::Identity::Request) && env['legion.principal']
+            caller_ctx = if principal
+                           principal.to_caller_hash
+                         else
+                           { requested_by: { identity: caller_identity, type: :user, credential: :api } }
+                         end
+
             req = Legion::LLM::Pipeline::Request.build(
               messages:        messages,
               system:          body[:system],
               routing:         { provider: provider, model: model },
               tools:           tool_classes,
-              caller:          { requested_by: { identity: caller_identity, type: :user, credential: :api } },
+              caller:          caller_ctx,
               conversation_id: body[:conversation_id],
               metadata:        { requested_tools: requested_tools },
               stream:          streaming,

data/lib/legion/api/middleware/request_logger.rb

@@ -49,6 +49,25 @@ module Legion
           parts << "query=#{query}" if query
           parts.join(' ')
         end
+
+        def peek_body(env)
+          input = env['rack.input']
+          return '-' unless input.respond_to?(:read) && input.respond_to?(:rewind)
+
+          begin
+            input.rewind
+            raw = input.read(1024)
+            raw.to_s.gsub(/\s+/, ' ')[0, 512]
+          rescue StandardError
+            '-'
+          ensure
+            begin
+              input.rewind
+            rescue StandardError
+              nil
+            end
+          end
+        end
       end
     end
   end

data/lib/legion/api.rb

@@ -222,5 +222,7 @@ module Legion
 
     use Legion::API::Middleware::RequestLogger
     use Legion::Rbac::Middleware if defined?(Legion::Rbac::Middleware)
+    use ElasticAPM::Middleware if defined?(ElasticAPM::Middleware) &&
+                                  Legion::Settings.dig(:api, :elastic_apm, :enabled)
   end
 end

data/lib/legion/identity/request.rb

@@ -3,6 +3,19 @@
 module Legion
   module Identity
     class Request
+      # Maps middleware-emitted source values to the canonical credential enum.
+      # :local is emitted by Middleware#system_principal for unauthenticated loopback
+      # requests and must normalize to :system to maintain audit trail consistency.
+      # :jwt is intentionally kept distinct — JWT is the transport, not the provider.
+      # Entra-specific identification requires issuer inspection (Phase 7 concern).
+      SOURCE_NORMALIZATION = {
+        api_key:  :api,
+        jwt:      :jwt,
+        kerberos: :kerberos,
+        local:    :system,
+        system:   :system
+      }.freeze
+
       attr_reader :principal_id, :canonical_name, :kind, :groups, :source, :metadata
 
       def initialize(principal_id:, canonical_name:, kind:, groups: [], source: nil, metadata: {}) # rubocop:disable Metrics/ParameterLists
@@ -10,7 +23,7 @@ module Legion
         @canonical_name = canonical_name
         @kind           = kind
         @groups         = groups.freeze
-        @source         = source
+        @source         = SOURCE_NORMALIZATION.fetch(source&.to_sym, source)
         @metadata       = metadata.freeze
         freeze
       end
@@ -23,16 +36,19 @@ module Legion
 
       # Builds a Request from a parsed auth claims hash with symbol keys:
       #   { sub:, name:, preferred_username:, kind:, groups:, source: }
+      # The source value is normalized via SOURCE_NORMALIZATION at construction time.
       def self.from_auth_context(claims_hash)
         raw_name = claims_hash[:name] || claims_hash[:preferred_username] || ''
         canonical = raw_name.to_s.strip.downcase.gsub('.', '-')
+        raw_source = claims_hash[:source]&.to_sym
+        normalized_source = SOURCE_NORMALIZATION.fetch(raw_source, raw_source)
 
         new(
           principal_id:   claims_hash[:sub],
           canonical_name: canonical,
           kind:           claims_hash[:kind] || :human,
           groups:         claims_hash[:groups] || [],
-          source:         claims_hash[:source]
+          source:         normalized_source
         )
       end
 

data/lib/legion/service.rb

@@ -327,21 +327,12 @@ module Legion
     end
 
     def setup_apm
-      apm_settings = Legion::Settings[:apm] || {}
+      apm_settings = Legion::Settings.dig(:api, :elastic_apm) || {}
       return unless apm_settings[:enabled]
 
       require 'elastic-apm'
 
-      config = {
-        service_name:            apm_settings[:service_name] || "legion-#{Legion::Settings[:client][:name]}",
-        server_url:              apm_settings[:server_url] || 'http://localhost:8200',
-        environment:             apm_settings[:environment] || Legion::Settings[:environment] || 'development',
-        secret_token:            apm_settings[:secret_token],
-        api_key:                 apm_settings[:api_key],
-        log_level:               apm_settings[:log_level]&.to_sym || Logger::WARN,
-        transaction_sample_rate: apm_settings[:sample_rate] || 1.0
-      }.compact
-
+      config = build_apm_config(apm_settings)
       ElasticAPM.start(**config)
       @apm_running = true
       log.info "Elastic APM started: server=#{config[:server_url]} service=#{config[:service_name]}"
@@ -1145,6 +1136,35 @@ module Legion
       }.compact
     end
 
+    def build_apm_config(apm)
+      {
+        server_url:               apm[:server_url] || 'http://localhost:8200',
+        api_key:                  apm[:api_key],
+        secret_token:             apm[:secret_token],
+        api_buffer_size:          apm[:api_buffer_size] || 256,
+        api_request_size:         apm[:api_request_size] || '750kb',
+        api_request_time:         apm[:api_request_time] || '10s',
+        capture_body:             apm.fetch(:capture_body, 'off'),
+        capture_headers:          apm.fetch(:capture_headers, true),
+        capture_env:              apm.fetch(:capture_env, true),
+        disable_send:             apm.fetch(:disable_send, false),
+        environment:              apm[:environment] || Legion::Settings[:environment] || 'development',
+        framework_name:           'LegionIO',
+        framework_version:        Legion::VERSION,
+        hostname:                 apm[:hostname] || Legion::Settings[:client][:name],
+        ignore_url_patterns:      apm[:ignore_url_patterns] || %w[/api/health /api/ready],
+        logger:                   Legion::Logging.log,
+        pool_size:                apm[:pool_size] || 1,
+        service_name:             apm[:service_name] || 'LegionIO',
+        service_node_name:        apm[:service_node_name] || Legion::Settings[:client][:name],
+        service_version:          apm[:service_version] || Legion::VERSION,
+        transaction_sample_rate:  apm[:sample_rate] || 1.0,
+        verify_server_cert:       apm.fetch(:verify_server_cert, true),
+        central_config:           apm.fetch(:central_config, true),
+        span_frames_min_duration: apm[:span_frames_min_duration]
+      }.compact
+    end
+
     def ssl_server_settings(tls_cfg, bind, port)
       return {} unless tls_cfg
 

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.7.24'
+  VERSION = '1.7.25'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.7.24
+  version: 1.7.25
 platform: ruby
 authors:
 - Esity