legionio 1.9.34 → 1.9.36

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e0fb2242e4fffe902c79cac15713bb57d8b2dd6388f122a9a6f14271faa3b3b2
-  data.tar.gz: c70d462ff6369c61dd5ae9bd786b325e4e53789eddc78d10d97441793eec1360
+  metadata.gz: 1de97753e1f584403f30a43a47049183871b98e7581bee36c892aac9e758983b
+  data.tar.gz: 2042c10f023e59093f60258a65ccec746128c3efef7bb980ee33206dafef446c
 SHA512:
-  metadata.gz: d7f43d17ba3a681ea09e82678831ba5694a50af90d508eb27acdcc6743d47c74bfec7da597b6d2fe6805e968d8ba247be571f6e26e60d1cfa86d6814974eb9ec
-  data.tar.gz: 198d3a7b98bb187f23f0e5cfedacabd41983dd52b0ae238650197d2ce9a4888016d211123579cd287e5a2b05f496b0dba6fb627b6280124cf39ca92b11917a18
+  metadata.gz: e206bc92436c737aa2046580af9b705d147d8601601703980d69944afbcc10189aa479527ee6f0da128eb0a80912d54dbc635f2c32eab4aaba2f7f21e595062e
+  data.tar.gz: da6fc109223bf64dced09fd289f86a3f67592d2ad9a096f64376e0ecea074d2611671eda9fecadbfc14e528a377ee1c2a06e15cc2cbde0de7ffda24c524dab3f

data/CHANGELOG.md

@@ -2,6 +2,22 @@
 
 ## [Unreleased]
 
+## [1.9.36] - 2026-05-22
+
+### Fixed
+- Identity: preload identity provider gems and resolve process identity before LLM setup so `llm.registry` availability events include Legion identity headers.
+- Identity: use the persisted `identity.json` value as a cached resolver fallback ahead of unverified system identity when fresh auth providers are unavailable.
+- Bundler: load sibling Legion and LLM provider path dependencies outside the test group when those local checkouts exist, so local service boots can use the active workspace gems.
+
+## [1.9.35] - 2026-05-22
+
+### Added
+- CLI: `legionio service start|stop|restart|status` subcommand for direct launchd control
+- Logging transport forwarding now publishes structured log headers/properties, including identity and Legion version headers supplied by `legion-logging`.
+
+### Fixed
+- CLI: `legionio bootstrap --start` now calls `launchctl kickstart` after brew services start to force immediate spawn on macOS 26+ (Tahoe defers `RunAtLoad` for mid-session bootstraps)
+
 ## [1.9.34] - 2026-05-18
 
 ### Added

data/Gemfile

@@ -8,36 +8,39 @@ gem 'pg'
 gem 'kramdown', '>= 2.0'
 gem 'mysql2'
 
-group :test do
-  gem 'legion-data', path: '../legion-data' if File.exist?(File.expand_path('../legion-data', __dir__))
-  gem 'legion-logging', path: '../legion-logging' if File.exist?(File.expand_path('../legion-logging', __dir__))
-  gem 'legion-settings', path: '../legion-settings' if File.exist?(File.expand_path('../legion-settings', __dir__))
-
-  gem 'legion-apollo', path: '../legion-apollo' if File.exist?(File.expand_path('../legion-apollo', __dir__))
-  gem 'legion-gaia', path: '../legion-gaia' if File.exist?(File.expand_path('../legion-gaia', __dir__))
-  gem 'legion-llm', path: '../legion-llm' if File.exist?(File.expand_path('../legion-llm', __dir__))
-  gem 'legion-mcp', path: '../legion-mcp' if File.exist?(File.expand_path('../legion-mcp', __dir__))
-  gem 'legion-tty', path: '../legion-tty' if File.exist?(File.expand_path('../legion-tty', __dir__))
-
-  gem 'lex-apollo', path: '../extensions/lex-apollo' if File.exist?(File.expand_path('../extensions/lex-apollo', __dir__))
-  gem 'lex-llm', path: '../extensions-ai/lex-llm' if File.exist?(File.expand_path('../extensions-ai/lex-llm', __dir__))
-  gem 'lex-llm-ledger', path: '../extensions-ai/lex-llm-ledger' if File.exist?(File.expand_path('../extensions-ai/lex-llm-ledger', __dir__))
-
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-entra', __dir__))
-    gem 'lex-identity-entra', path: '../extensions-identity/lex-identity-entra'
-  end
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-kerberos', __dir__))
-    gem 'lex-identity-kerberos', path: '../extensions-identity/lex-identity-kerberos'
-  end
-  if File.exist?(File.expand_path('../extensions-identity/lex-identity-system', __dir__))
-    gem 'lex-identity-system', path: '../extensions-identity/lex-identity-system'
-  end
-
-  %w[anthropic azure-foundry bedrock gemini mlx ollama openai vertex vllm].each do |provider|
-    provider_path = "../extensions-ai/lex-llm-#{provider}"
-    gem "lex-llm-#{provider}", path: provider_path if File.exist?(File.expand_path(provider_path, __dir__))
-  end
+gem 'legion-data', path: '../legion-data' if File.exist?(File.expand_path('../legion-data', __dir__))
+gem 'legion-logging', path: '../legion-logging' if File.exist?(File.expand_path('../legion-logging', __dir__))
+gem 'legion-settings', path: '../legion-settings' if File.exist?(File.expand_path('../legion-settings', __dir__))
+
+gem 'legion-apollo', path: '../legion-apollo' if File.exist?(File.expand_path('../legion-apollo', __dir__))
+gem 'legion-gaia', path: '../legion-gaia' if File.exist?(File.expand_path('../legion-gaia', __dir__))
+gem 'legion-llm', path: '../legion-llm' if File.exist?(File.expand_path('../legion-llm', __dir__))
+gem 'legion-mcp', path: '../legion-mcp' if File.exist?(File.expand_path('../legion-mcp', __dir__))
+gem 'legion-tty', path: '../legion-tty' if File.exist?(File.expand_path('../legion-tty', __dir__))
+
+gem 'lex-apollo', path: '../extensions/lex-apollo' if File.exist?(File.expand_path('../extensions/lex-apollo', __dir__))
+gem 'lex-llm', path: '../extensions-ai/lex-llm' if File.exist?(File.expand_path('../extensions-ai/lex-llm', __dir__))
+# gem 'lex-llm-ledger', path: '../extensions-ai/lex-llm-ledger' if File.exist?(File.expand_path('../extensions-ai/lex-llm-ledger', __dir__))
+
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-entra', __dir__))
+  gem 'lex-identity-entra', path: '../extensions-identity/lex-identity-entra'
+end
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-kerberos', __dir__))
+  gem 'lex-identity-kerberos', path: '../extensions-identity/lex-identity-kerberos'
+end
 
+gem 'lex-kerberos', path: '../extensions-identity/lex-kerberos' if File.exist?(File.expand_path('../extensions-identity/lex-kerberos', __dir__))
+
+if File.exist?(File.expand_path('../extensions-identity/lex-identity-system', __dir__))
+  gem 'lex-identity-system', path: '../extensions-identity/lex-identity-system'
+end
+
+%w[anthropic azure-foundry bedrock gemini mlx ollama openai vertex vllm].each do |provider|
+  provider_path = "../extensions-ai/lex-llm-#{provider}"
+  gem "lex-llm-#{provider}", path: provider_path if File.exist?(File.expand_path(provider_path, __dir__))
+end
+
+group :test do
   gem 'faraday'
   gem 'faraday-net_http'
   gem 'graphql'

data/lib/legion/cli/bootstrap_command.rb

@@ -3,6 +3,7 @@
 require 'English'
 require 'json'
 require 'fileutils'
+require 'open3'
 require 'rbconfig'
 require 'thor'
 require 'legion/cli/output'
@@ -391,18 +392,29 @@ module Legion
 
         def run_brew_service(service, out)
           output, success = shell_capture("brew services start #{service}")
-          if success
-            out.success("#{service} started") unless options[:json]
-            true
-          else
+          unless success
             out.warn("#{service} failed to start: #{output.strip.lines.last&.strip}") unless options[:json]
-            false
+            return false
           end
+
+          out.success("#{service} started") unless options[:json]
+          kickstart_launchd_service("homebrew.mxcl.#{service}", out)
         rescue StandardError => e
           out.warn("brew services start #{service} raised: #{e.message}") unless options[:json]
           false
         end
 
+        def kickstart_launchd_service(label, out)
+          return true unless RbConfig::CONFIG['host_os'] =~ /darwin/
+
+          uid = ::Process.uid
+          _, status = Open3.capture2e('launchctl', 'kickstart', "gui/#{uid}/#{label}")
+          return true if status.success?
+
+          out.warn("launchctl kickstart #{label} failed (service may already be running)") unless options[:json]
+          false
+        end
+
         def poll_daemon_ready(out, port: 4567, timeout: 30)
           require 'net/http'
           deadline = ::Time.now + timeout

data/lib/legion/cli/service_command.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require 'open3'
+require 'rbconfig'
+require 'thor'
+require 'legion/cli/output'
+
+module Legion
+  module CLI
+    class ServiceCommand < Thor
+      namespace 'service'
+
+      def self.exit_on_failure?
+        true
+      end
+
+      class_option :json,     type: :boolean, default: false, desc: 'Output as JSON'
+      class_option :no_color, type: :boolean, default: false, desc: 'Disable color output'
+
+      SERVICE_LABEL = 'homebrew.mxcl.legionio'
+
+      desc 'start', 'Start the Legion launchd service'
+      long_desc <<~DESC
+        Starts the Legion background service via launchd. On macOS 26+ (Tahoe),
+        uses launchctl kickstart to ensure immediate process spawn after bootstrap.
+      DESC
+      def start
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        plist = plist_path
+        unless File.exist?(plist)
+          out.error("Service plist not found at #{plist}")
+          out.info('Run: brew install legionio')
+          raise SystemExit, 1
+        end
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        if service_loaded?(target)
+          out.info('Service already loaded, kicking...')
+        else
+          _, status = Open3.capture2e('launchctl', 'bootstrap', target, plist)
+          out.warn('bootstrap failed (may already be loaded), attempting kickstart anyway') unless status.success?
+        end
+
+        _, status = Open3.capture2e('launchctl', 'kickstart', '-k', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service started')
+        else
+          out.error('Failed to kickstart Legion service')
+          raise SystemExit, 1
+        end
+
+        poll_ready(out)
+      end
+
+      desc 'stop', 'Stop the Legion launchd service'
+      def stop
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        _, status = Open3.capture2e('launchctl', 'bootout', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service stopped')
+        else
+          out.warn('Service was not loaded (already stopped?)')
+        end
+      end
+
+      desc 'restart', 'Restart the Legion launchd service'
+      def restart
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+
+        Open3.capture2e('launchctl', 'bootout', "#{target}/#{SERVICE_LABEL}")
+        sleep 1
+
+        plist = plist_path
+        Open3.capture2e('launchctl', 'bootstrap', target, plist) if File.exist?(plist)
+
+        _, status = Open3.capture2e('launchctl', 'kickstart', '-k', "#{target}/#{SERVICE_LABEL}")
+        if status.success?
+          out.success('Legion service restarted')
+        else
+          out.error('Failed to restart Legion service')
+          raise SystemExit, 1
+        end
+
+        poll_ready(out)
+      end
+
+      desc 'status', 'Show Legion launchd service status'
+      def status
+        out = Output::Formatter.new(json: options[:json], color: !options[:no_color])
+        ensure_macos!(out)
+
+        uid = ::Process.uid
+        target = "gui/#{uid}"
+        output, status = Open3.capture2e('launchctl', 'print', "#{target}/#{SERVICE_LABEL}")
+
+        unless status.success?
+          out.info('Service is not loaded')
+          return
+        end
+
+        state = output[/state = (.+)/, 1] || 'unknown'
+        pid = output[/pid = (\d+)/, 1]
+        runs = output[/runs = (\d+)/, 1]
+
+        if options[:json]
+          puts Legion::JSON.dump({ state: state, pid: pid&.to_i, runs: runs&.to_i })
+        else
+          out.info("State: #{state}")
+          out.info("PID: #{pid}") if pid
+          out.info("Runs: #{runs}") if runs
+        end
+      end
+
+      private
+
+      def ensure_macos!(out)
+        return if RbConfig::CONFIG['host_os'] =~ /darwin/
+
+        out.error('The service command is only available on macOS (uses launchd)')
+        raise SystemExit, 1
+      end
+
+      def plist_path
+        File.expand_path("~/Library/LaunchAgents/#{SERVICE_LABEL}.plist")
+      end
+
+      def service_loaded?(target)
+        _, status = Open3.capture2e('launchctl', 'print', "#{target}/#{SERVICE_LABEL}")
+        status.success?
+      end
+
+      def poll_ready(out, port: 4567, timeout: 15)
+        require 'net/http'
+        deadline = ::Time.now + timeout
+        until ::Time.now > deadline
+          begin
+            resp = Net::HTTP.get_response(URI("http://localhost:#{port}/api/ready"))
+            if resp.is_a?(Net::HTTPSuccess)
+              out.success("Daemon ready on port #{port}")
+              return
+            end
+          rescue StandardError
+            # not ready yet
+          end
+          sleep 1
+        end
+        out.info('Service started but not yet ready (boot in progress)')
+      end
+    end
+  end
+end

data/lib/legion/cli.rb

@@ -69,6 +69,7 @@ module Legion
     autoload :Debug,        'legion/cli/debug_command'
     autoload :CodegenCommand, 'legion/cli/codegen_command'
     autoload :Bootstrap,      'legion/cli/bootstrap_command'
+    autoload :ServiceCommand, 'legion/cli/service_command'
     autoload :Broker,         'legion/cli/broker_command'
     autoload :AdminCommand,   'legion/cli/admin_command'
     autoload :Workflow,       'legion/cli/workflow_command'
@@ -258,6 +259,9 @@ module Legion
       desc 'setup SUBCOMMAND', 'Install feature packs and configure IDE integrations'
       subcommand 'setup', Legion::CLI::Setup
 
+      desc 'service SUBCOMMAND', 'Manage the Legion launchd background service'
+      subcommand 'service', Legion::CLI::ServiceCommand
+
       desc 'bootstrap SOURCE', 'One-command setup: fetch config, scaffold, and install packs'
       subcommand 'bootstrap', Legion::CLI::Bootstrap
 

data/lib/legion/extensions.rb

@@ -132,6 +132,24 @@ module Legion
         Legion::Logging.info "[Extensions] flushed #{count} pending registrations" if defined?(Legion::Logging)
       end
 
+      def require_identity_extensions
+        find_extensions.select { |entry| entry[:category] == :identity }.each do |entry|
+          gem_name = entry[:gem_name]
+          ext_settings = extension_settings_for_entry(entry)
+
+          if ext_settings.is_a?(Hash) && ext_settings.key?(:enabled) && !ext_settings[:enabled]
+            Legion::Logging.info "Skipping #{gem_name} identity preload because it's disabled"
+            next
+          end
+
+          Catalog.register(gem_name)
+          register_extension_handle(gem_name, state:                    :registered,
+                                              latest_installed_version: latest_installed_version(gem_name))
+          ensure_namespace(entry[:const_path]) if entry[:segments].length > 1
+          gem_load(entry)
+        end
+      end
+
       def pause_actors
         @running_instances&.each do |inst|
           timer = inst.instance_variable_get(:@timer)

data/lib/legion/identity/broker.rb

@@ -21,6 +21,10 @@ module Legion
           token
         end
 
+        def credential_for(provider_name, qualifier: nil, for_context: nil, purpose: nil, context: nil)
+          token_for(provider_name, qualifier: qualifier, for_context: for_context, purpose: purpose, context: context)
+        end
+
         def lease_for(provider_name, qualifier: nil)
           name = provider_name.to_sym
           resolved = qualifier || default_qualifier_for(name)

data/lib/legion/identity/resolver.rb

@@ -33,6 +33,12 @@ module Legion
 
           winning_provider, winning_result, provider_results = resolve_auth(auth_providers, timeout: timeout)
 
+          if winning_provider.nil?
+            log.debug('resolve!: no auth winner, trying cached identity')
+            winning_provider, winning_result, cached_results = resolve_cached_identity
+            provider_results.merge!(cached_results) if cached_results
+          end
+
           if winning_provider.nil?
             log.debug('resolve!: no auth winner, trying fallback providers')
             winning_provider, winning_result, fallback_results = resolve_auth(fallback_providers, timeout: timeout)
@@ -229,6 +235,67 @@ module Legion
           end
         end
 
+        def resolve_cached_identity
+          cached = read_cached_identity
+          return [nil, nil, {}] unless cached
+
+          provider = cached_identity_provider
+          result = {
+            canonical_name: cached[:canonical_name],
+            kind:           cached[:kind] || :human,
+            source:         :identity_json,
+            persistent:     true
+          }
+
+          [
+            provider,
+            result,
+            {
+              provider.provider_name => {
+                status:      :resolved,
+                trust:       provider.trust_level,
+                resolved_at: Time.now,
+                provider:    provider,
+                result:      result
+              }
+            }
+          ]
+        end
+
+        def read_cached_identity
+          path = File.expand_path('~/.legionio/settings/identity.json')
+          return nil unless File.file?(path)
+
+          data = if defined?(Legion::JSON)
+                   Legion::JSON.load(File.read(path))
+                 else
+                   require 'json'
+                   ::JSON.parse(File.read(path), symbolize_names: true)
+                 end
+          canonical = data[:canonical_name] || data['canonical_name']
+          return nil if canonical.to_s.strip.empty?
+
+          {
+            canonical_name: canonical.to_s,
+            kind:           (data[:kind] || data['kind'] || :human).to_sym
+          }
+        rescue StandardError => e
+          log.warn("identity.json read failed: #{e.message}")
+          nil
+        end
+
+        def cached_identity_provider
+          @cached_identity_provider ||= Module.new do
+            module_function
+
+            def provider_name = :identity_cache
+            def provider_type = :auth
+            def priority = -100
+            def trust_weight = 150
+            def trust_level = :cached
+          end
+        end
+
         def auth_future_status(future, result)
           if future.rejected?
             :failed

data/lib/legion/service.rb

@@ -112,6 +112,8 @@ module Legion
       end
       setup_cluster if data
 
+      setup_identity_before_llm(extensions: extensions, transport: transport)
+
       if llm
         begin
           setup_llm
@@ -161,15 +163,14 @@ module Legion
       setup_safety_metrics
       setup_supervision if supervision
 
-      require_relative 'identity' if File.exist?(File.expand_path('identity.rb', __dir__))
-
       if extensions
         load_extensions
         Legion::Readiness.mark_ready(:extensions)
         setup_generated_functions
       end
 
-      # Identity resolution — after extensions so lex-identity-* providers are loaded
+      # Re-run identity after full extension load so any providers with autobuild-time
+      # registration can upgrade the pre-LLM identity.
       db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
       setup_identity if transport || db_available
       register_credential_providers if extensions && (transport || db_available)
@@ -589,7 +590,7 @@ module Legion
       end
     end
 
-    def setup_logging_transport # rubocop:disable Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+    def setup_logging_transport # rubocop:disable Metrics/CyclomaticComplexity,Metrics/MethodLength,Metrics/PerceivedComplexity
       return unless defined?(Legion::Transport::Connection)
       return unless Legion::Transport::Connection.session_open?
 
@@ -612,11 +613,16 @@ module Legion
       exchange = log_channel.topic('legion.logging', durable: true)
 
       if forward_logs
-        Legion::Logging.log_writer = lambda { |event, routing_key:|
+        Legion::Logging.log_writer = lambda { |event, routing_key:, headers: {}, properties: {}|
           begin
             next unless log_channel&.open?
 
-            exchange.publish(Legion::JSON.dump(event), routing_key: routing_key)
+            exchange.publish(
+              Legion::JSON.dump(event),
+              routing_key: routing_key,
+              headers:     headers,
+              **properties
+            )
           rescue StandardError
             nil
           end
@@ -918,6 +924,8 @@ module Legion
         Legion::Readiness.mark_skipped(:rbac)
       end
 
+      setup_identity_before_llm(extensions: true, transport: true)
+
       if defined?(Legion::LLM)
         setup_llm
       else
@@ -945,7 +953,6 @@ module Legion
       # Phase 5: re-run identity resolution after extensions are loaded so that
       # any identity providers registered by lex-identity-* extensions are
       # available to the resolver (mirrors the boot-time ordering).
-      Legion::Identity::Resolver.reset! if defined?(Legion::Identity::Resolver)
       setup_identity
 
       db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
@@ -976,6 +983,18 @@ module Legion
       Legion::Extensions.hook_extensions
     end
 
+    def setup_identity_before_llm(extensions:, transport:)
+      require_relative 'identity' if File.exist?(File.expand_path('identity.rb', __dir__))
+      Legion::Extensions.require_identity_extensions if extensions &&
+                                                        defined?(Legion::Extensions) &&
+                                                        Legion::Extensions.respond_to?(:require_identity_extensions)
+
+      db_available = defined?(Legion::Data) && Legion::Data.respond_to?(:connected?) && Legion::Data.connected?
+      setup_identity if transport || db_available
+    rescue StandardError => e
+      handle_exception(e, level: :warn, operation: 'service.setup_identity_before_llm')
+    end
+
     def register_core_tools
       require 'legion/tools'
       Legion::Tools.register_all

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.9.34'
+  VERSION = '1.9.36'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.9.34
+  version: 1.9.36
 platform: ruby
 authors:
 - Esity
@@ -750,6 +750,7 @@ files:
 - lib/legion/cli/relationship.rb
 - lib/legion/cli/review_command.rb
 - lib/legion/cli/schedule_command.rb
+- lib/legion/cli/service_command.rb
 - lib/legion/cli/setup_command.rb
 - lib/legion/cli/skill_command.rb
 - lib/legion/cli/start.rb