lex-mesh 0.2.3 → 0.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 75ab8e1dbc78d725a92257640520bfda3f3acb36ae1dc1f1315cc7e8453ca467
-  data.tar.gz: 269027a72a18770e8bf0338fa7c2941bc354546ffc6157bd2533fc258b054baf
+  metadata.gz: 650958df48e1ad4fa390b3fecb3ab2817dc535c279449dc4ce114e92f59cfff2
+  data.tar.gz: ff13ef5a0e18147daa15b72579de24f3691bec50f5f124627d2b503208cfba82
 SHA512:
-  metadata.gz: 78afa9c435f105a2c18b107d14de0c6d4b9c8850c5181ce394aafe46613c70dedccb24b5b19dbf5ee71f2fa71657905e656d2d4eb916f3429446f0c61398a46d
-  data.tar.gz: 766eb42fd99abaa287af0cd1f48b8daba505f9e4d20dccb927e748cb9734460839915ba2e8513aa8df5bf28817f032f230e08e5bf775f3330d9e4f34d48f47db
+  metadata.gz: fc982147fb2a22e4a5bb40fa8f7a767e87aed754f59474d4937059a831adcfeae6b4f4e4c9add47359c3b6a69200a0cdea21c1bafd1b00dfd74501c93415eb40
+  data.tar.gz: e34a1a0d9ae8481bb40949bda0e47d6e1647856777214d133acf10c121b8e70962bb85c10fda16120b9dd7bc958828fc20a73851ab259c89fa813d7df2236f26

data/Gemfile

@@ -4,5 +4,7 @@ source 'https://rubygems.org'
 
 gemspec
 
+gem 'base64'
+gem 'ed25519', '~> 1.3'
 gem 'rspec', '~> 3.13'
 gem 'rubocop', '~> 1.75', require: false

data/lex-mesh.gemspec

@@ -25,4 +25,7 @@ Gem::Specification.new do |spec|
     Dir.glob('{lib,spec}/**/*') + %w[lex-mesh.gemspec Gemfile]
   end
   spec.require_paths = ['lib']
+
+  spec.add_dependency 'base64'
+  spec.add_dependency 'ed25519', '~> 1.3'
 end

data/lib/legion/extensions/mesh/actors/gossip.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/actors/every'
+
+module Legion
+  module Extensions
+    module Mesh
+      module Actor
+        class Gossip < Legion::Extensions::Actors::Every
+          def runner_class
+            Legion::Extensions::Mesh::Runners::Mesh
+          end
+
+          def runner_function
+            :publish_gossip
+          end
+
+          def time
+            15
+          end
+
+          def use_runner?
+            true
+          end
+
+          def check_subtask?
+            false
+          end
+
+          def generate_task?
+            false
+          end
+
+          def args
+            {}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/mesh/helpers/delegation.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module Legion
+  module Extensions
+    module Mesh
+      module Helpers
+        class Delegation
+          CONSENT_LEVELS = %i[read execute admin].freeze
+
+          attr_reader :delegations
+
+          def initialize(max_depth: 3, max_active_per_agent: 10)
+            @delegations = {}
+            @agent_delegations = Hash.new { |h, k| h[k] = [] }
+            @max_depth = max_depth
+            @max_active_per_agent = max_active_per_agent
+          end
+
+          def create(from:, to:, task_context:, consent_level:, parent_delegation_id: nil)
+            depth = compute_depth(parent_delegation_id)
+            return { error: :max_depth_exceeded } if depth >= @max_depth
+
+            if parent_delegation_id
+              parent = find(parent_delegation_id)
+              return { error: :consent_escalation } if parent && CONSENT_LEVELS.index(consent_level) > CONSENT_LEVELS.index(parent[:consent_level])
+            end
+
+            active_count = (@agent_delegations[from] || []).count do |id|
+              @delegations[id]&.fetch(:status, nil) == :active
+            end
+            return { error: :max_active_exceeded } if active_count >= @max_active_per_agent
+
+            id = "del-#{SecureRandom.uuid}"
+            record = {
+              delegation_id:        id,
+              from_agent_id:        from,
+              to_agent_id:          to,
+              task_context:         task_context,
+              consent_level:        consent_level,
+              parent_delegation_id: parent_delegation_id,
+              depth:                depth,
+              status:               :active,
+              created_at:           Time.now.utc,
+              completed_at:         nil
+            }
+            @delegations[id] = record
+            @agent_delegations[from] << id
+            @agent_delegations[to] << id
+            record
+          end
+
+          def complete(delegation_id)
+            record = @delegations[delegation_id]
+            return nil unless record && record[:status] == :active
+
+            record[:status] = :completed
+            record[:completed_at] = Time.now.utc
+            record
+          end
+
+          def revoke(delegation_id)
+            record = @delegations[delegation_id]
+            return nil unless record && record[:status] == :active
+
+            record[:status] = :revoked
+            record[:completed_at] = Time.now.utc
+            cascade_revoke(delegation_id)
+            record
+          end
+
+          def chain(delegation_id)
+            result = []
+            current = @delegations[delegation_id]
+            while current
+              result.unshift(current)
+              current = current[:parent_delegation_id] ? @delegations[current[:parent_delegation_id]] : nil
+            end
+            result
+          end
+
+          def for_agent(agent_id, status: nil)
+            ids = @agent_delegations[agent_id] || []
+            results = ids.filter_map { |id| @delegations[id] }
+            results = results.select { |d| d[:status] == status } if status
+            results
+          end
+
+          def find(delegation_id)
+            @delegations[delegation_id]
+          end
+
+          def stats
+            active = @delegations.values.count { |d| d[:status] == :active }
+            depths = @delegations.values.map { |d| d[:depth] }
+            {
+              total:     @delegations.size,
+              active:    active,
+              avg_depth: depths.empty? ? 0 : depths.sum.to_f / depths.size,
+              max_depth: depths.max || 0
+            }
+          end
+
+          private
+
+          def compute_depth(parent_delegation_id)
+            return 0 unless parent_delegation_id
+
+            parent = find(parent_delegation_id)
+            (parent&.fetch(:depth, 0) || 0) + 1
+          end
+
+          def cascade_revoke(parent_id)
+            @delegations.each_value do |d|
+              next unless d[:parent_delegation_id] == parent_id && d[:status] == :active
+
+              d[:status] = :revoked
+              d[:completed_at] = Time.now.utc
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/mesh/helpers/peer_verify.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Legion
+  module Extensions
+    module Mesh
+      module Helpers
+        module PeerVerify
+          class << self
+            def sign_message(payload, private_key_b64)
+              require 'ed25519'
+              key = Ed25519::SigningKey.new(Base64.strict_decode64(private_key_b64))
+              message_bytes = json_dump(payload)
+              signature = key.sign(message_bytes)
+              { payload: payload, signature: Base64.strict_encode64(signature), signed_bytes: message_bytes }
+            end
+
+            def verify_message(signed_message, org_id:)
+              peer = find_peer(org_id)
+              return { valid: false, org_id: org_id, reason: :unknown_peer } unless peer
+
+              require 'ed25519'
+              pub_key_b64 = peer[:public_key].sub(/\Aed25519:/, '')
+              verify_key  = Ed25519::VerifyKey.new(Base64.strict_decode64(pub_key_b64))
+              signature   = Base64.strict_decode64(signed_message[:signature])
+              message_bytes = signed_message[:signed_bytes] || json_dump(signed_message[:payload])
+              verify_key.verify(signature, message_bytes)
+              { valid: true, org_id: org_id }
+            rescue Ed25519::VerifyError
+              { valid: false, org_id: org_id, reason: :invalid_signature }
+            rescue StandardError => e
+              { valid: false, org_id: org_id, reason: :error, message: e.message }
+            end
+
+            def check_rate_limit(org_id)
+              @counters ||= Hash.new { |h, k| h[k] = { count: 0, window_start: Time.now.utc } }
+              counter = @counters[org_id]
+              peer  = find_peer(org_id)
+              limit = peer&.dig(:rate_limit) || 100
+
+              if Time.now.utc - counter[:window_start] > 60
+                counter[:count] = 0
+                counter[:window_start] = Time.now.utc
+              end
+
+              counter[:count] += 1
+              return { allowed: true, remaining: limit - counter[:count] } if counter[:count] <= limit
+
+              { allowed: false, error: :rate_limited, org_id: org_id }
+            end
+
+            def reset_counters!
+              @counters = nil
+            end
+
+            private
+
+            def find_peer(org_id)
+              return nil unless defined?(Legion::Settings)
+
+              peers = Legion::Settings.dig(:mesh, :trusted_peers) || []
+              peers.find { |p| p[:org_id] == org_id }
+            end
+
+            def json_dump(data)
+              if defined?(Legion::JSON)
+                Legion::JSON.dump({ data: data })
+              else
+                require 'json'
+                ::JSON.dump({ data: data })
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/mesh/helpers/registry.rb

@@ -13,11 +13,14 @@ module Legion
             @messages = []
           end
 
-          def register_agent(agent_id, capabilities: [], endpoint: nil)
+          def register_agent(agent_id, capabilities: [], endpoint: nil, source: :native, node: nil)
             @agents[agent_id] = {
               agent_id:      agent_id,
               capabilities:  capabilities,
               endpoint:      endpoint,
+              source:        source,
+              node:          node || local_node_name,
+              generation:    1,
               registered_at: Time.now.utc,
               last_seen:     Time.now.utc,
               status:        :online
@@ -39,6 +42,7 @@ module Legion
 
             agent[:last_seen] = Time.now.utc
             agent[:status] = :online
+            agent[:generation] = (agent[:generation] || 0) + 1
           end
 
           def find_by_capability(capability)
@@ -81,9 +85,21 @@ module Legion
             @agents.values.select { |a| a[:status] == :online }
           end
 
+          def all_agents
+            @agents.values
+          end
+
           def count
             @agents.size
           end
+
+          private
+
+          def local_node_name
+            Legion::Settings[:client][:name]
+          rescue StandardError
+            'unknown'
+          end
         end
       end
     end

data/lib/legion/extensions/mesh/runners/delegation.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require_relative '../helpers/delegation'
+
+module Legion
+  module Extensions
+    module Mesh
+      module Runners
+        module Delegation
+          include Legion::Extensions::Helpers::Lex if defined?(Legion::Extensions::Helpers::Lex)
+
+          def delegate(from:, to:, task_context:, consent_level: :execute, parent_delegation_id: nil, **) # rubocop:disable Metrics/ParameterLists
+            result = delegation_tracker.create(
+              from:                 from,
+              to:                   to,
+              task_context:         task_context,
+              consent_level:        consent_level.to_sym,
+              parent_delegation_id: parent_delegation_id
+            )
+            return { success: false, **result } if result[:error]
+
+            publish_delegation_event('delegation.created', result)
+            { success: true, delegation_id: result[:delegation_id], depth: result[:depth] }
+          end
+
+          def complete_delegation(delegation_id:, **)
+            result = delegation_tracker.complete(delegation_id)
+            return { success: false, reason: :not_found_or_inactive } unless result
+
+            publish_delegation_event('delegation.completed', result)
+            { success: true, delegation_id: delegation_id }
+          end
+
+          def revoke_delegation(delegation_id:, **)
+            result = delegation_tracker.revoke(delegation_id)
+            return { success: false, reason: :not_found_or_inactive } unless result
+
+            publish_delegation_event('delegation.revoked', result)
+            { success: true, delegation_id: delegation_id }
+          end
+
+          def delegation_chain(delegation_id:, **)
+            chain = delegation_tracker.chain(delegation_id)
+            { success: true, chain: chain, depth: [chain.size - 1, 0].max }
+          end
+
+          def agent_delegations(agent_id:, status: nil, **)
+            results = delegation_tracker.for_agent(agent_id, status: status&.to_sym)
+            { success: true, delegations: results, count: results.size }
+          end
+
+          def delegation_stats(**)
+            delegation_tracker.stats.merge(success: true)
+          end
+
+          private
+
+          def publish_delegation_event(event_type, record)
+            return unless defined?(Legion::Extensions::Audit::Transport::Messages::Audit)
+
+            Legion::Extensions::Audit::Transport::Messages::Audit.new(
+              event_type:   event_type,
+              principal_id: record[:from_agent_id],
+              action:       event_type.split('.').last,
+              resource:     "delegation:#{record[:delegation_id]}",
+              detail:       { to: record[:to_agent_id], depth: record[:depth], consent: record[:consent_level] }
+            ).publish
+          rescue StandardError => e
+            Legion::Logging.warn "[mesh] failed to publish #{event_type}: #{e.message}" if defined?(Legion::Logging)
+          end
+
+          def delegation_tracker
+            @delegation_tracker ||= begin
+              max_depth = nil
+              max_active = nil
+              if defined?(Legion::Settings)
+                max_depth  = Legion::Settings.dig(:mesh, :delegation, :max_depth)
+                max_active = Legion::Settings.dig(:mesh, :delegation, :max_active_per_agent)
+              end
+              Helpers::Delegation.new(max_depth: max_depth || 3, max_active_per_agent: max_active || 10)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/mesh/runners/mesh.rb

@@ -64,6 +64,50 @@ module Legion
             { success: true, expired: expired, count: expired.size }
           end
 
+          def publish_gossip(**)
+            registry = mesh_registry
+            peers = registry.all_agents.first(gossip_max_peers).map do |agent|
+              agent.slice(:agent_id, :capabilities, :node, :source, :status, :generation,
+                          :last_seen, :registered_at).transform_values { |v| v.is_a?(Time) ? v.to_s : v }
+            end
+
+            @gossip_round = (@gossip_round || 0) + 1
+            publish_gossip_message(peers)
+            { success: true, peers_broadcast: peers.size, gossip_round: @gossip_round }
+          rescue StandardError => e
+            { success: false, reason: :error, message: e.message }
+          end
+
+          def merge_gossip(incoming_peers:, sender: nil, **) # rubocop:disable Lint/UnusedMethodArgument
+            registry = mesh_registry
+            merged = 0
+
+            incoming_peers.each do |peer|
+              peer = peer.transform_keys(&:to_sym)
+              next if peer[:node] == local_node_name
+
+              local = registry.agents[peer[:agent_id]]
+              if local.nil?
+                registry.register_agent(
+                  peer[:agent_id],
+                  capabilities: (peer[:capabilities] || []).map(&:to_sym),
+                  source:       (peer[:source] || :native).to_sym,
+                  node:         peer[:node]
+                )
+                registry.agents[peer[:agent_id]][:generation] = peer[:generation] || 1
+                merged += 1
+              elsif (peer[:generation] || 0) > (local[:generation] || 0)
+                local.merge!(peer.slice(:capabilities, :status, :generation, :last_seen))
+                local[:capabilities] = (local[:capabilities] || []).map(&:to_sym)
+                merged += 1
+              end
+            end
+
+            { success: true, merged: merged, total_peers: incoming_peers.size }
+          rescue StandardError => e
+            { success: false, reason: :error, message: e.message }
+          end
+
           private
 
           def publish_mesh_departure(agent_id:, capabilities:)
@@ -77,6 +121,29 @@ module Legion
             Legion::Logging.warn "[mesh] failed to publish departure signal: #{e.message}"
           end
 
+          def publish_gossip_message(peers)
+            return unless defined?(Legion::Extensions::Mesh::Transport::Messages::Gossip)
+
+            Legion::Extensions::Mesh::Transport::Messages::Gossip.new(
+              sender:       local_node_name,
+              gossip_round: @gossip_round,
+              peers:        peers
+            ).publish
+          end
+
+          def gossip_max_peers
+            settings = Legion::Settings.dig(:mesh, :gossip)
+            (settings.is_a?(Hash) ? settings[:max_peers_per_message] : nil) || 100
+          rescue StandardError
+            100
+          end
+
+          def local_node_name
+            Legion::Settings[:client][:name]
+          rescue StandardError
+            'unknown'
+          end
+
           def mesh_registry
             @mesh_registry ||= Helpers::Registry.new
           end

data/lib/legion/extensions/mesh/transport/messages/gossip.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Mesh
+      module Transport
+        module Messages
+          class Gossip < Legion::Transport::Message
+            def exchange
+              Legion::Transport::Exchanges::Node
+            end
+
+            def routing_key
+              'mesh.gossip'
+            end
+
+            def message
+              {
+                type:         'mesh_gossip',
+                sender:       @options[:sender],
+                gossip_round: @options[:gossip_round] || 0,
+                peers:        @options[:peers] || []
+              }
+            end
+
+            def type
+              'mesh_gossip'
+            end
+
+            def encrypt?
+              false
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/mesh/transport/queues/gossip.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Mesh
+      module Transport
+        module Queues
+          class Gossip < Legion::Transport::Queue
+            def queue_name
+              'mesh.gossip'
+            end
+
+            def exchange
+              Legion::Transport::Exchanges::Node
+            end
+
+            def routing_key
+              'mesh.gossip'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/mesh/version.rb

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Mesh
-      VERSION = '0.2.3'
+      VERSION = '0.2.5'
     end
   end
 end

data/lib/legion/extensions/mesh.rb

@@ -5,8 +5,11 @@ require 'legion/extensions/mesh/helpers/topology'
 require 'legion/extensions/mesh/helpers/registry'
 require 'legion/extensions/mesh/helpers/preference_profile'
 require 'legion/extensions/mesh/helpers/pending_requests'
+require 'legion/extensions/mesh/helpers/delegation'
+require 'legion/extensions/mesh/helpers/peer_verify'
 require 'legion/extensions/mesh/runners/mesh'
 require 'legion/extensions/mesh/runners/preferences'
+require 'legion/extensions/mesh/runners/delegation'
 
 if defined?(Legion::Transport)
   require 'legion/extensions/mesh/transport/messages/preference_query'

data/spec/legion/extensions/mesh/actors/gossip_spec.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# Stub the framework actor base class since legionio gem is not available in test
+unless defined?(Legion::Extensions::Actors::Every)
+  module Legion
+    module Extensions
+      module Actors
+        class Every # rubocop:disable Lint/EmptyClass
+        end
+      end
+    end
+  end
+end
+
+$LOADED_FEATURES << 'legion/extensions/actors/every' unless $LOADED_FEATURES.include?('legion/extensions/actors/every')
+
+require 'legion/extensions/mesh/actors/gossip'
+
+RSpec.describe Legion::Extensions::Mesh::Actor::Gossip do
+  it 'fires every 15 seconds' do
+    expect(described_class.new.time).to eq(15)
+  end
+
+  it 'calls publish_gossip runner function' do
+    instance = described_class.allocate
+    expect(instance.runner_function).to eq(:publish_gossip)
+  end
+end

data/spec/legion/extensions/mesh/helpers/delegation_spec.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Legion::Extensions::Mesh::Helpers::Delegation do
+  subject(:tracker) { described_class.new(max_depth: 3, max_active_per_agent: 5) }
+
+  describe '#create' do
+    it 'creates a delegation record' do
+      result = tracker.create(from: 'agent-a', to: 'agent-b', task_context: 'task-1', consent_level: :execute)
+      expect(result[:delegation_id]).to start_with('del-')
+      expect(result[:from_agent_id]).to eq('agent-a')
+      expect(result[:to_agent_id]).to eq('agent-b')
+      expect(result[:status]).to eq(:active)
+      expect(result[:depth]).to eq(0)
+    end
+
+    it 'increments depth for chained delegations' do
+      d1 = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d2 = tracker.create(from: 'b', to: 'c', task_context: 't', consent_level: :execute,
+                          parent_delegation_id: d1[:delegation_id])
+      expect(d2[:depth]).to eq(1)
+    end
+
+    it 'refuses delegation beyond max depth' do
+      d1 = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d2 = tracker.create(from: 'b', to: 'c', task_context: 't', consent_level: :execute,
+                          parent_delegation_id: d1[:delegation_id])
+      d3 = tracker.create(from: 'c', to: 'd', task_context: 't', consent_level: :execute,
+                          parent_delegation_id: d2[:delegation_id])
+      d4 = tracker.create(from: 'd', to: 'e', task_context: 't', consent_level: :execute,
+                          parent_delegation_id: d3[:delegation_id])
+      expect(d4[:error]).to eq(:max_depth_exceeded)
+    end
+
+    it 'refuses consent escalation' do
+      d1 = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d2 = tracker.create(from: 'b', to: 'c', task_context: 't', consent_level: :admin,
+                          parent_delegation_id: d1[:delegation_id])
+      expect(d2[:error]).to eq(:consent_escalation)
+    end
+
+    it 'allows consent de-escalation' do
+      d1 = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :admin)
+      d2 = tracker.create(from: 'b', to: 'c', task_context: 't', consent_level: :read,
+                          parent_delegation_id: d1[:delegation_id])
+      expect(d2[:delegation_id]).to start_with('del-')
+    end
+
+    it 'refuses when max active per agent exceeded' do
+      5.times { |i| tracker.create(from: 'a', to: "b#{i}", task_context: 't', consent_level: :execute) }
+      result = tracker.create(from: 'a', to: 'b6', task_context: 't', consent_level: :execute)
+      expect(result[:error]).to eq(:max_active_exceeded)
+    end
+  end
+
+  describe '#complete' do
+    it 'marks a delegation as completed' do
+      d = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      result = tracker.complete(d[:delegation_id])
+      expect(result[:status]).to eq(:completed)
+      expect(result[:completed_at]).to be_a(Time)
+    end
+
+    it 'returns nil for non-existent delegation' do
+      expect(tracker.complete('del-nonexistent')).to be_nil
+    end
+  end
+
+  describe '#revoke' do
+    it 'marks delegation and children as revoked' do
+      d1 = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d2 = tracker.create(from: 'b', to: 'c', task_context: 't', consent_level: :execute,
+                          parent_delegation_id: d1[:delegation_id])
+      tracker.revoke(d1[:delegation_id])
+
+      expect(tracker.find(d1[:delegation_id])[:status]).to eq(:revoked)
+      expect(tracker.find(d2[:delegation_id])[:status]).to eq(:revoked)
+    end
+  end
+
+  describe '#chain' do
+    it 'returns the full delegation chain' do
+      d1 = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d2 = tracker.create(from: 'b', to: 'c', task_context: 't', consent_level: :execute,
+                          parent_delegation_id: d1[:delegation_id])
+      chain = tracker.chain(d2[:delegation_id])
+      expect(chain.size).to eq(2)
+      expect(chain.first[:from_agent_id]).to eq('a')
+      expect(chain.last[:from_agent_id]).to eq('b')
+    end
+  end
+
+  describe '#for_agent' do
+    it 'returns delegations involving an agent' do
+      tracker.create(from: 'a', to: 'b', task_context: 't1', consent_level: :execute)
+      tracker.create(from: 'a', to: 'c', task_context: 't2', consent_level: :execute)
+      tracker.create(from: 'x', to: 'y', task_context: 't3', consent_level: :execute)
+
+      results = tracker.for_agent('a')
+      expect(results.size).to eq(2)
+    end
+
+    it 'filters by status' do
+      d = tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      tracker.create(from: 'a', to: 'c', task_context: 't', consent_level: :execute)
+      tracker.complete(d[:delegation_id])
+
+      active = tracker.for_agent('a', status: :active)
+      expect(active.size).to eq(1)
+    end
+  end
+
+  describe '#stats' do
+    it 'returns summary statistics' do
+      tracker.create(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d = tracker.create(from: 'a', to: 'c', task_context: 't', consent_level: :execute)
+      tracker.complete(d[:delegation_id])
+
+      stats = tracker.stats
+      expect(stats[:total]).to eq(2)
+      expect(stats[:active]).to eq(1)
+    end
+  end
+end

data/spec/legion/extensions/mesh/helpers/peer_verify_spec.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'ed25519'
+
+RSpec.describe Legion::Extensions::Mesh::Helpers::PeerVerify do
+  let(:signing_key) { Ed25519::SigningKey.generate }
+  let(:verify_key) { signing_key.verify_key }
+  let(:private_key_b64) { Base64.strict_encode64(signing_key.to_bytes) }
+  let(:public_key_b64) { Base64.strict_encode64(verify_key.to_bytes) }
+
+  let(:peer_config) do
+    [{ org_id: 'acme', public_key: "ed25519:#{public_key_b64}",
+       capabilities: %w[query task], rate_limit: 5 }]
+  end
+
+  before do
+    described_class.reset_counters!
+    stub_const('Legion::Settings', Module.new) unless defined?(Legion::Settings)
+    allow(Legion::Settings).to receive(:dig).with(:mesh, :trusted_peers).and_return(peer_config)
+  end
+
+  describe '.sign_message' do
+    it 'signs a payload with Ed25519' do
+      result = described_class.sign_message({ hello: 'world' }, private_key_b64)
+      expect(result[:signature]).to be_a(String)
+      expect(result[:payload]).to eq({ hello: 'world' })
+    end
+  end
+
+  describe '.verify_message' do
+    it 'verifies a validly signed message' do
+      signed = described_class.sign_message({ hello: 'world' }, private_key_b64)
+      result = described_class.verify_message(signed, org_id: 'acme')
+      expect(result[:valid]).to be true
+      expect(result[:org_id]).to eq('acme')
+    end
+
+    it 'rejects a tampered message' do
+      signed = described_class.sign_message({ hello: 'world' }, private_key_b64)
+      signed[:signed_bytes] = 'tampered data'
+      result = described_class.verify_message(signed, org_id: 'acme')
+      expect(result[:valid]).to be false
+      expect(result[:reason]).to eq(:invalid_signature)
+    end
+
+    it 'rejects unknown peers' do
+      signed = described_class.sign_message({ hello: 'world' }, private_key_b64)
+      result = described_class.verify_message(signed, org_id: 'unknown-org')
+      expect(result[:valid]).to be false
+      expect(result[:reason]).to eq(:unknown_peer)
+    end
+  end
+
+  describe '.check_rate_limit' do
+    it 'allows messages within limit' do
+      result = described_class.check_rate_limit('acme')
+      expect(result[:allowed]).to be true
+    end
+
+    it 'blocks messages over limit' do
+      5.times { described_class.check_rate_limit('acme') }
+      result = described_class.check_rate_limit('acme')
+      expect(result[:allowed]).to be false
+      expect(result[:error]).to eq(:rate_limited)
+    end
+
+    it 'resets after window expires' do
+      5.times { described_class.check_rate_limit('acme') }
+      counters = described_class.instance_variable_get(:@counters)
+      counters['acme'][:window_start] = Time.now.utc - 61
+      result = described_class.check_rate_limit('acme')
+      expect(result[:allowed]).to be true
+    end
+  end
+end

data/spec/legion/extensions/mesh/helpers/registry_spec.rb

@@ -313,6 +313,32 @@ RSpec.describe Legion::Extensions::Mesh::Helpers::Registry do
     end
   end
 
+  describe 'gossip fields' do
+    it 'stores source, node, and generation on registration' do
+      registry.register_agent('agent-1', capabilities: [:test], source: :native, node: 'node-01')
+      agent = registry.agents['agent-1']
+      expect(agent[:source]).to eq(:native)
+      expect(agent[:node]).to eq('node-01')
+      expect(agent[:generation]).to eq(1)
+    end
+
+    it 'increments generation on heartbeat' do
+      registry.register_agent('agent-1', capabilities: [:test])
+      registry.heartbeat('agent-1')
+      expect(registry.agents['agent-1'][:generation]).to eq(2)
+    end
+  end
+
+  describe '#all_agents' do
+    it 'returns all agent records as an array' do
+      registry.register_agent('a1', capabilities: [:search])
+      registry.register_agent('a2', capabilities: [:compute])
+      all = registry.all_agents
+      expect(all).to be_an(Array)
+      expect(all.size).to eq(2)
+    end
+  end
+
   describe '#count' do
     it 'returns 0 for an empty registry' do
       expect(registry.count).to eq(0)

data/spec/legion/extensions/mesh/runners/delegation_spec.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Legion::Extensions::Mesh::Runners::Delegation do
+  subject { Object.new.extend(described_class) }
+
+  before do
+    subject.instance_variable_set(:@delegation_tracker, nil)
+  end
+
+  describe '#delegate' do
+    it 'creates a delegation' do
+      result = subject.delegate(from: 'a', to: 'b', task_context: 'task-1', consent_level: :execute)
+      expect(result[:success]).to be true
+      expect(result[:delegation_id]).to start_with('del-')
+      expect(result[:depth]).to eq(0)
+    end
+
+    it 'returns failure for depth exceeded' do
+      d1 = subject.delegate(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d2 = subject.delegate(from: 'b', to: 'c', task_context: 't', consent_level: :execute,
+                            parent_delegation_id: d1[:delegation_id])
+      d3 = subject.delegate(from: 'c', to: 'd', task_context: 't', consent_level: :execute,
+                            parent_delegation_id: d2[:delegation_id])
+      d4 = subject.delegate(from: 'd', to: 'e', task_context: 't', consent_level: :execute,
+                            parent_delegation_id: d3[:delegation_id])
+      expect(d4[:success]).to be false
+    end
+  end
+
+  describe '#complete_delegation' do
+    it 'completes an active delegation' do
+      d = subject.delegate(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      result = subject.complete_delegation(delegation_id: d[:delegation_id])
+      expect(result[:success]).to be true
+    end
+
+    it 'fails for non-existent delegation' do
+      result = subject.complete_delegation(delegation_id: 'del-fake')
+      expect(result[:success]).to be false
+    end
+  end
+
+  describe '#revoke_delegation' do
+    it 'revokes an active delegation' do
+      d = subject.delegate(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      result = subject.revoke_delegation(delegation_id: d[:delegation_id])
+      expect(result[:success]).to be true
+    end
+  end
+
+  describe '#delegation_chain' do
+    it 'returns the full chain' do
+      d1 = subject.delegate(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      d2 = subject.delegate(from: 'b', to: 'c', task_context: 't', consent_level: :execute,
+                            parent_delegation_id: d1[:delegation_id])
+      result = subject.delegation_chain(delegation_id: d2[:delegation_id])
+      expect(result[:success]).to be true
+      expect(result[:chain].size).to eq(2)
+      expect(result[:depth]).to eq(1)
+    end
+  end
+
+  describe '#agent_delegations' do
+    it 'lists delegations for an agent' do
+      subject.delegate(from: 'a', to: 'b', task_context: 't1', consent_level: :execute)
+      subject.delegate(from: 'a', to: 'c', task_context: 't2', consent_level: :execute)
+      result = subject.agent_delegations(agent_id: 'a')
+      expect(result[:success]).to be true
+      expect(result[:count]).to eq(2)
+    end
+  end
+
+  describe '#delegation_stats' do
+    it 'returns statistics' do
+      subject.delegate(from: 'a', to: 'b', task_context: 't', consent_level: :execute)
+      result = subject.delegation_stats
+      expect(result[:success]).to be true
+      expect(result[:total]).to eq(1)
+      expect(result[:active]).to eq(1)
+    end
+  end
+end

data/spec/legion/extensions/mesh/runners/mesh_gossip_spec.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Gossip runner methods' do
+  subject { Object.new.extend(Legion::Extensions::Mesh::Runners::Mesh) }
+
+  before do
+    allow(subject).to receive(:mesh_registry).and_return(
+      Legion::Extensions::Mesh::Helpers::Registry.new
+    )
+  end
+
+  describe '#merge_gossip' do
+    it 'adds unknown agents from incoming gossip' do
+      incoming = [
+        { agent_id: 'remote-1', capabilities: [:test], node: 'node-02',
+          source: :native, status: :online, generation: 5,
+          last_seen: Time.now.utc.to_s, registered_at: Time.now.utc.to_s }
+      ]
+      result = subject.merge_gossip(incoming_peers: incoming, sender: 'node-02')
+      expect(result[:success]).to be true
+      expect(result[:merged]).to eq(1)
+    end
+
+    it 'updates agents with higher generation' do
+      registry = subject.send(:mesh_registry)
+      registry.register_agent('agent-1', capabilities: [:old], node: 'node-01')
+
+      incoming = [
+        { agent_id: 'agent-1', capabilities: [:updated], node: 'node-01',
+          source: :native, status: :online, generation: 99,
+          last_seen: Time.now.utc.to_s, registered_at: Time.now.utc.to_s }
+      ]
+      result = subject.merge_gossip(incoming_peers: incoming, sender: 'node-01')
+      expect(result[:merged]).to eq(1)
+      expect(registry.agents['agent-1'][:generation]).to eq(99)
+    end
+
+    it 'skips agents from local node' do
+      local_name = 'local-node'
+      allow(subject).to receive(:local_node_name).and_return(local_name)
+
+      incoming = [
+        { agent_id: 'local-agent', node: local_name, generation: 1 }
+      ]
+      result = subject.merge_gossip(incoming_peers: incoming, sender: 'other-node')
+      expect(result[:merged]).to eq(0)
+    end
+
+    it 'ignores agents with lower or equal generation' do
+      registry = subject.send(:mesh_registry)
+      registry.register_agent('agent-1', capabilities: [:test], node: 'node-01')
+      # generation is 1 after register
+
+      incoming = [
+        { agent_id: 'agent-1', capabilities: [:test], node: 'node-01',
+          generation: 1, source: :native, status: :online }
+      ]
+      result = subject.merge_gossip(incoming_peers: incoming, sender: 'node-02')
+      expect(result[:merged]).to eq(0)
+    end
+  end
+
+  describe '#publish_gossip' do
+    it 'returns success with peer count' do
+      allow(subject).to receive(:publish_gossip_message)
+      result = subject.publish_gossip
+      expect(result[:success]).to be true
+      expect(result[:peers_broadcast]).to be_a(Integer)
+    end
+  end
+end

data/spec/legion/extensions/mesh/transport/messages/gossip_spec.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+unless defined?(Legion::Transport::Message)
+  module Legion
+    module Transport
+      class Message
+        def initialize(**options)
+          @options = options
+        end
+      end
+    end
+  end
+end
+
+unless defined?(Legion::Transport::Exchanges::Node)
+  module Legion
+    module Transport
+      module Exchanges
+        class Node # rubocop:disable Lint/EmptyClass
+        end
+      end
+    end
+  end
+end
+
+require 'legion/extensions/mesh/transport/messages/gossip'
+
+RSpec.describe Legion::Extensions::Mesh::Transport::Messages::Gossip do
+  subject do
+    described_class.new(
+      sender:       'node-01',
+      gossip_round: 5,
+      peers:        [{ agent_id: 'w1', capabilities: [:test], node: 'node-01', generation: 3 }]
+    )
+  end
+
+  it 'uses the node exchange' do
+    expect(subject.exchange).to eq(Legion::Transport::Exchanges::Node)
+  end
+
+  it 'routes to mesh.gossip' do
+    expect(subject.routing_key).to eq('mesh.gossip')
+  end
+
+  it 'includes sender and peers in the message body' do
+    msg = subject.message
+    expect(msg[:type]).to eq('mesh_gossip')
+    expect(msg[:sender]).to eq('node-01')
+    expect(msg[:peers]).to be_an(Array)
+    expect(msg[:gossip_round]).to eq(5)
+  end
+end

metadata

@@ -1,14 +1,42 @@
 --- !ruby/object:Gem::Specification
 name: lex-mesh
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.2.5
 platform: ruby
 authors:
 - Esity
 bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
-dependencies: []
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ed25519
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 description: Agent-to-agent mesh communication protocol for brain-modeled agentic
   AI
 email:
@@ -20,33 +48,45 @@ files:
 - Gemfile
 - lex-mesh.gemspec
 - lib/legion/extensions/mesh.rb
+- lib/legion/extensions/mesh/actors/gossip.rb
 - lib/legion/extensions/mesh/actors/heartbeat.rb
 - lib/legion/extensions/mesh/actors/pending_expiry.rb
 - lib/legion/extensions/mesh/actors/preference_listener.rb
 - lib/legion/extensions/mesh/actors/silence_watchdog.rb
 - lib/legion/extensions/mesh/client.rb
+- lib/legion/extensions/mesh/helpers/delegation.rb
+- lib/legion/extensions/mesh/helpers/peer_verify.rb
 - lib/legion/extensions/mesh/helpers/pending_requests.rb
 - lib/legion/extensions/mesh/helpers/preference_profile.rb
 - lib/legion/extensions/mesh/helpers/registry.rb
 - lib/legion/extensions/mesh/helpers/topology.rb
+- lib/legion/extensions/mesh/runners/delegation.rb
 - lib/legion/extensions/mesh/runners/mesh.rb
 - lib/legion/extensions/mesh/runners/preferences.rb
+- lib/legion/extensions/mesh/transport/messages/gossip.rb
 - lib/legion/extensions/mesh/transport/messages/mesh_departure.rb
 - lib/legion/extensions/mesh/transport/messages/preference_query.rb
 - lib/legion/extensions/mesh/transport/messages/preference_response.rb
+- lib/legion/extensions/mesh/transport/queues/gossip.rb
 - lib/legion/extensions/mesh/transport/queues/preference.rb
 - lib/legion/extensions/mesh/version.rb
+- spec/legion/extensions/mesh/actors/gossip_spec.rb
 - spec/legion/extensions/mesh/actors/heartbeat_spec.rb
 - spec/legion/extensions/mesh/actors/pending_expiry_spec.rb
 - spec/legion/extensions/mesh/actors/preference_listener_spec.rb
 - spec/legion/extensions/mesh/actors/silence_watchdog_spec.rb
 - spec/legion/extensions/mesh/client_spec.rb
+- spec/legion/extensions/mesh/helpers/delegation_spec.rb
+- spec/legion/extensions/mesh/helpers/peer_verify_spec.rb
 - spec/legion/extensions/mesh/helpers/pending_requests_spec.rb
 - spec/legion/extensions/mesh/helpers/preference_profile_spec.rb
 - spec/legion/extensions/mesh/helpers/registry_spec.rb
 - spec/legion/extensions/mesh/helpers/topology_spec.rb
+- spec/legion/extensions/mesh/runners/delegation_spec.rb
+- spec/legion/extensions/mesh/runners/mesh_gossip_spec.rb
 - spec/legion/extensions/mesh/runners/mesh_spec.rb
 - spec/legion/extensions/mesh/runners/preferences_spec.rb
+- spec/legion/extensions/mesh/transport/messages/gossip_spec.rb
 - spec/legion/extensions/mesh/transport/messages/mesh_departure_spec.rb
 - spec/legion/extensions/mesh/transport/messages/preference_query_spec.rb
 - spec/legion/extensions/mesh/transport/messages/preference_response_spec.rb