lex-validator 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 18b5db3a943ad18053278559b952dc861529612e72005265aafa89a3697b8d36
+  data.tar.gz: 5e71f61a7e71cdde4d6e1eacb7d96d026ab24b96f8b57b356f5b673d1a953da2
+SHA512:
+  metadata.gz: ef7ae53288a6e579a36af99a5243303d57c64763e69c2dff126e33c66a93b87d10c301a1b4b5e4ee26387127983b81c366817023410034f545f19ea1767c9f93
+  data.tar.gz: 24c331734f30d6a6ff8d63eee42a3f44ffcbeafe5ec09cfc78c4269934d39d04a5ae9fa0e26297af0ffe7a836494b3af506538540987bb275df1c1d0089dda77

data/.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    - cron: '0 9 * * 1'
+
+jobs:
+  ci:
+    uses: LegionIO/.github/.github/workflows/ci.yml@main
+
+  excluded-files:
+    uses: LegionIO/.github/.github/workflows/excluded-files.yml@main
+
+  security:
+    uses: LegionIO/.github/.github/workflows/security-scan.yml@main
+
+  version-changelog:
+    uses: LegionIO/.github/.github/workflows/version-changelog.yml@main
+
+  dependency-review:
+    uses: LegionIO/.github/.github/workflows/dependency-review.yml@main
+
+  stale:
+    if: github.event_name == 'schedule'
+    uses: LegionIO/.github/.github/workflows/stale.yml@main
+
+  release:
+    needs: [ci, excluded-files]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    uses: LegionIO/.github/.github/workflows/release.yml@main
+    secrets:
+      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}

data/.gitignore

@@ -0,0 +1,6 @@
+# Generated test artifacts
+.rspec_status
+tmp/
+*.gem
+pkg/
+Gemfile.lock

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rspec_status

@@ -0,0 +1,50 @@
+example_id                                                                      | status | run_time        |
+------------------------------------------------------------------------------- | ------ | --------------- |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:1]          | passed | 0.00032 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:2]          | passed | 0.00026 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:3]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:4]          | passed | 0.00043 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:5]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:6]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:7]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:8]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:1]          | passed | 0.00027 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:2]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:3]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:4]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:3:1]          | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:1:1] | passed | 0.00031 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:1:2] | passed | 0.00016 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:1:3] | passed | 0.001 seconds   |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:2:1] | passed | 0.00314 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:2:2] | passed | 0.00192 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:3:1] | passed | 0.00004 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:4:1] | passed | 0.00044 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:1:4:2] | passed | 0.00029 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:2:1]   | passed | 0.00024 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:2:2]   | passed | 0.00003 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:2:3]   | passed | 0.00025 seconds |
+./spec/legion/extensions/validator/helpers/review_orchestrator_spec.rb[1:3:1]   | passed | 0.00003 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:1:1]           | passed | 0.00004 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:1:2]           | passed | 0.00064 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:1:3]           | passed | 0.00003 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:1:4]           | passed | 0.00028 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:2:1]           | passed | 0.00004 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:2:2]           | passed | 0.0003 seconds  |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:2:3]           | passed | 0.00096 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:3:1]           | passed | 0.00028 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:3:2]           | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/helpers/test_runner_spec.rb[1:3:3]           | passed | 0.00002 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:1]             | passed | 0.00039 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:2]             | passed | 0.0003 seconds  |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:3]             | passed | 0.00054 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:4]             | passed | 0.00036 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:5]             | passed | 0.00065 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:6]             | passed | 0.00013 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:7:1]           | passed | 0.00035 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:8:1]           | passed | 0.00052 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:9:1]           | passed | 0.00027 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:10:1]          | passed | 0.00004 seconds |
+./spec/legion/extensions/validator/runners/validator_spec.rb[1:1:11]            | passed | 0.00043 seconds |
+./spec/legion/extensions/validator/version_spec.rb[1:1]                         | passed | 0.00009 seconds |
+./spec/legion/extensions/validator/version_spec.rb[1:2]                         | passed | 0.00002 seconds |

data/.rubocop.yml

@@ -0,0 +1,27 @@
+inherit_gem:
+  rubocop-legion: config/lex.yml
+
+Legion/Extension/RunnerReturnHash:
+  Enabled: false
+
+Legion/HelperMigration/LoggingGuard:
+  Enabled: false
+
+Naming/MethodParameterName:
+  AllowedNames:
+    - as
+    - at
+    - by
+    - cc
+    - db
+    - id
+    - if
+    - in
+    - io
+    - ip
+    - k
+    - of
+    - "on"
+    - os
+    - pp
+    - to

data/CLAUDE.md

@@ -0,0 +1,43 @@
+# lex-validator: Fleet Pipeline Validation
+
+**Level 3 Documentation**
+- **Parent**: `CLAUDE.md` (monorepo root)
+
+## Purpose
+
+Fourth and final stage of the Fleet Pipeline. Receives implemented work items, runs tests (rspec), lint (rubocop), security scan, and adversarial multi-model LLM review. Applies a quality gate with weighted scoring and renders a verdict (approved/rejected). Approved items route to the ship runner. Rejected items route back to the developer for feedback incorporation.
+
+**Gem**: `lex-validator`
+**Version**: 0.1.0
+**Namespace**: `Legion::Extensions::Validator`
+
+## Key Design Decisions
+
+- **Unanimity gate**: All k validators must approve. Any dissent = rejection. Fail closed on LLM errors.
+- **Own implementation**: `ReviewOrchestrator` is NOT inherited from lex-eval `AgenticReview`. Uses `Legion::LLM::Prompt.dispatch` with post-hoc JSON extraction to preserve pipeline tracing.
+- **Quality gate scoring** (absorbed from lex-factory): Completeness 35%, Correctness 35%, Quality 20%, Security 10%. Pass threshold >= 0.8.
+- **Intent variation**: Each reviewer gets a different `intent.capability` to encourage Router model diversity (MAKER paper).
+
+## Runners
+
+### `Runners::Validator`
+- `validate(work_item:, **)` -- Run tests, lint, security scan, adversarial review, quality gate, render verdict
+
+## Helpers
+
+- `Helpers::QualityGate` -- Weighted scoring with configurable threshold (absorbed from lex-factory)
+- `Helpers::TestRunner` -- Delegates to lex-exec for rspec, rubocop, security scan
+- `Helpers::ReviewOrchestrator` -- k-factor adversarial review with unanimity gate, varied intent per reviewer
+
+## Transport
+
+- Exchange: `lex.validator` (topic, durable)
+- Queue: `lex.validator.runners.validator` (durable, routing key `lex.validator.runners.validator.#`)
+
+## Development
+
+```bash
+bundle install
+bundle exec rspec
+bundle exec rubocop
+```

data/Gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.13'
+  gem 'rspec_junit_formatter'
+  gem 'rubocop', '~> 1.75'
+  gem 'rubocop-legion', '~> 0.1', require: false
+  gem 'rubocop-rspec'
+  gem 'simplecov'
+end

data/lex-validator.gemspec

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative 'lib/legion/extensions/validator/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'lex-validator'
+  spec.version       = Legion::Extensions::Validator::VERSION
+  spec.authors       = ['Esity']
+  spec.email         = ['matthewdiverson@gmail.com']
+
+  spec.summary       = 'Legion::Extensions::Validator'
+  spec.description   = 'Fleet pipeline validation: tests, lint, security scan, adversarial LLM review'
+  spec.homepage      = 'https://github.com/LegionIO/lex-validator'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 3.4'
+
+  spec.metadata['homepage_uri']          = spec.homepage
+  spec.metadata['source_code_uri']       = 'https://github.com/LegionIO/lex-validator'
+  spec.metadata['changelog_uri']         = 'https://github.com/LegionIO/lex-validator'
+  spec.metadata['documentation_uri']     = 'https://github.com/LegionIO/lex-validator'
+  spec.metadata['bug_tracker_uri']       = 'https://github.com/LegionIO/lex-validator/issues'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'concurrent-ruby', '>= 1.1'
+  spec.add_dependency 'legion-cache', '>= 1.3.11'
+  spec.add_dependency 'legion-crypt', '>= 1.4.9'
+  spec.add_dependency 'legion-data', '>= 1.4.17'
+  spec.add_dependency 'legion-json', '>= 1.2.1'
+  spec.add_dependency 'legion-llm', '>= 0.1'
+  spec.add_dependency 'legion-logging', '>= 1.3.2'
+  spec.add_dependency 'legion-settings', '>= 1.3.14'
+  spec.add_dependency 'legion-transport', '>= 1.3.9'
+
+  spec.add_development_dependency 'rspec', '~> 3.13'
+  spec.add_development_dependency 'rspec_junit_formatter'
+  spec.add_development_dependency 'rubocop', '~> 1.75'
+  spec.add_development_dependency 'rubocop-rspec'
+  spec.add_development_dependency 'simplecov'
+end

data/lib/legion/extensions/validator/actors/validator.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+return unless defined?(Legion::Extensions::Actors::Subscription)
+
+module Legion
+  module Extensions
+    module Validator
+      module Actor
+        class Validator < Legion::Extensions::Actors::Subscription
+          def runner_function
+            'validate'
+          end
+
+          def check_subtask?
+            true
+          end
+
+          def generate_task?
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/validator/helpers/quality_gate.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Validator
+      module Helpers
+        module QualityGate
+          module_function
+
+          WEIGHTS = {
+            completeness: 0.35,
+            correctness:  0.35,
+            quality:      0.20,
+            security:     0.10
+          }.freeze
+
+          DEFAULT_THRESHOLD = 0.8
+
+          def score(completeness:, correctness:, quality:, security:)
+            w = Legion::Settings.dig(:fleet, :validation, :quality_weights) || WEIGHTS
+
+            aggregate = (
+              (completeness * (w[:completeness] || WEIGHTS[:completeness])) +
+              (correctness * (w[:correctness] || WEIGHTS[:correctness])) +
+              (quality * (w[:quality] || WEIGHTS[:quality])) +
+              (security * (w[:security] || WEIGHTS[:security]))
+            ).round(3)
+
+            {
+              completeness: completeness,
+              correctness:  correctness,
+              quality:      quality,
+              security:     security,
+              aggregate:    aggregate
+            }
+          end
+
+          def passing?(score:, threshold: nil)
+            threshold ||= Legion::Settings.dig(:fleet, :validation, :quality_gate_threshold) || DEFAULT_THRESHOLD
+            score[:aggregate] >= threshold
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/validator/helpers/review_orchestrator.rb

@@ -0,0 +1,195 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'concurrent'
+
+module Legion
+  module Extensions
+    module Validator
+      module Helpers
+        module ReviewOrchestrator
+          extend self
+
+          REVIEW_PROMPT_TEMPLATE = <<~PROMPT
+            You are a senior code reviewer performing an adversarial review of a code change.
+            Your job is to find bugs, security issues, logic errors, and quality problems.
+
+            Be thorough and critical. If you see ANY issue, reject the change.
+
+            ## Work Item
+            Title: %<title>s
+            Repository: %<repo>s
+            Language: %<language>s
+
+            ## Diff
+            %<diff>s
+
+            ## Instructions
+            Respond with a JSON object inside a fenced code block:
+            ```json
+            {
+              "verdict": "approve" or "reject",
+              "confidence": 0.0 to 1.0,
+              "issues": ["list of specific issues found"],
+              "summary": "brief explanation of your verdict"
+            }
+            ```
+          PROMPT
+
+          REVIEW_SCHEMA = {
+            type:       :object,
+            properties: {
+              verdict:    { type: :string, enum: %w[approve reject] },
+              confidence: { type: :number, minimum: 0.0, maximum: 1.0 },
+              issues:     { type: :array, items: { type: :string } },
+              summary:    { type: :string }
+            },
+            required:   %i[verdict confidence issues summary]
+          }.freeze
+
+          CAPABILITY_LEVELS = %i[basic moderate reasoning].freeze
+
+          def review(work_item:, diff:, k:)
+            return { verdict: 'approved', reviews: [], merged_feedback: [] } if k.zero?
+
+            exclude = build_upstream_exclusion(work_item: work_item)
+            timeout = Legion::Settings.dig(:fleet, :llm, :validator_timeout_seconds) || 120
+
+            futures = (0...k).map do |i|
+              Concurrent::Future.execute do
+                run_single_review(work_item: work_item, diff: diff, index: i, exclude: exclude)
+              end
+            end
+
+            reviews = collect_reviews(futures: futures, timeout: timeout)
+            verdict = reviews.all? { |r| r[:verdict] == 'approve' } ? 'approved' : 'rejected'
+            merged_feedback = extract_merged_feedback(reviews: reviews)
+
+            { verdict: verdict, reviews: reviews, merged_feedback: merged_feedback }
+          end
+
+          def parse_review_response(content:)
+            json_str = extract_json(content)
+            parsed = ::JSON.parse(json_str, symbolize_names: true)
+            validate_review(parsed)
+          rescue ::JSON::ParserError, TypeError => e
+            { verdict: 'reject', confidence: 0.0,
+              issues: ["Failed to parse review response: #{e.message}"],
+              summary: 'Review response was not valid JSON' }
+          end
+
+          def intent_for_reviewer(index:, base_difficulty:)
+            base_idx = difficulty_to_capability_index(base_difficulty)
+            shifted = (base_idx + index) % CAPABILITY_LEVELS.size
+            { capability: CAPABILITY_LEVELS[shifted] }
+          end
+
+          private
+
+          def collect_reviews(futures:, timeout:)
+            futures.each_with_index.map do |future, i|
+              result = future.value(timeout)
+              next result unless result.nil?
+
+              if future.rejected?
+                { verdict: 'reject', confidence: 0.0,
+                  issues: ["Reviewer #{i} raised an unhandled exception: #{future.reason&.message}"],
+                  summary: 'Validator exception — fail closed' }
+              else
+                timeout_review(index: i, timeout: timeout)
+              end
+            end
+          end
+
+          def timeout_review(index:, timeout:)
+            { verdict: 'reject', confidence: 0.0,
+              issues: ["Reviewer #{index} timed out after #{timeout}s"],
+              summary: 'Validator timeout — fail closed' }
+          end
+
+          def extract_merged_feedback(reviews:)
+            reviews
+              .flat_map { |r| Array(r[:issues]) }
+              .reject(&:empty?)
+              .uniq
+          end
+
+          def run_single_review(work_item:, diff:, index:, exclude: {})
+            difficulty = work_item.dig(:config, :estimated_difficulty) || 0.5
+            intent = intent_for_reviewer(index: index, base_difficulty: difficulty)
+            prompt = build_review_prompt(work_item: work_item, diff: diff)
+
+            response = Legion::LLM::Prompt.dispatch(
+              prompt,
+              schema:  REVIEW_SCHEMA,
+              tools:   [],
+              exclude: exclude,
+              intent:  intent,
+              caller:  { extension: 'lex-validator', operation: "adversarial_review_#{index}" },
+              agent:   {
+                id:   "fleet:validator:reviewer_#{index}",
+                name: "Fleet Validator Reviewer #{index}",
+                type: :autonomous,
+                goal: "Review: #{work_item[:title]}"
+              },
+              tracing: {
+                trace_id:       work_item[:work_item_id],
+                correlation_id: work_item[:source_ref]
+              }
+            )
+
+            parse_review_response(content: response[:content])
+          rescue StandardError => e
+            { verdict: 'reject', confidence: 0.0,
+              issues: ["Reviewer #{index} failed: #{e.message}"],
+              summary: "LLM review error: #{e.message}" }
+          end
+
+          def build_review_prompt(work_item:, diff:)
+            format(
+              REVIEW_PROMPT_TEMPLATE,
+              title:    work_item[:title],
+              repo:     "#{work_item.dig(:repo, :owner)}/#{work_item.dig(:repo, :name)}",
+              language: work_item.dig(:repo, :language) || 'unknown',
+              diff:     diff
+            )
+          end
+
+          def build_upstream_exclusion(work_item:)
+            exclude = {}
+            Array(work_item.dig(:pipeline, :trace)).each do |t|
+              next unless t[:model]
+
+              (exclude[t[:provider]&.to_sym] ||= []) << t[:model]
+            end
+            exclude.each_value(&:uniq!)
+            exclude
+          end
+
+          def extract_json(content)
+            match = content.match(/```(?:json)?\s*\n?(.*?)\n?```/m)
+            return match[1].strip if match
+
+            content.strip
+          end
+
+          def validate_review(parsed)
+            parsed[:verdict] = parsed[:verdict]&.downcase || 'reject'
+            parsed[:confidence] = (parsed[:confidence] || 0.0).to_f.clamp(0.0, 1.0)
+            parsed[:issues] = Array(parsed[:issues])
+            parsed[:summary] = parsed[:summary] || ''
+            parsed
+          end
+
+          def difficulty_to_capability_index(difficulty)
+            case difficulty
+            when 0.0...0.3 then 0 # :basic
+            when 0.3...0.6 then 1 # :moderate
+            else 2                # :reasoning
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/validator/helpers/test_runner.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Validator
+      module Helpers
+        module TestRunner
+          module_function
+
+          def run_tests(worktree_path:, **_kwargs)
+            # In production, delegates to:
+            #   Legion::Extensions::Exec::Runners::Bundler.exec_rspec(path: worktree_path)
+            # Stubbed here — depends on lex-exec being available.
+            # Phase 1: Ruby only (bundle exec rspec).
+            {
+              success:       true,
+              total:         0,
+              passed:        0,
+              failures:      0,
+              pass_rate:     1.0,
+              output:        '',
+              worktree_path: worktree_path
+            }
+          end
+
+          def run_lint(worktree_path:, **_kwargs)
+            # In production, delegates to:
+            #   Legion::Extensions::Exec::Runners::Bundler.exec_rubocop(path: worktree_path)
+            # Stubbed here — depends on lex-exec being available.
+            # Phase 1: Ruby only (bundle exec rubocop).
+            {
+              success:       true,
+              offenses:      0,
+              clean:         true,
+              output:        '',
+              worktree_path: worktree_path
+            }
+          end
+
+          def run_security_scan(file_paths:, worktree_path:, **_kwargs)
+            # In production, delegates to:
+            #   Legion::Extensions::Eval::Evaluators::SecurityEvaluator.new.check(code: content)
+            # for each changed file. Phase 1: Ruby-only patterns.
+            # For non-Ruby repos, skip and note in review.
+            {
+              success:       true,
+              findings:      [],
+              clean:         true,
+              files_scanned: file_paths.size,
+              worktree_path: worktree_path
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/validator/runners/validator.rb

@@ -0,0 +1,206 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Validator
+      module Runners
+        module Validator
+          extend self
+
+          def validate(results: nil, work_item: nil, args: nil, **)
+            results = json_load(results) if results.is_a?(String)
+            work_item ||= results&.dig(:work_item) || args&.dig(:work_item)
+            raise ArgumentError, "work_item is nil in #{__method__}" if work_item.nil?
+
+            started_at = Time.now.utc.iso8601
+            validation_config = work_item.dig(:config, :validation) || {}
+
+            if validation_config[:enabled] == false
+              return build_result(work_item: work_item, verdict: 'approved',
+                                  score: perfect_score, issues: [], merged_feedback: [],
+                                  skip_reason: 'validation disabled', started_at: started_at)
+            end
+
+            check_tests_lint_security(work_item: work_item, config: validation_config) => {
+              test_result:, lint_result:, security_result:
+            }
+
+            early = pr_guard_check(work_item: work_item, started_at: started_at)
+            return early if early
+
+            review_result = run_review_if_enabled(work_item: work_item, config: validation_config)
+            score = build_score(test_result: test_result, lint_result: lint_result,
+                                security_result: security_result, review_result: review_result)
+            threshold = Legion::Settings.dig(:fleet, :validation, :quality_gate_threshold) || 0.8
+            verdict = determine_verdict(review_result: review_result, score: score, threshold: threshold)
+            merged_feedback = collect_feedback(review_result: review_result, test_result: test_result,
+                                               lint_result: lint_result, security_result: security_result)
+
+            build_result(work_item: work_item, verdict: verdict, score: score,
+                         issues: merged_feedback, merged_feedback: merged_feedback, started_at: started_at)
+          end
+
+          private
+
+          def check_tests_lint_security(work_item:, config:)
+            {
+              test_result:     run_tests_if_enabled(work_item: work_item, config: config),
+              lint_result:     run_lint_if_enabled(work_item: work_item, config: config),
+              security_result: run_security_if_enabled(work_item: work_item, config: config)
+            }
+          end
+
+          def pr_guard_check(work_item:, started_at:)
+            zero_score = Helpers::QualityGate.score(completeness: 0.0, correctness: 0.0,
+                                                    quality: 0.0, security: 0.0)
+            comment_result = check_pr_review_comments(work_item: work_item)
+            if comment_result[:unresolved_external].any?
+              msgs = comment_result[:unresolved_external].map { |c| c[:body] }
+              return build_result(work_item: work_item, verdict: 'rejected', score: zero_score,
+                                  issues: msgs, merged_feedback: msgs, started_at: started_at)
+            end
+
+            return if verify_pr_head_sha(work_item: work_item)
+
+            stale_msg = 'Stale diff: PR head SHA does not match developer push'
+            build_result(work_item: work_item, verdict: 'rejected', score: zero_score,
+                         issues: [stale_msg], merged_feedback: [stale_msg], started_at: started_at)
+          end
+
+          def run_tests_if_enabled(work_item:, config:)
+            return { success: true, pass_rate: 1.0, total: 0, failures: 0 } unless config[:run_tests]
+
+            worktree = cache_get("fleet:worktree:#{work_item[:work_item_id]}") || '/tmp'
+            Helpers::TestRunner.run_tests(worktree_path: worktree)
+          end
+
+          def run_lint_if_enabled(work_item:, config:)
+            return { success: true, offenses: 0, clean: true } unless config[:run_lint]
+
+            worktree = cache_get("fleet:worktree:#{work_item[:work_item_id]}") || '/tmp'
+            Helpers::TestRunner.run_lint(worktree_path: worktree)
+          end
+
+          def run_security_if_enabled(work_item:, config:)
+            return { success: true, findings: [], clean: true } unless config[:security_scan]
+
+            file_paths = Array(work_item.dig(:pipeline, :changes))
+            worktree = cache_get("fleet:worktree:#{work_item[:work_item_id]}") || '/tmp'
+            Helpers::TestRunner.run_security_scan(file_paths: file_paths, worktree_path: worktree)
+          end
+
+          def check_pr_review_comments(work_item:) # rubocop:disable Lint/UnusedMethodArgument
+            # In production, fetches via lex-github. Stubbed pending WS-02.
+            { unresolved_external: [] }
+          end
+
+          def verify_pr_head_sha(work_item:) # rubocop:disable Lint/UnusedMethodArgument
+            # In production, polls list_pull_request_commits. Stubbed pending WS-02.
+            true
+          end
+
+          def run_review_if_enabled(work_item:, config:)
+            return { verdict: 'approved', reviews: [], merged_feedback: [] } unless config[:adversarial_review]
+
+            k = work_item.dig(:config, :implementation, :validators) || 1
+            diff = fetch_diff(work_item: work_item)
+            Helpers::ReviewOrchestrator.review(work_item: work_item, diff: diff, k: k)
+          end
+
+          def fetch_diff(work_item:) # rubocop:disable Lint/UnusedMethodArgument
+            # In production, calls list_pull_request_files. Stubbed pending WS-02.
+            ''
+          end
+
+          def cache_get(key)
+            Legion::Cache.get(key) # rubocop:disable Legion/HelperMigration/DirectCache
+          end
+
+          def json_load(str)
+            Legion::JSON.load(str) # rubocop:disable Legion/HelperMigration/DirectJson
+          end
+
+          def build_score(test_result:, lint_result:, security_result:, review_result:)
+            completeness = test_result[:pass_rate]
+            # security_result[:clean] is intentionally counted in both `correctness` and `security` dimensions.
+            # A security finding halves correctness (0.35 weight) AND zeros out security (0.10 weight),
+            # creating a strong "fail closed" signal. This is intentional design.
+            correctness  = lint_result[:clean] && security_result[:clean] ? 1.0 : 0.5
+            quality      = review_result[:verdict] == 'approved' ? 1.0 : 0.3
+            security     = security_result[:clean] ? 1.0 : 0.0
+
+            Helpers::QualityGate.score(
+              completeness: completeness,
+              correctness:  correctness,
+              quality:      quality,
+              security:     security
+            )
+          end
+
+          def determine_verdict(review_result:, score:, threshold:)
+            return 'rejected' if review_result[:verdict] == 'rejected'
+            return 'approved' if Helpers::QualityGate.passing?(score: score, threshold: threshold)
+
+            'rejected'
+          end
+
+          def collect_feedback(review_result:, test_result:, lint_result:, security_result:)
+            feedback = Array(review_result[:merged_feedback])
+            feedback << 'Tests failing' if test_result[:failures].positive?
+            feedback << "Lint offenses: #{lint_result[:offenses]}" if lint_result[:offenses].positive?
+            feedback << "Security findings: #{security_result[:findings].size}" unless security_result[:clean]
+            feedback
+          end
+
+          def build_result(work_item:, verdict:, score:, issues:, merged_feedback:,
+                           started_at:, skip_reason: nil)
+            review_result = { verdict: verdict, score: score, issues: issues,
+                              merged_feedback: merged_feedback }
+            review_result[:skip_reason] = skip_reason if skip_reason
+
+            feedback_history = work_item.dig(:pipeline, :feedback_history) || []
+            if verdict == 'rejected'
+              feedback_history += [{
+                verdict: verdict,
+                issues:  merged_feedback,
+                round:   work_item.dig(:pipeline, :attempt) || 0
+              }]
+            end
+
+            work_item = work_item.merge(
+              pipeline: work_item[:pipeline].merge(
+                stage:            'validated',
+                review_result:    review_result,
+                feedback_history: feedback_history,
+                trace:            work_item[:pipeline][:trace] + [build_trace_entry(started_at: started_at)]
+              )
+            )
+
+            { success: true, work_item: work_item }
+          end
+
+          def perfect_score
+            Helpers::QualityGate.score(
+              completeness: 1.0,
+              correctness:  1.0,
+              quality:      1.0,
+              security:     1.0
+            )
+          end
+
+          def build_trace_entry(started_at: Time.now.utc.iso8601)
+            {
+              stage:        'validator',
+              node:         Legion::Settings[:client][:name],
+              model:        nil,
+              provider:     nil,
+              started_at:   started_at,
+              completed_at: Time.now.utc.iso8601,
+              token_usage:  {}
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/validator/transport/exchanges/validator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Validator
+      module Transport
+        module Exchanges
+          class Validator < Legion::Transport::Exchange
+            def exchange_name
+              'lex.validator'
+            end
+
+            def exchange_options
+              { type: 'topic', durable: true }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/validator/transport/queues/validator.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Validator
+      module Transport
+        module Queues
+          class Validator < Legion::Transport::Queue
+            def queue_name
+              'lex.validator.runners.validator'
+            end
+
+            def queue_options
+              { durable: true }
+            end
+
+            def routing_key
+              'lex.validator.runners.validator.#'
+            end
+
+            def exchange
+              Exchanges::Validator
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/validator/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Validator
+      VERSION = '0.1.0'
+    end
+  end
+end

data/lib/legion/extensions/validator.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative 'validator/version'
+require_relative 'validator/helpers/quality_gate'
+require_relative 'validator/helpers/test_runner'
+require_relative 'validator/helpers/review_orchestrator'
+require_relative 'validator/runners/validator'
+
+if defined?(Legion::Transport::Exchange)
+  require_relative 'validator/transport/exchanges/validator'
+  require_relative 'validator/transport/queues/validator'
+end
+
+require_relative 'validator/actors/validator'
+
+module Legion
+  module Extensions
+    module Validator
+      extend Legion::Extensions::Core if defined?(Legion::Extensions::Core)
+
+      def self.llm_required?
+        true
+      end
+    end
+  end
+end

data/tmp/rspec_progress.txt

@@ -0,0 +1,5 @@
+...............
+
+Finished in 0.00422 seconds (files took 0.65089 seconds to load)
+15 examples, 0 failures
+

data/tmp/rspec_results.json

@@ -0,0 +1 @@
+{"version":"3.13.6","examples":[{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:1]","description":"returns a score hash with aggregate","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score returns a score hash with aggregate","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":5,"run_time":0.000491,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:2]","description":"returns 1.0 aggregate for all perfect scores","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score returns 1.0 aggregate for all perfect scores","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":15,"run_time":0.000373,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:3]","description":"returns 0.0 aggregate for all zero scores","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score returns 0.0 aggregate for all zero scores","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":25,"run_time":0.00003,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:4]","description":"weights completeness at 35%","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score weights completeness at 35%","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":35,"run_time":0.000493,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:5]","description":"weights correctness at 35%","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score weights correctness at 35%","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":45,"run_time":0.000035,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:6]","description":"weights quality at 20%","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score weights quality at 20%","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":55,"run_time":0.000027,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:7]","description":"weights security at 10%","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score weights security at 10%","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":65,"run_time":0.000024,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:1:8]","description":"includes individual scores in the result","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.score includes individual scores in the result","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":75,"run_time":0.000025,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:1]","description":"returns true when aggregate >= threshold","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.passing? returns true when aggregate >= threshold","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":90,"run_time":0.00056,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:2]","description":"returns false when aggregate < threshold","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.passing? returns false when aggregate < threshold","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":95,"run_time":0.000028,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:3]","description":"uses custom threshold when provided","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.passing? uses custom threshold when provided","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":100,"run_time":0.000023,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:2:4]","description":"uses default threshold of 0.8","full_description":"Legion::Extensions::Validator::Helpers::QualityGate.passing? uses default threshold of 0.8","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":105,"run_time":0.000023,"pending_message":null},{"id":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb[1:3:1]","description":"sums to 1.0","full_description":"Legion::Extensions::Validator::Helpers::QualityGate WEIGHTS sums to 1.0","status":"passed","file_path":"./spec/legion/extensions/validator/helpers/quality_gate_spec.rb","line_number":115,"run_time":0.000026,"pending_message":null},{"id":"./spec/legion/extensions/validator/version_spec.rb[1:1]","description":"is defined","full_description":"Legion::Extensions::Validator::VERSION is defined","status":"passed","file_path":"./spec/legion/extensions/validator/version_spec.rb","line_number":4,"run_time":0.000541,"pending_message":null},{"id":"./spec/legion/extensions/validator/version_spec.rb[1:2]","description":"is a valid semver string","full_description":"Legion::Extensions::Validator::VERSION is a valid semver string","status":"passed","file_path":"./spec/legion/extensions/validator/version_spec.rb","line_number":8,"run_time":0.000425,"pending_message":null}],"summary":{"duration":0.004223,"example_count":15,"failure_count":0,"pending_count":0,"errors_outside_of_examples_count":0},"summary_line":"15 examples, 0 failures"}

metadata

@@ -0,0 +1,262 @@
+--- !ruby/object:Gem::Specification
+name: lex-validator
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Esity
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: legion-cache
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.11
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.11
+- !ruby/object:Gem::Dependency
+  name: legion-crypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.9
+- !ruby/object:Gem::Dependency
+  name: legion-data
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.17
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.17
+- !ruby/object:Gem::Dependency
+  name: legion-json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.1
+- !ruby/object:Gem::Dependency
+  name: legion-llm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: legion-logging
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+- !ruby/object:Gem::Dependency
+  name: legion-settings
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.14
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.14
+- !ruby/object:Gem::Dependency
+  name: legion-transport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.9
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.75'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.75'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 'Fleet pipeline validation: tests, lint, security scan, adversarial LLM
+  review'
+email:
+- matthewdiverson@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rspec"
+- ".rspec_status"
+- ".rubocop.yml"
+- CLAUDE.md
+- Gemfile
+- lex-validator.gemspec
+- lib/legion/extensions/validator.rb
+- lib/legion/extensions/validator/actors/validator.rb
+- lib/legion/extensions/validator/helpers/quality_gate.rb
+- lib/legion/extensions/validator/helpers/review_orchestrator.rb
+- lib/legion/extensions/validator/helpers/test_runner.rb
+- lib/legion/extensions/validator/runners/validator.rb
+- lib/legion/extensions/validator/transport/exchanges/validator.rb
+- lib/legion/extensions/validator/transport/queues/validator.rb
+- lib/legion/extensions/validator/version.rb
+- tmp/rspec_progress.txt
+- tmp/rspec_results.json
+homepage: https://github.com/LegionIO/lex-validator
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/LegionIO/lex-validator
+  source_code_uri: https://github.com/LegionIO/lex-validator
+  changelog_uri: https://github.com/LegionIO/lex-validator
+  documentation_uri: https://github.com/LegionIO/lex-validator
+  bug_tracker_uri: https://github.com/LegionIO/lex-validator/issues
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.4'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Legion::Extensions::Validator
+test_files: []