lex-vault 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 526747f6bb118dd5ab02d67692f4ee8bc76420f3a061ae05a31efab4ec8617ca
+  data.tar.gz: 7310bf9354246b6997d10e208d9dae190fd205bfea113a67d88676f98f8cd3a6
+SHA512:
+  metadata.gz: 359d0220a0aaf429cb445e91e6faca5a7ff9e8720efd37ca5e61145af56b3db118370f1e9fb994495e8c6efbef5cbb33a2d91e64e4dab66d5372798a8c6b4563
+  data.tar.gz: dba4904895ccf4637fafc5a3bc35fc9a27d448b410ffbfb0d47c6bca1d5c659ac23d00c6fc81d13362e46509c8d1449c3d00077edb159f066176488311bcd888

data/.github/workflows/ci.yml

@@ -0,0 +1,16 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  ci:
+    uses: LegionIO/.github/.github/workflows/ci.yml@main
+
+  release:
+    needs: ci
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    uses: LegionIO/.github/.github/workflows/release.yml@main
+    secrets:
+      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,53 @@
+AllCops:
+  TargetRubyVersion: 3.4
+  NewCops: enable
+  SuggestExtensions: false
+
+Layout/LineLength:
+  Max: 160
+
+Layout/SpaceAroundEqualsInParameterDefault:
+  EnforcedStyle: space
+
+Layout/HashAlignment:
+  EnforcedHashRocketStyle: table
+  EnforcedColonStyle: table
+
+Metrics/MethodLength:
+  Max: 50
+
+Metrics/ClassLength:
+  Max: 1500
+
+Metrics/ModuleLength:
+  Max: 1500
+
+Metrics/BlockLength:
+  Max: 40
+  Exclude:
+    - 'spec/**/*_spec.rb'
+
+Metrics/ParameterLists:
+  Max: 8
+
+Metrics/AbcSize:
+  Max: 60
+
+Metrics/CyclomaticComplexity:
+  Max: 15
+
+Metrics/PerceivedComplexity:
+  Max: 17
+
+Style/Documentation:
+  Enabled: false
+
+Style/SymbolArray:
+  Enabled: true
+
+Style/FrozenStringLiteralComment:
+  Enabled: true
+  EnforcedStyle: always
+
+Naming/FileName:
+  Enabled: false

data/CHANGELOG.md

@@ -0,0 +1,6 @@
+# Changelog
+
+## [0.1.0] - 2026-03-13
+
+### Added
+- Initial release

data/CLAUDE.md

@@ -0,0 +1,50 @@
+# lex-vault: HashiCorp Vault Integration for LegionIO
+
+**Repository Level 3 Documentation**
+- **Parent (Level 2)**: `/Users/miverso2/rubymine/legion/extensions/CLAUDE.md`
+- **Parent (Level 1)**: `/Users/miverso2/rubymine/legion/CLAUDE.md`
+
+## Purpose
+
+Legion Extension that connects LegionIO to HashiCorp Vault. Provides runners for system operations, KV v2 secrets, token auth, Transit encryption, PKI certificates, and lease management.
+
+**GitHub**: https://github.com/LegionIO/lex-vault
+**License**: MIT
+
+## Architecture
+
+```
+Legion::Extensions::Vault
+├── Runners/
+│   ├── System            # Health, seal/unseal, mounts, auth, policies
+│   ├── Kv                # KV v2: read/write/delete/list secrets + metadata
+│   ├── Token             # Token auth: create/lookup/renew/revoke + roles
+│   ├── Transit           # Encrypt/decrypt/sign/verify/hash/random
+│   ├── Pki               # Issue/sign/revoke certs, CA chain, roles
+│   └── Leases            # Lookup/renew/revoke leases
+├── Helpers/
+│   └── Client            # Faraday connection builder (X-Vault-Token + namespace)
+└── Client                # Standalone client class (includes all runners)
+```
+
+## Dependencies
+
+| Gem | Purpose |
+|-----|---------|
+| `faraday` | HTTP client for Vault REST API |
+
+## Connection
+
+The client accepts `address` (matching Vault's `VAULT_ADDR`), `token`, and optional `namespace` (Enterprise). All API calls go through `/v1/` prefix.
+
+## Testing
+
+```bash
+bundle install
+bundle exec rspec
+bundle exec rubocop
+```
+
+---
+
+**Maintained By**: Matthew Iverson (@Esity)

data/Dockerfile

@@ -0,0 +1,6 @@
+FROM legionio/legion
+
+COPY . /usr/src/app/lex-vault
+
+WORKDIR /usr/src/app/lex-vault
+RUN bundle install

data/Gemfile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec
+
+group :test do
+  gem 'rake'
+  gem 'rspec'
+  gem 'rspec_junit_formatter'
+  gem 'rubocop'
+  gem 'simplecov'
+end

data/Gemfile.lock

@@ -0,0 +1,98 @@
+PATH
+  remote: .
+  specs:
+    lex-vault (0.1.0)
+      faraday (>= 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.9)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    bigdecimal (4.0.1)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
+    faraday (2.14.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
+    json (2.19.1)
+    json-schema (6.2.0)
+      addressable (~> 2.8)
+      bigdecimal (>= 3.1, < 5)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    mcp (0.8.0)
+      json-schema (>= 4.1)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    parallel (1.27.0)
+    parser (3.3.10.2)
+      ast (~> 2.4.1)
+      racc
+    prism (1.9.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.3.1)
+    regexp_parser (2.11.3)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
+    rspec_junit_formatter (0.6.0)
+      rspec-core (>= 2, < 4, != 2.12.0)
+    rubocop (1.85.1)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      mcp (~> 0.6)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    ruby-progressbar (1.13.0)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
+
+PLATFORMS
+  arm64-darwin-25
+  ruby
+
+DEPENDENCIES
+  lex-vault!
+  rake
+  rspec
+  rspec_junit_formatter
+  rubocop
+  simplecov
+
+BUNDLED WITH
+   2.6.9

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Esity
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,64 @@
+# lex-vault
+
+HashiCorp Vault integration for [LegionIO](https://github.com/LegionIO/LegionIO). Provides runners for interacting with the Vault HTTP API covering system operations, KV v2 secrets, token auth, Transit encryption, PKI certificates, and lease management.
+
+## Installation
+
+```bash
+gem install lex-vault
+```
+
+## Functions
+
+### System
+`health`, `seal_status`, `seal`, `unseal`, `init`, `list_mounts`, `mount`, `unmount`, `list_auth`, `enable_auth`, `disable_auth`, `list_policies`, `get_policy`, `put_policy`, `delete_policy`
+
+### KV (v2 Secrets)
+`read_secret`, `write_secret`, `patch_secret`, `delete_secret`, `delete_versions`, `undelete_versions`, `destroy_versions`, `list_secrets`, `read_metadata`, `write_metadata`, `delete_metadata`
+
+### Token
+`create_token`, `lookup_token`, `lookup_self`, `renew_token`, `renew_self`, `revoke_token`, `revoke_self`, `list_accessors`, `list_token_roles`, `get_token_role`, `create_token_role`, `delete_token_role`
+
+### Transit
+`create_key`, `read_key`, `list_keys`, `delete_key`, `rotate_key`, `encrypt`, `decrypt`, `rewrap`, `datakey`, `sign`, `verify`, `hash_data`, `random_bytes`
+
+### PKI
+`issue`, `sign_csr`, `revoke`, `list_certs`, `get_cert`, `ca_chain`, `list_pki_roles`, `get_pki_role`, `create_pki_role`, `tidy`
+
+### Leases
+`lookup_lease`, `renew_lease`, `revoke_lease`, `list_leases`
+
+## Standalone Usage
+
+```ruby
+require 'legion/extensions/vault'
+
+client = Legion::Extensions::Vault::Client.new(
+  address: 'https://vault.example.com',
+  token: 'hvs.your-token',
+  namespace: 'admin/team1' # optional, Enterprise only
+)
+
+# Read a secret
+client.read_secret(path: 'myapp/config')
+
+# Write a secret
+client.write_secret(path: 'myapp/config', data: { api_key: 'secret123' })
+
+# Encrypt with Transit
+client.encrypt(name: 'my-key', plaintext: Base64.strict_encode64('hello'))
+
+# Issue a PKI certificate
+client.issue(role: 'web-server', common_name: 'app.example.com')
+```
+
+## Requirements
+
+- Ruby >= 3.4
+- [LegionIO](https://github.com/LegionIO/LegionIO) framework (optional for standalone client usage)
+- HashiCorp Vault server (any version with HTTP API v1)
+- `faraday` >= 2.0
+
+## License
+
+MIT

data/lex-vault.gemspec

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative 'lib/legion/extensions/vault/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'lex-vault'
+  spec.version       = Legion::Extensions::Vault::VERSION
+  spec.authors       = ['Esity']
+  spec.email         = ['matthewdiverson@gmail.com']
+
+  spec.summary       = 'LEX Vault'
+  spec.description   = 'Connects LegionIO to HashiCorp Vault'
+  spec.homepage      = 'https://github.com/LegionIO/lex-vault'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 3.4'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/LegionIO/lex-vault'
+  spec.metadata['documentation_uri'] = 'https://github.com/LegionIO/lex-vault'
+  spec.metadata['changelog_uri'] = 'https://github.com/LegionIO/lex-vault'
+  spec.metadata['bug_tracker_uri'] = 'https://github.com/LegionIO/lex-vault/issues'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'faraday', '>= 2.0'
+end

data/lib/legion/extensions/vault/client.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/helpers/client'
+require 'legion/extensions/vault/runners/system'
+require 'legion/extensions/vault/runners/kv'
+require 'legion/extensions/vault/runners/token'
+require 'legion/extensions/vault/runners/transit'
+require 'legion/extensions/vault/runners/pki'
+require 'legion/extensions/vault/runners/leases'
+
+module Legion
+  module Extensions
+    module Vault
+      class Client
+        include Helpers::Client
+        include Runners::System
+        include Runners::Kv
+        include Runners::Token
+        include Runners::Transit
+        include Runners::Pki
+        include Runners::Leases
+
+        attr_reader :opts
+
+        def initialize(address: 'http://127.0.0.1:8200', token: nil, namespace: nil, **extra)
+          @opts = { address: address, token: token, namespace: namespace, **extra }
+        end
+
+        def connection(**override)
+          super(**@opts.merge(override))
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/helpers/client.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'faraday'
+
+module Legion
+  module Extensions
+    module Vault
+      module Helpers
+        module Client
+          def connection(address: 'http://127.0.0.1:8200', token: nil, namespace: nil, **_opts)
+            Faraday.new(url: address) do |conn|
+              conn.request :json
+              conn.response :json, content_type: /\bjson$/
+              conn.headers['X-Vault-Token'] = token if token
+              conn.headers['X-Vault-Namespace'] = namespace if namespace
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/runners/kv.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/helpers/client'
+
+module Legion
+  module Extensions
+    module Vault
+      module Runners
+        module Kv
+          include Legion::Extensions::Vault::Helpers::Client
+
+          def read_secret(path:, mount: 'secret', version: nil, **)
+            url = "/v1/#{mount}/data/#{path}"
+            params = version ? { version: version } : {}
+            response = connection(**).get(url, params)
+            { result: response.body }
+          end
+
+          def write_secret(path:, data:, mount: 'secret', cas: nil, **)
+            url = "/v1/#{mount}/data/#{path}"
+            body = { data: data }
+            body[:options] = { cas: cas } if cas
+            response = connection(**).post(url, body)
+            { result: response.body }
+          end
+
+          def patch_secret(path:, data:, mount: 'secret', **)
+            url = "/v1/#{mount}/data/#{path}"
+            conn = connection(**)
+            conn.headers['Content-Type'] = 'application/merge-patch+json'
+            response = conn.patch(url, { data: data })
+            { result: response.body }
+          end
+
+          def delete_secret(path:, mount: 'secret', **)
+            response = connection(**).delete("/v1/#{mount}/data/#{path}")
+            { result: response.status == 204 }
+          end
+
+          def delete_versions(path:, versions:, mount: 'secret', **)
+            response = connection(**).post("/v1/#{mount}/delete/#{path}", { versions: versions })
+            { result: response.status == 204 }
+          end
+
+          def undelete_versions(path:, versions:, mount: 'secret', **)
+            response = connection(**).post("/v1/#{mount}/undelete/#{path}", { versions: versions })
+            { result: response.status == 204 }
+          end
+
+          def destroy_versions(path:, versions:, mount: 'secret', **)
+            response = connection(**).put("/v1/#{mount}/destroy/#{path}", { versions: versions })
+            { result: response.status == 204 }
+          end
+
+          def list_secrets(path:, mount: 'secret', **)
+            response = connection(**).get("/v1/#{mount}/metadata/#{path}", { list: true })
+            { result: response.body }
+          end
+
+          def read_metadata(path:, mount: 'secret', **)
+            response = connection(**).get("/v1/#{mount}/metadata/#{path}")
+            { result: response.body }
+          end
+
+          def write_metadata(path:, mount: 'secret', max_versions: nil, cas_required: nil, delete_version_after: nil, **)
+            body = { max_versions: max_versions, cas_required: cas_required,
+                     delete_version_after: delete_version_after }.compact
+            response = connection(**).post("/v1/#{mount}/metadata/#{path}", body)
+            { result: response.status == 204 }
+          end
+
+          def delete_metadata(path:, mount: 'secret', **)
+            response = connection(**).delete("/v1/#{mount}/metadata/#{path}")
+            { result: response.status == 204 }
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/runners/leases.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/helpers/client'
+
+module Legion
+  module Extensions
+    module Vault
+      module Runners
+        module Leases
+          include Legion::Extensions::Vault::Helpers::Client
+
+          def lookup_lease(lease_id:, **)
+            response = connection(**).put('/v1/sys/leases/lookup', { lease_id: lease_id })
+            { result: response.body }
+          end
+
+          def renew_lease(lease_id:, increment: nil, **)
+            body = { lease_id: lease_id, increment: increment }.compact
+            response = connection(**).put('/v1/sys/leases/renew', body)
+            { result: response.body }
+          end
+
+          def revoke_lease(lease_id:, **)
+            response = connection(**).put('/v1/sys/leases/revoke', { lease_id: lease_id })
+            { result: response.status == 204 }
+          end
+
+          def list_leases(prefix:, **)
+            response = connection(**).get("/v1/sys/leases/lookup/#{prefix}", { list: true })
+            { result: response.body }
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/runners/pki.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/helpers/client'
+
+module Legion
+  module Extensions
+    module Vault
+      module Runners
+        module Pki
+          include Legion::Extensions::Vault::Helpers::Client
+
+          def issue(role:, common_name:, mount: 'pki', alt_names: nil, ttl: nil, **)
+            body = { common_name: common_name, alt_names: alt_names, ttl: ttl }.compact
+            response = connection(**).post("/v1/#{mount}/issue/#{role}", body)
+            { result: response.body }
+          end
+
+          def sign_csr(role:, csr:, common_name:, mount: 'pki', alt_names: nil, ttl: nil, **)
+            body = { csr: csr, common_name: common_name, alt_names: alt_names, ttl: ttl }.compact
+            response = connection(**).post("/v1/#{mount}/sign/#{role}", body)
+            { result: response.body }
+          end
+
+          def revoke(serial_number:, mount: 'pki', **)
+            response = connection(**).post("/v1/#{mount}/revoke", { serial_number: serial_number })
+            { result: response.body }
+          end
+
+          def list_certs(mount: 'pki', **)
+            response = connection(**).get("/v1/#{mount}/certs", { list: true })
+            { result: response.body }
+          end
+
+          def get_cert(serial:, mount: 'pki', **)
+            response = connection(**).get("/v1/#{mount}/cert/#{serial}")
+            { result: response.body }
+          end
+
+          def ca_chain(mount: 'pki', **)
+            response = connection(**).get("/v1/#{mount}/ca_chain")
+            { result: response.body }
+          end
+
+          def list_pki_roles(mount: 'pki', **)
+            response = connection(**).get("/v1/#{mount}/roles", { list: true })
+            { result: response.body }
+          end
+
+          def get_pki_role(role_name:, mount: 'pki', **)
+            response = connection(**).get("/v1/#{mount}/roles/#{role_name}")
+            { result: response.body }
+          end
+
+          def create_pki_role(role_name:, mount: 'pki', allowed_domains: nil, allow_subdomains: nil, max_ttl: nil, **)
+            body = { allowed_domains: allowed_domains, allow_subdomains: allow_subdomains,
+                     max_ttl: max_ttl }.compact
+            response = connection(**).post("/v1/#{mount}/roles/#{role_name}", body)
+            { result: response.status == 204 }
+          end
+
+          def tidy(mount: 'pki', tidy_cert_store: true, tidy_revoked_certs: true, **)
+            body = { tidy_cert_store: tidy_cert_store, tidy_revoked_certs: tidy_revoked_certs }
+            response = connection(**).post("/v1/#{mount}/tidy", body)
+            { result: response.body }
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/runners/system.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/helpers/client'
+
+module Legion
+  module Extensions
+    module Vault
+      module Runners
+        module System
+          include Legion::Extensions::Vault::Helpers::Client
+
+          def health(**)
+            response = connection(**).get('/v1/sys/health')
+            { result: response.body }
+          end
+
+          def seal_status(**)
+            response = connection(**).get('/v1/sys/seal-status')
+            { result: response.body }
+          end
+
+          def seal(**)
+            response = connection(**).put('/v1/sys/seal')
+            { result: response.status == 204 }
+          end
+
+          def unseal(key:, **)
+            response = connection(**).put('/v1/sys/unseal', { key: key })
+            { result: response.body }
+          end
+
+          def init(secret_shares: 5, secret_threshold: 3, **)
+            body = { secret_shares: secret_shares, secret_threshold: secret_threshold }
+            response = connection(**).put('/v1/sys/init', body)
+            { result: response.body }
+          end
+
+          def list_mounts(**)
+            response = connection(**).get('/v1/sys/mounts')
+            { result: response.body }
+          end
+
+          def mount(path:, type:, description: nil, config: nil, **)
+            body = { type: type, description: description, config: config }.compact
+            response = connection(**).post("/v1/sys/mounts/#{path}", body)
+            { result: response.status == 204 }
+          end
+
+          def unmount(path:, **)
+            response = connection(**).delete("/v1/sys/mounts/#{path}")
+            { result: response.status == 204 }
+          end
+
+          def list_auth(**)
+            response = connection(**).get('/v1/sys/auth')
+            { result: response.body }
+          end
+
+          def enable_auth(path:, type:, description: nil, **)
+            body = { type: type, description: description }.compact
+            response = connection(**).post("/v1/sys/auth/#{path}", body)
+            { result: response.status == 204 }
+          end
+
+          def disable_auth(path:, **)
+            response = connection(**).delete("/v1/sys/auth/#{path}")
+            { result: response.status == 204 }
+          end
+
+          def list_policies(**)
+            response = connection(**).get('/v1/sys/policies/acl')
+            { result: response.body }
+          end
+
+          def get_policy(name:, **)
+            response = connection(**).get("/v1/sys/policies/acl/#{name}")
+            { result: response.body }
+          end
+
+          def put_policy(name:, policy:, **)
+            response = connection(**).put("/v1/sys/policies/acl/#{name}", { policy: policy })
+            { result: response.status == 204 }
+          end
+
+          def delete_policy(name:, **)
+            response = connection(**).delete("/v1/sys/policies/acl/#{name}")
+            { result: response.status == 204 }
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/runners/token.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/helpers/client'
+
+module Legion
+  module Extensions
+    module Vault
+      module Runners
+        module Token
+          include Legion::Extensions::Vault::Helpers::Client
+
+          def create_token(policies: nil, ttl: nil, renewable: nil, display_name: nil, role_name: nil, **)
+            body = { policies: policies, ttl: ttl, renewable: renewable, display_name: display_name }.compact
+            path = role_name ? "/v1/auth/token/create/#{role_name}" : '/v1/auth/token/create'
+            response = connection(**).post(path, body)
+            { result: response.body }
+          end
+
+          def lookup_token(token_to_lookup:, **)
+            response = connection(**).post('/v1/auth/token/lookup', { token: token_to_lookup })
+            { result: response.body }
+          end
+
+          def lookup_self(**)
+            response = connection(**).get('/v1/auth/token/lookup-self')
+            { result: response.body }
+          end
+
+          def renew_token(token_to_renew:, increment: nil, **)
+            body = { token: token_to_renew, increment: increment }.compact
+            response = connection(**).post('/v1/auth/token/renew', body)
+            { result: response.body }
+          end
+
+          def renew_self(increment: nil, **)
+            body = increment ? { increment: increment } : {}
+            response = connection(**).post('/v1/auth/token/renew-self', body)
+            { result: response.body }
+          end
+
+          def revoke_token(token_to_revoke:, **)
+            response = connection(**).post('/v1/auth/token/revoke', { token: token_to_revoke })
+            { result: response.status == 204 }
+          end
+
+          def revoke_self(**)
+            response = connection(**).post('/v1/auth/token/revoke-self')
+            { result: response.status == 204 }
+          end
+
+          def list_accessors(**)
+            response = connection(**).get('/v1/auth/token/accessors', { list: true })
+            { result: response.body }
+          end
+
+          def list_token_roles(**)
+            response = connection(**).get('/v1/auth/token/roles', { list: true })
+            { result: response.body }
+          end
+
+          def get_token_role(role_name:, **)
+            response = connection(**).get("/v1/auth/token/roles/#{role_name}")
+            { result: response.body }
+          end
+
+          def create_token_role(role_name:, allowed_policies: nil, orphan: nil, renewable: nil, token_ttl: nil, **)
+            body = { allowed_policies: allowed_policies, orphan: orphan, renewable: renewable,
+                     token_ttl: token_ttl }.compact
+            response = connection(**).post("/v1/auth/token/roles/#{role_name}", body)
+            { result: response.status == 204 }
+          end
+
+          def delete_token_role(role_name:, **)
+            response = connection(**).delete("/v1/auth/token/roles/#{role_name}")
+            { result: response.status == 204 }
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/runners/transit.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/helpers/client'
+
+module Legion
+  module Extensions
+    module Vault
+      module Runners
+        module Transit
+          include Legion::Extensions::Vault::Helpers::Client
+
+          def create_key(name:, mount: 'transit', type: nil, **)
+            body = type ? { type: type } : {}
+            response = connection(**).post("/v1/#{mount}/keys/#{name}", body)
+            { result: response.status == 204 }
+          end
+
+          def read_key(name:, mount: 'transit', **)
+            response = connection(**).get("/v1/#{mount}/keys/#{name}")
+            { result: response.body }
+          end
+
+          def list_keys(mount: 'transit', **)
+            response = connection(**).get("/v1/#{mount}/keys", { list: true })
+            { result: response.body }
+          end
+
+          def delete_key(name:, mount: 'transit', **)
+            response = connection(**).delete("/v1/#{mount}/keys/#{name}")
+            { result: response.status == 204 }
+          end
+
+          def rotate_key(name:, mount: 'transit', **)
+            response = connection(**).post("/v1/#{mount}/keys/#{name}/rotate")
+            { result: response.status == 204 }
+          end
+
+          def encrypt(name:, plaintext:, mount: 'transit', context: nil, **)
+            body = { plaintext: plaintext, context: context }.compact
+            response = connection(**).post("/v1/#{mount}/encrypt/#{name}", body)
+            { result: response.body }
+          end
+
+          def decrypt(name:, ciphertext:, mount: 'transit', context: nil, **)
+            body = { ciphertext: ciphertext, context: context }.compact
+            response = connection(**).post("/v1/#{mount}/decrypt/#{name}", body)
+            { result: response.body }
+          end
+
+          def rewrap(name:, ciphertext:, mount: 'transit', **)
+            response = connection(**).post("/v1/#{mount}/rewrap/#{name}", { ciphertext: ciphertext })
+            { result: response.body }
+          end
+
+          def datakey(name:, key_type: 'plaintext', mount: 'transit', **)
+            response = connection(**).post("/v1/#{mount}/datakey/#{key_type}/#{name}")
+            { result: response.body }
+          end
+
+          def sign(name:, input:, mount: 'transit', hash_algorithm: nil, **)
+            body = { input: input, hash_algorithm: hash_algorithm }.compact
+            path = "/v1/#{mount}/sign/#{name}"
+            response = connection(**).post(path, body)
+            { result: response.body }
+          end
+
+          def verify(name:, input:, signature:, mount: 'transit', hash_algorithm: nil, **)
+            body = { input: input, signature: signature, hash_algorithm: hash_algorithm }.compact
+            path = "/v1/#{mount}/verify/#{name}"
+            response = connection(**).post(path, body)
+            { result: response.body }
+          end
+
+          def hash_data(input:, mount: 'transit', algorithm: 'sha2-256', **)
+            response = connection(**).post("/v1/#{mount}/hash/#{algorithm}", { input: input })
+            { result: response.body }
+          end
+
+          def random_bytes(bytes: 32, mount: 'transit', format: 'base64', **)
+            response = connection(**).post("/v1/#{mount}/random/#{bytes}", { format: format })
+            { result: response.body }
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/vault/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Vault
+      VERSION = '0.1.0'
+    end
+  end
+end

data/lib/legion/extensions/vault.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/vault/version'
+require 'legion/extensions/vault/helpers/client'
+require 'legion/extensions/vault/runners/system'
+require 'legion/extensions/vault/runners/kv'
+require 'legion/extensions/vault/runners/token'
+require 'legion/extensions/vault/runners/transit'
+require 'legion/extensions/vault/runners/pki'
+require 'legion/extensions/vault/runners/leases'
+require 'legion/extensions/vault/client'
+
+module Legion
+  module Extensions
+    module Vault
+      extend Legion::Extensions::Core if Legion::Extensions.const_defined? :Core
+    end
+  end
+end

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: lex-vault
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Esity
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: Connects LegionIO to HashiCorp Vault
+email:
+- matthewdiverson@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- CHANGELOG.md
+- CLAUDE.md
+- Dockerfile
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- lex-vault.gemspec
+- lib/legion/extensions/vault.rb
+- lib/legion/extensions/vault/client.rb
+- lib/legion/extensions/vault/helpers/client.rb
+- lib/legion/extensions/vault/runners/kv.rb
+- lib/legion/extensions/vault/runners/leases.rb
+- lib/legion/extensions/vault/runners/pki.rb
+- lib/legion/extensions/vault/runners/system.rb
+- lib/legion/extensions/vault/runners/token.rb
+- lib/legion/extensions/vault/runners/transit.rb
+- lib/legion/extensions/vault/version.rb
+homepage: https://github.com/LegionIO/lex-vault
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/LegionIO/lex-vault
+  source_code_uri: https://github.com/LegionIO/lex-vault
+  documentation_uri: https://github.com/LegionIO/lex-vault
+  changelog_uri: https://github.com/LegionIO/lex-vault
+  bug_tracker_uri: https://github.com/LegionIO/lex-vault/issues
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.4'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: LEX Vault
+test_files: []