Dev v1 5 0

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# Auto-generated from team-config.yml
+# Team: core
+#
+# To apply: scripts/apply-codeowners.sh legion-crypt
+
+* @LegionIO/maintainers
+* @LegionIO/core

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"

.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    - cron: '0 9 * * 1'
+
+jobs:
+  ci:
+    uses: LegionIO/.github/.github/workflows/ci.yml@main
+
+  lint:
+    uses: LegionIO/.github/.github/workflows/lint-patterns.yml@main
+
+  security:
+    uses: LegionIO/.github/.github/workflows/security-scan.yml@main
+
+  version-changelog:
+    uses: LegionIO/.github/.github/workflows/version-changelog.yml@main
+
+  dependency-review:
+    uses: LegionIO/.github/.github/workflows/dependency-review.yml@main
+
+  stale:
+    if: github.event_name == 'schedule'
+    uses: LegionIO/.github/.github/workflows/stale.yml@main
+
+  release:
+    needs: [ci, lint]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    uses: LegionIO/.github/.github/workflows/release.yml@main
+    secrets:
+      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}

.gitignore

@@ -13,3 +13,6 @@
 # rspec failure tracking
 .rspec_status
 legionio.key
+
+# git worktrees
+.worktrees/

.rubocop.yml

@@ -1,26 +1,53 @@
+AllCops:
+  TargetRubyVersion: 3.4
+  NewCops: enable
+  SuggestExtensions: false
+
 Layout/LineLength:
-  Max: 140
+  Max: 160
+
+Layout/SpaceAroundEqualsInParameterDefault:
+  EnforcedStyle: space
+
+Layout/HashAlignment:
+  EnforcedHashRocketStyle: table
+  EnforcedColonStyle: table
+
 Metrics/MethodLength:
   Max: 50
+
 Metrics/ClassLength:
   Max: 1500
+
+Metrics/ModuleLength:
+  Max: 1500
+
 Metrics/BlockLength:
-  Max: 50
-Metrics/CyclomaticComplexity:
-  Max: 14
+  Max: 40
+  Exclude:
+    - 'spec/**/*'
+
 Metrics/AbcSize:
-  Max: 17
+  Max: 60
+
+Metrics/CyclomaticComplexity:
+  Max: 15
+
 Metrics/PerceivedComplexity:
-  Max: 16
-Naming/MethodParameterName:
-  Enabled: false
+  Max: 17
+
 Style/Documentation:
   Enabled: false
-AllCops:
-  TargetRubyVersion: 2.6
-  NewCops: enable
-  SuggestExtensions: false
+
+Style/SymbolArray:
+  Enabled: true
+
 Style/FrozenStringLiteralComment:
+  Enabled: true
+  EnforcedStyle: always
+
+Naming/FileName:
+  Enabled: false
+
+Naming/PredicateMethod:
   Enabled: false
-Gemspec/RequiredRubyVersion:
-  Enabled: false

AGENTS.md

@@ -0,0 +1,38 @@
+# legion-crypt Agent Notes
+
+## Scope
+
+`legion-crypt` handles cryptography and secret workflows for Legion: cipher ops, Vault integration, JWT/JWKS verification, key lifecycle, mTLS, and lease/token renewers.
+
+## Fast Start
+
+```bash
+bundle install
+bundle exec rspec
+bundle exec rubocop
+```
+
+## Primary Entry Points
+
+- `lib/legion/crypt.rb`
+- `lib/legion/crypt/cipher.rb`
+- `lib/legion/crypt/jwt.rb`
+- `lib/legion/crypt/jwks_client.rb`
+- `lib/legion/crypt/vault.rb`
+- `lib/legion/crypt/lease_manager.rb`
+- `lib/legion/crypt/token_renewer.rb`
+- `lib/legion/crypt/mtls.rb`
+
+## Guardrails
+
+- Treat all changes as security-sensitive. Never log secrets, tokens, private keys, or decrypted plaintext.
+- Preserve JWT behavior across HS256/RS256 and external JWKS validation.
+- Keep Vault-dependent logic optional and safely guarded for environments without Vault.
+- Background renewal/rotation threads must stop cleanly on shutdown and handle failure with bounded retry.
+- Maintain compatibility for Kerberos, LDAP, and JWT Vault auth paths.
+- Cryptographic defaults and key lifecycle behavior are contract-sensitive; change only with test coverage.
+
+## Validation
+
+- Run targeted specs for changed auth/crypto paths first.
+- Before handoff, run full `bundle exec rspec` and `bundle exec rubocop`.