PR back to optum

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# Auto-generated from team-config.yml
+# Team: core
+#
+# To apply: scripts/apply-codeowners.sh legion-crypt
+
+* @LegionIO/maintainers
+* @LegionIO/core

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"

.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    - cron: '0 9 * * 1'
+
+jobs:
+  ci:
+    uses: LegionIO/.github/.github/workflows/ci.yml@main
+
+  lint:
+    uses: LegionIO/.github/.github/workflows/lint-patterns.yml@main
+
+  security:
+    uses: LegionIO/.github/.github/workflows/security-scan.yml@main
+
+  version-changelog:
+    uses: LegionIO/.github/.github/workflows/version-changelog.yml@main
+
+  dependency-review:
+    uses: LegionIO/.github/.github/workflows/dependency-review.yml@main
+
+  stale:
+    if: github.event_name == 'schedule'
+    uses: LegionIO/.github/.github/workflows/stale.yml@main
+
+  release:
+    needs: [ci, lint]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    uses: LegionIO/.github/.github/workflows/release.yml@main
+    secrets:
+      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}

.gitignore

@@ -9,7 +9,11 @@
 /tmp/
 /legion/.idea/
 /.idea/
+*.gem
 *.key
 # rspec failure tracking
 .rspec_status
 legionio.key
+
+# git worktrees
+.worktrees/

.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+# Standard LegionIO pre-commit configuration
+# Install: pre-commit install
+# Manual:  pre-commit run --all-files
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-json
+        exclude: Gemfile\.lock
+      - id: check-merge-conflict
+
+  - repo: local
+    hooks:
+      - id: rubocop
+        name: RuboCop (autofix)
+        entry: scripts/pre-commit-rubocop.sh
+        language: script
+        types: [ruby]
+        pass_filenames: true
+
+      - id: ruby-syntax
+        name: Ruby syntax check
+        entry: ruby -c
+        language: system
+        types: [ruby]
+        pass_filenames: true

.rubocop.yml

@@ -1,26 +1,53 @@
+AllCops:
+  TargetRubyVersion: 3.4
+  NewCops: enable
+  SuggestExtensions: false
+
 Layout/LineLength:
-  Max: 140
+  Max: 160
+
+Layout/SpaceAroundEqualsInParameterDefault:
+  EnforcedStyle: space
+
+Layout/HashAlignment:
+  EnforcedHashRocketStyle: table
+  EnforcedColonStyle: table
+
 Metrics/MethodLength:
   Max: 50
+
 Metrics/ClassLength:
   Max: 1500
+
+Metrics/ModuleLength:
+  Max: 1500
+
 Metrics/BlockLength:
-  Max: 50
-Metrics/CyclomaticComplexity:
-  Max: 14
+  Max: 40
+  Exclude:
+    - 'spec/**/*'
+
 Metrics/AbcSize:
-  Max: 17
+  Max: 60
+
+Metrics/CyclomaticComplexity:
+  Max: 15
+
 Metrics/PerceivedComplexity:
-  Max: 16
-Naming/MethodParameterName:
-  Enabled: false
+  Max: 17
+
 Style/Documentation:
   Enabled: false
-AllCops:
-  TargetRubyVersion: 2.6
-  NewCops: enable
-  SuggestExtensions: false
+
+Style/SymbolArray:
+  Enabled: true
+
 Style/FrozenStringLiteralComment:
+  Enabled: true
+  EnforcedStyle: always
+
+Naming/FileName:
+  Enabled: false
+
+Naming/PredicateMethod:
   Enabled: false
-Gemspec/RequiredRubyVersion:
-  Enabled: false

AGENTS.md

@@ -0,0 +1,47 @@
+# legion-crypt Agent Notes
+
+## Scope
+
+`legion-crypt` handles cryptography and secret workflows for Legion: cipher ops, Vault integration, JWT/JWKS verification, key lifecycle, mTLS, and lease/token renewers.
+
+## Fast Start
+
+```bash
+bundle install
+bundle exec rspec
+bundle exec rubocop
+```
+
+## Primary Entry Points
+
+- `lib/legion/crypt.rb`
+- `lib/legion/crypt/cipher.rb`
+- `lib/legion/crypt/jwt.rb`
+- `lib/legion/crypt/jwks_client.rb`
+- `lib/legion/crypt/vault.rb`
+- `lib/legion/crypt/lease_manager.rb`
+- `lib/legion/crypt/token_renewer.rb`
+- `lib/legion/crypt/mtls.rb`
+
+## Guardrails
+
+- Treat all changes as security-sensitive. Never log secrets, tokens, private keys, or decrypted plaintext.
+- Preserve JWT behavior across HS256/RS256 and external JWKS validation.
+- Keep Vault-dependent logic optional and safely guarded for environments without Vault.
+- Background renewal/rotation threads must stop cleanly on shutdown and handle failure with bounded retry.
+- Maintain compatibility for Kerberos, LDAP, and JWT Vault auth paths.
+- Cryptographic defaults and key lifecycle behavior are contract-sensitive; change only with test coverage.
+
+## Known Risks
+
+- Vault-backed cluster secret sync is inconsistent today: config key mismatch, read/write path mismatch, and push happens before the new secret is stored.
+- External JWKS verification currently accepts tokens without issuer/audience enforcement unless the caller passes both explicitly; fail closed when touching this path.
+- Multi-cluster Vault behavior has correctness gaps around LDAP token propagation, default-cluster routing, and lease-manager client selection.
+- SPIFFE X.509 fetch currently falls back to a self-signed SVID on Workload API failure; treat that path as security-sensitive and avoid expanding the fallback behavior.
+- `Ed25519` and `Erasure` include helper paths that call `Legion::Crypt::Vault.read/write` directly; verify runtime behavior before relying on those helpers.
+- Current specs pass, but some of the highest-risk paths above are under-covered or only covered with mocks that preserve the existing behavior.
+
+## Validation
+
+- Run targeted specs for changed auth/crypto paths first.
+- Before handoff, run full `bundle exec rspec` and `bundle exec rubocop`.