Releases: LegionIO/legion-crypt

v1.5.13

09 May 19:09
6532347

Removed

  • Logging compat shims (lib/legion/logging.rb and lib/legion/logging/helper.rb) that redefined Legion::Logging::Helper#log with a CompatLogger, preventing TaggedLogger segment tags from rendering in log output for all modules loaded after crypt

Added

  • legion-json gemspec dependency (was used but undeclared)

v1.5.12

28 Apr 05:44
fc7b4b3

Fixed

  • LeaseManager#trigger_reconnect for :postgresql now calls Legion::Data::Connection.reconnect_with_fresh_creds (legion-data >= 1.6.26) instead of sequel.disconnect + sequel.test_connection — Sequel bakes credentials into the pool at Sequel.connect time, so the old approach reused stale credentials after Vault lease rotation, causing Apollo and other DB-backed services to silently lose access to data
  • Fallback to legacy disconnect/test_connection path when reconnect_with_fresh_creds is not available, with explicit warning about potential stale credentials
  • Reconnect failures now log at :error level (was :warn) since a failed reconnect means Apollo and DB-backed services are unavailable until the next rotation cycle
  • Lease shutdown, logging fallback, and SPIFFE socket cleanup paths now emit warnings/debug logs instead of silently swallowing unexpected failures.

v1.5.10

20 Apr 14:47
a94d8d6

Fixed

  • handle_exception now passes the caller's level: kwarg through to Legion::Logging.log_exception instead of always defaulting to :error — optional missing-gem LoadErrors log at the intended level (e.g. :debug). Fixes LegionIO/LegionIO#155
  • exception_log_message now suppresses backtrace for :debug level — previously only suppressed when the backtrace was empty

v1.5.9

10 Apr 20:11
403a7ac

Fixed

  • Vault lease cascade revocation: all three service credentials (RabbitMQ, PostgreSQL, Redis) died at exactly 2 hours when the Vault Kerberos auth token expired — Vault cascade-revokes all child leases when the parent token dies, regardless of individual lease TTLs (closes #29)
  • TokenRenewer now detects non-renewable tokens (renewable=false) and skips renew_self (which always fails for non-renewable tokens), going straight to reauth_kerberos before the token expires
  • TokenRenewer#reauth_kerberos now triggers LeaseManager.reissue_all after obtaining a new token, re-issuing all active leases under the new token so they are not orphaned when the old token expires
  • LeaseManager#push_to_settings symbol/string key mismatch: resolve_secrets! registers refs with string keys ("rabbitmq") via lease:// URI parsing, but cache_lease stores leases with symbol keys (:rabbitmq from Legion::JSON.load) — now tries both key types
  • LeaseManager#trigger_reconnect for :postgresql — uses surgical Sequel pool disconnect + test_connection instead of Data.shutdown + Data.setup which tore down unrelated connections (Apollo SQLite, Local cache)
  • LeaseManager#trigger_reconnect for :redis — uses Cache.restart (the actual method) instead of Cache.reconnect (which does not exist)

Added

  • LeaseManager#reissue_all — re-issues all active leases under the current vault client token; called by TokenRenewer after successful Kerberos re-authentication to prevent cascade revocation of orphaned leases
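The v1.5.9 token and lease behaviour above, as an added illustration that is not legion-crypt's own code: an in-memory stand-in for Vault (FakeVault, with its token tree, tick clock and lease_valid? check all constructed here) and a Renewer that models the fixed TokenRenewer decision: renew_self only while the token is renewable, otherwise re-authenticate and reissue every active lease under the new token.

```ruby
# Added illustration, not legion-crypt's own code: an in-memory stand-in for
# Vault's token -> child-lease tree (every id and TTL here is constructed).
class FakeVault
  def initialize
    @tokens = {} # token_id => { ttl:, renewable:, leases: [] }
    @seq = 0
  end
  def login(ttl:, renewable: false)
    id = "tok#{@seq += 1}"
    @tokens[id] = { ttl: ttl, renewable: renewable, leases: [] }
    id
  end
  def issue_lease(token_id, name)
    lease_id = "#{name}/lease#{@seq += 1}"
    @tokens.fetch(token_id)[:leases] << lease_id
    lease_id
  end
  def renew_self(token_id, ttl)
    tok = @tokens.fetch(token_id)
    raise "token is not renewable" unless tok[:renewable] # Vault rejects this
    tok[:ttl] = ttl
  end
  def lease_valid?(lease_id)
    @tokens.values.any? { |t| t[:leases].include?(lease_id) }
  end
  # Advance the clock: an expired token cascade-revokes its child leases, whatever their own TTLs say.
  def tick(seconds)
    @tokens.each_value { |t| t[:ttl] -= seconds }
    @tokens.delete_if { |_, t| t[:ttl] <= 0 }
  end
end
# Models the fixed renewer: renew_self only while the token is renewable,
# otherwise re-authenticate and re-issue every active lease under the new token.
class Renewer
  attr_reader :leases
  def initialize(vault, ttl:, renewable:, names:)
    @vault, @ttl, @renewable = vault, ttl, renewable
    @token = vault.login(ttl: ttl, renewable: renewable)
    @leases = names.to_h { |n| [n, vault.issue_lease(@token, n)] }
  end
  def refresh!(reissue: true)
    return @vault.renew_self(@token, @ttl) if @renewable
    @token = @vault.login(ttl: @ttl, renewable: false) # stands in for reauth_kerberos
    reissue_all if reissue # reissue: false reproduces the pre-1.5.9 orphaning
  end
  def reissue_all
    @leases = @leases.keys.to_h { |n| [n, @vault.issue_lease(@token, n)] }
  end
end
```

Running refresh! with reissue: false and then ticking past the old token's TTL shows the orphaned-lease failure the release fixes; with the default, every lease survives the re-authentication.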

v1.5.8

09 Apr 19:24
731ee17

Added

  • Configurable SSL verification for Vault connections via crypt.vault.tls.verify setting (peer/none/mutual, defaults to peer)
  • Global Vault client (vault.rb) now sets ::Vault.ssl_verify from vault.tls.verify setting
  • Per-cluster Vault clients (vault_cluster.rb) now pass ssl_verify: to ::Vault::Client.new from config[:tls][:verify]
  • JWKS client (jwks_client.rb) now sets Net::HTTP#verify_mode from crypt.jwt.jwks_tls_verify setting (peer/none, defaults to peer)
  • jwks_tls_verify: 'peer' default added to JWT settings
  • tls: { verify: 'peer' } default added to Vault settings

v1.5.7

08 Apr 21:00
9327277

Fixed

  • LeaseManager#cache_lease now stores the :path from static lease definitions, enabling reissue_lease fallback when sys.renew fails or leases hit max_ttl — previously static leases (configured via crypt.vault.leases) would silently expire after their TTL with no recovery (fixes #28)
  • LeaseManager#renew_lease now logs a warning and falls back to reissue when the path is available, or warns explicitly when no path is available — previously renewal failures for pathless leases were silent

Added

  • LeaseManager#trigger_reconnect(name) — dispatches reconnect to the appropriate service after credential reissue: :rabbitmq → Transport::Connection.force_reconnect, :postgresql → Data.reconnect, :redis → Cache.reconnect; all guarded with defined?/respond_to? and rescue-safe
  • Comprehensive INFO/WARN logging across the entire lease lifecycle:
    • INFO on lease fetch attempt, fetch success (with lease_id/ttl/renewable), renewal attempt, renewal success (with new_ttl), reissue attempt, reissue success (with new_lease_id/ttl), approaching expiry detection (with remaining/renewable/has_path), credentials changed during renewal, reconnect triggered, renewal loop start/exit
    • WARN on non-renewable lease with no reissue path, renewal failure with no reissue path, reissue returning no data, reconnect failure, cannot reissue due to missing path

Changed

  • LeaseManager#reissue_lease now calls trigger_reconnect(name) instead of inline :rabbitmq-only force_reconnect, extending credential rotation reconnect support to PostgreSQL and Redis

v1.5.5

07 Apr 17:25
ce5c59a

Added

  • RMQ_ROLE_MAP constant mapping :agent/:infra → 'legionio-infra' and :worker → 'legionio-worker' for Vault RabbitMQ role selection (Phase 5 credential scoping)
  • dynamic_rmq_creds? helper reads Settings[:crypt][:vault][:dynamic_rmq_creds] flag
  • fetch_bootstrap_rmq_creds — fetches short-lived bootstrap RabbitMQ credentials from rabbitmq/creds/legionio-bootstrap and writes them to Settings[:transport][:connection]; gated on vault_connected? && dynamic_rmq_creds?; stores @bootstrap_lease_id for later revocation; rescue-safe
  • swap_to_identity_creds(mode:) — fetches identity-scoped RabbitMQ credentials from the role matching mode, registers them with LeaseManager for renewal, updates transport settings, calls Transport::Connection.force_reconnect, and revokes the bootstrap lease; raises if reconnect fails (before revoking bootstrap)
  • revoke_bootstrap_lease — revokes @bootstrap_lease_id via LeaseManager#vault_sys; non-fatal on failure; idempotent
  • LeaseManager#register_dynamic_lease — registers a dynamically-fetched Vault lease into the cache and active lease tracking with mutex, stores path for reissue_lease, registers settings refs for rotation push-back
  • LeaseManager#reissue_lease(name) — performs a full re-read (logical.read(path)) at credential rotation time, updates cache + active_leases in mutex, calls push_to_settings, triggers Transport::Connection.force_reconnect for :rabbitmq leases
  • LeaseManager#vault_logical and LeaseManager#vault_sys — public delegators to the private logical/sys methods for use by Crypt bootstrap/swap operations
  • dynamic_rmq_creds: false and dynamic_pg_creds: false defaults added to vault settings
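The bootstrap-to-identity swap described above, as an added illustration that is not legion-crypt's own code: the point it shows is the ordering, namely that the bootstrap lease is revoked only after the identity credentials have successfully reconnected. SwapVault, SwapTransport, ReconnectFailed, the role map and every credential value are constructed for this example.

```ruby
# Added illustration, not legion-crypt's own code. The Vault and transport
# doubles, role names, users and lease ids below are all constructed.
class ReconnectFailed < StandardError; end

class SwapVault
  attr_reader :revoked
  def initialize
    @seq = 0
    @revoked = []
  end
  # Stands in for reading rabbitmq/creds/<role>: fresh creds plus their lease id.
  def read_creds(role)
    n = (@seq += 1)
    { user: "#{role}-#{n}", password: "pw#{n}", lease_id: "#{role}/lease#{n}" }
  end
  def revoke(lease_id)
    @revoked << lease_id
  end
end

class SwapTransport
  attr_reader :creds # credentials the broker connection currently uses
  def initialize(reject: nil)
    @reject = reject # a role prefix whose creds the fake broker refuses
  end
  def force_reconnect(creds)
    if @reject && creds[:user].start_with?(@reject)
      raise ReconnectFailed, "broker rejected #{creds[:user]}"
    end
    @creds = creds
  end
end

ROLE_MAP = { agent: "legionio-infra", infra: "legionio-infra", worker: "legionio-worker" }.freeze

# Swaps from bootstrap to identity-scoped creds and returns the lease now in
# use. The bootstrap lease is revoked only after the identity creds proved
# usable; if reconnect raises, the bootstrap lease stays valid for a retry.
def swap_to_identity_creds(vault, transport, bootstrap_lease_id, mode:)
  identity = vault.read_creds(ROLE_MAP.fetch(mode))
  transport.force_reconnect(identity) # may raise; nothing has been revoked yet
  vault.revoke(bootstrap_lease_id)    # safe: the new connection is live
  identity[:lease_id]
end
```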

Changed

  • start_lease_manager now starts the renewal thread when dynamic_rmq_creds: true even if no static leases are configured, ensuring the renewal loop is running before identity-scoped leases are registered post-boot

v1.5.4

07 Apr 04:20
f6b7e21

Added

  • JWT.issue_identity_token — convenience method wrapping JWT.issue with identity claims from Identity::Process (Wire Format Phase 3); accepts issuer: kwarg (defaults to 'legion') passed through to JWT.issue; normalizes and rejects conflicting string-keyed extra claims before merging

v1.5.3

06 Apr 23:50
9488662

Added

  • JwksClient.prefetch!(url) — fire-and-forget JWKS key fetch in background thread
  • JwksClient.start_background_refresh!(url, interval:) → Concurrent::TimerTask for hourly key refresh
  • JwksClient.stop_background_refresh! — stops background refresh timer task
  • bootstrap_lease_ttl: 300 in vault defaults (5-minute TTL for bootstrap credentials)

Changed

  • JwksClient.clear_cache now also stops any running background refresh task

v1.5.2

03 Apr 16:26
a4ddfee

Fixed

  • LeaseManager at_exit hook now wraps shutdown in a 10s timeout to prevent process hang when Logger Monitor or network I/O is blocked during crash exit