lex-identity-system

LegionIO identity fallback provider. Reads ENV['USER'] to produce a minimal identity when no other provider resolves. It is the last resort in the identity resolution chain.

Provider contract

Attribute	Value
`provider_name`	`:system`
`provider_type`	`:fallback`
`facing`	`nil`
`priority`	`0` (lowest)
`trust_weight`	`200` (least trusted)
`capabilities`	`[:profile]`

Behavior

Identity.resolve reads ENV['USER']. If present and non-empty after normalization, it returns:

{
  canonical_name: "jsmith",       # normalized: downcase, strip, remove non-alnum except _ and -
  kind: :human,
  source: :system,
  persistent: false,              # ephemeral — no durable principal should be created
  groups: [],
  profile: {
    username: "jsmith",           # original ENV['USER'] value
    hostname: "my-host.example"   # Socket.gethostname
  }
}

Returns nil if ENV['USER'] is nil, empty, or normalizes to an empty string.

persistent: false signals to callers that no durable principal should be created from this identity.

What this provider does NOT do

No token issuance (provide_token)
No Vault authentication (vault_auth)
No group resolution
No actors (nothing to refresh)
No remote calls of any kind (remote_invocable? => false)

Normalization

normalize(val) applies val.to_s.downcase.strip.gsub(/[^a-z0-9_-]/, ''). Dots are stripped because . is an AMQP word separator.

Installation

Add to your Gemfile:

gem 'lex-identity-system'

License

MIT