datamasque-cli 1.1.0__tar.gz → 1.2.0__tar.gz

{datamasque_cli-1.1.0 → datamasque_cli-1.2.0}/CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## v1.2.0
+
+### Added
+- `dm ifm` command group
+  for managing in-flight masking ruleset plans
+  and running mask operations against the IFM service:
+  - `dm ifm list` —
+    list all IFM ruleset plans.
+  - `dm ifm get <name>` —
+    show plan metadata,
+    or the ruleset YAML with `--yaml`.
+  - `dm ifm create --name <name> --file <yaml>` —
+    create a plan from a YAML ruleset,
+    with optional `--enabled/--disabled` and `--log-level`.
+  - `dm ifm update <name>` —
+    update a plan;
+    pass any of `--file`, `--enabled/--disabled`, `--log-level`
+    and only those fields are sent.
+  - `dm ifm delete <name>` —
+    delete a plan
+    (interactive confirm,
+    or `--yes` to skip).
+  - `dm ifm mask <name> --data <file|->` —
+    mask a JSON list of records against a plan,
+    with `--disable-instance-secret`,
+    `--run-secret`,
+    `--log-level`,
+    `--request-id`,
+    and `--json/--no-json` (NDJSON) output.
+  - `dm ifm verify-token` —
+    verify the current IFM token and list its scopes.
+
+  Authentication reuses your existing `dm` profile credentials
+  via the SDK's `DataMasqueIfmClient`,
+  which transparently exchanges admin-server credentials for an IFM JWT.
+
 ## v1.1.0
 
 ### Added

{datamasque_cli-1.1.0 → datamasque_cli-1.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: datamasque-cli
-Version: 1.1.0
+Version: 1.2.0
 Summary: Official command-line interface for the DataMasque data-masking platform.
 Project-URL: Homepage, https://datamasque.com/
 Project-URL: Repository, https://github.com/datamasque/datamasque-cli
@@ -39,6 +39,7 @@ so teams can use production-shaped data in non-production environments without e
 DataMasque CLI `dm` covers:
 
 - connections, rulesets, ruleset libraries, and masking runs
+- in-flight masking (IFM) ruleset plans and on-demand mask requests
 - schema discovery and sensitive-data discovery
 - users, files, and DataMasque instance administration
 
@@ -196,6 +197,26 @@ dm libraries validate <name>                      # Re-validate against current
 dm libraries usage <name>                         # Show rulesets using it
 ```
 
+### In-flight masking
+
+The IFM service runs alongside the admin server,
+reached at `<DataMasque URL>/ifm` via the standard nginx topology.
+
+```console
+dm ifm list                                            # List ruleset plans
+dm ifm get <name>                                      # Show plan metadata
+dm ifm get <name> --yaml                               # Print the ruleset YAML
+dm ifm create --name myplan --file rules.yaml          # Create (server suffixes a random string to the name)
+dm ifm create --name myplan --file rules.yaml --disabled --log-level DEBUG
+dm ifm update <name> --file rules.yaml                 # Replace the ruleset YAML
+dm ifm update <name> --enabled                         # Toggle without re-sending the YAML
+dm ifm update <name> --log-level INFO
+dm ifm delete <name> --yes                             # Delete a plan
+dm ifm mask <name> --data input.json                   # Mask a JSON list of records
+dm ifm mask <name> --data -                            # Read records from stdin
+dm ifm verify-token                                    # Show scopes granted to the current IFM token
+```
+
 ### Masking runs
 
 ```console

{datamasque_cli-1.1.0 → datamasque_cli-1.2.0}/README.md

@@ -9,6 +9,7 @@ so teams can use production-shaped data in non-production environments without e
 DataMasque CLI `dm` covers:
 
 - connections, rulesets, ruleset libraries, and masking runs
+- in-flight masking (IFM) ruleset plans and on-demand mask requests
 - schema discovery and sensitive-data discovery
 - users, files, and DataMasque instance administration
 
@@ -166,6 +167,26 @@ dm libraries validate <name>                      # Re-validate against current
 dm libraries usage <name>                         # Show rulesets using it
 ```
 
+### In-flight masking
+
+The IFM service runs alongside the admin server,
+reached at `<DataMasque URL>/ifm` via the standard nginx topology.
+
+```console
+dm ifm list                                            # List ruleset plans
+dm ifm get <name>                                      # Show plan metadata
+dm ifm get <name> --yaml                               # Print the ruleset YAML
+dm ifm create --name myplan --file rules.yaml          # Create (server suffixes a random string to the name)
+dm ifm create --name myplan --file rules.yaml --disabled --log-level DEBUG
+dm ifm update <name> --file rules.yaml                 # Replace the ruleset YAML
+dm ifm update <name> --enabled                         # Toggle without re-sending the YAML
+dm ifm update <name> --log-level INFO
+dm ifm delete <name> --yes                             # Delete a plan
+dm ifm mask <name> --data input.json                   # Mask a JSON list of records
+dm ifm mask <name> --data -                            # Read records from stdin
+dm ifm verify-token                                    # Show scopes granted to the current IFM token
+```
+
 ### Masking runs
 
 ```console

{datamasque_cli-1.1.0 → datamasque_cli-1.2.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "datamasque-cli"
-version = "1.1.0"
+version = "1.2.0"
 description = "Official command-line interface for the DataMasque data-masking platform."
 authors = [
     { name = "DataMasque Ltd" },

{datamasque_cli-1.1.0 → datamasque_cli-1.2.0}/src/datamasque_cli/client.py

@@ -8,9 +8,10 @@ from __future__ import annotations
 
 import os
 
-from datamasque.client import DataMasqueClient
-from datamasque.client.exceptions import DataMasqueApiError, DataMasqueTransportError
+from datamasque.client import DataMasqueClient, DataMasqueIfmClient
+from datamasque.client.exceptions import DataMasqueApiError, DataMasqueTransportError, IfmAuthError
 from datamasque.client.models.dm_instance import DataMasqueInstanceConfig
+from datamasque.client.models.ifm import DataMasqueIfmInstanceConfig
 
 from datamasque_cli.config import Config, Profile, load_config
 from datamasque_cli.output import ErrorCode, abort
@@ -54,14 +55,38 @@ def _resolve_profile(config: Config, profile_name: str | None) -> Profile:
         abort(
             f"Profile '{name}' is not configured.",
             code=ErrorCode.AUTH_REQUIRED,
-            hint=(
-                f"Run: dm auth login --profile {name} --url <URL> --username <USER>  "
-                f"or set {ENV_URL}, {ENV_USERNAME}, and {ENV_PASSWORD}."
-            ),
+            hint=(f"Run: dm auth login --profile {name} or set {ENV_URL}, {ENV_USERNAME}, and {ENV_PASSWORD}."),
         )
     return profile
 
 
+def _resolve_profile_with_verify(profile_name: str | None) -> tuple[Profile, bool]:
+    """Resolve the active `Profile` and apply env-var overrides for `verify_ssl`."""
+    env_profile = profile_from_env() if profile_name is None else None
+    if env_profile is not None:
+        profile = env_profile
+    else:
+        config = load_config()
+        profile = _resolve_profile(config, profile_name)
+    return profile, _verify_ssl_from_env(default=profile.verify_ssl)
+
+
+def _authenticate_or_abort(
+    client: DataMasqueClient | DataMasqueIfmClient,
+    url: str,
+    *,
+    verify_ssl: bool,
+    failure_label: str = "Authentication",
+    extra_auth_excs: tuple[type[Exception], ...] = (),
+) -> None:
+    try:
+        client.authenticate()
+    except DataMasqueTransportError as e:
+        abort(_format_transport_error(url, e, verify_ssl=verify_ssl), code=ErrorCode.TRANSPORT_ERROR)
+    except (DataMasqueApiError, *extra_auth_excs) as e:
+        abort(f"{failure_label} failed: {e}", code=ErrorCode.AUTH_FAILED)
+
+
 def get_client(profile_name: str | None = None) -> DataMasqueClient:
     """Build and authenticate a `DataMasqueClient`.
 
@@ -69,18 +94,11 @@ def get_client(profile_name: str | None = None) -> DataMasqueClient:
     1. Environment variables (DATAMASQUE_URL, DATAMASQUE_USERNAME, DATAMASQUE_PASSWORD)
     2. Named profile (--profile flag)
     3. Active profile from config file
-    """
-    # Env vars take precedence unless a specific profile was requested.
-    env_profile = profile_from_env() if profile_name is None else None
-    if env_profile is not None:
-        profile = env_profile
-    else:
-        config = load_config()
-        profile = _resolve_profile(config, profile_name)
 
-    # `DATAMASQUE_VERIFY_SSL` always wins over the stored profile so you can
-    # flip TLS verification per-call without re-running `dm auth login`.
-    verify_ssl = _verify_ssl_from_env(default=profile.verify_ssl)
+    `DATAMASQUE_VERIFY_SSL` always wins over the stored profile so you can
+    flip TLS verification per-call without re-running `dm auth login`.
+    """
+    profile, verify_ssl = _resolve_profile_with_verify(profile_name)
     instance_config = DataMasqueInstanceConfig(
         base_url=profile.url,
         username=profile.username,
@@ -89,14 +107,7 @@ def get_client(profile_name: str | None = None) -> DataMasqueClient:
     )
 
     client = DataMasqueClient(instance_config)
-
-    try:
-        client.authenticate()
-    except DataMasqueTransportError as e:
-        abort(_format_transport_error(profile.url, e, verify_ssl=verify_ssl), code=ErrorCode.TRANSPORT_ERROR)
-    except DataMasqueApiError as e:
-        abort(f"Authentication failed: {e}", code=ErrorCode.AUTH_FAILED)
-
+    _authenticate_or_abort(client, profile.url, verify_ssl=verify_ssl)
     return client
 
 
@@ -110,3 +121,30 @@ def _format_transport_error(url: str, error: Exception, *, verify_ssl: bool) ->
     if verify_ssl and any(term in str(error).lower() for term in _SSL_HINT_TERMS):
         message += "\nIf this is a self-signed local build, retry with --insecure or set DATAMASQUE_VERIFY_SSL=false."
     return message
+
+
+def get_ifm_client(profile_name: str | None = None) -> DataMasqueIfmClient:
+    """Build and authenticate a `DataMasqueIfmClient`.
+
+    Credential resolution order matches `get_client`.
+    The IFM base URL is derived as `<admin_url>/ifm`,
+    matching the standard nginx topology that proxies `/ifm/` to the IFM container on the same hostname.
+    """
+    profile, verify_ssl = _resolve_profile_with_verify(profile_name)
+    instance_config = DataMasqueIfmInstanceConfig(
+        admin_server_base_url=profile.url,
+        ifm_base_url=f"{profile.url.rstrip('/')}/ifm",
+        username=profile.username,
+        password=profile.password,
+        verify_ssl=verify_ssl,
+    )
+
+    client = DataMasqueIfmClient(instance_config)
+    _authenticate_or_abort(
+        client,
+        profile.url,
+        verify_ssl=verify_ssl,
+        failure_label="IFM authentication",
+        extra_auth_excs=(IfmAuthError,),
+    )
+    return client

datamasque_cli-1.2.0/src/datamasque_cli/commands/ifm.py

@@ -0,0 +1,354 @@
+"""In-flight masking (IFM) commands.
+
+Wraps `DataMasqueIfmClient` for managing IFM ruleset plans and running mask operations.
+The IFM service exposes a separate HTTP API;
+the SDK handles JWT auth transparently using the same admin-server credentials as `dm rulesets`.
+"""
+
+from __future__ import annotations
+
+import json
+import sys
+from enum import StrEnum
+from pathlib import Path
+from typing import Any, NoReturn
+
+import typer
+from datamasque.client.exceptions import DataMasqueApiError
+from datamasque.client.models.ifm import (
+    IfmMaskRequest,
+    RulesetPlanCreateRequest,
+    RulesetPlanOptions,
+    RulesetPlanPartialUpdateRequest,
+)
+
+from datamasque_cli.client import get_ifm_client
+from datamasque_cli.output import ErrorCode, abort, print_error, print_json, print_success, render_output
+
+app = typer.Typer(help="Manage in-flight-masking (IFM) ruleset plans and execute masks.", no_args_is_help=True)
+
+
+# IFM service maps HTTP statuses to the CLI's stable `ErrorCode` taxonomy so
+# agents and scripts get the right exit code (see "Exit codes" in `README.md`).
+# Anything not listed falls through to `ErrorCode.ERROR` (exit 1).
+_STATUS_TO_ERROR_CODE: dict[int, ErrorCode] = {
+    400: ErrorCode.INVALID_INPUT,
+    404: ErrorCode.NOT_FOUND,
+    409: ErrorCode.CONFLICT,
+    422: ErrorCode.INVALID_INPUT,
+}
+
+
+def _format_pydantic_errors(errors: list[Any]) -> str:
+    """Flatten FastAPI's `detail` list (Pydantic `e.errors()`) into a readable string.
+
+    Each entry looks like `{"loc": [...], "msg": "...", "type": "..."}`;
+    we render `field.path: message` per entry, joined with `; `.
+    Entries that don't match the shape fall back to `str(entry)`.
+    """
+    parts: list[str] = []
+    for entry in errors:
+        if isinstance(entry, dict) and "msg" in entry:
+            loc = entry.get("loc") or []
+            location = ".".join(str(part) for part in loc if part != "body") if isinstance(loc, (list, tuple)) else ""
+            parts.append(f"{location}: {entry['msg']}" if location else str(entry["msg"]))
+        else:
+            parts.append(str(entry))
+    return "; ".join(parts)
+
+
+def _server_error_detail(exc: DataMasqueApiError) -> str | None:
+    """Pull a human-readable error string from the IFM response body, if present.
+
+    The IFM service returns `{"error": "..."}`;
+    FastAPI validation errors come back as `{"detail": ...}`,
+    where `detail` is either a string or a list of Pydantic error dicts (422s).
+    Falls through to `None` if the body is missing or not parseable.
+    """
+    try:
+        body = exc.response.json()
+    except (ValueError, AttributeError):
+        return None
+    if isinstance(body, dict):
+        error = body.get("error")
+        if isinstance(error, str):
+            return error
+        if "detail" in body:
+            detail = body["detail"]
+            if isinstance(detail, str):
+                return detail
+            if isinstance(detail, list):
+                return _format_pydantic_errors(detail)
+            return str(detail)
+    return None
+
+
+def _abort_api_error(prefix: str, exc: DataMasqueApiError) -> NoReturn:
+    """Map an `DataMasqueApiError` to the right `ErrorCode` and surface the body.
+
+    The default `str(exc)` only includes the HTTP status,
+    so the actual server message is hidden without this.
+    """
+    status_code = getattr(exc.response, "status_code", None)
+    code = _STATUS_TO_ERROR_CODE.get(status_code, ErrorCode.ERROR) if isinstance(status_code, int) else ErrorCode.ERROR
+    detail = _server_error_detail(exc)
+    message = f"{prefix}: {detail}" if detail else f"{prefix}: {exc}"
+    abort(message, code=code)
+
+
+class LogLevel(StrEnum):
+    DEBUG = "DEBUG"
+    INFO = "INFO"
+    WARNING = "WARNING"
+    ERROR = "ERROR"
+    CRITICAL = "CRITICAL"
+
+
+def _options_from_flags(
+    enabled: bool | None,
+    log_level: LogLevel | None,
+) -> RulesetPlanOptions | None:
+    if enabled is None and log_level is None:
+        return None
+    return RulesetPlanOptions(enabled=enabled, default_log_level=log_level)
+
+
+def _load_mask_input(data: str) -> list[Any]:
+    if data == "-":
+        raw = sys.stdin.read()
+    else:
+        try:
+            raw = Path(data).read_text()
+        except OSError as exc:
+            code = ErrorCode.NOT_FOUND if isinstance(exc, FileNotFoundError) else ErrorCode.INVALID_INPUT
+            abort(f"Could not read mask input file '{data}': {exc.strerror or exc}", code=code)
+
+    try:
+        parsed = json.loads(raw)
+    except json.JSONDecodeError as exc:
+        abort(f"Failed to parse mask input as JSON: {exc}", code=ErrorCode.INVALID_INPUT)
+
+    if not isinstance(parsed, list):
+        abort("Mask input must be a JSON list (array) of records.", code=ErrorCode.INVALID_INPUT)
+    return parsed
+
+
+@app.command("list")
+def list_plans(
+    profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
+    is_json: bool = typer.Option(False, "--json", help="Output as JSON"),
+) -> None:
+    """List all IFM ruleset plans."""
+    client = get_ifm_client(profile)
+    try:
+        plans = client.list_ruleset_plans()
+    except DataMasqueApiError as exc:
+        _abort_api_error("Failed to list IFM ruleset plans", exc)
+
+    data = [
+        {
+            "name": plan.name,
+            "serial": plan.serial,
+            "created": plan.created_time.isoformat(),
+            "modified": plan.modified_time.isoformat(),
+            "enabled": plan.options.enabled,
+        }
+        for plan in plans
+    ]
+
+    render_output(
+        data,
+        is_json=is_json,
+        columns=["name", "serial", "created", "modified", "enabled"],
+        title="IFM ruleset plans",
+    )
+
+
+@app.command("get")
+def get_plan(
+    name: str = typer.Argument(help="Ruleset plan name"),
+    profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
+    is_yaml: bool = typer.Option(False, "--yaml", help="Output the ruleset YAML only"),
+    is_json: bool = typer.Option(False, "--json", help="Output as JSON"),
+) -> None:
+    """Show an IFM ruleset plan's metadata or YAML."""
+    client = get_ifm_client(profile)
+    try:
+        plan = client.get_ruleset_plan(name)
+    except DataMasqueApiError as exc:
+        _abort_api_error(f"Failed to get IFM ruleset plan '{name}'", exc)
+
+    if is_yaml:
+        if plan.ruleset_yaml is None:
+            abort(f"IFM ruleset plan '{name}' has no ruleset YAML.")
+        typer.echo(plan.ruleset_yaml)
+        return
+
+    data: dict[str, object] = {
+        "name": plan.name,
+        "serial": plan.serial,
+        "created": plan.created_time.isoformat(),
+        "modified": plan.modified_time.isoformat(),
+        "enabled": plan.options.enabled,
+        "default_log_level": plan.options.default_log_level,
+        "ruleset_yaml": plan.ruleset_yaml,
+    }
+    render_output(data, is_json=is_json, title=f"IFM plan: {name}")
+
+
+@app.command("create")
+def create_plan(
+    name: str = typer.Option(..., "--name", help="Ruleset plan name (server may suffix a random string)"),
+    file: Path = typer.Option(..., "--file", "-f", help="Path to YAML ruleset file", exists=True, readable=True),
+    enabled: bool | None = typer.Option(
+        None,
+        "--enabled/--disabled",
+        help="Enable or disable the plan immediately. Defaults to the server default.",
+    ),
+    log_level: LogLevel | None = typer.Option(
+        None,
+        "--log-level",
+        case_sensitive=False,
+        help="Default log level.",
+    ),
+    profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
+) -> None:
+    """Create a new IFM ruleset plan from a YAML file."""
+    client = get_ifm_client(profile)
+    request = RulesetPlanCreateRequest(
+        name=name,
+        ruleset_yaml=file.read_text(),
+        options=_options_from_flags(enabled, log_level),
+    )
+    try:
+        created = client.create_ruleset_plan(request)
+    except DataMasqueApiError as exc:
+        _abort_api_error("Failed to create IFM ruleset plan", exc)
+
+    print_success(f"IFM ruleset plan '{created.name}' created (serial {created.serial}).")
+    if created.url:
+        typer.echo(created.url)
+
+
+@app.command("update")
+def update_plan(
+    name: str = typer.Argument(help="Existing ruleset plan name"),
+    file: Path | None = typer.Option(
+        None, "--file", "-f", help="Path to YAML ruleset file (optional)", exists=True, readable=True
+    ),
+    enabled: bool | None = typer.Option(None, "--enabled/--disabled", help="Enable or disable the plan."),
+    log_level: LogLevel | None = typer.Option(None, "--log-level", case_sensitive=False, help="Default log level."),
+    profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
+) -> None:
+    """Update an IFM ruleset plan: only fields you pass are sent."""
+    if file is None and enabled is None and log_level is None:
+        abort(
+            "Pass at least one of --file, --enabled/--disabled, or --log-level.",
+            code=ErrorCode.INVALID_INPUT,
+        )
+
+    client = get_ifm_client(profile)
+    request = RulesetPlanPartialUpdateRequest(
+        ruleset_yaml=file.read_text() if file is not None else None,
+        options=_options_from_flags(enabled, log_level),
+    )
+    try:
+        updated = client.patch_ruleset_plan(name, request)
+    except DataMasqueApiError as exc:
+        _abort_api_error(f"Failed to update IFM ruleset plan '{name}'", exc)
+
+    print_success(f"IFM ruleset plan '{name}' updated (serial {updated.serial}).")
+
+
+@app.command("delete")
+def delete_plan(
+    name: str = typer.Argument(help="Ruleset plan name to delete"),
+    profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
+    is_confirmed: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation"),
+) -> None:
+    """Delete an IFM ruleset plan."""
+    if not is_confirmed:
+        typer.confirm(f"Delete IFM ruleset plan '{name}'?", abort=True)
+
+    client = get_ifm_client(profile)
+    try:
+        client.delete_ruleset_plan(name)
+    except DataMasqueApiError as exc:
+        _abort_api_error(f"Failed to delete IFM ruleset plan '{name}'", exc)
+
+    print_success(f"IFM ruleset plan '{name}' deleted.")
+
+
+@app.command("mask")
+def mask(
+    name: str = typer.Argument(help="Ruleset plan name to mask against"),
+    data: str = typer.Option(
+        ...,
+        "--data",
+        "-d",
+        help="Path to a JSON file containing a list of records to mask, or '-' to read from stdin.",
+    ),
+    disable_instance_secret: bool = typer.Option(
+        False, "--disable-instance-secret", help="Disable the per-instance secret for this run."
+    ),
+    run_secret: str | None = typer.Option(None, "--run-secret", help="Override the run secret for this call."),
+    log_level: LogLevel | None = typer.Option(
+        None, "--log-level", case_sensitive=False, help="Override the plan's default log level."
+    ),
+    request_id: str | None = typer.Option(None, "--request-id", help="Custom request id (echoed in the response)."),
+    profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
+    is_json: bool = typer.Option(
+        True,
+        "--json/--no-json",
+        help="Output the masked records as a JSON array (default). Use --no-json for NDJSON (one record per line).",
+    ),
+) -> None:
+    """Run an IFM mask against a list of records."""
+    records = _load_mask_input(data)
+    client = get_ifm_client(profile)
+    request = IfmMaskRequest(
+        data=records,
+        disable_instance_secret=disable_instance_secret or None,
+        run_secret=run_secret,
+        log_level=log_level,
+        request_id=request_id,
+    )
+
+    try:
+        result = client.mask(name, request)
+    except DataMasqueApiError as exc:
+        _abort_api_error("Mask request failed", exc)
+
+    if not result.success:
+        print_error("Mask failed.")
+        for log in result.logs or []:
+            print_error(f"  [{log.log_level}] {log.timestamp} {log.message}")
+        raise SystemExit(1)
+
+    if is_json:
+        print_json(result.data or [])
+    else:
+        for record in result.data or []:
+            typer.echo(json.dumps(record, default=str))
+
+
+@app.command("verify-token")
+def verify_token(
+    profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
+    is_json: bool = typer.Option(False, "--json", help="Output as JSON"),
+) -> None:
+    """Verify the current IFM token and list its scopes."""
+    client = get_ifm_client(profile)
+    try:
+        info = client.verify_token()
+    except DataMasqueApiError as exc:
+        _abort_api_error("Failed to verify IFM token", exc)
+    if is_json:
+        print_json({"scopes": info.scopes})
+        return
+    render_output(
+        [{"scope": scope} for scope in info.scopes],
+        is_json=False,
+        columns=["scope"],
+        title="IFM token scopes",
+    )

{datamasque_cli-1.1.0 → datamasque_cli-1.2.0}/src/datamasque_cli/main.py

@@ -22,6 +22,7 @@ from datamasque_cli.commands import (
     connections,
     discovery,
     files,
+    ifm,
     ruleset_libraries,
     rulesets,
     runs,
@@ -47,6 +48,7 @@ app.add_typer(seeds.app, name="seeds")
 app.add_typer(files.app, name="files")
 app.add_typer(system.app, name="system")
 app.add_typer(ruleset_libraries.app, name="libraries")
+app.add_typer(ifm.app, name="ifm")
 
 
 @app.command()

{datamasque_cli-1.1.0 → datamasque_cli-1.2.0}/src/datamasque_cli/output.py

@@ -20,6 +20,7 @@ from typing import Any, NoReturn
 import typer
 from rich.console import Console
 from rich.table import Table
+from rich.text import Text
 from rich.theme import Theme
 
 _DM_THEME = Theme(
@@ -124,6 +125,21 @@ def print_json(data: object) -> None:
     typer.echo(json.dumps(data, indent=2, default=str))
 
 
+def _cell(value: object) -> Text:
+    """Coerce a cell value into a `Text` so Rich treats it literally.
+
+    Without this, square brackets in YAML inline lists (e.g. `path: [a, b]`)
+    are parsed by Rich as console markup tags and silently dropped from the
+    rendered cell. `Text` instances pass through unchanged so callers that
+    *want* styling (see `style_status`) still work.
+    """
+    if value is None:
+        return Text("")
+    if isinstance(value, Text):
+        return value
+    return Text(str(value))
+
+
 def print_table(
     columns: list[str],
     rows: list[list[Any]],
@@ -135,7 +151,7 @@ def print_table(
         # rather than silently ellipsizing them, so IDs stay copyable in narrow terminals.
         table.add_column(col, overflow="fold")
     for row in rows:
-        table.add_row(*[str(v) if v is not None else "" for v in row])
+        table.add_row(*[_cell(v) for v in row])
     stdout_console.print(table)
 
 
@@ -145,7 +161,7 @@ def print_kv(data: dict[str, Any], title: str | None = None) -> None:
     table.add_column("Key", style="bold")
     table.add_column("Value", overflow="fold")
     for key, value in data.items():
-        table.add_row(key, str(value) if value is not None else "")
+        table.add_row(key, _cell(value))
     stdout_console.print(table)
 
 
@@ -171,10 +187,14 @@ def print_info(message: str) -> None:
     console.print(f"[dim]{message}[/dim]")
 
 
-def style_status(status: str) -> str:
-    """Wrap a run status string in the appropriate colour tag."""
-    style_name = f"status.{status}"
-    return f"[{style_name}]{status}[/{style_name}]"
+def style_status(status: str) -> Text:
+    """Wrap a run status string in the appropriate colour tag.
+
+    Returns a `Text` (not a markup string) so it passes through `print_table`
+    and `print_kv` unchanged. Returning a raw markup string would be re-escaped
+    by `_cell` and lose its colour.
+    """
+    return Text(status, style=f"status.{status}")
 
 
 def render_output(