PyPI - datamasque-cli - Versions diffs - 1.3.0__tar.gz → 1.4.0__tar.gz - Mend

datamasque-cli 1.3.0tar.gz → 1.4.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,12 @@
 # Changelog
+## v1.4.0
+### Added
+- `dm connections create --file` now supports Databricks SQL Warehouse
+  (`"type": "databricks"`) and MongoDB (`"type": "mongodb"`) connections.
+  Both list, get, create, and delete like the existing connection types.
 ## v1.3.0
 ### Added

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/CONTRIBUTING.md RENAMED Viewed

@@ -41,6 +41,50 @@ uv sync
 Then either activate the venv (`source .venv/bin/activate`)
 or prefix commands with `uv run`.
+## Running `dm` locally
+`uv sync` installs the CLI in editable mode,
+so the `dm` entry point on the venv reflects your working tree —
+no reinstall after each edit.
+```console
+uv run dm --version              # one-shot, no venv activation needed
+source .venv/bin/activate && dm --version   # or activate once per shell
+```
+Point it at a DataMasque instance.
+For ad-hoc development, env vars are the lowest-friction path
+(no `~/.config/datamasque-cli/config.toml` to clean up afterwards):
+```console
+export DATAMASQUE_URL=http://127.0.0.1:8000
+export DATAMASQUE_USERNAME=admin
+export DATAMASQUE_PASSWORD='P@ssword12'
+export DATAMASQUE_VERIFY_SSL=false   # for self-signed local builds
+dm system health
+dm connections list
+```
+For longer-lived work, save a profile with `dm auth login`
+(stored at `~/.config/datamasque-cli/config.toml`, mode 600).
+### Pairing with a local `datamasque-python` checkout
+`datamasque-cli` depends on the `datamasque-python` package
+for its actual API client.
+If you're changing both repos at once
+(for example, adding a new endpoint that needs a CLI surface),
+install the sibling checkout in editable mode against the CLI's venv:
+```console
+uv pip install -e ../datamasque-python
+```
+The dependency is satisfied by the local checkout
+and edits to either repo are picked up immediately by `dm`.
+A subsequent `uv sync` will re-pin to the registered version —
+re-run the `uv pip install -e` if you want the local override back.
 ## Running the tests
 ```console

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: datamasque-cli
-Version: 1.3.0
+Version: 1.4.0
 Summary: Official command-line interface for the DataMasque data-masking platform.
 Project-URL: Homepage, https://datamasque.com/
 Project-URL: Repository, https://github.com/datamasque/datamasque-cli

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "datamasque-cli"
-version = "1.3.0"
+version = "1.4.0"
 description = "Official command-line interface for the DataMasque data-masking platform."
 authors = [
     { name = "DataMasque Ltd" },

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/src/datamasque_cli/client.py RENAMED Viewed

@@ -48,6 +48,25 @@ def profile_from_env() -> Profile | None:
     return None
+def _profile_from_env_url_only() -> Profile | None:
+    """Build a URL-only profile from `DATAMASQUE_URL`, with empty username/password.
+    Used by the unauthenticated client factory so callers can hit anonymous
+    endpoints (admin-install, health) without setting `DATAMASQUE_USERNAME`
+    and `DATAMASQUE_PASSWORD` -- those fields aren't read by anonymous calls
+    and demanding them is friction for the first-run setup workflow.
+    """
+    url = os.environ.get(ENV_URL)
+    if not url:
+        return None
+    return Profile(
+        url=url.rstrip("/"),
+        username="",
+        password="",
+        verify_ssl=_verify_ssl_from_env(default=True),
+    )
 def _resolve_profile(config: Config, profile_name: str | None) -> Profile:
     profile = config.get_profile(profile_name)
     if not profile.is_configured:
@@ -60,6 +79,25 @@ def _resolve_profile(config: Config, profile_name: str | None) -> Profile:
     return profile
+def _resolve_profile_for_unauthenticated(profile_name: str | None) -> Profile:
+    """Resolve a profile for an unauthenticated call -- only the URL is required.
+    Order: explicit `--profile`, env vars (URL-only is sufficient here),
+    saved active profile. If none yield a URL, abort with a clear hint.
+    """
+    if profile_name is not None:
+        profile = load_config().get_profile(profile_name)
+    else:
+        profile = _profile_from_env_url_only() or load_config().get_profile()
+    if not profile.url:
+        abort(
+            "No DataMasque URL configured.",
+            code=ErrorCode.AUTH_REQUIRED,
+            hint=f"Set {ENV_URL} or run: dm auth login",
+        )
+    return profile
 def _resolve_profile_with_verify(profile_name: str | None) -> tuple[Profile, bool]:
     """Resolve the active `Profile` and apply env-var overrides for `verify_ssl`."""
     env_profile = profile_from_env() if profile_name is None else None
@@ -98,17 +136,43 @@ def get_client(profile_name: str | None = None) -> DataMasqueClient:
     `DATAMASQUE_VERIFY_SSL` always wins over the stored profile so you can
     flip TLS verification per-call without re-running `dm auth login`.
     """
-    profile, verify_ssl = _resolve_profile_with_verify(profile_name)
+    client, profile, verify_ssl = _build_client(profile_name)
+    _authenticate_or_abort(client, profile.url, verify_ssl=verify_ssl)
+    return client
+def get_unauthenticated_client(profile_name: str | None = None) -> DataMasqueClient:
+    """Build a `DataMasqueClient` without performing the up-front login handshake.
+    Used by commands that hit endpoints which don't require — or can't yet
+    use — a token. `admin-install` is the canonical example: on a fresh
+    server there's no user to authenticate as, so `client.authenticate()`
+    would always fail before the command ran.
+    Only `DATAMASQUE_URL` (or a profile with a URL) is required — username
+    and password aren't read by anonymous endpoints, so demanding them
+    would be unnecessary friction for first-run setup.
+    """
+    profile = _resolve_profile_for_unauthenticated(profile_name)
+    verify_ssl = _verify_ssl_from_env(default=profile.verify_ssl)
     instance_config = DataMasqueInstanceConfig(
         base_url=profile.url,
         username=profile.username,
         password=profile.password,
         verify_ssl=verify_ssl,
     )
+    return DataMasqueClient(instance_config)
-    client = DataMasqueClient(instance_config)
-    _authenticate_or_abort(client, profile.url, verify_ssl=verify_ssl)
-    return client
+def _build_client(profile_name: str | None) -> tuple[DataMasqueClient, Profile, bool]:
+    profile, verify_ssl = _resolve_profile_with_verify(profile_name)
+    instance_config = DataMasqueInstanceConfig(
+        base_url=profile.url,
+        username=profile.username,
+        password=profile.password,
+        verify_ssl=verify_ssl,
+    )
+    return DataMasqueClient(instance_config), profile, verify_ssl
 # Substrings that suggest the underlying error was a TLS failure rather than

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/src/datamasque_cli/commands/connections.py RENAMED Viewed

@@ -13,7 +13,9 @@ from datamasque.client.models.connection import (
     ConnectionConfig,
     DatabaseConnectionConfig,
     DatabaseType,
+    DatabricksConnectionConfig,
     DynamoConnectionConfig,
+    MongoConnectionConfig,
     MountedShareConnectionConfig,
     S3ConnectionConfig,
     SnowflakeConnectionConfig,
@@ -37,6 +39,8 @@ class ConnectionType(StrEnum):
     MOUNTED_SHARE = "mounted_share"
     SNOWFLAKE = "snowflake"
     DYNAMODB = "dynamodb"
+    DATABRICKS = "databricks"
+    MONGODB = "mongodb"
 _FILE_CONNECTION_TYPES = (MountedShareConnectionConfig, S3ConnectionConfig, AzureConnectionConfig)
@@ -69,6 +73,8 @@ _CONNECTION_CLASSES: dict[ConnectionType, type[ConnectionConfig]] = {
     ConnectionType.MOUNTED_SHARE: MountedShareConnectionConfig,
     ConnectionType.SNOWFLAKE: SnowflakeConnectionConfig,
     ConnectionType.DYNAMODB: DynamoConnectionConfig,
+    ConnectionType.DATABRICKS: DatabricksConnectionConfig,
+    ConnectionType.MONGODB: MongoConnectionConfig,
 }
@@ -131,7 +137,9 @@ def get_connection(
 def create_connection(
     file: Path | None = typer.Option(None, "--file", "-f", help="JSON file defining the connection"),
     name: str | None = typer.Option(None, help="Connection name"),
-    conn_type: str | None = typer.Option(None, "--type", "-t", help="database, s3, azure, mounted_share"),
+    conn_type: str | None = typer.Option(
+        None, "--type", "-t", help="database, s3, azure, mounted_share, snowflake, dynamodb, databricks, mongodb"
+    ),
     host: str | None = typer.Option(None, help="Database host"),
     port: str | None = typer.Option(None, help="Database port"),
     database: str | None = typer.Option(None, help="Database name"),
@@ -160,6 +168,11 @@ def create_connection(
         # Quick mounted share
         dm connections create --name input --type mounted_share --base-dir my-data --source
+        # Databricks, MongoDB, Snowflake and DynamoDB have many fields, so use --file:
+        #   {"type": "databricks", "name": "dbx", "server_hostname": "...", "http_path": "...",
+        #    "access_token": "...", "catalog": "main", "schema": "default"}
+        dm connections create --file databricks.json
     """
     client = get_client(profile)

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/src/datamasque_cli/commands/runs.py RENAMED Viewed

@@ -5,6 +5,7 @@ from __future__ import annotations
 import json
 import time
 from datetime import UTC, datetime
+from http import HTTPStatus
 from pathlib import Path
 import typer
@@ -31,8 +32,6 @@ app = typer.Typer(help="Manage masking runs.", no_args_is_help=True)
 _POLL_INTERVAL_SECONDS = 5
-_HTTP_NOT_FOUND = 404
 def _format_run_info(run: RunInfo, *, is_styled: bool = False) -> dict[str, object]:
     """Extract the fields most useful for display from a `RunInfo`."""
@@ -350,7 +349,7 @@ def run_report(
         # `GET .../run-report/` 404s for runs that didn't produce one
         # (still in flight, failed early, or a run type that doesn't emit a
         # report). The default error string is opaque, so name the cause.
-        if exc.response is not None and exc.response.status_code == _HTTP_NOT_FOUND:
+        if exc.response is not None and exc.response.status_code == HTTPStatus.NOT_FOUND:
             abort(
                 f"No report available for run {run_id}.",
                 code=ErrorCode.NOT_FOUND,

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/src/datamasque_cli/commands/system.py RENAMED Viewed

@@ -2,13 +2,23 @@
 from __future__ import annotations
+from http import HTTPStatus
 from pathlib import Path
 import typer
+from datamasque.client.exceptions import DataMasqueApiError
-from datamasque_cli.client import get_client
+from datamasque_cli.client import get_client, get_unauthenticated_client
 from datamasque_cli.commands.rulesets import export_bundle, import_bundle
-from datamasque_cli.output import print_json, print_success, print_warning, render_output, should_emit_json
+from datamasque_cli.output import (
+    ErrorCode,
+    abort,
+    print_json,
+    print_success,
+    print_warning,
+    render_output,
+    should_emit_json,
+)
 app = typer.Typer(help="System administration commands.", no_args_is_help=True)
@@ -18,8 +28,14 @@ def health(
     profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
     is_json: bool = typer.Option(False, "--json", help="Output as JSON"),
 ) -> None:
-    """Check DataMasque instance health."""
-    client = get_client(profile)
+    """Check DataMasque instance health.
+    Uses an unauthenticated client because `/api/healthcheck/` does not require a
+    token and should answer even when no admin user has been created yet --
+    the whole point of a health probe is to be the lowest-friction signal of
+    "is the server up?"
+    """
+    client = get_unauthenticated_client(profile)
     client.healthcheck()
     if should_emit_json(is_json):
@@ -101,9 +117,24 @@ def admin_install(
     password: str = typer.Option(..., prompt=True, hide_input=True, help="Admin password"),
     profile: str | None = typer.Option(None, "--profile", "-p", help="Profile to use"),
 ) -> None:
-    """Initial admin setup for a fresh DataMasque instance."""
-    client = get_client(profile)
-    client.admin_install(email=email, username=username, password=password)
+    """Initial admin setup for a fresh DataMasque instance.
+    Uses an unauthenticated client because the admin-install endpoint is itself
+    anonymous and on a fresh server there's no user account to authenticate as.
+    """
+    client = get_unauthenticated_client(profile)
+    try:
+        client.admin_install(email=email, username=username, password=password)
+    except DataMasqueApiError as e:
+        # The server returns 401 on /api/users/admin-install/ once any user exists
+        # DataMasque treats it as a normal auth-required endpoint after that
+        if e.response.status_code == HTTPStatus.UNAUTHORIZED:
+            abort(
+                "Admin install is already complete on this DataMasque instance.",
+                code=ErrorCode.CONFLICT,
+                hint="Use `dm auth login` to sign in as an existing user.",
+            )
+        raise
     print_success(f"Admin user '{username}' created.")

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/tests/commands/test_connections.py RENAMED Viewed

@@ -7,6 +7,8 @@ import pytest
 from datamasque.client.models.connection import (
     DatabaseConnectionConfig,
     DatabaseType,
+    DatabricksConnectionConfig,
+    MongoConnectionConfig,
     MountedShareConnectionConfig,
 )
 from typer.testing import CliRunner
@@ -164,6 +166,64 @@ def test_create_connection_from_json_file(mock_get_client: MagicMock, runner: Cl
     client.create_or_update_connection.assert_called_once()
+@patch(f"{MODULE}.get_client")
+def test_create_databricks_connection_from_json_file(
+    mock_get_client: MagicMock, runner: CliRunner, tmp_path: MagicMock
+) -> None:
+    client = MagicMock()
+    mock_get_client.return_value = client
+    conn_file = tmp_path / "dbx.json"
+    conn_file.write_text(
+        json.dumps(
+            {
+                "type": "databricks",
+                "name": "dbx",
+                "server_hostname": "dbc-1514b142-1c6c.cloud.databricks.com",
+                "http_path": "/sql/1.0/warehouses/ea7d918dd5f236f9",
+                "access_token": "dapiTOKEN",
+                "catalog": "main",
+                "schema": "default",
+            }
+        )
+    )
+    result = runner.invoke(app, ["connections", "create", "--file", str(conn_file)])
+    assert result.exit_code == 0
+    config = client.create_or_update_connection.call_args.args[0]
+    assert isinstance(config, DatabricksConnectionConfig)
+    assert config.db_type == "databricks"
+@patch(f"{MODULE}.get_client")
+def test_create_mongodb_connection_from_json_file(
+    mock_get_client: MagicMock, runner: CliRunner, tmp_path: MagicMock
+) -> None:
+    client = MagicMock()
+    mock_get_client.return_value = client
+    conn_file = tmp_path / "mongo.json"
+    conn_file.write_text(
+        json.dumps(
+            {
+                "type": "mongodb",
+                "name": "mongo",
+                "host": "localhost",
+                "port": "27017",
+                "database": "mydb",
+                "user": "admin",
+                "password": "secret",
+            }
+        )
+    )
+    result = runner.invoke(app, ["connections", "create", "--file", str(conn_file)])
+    assert result.exit_code == 0
+    config = client.create_or_update_connection.call_args.args[0]
+    assert isinstance(config, MongoConnectionConfig)
+    assert config.db_type == "mongodb"
 # -- delete (tests confirmation logic) ------------------------------------

datamasque_cli-1.4.0/tests/commands/test_system.py ADDED Viewed

@@ -0,0 +1,192 @@
+from __future__ import annotations
+from datetime import UTC, datetime
+from unittest.mock import MagicMock, patch
+import pytest
+from datamasque.client.exceptions import DataMasqueApiError
+from datamasque.client.models.license import LicenseInfo, SwitchableLicenseMetadata
+from typer.testing import CliRunner
+from datamasque_cli.main import app
+MODULE = "datamasque_cli.commands.system"
+@patch(f"{MODULE}.get_client")
+def test_licence_projects_to_user_facing_fields(mock_get_client: MagicMock, runner: CliRunner) -> None:
+    client = MagicMock()
+    mock_get_client.return_value = client
+    client.get_current_license_info.return_value = LicenseInfo(
+        uuid="lic-123",
+        name="Test Licence",
+        type="standard",
+        is_expired=False,
+        uploadable=True,
+        expiry_date=datetime(2027, 6, 1, tzinfo=UTC),
+        days_until_expiry=400,
+        platform_name="DataMasque",
+        # Noisy nested field that should NOT appear in the projected output.
+        switchable_license_metadata=SwitchableLicenseMetadata(license_source="aws"),
+    )
+    result = runner.invoke(app, ["system", "licence", "--json"])
+    assert result.exit_code == 0
+    assert '"uuid": "lic-123"' in result.stdout
+    assert '"days_until_expiry": 400' in result.stdout
+    assert '"platform_name": "DataMasque"' in result.stdout
+    assert "switchable_license_metadata" not in result.stdout
+    assert "license_source" not in result.stdout
+@pytest.mark.parametrize(
+    ("extra_args", "settings_url", "expected_output"),
+    [
+        (["--json"], "http://engine.example.com:9021", '"dm_ai_engine_url": "http://engine.example.com:9021"'),
+        ([], "http://engine.example.com:9021", "http://engine.example.com:9021"),
+        ([], None, "<not configured>"),
+        ([], "", "<not configured>"),
+    ],
+)
+@patch(f"{MODULE}.get_client")
+def test_ai_engine_show(
+    mock_get_client: MagicMock,
+    runner: CliRunner,
+    extra_args: list[str],
+    settings_url: str | None,
+    expected_output: str,
+) -> None:
+    client = MagicMock()
+    mock_get_client.return_value = client
+    response = MagicMock()
+    response.json.return_value = {"dm_ai_engine_url": settings_url}
+    client.make_request.return_value = response
+    result = runner.invoke(app, ["system", "ai-engine", "show", *extra_args])
+    assert result.exit_code == 0
+    client.make_request.assert_called_once_with("GET", "/api/settings/")
+    assert expected_output in result.stdout
+@patch(f"{MODULE}.get_client")
+def test_ai_engine_set_patches_settings_with_url(mock_get_client: MagicMock, runner: CliRunner) -> None:
+    client = MagicMock()
+    mock_get_client.return_value = client
+    result = runner.invoke(app, ["system", "ai-engine", "set", "http://engine.example.com:9021"])
+    assert result.exit_code == 0
+    client.make_request.assert_called_once_with(
+        "PATCH", "/api/settings/", data={"dm_ai_engine_url": "http://engine.example.com:9021"}
+    )
+# Commands that hit anonymous endpoints must use `get_unauthenticated_client`, not `get_client`.
+# Using `get_client` would call `authenticate()` first, which always fails on a fresh server
+# (no admin user yet → 401 → SystemExit) and never reaches the actual endpoint.
+@patch(f"{MODULE}.get_unauthenticated_client")
+@patch(f"{MODULE}.get_client")
+def test_admin_install_uses_unauthenticated_client(
+    mock_get_client: MagicMock, mock_get_unauth: MagicMock, runner: CliRunner
+) -> None:
+    client = MagicMock()
+    mock_get_unauth.return_value = client
+    result = runner.invoke(
+        app,
+        [
+            "system",
+            "admin-install",
+            "--email",
+            "admin@example.com",
+            "--username",
+            "admin",
+            "--password",
+            "P@ssword12",
+        ],
+    )
+    assert result.exit_code == 0, result.output
+    mock_get_unauth.assert_called_once()
+    mock_get_client.assert_not_called()
+    client.admin_install.assert_called_once_with(email="admin@example.com", username="admin", password="P@ssword12")
+@patch(f"{MODULE}.get_unauthenticated_client")
+def test_admin_install_translates_401_into_conflict(mock_get_unauth: MagicMock, runner: CliRunner) -> None:
+    """A 401 from /api/users/admin-install/ means the instance is already set up.
+    Translate the raw API error into a user-facing conflict message instead of
+    letting the misleading "Unable to login" traceback bubble up.
+    """
+    client = MagicMock()
+    mock_get_unauth.return_value = client
+    response = MagicMock()
+    response.status_code = 401
+    client.admin_install.side_effect = DataMasqueApiError("401 Unauthorized", response=response)
+    result = runner.invoke(
+        app,
+        [
+            "system",
+            "admin-install",
+            "--email",
+            "admin@example.com",
+            "--username",
+            "admin",
+            "--password",
+            "P@ssword12",
+        ],
+    )
+    assert result.exit_code == 8  # ErrorCode.CONFLICT
+    assert "already complete" in result.stderr
+    assert "dm auth login" in result.stderr
+@patch(f"{MODULE}.get_unauthenticated_client")
+def test_admin_install_does_not_swallow_non_401_errors(mock_get_unauth: MagicMock, runner: CliRunner) -> None:
+    """Only 401 is the "already installed" signal -- other errors must surface."""
+    client = MagicMock()
+    mock_get_unauth.return_value = client
+    response = MagicMock()
+    response.status_code = 400
+    client.admin_install.side_effect = DataMasqueApiError("400 Bad Request", response=response)
+    result = runner.invoke(
+        app,
+        [
+            "system",
+            "admin-install",
+            "--email",
+            "admin@example.com",
+            "--username",
+            "admin",
+            "--password",
+            "weak",
+        ],
+    )
+    assert result.exit_code != 0
+    assert "already complete" not in result.stderr
+@patch(f"{MODULE}.get_unauthenticated_client")
+@patch(f"{MODULE}.get_client")
+def test_health_uses_unauthenticated_client(
+    mock_get_client: MagicMock, mock_get_unauth: MagicMock, runner: CliRunner
+) -> None:
+    client = MagicMock()
+    mock_get_unauth.return_value = client
+    result = runner.invoke(app, ["system", "health", "--json"])
+    assert result.exit_code == 0, result.output
+    mock_get_unauth.assert_called_once()
+    mock_get_client.assert_not_called()
+    client.healthcheck.assert_called_once_with()
+    assert '"status": "healthy"' in result.stdout

datamasque_cli-1.4.0/tests/integration/test_system.py ADDED Viewed

@@ -0,0 +1,97 @@
+"""Integration tests for `dm system` commands that hit anonymous endpoints.
+These end-to-end exercise the `get_unauthenticated_client` path against a real
+DataMasque instance, the regression they guard against (silently re-introducing
+`get_client` on either command) can only be caught against a real server: a unit
+test can mock the factory, but only a live instance reveals that the auth call
+fails on a fresh server.
+"""
+from __future__ import annotations
+import json
+import os
+import uuid
+import pytest
+from typer.testing import CliRunner
+from datamasque_cli.client import get_unauthenticated_client
+from datamasque_cli.main import app
+pytestmark = pytest.mark.integration
+def _is_installed(runner: CliRunner) -> bool:
+    """Check installation state via the dm CLI's health-style probe.
+    `/api/app/check/` is what the admin frontend uses to decide whether to show
+    the install wizard, so it's the canonical signal for "this instance is
+    already set up".
+    Implemented via the python client directly because there's no `dm` command
+    for `/api/app/check/` yet; that's the only thing here that bypasses the CLI.
+    """
+    # Build a URL-only client so this works on a fresh instance too.
+    client = get_unauthenticated_client()
+    response = client.make_request("GET", "/api/app/check/", requires_authorization=False)
+    return bool(response.json().get("installed"))
+def test_health_works_without_authentication(runner: CliRunner, monkeypatch: pytest.MonkeyPatch) -> None:
+    """`dm system health` must succeed even when no credentials are configured.
+    The whole point of a health probe is to be the lowest-friction "is the
+    server up?" signal -- it shouldn't depend on a valid login.
+    """
+    monkeypatch.delenv("DATAMASQUE_USERNAME", raising=False)
+    monkeypatch.delenv("DATAMASQUE_PASSWORD", raising=False)
+    result = runner.invoke(app, ["system", "health", "--json"])
+    assert result.exit_code == 0, result.output
+    assert json.loads(result.stdout)["status"] == "healthy"
+def test_admin_install_creates_admin_user_on_fresh_instance(runner: CliRunner, monkeypatch: pytest.MonkeyPatch) -> None:
+    """End-to-end admin-install against a real instance.
+    Skips when the instance is already configured -- the endpoint is gated on
+    "no user has been created yet" and reusing a server between runs is the
+    common case. To exercise this path, point the integration suite at a
+    freshly-restarted DataMasque (e.g. `docker compose down -v && up -d`).
+    """
+    if _is_installed(runner):
+        pytest.skip(
+            "Instance is already installed. Reset it (e.g. `docker compose down -v && up -d`) "
+            "to exercise the admin-install path."
+        )
+    # `dm system admin-install` needs no credentials -- the password is passed
+    # via --password and the endpoint itself is anonymous. Clear the env vars
+    # the parent fixture set so this test proves the no-creds path works.
+    monkeypatch.delenv("DATAMASQUE_USERNAME", raising=False)
+    monkeypatch.delenv("DATAMASQUE_PASSWORD", raising=False)
+    # Use the same credentials the parent fixture configures, so any
+    # subsequent authenticated tests in this session can log in.
+    username = os.environ["DM_TEST_USERNAME"]
+    password = os.environ["DM_TEST_PASSWORD"]
+    email = f"{uuid.uuid4().hex[:8]}@dm-integration.test"
+    result = runner.invoke(
+        app,
+        [
+            "system",
+            "admin-install",
+            "--email",
+            email,
+            "--username",
+            username,
+            "--password",
+            password,
+        ],
+    )
+    assert result.exit_code == 0, result.output
+    assert _is_installed(runner), "Instance should be marked installed after admin-install"

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/tests/test_client_auth.py RENAMED Viewed

@@ -5,7 +5,7 @@ from unittest.mock import MagicMock, patch
 import pytest
 from datamasque.client.exceptions import DataMasqueApiError, DataMasqueTransportError
-from datamasque_cli.client import _format_transport_error, get_client
+from datamasque_cli.client import _format_transport_error, get_client, get_unauthenticated_client
 from datamasque_cli.config import Config, Profile
@@ -46,6 +46,27 @@ def test_get_client_aborts_on_auth_failure(
     assert exc_info.value.code == 7  # auth_failed
+@patch("datamasque_cli.client.DataMasqueClient")
+@patch("datamasque_cli.client.load_config")
+def test_get_unauthenticated_client_does_not_call_authenticate(
+    mock_load: MagicMock, mock_client_cls: MagicMock, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    """Commands that hit anonymous endpoints (admin-install, health) must not try
+    to log in first -- on a fresh server there's no user to authenticate as."""
+    monkeypatch.delenv("DATAMASQUE_URL", raising=False)
+    monkeypatch.delenv("DATAMASQUE_USERNAME", raising=False)
+    monkeypatch.delenv("DATAMASQUE_PASSWORD", raising=False)
+    config = Config()
+    config.set_profile("default", Profile(url="https://dm", username="admin", password="secret"))
+    mock_load.return_value = config
+    client = get_unauthenticated_client()
+    assert client is mock_client_cls.return_value
+    mock_client_cls.return_value.authenticate.assert_not_called()
 @pytest.mark.parametrize(
     ("error_message", "verify_ssl", "expect_hint"),
     [

{datamasque_cli-1.3.0 → datamasque_cli-1.4.0}/uv.lock RENAMED Viewed

@@ -141,7 +141,7 @@ wheels = [
 [[package]]
 name = "datamasque-cli"
-version = "1.3.0"
+version = "1.4.0"
 source = { editable = "." }
 dependencies = [
     { name = "datamasque-python" },
@@ -174,15 +174,15 @@ dev = [
 [[package]]
 name = "datamasque-python"
-version = "1.0.0"
+version = "1.0.4"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "pydantic" },
     { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/0b/0b/507ed18ee2f73e8cd01ae56955d7c84b1d13b196c190ec137d08f2fb00a4/datamasque_python-1.0.0.tar.gz", hash = "sha256:2acc548c7be659c174c2af45f5a0494868c1571eb8f2c282adeb58a0a73b372c", size = 161412, upload-time = "2026-04-21T22:50:47.836Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e0/52/1acd8c73b15e07c417a7a90060facc15b8823d5cf3207c6a51a8f9510be6/datamasque_python-1.0.4.tar.gz", hash = "sha256:45d1020364e16cd8200b972960f2bf72a683a2633cacde0c0d3eb8b00a80191a", size = 164063, upload-time = "2026-06-09T06:35:57.719Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/5b/d8/7185251764bbd3455d940383afb8a192910436c0ff917cf6cdace5e33bcd/datamasque_python-1.0.0-py3-none-any.whl", hash = "sha256:1586d14e5006392d4b37ec140c0bf047da03c8e1e0c18dd30a670debf49c8b64", size = 49642, upload-time = "2026-04-21T22:50:46.332Z" },
+    { url = "https://files.pythonhosted.org/packages/50/8e/7323a24cd06116cd2b1fcb3a664df86660fc11dbc49c470afc91d2744819/datamasque_python-1.0.4-py3-none-any.whl", hash = "sha256:893eb5e63814d2862d3f2d5d0b26850cb7367f54cd315bb7e2716ed4cdd69cd3", size = 50839, upload-time = "2026-06-09T06:35:56.328Z" },
 ]
 [[package]]

datamasque_cli-1.3.0/tests/commands/test_system.py DELETED Viewed

@@ -1,82 +0,0 @@
-from __future__ import annotations
-from datetime import UTC, datetime
-from unittest.mock import MagicMock, patch
-import pytest
-from datamasque.client.models.license import LicenseInfo, SwitchableLicenseMetadata
-from typer.testing import CliRunner
-from datamasque_cli.main import app
-MODULE = "datamasque_cli.commands.system"
-@patch(f"{MODULE}.get_client")
-def test_licence_projects_to_user_facing_fields(mock_get_client: MagicMock, runner: CliRunner) -> None:
-    client = MagicMock()
-    mock_get_client.return_value = client
-    client.get_current_license_info.return_value = LicenseInfo(
-        uuid="lic-123",
-        name="Test Licence",
-        type="standard",
-        is_expired=False,
-        uploadable=True,
-        expiry_date=datetime(2027, 6, 1, tzinfo=UTC),
-        days_until_expiry=400,
-        platform_name="DataMasque",
-        # Noisy nested field that should NOT appear in the projected output.
-        switchable_license_metadata=SwitchableLicenseMetadata(license_source="aws"),
-    )
-    result = runner.invoke(app, ["system", "licence", "--json"])
-    assert result.exit_code == 0
-    assert '"uuid": "lic-123"' in result.stdout
-    assert '"days_until_expiry": 400' in result.stdout
-    assert '"platform_name": "DataMasque"' in result.stdout
-    assert "switchable_license_metadata" not in result.stdout
-    assert "license_source" not in result.stdout
-@pytest.mark.parametrize(
-    ("extra_args", "settings_url", "expected_output"),
-    [
-        (["--json"], "http://engine.example.com:9021", '"dm_ai_engine_url": "http://engine.example.com:9021"'),
-        ([], "http://engine.example.com:9021", "http://engine.example.com:9021"),
-        ([], None, "<not configured>"),
-        ([], "", "<not configured>"),
-    ],
-)
-@patch(f"{MODULE}.get_client")
-def test_ai_engine_show(
-    mock_get_client: MagicMock,
-    runner: CliRunner,
-    extra_args: list[str],
-    settings_url: str | None,
-    expected_output: str,
-) -> None:
-    client = MagicMock()
-    mock_get_client.return_value = client
-    response = MagicMock()
-    response.json.return_value = {"dm_ai_engine_url": settings_url}
-    client.make_request.return_value = response
-    result = runner.invoke(app, ["system", "ai-engine", "show", *extra_args])
-    assert result.exit_code == 0
-    client.make_request.assert_called_once_with("GET", "/api/settings/")
-    assert expected_output in result.stdout
-@patch(f"{MODULE}.get_client")
-def test_ai_engine_set_patches_settings_with_url(mock_get_client: MagicMock, runner: CliRunner) -> None:
-    client = MagicMock()
-    mock_get_client.return_value = client
-    result = runner.invoke(app, ["system", "ai-engine", "set", "http://engine.example.com:9021"])
-    assert result.exit_code == 0
-    client.make_request.assert_called_once_with(
-        "PATCH", "/api/settings/", data={"dm_ai_engine_url": "http://engine.example.com:9021"}
-    )