datasecops-cli 0.3.0__tar.gz → 0.3.2__tar.gz

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/CHANGELOG.md

@@ -2,15 +2,30 @@
 
 All notable changes to the DataSecOps CLI are documented in this file.
 
+## [0.3.2] - 2026-05-15
+
+### Added
+
+- **Upstream project version tracking** — if a profile has `upstream_projects` configured in the native app, the main menu header shows each upstream project's current pinned version vs the latest available tag (fetched via `git ls-remote`). Outdated dependencies are highlighted in yellow.
+- **Auto-update upstream packages** — when outdated upstream packages are detected, a new menu option `[5] update pkgs` appears, which updates `packages.yml` revisions to the latest tags and optionally runs `dbtf deps`
+- **`upstream_projects` field on `ProjectProfile`** — new model field to support upstream dependency tracking from the native app
+
 ## [0.3.0] - 2026-05-14
 
 ### Added
 
 - **`datasecops setup` subcommand** — pure-Python replacement for `setup.ps1` / `setup.sh`. Discovers Snowflake connections from `~/.snowflake/connections.toml`, prompts for connection and app database, and writes `.datasecops.yml`. No platform-specific scripts needed.
-- **Interactive profile selection** — when `profile_name` is not set (no `dbt_project.yml` and no profile in `.datasecops.yml`), the CLI prompts the user to choose from available profiles in the native app instead of silently picking the first one
+- **Prerequisite checks during setup** — checks for `dbtf`, `gh`, and `az` on PATH and verifies authentication status (`gh auth status`, `az account show`)
+- **Interactive profile selection** — when `profile_name` is not set (no `dbt_project.yml` and no profile in `.datasecops.yml`), the CLI prompts the user to choose from available profiles in the native app instead of silently picking the first one. Selected profile is saved back to `.datasecops.yml`.
 - **Auto-setup on first run** — running `datasecops` without a `.datasecops.yml` now offers to run setup interactively instead of just exiting with an error
+- **`--connection`, `--app-database`, `--profile` flags on `download`** — allows CI/CD pipelines to run without a committed `.datasecops.yml` by passing connection details as CLI flags (e.g. `datasecops download sqlfluff -c ci -d MY_APP_DB -p my_project`)
+- **Default app database value** — setup now defaults to `DATA_ENGINEERS_DATASECOPS_FRAMEWORK` (press Enter to accept)
 - **dbt project directory resolution from framework** — `dbt_project_dir` is now re-resolved using the framework's `project_dir` setting after native app config is loaded
 
+### Changed
+
+- **Non-interactive mode safety** — `_connect_and_load` accepts an `interactive` flag; the `download` subcommand passes `interactive=False` so it never prompts (missing config exits 1, multiple profiles use the first one silently)
+
 ## [0.2.9] - 2026-05-14
 
 ### Added

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: datasecops-cli
-Version: 0.3.0
+Version: 0.3.2
 Summary: DataSecOps Framework CLI for Snowflake Native App
 License-Expression: MIT
 License-File: LICENSE
@@ -10,7 +10,6 @@ Requires-Dist: gitpython>=3.1
 Requires-Dist: pydantic>=2.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: snowflake-connector-python>=3.0
-Requires-Dist: sqlfluff>=3.0
 Provides-Extra: mcp
 Requires-Dist: mcp>=1.0; extra == 'mcp'
 Provides-Extra: test

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "datasecops-cli"
-version = "0.3.0"
+version = "0.3.2"
 description = "DataSecOps Framework CLI for Snowflake Native App"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -14,7 +14,6 @@ dependencies = [
     "snowflake-connector-python>=3.0",
     "colorama>=0.4",
     "pyyaml>=6.0",
-    "sqlfluff>=3.0",
     "pydantic>=2.0",
 ]
 

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/src/datasecops_cli/main.py

@@ -46,6 +46,18 @@ def _build_parser() -> argparse.ArgumentParser:
         choices=DOWNLOAD_ITEMS,
         help="Item(s) to download/install: sqlfluff, pipelines, packages, macros, install-sqlfluff, install-dbt, or all",
     )
+    dl.add_argument(
+        "--connection", "-c",
+        help="Snowflake connection name (overrides .datasecops.yml)",
+    )
+    dl.add_argument(
+        "--app-database", "-d",
+        help="Native app database name (overrides .datasecops.yml)",
+    )
+    dl.add_argument(
+        "--profile", "-p",
+        help="Project profile name (overrides .datasecops.yml)",
+    )
 
     return parser
 
@@ -62,7 +74,9 @@ def main():
     elif args.command == "bootstrap":
         _run_bootstrap(config)
     elif args.command == "download":
-        _run_download(config, args.items)
+        _run_download(config, args.items,
+                      connection=args.connection, app_database=args.app_database,
+                      profile=args.profile)
     else:
         _run_interactive(config)
 
@@ -70,11 +84,40 @@ def main():
 def _run_setup(project_dir: Path):
     """Interactive setup: create .datasecops.yml by prompting for connection and app database."""
     from datasecops_cli.utilities.display import (
-        get_input_string, select_from_list
+        get_input_string, get_input_string_or_default, select_from_list, warning_line
     )
 
     section_header("DataSecOps Setup")
 
+    # --- Check prerequisites ---
+    info_line("Checking prerequisites...")
+
+    if shutil.which("dbtf"):
+        success_line("dbt Fusion (dbtf) found")
+    else:
+        warning_line("dbt Fusion (dbtf) not found — dbt commands will not work")
+        warning_line("  Install: https://docs.getdbt.com/docs/core/installation")
+
+    if shutil.which("gh"):
+        result = subprocess.run(["gh", "auth", "status"], capture_output=True, text=True)
+        if result.returncode == 0:
+            success_line("GitHub CLI (gh) found and authenticated")
+        else:
+            warning_line("GitHub CLI (gh) found but not logged in — run: gh auth login")
+    else:
+        warning_line("GitHub CLI (gh) not found — install from https://cli.github.com if using GitHub")
+
+    if shutil.which("az"):
+        result = subprocess.run(["az", "account", "show"], capture_output=True, text=True)
+        if result.returncode == 0:
+            success_line("Azure CLI (az) found and authenticated")
+        else:
+            warning_line("Azure CLI (az) found but not logged in — run: az login")
+    else:
+        warning_line("Azure CLI (az) not found — install from https://aka.ms/installazurecli if using Azure DevOps")
+
+    info_line("")
+
     # --- Discover Snowflake connections ---
     connections_file = Path.home() / ".snowflake" / "connections.toml"
     connection_names = []
@@ -96,12 +139,10 @@ def _run_setup(project_dir: Path):
         sys.exit(1)
 
     # --- App database ---
-    app_database = get_input_string(
-        "Enter native app database name (e.g. DATA_ENGINEERS_DATASECOPS_FRAMEWORK): "
+    app_database = get_input_string_or_default(
+        "Enter native app database name",
+        "DATA_ENGINEERS_DATASECOPS_FRAMEWORK"
     )
-    if not app_database:
-        error_line("App database name is required")
-        sys.exit(1)
 
     # --- Write config ---
     config_data = {
@@ -124,15 +165,15 @@ def _offer_setup(project_dir: Path):
     _run_setup(project_dir)
 
 
-def _connect_and_load(config: Config) -> SnowflakeService:
+def _connect_and_load(config: Config, interactive: bool = True) -> SnowflakeService:
     """Load config, connect to Snowflake, and load native app settings.
     
     Returns the connected SnowflakeService, or calls sys.exit on failure.
-    If .datasecops.yml is missing and a setup script exists, offers to run it.
+    If .datasecops.yml is missing and interactive is True, offers to run setup.
     """
     if not config.load():
         # Check if the failure is due to missing .datasecops.yml
-        if not (config.project_dir / ".datasecops.yml").exists():
+        if not (config.project_dir / ".datasecops.yml").exists() and interactive:
             _offer_setup(config.project_dir)
             # Retry after setup
             if not config.load():
@@ -157,16 +198,29 @@ def _connect_and_load(config: Config) -> SnowflakeService:
 
     # If profile_name was not explicitly set and there are multiple profiles, ask the user
     if not profile_was_set and len(config.all_profiles) > 1:
-        from datasecops_cli.utilities.display import select_from_list
-        names = [p.profile_name for p in config.all_profiles]
-        info_line(f"Found {len(names)} project profiles:")
-        selected = select_from_list(names, "profile", add_back=False)
-        config.profile = None
-        for p in config.all_profiles:
-            if p.profile_name == selected:
-                config.profile = p
-                config.profile_name = selected
-                break
+        if interactive:
+            from datasecops_cli.utilities.display import select_from_list
+            names = [p.profile_name for p in config.all_profiles]
+            info_line(f"Found {len(names)} project profiles:")
+            selected = select_from_list(names, "profile", add_back=False)
+            config.profile = None
+            for p in config.all_profiles:
+                if p.profile_name == selected:
+                    config.profile = p
+                    config.profile_name = selected
+                    break
+            # Save the selected profile back to .datasecops.yml
+            if config.profile:
+                config_data = {
+                    "connection_name": config.datasecops.connection_name,
+                    "app_database": config.datasecops.app_database,
+                    "profile_name": config.profile_name,
+                }
+                write_datasecops_config(config.project_dir, config_data)
+                success_line(f"Saved profile_name '{config.profile_name}' to .datasecops.yml")
+        else:
+            # Non-interactive: use the auto-selected first profile
+            info_line(f"Using default profile: {config.profile_name}")
 
     # Re-resolve dbt_project_dir using framework project_dir setting
     framework_dbt_dir = config.project_dir / config.project_settings.project_dir
@@ -193,6 +247,15 @@ def _run_interactive(config: Config):
             warning_line("dbt Fusion (dbtf) not found on PATH — dbt commands will not work.")
             warning_line("Install dbt Fusion: https://docs.getdbt.com/docs/core/installation")
 
+        # Check upstream project versions
+        from datasecops_cli.services.upstream_service import check_upstream_versions
+        upstream_statuses = []
+        if config.profile and config.profile.upstream_projects:
+            info_line("Checking upstream project versions...")
+            upstream_statuses = check_upstream_versions(
+                config.profile, config.all_profiles, config.dbt_project_dir
+            )
+
         # Initialize services
         dbt_runner = DbtRunner(
             project_dir=config.dbt_project_dir,
@@ -211,14 +274,34 @@ def _run_interactive(config: Config):
 
         # Main menu loop
         _main_menu(config, dbt_runner, git_service, linting_service,
-                    download_service, skill_service, sf_service)
+                    download_service, skill_service, sf_service,
+                    upstream_statuses=upstream_statuses)
     finally:
         sf_service.close()
 
 
-def _run_download(config: Config, items: list[str]):
+def _run_download(config: Config, items: list[str],
+                   connection: str = None, app_database: str = None,
+                   profile: str = None):
     """Run non-interactive downloads for CI/CD pipelines."""
-    sf_service = _connect_and_load(config)
+    # If CLI flags provided, write/override .datasecops.yml on the fly
+    if connection or app_database:
+        from datasecops_cli.utilities.yaml_utils import read_datasecops_config
+        existing = read_datasecops_config(config.project_dir) or {}
+        config_data = {
+            "connection_name": connection or existing.get("connection_name", ""),
+            "app_database": app_database or existing.get("app_database", ""),
+            "profile_name": profile or existing.get("profile_name", ""),
+        }
+        write_datasecops_config(config.project_dir, config_data)
+        info_line(f"Wrote .datasecops.yml (connection={config_data['connection_name']}, app_database={config_data['app_database']})")
+    elif profile:
+        from datasecops_cli.utilities.yaml_utils import read_datasecops_config
+        existing = read_datasecops_config(config.project_dir) or {}
+        existing["profile_name"] = profile
+        write_datasecops_config(config.project_dir, existing)
+
+    sf_service = _connect_and_load(config, interactive=False)
 
     try:
         download_service = DownloadService(sf_service, config.project_dir)
@@ -240,7 +323,7 @@ def _run_download(config: Config, items: list[str]):
             elif item == "pipelines":
                 platform = config.source_control.source_control_platform.lower()
                 info_line(f"Platform: {platform}")
-                if not download_service.download_pipelines(platform=platform):
+                if not download_service.download_pipelines(platform=platform, profile_name=config.profile_name):
                     failed = True
             elif item == "packages":
                 if not download_service.download_dbt_packages(config.dbt_project_dir):
@@ -268,13 +351,44 @@ def _run_download(config: Config, items: list[str]):
         sf_service.close()
 
 
+def _update_upstream_packages(config: Config, dbt_runner: DbtRunner,
+                               upstream_statuses: list):
+    """Update packages.yml with latest upstream versions and optionally run deps."""
+    from datasecops_cli.services.upstream_service import update_packages_yml
+    from datasecops_cli.utilities.display import display_action_header, get_input_true_false, complete_action
+
+    display_action_header("Update Upstream Packages")
+
+    outdated = [s for s in upstream_statuses if s.needs_update and s.latest_tag != "unknown"]
+    if not outdated:
+        info_line("No packages to update")
+        complete_action()
+        return
+
+    for s in outdated:
+        info_line(f"  {s.profile_name}: {s.current_version} → {s.latest_tag}")
+
+    info_line("")
+    count = update_packages_yml(config.dbt_project_dir, upstream_statuses)
+    if count:
+        success_line(f"Updated {count} package(s) in packages.yml")
+        if get_input_true_false("Run dbtf deps now?"):
+            dbt_runner.deps()
+    else:
+        info_line("No changes made to packages.yml")
+
+    complete_action()
+
+
 def _main_menu(config: Config, dbt_runner: DbtRunner, git_service: GitService,
                linting_service: LintingService, download_service: DownloadService,
-               skill_service: SkillService, sf_service: SnowflakeService):
+               skill_service: SkillService, sf_service: SnowflakeService,
+               upstream_statuses: list = None):
     """Main menu loop."""
     profile_name = config.profile_name
+    has_outdated = upstream_statuses and any(s.needs_update for s in upstream_statuses)
     
-    _show_main_menu(profile_name, git_service)
+    _show_main_menu(profile_name, git_service, upstream_statuses)
     option = get_input_number("Choose an option: ")
     
     while option != 0:
@@ -318,21 +432,34 @@ def _main_menu(config: Config, dbt_runner: DbtRunner, git_service: GitService,
                 profile=config.profile,
             )
             bootstrap.run(platform=platform, install_skills=install_skills, run_deps=run_deps)
+
+        elif option == 5 and has_outdated:
+            _update_upstream_packages(config, dbt_runner, upstream_statuses)
+            # Refresh upstream statuses after update
+            from datasecops_cli.services.upstream_service import check_upstream_versions
+            upstream_statuses = check_upstream_versions(
+                config.profile, config.all_profiles, config.dbt_project_dir
+            )
+            has_outdated = any(s.needs_update for s in upstream_statuses)
         
-        _show_main_menu(profile_name, git_service)
+        _show_main_menu(profile_name, git_service, upstream_statuses)
         option = get_input_number("Choose an option: ")
     
     info_line("Exiting DataSecOps Framework CLI")
 
 
-def _show_main_menu(profile_name: str, git_service: GitService = None):
+def _show_main_menu(profile_name: str, git_service: GitService = None,
+                    upstream_statuses: list = None):
     clear()
     branch = git_service.get_current_branch() if git_service else None
-    section_header("DataSecOps Framework CLI", profile_name, branch)
+    section_header("DataSecOps Framework CLI", profile_name, branch,
+                   upstream_info=upstream_statuses)
     menu_option(1, "development   - dbt Development Commands")
     menu_option(2, "git           - Source Control Operations")
     menu_option(3, "downloads     - Download Configs & Skills")
     menu_option(4, "bootstrap     - Set up a new dbt project with all framework config")
+    if upstream_statuses and any(s.needs_update for s in upstream_statuses):
+        menu_option(5, "update pkgs   - Update upstream packages to latest versions")
     menu_option(0, "exit          - Exit")
 
 

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/src/datasecops_cli/menus/downloads.py

@@ -38,7 +38,7 @@ class DownloadsMenu:
                 display_action_header("Download Pipeline Files")
                 platform = self.source_control.source_control_platform.lower() if self.source_control else "github"
                 info_line(f"Platform: {platform}")
-                self.downloads.download_pipelines(platform=platform)
+                self.downloads.download_pipelines(platform=platform, profile_name=self.profile_name)
                 complete_action()
             elif option == 3:
                 display_action_header("Download dbt Packages")

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/src/datasecops_cli/models/project_config.py

@@ -61,10 +61,12 @@ class ProjectProfile(BaseModel):
     project_description: str = ""
     model_types: list[str] = Field(default_factory=list)
     downstream_projects: list[str] = Field(default_factory=list)
+    upstream_projects: list[str] = Field(default_factory=list)
     git_url: str = ""
     target_database: str = ""
     dbt_version: str = "1.9"
     dbt_packages: list[str] = Field(default_factory=list)
+    pipeline_ids: list[str] = Field(default_factory=list)
 
 class DbtPackage(BaseModel):
     name: str = ""

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/src/datasecops_cli/services/download_service.py

@@ -220,9 +220,13 @@ class DownloadService:
             error_line("No active dbt versions found in framework configuration")
         return dbt_packages
     
-    def download_pipelines(self, platform: str = "github") -> bool:
+    def download_pipelines(self, platform: str = "github", profile_name: str = "") -> bool:
         info_line(f"Downloading {platform} pipeline configurations...")
-        raw = self.sf.get_framework_config("PIPELINES")
+        if profile_name:
+            info_line(f"Filtering pipelines for profile: {profile_name}")
+            raw = self.sf.get_pipelines_for_profile(profile_name)
+        else:
+            raw = self.sf.get_framework_config("PIPELINES")
         if not raw:
             error_line("No pipeline configuration found in native app")
             return False

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/src/datasecops_cli/services/snowflake_service.py

@@ -59,7 +59,10 @@ class SnowflakeService:
     
     def get_project_profiles(self) -> Optional[list[dict]]:
         return self.call_procedure("get_project_profiles")
-    
+
+    def get_pipelines_for_profile(self, profile_name: str) -> Optional[dict]:
+        return self.call_procedure("get_pipelines_for_profile", profile_name)
+
     def get_account_info(self) -> dict:
         rows = self.execute_query("SELECT CURRENT_ACCOUNT_NAME() as account, CURRENT_USER() as user_name")
         return rows[0] if rows else {}

datasecops_cli-0.3.2/src/datasecops_cli/services/upstream_service.py

@@ -0,0 +1,158 @@
+"""Service for checking upstream project versions against packages.yml."""
+
+import re
+import subprocess
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Optional
+
+from datasecops_cli.models.project_config import ProjectProfile
+from datasecops_cli.utilities.display import info_line, warning_line
+from datasecops_cli.utilities.yaml_utils import read_yaml, write_yaml
+
+
+@dataclass
+class UpstreamStatus:
+    """Version status of an upstream project dependency."""
+    profile_name: str
+    git_url: str
+    latest_tag: str = ""
+    current_version: str = ""
+    needs_update: bool = False
+    error: str = ""
+
+
+def get_latest_tag(git_url: str, timeout: int = 10) -> Optional[str]:
+    """Fetch the latest tag from a remote git repo without cloning."""
+    try:
+        result = subprocess.run(
+            ["git", "ls-remote", "--tags", "--sort=-v:refname", git_url],
+            capture_output=True, text=True, timeout=timeout,
+        )
+        if result.returncode != 0:
+            return None
+
+        for line in result.stdout.strip().splitlines():
+            ref = line.split("\t")[-1]
+            # Skip ^{} dereferenced tags
+            if ref.endswith("^{}"):
+                continue
+            tag = ref.replace("refs/tags/", "")
+            # Skip pre-release tags
+            if any(pre in tag.lower() for pre in ("alpha", "beta", "rc", "dev")):
+                continue
+            return tag
+        return None
+    except (subprocess.TimeoutExpired, FileNotFoundError):
+        return None
+
+
+def read_packages_yml(dbt_project_dir: Path) -> Optional[dict]:
+    """Read packages.yml from the dbt project directory."""
+    return read_yaml(dbt_project_dir / "packages.yml")
+
+
+def find_pinned_version(packages_data: dict, git_url: str) -> str:
+    """Find the pinned revision/version for a git URL in packages.yml."""
+    if not packages_data:
+        return ""
+    for pkg in packages_data.get("packages", []):
+        pkg_url = pkg.get("git", "")
+        if pkg_url and _urls_match(pkg_url, git_url):
+            return pkg.get("revision", "")
+    return ""
+
+
+def _urls_match(url1: str, url2: str) -> bool:
+    """Compare two git URLs, ignoring trailing .git and protocol differences."""
+    def normalize(url: str) -> str:
+        url = url.rstrip("/").removesuffix(".git").lower()
+        url = re.sub(r"^https?://", "", url)
+        url = re.sub(r"^git@([^:]+):", r"\1/", url)
+        return url
+    return normalize(url1) == normalize(url2)
+
+
+def check_upstream_versions(
+    profile: ProjectProfile,
+    all_profiles: list[ProjectProfile],
+    dbt_project_dir: Path,
+) -> list[UpstreamStatus]:
+    """Check version status of all upstream project dependencies."""
+    if not profile.upstream_projects:
+        return []
+
+    # Build lookup of profiles by name
+    profile_map = {p.profile_name: p for p in all_profiles}
+
+    # Read current packages.yml
+    packages_data = read_packages_yml(dbt_project_dir)
+
+    results = []
+    for upstream_name in profile.upstream_projects:
+        upstream_profile = profile_map.get(upstream_name)
+        if not upstream_profile:
+            results.append(UpstreamStatus(
+                profile_name=upstream_name,
+                git_url="",
+                error=f"Profile '{upstream_name}' not found",
+            ))
+            continue
+
+        git_url = upstream_profile.git_url
+        if not git_url:
+            results.append(UpstreamStatus(
+                profile_name=upstream_name,
+                git_url="",
+                error="No git_url configured",
+            ))
+            continue
+
+        latest_tag = get_latest_tag(git_url)
+        current_version = find_pinned_version(packages_data, git_url)
+
+        needs_update = False
+        if latest_tag and current_version:
+            needs_update = latest_tag.lstrip("v") != current_version.lstrip("v")
+        elif latest_tag and not current_version:
+            needs_update = True
+
+        results.append(UpstreamStatus(
+            profile_name=upstream_name,
+            git_url=git_url,
+            latest_tag=latest_tag or "unknown",
+            current_version=current_version or "not pinned",
+            needs_update=needs_update,
+        ))
+
+    return results
+
+
+def update_packages_yml(
+    dbt_project_dir: Path,
+    upstream_statuses: list[UpstreamStatus],
+) -> int:
+    """Update packages.yml with latest versions for outdated upstream packages.
+    
+    Returns the number of packages updated.
+    """
+    packages_data = read_packages_yml(dbt_project_dir)
+    if not packages_data:
+        return 0
+
+    updated = 0
+    for status in upstream_statuses:
+        if not status.needs_update or status.latest_tag == "unknown":
+            continue
+        for pkg in packages_data.get("packages", []):
+            pkg_url = pkg.get("git", "")
+            if pkg_url and _urls_match(pkg_url, status.git_url):
+                pkg["revision"] = status.latest_tag
+                updated += 1
+                break
+
+    if updated:
+        dest = dbt_project_dir / "packages.yml"
+        write_yaml(dest, packages_data)
+
+    return updated

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/src/datasecops_cli/utilities/display.py

@@ -16,7 +16,8 @@ def print_long_line(color: str = Fore.GREEN) -> None:
     print_detail("=" * 76, color)
 
 
-def section_header(message: str, active_profile: str = None, current_branch: str = None) -> None:
+def section_header(message: str, active_profile: str = None, current_branch: str = None,
+                   upstream_info: list = None) -> None:
     print_long_line(Fore.GREEN)
     print_detail(message, Fore.GREEN)
     print_long_line(Fore.GREEN)
@@ -24,7 +25,18 @@ def section_header(message: str, active_profile: str = None, current_branch: str
         print_detail(f"  Profile: {active_profile}", Fore.GREEN)
     if current_branch:
         print_detail(f"  Branch:  {current_branch}", Fore.GREEN)
-    if active_profile or current_branch:
+    if upstream_info:
+        for status in upstream_info:
+            if status.error:
+                print_detail(f"  Upstream: {status.profile_name} — {status.error}", Fore.YELLOW)
+            elif status.needs_update:
+                print_detail(
+                    f"  Upstream: {status.profile_name} ({status.current_version} → {status.latest_tag} available)",
+                    Fore.YELLOW,
+                )
+            else:
+                print_detail(f"  Upstream: {status.profile_name} ({status.current_version} ✓)", Fore.GREEN)
+    if active_profile or current_branch or upstream_info:
         print_long_line(Fore.GREEN)
 
 

{datasecops_cli-0.3.0 → datasecops_cli-0.3.2}/tests/test_main.py

@@ -102,7 +102,7 @@ class TestRunDownload:
                 _run_download(config, ["pipelines"])
 
             assert exc.value.code == 0
-            mock_ds.download_pipelines.assert_called_once_with(platform="github")
+            mock_ds.download_pipelines.assert_called_once_with(platform="github", profile_name="test_profile")
 
     @patch("datasecops_cli.main._connect_and_load")
     def test_download_packages(self, mock_connect, tmp_path):
@@ -219,7 +219,7 @@ class TestRunDownload:
                 _run_download(config, ["pipelines"])
 
             assert exc.value.code == 0
-            mock_ds.download_pipelines.assert_called_once_with(platform="azuredevops")
+            mock_ds.download_pipelines.assert_called_once_with(platform="azuredevops", profile_name="test_profile")
 
     @patch("datasecops_cli.main._connect_and_load")
     def test_install_sqlfluff(self, mock_connect, tmp_path):