lkr-dev-cli 0.0.32__tar.gz → 0.0.34__tar.gz

{lkr_dev_cli-0.0.32 → lkr_dev_cli-0.0.34}/.github/workflows/release.yml

@@ -52,6 +52,12 @@ jobs:
             ${{ env.IMAGE_NAME }}:latest \
             --project ${{ secrets.GCP_PROJECT_ID }}
 
+      - name: Trigger Website Deploy
+        run: |
+            curl -fSL "$DEPLOY_URL"
+        env:
+            DEPLOY_URL: ${{ secrets.DEPLOY_URL }}
+
   publish:
     name: python
     runs-on: ubuntu-latest

lkr_dev_cli-0.0.34/Makefile

@@ -0,0 +1,26 @@
+.PHONY: docs test-deps codemode-test codemode-test2 codemode-start
+
+docs:
+	uv run typer lkr/main.py utils docs --output lkr.md
+
+test-deps:
+	python tests/test_dependency_resolution.py 
+
+codemode-test:
+	uv run python tests/test_codemode.py
+
+codemode-test2:
+	uv run python tests/test_codemode2.py
+
+
+codemode-start:
+	@echo "Add this to your mcpServers config:"
+	@echo "{"
+	@echo "  \"mcpServers\": {"
+	@echo "    \"lkr-codemode\": {"
+	@echo "      \"command\": \"uvx\","
+	@echo "      \"args\": [\"--from\", \"lkr-dev-cli[codemode]\", \"lkr\", \"code-mode\", \"run\"]"
+	@echo "    }"
+	@echo "  }"
+	@echo "}"
+	uv run lkr code-mode run

lkr_dev_cli-0.0.32/README.md → lkr_dev_cli-0.0.34/PKG-INFO

@@ -1,10 +1,46 @@
+Metadata-Version: 2.4
+Name: lkr-dev-cli
+Version: 0.0.34
+Summary: lkr: a command line interface for looker
+Author: bwebs
+License-Expression: MIT
+License-File: LICENSE
+Requires-Python: >=3.12
+Requires-Dist: cryptography>=45.0.4
+Requires-Dist: looker-sdk>=25.10.0
+Requires-Dist: pydantic>=2.11.7
+Requires-Dist: pydash>=8.0.5
+Requires-Dist: questionary>=2.1.0
+Requires-Dist: requests>=2.32.4
+Requires-Dist: structlog>=25.4.0
+Requires-Dist: typer>=0.16.0
+Provides-Extra: all
+Requires-Dist: duckdb>=1.3.1; extra == 'all'
+Requires-Dist: fastapi[standard]>=0.115.14; extra == 'all'
+Requires-Dist: mcp[cli]>=1.10.1; extra == 'all'
+Requires-Dist: pydantic-monty; extra == 'all'
+Requires-Dist: selenium>=4.34.0; extra == 'all'
+Provides-Extra: codemode
+Requires-Dist: mcp[cli]>=1.10.1; extra == 'codemode'
+Requires-Dist: pydantic-monty; extra == 'codemode'
+Provides-Extra: mcp
+Requires-Dist: duckdb>=1.3.1; extra == 'mcp'
+Requires-Dist: fastapi[standard]>=0.115.14; extra == 'mcp'
+Requires-Dist: mcp[cli]>=1.10.1; extra == 'mcp'
+Provides-Extra: observability
+Requires-Dist: fastapi[standard]>=0.115.14; extra == 'observability'
+Requires-Dist: selenium>=4.34.0; extra == 'observability'
+Provides-Extra: tools
+Requires-Dist: fastapi[standard]>=0.115.14; extra == 'tools'
+Description-Content-Type: text/markdown
+
 # lkr cli
 
 The `lkr` cli is a tool for interacting with Looker. It combines Looker's SDK and customer logic to interact with Looker in meaninful ways. For a full list of commands, see the full [cli docs](./lkr.md)
 
 ## Usage
 
-`uv` makes everyone's life easier. Go [install it](https://docs.astral.sh/uv/getting-started/installation/). You can start using `lkr` by running `uv run --with lkr-dev-cli[all] lkr --help`.
+`uv` makes everyone's life easier. Go [install it](https://docs.astral.sh/uv/getting-started/installation/). You can start using `lkr` by running `uvx --from lkr-dev-cli[all] lkr --help`.
 
 Alternatively, you can install `lkr` with `pip install lkr-dev-cli[all]` and use commands directly like `lkr <command>`.
 
@@ -24,7 +60,7 @@ See the [prerequisites section](#oauth2-prerequisites)
 Login to `lkr`
 
 ```bash
-uv run --with lkr-dev-cli[all] lkr auth login
+uvx --from lkr-dev-cli[all] lkr auth login
 ```
 
 - Select a new instance
@@ -32,12 +68,12 @@ uv run --with lkr-dev-cli[all] lkr auth login
 - Choose whether you want this login to use production or development mode
 - Give it a name
 
-You will be redirected to the Looker OAuth authorization page, click Allow. If you do not see an allow button, the [prerequisites](#prerequisites) were not done properly.
+You will be redirected to the Looker OAuth authorization page, click Allow. If you do not see an allow button, the [prerequisites](#oauth2-prerequisites) were not done properly.
 
 If everything is successful, you will see `Successfully authenticated!`. Test it with
 
 ```bash
-uv run --with lkr-dev-cli[all] lkr auth whoami
+uvx --from lkr-dev-cli[all] lkr auth whoami
 ```
 
 ### Using API Key
@@ -45,7 +81,7 @@ uv run --with lkr-dev-cli[all] lkr auth whoami
 If you provide environment variables for `LOOKERSDK_CLIENT_ID`, `LOOKERSDK_CLIENT_SECRET`, and `LOOKERSDK_BASE_URL`, `lkr` will use the API key to authenticate and the commands.  We also support command line arguments to pass in the client id, client secret, and base url.
 
 ```bash
-uv run --with lkr-dev-cli[all]  lkr --client-id <your client id> --client-secret <your client secret> --base-url <your instance url> auth whoami
+uvx --from lkr-dev-cli[all]  lkr --client-id <your client id> --client-secret <your client secret> --base-url <your instance url> auth whoami
 ```
 
 
@@ -73,6 +109,10 @@ Go to the Looker API Explorer for Register OAuth App (https://your.looker.instan
 - This only needs to be done once per instance
 
 
+## Code-Mode
+
+Execute Python code safely with full Looker SDK coverage within a secure sandbox environment. Constructed as an MCP tool, it dynamically inspects the Looker SDK for all public methods and injects them into the Monty sandbox safely. For detailed options, safe primitives transformations, and PKCE configurations, view the full [Code-Mode Docs](./codemode.md).
+
 ## MCP
 Built into the `lkr` is an MCP server. Right now its tools are based on helping you work within an IDE. To use it a tool like [Cursor](https://www.cursor.com/), add this to your mcp.json
 
@@ -325,6 +365,30 @@ def delete_user_attribute(user_attribute_name: str, email: str):
     )
     updater.delete_user_attribute_value()
 
+## Permission Deprecation Tool
+
+The `schedule-download-deprecation` tool helps Looker admins ensure that users do not lose access to models they already have when Looker moves towards more granular model-specific permissions for scheduling and downloading.
+
+### How it helps
+Currently, some permissions in Looker can be granted instance-wide. In the future, these permissions may need to be explicitly granted at the model level (via Model Sets). This tool audits all active users and identifies those who:
+- Have "target permissions" (like `download_with_limit`, `schedule_look_emails`, etc.) instance-wide.
+- Do **not** have those same permissions for specific models they otherwise have access to.
+
+By running this tool, an admin can proactively identify and fix permission gaps before any deprecation takes effect, ensuring a seamless experience for end-users.
+
+### Usage
+This command should be run by a **Looker Admin**.
+
+```bash
+uvx --from lkr-dev-cli[all] lkr tools schedule-download-deprecation
+```
+
+Options:
+- `--csv`: Export the results to a CSV file for easier analysis of large instances.
+- `--unfiltered`: Show all users, including those who have all required permissions across all models.
+- `--model-offset`: Slice the table output to show different sets of models (the table shows 5 models at a time).
+
+
 ## Optional Dependencies
 
 The `lkr` CLI supports optional dependencies that enable additional functionality. You can install these individually or all at once.

lkr_dev_cli-0.0.32/PKG-INFO → lkr_dev_cli-0.0.34/README.md

@@ -1,48 +1,10 @@
-Metadata-Version: 2.4
-Name: lkr-dev-cli
-Version: 0.0.32
-Summary: lkr: a command line interface for looker
-Author: bwebs
-License-Expression: MIT
-License-File: LICENSE
-Requires-Python: >=3.12
-Requires-Dist: looker-sdk>=25.4.0
-Requires-Dist: pydantic>=2.11.4
-Requires-Dist: pydash>=8.0.5
-Provides-Extra: all
-Requires-Dist: cryptography>=42.0.0; extra == 'all'
-Requires-Dist: duckdb>=1.2.2; extra == 'all'
-Requires-Dist: fastapi[standard]>=0.115.12; extra == 'all'
-Requires-Dist: mcp[cli]>=1.9.2; extra == 'all'
-Requires-Dist: questionary>=2.1.0; extra == 'all'
-Requires-Dist: requests>=2.31.0; extra == 'all'
-Requires-Dist: selenium>=4.32.0; extra == 'all'
-Requires-Dist: structlog>=25.3.0; extra == 'all'
-Requires-Dist: typer>=0.15.2; extra == 'all'
-Provides-Extra: cli
-Requires-Dist: cryptography>=42.0.0; extra == 'cli'
-Requires-Dist: questionary>=2.1.0; extra == 'cli'
-Requires-Dist: requests>=2.31.0; extra == 'cli'
-Requires-Dist: structlog>=25.3.0; extra == 'cli'
-Requires-Dist: typer>=0.15.2; extra == 'cli'
-Provides-Extra: mcp
-Requires-Dist: duckdb>=1.2.2; extra == 'mcp'
-Requires-Dist: fastapi[standard]>=0.115.12; extra == 'mcp'
-Requires-Dist: mcp[cli]>=1.9.2; extra == 'mcp'
-Provides-Extra: observability
-Requires-Dist: fastapi[standard]>=0.115.12; extra == 'observability'
-Requires-Dist: selenium>=4.32.0; extra == 'observability'
-Provides-Extra: tools
-Requires-Dist: fastapi[standard]>=0.115.12; extra == 'tools'
-Description-Content-Type: text/markdown
-
 # lkr cli
 
 The `lkr` cli is a tool for interacting with Looker. It combines Looker's SDK and customer logic to interact with Looker in meaninful ways. For a full list of commands, see the full [cli docs](./lkr.md)
 
 ## Usage
 
-`uv` makes everyone's life easier. Go [install it](https://docs.astral.sh/uv/getting-started/installation/). You can start using `lkr` by running `uv run --with lkr-dev-cli[all] lkr --help`.
+`uv` makes everyone's life easier. Go [install it](https://docs.astral.sh/uv/getting-started/installation/). You can start using `lkr` by running `uvx --from lkr-dev-cli[all] lkr --help`.
 
 Alternatively, you can install `lkr` with `pip install lkr-dev-cli[all]` and use commands directly like `lkr <command>`.
 
@@ -62,7 +24,7 @@ See the [prerequisites section](#oauth2-prerequisites)
 Login to `lkr`
 
 ```bash
-uv run --with lkr-dev-cli[all] lkr auth login
+uvx --from lkr-dev-cli[all] lkr auth login
 ```
 
 - Select a new instance
@@ -70,12 +32,12 @@ uv run --with lkr-dev-cli[all] lkr auth login
 - Choose whether you want this login to use production or development mode
 - Give it a name
 
-You will be redirected to the Looker OAuth authorization page, click Allow. If you do not see an allow button, the [prerequisites](#prerequisites) were not done properly.
+You will be redirected to the Looker OAuth authorization page, click Allow. If you do not see an allow button, the [prerequisites](#oauth2-prerequisites) were not done properly.
 
 If everything is successful, you will see `Successfully authenticated!`. Test it with
 
 ```bash
-uv run --with lkr-dev-cli[all] lkr auth whoami
+uvx --from lkr-dev-cli[all] lkr auth whoami
 ```
 
 ### Using API Key
@@ -83,7 +45,7 @@ uv run --with lkr-dev-cli[all] lkr auth whoami
 If you provide environment variables for `LOOKERSDK_CLIENT_ID`, `LOOKERSDK_CLIENT_SECRET`, and `LOOKERSDK_BASE_URL`, `lkr` will use the API key to authenticate and the commands.  We also support command line arguments to pass in the client id, client secret, and base url.
 
 ```bash
-uv run --with lkr-dev-cli[all]  lkr --client-id <your client id> --client-secret <your client secret> --base-url <your instance url> auth whoami
+uvx --from lkr-dev-cli[all]  lkr --client-id <your client id> --client-secret <your client secret> --base-url <your instance url> auth whoami
 ```
 
 
@@ -111,6 +73,10 @@ Go to the Looker API Explorer for Register OAuth App (https://your.looker.instan
 - This only needs to be done once per instance
 
 
+## Code-Mode
+
+Execute Python code safely with full Looker SDK coverage within a secure sandbox environment. Constructed as an MCP tool, it dynamically inspects the Looker SDK for all public methods and injects them into the Monty sandbox safely. For detailed options, safe primitives transformations, and PKCE configurations, view the full [Code-Mode Docs](./codemode.md).
+
 ## MCP
 Built into the `lkr` is an MCP server. Right now its tools are based on helping you work within an IDE. To use it a tool like [Cursor](https://www.cursor.com/), add this to your mcp.json
 
@@ -363,6 +329,30 @@ def delete_user_attribute(user_attribute_name: str, email: str):
     )
     updater.delete_user_attribute_value()
 
+## Permission Deprecation Tool
+
+The `schedule-download-deprecation` tool helps Looker admins ensure that users do not lose access to models they already have when Looker moves towards more granular model-specific permissions for scheduling and downloading.
+
+### How it helps
+Currently, some permissions in Looker can be granted instance-wide. In the future, these permissions may need to be explicitly granted at the model level (via Model Sets). This tool audits all active users and identifies those who:
+- Have "target permissions" (like `download_with_limit`, `schedule_look_emails`, etc.) instance-wide.
+- Do **not** have those same permissions for specific models they otherwise have access to.
+
+By running this tool, an admin can proactively identify and fix permission gaps before any deprecation takes effect, ensuring a seamless experience for end-users.
+
+### Usage
+This command should be run by a **Looker Admin**.
+
+```bash
+uvx --from lkr-dev-cli[all] lkr tools schedule-download-deprecation
+```
+
+Options:
+- `--csv`: Export the results to a CSV file for easier analysis of large instances.
+- `--unfiltered`: Show all users, including those who have all required permissions across all models.
+- `--model-offset`: Slice the table output to show different sets of models (the table shows 5 models at a time).
+
+
 ## Optional Dependencies
 
 The `lkr` CLI supports optional dependencies that enable additional functionality. You can install these individually or all at once.

lkr_dev_cli-0.0.34/codemode.md

@@ -0,0 +1,51 @@
+# Looker Code-Mode MCP Server
+
+`lkr code-mode` allows you to invoke a Python-based Model Context Protocol (MCP) server. It offers an AI agent the unique capacity to batched-execute Python commands securely within the Monty sandbox against your active Looker instance!
+
+## How It Works
+
+Instead of dumping hundreds of explicit tool declarations onto your AI agent (token bloat), `lkr code-mode` exposes **exactly one tool**: `run_python_code(code: str)`. 
+
+The tool instantiates Looker SDK natively, searches all bound methods, and passes them safely onto Monty's environment as global functions. When the LLM writes standard Python code (e.g., `me()`, `folder(id)`), Monty will process it correctly locally!
+
+### Key Features:
+- **100% Tool Coverage:** Accesses all Looker SDK public operations smoothly without token limits.
+- **Recursive Translation:** Complex Looker models like User, Folder, Dashboard get string-converted into dictionaries immediately before ingesting them into Monty.
+- **Automatic PKCE Restarter:** Caught an invalid token? Code-Mode immediately catches `InvalidRefreshTokenError` and safely opens up your PKCE authentication browser automatically.
+- **Extremely Secure:** Monty interpreter ensures isolated sandbox processing. No local filesystem accesses are exposed.
+
+## Continuous Usage
+
+### 1. Starting the Server
+To immediately trigger the stdio listener, use:
+```bash
+uvx --from lkr-dev-cli[codemode] lkr code-mode run
+```
+
+### 2. Client Configuration
+To hook this server into Cursor or Claude Desktop natively over stdio, append the following onto your `mcpServers` configuration JSON. Make sure to pass your Looker instance credentials as environment variables (see standard API requirements in [README.md](./README.md#using-api-key)):
+
+```json
+{
+  "mcpServers": {
+    "looker-codemode": {
+      "command": "uvx",
+      "args": ["--from", "lkr-dev-cli[codemode]", "lkr", "code-mode", "run"],
+      "env": {
+        "LOOKERSDK_BASE_URL": "https://your.looker.instance",
+        "LOOKERSDK_CLIENT_ID": "your-client-id",
+        "LOOKERSDK_CLIENT_SECRET": "your-client-secret"
+      }
+    }
+  }
+}
+```
+
+### 3. Visual Inspector
+To check things out on a web panel:
+```bash
+npx @modelcontextprotocol/inspector uvx --from lkr-dev-cli[codemode] lkr code-mode run
+```
+
+```
+

{lkr_dev_cli-0.0.32 → lkr_dev_cli-0.0.34}/lkr/auth/main.py

@@ -191,16 +191,22 @@ def whoami(ctx: typer.Context):
     Check current authentication
     """
     auth = get_auth(ctx)
-    sdk = auth.get_current_sdk(prompt_refresh_invalid_token=True)
-    if not sdk:
-        logger.error(
-            "Not currently authenticated - use `lkr auth login` or `lkr auth switch` to authenticate"
+    try:
+        sdk = auth.get_current_sdk(prompt_refresh_invalid_token=True)
+        if not sdk:
+            logger.error(
+                "Not currently authenticated - use `lkr auth login` or `lkr auth switch` to authenticate"
+            )
+            raise typer.Exit(1)
+        user = sdk.me()
+        logger.info(
+            f"Currently authenticated as {user.first_name} {user.last_name} ({user.email}) to {sdk.auth.settings.base_url}"
         )
-        raise typer.Exit(1)
-    user = sdk.me()
-    logger.info(
-        f"Currently authenticated as {user.first_name} {user.last_name} ({user.email}) to {sdk.auth.settings.base_url}"
-    )
+    except Exception as e:
+        if "invalid_grant" in str(e) or "token expired" in str(e):
+            logger.error("Your Looker OAuth session has expired. Please run 'lkr auth login' to re-authenticate.")
+            raise typer.Exit(1)
+        raise e
 
 
 @group.command()

{lkr_dev_cli-0.0.32 → lkr_dev_cli-0.0.34}/lkr/auth_service.py

@@ -23,7 +23,12 @@ from lkr.constants import LOOKER_API_VERSION, OAUTH_CLIENT_ID, OAUTH_REDIRECT_UR
 from lkr.custom_types import NewTokenCallback
 from lkr.logger import logger
 
-__all__ = ["get_auth", "ApiKeyAuthSession", "DbOAuthSession"]
+__all__ = ["get_auth", "ApiKeyAuthSession", "DbOAuthSession", "is_auth_expired"]
+
+
+def is_auth_expired(e: Exception) -> bool:
+    return "invalid_grant" in str(e) or "token expired" in str(e)
+
 
 
 def get_auth(ctx: Union["typer.Context", LkrCtxObj]) -> Union["SqlLiteAuth", "ApiKeyAuth"]:
@@ -465,11 +470,23 @@ class SqlLiteAuth:
             def refresh_current_token(token: Union[AccessToken, AuthToken]):
                 current_auth.set_token(self.conn, new_token=token, commit=True)
 
-            return init_oauth_sdk(
+            sdk = init_oauth_sdk(
                 current_auth.base_url,
                 new_token_callback=refresh_current_token,
                 access_token=current_auth.to_access_token(),
             )
+            if prompt_refresh_invalid_token:
+                import sys
+                try:
+                    sdk.auth.authenticate({})
+                except Exception as e:
+                    if is_auth_expired(e):
+                        if sys.stdin.isatty():
+                            self._cli_confirm_refresh_token(current_auth, quiet=False)
+                            return self.get_current_sdk(prompt_refresh_invalid_token=False)
+                    raise e
+
+            return sdk
 
         else:
             logger.error("No current instance found, please login")

lkr_dev_cli-0.0.34/lkr/codemode/__init__.py

@@ -0,0 +1,3 @@
+from .main import group
+
+__all__ = ["group"]

lkr_dev_cli-0.0.34/lkr/codemode/main.py

@@ -0,0 +1,104 @@
+import inspect
+from typing import Optional
+
+import typer
+import pydantic_monty
+from mcp.server.fastmcp import FastMCP
+
+from lkr.auth_service import get_auth, is_auth_expired
+from lkr.classes import LkrCtxObj
+from lkr.logger import logger
+
+__all__ = ["group"]
+
+mcp = FastMCP("lkr:codemode")
+group = typer.Typer()
+
+
+
+def get_mcp_sdk(ctx: LkrCtxObj):
+    sdk = get_auth(ctx).get_current_sdk(prompt_refresh_invalid_token=True)
+    sdk.auth.settings.agent_tag += "-codemode"
+    return sdk
+
+
+
+def to_primitive(obj):
+    seen = set()
+
+    def _to_primitive(o):
+        if isinstance(o, (str, int, float, bool, type(None))):
+            return o
+        
+        obj_id = id(o)
+        if obj_id in seen:
+            return f"<Circular reference to {type(o).__name__}>"
+        seen.add(obj_id)
+        
+        try:
+            if isinstance(o, list):
+                return [_to_primitive(item) for item in o]
+            elif isinstance(o, dict):
+                return {k: _to_primitive(v) for k, v in o.items()}
+            else:
+                try:
+                    return _to_primitive(vars(o))
+                except TypeError:
+                    return str(o)
+                except Exception:
+                    return str(o)
+        finally:
+            seen.remove(obj_id)
+
+    return _to_primitive(obj)
+
+
+
+@mcp.tool()
+def run_python_code(code: str) -> str:
+    """
+    Execute Python code safely with access to all Looker SDK methods as global functions.
+    Capture the result and any print outputs.
+    """
+    try:
+        ctx = LkrCtxObj(force_oauth=False)
+        sdk = get_mcp_sdk(ctx)
+        
+        external_funcs = {}
+        for name, method in inspect.getmembers(sdk, predicate=inspect.ismethod):
+            if not name.startswith('_'):
+                # Wrap in a lambda to recursively convert output to primitives
+                def make_wrapper(m):
+                    def wrapper(*args, **kwargs):
+                        res = m(*args, **kwargs)
+                        return to_primitive(res)
+                    return wrapper
+                external_funcs[name] = make_wrapper(method)
+
+        m = pydantic_monty.Monty(code)
+        result = m.run(external_functions=external_funcs)
+        
+        # Monty run returns a MontyComplete or None
+        output = str(getattr(result, "output", "")) if result is not None else ""
+        
+        # Try to append captured stdout if available on the object
+        stdout = getattr(result, "stdout", None) if result is not None else None
+        if stdout:
+            return f"Output:\n{output}\nStdout:\n{stdout}"
+        return output
+    except Exception as e:
+        logger.error(f"Error executing Monty: {e}")
+        if is_auth_expired(e):
+            return "Error: Your Looker OAuth session has expired. Please run 'lkr auth login' to re-authenticate."
+        return f"Error: {str(e)}"
+
+
+@group.command(name="run")
+def run(
+    ctx: typer.Context,
+    debug: bool = typer.Option(False, help="Debug mode"),
+):
+    mcp.run()
+
+if __name__ == "__main__":
+    mcp.run("sse")

{lkr_dev_cli-0.0.32 → lkr_dev_cli-0.0.34}/lkr/main.py

@@ -42,6 +42,7 @@ def add_optional_typer_group(app, import_path, group_name, extra_message=None):
 add_optional_typer_group(app, "lkr.mcp.main.group", "mcp")
 add_optional_typer_group(app, "lkr.observability.main.group", "observability")
 add_optional_typer_group(app, "lkr.tools.main.group", "tools")
+add_optional_typer_group(app, "lkr.codemode.main.group", "code-mode")
 
 @app.callback()
 def callback(