snowglobe-cli 0.1.0__py3-none-any.whl

snowglobe/__init__.py

@@ -0,0 +1,6 @@
+from importlib.metadata import version, PackageNotFoundError
+
+try:
+    __version__ = version("snowglobe-cli")
+except PackageNotFoundError:
+    __version__ = "0.0.0"

snowglobe/__main__.py

@@ -0,0 +1,3 @@
+from snowglobe.cli.app import app
+
+app()

snowglobe/cli/access.py

@@ -0,0 +1,197 @@
+import typer
+from typing import Optional
+from snowglobe.core.access_service import AccessService
+from snowglobe.cli.prompts import resolve_access_inputs
+from snowglobe.output import cli
+
+access_app = typer.Typer(
+    help="Inspect Snowflake access and identify roles/users with access and privileges on database objects",
+    no_args_is_help=True,
+)
+
+
+@access_app.command()
+def check(
+    ctx: typer.Context,
+    ignore_excluded_roles: bool = typer.Option(False, help="Ignore excluded roles"),
+    role: Optional[str] = typer.Option(None, help="Role to inspect access for"),
+    username: Optional[str] = typer.Option(None, help="Username to inspect access for"),
+    object_type: Optional[str] = typer.Option(None, help="Object type (e.g. TABLE)"),
+    object_name: Optional[str] = typer.Option(None, help="Object name (e.g. DB.SCHEMA.TABLE)"),
+    privilege: Optional[str] = typer.Option(None, help="Privilege to check (e.g. SELECT)"),
+    output: str = typer.Option("text", help="Output format: text, json"),
+    refresh_state: bool = typer.Option(False, help="Refresh state from Snowflake")
+):
+    """
+    Check access for a user or role on a specific object.
+
+    In interactive mode (TTY), missing arguments will be prompted for
+    with fuzzy completion. In headless mode (piped/CI), all arguments
+    must be provided or the command will exit with an error.
+    """
+
+    context = ctx.obj
+    access_service = AccessService(context)
+
+    # Load graphs for interactive resolution (needed for completions)
+    access_service.setup_state()
+    if refresh_state:
+        access_service.refresh_state()
+    access_service.load_state()
+
+    # Resolve missing inputs (interactive prompts or headless error)
+    resolved = resolve_access_inputs(
+        username=username,
+        role=role,
+        object_type=object_type,
+        object_name=object_name,
+        privilege=privilege,
+        user_graph=access_service.user_graph,
+        role_graph=access_service.role_graph,
+        grants=[],
+        object_index=access_service.object_index,
+    )
+
+    # Run the access check with fully resolved args
+    try:
+        query_output = access_service.inspect_access(
+            username=resolved["username"],
+            role=resolved["role"],
+            object_type=resolved["object_type"],
+            object_name=resolved["object_name"],
+            privilege=resolved["privilege"],
+            ignore_excluded_roles=ignore_excluded_roles,
+            refresh_state=False,  # Already refreshed above if needed
+        )
+    except ValueError as e:
+        typer.secho(f"Error: {e}", fg=typer.colors.RED)
+        raise typer.Exit(1)
+
+    # Output
+    if output == "text":
+        typer.echo(cli.format_access_text(query_output))
+    elif output == "json":
+        cli.format_json(query_output)
+
+
+@access_app.command()
+def create(
+    ctx: typer.Context,
+    role: Optional[str] = typer.Option(None, help="Role to check CREATE privilege for"),
+    username: Optional[str] = typer.Option(None, help="Username to check CREATE privilege for"),
+    privilege: str = typer.Option("CREATE TABLE", help="CREATE privilege (e.g. 'CREATE TABLE', 'CREATE VIEW')"),
+    scope: Optional[str] = typer.Option(None, help="Optional scope: DB or DB.SCHEMA to filter"),
+    output: str = typer.Option("text", help="Output format: text, json"),
+):
+    """
+    Check CREATE privileges for a user or role.
+
+    Shows where the role/user can create objects — at account level,
+    specific databases, or specific schemas. Optionally filter by a
+    specific database or schema scope.
+
+    Examples:
+        snowglobe access create --role SYSADMIN --privilege "CREATE TABLE"
+        snowglobe access create --role DEV_DW_DESIGNER --privilege "CREATE TABLE" --scope DEV_REFINED.UNIFIED
+    """
+    context = ctx.obj
+
+    if not role and not username:
+        typer.secho("Must provide --role or --username.", fg=typer.colors.RED)
+        raise typer.Exit(1)
+
+    access_service = AccessService(context)
+    try:
+        result = access_service.inspect_create(
+            username=username,
+            role=role,
+            privilege=privilege,
+            scope=scope,
+        )
+    except ValueError as e:
+        typer.secho(f"Error: {e}", fg=typer.colors.RED)
+        raise typer.Exit(1)
+
+    if output == "text":
+        typer.echo(cli.format_create_text(result))
+    elif output == "json":
+        cli.format_json(result)
+
+
+@access_app.command()
+def whoaccess(
+    ctx: typer.Context,
+    object_type: Optional[str] = typer.Option(None, "--object-type", help="Object type (e.g. TABLE, VIEW, SCHEMA)"),
+    object_name: Optional[str] = typer.Option(None, "--object-name", help="Object FQN (e.g. DB.SCHEMA.TABLE)"),
+    privilege: Optional[str] = typer.Option(None, "--privilege", help="Filter to a specific privilege (e.g. SELECT)"),
+    output: str = typer.Option("text", help="Output format: text, json"),
+):
+    """
+    Reverse lookup: who can access this object?
+
+    Shows all roles and users that have access to the specified object,
+    grouped by privilege. Optionally filter to a specific privilege.
+
+    Examples:
+        snowglobe access whoaccess --object-type TABLE --object-name DEV_REFINED.UNIFIED.HUB_EMAIL
+        snowglobe access whoaccess --object-type TABLE --object-name DEV_REFINED.UNIFIED.HUB_EMAIL --privilege SELECT
+    """
+    context = ctx.obj
+    access_service = AccessService(context)
+
+    # Load state for interactive completions
+    access_service.setup_state()
+    access_service.load_state()
+
+    # Resolve missing inputs interactively if TTY
+    if not object_type or not object_name:
+        from snowglobe.cli.prompts import is_interactive
+        if not is_interactive():
+            missing = []
+            if not object_type:
+                missing.append("--object-type")
+            if not object_name:
+                missing.append("--object-name")
+            typer.secho(
+                f"Error: Missing required arguments: {', '.join(missing)}.",
+                fg=typer.colors.RED
+            )
+            raise typer.Exit(1)
+
+        from prompt_toolkit import PromptSession
+        from prompt_toolkit.completion import WordCompleter, FuzzyCompleter
+        from snowglobe.models.access import ObjectType
+
+        session = PromptSession()
+
+        if not object_type:
+            items = [ot.value for ot in ObjectType]
+            word = WordCompleter(items, ignore_case=True)
+            fuzzy = FuzzyCompleter(word)
+            object_type = session.prompt(
+                "Object type: ",
+                completer=fuzzy,
+                complete_while_typing=True,
+            ).strip().upper()
+
+        if not object_name:
+            obj_index = access_service.object_index or {}
+            items = obj_index.get(object_type.upper(), [])
+            word = WordCompleter(items, ignore_case=True, sentence=True)
+            fuzzy = FuzzyCompleter(word)
+            object_name = session.prompt(
+                "Object name (FQN): ",
+                completer=fuzzy,
+                complete_while_typing=True,
+            ).strip()
+
+    result = access_service.inspect_reverse(
+        object_type=object_type,
+        object_name=object_name,
+        privilege=privilege,
+    )
+
+    if output == "text":
+        typer.echo(cli.format_reverse_text(result))
+    elif output == "json":
+        cli.format_json(result)

snowglobe/cli/app.py

@@ -0,0 +1,148 @@
+import typer
+from snowglobe.cli.context import SnowglobeContext
+from snowglobe.cli.access import access_app
+from snowglobe.cli.optimizer import opt_app
+from snowglobe.cli.cost import cost_app
+from snowglobe.cli.diff import diff_app
+from snowglobe.cli.report import report_app
+from snowglobe.cli.debug import debug_app
+
+app = typer.Typer(
+    help="Snowglobe — Explainable cost and access visibility for Snowflake",
+    no_args_is_help=False,
+    context_settings={"ignore_unknown_options": True}
+)
+
+app.add_typer(access_app, name="access")
+app.add_typer(cost_app, name="cost")
+app.add_typer(diff_app, name="diff")
+app.add_typer(opt_app, name="optimize")
+app.add_typer(report_app, name="report")
+app.add_typer(debug_app, name="debug")
+
+
+@app.command()
+def refresh(
+    ctx: typer.Context,
+    full: bool = typer.Option(False, "--full", help="Force full refresh (ignore incremental)")
+):
+    """Refresh cached state from Snowflake. Incremental by default."""
+    from snowglobe.core.access_service import AccessService
+
+    context = ctx.obj
+    service = AccessService(context)
+    service.setup_state()
+
+    service.refresh_state(full=full)
+
+    typer.secho(f"  Users:        {len(service.user_graph.assigned_roles)}", fg=typer.colors.GREEN)
+    typer.secho(f"  Roles:        {len(service.role_graph.parents)}", fg=typer.colors.GREEN)
+    total_objects = sum(len(v) for v in service.object_index.values())
+    typer.secho(f"  Object index: {total_objects} FQNs", fg=typer.colors.GREEN)
+    typer.secho("Done.", fg=typer.colors.GREEN, bold=True)
+
+
+def _launch_tui(context, *, vim_flag: bool = False, fallback_to_shell: bool = False) -> None:
+    """
+    Start the Textual TUI.
+
+    If `fallback_to_shell=True` and Textual isn't installed, drop into the
+    REPL shell instead with a one-line notice. Used by the default
+    `snowglobe` (no-args) path so users without the TUI extra still get
+    something useful. The explicit `snowglobe tui` subcommand passes
+    `fallback_to_shell=False` and exits with an error if Textual is missing.
+    """
+    try:
+        from snowglobe.tui.app import SnowglobeApp, VimSnowglobeApp
+    except ImportError as e:
+        if "textual" in str(e).lower():
+            if fallback_to_shell:
+                typer.secho(
+                    "TUI not available (install with: pip install 'snowglobe[tui]'). "
+                    "Falling back to the REPL shell.",
+                    fg=typer.colors.YELLOW,
+                )
+                from snowglobe.cli.shell import start_shell
+                start_shell(context)
+                return
+            typer.secho(
+                "TUI requires the 'textual' package. Install with:\n"
+                "  pip install 'snowglobe[tui]'   (or)   pip install textual",
+                fg=typer.colors.YELLOW,
+            )
+            raise typer.Exit(1)
+        raise
+
+    # CLI flag wins; otherwise inherit from the active profile's `vim: true`.
+    profile_vim = bool((context.profile or {}).get("vim", False)) if context.profile else False
+    context.vim_mode = vim_flag or profile_vim
+
+    app_cls = VimSnowglobeApp if context.vim_mode else SnowglobeApp
+    app_cls(context=context).run()
+
+
+@app.command()
+def tui(
+    ctx: typer.Context,
+    vim: bool = typer.Option(
+        False, "--vim",
+        help="Enable vim-style navigation (j/k/h/l/g/G/Ctrl-d/Ctrl-u + Esc blurs inputs).",
+    ),
+):
+    """Launch the rich Textual-based TUI (same as running `snowglobe` with no command)."""
+    _launch_tui(ctx.obj, vim_flag=vim, fallback_to_shell=False)
+
+
+@app.command()
+def shell(ctx: typer.Context):
+    """Launch the interactive REPL shell (the prompt_toolkit fuzzy-completion REPL)."""
+    from snowglobe.cli.shell import start_shell
+    start_shell(ctx.obj)
+
+
+@app.callback(invoke_without_command=True)
+def main(
+    ctx: typer.Context,
+    profile_name: str = typer.Option(
+        "default",
+        "--profile",
+        help="Snowflake connection profile to use",
+    ),
+    role: str | None = typer.Option(
+        None,
+        "--role",
+        help="Override Snowflake role",
+    ),
+    output: str = typer.Option(
+        "table",
+        "--output",
+        help="Output format: table | json",
+    ),
+    verbose: bool = typer.Option(
+        False,
+        "--verbose",
+        "-v",
+        help="Enable verbose output"
+    )
+):
+    """
+    Inspect and understand Snowflake cost, access, and ownership.
+
+    Snowglobe is read-only by design.
+
+    Run without a command to launch the TUI.
+    Use `snowglobe shell` for the REPL shell, or any subcommand for headless use.
+    """
+    context = SnowglobeContext(
+        profile_name=profile_name,
+        role=role,
+        output=output,
+        verbose=verbose
+    )
+    context.load_profile()
+    ctx.obj = context
+
+    # No subcommand → launch the TUI (falling back to the REPL shell
+    # if the optional Textual dependency isn't installed).
+    if ctx.invoked_subcommand is None:
+        _launch_tui(context, vim_flag=False, fallback_to_shell=True)

snowglobe/cli/context.py

@@ -0,0 +1,48 @@
+from dataclasses import dataclass, field
+from typing import Optional, Dict, Any, List
+from snowglobe.config.loader import SnowglobeConfig
+from snowglobe.snowflake.connection import SnowflakeReadOnly
+
+
+@dataclass
+class SnowglobeContext:
+    profile_name: str = "default"
+    profile: Optional[Dict[str, Any]] = None
+    role: Optional[str] = None
+    output: str = "table"
+    verbose: bool = False
+    vim_mode: bool = False
+
+    # Working state (used by shell and interactive prompts)
+    target_role: Optional[str] = None
+    username: Optional[str] = None
+    object_type: Optional[str] = None
+    object_name: Optional[str] = None
+    privilege: Optional[str] = None
+
+    # Preloaded graphs (populated by shell or on-demand)
+    user_graph: Any = None
+    role_graph: Any = None
+    object_index: Optional[Dict[str, List[str]]] = None
+
+    def load_profile(self):
+        if self.profile is not None:
+            return
+        config = SnowglobeConfig()
+        self.profile = config.get_profile(self.profile_name)
+        if self.role:
+            self.profile["role"] = self.role
+
+    def connect(self) -> SnowflakeReadOnly:
+        self.load_profile()
+        if not hasattr(self, "_sf"):
+            self._sf = SnowflakeReadOnly(
+                account=self.profile["account"],
+                warehouse=self.profile.get("warehouse"),
+                user=self.profile["user"],
+                role=self.profile.get("role"),
+                password=self.profile.get("password"),
+                private_key_path=self.profile.get("private_key_path"),
+                private_key_pwd=self.profile.get("private_key_pwd")
+            )
+        return self._sf