fix(cli): add json output for policy get

Author: mjamiv

Cargo.lock

@@ -1491,6 +1491,10 @@ enum PolicyCommands {
         #[arg(long)]
         full: bool,
 
+        /// Output as JSON.
+        #[arg(long)]
+        json: bool,
+
         /// Show the global policy revision.
         #[arg(long)]
         global: bool,
@@ -2167,13 +2171,16 @@ async fn main() -> Result<()> {
                     name,
                     rev,
                     full,
+                    json,
                     global,
                 } => {
                     if global {
-                        run::sandbox_policy_get_global(&ctx.endpoint, rev, full, &tls).await?;
+                        run::sandbox_policy_get_global(&ctx.endpoint, rev, full, json, &tls)
+                            .await?;
                     } else {
                         let name = resolve_sandbox_name(name, &ctx.name)?;
-                        run::sandbox_policy_get(&ctx.endpoint, &name, rev, full, &tls).await?;
+                        run::sandbox_policy_get(&ctx.endpoint, &name, rev, full, json, &tls)
+                            .await?;
                     }
                 }
                 PolicyCommands::List {
@@ -3557,6 +3564,33 @@ mod tests {
         }
     }
 
+    #[test]
+    fn policy_get_json_parses() {
+        let cli = Cli::try_parse_from([
+            "openshell",
+            "policy",
+            "get",
+            "my-sandbox",
+            "--full",
+            "--json",
+        ])
+        .expect("policy get --json should parse");
+
+        match cli.command {
+            Some(Commands::Policy {
+                command:
+                    Some(PolicyCommands::Get {
+                        name, full, json, ..
+                    }),
+            }) => {
+                assert_eq!(name.as_deref(), Some("my-sandbox"));
+                assert!(full);
+                assert!(json);
+            }
+            other => panic!("expected policy get command, got: {other:?}"),
+        }
+    }
+
     #[test]
     fn policy_delete_global_parses() {
         let cli = Cli::try_parse_from(["openshell", "policy", "delete", "--global", "--yes"])

crates/openshell-cli/src/main.rs

@@ -5653,6 +5653,7 @@ pub async fn sandbox_policy_get(
     name: &str,
     version: u32,
     full: bool,
+    json: bool,
     tls: &TlsOptions,
 ) -> Result<()> {
     let mut client = grpc_client(server, tls).await?;
@@ -5669,6 +5670,19 @@ pub async fn sandbox_policy_get(
     let inner = status_resp.into_inner();
     if let Some(rev) = inner.revision {
         let status = PolicyStatus::try_from(rev.status).unwrap_or(PolicyStatus::Unspecified);
+        if json {
+            let obj = policy_revision_to_json(
+                "sandbox",
+                Some(name),
+                Some(inner.active_version),
+                &rev,
+                status,
+                full,
+            )?;
+            println!("{}", serde_json::to_string_pretty(&obj).into_diagnostic()?);
+            return Ok(());
+        }
+
         println!("Version:      {}", rev.version);
         println!("Hash:         {}", rev.policy_hash);
         println!("Status:       {status:?}");
@@ -5704,6 +5718,7 @@ pub async fn sandbox_policy_get_global(
     server: &str,
     version: u32,
     full: bool,
+    json: bool,
     tls: &TlsOptions,
 ) -> Result<()> {
     let mut client = grpc_client(server, tls).await?;
@@ -5720,6 +5735,12 @@ pub async fn sandbox_policy_get_global(
     let inner = status_resp.into_inner();
     if let Some(rev) = inner.revision {
         let status = PolicyStatus::try_from(rev.status).unwrap_or(PolicyStatus::Unspecified);
+        if json {
+            let obj = policy_revision_to_json("global", None, None, &rev, status, full)?;
+            println!("{}", serde_json::to_string_pretty(&obj).into_diagnostic()?);
+            return Ok(());
+        }
+
         println!("Scope:        global");
         println!("Version:      {}", rev.version);
         println!("Hash:         {}", rev.policy_hash);
@@ -5748,6 +5769,66 @@ pub async fn sandbox_policy_get_global(
     Ok(())
 }
 
+fn policy_status_json_name(status: PolicyStatus) -> &'static str {
+    match status {
+        PolicyStatus::Unspecified => "unspecified",
+        PolicyStatus::Pending => "pending",
+        PolicyStatus::Loaded => "loaded",
+        PolicyStatus::Failed => "failed",
+        PolicyStatus::Superseded => "superseded",
+    }
+}
+
+fn policy_revision_to_json(
+    scope: &str,
+    sandbox: Option<&str>,
+    active_version: Option<u32>,
+    rev: &openshell_core::proto::SandboxPolicyRevision,
+    status: PolicyStatus,
+    full: bool,
+) -> Result<serde_json::Value> {
+    let mut obj = serde_json::Map::new();
+    obj.insert("scope".to_string(), serde_json::json!(scope));
+    if let Some(sandbox) = sandbox {
+        obj.insert("sandbox".to_string(), serde_json::json!(sandbox));
+    }
+    obj.insert("version".to_string(), serde_json::json!(rev.version));
+    obj.insert("hash".to_string(), serde_json::json!(rev.policy_hash));
+    obj.insert(
+        "status".to_string(),
+        serde_json::json!(policy_status_json_name(status)),
+    );
+    if let Some(active_version) = active_version {
+        obj.insert(
+            "active_version".to_string(),
+            serde_json::json!(active_version),
+        );
+    }
+    if rev.created_at_ms > 0 {
+        obj.insert(
+            "created_at_ms".to_string(),
+            serde_json::json!(rev.created_at_ms),
+        );
+    }
+    if rev.loaded_at_ms > 0 {
+        obj.insert(
+            "loaded_at_ms".to_string(),
+            serde_json::json!(rev.loaded_at_ms),
+        );
+    }
+    if !rev.load_error.is_empty() {
+        obj.insert("load_error".to_string(), serde_json::json!(rev.load_error));
+    }
+    if full {
+        let policy = match rev.policy.as_ref() {
+            Some(policy) => openshell_policy::sandbox_policy_to_json_value(policy)?,
+            None => serde_json::Value::Null,
+        };
+        obj.insert("policy".to_string(), policy);
+    }
+    Ok(serde_json::Value::Object(obj))
+}
+
 pub async fn sandbox_policy_list(
     server: &str,
     name: &str,

crates/openshell-cli/src/run.rs

@@ -13,6 +13,7 @@ repository.workspace = true
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 serde = { workspace = true }
+serde_json = { workspace = true }
 serde_yml = { workspace = true }
 miette = { workspace = true }
 

crates/openshell-policy/Cargo.toml

@@ -558,6 +558,25 @@ pub fn serialize_sandbox_policy(policy: &SandboxPolicy) -> Result<String> {
         .wrap_err("failed to serialize policy to YAML")
 }
 
+/// Convert a proto sandbox policy into the canonical policy JSON representation.
+///
+/// The shape mirrors the YAML schema used by [`serialize_sandbox_policy`], so
+/// automation can use the same documented field names in either format.
+pub fn sandbox_policy_to_json_value(policy: &SandboxPolicy) -> Result<serde_json::Value> {
+    let json_repr = from_proto(policy);
+    serde_json::to_value(&json_repr)
+        .into_diagnostic()
+        .wrap_err("failed to serialize policy to JSON")
+}
+
+/// Serialize a proto sandbox policy to a pretty-printed JSON string.
+pub fn serialize_sandbox_policy_json(policy: &SandboxPolicy) -> Result<String> {
+    let json_repr = sandbox_policy_to_json_value(policy)?;
+    serde_json::to_string_pretty(&json_repr)
+        .into_diagnostic()
+        .wrap_err("failed to serialize policy to JSON")
+}
+
 /// Load a sandbox policy from an explicit source.
 ///
 /// Resolution order:
@@ -881,6 +900,30 @@ mod tests {
         );
     }
 
+    /// Verify that JSON serialization uses the same canonical schema keys as YAML.
+    #[test]
+    fn serialized_json_uses_policy_schema_keys() {
+        let proto = parse_sandbox_policy(
+            r"
+version: 1
+network_policies:
+  github:
+    endpoints:
+      - host: api.github.com
+        port: 443
+        protocol: https
+    binaries:
+      - path: /usr/bin/curl
+",
+        )
+        .expect("parse failed");
+        let json = sandbox_policy_to_json_value(&proto).expect("serialize failed");
+
+        assert_eq!(json["version"], serde_json::json!(1));
+        assert!(json.get("filesystem").is_none());
+        assert!(json.get("network_policies").is_some());
+    }
+
     /// Verify that `allowed_ips` survives the round-trip.
     #[test]
     fn round_trip_preserves_allowed_ips() {