fix(cli): add json output for policy get

[mjamiv]

Summary

• Add -o/--output json to openshell policy get, matching the CLI output flag pattern already used by provider commands.
• Emit revision metadata as JSON for sandbox and global policy lookups.
• Include canonical policy JSON when --full is set.

Related Issue

Closes #1034

Changes

• Wire a new PolicyGetOutput value enum through the policy get CLI path.
• Add JSON formatting for policy revision metadata, including sandbox scope, active version, status, timestamps, and load errors when present.
• Add a policy serializer helper that produces JSON using the documented policy schema keys.
• Cover CLI parsing and canonical policy JSON serialization with focused tests.

Testing

• cargo test -p openshell-cli policy_get_json_output_parses
• cargo test -p openshell-policy serialized_json_uses_policy_schema_keys
• git diff --check
• MISE_DISABLE_UPDATE_CHECK=1 /root/.local/bin/mise run pre-commit

Checklist

• Tests updated or added where appropriate
• Formatting and lint checks pass

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[johntmyers]

We added -o option for providers here: #1170 - we may want to just standardize on that for any CLI command that can output a structure config etc.

[mjamiv]

Updated in 141d190c to use the existing output flag pattern:

• openshell policy get -o json
• openshell policy get --output json

I removed the visible --json CLI surface from this PR and kept the JSON payload behavior unchanged. The PR body now reflects the new command form and validation:

• cargo test -p openshell-cli policy_get_json_output_parses
• cargo test -p openshell-policy serialized_json_uses_policy_schema_keys
• git diff --check
• MISE_DISABLE_UPDATE_CHECK=1 /root/.local/bin/mise run pre-commit

[johntmyers]

Code Review

I reviewed this with @principal-engineer-reviewer. No blocking P1/P2 correctness or security issues found. The implementation reuses the canonical policy serializer and does not affect policy enforcement.

Findings

• [P3] crates/openshell-cli/src/main.rs:1505
  The --full help text still says “Print the full policy as YAML,” but --full -o json now emits JSON. Use format-neutral text like Include the full policy payload.

• [P3] crates/openshell-cli/src/run.rs:5673
  The JSON output path is not covered by a run-level test. Current tests cover clap parsing and policy schema serialization, but not policy get --full -o json stdout. Add a fake-gRPC CLI test that asserts valid JSON with metadata plus .policy.network_policies.

Testing: I did not run tests, builds, CI, or status checks. I inspected the diff and surrounding code; git diff --check origin/main...origin/pr-1410 was clean.