fix: add JSON output for SHOW STRUCTURE and SHOW SECURITY MATRIX

Both commands wrote text output directly via fmt.Fprintf, bypassing
the format dispatcher. Now they detect FormatJSON and emit structured
TableResult output instead.

- SHOW STRUCTURE --json: one row per module with element type counts
- SHOW SECURITY MATRIX --json: one row per access rule across entities,
  microflows, pages, and workflows

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ako

mdl/executor/cmd_security.go

@@ -347,6 +347,10 @@ func (e *Executor) showAccessOnWorkflow(name *ast.QualifiedName) error {
 
 // showSecurityMatrix handles SHOW SECURITY MATRIX [IN module].
 func (e *Executor) showSecurityMatrix(moduleName string) error {
+	if e.format == FormatJSON {
+		return e.showSecurityMatrixJSON(moduleName)
+	}
+
 	h, err := e.getHierarchy()
 	if err != nil {
 		return fmt.Errorf("failed to build hierarchy: %w", err)
@@ -566,6 +570,145 @@ func (e *Executor) showSecurityMatrix(moduleName string) error {
 	return nil
 }
 
+// showSecurityMatrixJSON emits the security matrix as a JSON table
+// with one row per access rule across entities, microflows, pages, and workflows.
+func (e *Executor) showSecurityMatrixJSON(moduleName string) error {
+	h, err := e.getHierarchy()
+	if err != nil {
+		return fmt.Errorf("failed to build hierarchy: %w", err)
+	}
+
+	tr := &TableResult{
+		Columns: []string{"ObjectType", "QualifiedName", "Roles", "Rights"},
+	}
+
+	// Entities
+	dms, _ := e.reader.ListDomainModels()
+	for _, dm := range dms {
+		modID := h.FindModuleID(dm.ContainerID)
+		modName := h.GetModuleName(modID)
+		if moduleName != "" && modName != moduleName {
+			continue
+		}
+		for _, entity := range dm.Entities {
+			for _, rule := range entity.AccessRules {
+				var roleStrs []string
+				for _, rn := range rule.ModuleRoleNames {
+					roleStrs = append(roleStrs, rn)
+				}
+				if len(roleStrs) == 0 {
+					for _, rid := range rule.ModuleRoles {
+						roleStrs = append(roleStrs, string(rid))
+					}
+				}
+
+				var rights []string
+				if rule.AllowCreate {
+					rights = append(rights, "C")
+				}
+				rr := rule.DefaultMemberAccessRights == domainmodel.MemberAccessRightsReadOnly ||
+					rule.DefaultMemberAccessRights == domainmodel.MemberAccessRightsReadWrite
+				rw := rule.DefaultMemberAccessRights == domainmodel.MemberAccessRightsReadWrite
+				for _, ma := range rule.MemberAccesses {
+					if ma.AccessRights == domainmodel.MemberAccessRightsReadOnly || ma.AccessRights == domainmodel.MemberAccessRightsReadWrite {
+						rr = true
+					}
+					if ma.AccessRights == domainmodel.MemberAccessRightsReadWrite {
+						rw = true
+					}
+				}
+				if rr {
+					rights = append(rights, "R")
+				}
+				if rw {
+					rights = append(rights, "W")
+				}
+				if rule.AllowDelete {
+					rights = append(rights, "D")
+				}
+
+				tr.Rows = append(tr.Rows, []any{
+					"Entity",
+					modName + "." + entity.Name,
+					strings.Join(roleStrs, ", "),
+					strings.Join(rights, ""),
+				})
+			}
+		}
+	}
+
+	// Microflows
+	mfs, _ := e.reader.ListMicroflows()
+	for _, mf := range mfs {
+		if len(mf.AllowedModuleRoles) == 0 {
+			continue
+		}
+		modID := h.FindModuleID(mf.ContainerID)
+		modName := h.GetModuleName(modID)
+		if moduleName != "" && modName != moduleName {
+			continue
+		}
+		var roleStrs []string
+		for _, r := range mf.AllowedModuleRoles {
+			roleStrs = append(roleStrs, string(r))
+		}
+		tr.Rows = append(tr.Rows, []any{
+			"Microflow",
+			modName + "." + mf.Name,
+			strings.Join(roleStrs, ", "),
+			"X",
+		})
+	}
+
+	// Pages
+	pages, _ := e.reader.ListPages()
+	for _, pg := range pages {
+		if len(pg.AllowedRoles) == 0 {
+			continue
+		}
+		modID := h.FindModuleID(pg.ContainerID)
+		modName := h.GetModuleName(modID)
+		if moduleName != "" && modName != moduleName {
+			continue
+		}
+		var roleStrs []string
+		for _, r := range pg.AllowedRoles {
+			roleStrs = append(roleStrs, string(r))
+		}
+		tr.Rows = append(tr.Rows, []any{
+			"Page",
+			modName + "." + pg.Name,
+			strings.Join(roleStrs, ", "),
+			"X",
+		})
+	}
+
+	// Workflows
+	wfs, _ := e.reader.ListWorkflows()
+	for _, wf := range wfs {
+		if len(wf.AllowedModuleRoles) == 0 {
+			continue
+		}
+		modID := h.FindModuleID(wf.ContainerID)
+		modName := h.GetModuleName(modID)
+		if moduleName != "" && modName != moduleName {
+			continue
+		}
+		var roleStrs []string
+		for _, r := range wf.AllowedModuleRoles {
+			roleStrs = append(roleStrs, string(r))
+		}
+		tr.Rows = append(tr.Rows, []any{
+			"Workflow",
+			modName + "." + wf.Name,
+			strings.Join(roleStrs, ", "),
+			"X",
+		})
+	}
+
+	return e.writeResult(tr)
+}
+
 // describeModuleRole handles DESCRIBE MODULE ROLE Module.RoleName.
 func (e *Executor) describeModuleRole(name ast.QualifiedName) error {
 	h, err := e.getHierarchy()

mdl/executor/cmd_structure.go

@@ -35,10 +35,19 @@ func (e *Executor) execShowStructure(s *ast.ShowStmt) error {
 	}
 
 	if len(modules) == 0 {
-		fmt.Fprintln(e.output, "(no modules found)")
+		if e.format == FormatJSON {
+			fmt.Fprintln(e.output, "[]")
+		} else {
+			fmt.Fprintln(e.output, "(no modules found)")
+		}
 		return nil
 	}
 
+	// JSON mode: emit structured table
+	if e.format == FormatJSON {
+		return e.structureDepth1JSON(modules)
+	}
+
 	switch depth {
 	case 1:
 		return e.structureDepth1(modules)
@@ -51,6 +60,51 @@ func (e *Executor) execShowStructure(s *ast.ShowStmt) error {
 	}
 }
 
+// structureDepth1JSON emits structure as a JSON table with one row per module
+// and columns for each element type count.
+func (e *Executor) structureDepth1JSON(modules []structureModule) error {
+	entityCounts := e.queryCountByModule("entities")
+	mfCounts := e.queryCountByModule("microflows WHERE MicroflowType = 'MICROFLOW'")
+	nfCounts := e.queryCountByModule("microflows WHERE MicroflowType = 'NANOFLOW'")
+	pageCounts := e.queryCountByModule("pages")
+	enumCounts := e.queryCountByModule("enumerations")
+	snippetCounts := e.queryCountByModule("snippets")
+	jaCounts := e.queryCountByModule("java_actions")
+	wfCounts := e.queryCountByModule("workflows")
+	odataClientCounts := e.queryCountByModule("odata_clients")
+	odataServiceCounts := e.queryCountByModule("odata_services")
+	beServiceCounts := e.queryCountByModule("business_event_services")
+	constantCounts := e.countByModuleFromReader("constants")
+	scheduledEventCounts := e.countByModuleFromReader("scheduled_events")
+
+	tr := &TableResult{
+		Columns: []string{
+			"Module", "Entities", "Enumerations", "Microflows", "Nanoflows",
+			"Workflows", "Pages", "Snippets", "JavaActions", "Constants",
+			"ScheduledEvents", "ODataClients", "ODataServices", "BusinessEventServices",
+		},
+	}
+	for _, m := range modules {
+		tr.Rows = append(tr.Rows, []any{
+			m.Name,
+			entityCounts[m.Name],
+			enumCounts[m.Name],
+			mfCounts[m.Name],
+			nfCounts[m.Name],
+			wfCounts[m.Name],
+			pageCounts[m.Name],
+			snippetCounts[m.Name],
+			jaCounts[m.Name],
+			constantCounts[m.Name],
+			scheduledEventCounts[m.Name],
+			odataClientCounts[m.Name],
+			odataServiceCounts[m.Name],
+			beServiceCounts[m.Name],
+		})
+	}
+	return e.writeResult(tr)
+}
+
 // structureModule holds module info for structure output.
 type structureModule struct {
 	Name string