Merge pull request #3 from ethanolivertroy/feat/investigation-workflows

feat: add curated investigation workflows

Author: ethanolivertroy

README.md

@@ -220,10 +220,15 @@ In addition to raw OpenAPI operations, the CLI includes read-only workflow comma
 ```bash
 drata summary --json --compact
 drata controls failing --json --compact
+drata controls get DCF-71 --json --compact
 drata monitors failing --json --compact
+drata monitors for-control DCF-71 --json --compact
+drata monitors get 31 --workspace-id 12 --json --compact
 drata connections list --status DISCONNECTED --json --compact
 drata personnel issues --json --compact
-drata evidence expiring --days 60 --json --compact
+drata personnel get --email alice@example.com --json --compact
+drata evidence list --workspace-id 12 --json --compact
+drata evidence expiring --days 60 --workspace-id 12 --json --compact
 ```
 
 These workflows use v1 list endpoints where they provide workspace-independent compliance rollups and automatically follow page/limit pagination. `--limit N` caps displayed items in workflow outputs without changing the underlying summary counts or API page size. Use `--max-pages N` to bound collection work for very large tenants.

src/cli.mjs

@@ -13,8 +13,13 @@ import {
   printWorkflowPayload,
   runConnectionsList,
   runControlsFailing,
+  runControlsGet,
   runEvidenceExpiring,
+  runEvidenceList,
   runMonitorsFailing,
+  runMonitorsForControl,
+  runMonitorsGet,
+  runPersonnelGet,
   runPersonnelIssues,
   runSummary,
   runWorkflowOperation,
@@ -51,10 +56,15 @@ Usage:
   drata auth <login|status|check|logout>
   drata summary [--json] [--compact]
   drata controls failing [--json] [--compact]
+  drata controls get <code> [--json] [--compact]
   drata monitors failing [--json] [--compact]
+  drata monitors for-control <code> [--json] [--compact]
+  drata monitors get <id> [--workspace-id ID] [--json] [--compact]
   drata connections list [--status STATUS] [--json] [--compact]
   drata personnel issues [--json] [--compact]
-  drata evidence expiring [--days N] [--json] [--compact]
+  drata personnel get <id>|--email EMAIL [--json] [--compact]
+  drata evidence list [--workspace-id ID] [--json] [--compact]
+  drata evidence expiring [--days N] [--workspace-id ID] [--json] [--compact]
   drata completion <bash|zsh|fish>
   drata agent-schema [v1|v2] [--tag TAG] [--search TEXT]
   drata <operation> [flags]
@@ -95,7 +105,9 @@ Examples:
   drata auth check --json
   drata summary --json --compact
   drata controls failing --json --compact
+  drata controls get DCF-71 --json --compact
   drata monitors failing --json --compact
+  drata monitors for-control DCF-71 --json --compact
   drata connections list --status DISCONNECTED --json --compact
   drata completion zsh
   drata agent-schema v2 --search controls
@@ -519,13 +531,24 @@ async function handleControlsWorkflow(args) {
     return;
   }
 
-  const flags = await parseWorkflowRequestFlags(rest);
   if (subcommand === "failing") {
+    const flags = await parseWorkflowRequestFlags(rest);
     printWorkflowPayload(await runControlsFailing(flags), flags);
     return;
   }
 
-  fail("unknown_controls_command", `Unknown controls command "${subcommand}". Expected failing.`, {
+  if (subcommand === "get") {
+    const [code, ...flagArgs] = rest;
+    if (!code || code === "--help" || code === "help") {
+      printUsage();
+      return;
+    }
+    const flags = await parseWorkflowRequestFlags(flagArgs);
+    printWorkflowPayload(await runControlsGet(flags, { code }), flags);
+    return;
+  }
+
+  fail("unknown_controls_command", `Unknown controls command "${subcommand}". Expected failing or get.`, {
     command: subcommand,
   });
 }
@@ -537,13 +560,36 @@ async function handleMonitorsWorkflow(args) {
     return;
   }
 
-  const flags = await parseWorkflowRequestFlags(rest);
   if (subcommand === "failing") {
+    const flags = await parseWorkflowRequestFlags(rest);
     printWorkflowPayload(await runMonitorsFailing(flags), flags);
     return;
   }
 
-  fail("unknown_monitors_command", `Unknown monitors command "${subcommand}". Expected failing.`, {
+  if (subcommand === "for-control") {
+    const [code, ...flagArgs] = rest;
+    if (!code || code === "--help" || code === "help") {
+      printUsage();
+      return;
+    }
+    const flags = await parseWorkflowRequestFlags(flagArgs);
+    printWorkflowPayload(await runMonitorsForControl(flags, { code }), flags);
+    return;
+  }
+
+  if (subcommand === "get") {
+    const [id, ...flagArgs] = rest;
+    if (!id || id === "--help" || id === "help") {
+      printUsage();
+      return;
+    }
+    const flags = await parseWorkflowRequestFlags(flagArgs);
+    const workspaceId = takeWorkflowNamedFlag(flags, "workspace-id");
+    printWorkflowPayload(await runMonitorsGet(flags, { id, workspaceId }), flags);
+    return;
+  }
+
+  fail("unknown_monitors_command", `Unknown monitors command "${subcommand}". Expected failing, for-control, or get.`, {
     command: subcommand,
   });
 }
@@ -574,13 +620,22 @@ async function handlePersonnelWorkflow(args) {
     return;
   }
 
-  const flags = await parseWorkflowRequestFlags(rest);
   if (subcommand === "issues") {
+    const flags = await parseWorkflowRequestFlags(rest);
     printWorkflowPayload(await runPersonnelIssues(flags), flags);
     return;
   }
 
-  fail("unknown_personnel_command", `Unknown personnel command "${subcommand}". Expected issues.`, {
+  if (subcommand === "get") {
+    const positional = rest[0]?.startsWith("--") ? null : rest[0];
+    const flagArgs = positional ? rest.slice(1) : rest;
+    const flags = await parseWorkflowRequestFlags(flagArgs);
+    const email = takeWorkflowNamedFlag(flags, "email");
+    printWorkflowPayload(await runPersonnelGet(flags, { id: positional, email }), flags);
+    return;
+  }
+
+  fail("unknown_personnel_command", `Unknown personnel command "${subcommand}". Expected issues or get.`, {
     command: subcommand,
   });
 }
@@ -599,12 +654,17 @@ async function handleEvidenceWorkflow(args) {
     fail("invalid_days", `--days must be a non-negative integer`, { days });
   }
 
+  if (subcommand === "list") {
+    printWorkflowPayload(await runEvidenceList(flags, { workspaceId }), flags);
+    return;
+  }
+
   if (subcommand === "expiring") {
     printWorkflowPayload(await runEvidenceExpiring(flags, { days, workspaceId }), flags);
     return;
   }
 
-  fail("unknown_evidence_command", `Unknown evidence command "${subcommand}". Expected expiring.`, {
+  fail("unknown_evidence_command", `Unknown evidence command "${subcommand}". Expected list or expiring.`, {
     command: subcommand,
   });
 }

src/lib/completion.mjs

@@ -44,6 +44,7 @@ const WORKFLOW_FLAGS = [
   "--retry",
   "--timeout-ms",
   "--max-pages",
+  "--workspace-id",
   "--help",
 ];
 const CONNECTION_STATUS_VALUES = ["CONNECTED", "DISCONNECTED", "FAILED", "NEVER_CONNECTED"];
@@ -97,6 +98,7 @@ const FLAGS_REQUIRING_VALUES = new Set([
   "--status",
   "--days",
   "--workspace-id",
+  "--email",
   "--tag",
   "--search",
 ]);
@@ -292,14 +294,14 @@ async function completeWords(index, words) {
 
   if (first === "controls") {
     if (beforeWords.length <= 1 && !current.startsWith("--")) {
-      return filterByPrefix(["failing"], current);
+      return filterByPrefix(["failing", "get"], current);
     }
     return filterByPrefix(WORKFLOW_FLAGS, current);
   }
 
   if (first === "monitors") {
     if (beforeWords.length <= 1 && !current.startsWith("--")) {
-      return filterByPrefix(["failing"], current);
+      return filterByPrefix(["failing", "for-control", "get"], current);
     }
     return filterByPrefix(WORKFLOW_FLAGS, current);
   }
@@ -313,16 +315,16 @@ async function completeWords(index, words) {
 
   if (first === "personnel") {
     if (beforeWords.length <= 1 && !current.startsWith("--")) {
-      return filterByPrefix(["issues"], current);
+      return filterByPrefix(["issues", "get"], current);
     }
-    return filterByPrefix(WORKFLOW_FLAGS, current);
+    return filterByPrefix([...WORKFLOW_FLAGS, "--email"], current);
   }
 
   if (first === "evidence") {
     if (beforeWords.length <= 1 && !current.startsWith("--")) {
-      return filterByPrefix(["expiring"], current);
+      return filterByPrefix(["list", "expiring"], current);
     }
-    return filterByPrefix([...WORKFLOW_FLAGS, "--days", "--workspace-id"], current);
+    return filterByPrefix([...WORKFLOW_FLAGS, "--days"], current);
   }
 
   if (first === "ops") {

src/lib/workflows.mjs

@@ -478,11 +478,70 @@ export async function runControlsFailing(flags) {
   return buildControlsFailingPayload(data, flags);
 }
 
+export async function runControlsGet(flags, options = {}) {
+  const code = String(options.code ?? "");
+  const queryFlags = cloneFlags(flags);
+  pushNamed(queryFlags, "q", code);
+  const { data } = await listV1("controls-get-controls", queryFlags);
+  const control = dataItems(data).map(enrichControl).find((item) => item.code === code);
+  if (!control) {
+    fail("control_not_found", `Control ${code} was not found.`, { code });
+  }
+
+  return flags.compact
+    ? { kind: "controls.get", control: compactControlsPayload({ controls: [control] }).controls[0] }
+    : { kind: "controls.get", control };
+}
+
 export async function runMonitorsFailing(flags) {
   const { data } = await listV1("list-monitors", flags);
   return buildMonitorsFailingPayload(data, flags);
 }
 
+function controlIdentifierMatches(control, target) {
+  return [control.code, control.id].filter((value) => value !== undefined && value !== null).some((value) => String(value) === target);
+}
+
+export async function runMonitorsForControl(flags, options = {}) {
+  const code = String(options.code ?? "");
+  const { data } = await listV1("list-monitors", flags);
+  // This uses controls embedded on the list response; use `monitors get --workspace-id` for detail-only fields.
+  const monitors = dataItems(data).filter((monitor) => (monitor.controls ?? []).some((control) => controlIdentifierMatches(control, code)));
+  const limitedMonitors = applyLimit(monitors, flags);
+  const payload = {
+    kind: "monitors.for-control",
+    code,
+    total: payloadTotal(data, dataItems(data)),
+    matching: monitors.length,
+    showing: limitedMonitors.length,
+    monitors: limitedMonitors,
+  };
+
+  return flags.compact ? compactMonitorsPayload(payload) : payload;
+}
+
+export async function runMonitorsGet(flags, options = {}) {
+  const id = String(options.id ?? "");
+  let monitor = null;
+
+  if (options.workspaceId) {
+    const detailFlags = withPath(flags, { workspaceId: options.workspaceId, testId: id });
+    const { data } = await runWorkflowOperation("v1", "get-control-test-instance", detailFlags);
+    monitor = data;
+  } else {
+    const { data } = await listV1("list-monitors", flags);
+    monitor = dataItems(data).find((item) => String(item.id) === id);
+  }
+
+  if (!monitor) {
+    fail("monitor_not_found", `Monitor ${id} was not found.`, { id });
+  }
+
+  return flags.compact
+    ? { kind: "monitors.get", monitor: compactMonitorsPayload({ monitors: [monitor] }).monitors[0] }
+    : { kind: "monitors.get", monitor };
+}
+
 export async function runConnectionsList(flags, options = {}) {
   const { data } = await listV1("get-connections", flags);
   return buildConnectionsListPayload(data, flags, options.status);
@@ -493,6 +552,43 @@ export async function runPersonnelIssues(flags) {
   return buildPersonnelIssuesPayload(data, flags);
 }
 
+export async function runPersonnelGet(flags, options = {}) {
+  if (options.email && options.id) {
+    fail("conflicting_personnel_lookup", "Use either a personnel id or --email, not both.");
+  }
+
+  if (options.email) {
+    const detailFlags = withPath(flags, { email: options.email });
+    const { data } = await runWorkflowOperation("v1", "get-personnel-details-by-email", detailFlags);
+    return flags.compact ? { kind: "personnel.get", personnel: compactPersonnel(data) } : { kind: "personnel.get", personnel: data };
+  }
+
+  if (options.id) {
+    const detailFlags = withPath(flags, { id: options.id });
+    const { data } = await runWorkflowOperation("v1", "get-personnel-details", detailFlags);
+    return flags.compact ? { kind: "personnel.get", personnel: compactPersonnel(data) } : { kind: "personnel.get", personnel: data };
+  }
+
+  fail("missing_personnel_lookup", "Provide a personnel id or --email.");
+}
+
+export async function runEvidenceList(flags, options = {}) {
+  const workspaceId = options.workspaceId || (await getFirstWorkspaceId(flags));
+  const listFlags = withPath(withListDefaults(flags), { workspaceId });
+  const { data } = await runWorkflowOperation("v1", "list-evidence", listFlags);
+  const evidence = applyLimit(dataItems(data), flags);
+  const payload = {
+    kind: "evidence.list",
+    workspaceId,
+    total: payloadTotal(data, dataItems(data)),
+    matching: dataItems(data).length,
+    showing: evidence.length,
+    evidence,
+  };
+
+  return flags.compact ? compactEvidencePayload(payload) : payload;
+}
+
 export async function runEvidenceExpiring(flags, options = {}) {
   // Defaulting to the first workspace keeps the command ergonomic for single-workspace tenants.
   // Multi-workspace tenants should pass --workspace-id explicitly for deterministic scope.
@@ -533,12 +629,22 @@ function formatWorkflowText(payload) {
         .join("\n");
     case "controls.failing":
       return [`Failing Controls: matching=${payload.matching} showing=${payload.showing}`, ...payload.controls.map((c) => `${c.code ?? c.id} ${c.status} ${c.name}`)].join("\n");
+    case "controls.get":
+      return `${payload.control.code ?? payload.control.id} ${payload.control.status} ${payload.control.name}`;
     case "monitors.failing":
       return [`Failing Monitors: matching=${payload.matching} showing=${payload.showing}`, ...payload.monitors.map((m) => `${m.id} ${monitorStatus(m)} ${m.name}`)].join("\n");
+    case "monitors.for-control":
+      return [`Monitors for ${payload.code}: matching=${payload.matching} showing=${payload.showing}`, ...payload.monitors.map((m) => `${m.id} ${monitorStatus(m)} ${m.name}`)].join("\n");
+    case "monitors.get":
+      return `${payload.monitor.id} ${payload.monitor.status ?? monitorStatus(payload.monitor)} ${payload.monitor.name}`;
     case "connections.list":
       return [`Connections: matching=${payload.matching} showing=${payload.showing}`, ...payload.connections.map((c) => `${c.id} ${connectionState(c)} ${c.clientAlias || c.clientType || ""}`)].join("\n");
     case "personnel.issues":
       return [`Personnel with device issues: matching=${payload.matching} showing=${payload.showing}`, ...payload.personnel.map((p) => `${p.id} ${p.user?.email ?? p.email ?? ""} failing_devices=${p.devicesFailingComplianceCount ?? 0}`)].join("\n");
+    case "personnel.get":
+      return `${payload.personnel.id} ${payload.personnel.user?.email ?? payload.personnel.email ?? ""}`;
+    case "evidence.list":
+      return [`Evidence: workspace=${payload.workspaceId} total=${payload.total} showing=${payload.showing}`, ...payload.evidence.map((e) => `${e.id} ${e.updatedAt ?? "unknown"} ${e.name ?? ""}`)].join("\n");
     case "evidence.expiring":
       return [`Stale Evidence: workspace=${payload.workspaceId ?? "auto"} days=${payload.days} matching=${payload.matching} showing=${payload.showing}`, ...payload.evidence.map((e) => `${e.id} ${e.updatedAt ?? "unknown"} ${e.name ?? ""}`)].join("\n");
     default: