feat: SDElements integration — projects, tasks, threats, users

README.md

@@ -1,8 +1,10 @@
 # pncli — The Paperwork Nightmare CLI
 
+[![npm](https://img.shields.io/npm/v/%40kolatts%2Fpncli?style=flat-square&color=cb3837&logo=npm)](https://www.npmjs.com/package/@kolatts/pncli)
+
 > One command does what three meetings couldn't.
 
-pncli gives AI coding agents (and humans) structured CLI access to Jira, Bitbucket, Confluence, and SonarQube. No MCP servers required. No meetings to schedule. No forms to fill out.
+pncli gives AI coding agents (and humans) structured CLI access to Jira, Bitbucket, Confluence, SonarQube, and SDElements. No MCP servers required. No meetings to schedule. No forms to fill out.
 
 ## Why?
 
@@ -47,6 +49,8 @@ pncli uses a three-layer config system (highest priority wins):
 | `PNCLI_BITBUCKET_PAT` | Bitbucket personal access token |
 | `PNCLI_SONAR_BASE_URL` | SonarQube Server base URL |
 | `PNCLI_SONAR_TOKEN` | SonarQube personal access token |
+| `PNCLI_SDE_BASE_URL` | SDElements base URL |
+| `PNCLI_SDE_TOKEN` | SDElements API token |
 | `PNCLI_CONFIG_PATH` | Override global config file path |
 
 ## For AI Agents
@@ -82,6 +86,7 @@ This project uses Conventional Commits for automatic versioning:
 | Bitbucket | ✅ Active | Server REST v1.0 |
 | Confluence | ✅ Active | Server REST v1 |
 | SonarQube | ✅ Active | Server Web API |
+| SDElements | ✅ Active | REST API v2 (cloud + on-prem) |
 | Artifactory | 🔜 Coming | The nightmare never ends |
 
 ## License

copilot-instructions.md

@@ -4,7 +4,7 @@
 
 ## What is pncli?
 
-pncli is a CLI tool that provides structured JSON access to Jira, Bitbucket, Confluence, SonarQube, and local git state. Use it for all interactions with these services. It exists because MCP servers aren't available in this environment — pncli is your agent-friendly shim layer.
+pncli is a CLI tool that provides structured JSON access to Jira, Bitbucket, Confluence, SonarQube, SDElements, and local git state. Use it for all interactions with these services. It exists because MCP servers aren't available in this environment — pncli is your agent-friendly shim layer.
 
 ## Important
 
@@ -368,6 +368,84 @@ pncli sonar hotspots
   --all                Fetch all pages
 ```
 
+### Sde
+
+```
+pncli sde server-info
+
+pncli sde whoami
+
+pncli sde users
+  --email <email>      Filter by email address
+  --first-name <name>  Filter by first name
+  --last-name <name>   Filter by last name
+  --active <bool>      Filter by active status: true or false
+  --page <n>           Page number (1-based) (default: "1")
+  --page-size <n>      Results per page (default: "100")
+  --all                Fetch all pages
+
+pncli sde projects
+  --name <name>       Filter by project name
+  --search <text>     Text search on name and profile
+  --active <val>      Filter by active status: true, false, or all
+  --ordering <field>  Sort by: name, created, updated (prefix with - for
+  descending)
+  --expand <fields>   Expand nested fields (comma-separated):
+  application,business_unit,creator
+  --include <fields>  Include extra fields (comma-separated):
+  task_counts,permissions
+  --page <n>          Page number (1-based) (default: "1")
+  --page-size <n>     Results per page (default: "100")
+  --all               Fetch all pages
+
+pncli sde project
+  --id <id>           Project ID (or set defaults.sde.project in config)
+  --expand <fields>   Expand nested fields (comma-separated):
+  application,business_unit,creator
+  --include <fields>  Include extra fields (comma-separated):
+  task_counts,permissions
+
+pncli sde tasks
+  --project <id>         Project ID (or set defaults.sde.project in config)
+  --phase <slug>         Filter by phase slug (e.g. development,
+  architecture-design)
+  --priority <n>         Filter by priority (1-10)
+  --status <id>          Filter by status ID (e.g. TS1, TS2)
+  --assigned-to <email>  Filter by assignee email
+  --source <val>         Filter by source: default, custom, manual, project
+  --verification <val>   Filter by verification: pass, fail, partial, none
+  --tag <name>           Filter by tag name
+  --accepted <bool>      Filter by accepted status: true or false
+  --relevant <bool>      Filter by relevant status: true or false
+  --expand <fields>      Expand nested fields (comma-separated):
+  status,phase,problem,text
+  --include <fields>     Include extra fields (comma-separated):
+  how_tos,last_note,references,regulation_sections
+  --page <n>             Page number (1-based) (default: "1")
+  --page-size <n>        Results per page (default: "100")
+  --all                  Fetch all pages
+
+pncli sde task
+  --project <id>      Project ID (or set defaults.sde.project in config)
+  --task <id>         Task ID (e.g. T21)
+  --expand <fields>   Expand nested fields (comma-separated):
+  status,phase,problem,text
+  --include <fields>  Include extra fields (comma-separated):
+  how_tos,last_note,references
+
+pncli sde threats
+  --project <id>       Project ID (or set defaults.sde.project in config)
+  --severity <n>       Filter by severity (1-10)
+  --search <text>      Full-text search on title and threat ID
+  --ordering <field>   Sort by: threat__severity, threat_id, status (prefix -
+  for descending)
+  --capec-id <id>      Filter by CAPEC attack pattern ID
+  --component-id <id>  Filter by component ID
+  --page <n>           Page number (1-based) (default: "1")
+  --page-size <n>      Results per page (default: "100")
+  --all                Fetch all pages
+```
+
 ### Deps
 
 ```

src/cli.ts

@@ -15,6 +15,7 @@ import { registerJiraCommands } from './services/jira/commands.js';
 import { registerBitbucketCommands } from './services/bitbucket/commands.js';
 import { registerConfluenceCommands } from './services/confluence/commands.js';
 import { registerSonarCommands } from './services/sonar/commands.js';
+import { registerSdeCommands } from './services/sde/commands.js';
 import { registerDepsCommands } from './services/deps/commands.js';
 import { registerConfigCommands } from './services/config/commands.js';
 
@@ -55,6 +56,7 @@ registerJiraCommands(program);
 registerBitbucketCommands(program);
 registerConfluenceCommands(program);
 registerSonarCommands(program);
+registerSdeCommands(program);
 registerDepsCommands(program);
 registerConfigCommands(program);
 
@@ -66,6 +68,7 @@ Services:
   bitbucket    Bitbucket Server
   confluence   Confluence
   sonar        SonarQube Server (quality gates, issues, metrics, hotspots)
+  sde          SDElements (threat modeling, countermeasures, compliance)
   config       Manage pncli configuration
 `);
 

src/lib/config.ts

@@ -2,7 +2,7 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import { execSync } from 'child_process';
-import type { GlobalConfig, RepoConfig, ResolvedConfig, JiraDefaults, BitbucketDefaults, SonarDefaults } from '../types/config.js';
+import type { GlobalConfig, RepoConfig, ResolvedConfig, JiraDefaults, BitbucketDefaults, SonarDefaults, SdeDefaults } from '../types/config.js';
 import type { CustomFieldDefinition } from '../types/jira.js';
 
 const ENV_KEYS = {
@@ -21,6 +21,8 @@ const ENV_KEYS = {
   ARTIFACTORY_REPO_MAVEN: 'PNCLI_ARTIFACTORY_REPO_MAVEN',
   SONAR_BASE_URL: 'PNCLI_SONAR_BASE_URL',
   SONAR_TOKEN: 'PNCLI_SONAR_TOKEN',
+  SDE_BASE_URL: 'PNCLI_SDE_BASE_URL',
+  SDE_TOKEN: 'PNCLI_SDE_TOKEN',
   CONFIG_PATH: 'PNCLI_CONFIG_PATH'
 } as const;
 
@@ -61,11 +63,12 @@ function mergeCustomFields(
 function mergeDefaults(
   global: GlobalConfig['defaults'],
   repo: RepoConfig['defaults']
-): { jira: JiraDefaults; bitbucket: BitbucketDefaults; sonar: SonarDefaults } {
+): { jira: JiraDefaults; bitbucket: BitbucketDefaults; sonar: SonarDefaults; sde: SdeDefaults } {
   return {
     jira: { ...global?.jira, ...repo?.jira },
     bitbucket: { ...global?.bitbucket, ...repo?.bitbucket },
-    sonar: { ...global?.sonar, ...repo?.sonar }
+    sonar: { ...global?.sonar, ...repo?.sonar },
+    sde: { ...global?.sde, ...repo?.sde }
   };
 }
 
@@ -115,6 +118,10 @@ export function loadConfig(opts: LoadConfigOptions = {}): ResolvedConfig {
       baseUrl: process.env[ENV_KEYS.SONAR_BASE_URL] ?? globalConfig.sonar?.baseUrl,
       token: process.env[ENV_KEYS.SONAR_TOKEN] ?? globalConfig.sonar?.token
     },
+    sde: {
+      baseUrl: process.env[ENV_KEYS.SDE_BASE_URL] ?? globalConfig.sde?.baseUrl,
+      token: process.env[ENV_KEYS.SDE_TOKEN] ?? globalConfig.sde?.token
+    },
     defaults: mergedDefaults
   };
 }
@@ -176,6 +183,10 @@ export function maskConfig(config: ResolvedConfig): unknown {
     sonar: {
       ...config.sonar,
       token: config.sonar.token ? '***' : undefined
+    },
+    sde: {
+      ...config.sde,
+      token: config.sde.token ? '***' : undefined
     }
   };
 }

src/lib/http.ts

@@ -239,6 +239,61 @@ export class HttpClient {
     return request<T>(url, init, opts.timeoutMs ?? 30000);
   }
 
+  private sdeHeaders(): Record<string, string> {
+    const { token } = this.config.sde;
+    if (!token) throw new PncliError('SDElements credentials not configured. Run: pncli config init');
+    return {
+      'Authorization': `Token ${token}`,
+      'Content-Type': 'application/json',
+      'Accept': 'application/json',
+      'Connection': 'close'
+    };
+  }
+
+  async sde<T>(
+    path: string,
+    opts: HttpRequestOptions = {}
+  ): Promise<T> {
+    const baseUrl = this.config.sde.baseUrl;
+    if (!baseUrl) throw new PncliError('SDElements baseUrl not configured. Run: pncli config init');
+
+    const url = buildUrl(baseUrl, path, opts.params);
+    const headers = this.sdeHeaders();
+    const init: RequestInit = {
+      method: opts.method ?? 'GET',
+      headers,
+      body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined
+    };
+
+    if (this.dryRun) {
+      const safeHeaders = { ...headers, Authorization: '[REDACTED]' };
+      const msg = `DRY RUN: ${init.method} ${url}\nHeaders: ${JSON.stringify(safeHeaders, null, 2)}\n`
+        + (opts.body ? `Body: ${JSON.stringify(opts.body, null, 2)}\n` : '');
+      fs.writeSync(process.stderr.fd, msg);
+      process.exitCode = ExitCode.SUCCESS;
+      throw new PncliError('dry-run', 0);
+    }
+
+    return request<T>(url, init, opts.timeoutMs ?? 30000);
+  }
+
+  async sdePaginate<T>(
+    fetchPage: (page: number, pageSize: number) => Promise<{ count: number; results: T[] }>
+  ): Promise<T[]> {
+    const results: T[] = [];
+    let page = 1;
+    const pageSize = 100;
+
+    while (true) {
+      const response = await fetchPage(page, pageSize);
+      results.push(...response.results);
+      if (results.length >= response.count || response.results.length === 0) break;
+      page++;
+    }
+
+    return results;
+  }
+
   private sonarHeaders(): Record<string, string> {
     const { token } = this.config.sonar;
     if (!token) throw new PncliError('SonarQube credentials not configured. Run: pncli config init');

src/services/config/commands.ts

@@ -125,6 +125,17 @@ export function registerConfigCommands(program: Command): void {
           results.sonar = { ok: null, message: 'not configured' };
         }
 
+        if (cfg.sde.baseUrl) {
+          try {
+            await http.sde<unknown>('/api/v2/users/me/');
+            results.sde = { ok: true, message: 'connected' };
+          } catch (err) {
+            results.sde = { ok: false, message: err instanceof Error ? err.message : String(err) };
+          }
+        } else {
+          results.sde = { ok: null, message: 'not configured' };
+        }
+
         success(results, 'config', 'test', start);
       } catch (err) {
         fail(err, 'config', 'test', start);
@@ -236,6 +247,26 @@ async function initGlobalConfig(start: number): Promise<void> {
     });
   }
 
+  process.stderr.write('\n── SDElements ────────────────────────────────────\n');
+  const useSde = await confirm({
+    message: 'Configure SDElements for threat modeling and countermeasure queries?',
+    default: false
+  });
+
+  let sdeBaseUrl = '';
+  let sdeToken = '';
+
+  if (useSde) {
+    sdeBaseUrl = await input({
+      message: 'SDElements base URL\n  Cloud-hosted: https://your-org.sdelements.com\n  On-premise:   https://sde.your-company.com\n  URL: ',
+      default: ''
+    });
+
+    sdeToken = await password({
+      message: 'SDElements API token:'
+    });
+  }
+
   process.stderr.write('\n── Defaults ──────────────────────────────────────\n');
   const jiraProject = await input({
     message: 'Default Jira project key (optional):',
@@ -247,6 +278,11 @@ async function initGlobalConfig(start: number): Promise<void> {
     default: ''
   }) : '';
 
+  const sdeProject = useSde ? await input({
+    message: 'Default SDElements project ID (optional, numeric):',
+    default: ''
+  }) : '';
+
   process.stderr.write('\n');
   const confirmed = await confirm({
     message: 'Write config to ~/.pncli/config.json?',
@@ -293,6 +329,12 @@ async function initGlobalConfig(start: number): Promise<void> {
         token: sonarToken || undefined
       }
     } : {}),
+    ...(useSde ? {
+      sde: {
+        baseUrl: sdeBaseUrl || undefined,
+        token: sdeToken || undefined
+      }
+    } : {}),
     defaults: {
       jira: {
         project: jiraProject || undefined
@@ -301,6 +343,11 @@ async function initGlobalConfig(start: number): Promise<void> {
         sonar: {
           project: sonarProject || undefined
         }
+      } : {}),
+      ...(useSde && sdeProject ? {
+        sde: {
+          project: sdeProject || undefined
+        }
       } : {})
     }
   });