@sentriflow/cli 0.1.2 → 0.1.4

package/dist/index.js

@@ -10407,7 +10407,7 @@ function generateSarif(results, filePath, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.2",
+            version: "0.1.4",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10513,7 +10513,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.2",
+            version: "0.1.4",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10740,86 +10740,9 @@ var InterfaceDescriptionRequired = {
     };
   }
 };
-var NoPlaintextPasswords = {
-  id: "NET-SEC-001",
-  selector: "password",
-  vendor: "common",
-  metadata: {
-    level: "error",
-    obu: "Security",
-    owner: "SecOps",
-    remediation: 'Use "secret" instead of "password", or ensure password is encrypted (type 7 or higher).'
-  },
-  check: (node) => {
-    const params = node.params;
-    const nodeId = node.id;
-    if (includesIgnoreCase(nodeId, "encryption") || includesIgnoreCase(nodeId, "service")) {
-      return {
-        passed: true,
-        message: "Global password configuration command.",
-        ruleId: "NET-SEC-001",
-        nodeId: node.id,
-        level: "info",
-        loc: node.loc
-      };
-    }
-    if (params.length >= 2) {
-      const typeOrValue = params[1];
-      if (!typeOrValue) {
-        return {
-          passed: false,
-          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "error",
-          loc: node.loc
-        };
-      }
-      if (typeOrValue === "7" || typeOrValue === "5" || typeOrValue === "8" || typeOrValue === "9") {
-        return {
-          passed: true,
-          message: "Password is encrypted.",
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "info",
-          loc: node.loc
-        };
-      }
-      if (typeOrValue === "0") {
-        return {
-          passed: false,
-          message: "Plaintext password detected (type 0).",
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "error",
-          loc: node.loc
-        };
-      }
-      if (!/^\d+$/.test(typeOrValue)) {
-        return {
-          passed: false,
-          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "error",
-          loc: node.loc
-        };
-      }
-    }
-    return {
-      passed: true,
-      message: "Password check passed.",
-      ruleId: "NET-SEC-001",
-      nodeId: node.id,
-      level: "info",
-      loc: node.loc
-    };
-  }
-};
 var allCommonRules = [
   NoMulticastBroadcastIp,
-  InterfaceDescriptionRequired,
-  NoPlaintextPasswords
+  InterfaceDescriptionRequired
 ];
 
 // ../rules-default/src/cisco/ios-rules.ts
@@ -10921,12 +10844,89 @@ var EnableSecretStrong = {
     return { passed: true, message: "Enable secret check passed.", ruleId: "NET-AAA-003", nodeId: node.id, level: "info", loc: node.loc };
   }
 };
+var CiscoNoPlaintextPasswords = {
+  id: "NET-SEC-001",
+  selector: "password",
+  vendor: ["cisco-ios", "cisco-nxos"],
+  metadata: {
+    level: "error",
+    obu: "Security",
+    owner: "SecOps",
+    remediation: 'Use "secret" instead of "password", or ensure password is encrypted (type 7 or higher).'
+  },
+  check: (node) => {
+    const params = node.params;
+    const nodeId = node.id;
+    if (includesIgnoreCase(nodeId, "encryption") || includesIgnoreCase(nodeId, "service")) {
+      return {
+        passed: true,
+        message: "Global password configuration command.",
+        ruleId: "NET-SEC-001",
+        nodeId: node.id,
+        level: "info",
+        loc: node.loc
+      };
+    }
+    if (params.length >= 2) {
+      const typeOrValue = params[1];
+      if (!typeOrValue) {
+        return {
+          passed: false,
+          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "error",
+          loc: node.loc
+        };
+      }
+      if (typeOrValue === "7" || typeOrValue === "5" || typeOrValue === "8" || typeOrValue === "9") {
+        return {
+          passed: true,
+          message: "Password is encrypted.",
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "info",
+          loc: node.loc
+        };
+      }
+      if (typeOrValue === "0") {
+        return {
+          passed: false,
+          message: "Plaintext password detected (type 0).",
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "error",
+          loc: node.loc
+        };
+      }
+      if (!/^\d+$/.test(typeOrValue)) {
+        return {
+          passed: false,
+          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "error",
+          loc: node.loc
+        };
+      }
+    }
+    return {
+      passed: true,
+      message: "Password check passed.",
+      ruleId: "NET-SEC-001",
+      nodeId: node.id,
+      level: "info",
+      loc: node.loc
+    };
+  }
+};
 var allCiscoRules = [
   // Layer 2 Trunk
   TrunkNoDTP,
   // Layer 2 Access
   AccessExplicitMode,
-  // Service Hardening
+  // Security
+  CiscoNoPlaintextPasswords,
   EnableSecretStrong
 ];
 
@@ -11759,6 +11759,40 @@ var VyosHostnameRequired = {
     };
   }
 };
+var VyosNoPlaintextPassword = {
+  id: "VYOS-SEC-001",
+  selector: "authentication",
+  vendor: "vyos",
+  metadata: {
+    level: "error",
+    obu: "Security",
+    owner: "SecOps",
+    remediation: 'Use "encrypted-password" with a pre-hashed password, or let VyOS hash it during configuration.'
+  },
+  check: (node) => {
+    const hasPlaintext = node.children.some(
+      (child) => startsWithIgnoreCase(child.id, "plaintext-password")
+    );
+    if (hasPlaintext) {
+      return {
+        passed: false,
+        message: "Plaintext password found in configuration. VyOS should store hashed passwords only.",
+        ruleId: "VYOS-SEC-001",
+        nodeId: node.id,
+        level: "error",
+        loc: node.loc
+      };
+    }
+    return {
+      passed: true,
+      message: "No plaintext passwords in configuration.",
+      ruleId: "VYOS-SEC-001",
+      nodeId: node.id,
+      level: "info",
+      loc: node.loc
+    };
+  }
+};
 var VyosInterfaceDescription = {
   id: "VYOS-IF-001",
   selector: "interfaces",
@@ -11855,6 +11889,8 @@ var VyosFirewallDefaultAction = {
 var allVyosRules = [
   // System
   VyosHostnameRequired,
+  // Security
+  VyosNoPlaintextPassword,
   // Firewall
   VyosFirewallDefaultAction,
   // Interfaces
@@ -13093,55 +13129,6 @@ var common_json_rules_default = {
         ]
       },
       failureMessage: "Interface {nodeId} is missing documentation (description)"
-    },
-    {
-      id: "JSON-COMMON-002",
-      selector: "interface",
-      vendor: "common",
-      metadata: {
-        level: "warning",
-        obu: "Network Engineering",
-        owner: "NetOps",
-        description: "Shutdown interfaces should have a description explaining why",
-        remediation: "Add a description to shutdown interfaces documenting the reason"
-      },
-      check: {
-        type: "and",
-        conditions: [
-          {
-            type: "helper",
-            helper: "isInterfaceDefinition",
-            args: [{ $ref: "node" }]
-          },
-          {
-            type: "helper",
-            helper: "isShutdown",
-            args: [{ $ref: "node" }]
-          },
-          {
-            type: "child_not_exists",
-            selector: "description"
-          }
-        ]
-      },
-      failureMessage: "Shutdown interface {nodeId} should have a description explaining why it's disabled"
-    },
-    {
-      id: "JSON-COMMON-003",
-      selector: "ntp",
-      vendor: "common",
-      metadata: {
-        level: "warning",
-        obu: "Operations",
-        owner: "SysOps",
-        description: "NTP should be configured for time synchronization",
-        remediation: "Configure NTP servers for accurate time synchronization"
-      },
-      check: {
-        type: "child_not_exists",
-        selector: "server"
-      },
-      failureMessage: "NTP configuration is missing server entries"
     }
   ]
 };
@@ -13307,6 +13294,16 @@ var allJsonRules = [
   ...commonJsonRules,
   ...juniperJsonRules
 ];
+function getJsonRulesByVendor(vendorId) {
+  return allJsonRules.filter((rule) => {
+    if (!rule.vendor) return true;
+    if (rule.vendor === "common") return true;
+    if (Array.isArray(rule.vendor)) {
+      return rule.vendor.includes(vendorId) || rule.vendor.includes("common");
+    }
+    return rule.vendor === vendorId;
+  });
+}
 
 // ../rules-default/src/index.ts
 var allRules = [
@@ -13341,25 +13338,25 @@ var allRules = [
 ];
 var vendorRulesRegistry = {
   // Cisco platforms share the same rules
-  "cisco-ios": () => [...allCommonRules, ...allCiscoRules],
-  "cisco-nxos": () => [...allCommonRules, ...allCiscoRules],
+  "cisco-ios": () => [...allCommonRules, ...allCiscoRules, ...getJsonRulesByVendor("cisco-ios")],
+  "cisco-nxos": () => [...allCommonRules, ...allCiscoRules, ...getJsonRulesByVendor("cisco-nxos")],
   // Juniper
-  "juniper-junos": () => [...allCommonRules, ...allJuniperRules],
+  "juniper-junos": () => [...allCommonRules, ...allJuniperRules, ...getJsonRulesByVendor("juniper-junos")],
   // Aruba platforms have variant-specific rules
-  "aruba-aoscx": () => getRulesByArubaVendor("aruba-aoscx"),
-  "aruba-aosswitch": () => getRulesByArubaVendor("aruba-aosswitch"),
-  "aruba-wlc": () => getRulesByArubaVendor("aruba-wlc"),
+  "aruba-aoscx": () => [...getRulesByArubaVendor("aruba-aoscx"), ...getJsonRulesByVendor("aruba-aoscx")],
+  "aruba-aosswitch": () => [...getRulesByArubaVendor("aruba-aosswitch"), ...getJsonRulesByVendor("aruba-aosswitch")],
+  "aruba-wlc": () => [...getRulesByArubaVendor("aruba-wlc"), ...getJsonRulesByVendor("aruba-wlc")],
   // Other vendors
-  "paloalto-panos": () => getRulesByPaloAltoVendor(),
-  "arista-eos": () => getRulesByAristaVendor(),
-  "vyos": () => getRulesByVyosVendor(),
-  "fortinet-fortigate": () => getRulesByFortinetVendor(),
-  "extreme-exos": () => getRulesByExtremeVendor("extreme-exos"),
-  "extreme-voss": () => getRulesByExtremeVendor("extreme-voss"),
-  "huawei-vrp": () => getRulesByHuaweiVendor(),
-  "mikrotik-routeros": () => getRulesByMikroTikVendor(),
-  "nokia-sros": () => getRulesByNokiaVendor(),
-  "cumulus-linux": () => getRulesByCumulusVendor()
+  "paloalto-panos": () => [...getRulesByPaloAltoVendor(), ...getJsonRulesByVendor("paloalto-panos")],
+  "arista-eos": () => [...getRulesByAristaVendor(), ...getJsonRulesByVendor("arista-eos")],
+  "vyos": () => [...getRulesByVyosVendor(), ...getJsonRulesByVendor("vyos")],
+  "fortinet-fortigate": () => [...getRulesByFortinetVendor(), ...getJsonRulesByVendor("fortinet-fortigate")],
+  "extreme-exos": () => [...getRulesByExtremeVendor("extreme-exos"), ...getJsonRulesByVendor("extreme-exos")],
+  "extreme-voss": () => [...getRulesByExtremeVendor("extreme-voss"), ...getJsonRulesByVendor("extreme-voss")],
+  "huawei-vrp": () => [...getRulesByHuaweiVendor(), ...getJsonRulesByVendor("huawei-vrp")],
+  "mikrotik-routeros": () => [...getRulesByMikroTikVendor(), ...getJsonRulesByVendor("mikrotik-routeros")],
+  "nokia-sros": () => [...getRulesByNokiaVendor(), ...getJsonRulesByVendor("nokia-sros")],
+  "cumulus-linux": () => [...getRulesByCumulusVendor(), ...getJsonRulesByVendor("cumulus-linux")]
 };
 function getRulesByVendor(vendorId) {
   const getRules = vendorRulesRegistry[vendorId];
@@ -14194,7 +14191,7 @@ function validateDirectoryPath(dirPath, allowedBaseDirs) {
 
 // index.ts
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.2").argument("[file]", "Path to the configuration file").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.4").argument("[file]", "Path to the configuration file").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
   "--encrypted-pack <path...>",
   "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
 ).option(
@@ -14601,4 +14598,19 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     process.exit(2);
   }
 });
-program.parse();
+async function loadLicensingExtension() {
+  try {
+    const licensingModulePath = "@sentriflow/licensing/cli";
+    const licensing = await import(
+      /* @vite-ignore */
+      licensingModulePath
+    );
+    if (licensing.registerCommands) {
+      licensing.registerCommands(program);
+    }
+  } catch {
+  }
+}
+loadLicensingExtension().finally(() => {
+  program.parse();
+});

package/package.json

@@ -1,54 +1,54 @@
-{
-  "name": "@sentriflow/cli",
-  "version": "0.1.2",
-  "description": "SentriFlow CLI - Network configuration linter and validator",
-  "license": "Apache-2.0",
-  "main": "dist/index.js",
-  "module": "dist/index.js",
-  "type": "module",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/sentriflow/sentriflow.git",
-    "directory": "packages/cli"
-  },
-  "homepage": "https://github.com/sentriflow/sentriflow#readme",
-  "bugs": {
-    "url": "https://github.com/sentriflow/sentriflow/issues"
-  },
-  "keywords": [
-    "cli",
-    "network",
-    "configuration",
-    "linter",
-    "security",
-    "compliance",
-    "sarif"
-  ],
-  "files": [
-    "dist",
-    "LICENSE",
-    "README.md"
-  ],
-  "publishConfig": {
-    "access": "public"
-  },
-  "scripts": {
-    "build": "node build.mjs",
-    "prepublishOnly": "bun run build"
-  },
-  "dependencies": {
-    "commander": "^14.0.2"
-  },
-  "devDependencies": {
-    "@sentriflow/core": "workspace:*",
-    "@sentriflow/rules-default": "workspace:*",
-    "bun-types": "latest",
-    "esbuild": "^0.27.0"
-  },
-  "bin": {
-    "sentriflow": "dist/index.js"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  }
-}
+{
+  "name": "@sentriflow/cli",
+  "version": "0.1.4",
+  "description": "SentriFlow CLI - Network configuration linter and validator",
+  "license": "Apache-2.0",
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sentriflow/sentriflow.git",
+    "directory": "packages/cli"
+  },
+  "homepage": "https://github.com/sentriflow/sentriflow#readme",
+  "bugs": {
+    "url": "https://github.com/sentriflow/sentriflow/issues"
+  },
+  "keywords": [
+    "cli",
+    "network",
+    "configuration",
+    "linter",
+    "security",
+    "compliance",
+    "sarif"
+  ],
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "bun build.mjs",
+    "prepublishOnly": "bun run build"
+  },
+  "dependencies": {
+    "commander": "^14.0.2"
+  },
+  "devDependencies": {
+    "@sentriflow/core": "workspace:*",
+    "@sentriflow/rules-default": "workspace:*",
+    "bun-types": "latest",
+    "esbuild": "^0.27.0"
+  },
+  "bin": {
+    "sentriflow": "dist/index.js"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}