@sentriflow/cli 0.1.2 → 0.1.5

package/README.md

@@ -1,6 +1,6 @@
 # @sentriflow/cli
 
-Command-line interface for SentriFlow - lint and validate network configurations.
+Command-line interface for SentriFlow - check network configurations for compliance against best practices or organization-specific policies.
 
 ## Installation
 
@@ -17,10 +17,10 @@ bun add -g @sentriflow/cli
 ## Quick Start
 
 ```bash
-# Validate a single configuration file
+# Check a single configuration file
 sentriflow router.conf
 
-# Validate with specific vendor
+# Check with specific vendor
 sentriflow -v cisco-ios router.conf
 
 # Scan a directory of configs
@@ -44,7 +44,7 @@ sentriflow --list-rules
 ```
 Usage: sentriflow [options] [file]
 
-SentriFlow Network Configuration Validator
+SentriFlow Network Configuration Compliance Checker
 
 Arguments:
   file                          Path to the configuration file
@@ -164,7 +164,7 @@ sentriflow router.conf -f sarif > results.sarif
 ### GitHub Actions
 
 ```yaml
-- name: Lint network configs
+- name: Check network config compliance
   run: |
     npx @sentriflow/cli -D configs/ -R -f sarif > results.sarif
 
@@ -190,8 +190,8 @@ SentriFlow automatically looks for `.sentriflowrc` or `.sentriflowrc.json` in th
 
 ## Related Packages
 
-- [`@sentriflow/core`](https://github.com/sentriflow/sentriflow/tree/main/packages/core) - Core parsing engine
-- [`@sentriflow/rules-default`](https://github.com/sentriflow/sentriflow/tree/main/packages/rules-default) - Default validation rules
+- [`@sentriflow/core`](https://github.com/sentriflow/sentriflow/tree/main/packages/core) - Core parsing and compliance engine
+- [`@sentriflow/rules-default`](https://github.com/sentriflow/sentriflow/tree/main/packages/rules-default) - Default compliance rules
 
 ## License
 

package/dist/index.js

@@ -10407,7 +10407,7 @@ function generateSarif(results, filePath, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.2",
+            version: "0.1.5",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10513,7 +10513,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.2",
+            version: "0.1.5",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10740,86 +10740,9 @@ var InterfaceDescriptionRequired = {
     };
   }
 };
-var NoPlaintextPasswords = {
-  id: "NET-SEC-001",
-  selector: "password",
-  vendor: "common",
-  metadata: {
-    level: "error",
-    obu: "Security",
-    owner: "SecOps",
-    remediation: 'Use "secret" instead of "password", or ensure password is encrypted (type 7 or higher).'
-  },
-  check: (node) => {
-    const params = node.params;
-    const nodeId = node.id;
-    if (includesIgnoreCase(nodeId, "encryption") || includesIgnoreCase(nodeId, "service")) {
-      return {
-        passed: true,
-        message: "Global password configuration command.",
-        ruleId: "NET-SEC-001",
-        nodeId: node.id,
-        level: "info",
-        loc: node.loc
-      };
-    }
-    if (params.length >= 2) {
-      const typeOrValue = params[1];
-      if (!typeOrValue) {
-        return {
-          passed: false,
-          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "error",
-          loc: node.loc
-        };
-      }
-      if (typeOrValue === "7" || typeOrValue === "5" || typeOrValue === "8" || typeOrValue === "9") {
-        return {
-          passed: true,
-          message: "Password is encrypted.",
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "info",
-          loc: node.loc
-        };
-      }
-      if (typeOrValue === "0") {
-        return {
-          passed: false,
-          message: "Plaintext password detected (type 0).",
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "error",
-          loc: node.loc
-        };
-      }
-      if (!/^\d+$/.test(typeOrValue)) {
-        return {
-          passed: false,
-          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "error",
-          loc: node.loc
-        };
-      }
-    }
-    return {
-      passed: true,
-      message: "Password check passed.",
-      ruleId: "NET-SEC-001",
-      nodeId: node.id,
-      level: "info",
-      loc: node.loc
-    };
-  }
-};
 var allCommonRules = [
   NoMulticastBroadcastIp,
-  InterfaceDescriptionRequired,
-  NoPlaintextPasswords
+  InterfaceDescriptionRequired
 ];
 
 // ../rules-default/src/cisco/ios-rules.ts
@@ -10921,12 +10844,89 @@ var EnableSecretStrong = {
     return { passed: true, message: "Enable secret check passed.", ruleId: "NET-AAA-003", nodeId: node.id, level: "info", loc: node.loc };
   }
 };
+var CiscoNoPlaintextPasswords = {
+  id: "NET-SEC-001",
+  selector: "password",
+  vendor: ["cisco-ios", "cisco-nxos"],
+  metadata: {
+    level: "error",
+    obu: "Security",
+    owner: "SecOps",
+    remediation: 'Use "secret" instead of "password", or ensure password is encrypted (type 7 or higher).'
+  },
+  check: (node) => {
+    const params = node.params;
+    const nodeId = node.id;
+    if (includesIgnoreCase(nodeId, "encryption") || includesIgnoreCase(nodeId, "service")) {
+      return {
+        passed: true,
+        message: "Global password configuration command.",
+        ruleId: "NET-SEC-001",
+        nodeId: node.id,
+        level: "info",
+        loc: node.loc
+      };
+    }
+    if (params.length >= 2) {
+      const typeOrValue = params[1];
+      if (!typeOrValue) {
+        return {
+          passed: false,
+          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "error",
+          loc: node.loc
+        };
+      }
+      if (typeOrValue === "7" || typeOrValue === "5" || typeOrValue === "8" || typeOrValue === "9") {
+        return {
+          passed: true,
+          message: "Password is encrypted.",
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "info",
+          loc: node.loc
+        };
+      }
+      if (typeOrValue === "0") {
+        return {
+          passed: false,
+          message: "Plaintext password detected (type 0).",
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "error",
+          loc: node.loc
+        };
+      }
+      if (!/^\d+$/.test(typeOrValue)) {
+        return {
+          passed: false,
+          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
+          ruleId: "NET-SEC-001",
+          nodeId: node.id,
+          level: "error",
+          loc: node.loc
+        };
+      }
+    }
+    return {
+      passed: true,
+      message: "Password check passed.",
+      ruleId: "NET-SEC-001",
+      nodeId: node.id,
+      level: "info",
+      loc: node.loc
+    };
+  }
+};
 var allCiscoRules = [
   // Layer 2 Trunk
   TrunkNoDTP,
   // Layer 2 Access
   AccessExplicitMode,
-  // Service Hardening
+  // Security
+  CiscoNoPlaintextPasswords,
   EnableSecretStrong
 ];
 
@@ -11759,6 +11759,40 @@ var VyosHostnameRequired = {
     };
   }
 };
+var VyosNoPlaintextPassword = {
+  id: "VYOS-SEC-001",
+  selector: "authentication",
+  vendor: "vyos",
+  metadata: {
+    level: "error",
+    obu: "Security",
+    owner: "SecOps",
+    remediation: 'Use "encrypted-password" with a pre-hashed password, or let VyOS hash it during configuration.'
+  },
+  check: (node) => {
+    const hasPlaintext = node.children.some(
+      (child) => startsWithIgnoreCase(child.id, "plaintext-password")
+    );
+    if (hasPlaintext) {
+      return {
+        passed: false,
+        message: "Plaintext password found in configuration. VyOS should store hashed passwords only.",
+        ruleId: "VYOS-SEC-001",
+        nodeId: node.id,
+        level: "error",
+        loc: node.loc
+      };
+    }
+    return {
+      passed: true,
+      message: "No plaintext passwords in configuration.",
+      ruleId: "VYOS-SEC-001",
+      nodeId: node.id,
+      level: "info",
+      loc: node.loc
+    };
+  }
+};
 var VyosInterfaceDescription = {
   id: "VYOS-IF-001",
   selector: "interfaces",
@@ -11855,6 +11889,8 @@ var VyosFirewallDefaultAction = {
 var allVyosRules = [
   // System
   VyosHostnameRequired,
+  // Security
+  VyosNoPlaintextPassword,
   // Firewall
   VyosFirewallDefaultAction,
   // Interfaces
@@ -13093,55 +13129,6 @@ var common_json_rules_default = {
         ]
       },
       failureMessage: "Interface {nodeId} is missing documentation (description)"
-    },
-    {
-      id: "JSON-COMMON-002",
-      selector: "interface",
-      vendor: "common",
-      metadata: {
-        level: "warning",
-        obu: "Network Engineering",
-        owner: "NetOps",
-        description: "Shutdown interfaces should have a description explaining why",
-        remediation: "Add a description to shutdown interfaces documenting the reason"
-      },
-      check: {
-        type: "and",
-        conditions: [
-          {
-            type: "helper",
-            helper: "isInterfaceDefinition",
-            args: [{ $ref: "node" }]
-          },
-          {
-            type: "helper",
-            helper: "isShutdown",
-            args: [{ $ref: "node" }]
-          },
-          {
-            type: "child_not_exists",
-            selector: "description"
-          }
-        ]
-      },
-      failureMessage: "Shutdown interface {nodeId} should have a description explaining why it's disabled"
-    },
-    {
-      id: "JSON-COMMON-003",
-      selector: "ntp",
-      vendor: "common",
-      metadata: {
-        level: "warning",
-        obu: "Operations",
-        owner: "SysOps",
-        description: "NTP should be configured for time synchronization",
-        remediation: "Configure NTP servers for accurate time synchronization"
-      },
-      check: {
-        type: "child_not_exists",
-        selector: "server"
-      },
-      failureMessage: "NTP configuration is missing server entries"
     }
   ]
 };
@@ -13307,6 +13294,16 @@ var allJsonRules = [
   ...commonJsonRules,
   ...juniperJsonRules
 ];
+function getJsonRulesByVendor(vendorId) {
+  return allJsonRules.filter((rule) => {
+    if (!rule.vendor) return true;
+    if (rule.vendor === "common") return true;
+    if (Array.isArray(rule.vendor)) {
+      return rule.vendor.includes(vendorId) || rule.vendor.includes("common");
+    }
+    return rule.vendor === vendorId;
+  });
+}
 
 // ../rules-default/src/index.ts
 var allRules = [
@@ -13341,25 +13338,25 @@ var allRules = [
 ];
 var vendorRulesRegistry = {
   // Cisco platforms share the same rules
-  "cisco-ios": () => [...allCommonRules, ...allCiscoRules],
-  "cisco-nxos": () => [...allCommonRules, ...allCiscoRules],
+  "cisco-ios": () => [...allCommonRules, ...allCiscoRules, ...getJsonRulesByVendor("cisco-ios")],
+  "cisco-nxos": () => [...allCommonRules, ...allCiscoRules, ...getJsonRulesByVendor("cisco-nxos")],
   // Juniper
-  "juniper-junos": () => [...allCommonRules, ...allJuniperRules],
+  "juniper-junos": () => [...allCommonRules, ...allJuniperRules, ...getJsonRulesByVendor("juniper-junos")],
   // Aruba platforms have variant-specific rules
-  "aruba-aoscx": () => getRulesByArubaVendor("aruba-aoscx"),
-  "aruba-aosswitch": () => getRulesByArubaVendor("aruba-aosswitch"),
-  "aruba-wlc": () => getRulesByArubaVendor("aruba-wlc"),
+  "aruba-aoscx": () => [...getRulesByArubaVendor("aruba-aoscx"), ...getJsonRulesByVendor("aruba-aoscx")],
+  "aruba-aosswitch": () => [...getRulesByArubaVendor("aruba-aosswitch"), ...getJsonRulesByVendor("aruba-aosswitch")],
+  "aruba-wlc": () => [...getRulesByArubaVendor("aruba-wlc"), ...getJsonRulesByVendor("aruba-wlc")],
   // Other vendors
-  "paloalto-panos": () => getRulesByPaloAltoVendor(),
-  "arista-eos": () => getRulesByAristaVendor(),
-  "vyos": () => getRulesByVyosVendor(),
-  "fortinet-fortigate": () => getRulesByFortinetVendor(),
-  "extreme-exos": () => getRulesByExtremeVendor("extreme-exos"),
-  "extreme-voss": () => getRulesByExtremeVendor("extreme-voss"),
-  "huawei-vrp": () => getRulesByHuaweiVendor(),
-  "mikrotik-routeros": () => getRulesByMikroTikVendor(),
-  "nokia-sros": () => getRulesByNokiaVendor(),
-  "cumulus-linux": () => getRulesByCumulusVendor()
+  "paloalto-panos": () => [...getRulesByPaloAltoVendor(), ...getJsonRulesByVendor("paloalto-panos")],
+  "arista-eos": () => [...getRulesByAristaVendor(), ...getJsonRulesByVendor("arista-eos")],
+  "vyos": () => [...getRulesByVyosVendor(), ...getJsonRulesByVendor("vyos")],
+  "fortinet-fortigate": () => [...getRulesByFortinetVendor(), ...getJsonRulesByVendor("fortinet-fortigate")],
+  "extreme-exos": () => [...getRulesByExtremeVendor("extreme-exos"), ...getJsonRulesByVendor("extreme-exos")],
+  "extreme-voss": () => [...getRulesByExtremeVendor("extreme-voss"), ...getJsonRulesByVendor("extreme-voss")],
+  "huawei-vrp": () => [...getRulesByHuaweiVendor(), ...getJsonRulesByVendor("huawei-vrp")],
+  "mikrotik-routeros": () => [...getRulesByMikroTikVendor(), ...getJsonRulesByVendor("mikrotik-routeros")],
+  "nokia-sros": () => [...getRulesByNokiaVendor(), ...getJsonRulesByVendor("nokia-sros")],
+  "cumulus-linux": () => [...getRulesByCumulusVendor(), ...getJsonRulesByVendor("cumulus-linux")]
 };
 function getRulesByVendor(vendorId) {
   const getRules = vendorRulesRegistry[vendorId];
@@ -13493,6 +13490,43 @@ function validateInputFilePath(filePath, maxSize = 10 * 1024 * 1024, baseDirs) {
   });
 }
 
+// src/loaders/index.ts
+function validatePathOrThrow(path, pathValidator, errorContext, baseDirs) {
+  const validation = pathValidator(path, baseDirs);
+  if (!validation.valid) {
+    throw new SentriflowConfigError(
+      `Invalid ${errorContext} path: ${validation.error}`
+    );
+  }
+  return validation.canonicalPath;
+}
+async function wrapLoadError(operation, errorContext) {
+  try {
+    return await operation();
+  } catch (error) {
+    if (error instanceof SentriflowConfigError) {
+      throw error;
+    }
+    throw new SentriflowConfigError(`Failed to load ${errorContext} file`);
+  }
+}
+async function loadAndValidate(options) {
+  const { path, baseDirs, pathValidator, loader, validator, errorContext } = options;
+  const canonicalPath = validatePathOrThrow(
+    path,
+    pathValidator,
+    errorContext,
+    baseDirs
+  );
+  return wrapLoadError(async () => {
+    const data = await loader(canonicalPath);
+    if (!validator(data)) {
+      throw new SentriflowConfigError(`Invalid ${errorContext} structure`);
+    }
+    return data;
+  }, errorContext);
+}
+
 // src/config.ts
 var CONFIG_FILES = [
   "sentriflow.config.ts",
@@ -13658,36 +13692,30 @@ function isValidRulePack(pack) {
   return true;
 }
 async function loadConfigFile(configPath, baseDirs) {
-  const validation = validateConfigPath(configPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(`Invalid config path: ${validation.error}`);
-  }
-  try {
-    const module = await import(validation.canonicalPath);
-    const config = module.default ?? module;
-    if (!isValidSentriflowConfig(config)) {
-      throw new SentriflowConfigError("Invalid configuration structure");
-    }
-    return config;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) {
-      throw error;
-    }
-    throw new SentriflowConfigError("Failed to load configuration file");
-  }
+  return loadAndValidate({
+    path: configPath,
+    baseDirs,
+    pathValidator: validateConfigPath,
+    loader: async (p) => {
+      const m = await import(p);
+      return m.default ?? m;
+    },
+    validator: isValidSentriflowConfig,
+    errorContext: "config"
+  });
 }
 async function loadExternalRules(rulesPath, baseDirs) {
-  const validation = validateConfigPath(rulesPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(`Invalid rules path: ${validation.error}`);
-  }
-  try {
-    const module = await import(validation.canonicalPath);
+  const canonicalPath = validatePathOrThrow(
+    rulesPath,
+    validateConfigPath,
+    "rules",
+    baseDirs
+  );
+  return wrapLoadError(async () => {
+    const module = await import(canonicalPath);
     const rules = module.default ?? module.rules ?? module;
     if (!Array.isArray(rules)) {
-      throw new SentriflowConfigError(
-        "Rules file must export an array of rules"
-      );
+      throw new SentriflowConfigError("Rules file must export an array of rules");
     }
     const validRules = [];
     for (const rule of rules) {
@@ -13695,29 +13723,24 @@ async function loadExternalRules(rulesPath, baseDirs) {
         validRules.push(rule);
       } else {
         const safeRuleId = typeof rule === "object" && rule !== null && "id" in rule ? String(rule.id).slice(0, 50) : "unknown";
-        console.warn(
-          `Skipping invalid rule: ${safeRuleId} (validation failed)`
-        );
+        console.warn(`Skipping invalid rule: ${safeRuleId} (validation failed)`);
       }
     }
     if (validRules.length === 0 && rules.length > 0) {
       throw new SentriflowConfigError("No valid rules found in rules file");
     }
     return validRules;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) {
-      throw error;
-    }
-    throw new SentriflowConfigError("Failed to load rules file");
-  }
+  }, "rules");
 }
 async function loadJsonRules(jsonPath, baseDirs) {
-  const validation = validateJsonRulesPath(jsonPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(`Invalid JSON rules path: ${validation.error}`);
-  }
-  try {
-    const content = await readFileAsync(validation.canonicalPath, "utf-8");
+  const canonicalPath = validatePathOrThrow(
+    jsonPath,
+    validateJsonRulesPath,
+    "JSON rules",
+    baseDirs
+  );
+  return wrapLoadError(async () => {
+    const content = await readFileAsync(canonicalPath, "utf-8");
     let jsonData;
     try {
       jsonData = JSON.parse(content);
@@ -13726,16 +13749,12 @@ async function loadJsonRules(jsonPath, baseDirs) {
     }
     const validationResult = validateJsonRuleFile(jsonData);
     if (!validationResult.valid) {
-      const errorMessages = validationResult.errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
-      throw new SentriflowConfigError(
-        `Invalid JSON rules file:
-${errorMessages}`
-      );
+      const errors = validationResult.errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
+      throw new SentriflowConfigError(`Invalid JSON rules file:
+${errors}`);
     }
-    if (validationResult.warnings.length > 0) {
-      for (const warning of validationResult.warnings) {
-        console.warn(`[JSON Rules] Warning: ${warning.path}: ${warning.message}`);
-      }
+    for (const warning of validationResult.warnings) {
+      console.warn(`[JSON Rules] Warning: ${warning.path}: ${warning.message}`);
     }
     const ruleFile = jsonData;
     const compiledRules = compileJsonRules(ruleFile.rules);
@@ -13743,12 +13762,7 @@ ${errorMessages}`
       throw new SentriflowConfigError("No valid rules compiled from JSON file");
     }
     return compiledRules;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) {
-      throw error;
-    }
-    throw new SentriflowConfigError("Failed to load JSON rules file");
-  }
+  }, "JSON rules");
 }
 function ruleAppliesToVendor(rule, vendorId) {
   if (!rule.vendor) return true;
@@ -13769,70 +13783,52 @@ function isDefaultRuleDisabled(ruleId, vendorId, packs, legacyDisableIds) {
   return false;
 }
 async function loadRulePackFile(packPath, baseDirs) {
-  const validation = validateConfigPath(packPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(
-      `Invalid rule pack path: ${validation.error}`
-    );
-  }
-  try {
-    const module = await import(validation.canonicalPath);
-    const pack = module.default ?? module;
-    if (!isValidRulePack(pack)) {
-      throw new SentriflowConfigError("Invalid rule pack structure");
-    }
-    return pack;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) throw error;
-    throw new SentriflowConfigError("Failed to load rule pack file");
-  }
+  return loadAndValidate({
+    path: packPath,
+    baseDirs,
+    pathValidator: validateConfigPath,
+    loader: async (p) => {
+      const m = await import(p);
+      return m.default ?? m;
+    },
+    validator: isValidRulePack,
+    errorContext: "rule pack"
+  });
+}
+function mapPackLoadError(error) {
+  const messages = {
+    DECRYPTION_FAILED: "Invalid license key for encrypted pack",
+    EXPIRED: "Encrypted pack has expired",
+    MACHINE_MISMATCH: "License is not valid for this machine",
+    ACTIVATION_LIMIT: "Maximum activations exceeded for this license"
+  };
+  throw new SentriflowConfigError(
+    messages[error.code] ?? `Failed to load encrypted pack: ${error.message}`
+  );
 }
 async function loadEncryptedRulePack(packPath, licenseKey, baseDirs) {
-  const validation = validateEncryptedPackPath(packPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(
-      `Invalid encrypted pack path: ${validation.error}`
-    );
-  }
+  const canonicalPath = validatePathOrThrow(
+    packPath,
+    validateEncryptedPackPath,
+    "encrypted pack",
+    baseDirs
+  );
   try {
-    const packData = await readFileAsync(validation.canonicalPath);
+    const packData = await readFileAsync(canonicalPath);
     if (!validatePackFormat(packData)) {
       throw new SentriflowConfigError("Invalid encrypted pack format");
     }
     const loadedPack = await loadEncryptedPack(packData, {
       licenseKey,
       timeout: 1e4
-      // 10 seconds for pack validation
     });
     return {
       ...loadedPack.metadata,
       priority: 200,
-      // High priority for licensed packs
       rules: loadedPack.rules
     };
   } catch (error) {
-    if (error instanceof PackLoadError) {
-      switch (error.code) {
-        case "DECRYPTION_FAILED":
-          throw new SentriflowConfigError(
-            "Invalid license key for encrypted pack"
-          );
-        case "EXPIRED":
-          throw new SentriflowConfigError("Encrypted pack has expired");
-        case "MACHINE_MISMATCH":
-          throw new SentriflowConfigError(
-            "License is not valid for this machine"
-          );
-        case "ACTIVATION_LIMIT":
-          throw new SentriflowConfigError(
-            "Maximum activations exceeded for this license"
-          );
-        default:
-          throw new SentriflowConfigError(
-            `Failed to load encrypted pack: ${error.message}`
-          );
-      }
-    }
+    if (error instanceof PackLoadError) mapPackLoadError(error);
     if (error instanceof SentriflowConfigError) throw error;
     throw new SentriflowConfigError("Failed to load encrypted rule pack");
   }
@@ -14194,7 +14190,7 @@ function validateDirectoryPath(dirPath, allowedBaseDirs) {
 
 // index.ts
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.2").argument("[file]", "Path to the configuration file").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.5").argument("[file]", "Path to the configuration file").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
   "--encrypted-pack <path...>",
   "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
 ).option(
@@ -14601,4 +14597,19 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     process.exit(2);
   }
 });
-program.parse();
+async function loadLicensingExtension() {
+  try {
+    const licensingModulePath = "@sentriflow/licensing/cli";
+    const licensing = await import(
+      /* @vite-ignore */
+      licensingModulePath
+    );
+    if (licensing.registerCommands) {
+      licensing.registerCommands(program);
+    }
+  } catch {
+  }
+}
+loadLicensingExtension().finally(() => {
+  program.parse();
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentriflow/cli",
-  "version": "0.1.2",
+  "version": "0.1.5",
   "description": "SentriFlow CLI - Network configuration linter and validator",
   "license": "Apache-2.0",
   "main": "dist/index.js",
@@ -33,7 +33,7 @@
     "access": "public"
   },
   "scripts": {
-    "build": "node build.mjs",
+    "build": "bun build.mjs",
     "prepublishOnly": "bun run build"
   },
   "dependencies": {