@sentriflow/cli 0.1.4 → 0.1.6

package/README.md

@@ -1,6 +1,6 @@
 # @sentriflow/cli
 
-Command-line interface for SentriFlow - lint and validate network configurations.
+Command-line interface for SentriFlow - check network configurations for compliance against best practices or organization-specific policies.
 
 ## Installation
 
@@ -17,10 +17,10 @@ bun add -g @sentriflow/cli
 ## Quick Start
 
 ```bash
-# Validate a single configuration file
+# Check a single configuration file
 sentriflow router.conf
 
-# Validate with specific vendor
+# Check with specific vendor
 sentriflow -v cisco-ios router.conf
 
 # Scan a directory of configs
@@ -44,7 +44,7 @@ sentriflow --list-rules
 ```
 Usage: sentriflow [options] [file]
 
-SentriFlow Network Configuration Validator
+SentriFlow Network Configuration Compliance Checker
 
 Arguments:
   file                          Path to the configuration file
@@ -164,7 +164,7 @@ sentriflow router.conf -f sarif > results.sarif
 ### GitHub Actions
 
 ```yaml
-- name: Lint network configs
+- name: Check network config compliance
   run: |
     npx @sentriflow/cli -D configs/ -R -f sarif > results.sarif
 
@@ -190,8 +190,8 @@ SentriFlow automatically looks for `.sentriflowrc` or `.sentriflowrc.json` in th
 
 ## Related Packages
 
-- [`@sentriflow/core`](https://github.com/sentriflow/sentriflow/tree/main/packages/core) - Core parsing engine
-- [`@sentriflow/rules-default`](https://github.com/sentriflow/sentriflow/tree/main/packages/rules-default) - Default validation rules
+- [`@sentriflow/core`](https://github.com/sentriflow/sentriflow/tree/main/packages/core) - Core parsing and compliance engine
+- [`@sentriflow/rules-default`](https://github.com/sentriflow/sentriflow/tree/main/packages/rules-default) - Default compliance rules
 
 ## License
 

package/dist/index.js

@@ -10407,7 +10407,7 @@ function generateSarif(results, filePath, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.4",
+            version: "0.1.6",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10513,7 +10513,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.4",
+            version: "0.1.6",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -13490,6 +13490,43 @@ function validateInputFilePath(filePath, maxSize = 10 * 1024 * 1024, baseDirs) {
   });
 }
 
+// src/loaders/index.ts
+function validatePathOrThrow(path, pathValidator, errorContext, baseDirs) {
+  const validation = pathValidator(path, baseDirs);
+  if (!validation.valid) {
+    throw new SentriflowConfigError(
+      `Invalid ${errorContext} path: ${validation.error}`
+    );
+  }
+  return validation.canonicalPath;
+}
+async function wrapLoadError(operation, errorContext) {
+  try {
+    return await operation();
+  } catch (error) {
+    if (error instanceof SentriflowConfigError) {
+      throw error;
+    }
+    throw new SentriflowConfigError(`Failed to load ${errorContext} file`);
+  }
+}
+async function loadAndValidate(options) {
+  const { path, baseDirs, pathValidator, loader, validator, errorContext } = options;
+  const canonicalPath = validatePathOrThrow(
+    path,
+    pathValidator,
+    errorContext,
+    baseDirs
+  );
+  return wrapLoadError(async () => {
+    const data = await loader(canonicalPath);
+    if (!validator(data)) {
+      throw new SentriflowConfigError(`Invalid ${errorContext} structure`);
+    }
+    return data;
+  }, errorContext);
+}
+
 // src/config.ts
 var CONFIG_FILES = [
   "sentriflow.config.ts",
@@ -13565,8 +13602,110 @@ function isValidSentriflowConfig(config) {
       }
     }
   }
+  if (obj.directory !== void 0) {
+    if (!isValidDirectoryConfig(obj.directory)) {
+      return false;
+    }
+  }
   return true;
 }
+function isValidDirectoryConfig(config) {
+  if (config === null || config === void 0) {
+    return false;
+  }
+  if (typeof config !== "object") {
+    return false;
+  }
+  const obj = config;
+  if (obj.excludePatterns !== void 0) {
+    if (!Array.isArray(obj.excludePatterns)) {
+      return false;
+    }
+    for (const pattern of obj.excludePatterns) {
+      if (typeof pattern !== "string") {
+        return false;
+      }
+      try {
+        new RegExp(pattern);
+      } catch {
+        return false;
+      }
+    }
+  }
+  if (obj.extensions !== void 0) {
+    if (!Array.isArray(obj.extensions)) {
+      return false;
+    }
+    for (const ext of obj.extensions) {
+      if (typeof ext !== "string") {
+        return false;
+      }
+    }
+  }
+  if (obj.recursive !== void 0 && typeof obj.recursive !== "boolean") {
+    return false;
+  }
+  if (obj.maxDepth !== void 0) {
+    if (typeof obj.maxDepth !== "number") {
+      return false;
+    }
+    if (obj.maxDepth < 0 || obj.maxDepth > 1e3) {
+      return false;
+    }
+  }
+  if (obj.exclude !== void 0) {
+    if (!Array.isArray(obj.exclude)) {
+      return false;
+    }
+    for (const pattern of obj.exclude) {
+      if (typeof pattern !== "string") {
+        return false;
+      }
+    }
+  }
+  return true;
+}
+function mergeDirectoryOptions(cliOptions, configOptions) {
+  const result = {};
+  if (cliOptions.excludePatterns) {
+    result.excludePatterns = [...cliOptions.excludePatterns];
+  } else {
+    result.excludePatterns = [];
+  }
+  if (configOptions?.excludePatterns) {
+    for (const pattern of configOptions.excludePatterns) {
+      try {
+        const regex = new RegExp(pattern);
+        result.excludePatterns.push(regex);
+      } catch {
+      }
+    }
+  }
+  const excludeSet = /* @__PURE__ */ new Set();
+  if (cliOptions.exclude) {
+    for (const p of cliOptions.exclude) excludeSet.add(p);
+  }
+  if (configOptions?.exclude) {
+    for (const p of configOptions.exclude) excludeSet.add(p);
+  }
+  result.exclude = [...excludeSet];
+  if (cliOptions.recursive !== void 0) {
+    result.recursive = cliOptions.recursive;
+  } else if (configOptions?.recursive !== void 0) {
+    result.recursive = configOptions.recursive;
+  }
+  if (cliOptions.maxDepth !== void 0) {
+    result.maxDepth = cliOptions.maxDepth;
+  } else if (configOptions?.maxDepth !== void 0) {
+    result.maxDepth = configOptions.maxDepth;
+  }
+  if (cliOptions.extensions !== void 0) {
+    result.extensions = cliOptions.extensions;
+  } else if (configOptions?.extensions !== void 0) {
+    result.extensions = configOptions.extensions;
+  }
+  return result;
+}
 function isValidRule(rule) {
   if (typeof rule !== "object" || rule === null) {
     return false;
@@ -13655,36 +13794,30 @@ function isValidRulePack(pack) {
   return true;
 }
 async function loadConfigFile(configPath, baseDirs) {
-  const validation = validateConfigPath(configPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(`Invalid config path: ${validation.error}`);
-  }
-  try {
-    const module = await import(validation.canonicalPath);
-    const config = module.default ?? module;
-    if (!isValidSentriflowConfig(config)) {
-      throw new SentriflowConfigError("Invalid configuration structure");
-    }
-    return config;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) {
-      throw error;
-    }
-    throw new SentriflowConfigError("Failed to load configuration file");
-  }
+  return loadAndValidate({
+    path: configPath,
+    baseDirs,
+    pathValidator: validateConfigPath,
+    loader: async (p) => {
+      const m = await import(p);
+      return m.default ?? m;
+    },
+    validator: isValidSentriflowConfig,
+    errorContext: "config"
+  });
 }
 async function loadExternalRules(rulesPath, baseDirs) {
-  const validation = validateConfigPath(rulesPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(`Invalid rules path: ${validation.error}`);
-  }
-  try {
-    const module = await import(validation.canonicalPath);
+  const canonicalPath = validatePathOrThrow(
+    rulesPath,
+    validateConfigPath,
+    "rules",
+    baseDirs
+  );
+  return wrapLoadError(async () => {
+    const module = await import(canonicalPath);
     const rules = module.default ?? module.rules ?? module;
     if (!Array.isArray(rules)) {
-      throw new SentriflowConfigError(
-        "Rules file must export an array of rules"
-      );
+      throw new SentriflowConfigError("Rules file must export an array of rules");
     }
     const validRules = [];
     for (const rule of rules) {
@@ -13692,29 +13825,24 @@ async function loadExternalRules(rulesPath, baseDirs) {
         validRules.push(rule);
       } else {
         const safeRuleId = typeof rule === "object" && rule !== null && "id" in rule ? String(rule.id).slice(0, 50) : "unknown";
-        console.warn(
-          `Skipping invalid rule: ${safeRuleId} (validation failed)`
-        );
+        console.warn(`Skipping invalid rule: ${safeRuleId} (validation failed)`);
       }
     }
     if (validRules.length === 0 && rules.length > 0) {
       throw new SentriflowConfigError("No valid rules found in rules file");
     }
     return validRules;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) {
-      throw error;
-    }
-    throw new SentriflowConfigError("Failed to load rules file");
-  }
+  }, "rules");
 }
 async function loadJsonRules(jsonPath, baseDirs) {
-  const validation = validateJsonRulesPath(jsonPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(`Invalid JSON rules path: ${validation.error}`);
-  }
-  try {
-    const content = await readFileAsync(validation.canonicalPath, "utf-8");
+  const canonicalPath = validatePathOrThrow(
+    jsonPath,
+    validateJsonRulesPath,
+    "JSON rules",
+    baseDirs
+  );
+  return wrapLoadError(async () => {
+    const content = await readFileAsync(canonicalPath, "utf-8");
     let jsonData;
     try {
       jsonData = JSON.parse(content);
@@ -13723,16 +13851,12 @@ async function loadJsonRules(jsonPath, baseDirs) {
     }
     const validationResult = validateJsonRuleFile(jsonData);
     if (!validationResult.valid) {
-      const errorMessages = validationResult.errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
-      throw new SentriflowConfigError(
-        `Invalid JSON rules file:
-${errorMessages}`
-      );
+      const errors = validationResult.errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
+      throw new SentriflowConfigError(`Invalid JSON rules file:
+${errors}`);
     }
-    if (validationResult.warnings.length > 0) {
-      for (const warning of validationResult.warnings) {
-        console.warn(`[JSON Rules] Warning: ${warning.path}: ${warning.message}`);
-      }
+    for (const warning of validationResult.warnings) {
+      console.warn(`[JSON Rules] Warning: ${warning.path}: ${warning.message}`);
     }
     const ruleFile = jsonData;
     const compiledRules = compileJsonRules(ruleFile.rules);
@@ -13740,12 +13864,7 @@ ${errorMessages}`
       throw new SentriflowConfigError("No valid rules compiled from JSON file");
     }
     return compiledRules;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) {
-      throw error;
-    }
-    throw new SentriflowConfigError("Failed to load JSON rules file");
-  }
+  }, "JSON rules");
 }
 function ruleAppliesToVendor(rule, vendorId) {
   if (!rule.vendor) return true;
@@ -13766,70 +13885,52 @@ function isDefaultRuleDisabled(ruleId, vendorId, packs, legacyDisableIds) {
   return false;
 }
 async function loadRulePackFile(packPath, baseDirs) {
-  const validation = validateConfigPath(packPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(
-      `Invalid rule pack path: ${validation.error}`
-    );
-  }
-  try {
-    const module = await import(validation.canonicalPath);
-    const pack = module.default ?? module;
-    if (!isValidRulePack(pack)) {
-      throw new SentriflowConfigError("Invalid rule pack structure");
-    }
-    return pack;
-  } catch (error) {
-    if (error instanceof SentriflowConfigError) throw error;
-    throw new SentriflowConfigError("Failed to load rule pack file");
-  }
+  return loadAndValidate({
+    path: packPath,
+    baseDirs,
+    pathValidator: validateConfigPath,
+    loader: async (p) => {
+      const m = await import(p);
+      return m.default ?? m;
+    },
+    validator: isValidRulePack,
+    errorContext: "rule pack"
+  });
+}
+function mapPackLoadError(error) {
+  const messages = {
+    DECRYPTION_FAILED: "Invalid license key for encrypted pack",
+    EXPIRED: "Encrypted pack has expired",
+    MACHINE_MISMATCH: "License is not valid for this machine",
+    ACTIVATION_LIMIT: "Maximum activations exceeded for this license"
+  };
+  throw new SentriflowConfigError(
+    messages[error.code] ?? `Failed to load encrypted pack: ${error.message}`
+  );
 }
 async function loadEncryptedRulePack(packPath, licenseKey, baseDirs) {
-  const validation = validateEncryptedPackPath(packPath, baseDirs);
-  if (!validation.valid) {
-    throw new SentriflowConfigError(
-      `Invalid encrypted pack path: ${validation.error}`
-    );
-  }
+  const canonicalPath = validatePathOrThrow(
+    packPath,
+    validateEncryptedPackPath,
+    "encrypted pack",
+    baseDirs
+  );
   try {
-    const packData = await readFileAsync(validation.canonicalPath);
+    const packData = await readFileAsync(canonicalPath);
     if (!validatePackFormat(packData)) {
       throw new SentriflowConfigError("Invalid encrypted pack format");
     }
     const loadedPack = await loadEncryptedPack(packData, {
       licenseKey,
       timeout: 1e4
-      // 10 seconds for pack validation
     });
     return {
       ...loadedPack.metadata,
       priority: 200,
-      // High priority for licensed packs
       rules: loadedPack.rules
     };
   } catch (error) {
-    if (error instanceof PackLoadError) {
-      switch (error.code) {
-        case "DECRYPTION_FAILED":
-          throw new SentriflowConfigError(
-            "Invalid license key for encrypted pack"
-          );
-        case "EXPIRED":
-          throw new SentriflowConfigError("Encrypted pack has expired");
-        case "MACHINE_MISMATCH":
-          throw new SentriflowConfigError(
-            "License is not valid for this machine"
-          );
-        case "ACTIVATION_LIMIT":
-          throw new SentriflowConfigError(
-            "Maximum activations exceeded for this license"
-          );
-        default:
-          throw new SentriflowConfigError(
-            `Failed to load encrypted pack: ${error.message}`
-          );
-      }
-    }
+    if (error instanceof PackLoadError) mapPackLoadError(error);
     if (error instanceof SentriflowConfigError) throw error;
     throw new SentriflowConfigError("Failed to load encrypted rule pack");
   }
@@ -14049,6 +14150,19 @@ function isExcluded(relativePath, excludePatterns) {
   if (excludePatterns.length === 0) return false;
   return excludePatterns.some((pattern) => matchesPattern(relativePath, pattern));
 }
+function validateRegexPattern(pattern) {
+  try {
+    const regex = new RegExp(pattern);
+    return { valid: true, regex };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Invalid regex pattern";
+    return { valid: false, error: message };
+  }
+}
+function isExcludedByRegex(relativePath, patterns) {
+  if (patterns.length === 0 || relativePath === "") return false;
+  return patterns.some((pattern) => pattern.test(relativePath));
+}
 async function scanDirectory(dirPath, options = {}) {
   const {
     recursive = false,
@@ -14057,7 +14171,8 @@ async function scanDirectory(dirPath, options = {}) {
     maxFileSize = MAX_CONFIG_SIZE,
     maxDepth = 100,
     allowedBaseDirs,
-    exclude = []
+    exclude = [],
+    excludePatterns = []
   } = options;
   const result = {
     files: [],
@@ -14103,7 +14218,11 @@ async function scanDirectory(dirPath, options = {}) {
     for (const entry of entries) {
       const fullPath = join(currentDir, entry);
       const relativePath = join(basePath, entry);
-      if (isExcluded(relativePath, exclude)) {
+      const normalizedRelativePath = normalizeSeparators2(relativePath);
+      if (isExcluded(normalizedRelativePath, exclude)) {
+        continue;
+      }
+      if (isExcludedByRegex(normalizedRelativePath, excludePatterns)) {
         continue;
       }
       let stats;
@@ -14189,9 +14308,96 @@ function validateDirectoryPath(dirPath, allowedBaseDirs) {
   }
 }
 
+// src/loaders/stdin.ts
+async function readStdin() {
+  return new Promise((resolve5) => {
+    const stdin = process.stdin;
+    const chunks = [];
+    let totalSize = 0;
+    let sizeLimitExceeded = false;
+    stdin.setEncoding("utf8");
+    if (stdin.isTTY) {
+      resolve5({
+        success: false,
+        error: "No input received from stdin"
+      });
+      return;
+    }
+    stdin.on("data", (chunk) => {
+      if (sizeLimitExceeded) return;
+      const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, "utf8");
+      totalSize += buffer.length;
+      if (totalSize > MAX_CONFIG_SIZE) {
+        sizeLimitExceeded = true;
+        resolve5({
+          success: false,
+          error: `Input exceeds maximum size (${totalSize} > ${MAX_CONFIG_SIZE} bytes)`
+        });
+        stdin.destroy();
+        return;
+      }
+      chunks.push(buffer);
+    });
+    stdin.on("end", () => {
+      if (sizeLimitExceeded) return;
+      const content = Buffer.concat(chunks).toString("utf8");
+      if (content.length === 0) {
+        resolve5({
+          success: false,
+          error: "No input received from stdin"
+        });
+        return;
+      }
+      resolve5({
+        success: true,
+        content
+      });
+    });
+    stdin.on("error", (err) => {
+      resolve5({
+        success: false,
+        error: `Failed to read from stdin: ${err.message}`
+      });
+    });
+    const timeout = setTimeout(() => {
+      if (chunks.length === 0 && !sizeLimitExceeded) {
+        stdin.destroy();
+        resolve5({
+          success: false,
+          error: "No input received from stdin (timeout)"
+        });
+      }
+    }, 100);
+    stdin.on("end", () => clearTimeout(timeout));
+    stdin.on("error", () => clearTimeout(timeout));
+  });
+}
+function validateStdinArgument(files, hasDirectory) {
+  const hasStdin = files.includes("-");
+  if (!hasStdin) {
+    return { valid: true };
+  }
+  if (files.length > 1) {
+    return {
+      valid: false,
+      error: "Cannot combine stdin (-) with other file arguments"
+    };
+  }
+  if (hasDirectory) {
+    return {
+      valid: false,
+      error: "Cannot combine stdin (-) with directory mode (-D)"
+    };
+  }
+  return { valid: true };
+}
+function isStdinRequested(files) {
+  return files.length === 1 && files[0] === "-";
+}
+
 // index.ts
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.4").argument("[file]", "Path to the configuration file").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.6").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
   "--encrypted-pack <path...>",
   "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
 ).option(
@@ -14232,7 +14438,14 @@ program.name("sentriflow").description("SentriFlow Network Configuration Validat
   "--exclude <patterns>",
   "Exclude patterns (comma-separated glob patterns)",
   (val) => val.split(",")
-).option("--progress", "Show progress during directory scanning").action(async (file, options) => {
+).option(
+  "--exclude-pattern <pattern...>",
+  "Regex pattern(s) to exclude files (JavaScript regex syntax, can specify multiple)"
+).option(
+  "--max-depth <number>",
+  "Maximum recursion depth for directory scanning (use with -R)",
+  (val) => parseInt(val, 10)
+).option("--progress", "Show progress during directory scanning").action(async (files, options) => {
   try {
     if (options.listVendors) {
       console.log("Supported vendors:\n");
@@ -14259,8 +14472,21 @@ Use: sentriflow --vendor <vendor> <file>`);
     }
     const workingDir = process.cwd();
     const allowedBaseDirs = options.allowExternal ? void 0 : [workingDir];
+    const excludePatterns = [];
+    if (options.excludePattern) {
+      for (const pattern of options.excludePattern) {
+        const result = validateRegexPattern(pattern);
+        if (!result.valid) {
+          console.error(`Error: Invalid regex pattern '${pattern}'`);
+          console.error(`  ${result.error}`);
+          process.exit(2);
+        }
+        excludePatterns.push(result.regex);
+      }
+    }
     const licenseKey = options.licenseKey || process.env.SENTRIFLOW_LICENSE_KEY;
-    const configSearchDir = file ? dirname2(resolve4(file)) : workingDir;
+    const firstFile = files.length > 0 ? files[0] : void 0;
+    const configSearchDir = firstFile ? dirname2(resolve4(firstFile)) : workingDir;
     const rules = await resolveRules({
       configPath: options.config,
       noConfig: options.config === false,
@@ -14314,18 +14540,44 @@ Config file: ${configFile}`);
         process.exit(2);
       }
       const canonicalDir = dirValidation.canonicalPath;
+      let directoryConfig;
+      if (options.config !== false) {
+        const configPath = options.config ?? findConfigFile(canonicalDir);
+        if (configPath) {
+          try {
+            const config = await loadConfigFile(configPath, allowedBaseDirs);
+            directoryConfig = config.directory;
+          } catch (err) {
+            if (options.progress) {
+              const msg = err instanceof Error ? err.message : "Unknown error";
+              console.error(`Warning: Failed to load config: ${msg}`);
+            }
+          }
+        }
+      }
+      const cliDirOptions = {
+        recursive: options.recursive,
+        extensions: options.extensions,
+        exclude: options.exclude,
+        excludePatterns: excludePatterns.length > 0 ? excludePatterns : void 0,
+        maxDepth: options.maxDepth
+      };
+      const mergedOptions = mergeDirectoryOptions(cliDirOptions, directoryConfig);
       if (options.progress) {
+        const recursive = mergedOptions.recursive ?? false;
         console.error(
-          `Scanning directory: ${canonicalDir}${options.recursive ? " (recursive)" : ""}`
+          `Scanning directory: ${canonicalDir}${recursive ? " (recursive)" : ""}`
         );
       }
       const scanResult = await scanDirectory(canonicalDir, {
-        recursive: options.recursive ?? false,
+        recursive: mergedOptions.recursive ?? false,
         patterns: options.glob ? [options.glob] : [],
-        extensions: options.extensions ?? DEFAULT_CONFIG_EXTENSIONS,
+        extensions: mergedOptions.extensions ?? DEFAULT_CONFIG_EXTENSIONS,
         maxFileSize: MAX_CONFIG_SIZE,
+        maxDepth: mergedOptions.maxDepth,
         allowedBaseDirs,
-        exclude: options.exclude ?? []
+        exclude: mergedOptions.exclude ?? [],
+        excludePatterns: mergedOptions.excludePatterns ?? []
       });
       if (scanResult.errors.length > 0 && options.progress) {
         console.error(`
@@ -14489,10 +14741,176 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       }
       return;
     }
-    if (!file) {
+    if (files.length === 0) {
       program.help();
       return;
     }
+    const stdinValidation = validateStdinArgument(files, !!options.directory);
+    if (!stdinValidation.valid) {
+      console.error(`Error: ${stdinValidation.error}`);
+      process.exit(2);
+    }
+    if (isStdinRequested(files)) {
+      const stdinResult = await readStdin();
+      if (!stdinResult.success) {
+        console.error(`Error: ${stdinResult.error}`);
+        process.exit(2);
+      }
+      const content2 = stdinResult.content;
+      let vendor2;
+      if (options.vendor === "auto") {
+        vendor2 = detectVendor(content2);
+        if (!options.quiet && !options.ast) {
+          console.error(`Detected vendor: ${vendor2.name} (${vendor2.id})`);
+        }
+      } else {
+        try {
+          vendor2 = getVendor(options.vendor);
+        } catch {
+          console.error(`Error: Unknown vendor '${options.vendor}'`);
+          console.error(`Available vendors: ${getAvailableVendors().join(", ")}, auto`);
+          process.exit(2);
+        }
+      }
+      const stdinRules = await resolveRules({
+        configPath: options.config,
+        noConfig: options.config === false,
+        rulesPath: options.rules,
+        rulePackPath: options.rulePack,
+        encryptedPackPaths: options.encryptedPack,
+        licenseKey,
+        strictPacks: options.strictPacks,
+        jsonRulesPaths: options.jsonRules,
+        disableIds: options.disable ?? [],
+        vendorId: vendor2.id,
+        cwd: workingDir,
+        allowedBaseDirs
+      });
+      const parser2 = new SchemaAwareParser({ vendor: vendor2 });
+      const nodes2 = parser2.parse(content2);
+      if (options.ast) {
+        const output = {
+          vendor: { id: vendor2.id, name: vendor2.name },
+          ast: nodes2
+        };
+        console.log(JSON.stringify(output, null, 2));
+        return;
+      }
+      const engine2 = new RuleEngine();
+      let results2 = engine2.run(nodes2, stdinRules);
+      if (options.quiet) {
+        results2 = results2.filter((r) => !r.passed);
+      }
+      if (options.format === "sarif") {
+        const sarifOptions = {
+          relativePaths: options.relativePaths,
+          baseDir: process.cwd()
+        };
+        console.log(generateSarif(results2, "<stdin>", stdinRules, sarifOptions));
+      } else {
+        const output = {
+          file: "<stdin>",
+          vendor: { id: vendor2.id, name: vendor2.name },
+          results: results2
+        };
+        console.log(JSON.stringify(output, null, 2));
+      }
+      const hasFailures2 = results2.some((r) => !r.passed);
+      if (hasFailures2) {
+        process.exit(1);
+      }
+      return;
+    }
+    if (files.length > 1) {
+      const allFileResults = [];
+      let totalFailures = 0;
+      let totalPassed = 0;
+      const engine2 = new RuleEngine();
+      for (let i = 0; i < files.length; i++) {
+        const file2 = files[i];
+        if (!file2) continue;
+        const fileValidation2 = validateInputFilePath(
+          file2,
+          MAX_CONFIG_SIZE,
+          allowedBaseDirs
+        );
+        if (!fileValidation2.valid) {
+          console.error(`Error processing ${file2}: ${fileValidation2.error}`);
+          allFileResults.push({
+            filePath: file2,
+            results: []
+          });
+          continue;
+        }
+        const filePath2 = fileValidation2.canonicalPath;
+        try {
+          const stats2 = statSync2(filePath2);
+          if (stats2.size > MAX_CONFIG_SIZE) {
+            console.error(`Error: ${file2} exceeds maximum size`);
+            allFileResults.push({ filePath: file2, results: [] });
+            continue;
+          }
+          const content2 = await readFile(filePath2, "utf-8");
+          let vendor2;
+          if (options.vendor === "auto") {
+            vendor2 = detectVendor(content2);
+          } else {
+            vendor2 = getVendor(options.vendor);
+          }
+          const fileRules = rules.filter(
+            (rule) => ruleAppliesToVendor(rule, vendor2.id)
+          );
+          const parser2 = new SchemaAwareParser({ vendor: vendor2 });
+          const nodes2 = parser2.parse(content2);
+          let results2 = engine2.run(nodes2, fileRules);
+          if (options.quiet) {
+            results2 = results2.filter((r) => !r.passed);
+          }
+          const failures = results2.filter((r) => !r.passed).length;
+          const passed = results2.filter((r) => r.passed).length;
+          totalFailures += failures;
+          totalPassed += passed;
+          allFileResults.push({
+            filePath: filePath2,
+            results: results2,
+            vendor: { id: vendor2.id, name: vendor2.name }
+          });
+        } catch (err) {
+          const errMsg = err instanceof Error ? err.message : "Unknown error";
+          console.error(`Error processing ${basename(file2)}: ${errMsg}`);
+          allFileResults.push({ filePath: file2, results: [] });
+        }
+      }
+      if (options.format === "sarif") {
+        const sarifOptions = {
+          relativePaths: options.relativePaths,
+          baseDir: process.cwd()
+        };
+        console.log(
+          generateMultiFileSarif(allFileResults, rules, sarifOptions)
+        );
+      } else {
+        const output = {
+          summary: {
+            filesScanned: allFileResults.length,
+            totalResults: totalFailures + totalPassed,
+            failures: totalFailures,
+            passed: totalPassed
+          },
+          files: allFileResults.map((fr) => ({
+            file: fr.filePath,
+            vendor: fr.vendor,
+            results: fr.results
+          }))
+        };
+        console.log(JSON.stringify(output, null, 2));
+      }
+      if (totalFailures > 0) {
+        process.exit(1);
+      }
+      return;
+    }
+    const file = files[0];
     const fileValidation = validateInputFilePath(
       file,
       MAX_CONFIG_SIZE,

package/package.json

@@ -1,54 +1,54 @@
-{
-  "name": "@sentriflow/cli",
-  "version": "0.1.4",
-  "description": "SentriFlow CLI - Network configuration linter and validator",
-  "license": "Apache-2.0",
-  "main": "dist/index.js",
-  "module": "dist/index.js",
-  "type": "module",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/sentriflow/sentriflow.git",
-    "directory": "packages/cli"
-  },
-  "homepage": "https://github.com/sentriflow/sentriflow#readme",
-  "bugs": {
-    "url": "https://github.com/sentriflow/sentriflow/issues"
-  },
-  "keywords": [
-    "cli",
-    "network",
-    "configuration",
-    "linter",
-    "security",
-    "compliance",
-    "sarif"
-  ],
-  "files": [
-    "dist",
-    "LICENSE",
-    "README.md"
-  ],
-  "publishConfig": {
-    "access": "public"
-  },
-  "scripts": {
-    "build": "bun build.mjs",
-    "prepublishOnly": "bun run build"
-  },
-  "dependencies": {
-    "commander": "^14.0.2"
-  },
-  "devDependencies": {
-    "@sentriflow/core": "workspace:*",
-    "@sentriflow/rules-default": "workspace:*",
-    "bun-types": "latest",
-    "esbuild": "^0.27.0"
-  },
-  "bin": {
-    "sentriflow": "dist/index.js"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  }
-}
+{
+  "name": "@sentriflow/cli",
+  "version": "0.1.6",
+  "description": "SentriFlow CLI - Network configuration linter and validator",
+  "license": "Apache-2.0",
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sentriflow/sentriflow.git",
+    "directory": "packages/cli"
+  },
+  "homepage": "https://github.com/sentriflow/sentriflow#readme",
+  "bugs": {
+    "url": "https://github.com/sentriflow/sentriflow/issues"
+  },
+  "keywords": [
+    "cli",
+    "network",
+    "configuration",
+    "linter",
+    "security",
+    "compliance",
+    "sarif"
+  ],
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "bun build.mjs",
+    "prepublishOnly": "bun run build"
+  },
+  "dependencies": {
+    "commander": "^14.0.2"
+  },
+  "devDependencies": {
+    "@sentriflow/core": "workspace:*",
+    "@sentriflow/rules-default": "workspace:*",
+    "bun-types": "latest",
+    "esbuild": "^0.27.0"
+  },
+  "bin": {
+    "sentriflow": "dist/index.js"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}