@sentriflow/cli 0.1.5 → 0.1.6

package/dist/index.js

@@ -10407,7 +10407,7 @@ function generateSarif(results, filePath, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.5",
+            version: "0.1.6",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10513,7 +10513,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.5",
+            version: "0.1.6",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -13602,8 +13602,110 @@ function isValidSentriflowConfig(config) {
       }
     }
   }
+  if (obj.directory !== void 0) {
+    if (!isValidDirectoryConfig(obj.directory)) {
+      return false;
+    }
+  }
+  return true;
+}
+function isValidDirectoryConfig(config) {
+  if (config === null || config === void 0) {
+    return false;
+  }
+  if (typeof config !== "object") {
+    return false;
+  }
+  const obj = config;
+  if (obj.excludePatterns !== void 0) {
+    if (!Array.isArray(obj.excludePatterns)) {
+      return false;
+    }
+    for (const pattern of obj.excludePatterns) {
+      if (typeof pattern !== "string") {
+        return false;
+      }
+      try {
+        new RegExp(pattern);
+      } catch {
+        return false;
+      }
+    }
+  }
+  if (obj.extensions !== void 0) {
+    if (!Array.isArray(obj.extensions)) {
+      return false;
+    }
+    for (const ext of obj.extensions) {
+      if (typeof ext !== "string") {
+        return false;
+      }
+    }
+  }
+  if (obj.recursive !== void 0 && typeof obj.recursive !== "boolean") {
+    return false;
+  }
+  if (obj.maxDepth !== void 0) {
+    if (typeof obj.maxDepth !== "number") {
+      return false;
+    }
+    if (obj.maxDepth < 0 || obj.maxDepth > 1e3) {
+      return false;
+    }
+  }
+  if (obj.exclude !== void 0) {
+    if (!Array.isArray(obj.exclude)) {
+      return false;
+    }
+    for (const pattern of obj.exclude) {
+      if (typeof pattern !== "string") {
+        return false;
+      }
+    }
+  }
   return true;
 }
+function mergeDirectoryOptions(cliOptions, configOptions) {
+  const result = {};
+  if (cliOptions.excludePatterns) {
+    result.excludePatterns = [...cliOptions.excludePatterns];
+  } else {
+    result.excludePatterns = [];
+  }
+  if (configOptions?.excludePatterns) {
+    for (const pattern of configOptions.excludePatterns) {
+      try {
+        const regex = new RegExp(pattern);
+        result.excludePatterns.push(regex);
+      } catch {
+      }
+    }
+  }
+  const excludeSet = /* @__PURE__ */ new Set();
+  if (cliOptions.exclude) {
+    for (const p of cliOptions.exclude) excludeSet.add(p);
+  }
+  if (configOptions?.exclude) {
+    for (const p of configOptions.exclude) excludeSet.add(p);
+  }
+  result.exclude = [...excludeSet];
+  if (cliOptions.recursive !== void 0) {
+    result.recursive = cliOptions.recursive;
+  } else if (configOptions?.recursive !== void 0) {
+    result.recursive = configOptions.recursive;
+  }
+  if (cliOptions.maxDepth !== void 0) {
+    result.maxDepth = cliOptions.maxDepth;
+  } else if (configOptions?.maxDepth !== void 0) {
+    result.maxDepth = configOptions.maxDepth;
+  }
+  if (cliOptions.extensions !== void 0) {
+    result.extensions = cliOptions.extensions;
+  } else if (configOptions?.extensions !== void 0) {
+    result.extensions = configOptions.extensions;
+  }
+  return result;
+}
 function isValidRule(rule) {
   if (typeof rule !== "object" || rule === null) {
     return false;
@@ -14048,6 +14150,19 @@ function isExcluded(relativePath, excludePatterns) {
   if (excludePatterns.length === 0) return false;
   return excludePatterns.some((pattern) => matchesPattern(relativePath, pattern));
 }
+function validateRegexPattern(pattern) {
+  try {
+    const regex = new RegExp(pattern);
+    return { valid: true, regex };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Invalid regex pattern";
+    return { valid: false, error: message };
+  }
+}
+function isExcludedByRegex(relativePath, patterns) {
+  if (patterns.length === 0 || relativePath === "") return false;
+  return patterns.some((pattern) => pattern.test(relativePath));
+}
 async function scanDirectory(dirPath, options = {}) {
   const {
     recursive = false,
@@ -14056,7 +14171,8 @@ async function scanDirectory(dirPath, options = {}) {
     maxFileSize = MAX_CONFIG_SIZE,
     maxDepth = 100,
     allowedBaseDirs,
-    exclude = []
+    exclude = [],
+    excludePatterns = []
   } = options;
   const result = {
     files: [],
@@ -14102,7 +14218,11 @@ async function scanDirectory(dirPath, options = {}) {
     for (const entry of entries) {
       const fullPath = join(currentDir, entry);
       const relativePath = join(basePath, entry);
-      if (isExcluded(relativePath, exclude)) {
+      const normalizedRelativePath = normalizeSeparators2(relativePath);
+      if (isExcluded(normalizedRelativePath, exclude)) {
+        continue;
+      }
+      if (isExcludedByRegex(normalizedRelativePath, excludePatterns)) {
         continue;
       }
       let stats;
@@ -14188,9 +14308,96 @@ function validateDirectoryPath(dirPath, allowedBaseDirs) {
   }
 }
 
+// src/loaders/stdin.ts
+async function readStdin() {
+  return new Promise((resolve5) => {
+    const stdin = process.stdin;
+    const chunks = [];
+    let totalSize = 0;
+    let sizeLimitExceeded = false;
+    stdin.setEncoding("utf8");
+    if (stdin.isTTY) {
+      resolve5({
+        success: false,
+        error: "No input received from stdin"
+      });
+      return;
+    }
+    stdin.on("data", (chunk) => {
+      if (sizeLimitExceeded) return;
+      const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, "utf8");
+      totalSize += buffer.length;
+      if (totalSize > MAX_CONFIG_SIZE) {
+        sizeLimitExceeded = true;
+        resolve5({
+          success: false,
+          error: `Input exceeds maximum size (${totalSize} > ${MAX_CONFIG_SIZE} bytes)`
+        });
+        stdin.destroy();
+        return;
+      }
+      chunks.push(buffer);
+    });
+    stdin.on("end", () => {
+      if (sizeLimitExceeded) return;
+      const content = Buffer.concat(chunks).toString("utf8");
+      if (content.length === 0) {
+        resolve5({
+          success: false,
+          error: "No input received from stdin"
+        });
+        return;
+      }
+      resolve5({
+        success: true,
+        content
+      });
+    });
+    stdin.on("error", (err) => {
+      resolve5({
+        success: false,
+        error: `Failed to read from stdin: ${err.message}`
+      });
+    });
+    const timeout = setTimeout(() => {
+      if (chunks.length === 0 && !sizeLimitExceeded) {
+        stdin.destroy();
+        resolve5({
+          success: false,
+          error: "No input received from stdin (timeout)"
+        });
+      }
+    }, 100);
+    stdin.on("end", () => clearTimeout(timeout));
+    stdin.on("error", () => clearTimeout(timeout));
+  });
+}
+function validateStdinArgument(files, hasDirectory) {
+  const hasStdin = files.includes("-");
+  if (!hasStdin) {
+    return { valid: true };
+  }
+  if (files.length > 1) {
+    return {
+      valid: false,
+      error: "Cannot combine stdin (-) with other file arguments"
+    };
+  }
+  if (hasDirectory) {
+    return {
+      valid: false,
+      error: "Cannot combine stdin (-) with directory mode (-D)"
+    };
+  }
+  return { valid: true };
+}
+function isStdinRequested(files) {
+  return files.length === 1 && files[0] === "-";
+}
+
 // index.ts
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.5").argument("[file]", "Path to the configuration file").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.6").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
   "--encrypted-pack <path...>",
   "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
 ).option(
@@ -14231,7 +14438,14 @@ program.name("sentriflow").description("SentriFlow Network Configuration Validat
   "--exclude <patterns>",
   "Exclude patterns (comma-separated glob patterns)",
   (val) => val.split(",")
-).option("--progress", "Show progress during directory scanning").action(async (file, options) => {
+).option(
+  "--exclude-pattern <pattern...>",
+  "Regex pattern(s) to exclude files (JavaScript regex syntax, can specify multiple)"
+).option(
+  "--max-depth <number>",
+  "Maximum recursion depth for directory scanning (use with -R)",
+  (val) => parseInt(val, 10)
+).option("--progress", "Show progress during directory scanning").action(async (files, options) => {
   try {
     if (options.listVendors) {
       console.log("Supported vendors:\n");
@@ -14258,8 +14472,21 @@ Use: sentriflow --vendor <vendor> <file>`);
     }
     const workingDir = process.cwd();
     const allowedBaseDirs = options.allowExternal ? void 0 : [workingDir];
+    const excludePatterns = [];
+    if (options.excludePattern) {
+      for (const pattern of options.excludePattern) {
+        const result = validateRegexPattern(pattern);
+        if (!result.valid) {
+          console.error(`Error: Invalid regex pattern '${pattern}'`);
+          console.error(`  ${result.error}`);
+          process.exit(2);
+        }
+        excludePatterns.push(result.regex);
+      }
+    }
     const licenseKey = options.licenseKey || process.env.SENTRIFLOW_LICENSE_KEY;
-    const configSearchDir = file ? dirname2(resolve4(file)) : workingDir;
+    const firstFile = files.length > 0 ? files[0] : void 0;
+    const configSearchDir = firstFile ? dirname2(resolve4(firstFile)) : workingDir;
     const rules = await resolveRules({
       configPath: options.config,
       noConfig: options.config === false,
@@ -14313,18 +14540,44 @@ Config file: ${configFile}`);
         process.exit(2);
       }
       const canonicalDir = dirValidation.canonicalPath;
+      let directoryConfig;
+      if (options.config !== false) {
+        const configPath = options.config ?? findConfigFile(canonicalDir);
+        if (configPath) {
+          try {
+            const config = await loadConfigFile(configPath, allowedBaseDirs);
+            directoryConfig = config.directory;
+          } catch (err) {
+            if (options.progress) {
+              const msg = err instanceof Error ? err.message : "Unknown error";
+              console.error(`Warning: Failed to load config: ${msg}`);
+            }
+          }
+        }
+      }
+      const cliDirOptions = {
+        recursive: options.recursive,
+        extensions: options.extensions,
+        exclude: options.exclude,
+        excludePatterns: excludePatterns.length > 0 ? excludePatterns : void 0,
+        maxDepth: options.maxDepth
+      };
+      const mergedOptions = mergeDirectoryOptions(cliDirOptions, directoryConfig);
       if (options.progress) {
+        const recursive = mergedOptions.recursive ?? false;
         console.error(
-          `Scanning directory: ${canonicalDir}${options.recursive ? " (recursive)" : ""}`
+          `Scanning directory: ${canonicalDir}${recursive ? " (recursive)" : ""}`
         );
       }
       const scanResult = await scanDirectory(canonicalDir, {
-        recursive: options.recursive ?? false,
+        recursive: mergedOptions.recursive ?? false,
         patterns: options.glob ? [options.glob] : [],
-        extensions: options.extensions ?? DEFAULT_CONFIG_EXTENSIONS,
+        extensions: mergedOptions.extensions ?? DEFAULT_CONFIG_EXTENSIONS,
         maxFileSize: MAX_CONFIG_SIZE,
+        maxDepth: mergedOptions.maxDepth,
         allowedBaseDirs,
-        exclude: options.exclude ?? []
+        exclude: mergedOptions.exclude ?? [],
+        excludePatterns: mergedOptions.excludePatterns ?? []
       });
       if (scanResult.errors.length > 0 && options.progress) {
         console.error(`
@@ -14488,10 +14741,176 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       }
       return;
     }
-    if (!file) {
+    if (files.length === 0) {
       program.help();
       return;
     }
+    const stdinValidation = validateStdinArgument(files, !!options.directory);
+    if (!stdinValidation.valid) {
+      console.error(`Error: ${stdinValidation.error}`);
+      process.exit(2);
+    }
+    if (isStdinRequested(files)) {
+      const stdinResult = await readStdin();
+      if (!stdinResult.success) {
+        console.error(`Error: ${stdinResult.error}`);
+        process.exit(2);
+      }
+      const content2 = stdinResult.content;
+      let vendor2;
+      if (options.vendor === "auto") {
+        vendor2 = detectVendor(content2);
+        if (!options.quiet && !options.ast) {
+          console.error(`Detected vendor: ${vendor2.name} (${vendor2.id})`);
+        }
+      } else {
+        try {
+          vendor2 = getVendor(options.vendor);
+        } catch {
+          console.error(`Error: Unknown vendor '${options.vendor}'`);
+          console.error(`Available vendors: ${getAvailableVendors().join(", ")}, auto`);
+          process.exit(2);
+        }
+      }
+      const stdinRules = await resolveRules({
+        configPath: options.config,
+        noConfig: options.config === false,
+        rulesPath: options.rules,
+        rulePackPath: options.rulePack,
+        encryptedPackPaths: options.encryptedPack,
+        licenseKey,
+        strictPacks: options.strictPacks,
+        jsonRulesPaths: options.jsonRules,
+        disableIds: options.disable ?? [],
+        vendorId: vendor2.id,
+        cwd: workingDir,
+        allowedBaseDirs
+      });
+      const parser2 = new SchemaAwareParser({ vendor: vendor2 });
+      const nodes2 = parser2.parse(content2);
+      if (options.ast) {
+        const output = {
+          vendor: { id: vendor2.id, name: vendor2.name },
+          ast: nodes2
+        };
+        console.log(JSON.stringify(output, null, 2));
+        return;
+      }
+      const engine2 = new RuleEngine();
+      let results2 = engine2.run(nodes2, stdinRules);
+      if (options.quiet) {
+        results2 = results2.filter((r) => !r.passed);
+      }
+      if (options.format === "sarif") {
+        const sarifOptions = {
+          relativePaths: options.relativePaths,
+          baseDir: process.cwd()
+        };
+        console.log(generateSarif(results2, "<stdin>", stdinRules, sarifOptions));
+      } else {
+        const output = {
+          file: "<stdin>",
+          vendor: { id: vendor2.id, name: vendor2.name },
+          results: results2
+        };
+        console.log(JSON.stringify(output, null, 2));
+      }
+      const hasFailures2 = results2.some((r) => !r.passed);
+      if (hasFailures2) {
+        process.exit(1);
+      }
+      return;
+    }
+    if (files.length > 1) {
+      const allFileResults = [];
+      let totalFailures = 0;
+      let totalPassed = 0;
+      const engine2 = new RuleEngine();
+      for (let i = 0; i < files.length; i++) {
+        const file2 = files[i];
+        if (!file2) continue;
+        const fileValidation2 = validateInputFilePath(
+          file2,
+          MAX_CONFIG_SIZE,
+          allowedBaseDirs
+        );
+        if (!fileValidation2.valid) {
+          console.error(`Error processing ${file2}: ${fileValidation2.error}`);
+          allFileResults.push({
+            filePath: file2,
+            results: []
+          });
+          continue;
+        }
+        const filePath2 = fileValidation2.canonicalPath;
+        try {
+          const stats2 = statSync2(filePath2);
+          if (stats2.size > MAX_CONFIG_SIZE) {
+            console.error(`Error: ${file2} exceeds maximum size`);
+            allFileResults.push({ filePath: file2, results: [] });
+            continue;
+          }
+          const content2 = await readFile(filePath2, "utf-8");
+          let vendor2;
+          if (options.vendor === "auto") {
+            vendor2 = detectVendor(content2);
+          } else {
+            vendor2 = getVendor(options.vendor);
+          }
+          const fileRules = rules.filter(
+            (rule) => ruleAppliesToVendor(rule, vendor2.id)
+          );
+          const parser2 = new SchemaAwareParser({ vendor: vendor2 });
+          const nodes2 = parser2.parse(content2);
+          let results2 = engine2.run(nodes2, fileRules);
+          if (options.quiet) {
+            results2 = results2.filter((r) => !r.passed);
+          }
+          const failures = results2.filter((r) => !r.passed).length;
+          const passed = results2.filter((r) => r.passed).length;
+          totalFailures += failures;
+          totalPassed += passed;
+          allFileResults.push({
+            filePath: filePath2,
+            results: results2,
+            vendor: { id: vendor2.id, name: vendor2.name }
+          });
+        } catch (err) {
+          const errMsg = err instanceof Error ? err.message : "Unknown error";
+          console.error(`Error processing ${basename(file2)}: ${errMsg}`);
+          allFileResults.push({ filePath: file2, results: [] });
+        }
+      }
+      if (options.format === "sarif") {
+        const sarifOptions = {
+          relativePaths: options.relativePaths,
+          baseDir: process.cwd()
+        };
+        console.log(
+          generateMultiFileSarif(allFileResults, rules, sarifOptions)
+        );
+      } else {
+        const output = {
+          summary: {
+            filesScanned: allFileResults.length,
+            totalResults: totalFailures + totalPassed,
+            failures: totalFailures,
+            passed: totalPassed
+          },
+          files: allFileResults.map((fr) => ({
+            file: fr.filePath,
+            vendor: fr.vendor,
+            results: fr.results
+          }))
+        };
+        console.log(JSON.stringify(output, null, 2));
+      }
+      if (totalFailures > 0) {
+        process.exit(1);
+      }
+      return;
+    }
+    const file = files[0];
     const fileValidation = validateInputFilePath(
       file,
       MAX_CONFIG_SIZE,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentriflow/cli",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "SentriFlow CLI - Network configuration linter and validator",
   "license": "Apache-2.0",
   "main": "dist/index.js",