@sentriflow/cli 0.1.9 → 0.2.0

package/README.md

@@ -37,6 +37,15 @@ sentriflow --list-vendors
 
 # List active rules
 sentriflow --list-rules
+
+# List rules by category
+sentriflow --list-rules --category authentication
+
+# List all categories
+sentriflow --list-categories
+
+# Read from stdin
+cat router.conf | sentriflow -
 ```
 
 ## Usage
@@ -47,7 +56,7 @@ Usage: sentriflow [options] [file]
 SentriFlow Network Configuration Compliance Checker
 
 Arguments:
-  file                          Path to the configuration file
+  file                          Path to the configuration file (use - for stdin)
 
 Options:
   -V, --version                 output the version number
@@ -80,10 +89,20 @@ Supported vendors: `cisco-ios`, `juniper-junos`, `palo-alto`, `fortinet`, `arist
 | `--no-config` | Ignore config file |
 | `-d, --disable <ids>` | Comma-separated rule IDs to disable |
 | `--list-rules` | List all active rules and exit |
+| `--list-categories` | List all rule categories with counts |
+| `--category <name>` | Filter `--list-rules` by category |
+| `--list-format <fmt>` | Format for `--list-rules`: `table` (default), `json`, `csv` |
 | `-p, --rule-pack <path>` | Rule pack file to load |
 | `--json-rules <path...>` | Path(s) to JSON rules file(s) |
 | `-r, --rules <path>` | Additional rules file (legacy) |
 
+### IP Extraction
+
+| Option | Description |
+|--------|-------------|
+| `--extract-ips` | Extract and display all IP addresses/subnets from configuration |
+| `--copy-ips` | Copy extracted IPs to clipboard (requires xclip/pbcopy) |
+
 ### Encrypted Rule Packs
 
 | Option | Description |
@@ -125,7 +144,11 @@ Supported vendors: `cisco-ios`, `juniper-junos`, `palo-alto`, `fortinet`, `arist
       "passed": false,
       "message": "Telnet is enabled - use SSH instead",
       "line": 12,
-      "column": 1
+      "column": 1,
+      "category": "authentication",
+      "tags": [
+        { "type": "security", "label": "plaintext-protocol" }
+      ]
     }
   ]
 }
@@ -159,6 +182,38 @@ Produces SARIF 2.1.0 compliant output for integration with GitHub Code Scanning,
 sentriflow router.conf -f sarif > results.sarif
 ```
 
+SARIF output includes rule categories and tags in the `properties` block:
+
+```json
+{
+  "rules": [{
+    "id": "SEC-001",
+    "properties": {
+      "category": "authentication",
+      "tags": ["security:plaintext-protocol"]
+    }
+  }]
+}
+```
+
+## Rule Categories
+
+List all available categories:
+
+```bash
+sentriflow --list-categories
+```
+
+Filter rules by category:
+
+```bash
+# List only authentication rules
+sentriflow --list-rules --category authentication
+
+# Output as JSON
+sentriflow --list-rules --category encryption --list-format json
+```
+
 ## CI/CD Integration
 
 ### GitHub Actions

package/dist/index.js

@@ -10334,7 +10334,42 @@ function validateRegex(pattern, flags, path, ctx) {
   }
 }
 
+// ../core/src/ip/types.ts
+var DEFAULT_MAX_CONTENT_SIZE = 50 * 1024 * 1024;
+var InputValidationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "InputValidationError";
+  }
+};
+
 // ../core/src/ip/extractor.ts
+function stripZoneId(ip) {
+  const zoneIndex = ip.indexOf("%");
+  return zoneIndex !== -1 ? ip.substring(0, zoneIndex) : ip;
+}
+function createIPv4Pattern() {
+  return /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b/g;
+}
+function createIPv4CidrPattern() {
+  return /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:3[0-2]|[12]?[0-9])\b/g;
+}
+function createIPv4WithMaskPattern() {
+  return /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
+}
+function createIPv4WithMaskKeywordPattern() {
+  return /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+mask\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/gi;
+}
+function createIPv4WithWildcardPattern() {
+  return /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(0\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
+}
+function createIPv6Pattern() {
+  return /(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::/g;
+}
+function createIPv6CidrPattern() {
+  return /(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::)\/(?:12[0-8]|1[01][0-9]|[1-9]?[0-9])(?!\d)/g;
+}
 function isValidIPv4(ip) {
   if (!ip || typeof ip !== "string") return false;
   const octets = ip.split(".");
@@ -10349,11 +10384,7 @@ function isValidIPv4(ip) {
 }
 function isValidIPv6(ip) {
   if (!ip || typeof ip !== "string") return false;
-  let addr = ip;
-  const zoneIndex = ip.indexOf("%");
-  if (zoneIndex !== -1) {
-    addr = ip.substring(0, zoneIndex);
-  }
+  const addr = stripZoneId(ip);
   if (!addr.includes(":")) return false;
   if (addr.includes(":::")) return false;
   const doubleColonCount = (addr.match(/::/g) || []).length;
@@ -10392,12 +10423,7 @@ function normalizeIPv4(ip) {
   return ip.split(".").map((octet) => parseInt(octet, 10).toString()).join(".");
 }
 function normalizeIPv6(ip) {
-  let addr = ip;
-  const zoneIndex = ip.indexOf("%");
-  if (zoneIndex !== -1) {
-    addr = ip.substring(0, zoneIndex);
-  }
-  addr = addr.toLowerCase();
+  const addr = stripZoneId(ip).toLowerCase();
   if (addr.includes("::")) {
     const sides = addr.split("::");
     const left = sides[0] ? sides[0].split(":").filter((p) => p !== "") : [];
@@ -10424,8 +10450,17 @@ function normalizeIPv6(ip) {
   }
   return result.join(":");
 }
+function clampOctet(n) {
+  if (!Number.isInteger(n)) {
+    return 0;
+  }
+  if (n < 0 || n > 255) {
+    return 0;
+  }
+  return n;
+}
 function ipv4ToNumber(ip) {
-  const octets = ip.split(".").map(Number);
+  const octets = ip.split(".").map((n) => clampOctet(Number(n)));
   const o0 = octets[0] ?? 0;
   const o1 = octets[1] ?? 0;
   const o2 = octets[2] ?? 0;
@@ -10438,11 +10473,7 @@ function compareIPv4(a, b) {
   return numA < numB ? -1 : numA > numB ? 1 : 0;
 }
 function expandIPv6(ip) {
-  let addr = ip;
-  const zoneIndex = ip.indexOf("%");
-  if (zoneIndex !== -1) {
-    addr = ip.substring(0, zoneIndex);
-  }
+  const addr = stripZoneId(ip);
   const parts = addr.split(":");
   const result = [];
   for (let i = 0; i < parts.length; i++) {
@@ -10489,9 +10520,23 @@ function sortIPv6Addresses(ips) {
 }
 function parseSubnet(subnet) {
   const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) {
+    throw new InputValidationError(
+      `Invalid subnet format (missing /): ${subnet}`,
+      "INVALID_FORMAT"
+    );
+  }
+  const prefixStr = subnet.substring(slashIndex + 1);
+  const prefix = parseInt(prefixStr, 10);
+  if (isNaN(prefix)) {
+    throw new InputValidationError(
+      `Invalid subnet prefix: ${prefixStr}`,
+      "INVALID_FORMAT"
+    );
+  }
   return {
     network: subnet.substring(0, slashIndex),
-    prefix: parseInt(subnet.substring(slashIndex + 1), 10)
+    prefix
   };
 }
 function sortSubnets(subnets, type) {
@@ -10541,13 +10586,6 @@ function wildcardToCidr(wildcard) {
   }
   return prefix;
 }
-var IPV4_PATTERN = /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b/g;
-var IPV4_CIDR_PATTERN = /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:3[0-2]|[12]?[0-9])\b/g;
-var IPV4_WITH_MASK_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
-var IPV4_WITH_MASK_KEYWORD_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+mask\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/gi;
-var IPV4_WITH_WILDCARD_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(0\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
-var IPV6_PATTERN = /(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::/g;
-var IPV6_CIDR_PATTERN = /(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::)\/(?:12[0-8]|1[01][0-9]|[1-9]?[0-9])/g;
 function createEmptyIPSummary() {
   return {
     ipv4Addresses: [],
@@ -10567,6 +10605,13 @@ function extractIPSummary(content, options = {}) {
   if (!content || typeof content !== "string") {
     return createEmptyIPSummary();
   }
+  const maxSize = options.maxContentSize ?? DEFAULT_MAX_CONTENT_SIZE;
+  if (content.length > maxSize) {
+    throw new InputValidationError(
+      `Content exceeds maximum size of ${maxSize} bytes`,
+      "SIZE_LIMIT_EXCEEDED"
+    );
+  }
   const ipv4Set = /* @__PURE__ */ new Set();
   const ipv6Set = /* @__PURE__ */ new Set();
   const ipv4SubnetSet = /* @__PURE__ */ new Set();
@@ -10574,7 +10619,7 @@ function extractIPSummary(content, options = {}) {
   const subnetNetworks = /* @__PURE__ */ new Set();
   const ipsWithMasks = /* @__PURE__ */ new Set();
   if (!options.skipSubnets) {
-    const ipv4CidrMatches = content.matchAll(IPV4_CIDR_PATTERN);
+    const ipv4CidrMatches = content.matchAll(createIPv4CidrPattern());
     for (const match of ipv4CidrMatches) {
       const subnet = match[0];
       if (isValidSubnet(subnet)) {
@@ -10584,7 +10629,7 @@ function extractIPSummary(content, options = {}) {
         subnetNetworks.add(normalizedNetwork);
       }
     }
-    const ipMaskMatches = content.matchAll(IPV4_WITH_MASK_PATTERN);
+    const ipMaskMatches = content.matchAll(createIPv4WithMaskPattern());
     for (const match of ipMaskMatches) {
       const ip = match[1];
       const mask = match[2];
@@ -10597,7 +10642,7 @@ function extractIPSummary(content, options = {}) {
         }
       }
     }
-    const ipMaskKeywordMatches = content.matchAll(IPV4_WITH_MASK_KEYWORD_PATTERN);
+    const ipMaskKeywordMatches = content.matchAll(createIPv4WithMaskKeywordPattern());
     for (const match of ipMaskKeywordMatches) {
       const ip = match[1];
       const mask = match[2];
@@ -10610,7 +10655,7 @@ function extractIPSummary(content, options = {}) {
         }
       }
     }
-    const ipWildcardMatches = content.matchAll(IPV4_WITH_WILDCARD_PATTERN);
+    const ipWildcardMatches = content.matchAll(createIPv4WithWildcardPattern());
     for (const match of ipWildcardMatches) {
       const ip = match[1];
       const wildcard = match[2];
@@ -10624,7 +10669,7 @@ function extractIPSummary(content, options = {}) {
       }
     }
   }
-  const ipv4Matches = content.matchAll(IPV4_PATTERN);
+  const ipv4Matches = content.matchAll(createIPv4Pattern());
   for (const match of ipv4Matches) {
     const ip = match[0];
     if (isValidIPv4(ip)) {
@@ -10636,7 +10681,7 @@ function extractIPSummary(content, options = {}) {
   }
   if (!options.skipIPv6) {
     if (!options.skipSubnets) {
-      const ipv6CidrMatches = content.matchAll(IPV6_CIDR_PATTERN);
+      const ipv6CidrMatches = content.matchAll(createIPv6CidrPattern());
       for (const match of ipv6CidrMatches) {
         const subnet = match[0];
         if (isValidSubnet(subnet)) {
@@ -10647,7 +10692,7 @@ function extractIPSummary(content, options = {}) {
         }
       }
     }
-    const ipv6Matches = content.matchAll(IPV6_PATTERN);
+    const ipv6Matches = content.matchAll(createIPv6Pattern());
     for (const match of ipv6Matches) {
       const ip = match[0];
       if (isValidIPv6(ip)) {
@@ -10658,6 +10703,16 @@ function extractIPSummary(content, options = {}) {
       }
     }
   }
+  if (options.includeSubnetNetworks) {
+    for (const subnet of ipv4SubnetSet) {
+      const { network } = parseSubnet(subnet);
+      ipv4Set.add(network);
+    }
+    for (const subnet of ipv6SubnetSet) {
+      const { network } = parseSubnet(subnet);
+      ipv6Set.add(network);
+    }
+  }
   const ipv4Addresses = sortIPv4Addresses([...ipv4Set]);
   const ipv6Addresses = sortIPv6Addresses([...ipv6Set]);
   const ipv4Subnets = sortSubnets([...ipv4SubnetSet], "ipv4");
@@ -10729,8 +10784,12 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
     }
     const hasCvss = secMeta?.cvssScore !== void 0 || secMeta?.cvssVector;
     const hasTags = rule.metadata.tags && rule.metadata.tags.length > 0;
-    if (hasCvss || hasTags) {
+    const hasCategory = rule.category !== void 0;
+    if (hasCvss || hasTags || hasCategory) {
       base.properties = {};
+      if (hasCategory) {
+        base.properties.category = rule.category;
+      }
       if (secMeta?.cvssScore !== void 0) {
         base.properties["security-severity"] = String(secMeta.cvssScore);
       }
@@ -10754,7 +10813,7 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.9",
+            version: "0.2.0",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10878,8 +10937,12 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
     }
     const hasCvss = secMeta?.cvssScore !== void 0 || secMeta?.cvssVector;
     const hasTags = rule.metadata.tags && rule.metadata.tags.length > 0;
-    if (hasCvss || hasTags) {
+    const hasCategory = rule.category !== void 0;
+    if (hasCvss || hasTags || hasCategory) {
       base.properties = {};
+      if (hasCategory) {
+        base.properties.category = rule.category;
+      }
       if (secMeta?.cvssScore !== void 0) {
         base.properties["security-severity"] = String(secMeta.cvssScore);
       }
@@ -10910,7 +10973,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.9",
+            version: "0.2.0",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -14872,8 +14935,19 @@ function isStdinRequested(files) {
 }
 
 // index.ts
+function enrichResultsWithRuleMetadata(results, rules) {
+  const ruleMap = new Map(rules.map((r) => [r.id, r]));
+  return results.map((result) => {
+    const rule = ruleMap.get(result.ruleId);
+    return {
+      ...result,
+      category: rule?.category,
+      tags: rule?.metadata.tags ?? []
+    };
+  });
+}
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.9").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.2.0").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
   "--encrypted-pack <path...>",
   "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
 ).option(
@@ -14889,7 +14963,14 @@ program.name("sentriflow").description("SentriFlow Network Configuration Validat
   "-d, --disable <ids>",
   "Comma-separated rule IDs to disable",
   (val) => val.split(",")
-).option("--list-rules", "List all active rules and exit").option("--relative-paths", "Use relative paths in SARIF output").option(
+).option("--list-rules", "List all active rules and exit").option("--list-categories", "List all rule categories with counts and exit").option(
+  "--category <category>",
+  "Filter rules by category (use with --list-rules)"
+).option(
+  "--list-format <format>",
+  "Output format for --list-rules: table, json, csv (default: table)",
+  "table"
+).option("--relative-paths", "Use relative paths in SARIF output").option(
   "--allow-external",
   "Allow reading files outside the current directory (use with caution)"
 ).option(
@@ -14983,17 +15064,73 @@ Use: sentriflow --vendor <vendor> <file>`);
       allowedBaseDirs
       // SEC-011: Pass allowed base dirs for rule file validation
     });
-    if (options.listRules) {
-      console.log("Active rules:\n");
+    if (options.listCategories) {
+      const counts = /* @__PURE__ */ new Map();
       for (const rule of rules) {
+        const cats = Array.isArray(rule.category) ? rule.category : [rule.category ?? "uncategorized"];
+        for (const cat of cats) {
+          counts.set(cat, (counts.get(cat) ?? 0) + 1);
+        }
+      }
+      const sorted = [...counts.entries()].sort((a, b) => b[1] - a[1]);
+      console.log("CATEGORY              COUNT");
+      console.log("\u2500".repeat(35));
+      for (const [cat, count] of sorted) {
+        console.log(`${cat.padEnd(22)}${count}`);
+      }
+      console.log("\u2500".repeat(35));
+      console.log(`TOTAL                 ${rules.length}`);
+      return;
+    }
+    if (options.listRules) {
+      let filteredRules = rules;
+      if (options.category) {
+        filteredRules = rules.filter((r) => {
+          const cats = Array.isArray(r.category) ? r.category : [r.category];
+          return cats.includes(options.category);
+        });
+      }
+      if (options.listFormat === "json") {
+        const output = filteredRules.map((r) => ({
+          id: r.id,
+          category: r.category,
+          vendor: r.vendor,
+          level: r.metadata.level,
+          obu: r.metadata.obu,
+          description: r.metadata.description,
+          tags: r.metadata.tags
+        }));
+        console.log(JSON.stringify(output, null, 2));
+      } else if (options.listFormat === "csv") {
+        console.log("id,category,vendor,level,obu,description");
+        for (const rule of filteredRules) {
+          const cat = Array.isArray(rule.category) ? rule.category.join(";") : rule.category ?? "";
+          const vendor2 = Array.isArray(rule.vendor) ? rule.vendor.join(";") : rule.vendor ?? "common";
+          const desc = (rule.metadata.description ?? "").replace(/"/g, '""');
+          console.log(
+            `"${rule.id}","${cat}","${vendor2}","${rule.metadata.level}","${rule.metadata.obu}","${desc}"`
+          );
+        }
+      } else {
         console.log(
-          `  ${rule.id} [${rule.metadata.level}] - ${rule.metadata.obu}`
+          "ID                CATEGORY              VENDOR          LEVEL    OBU"
         );
+        console.log("\u2500".repeat(85));
+        for (const rule of filteredRules) {
+          const cat = Array.isArray(rule.category) ? rule.category[0] ?? "general" : rule.category ?? "general";
+          const vendor2 = Array.isArray(rule.vendor) ? rule.vendor[0] ?? "common" : rule.vendor ?? "common";
+          console.log(
+            `${rule.id.padEnd(18)}${cat.padEnd(22)}${vendor2.padEnd(16)}${rule.metadata.level.padEnd(9)}${rule.metadata.obu}`
+          );
+        }
+        console.log("\u2500".repeat(85));
+        console.log(`Total: ${filteredRules.length} rules`);
+        if (options.category) {
+          console.log(`Filtered by category: ${options.category}`);
+        }
       }
-      console.log(`
-Total: ${rules.length} rules`);
       const configFile = findConfigFile(configSearchDir);
-      if (configFile) {
+      if (configFile && options.listFormat === "table") {
         console.log(`
 Config file: ${configFile}`);
       }
@@ -15166,7 +15303,7 @@ Parsing complete: ${allAsts.length} files`);
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2);
+          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -15203,7 +15340,7 @@ Parsing complete: ${allAsts.length} files`);
           files: allFileResults.map((fr) => ({
             file: fr.filePath,
             vendor: fr.vendor,
-            results: fr.results,
+            results: enrichResultsWithRuleMetadata(fr.results, rules),
             ipSummary: fr.ipSummary
           }))
         };
@@ -15280,7 +15417,16 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       if (options.quiet) {
         results2 = results2.filter((r) => !r.passed);
       }
-      const stdinIpSummary = extractIPSummary(content2);
+      let stdinIpSummary;
+      try {
+        stdinIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+      } catch (error) {
+        if (error instanceof InputValidationError) {
+          console.error(`Input validation error: ${error.message}`);
+          process.exit(2);
+        }
+        throw error;
+      }
       if (options.format === "sarif") {
         const sarifOptions = {
           relativePaths: options.relativePaths,
@@ -15291,7 +15437,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
         const output = {
           file: "<stdin>",
           vendor: { id: vendor2.id, name: vendor2.name },
-          results: results2,
+          results: enrichResultsWithRuleMetadata(results2, stdinRules),
           ipSummary: stdinIpSummary
         };
         console.log(JSON.stringify(output, null, 2));
@@ -15351,7 +15497,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2);
+          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -15383,7 +15529,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           files: allFileResults.map((fr) => ({
             file: fr.filePath,
             vendor: fr.vendor,
-            results: fr.results,
+            results: enrichResultsWithRuleMetadata(fr.results, rules),
             ipSummary: fr.ipSummary
           }))
         };
@@ -15469,7 +15615,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     if (options.quiet) {
       results = results.filter((r) => !r.passed);
     }
-    const ipSummary = extractIPSummary(content);
+    const ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
     if (options.format === "sarif") {
       const sarifOptions = {
         relativePaths: options.relativePaths,
@@ -15484,7 +15630,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           id: vendor.id,
           name: vendor.name
         },
-        results,
+        results: enrichResultsWithRuleMetadata(results, singleFileRules),
         ipSummary
       };
       console.log(JSON.stringify(output, null, 2));
@@ -15496,6 +15642,8 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
   } catch (error) {
     if (error instanceof SentriflowError) {
       console.error(`Error: ${error.toUserMessage()}`);
+    } else if (error instanceof InputValidationError) {
+      console.error(`Input validation error: ${error.message}`);
     } else {
       console.error("Error: An unexpected error occurred");
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentriflow/cli",
-  "version": "0.1.9",
+  "version": "0.2.0",
   "description": "SentriFlow CLI - Network configuration linter and validator",
   "license": "Apache-2.0",
   "main": "dist/index.js",