@sentriflow/cli 0.2.1 → 0.3.2

package/dist/index.js

@@ -3811,8 +3811,6 @@ var MAX_NESTING_DEPTH = 50;
 var MAX_LINE_COUNT = 1e5;
 var MAX_TRAVERSAL_DEPTH = 20;
 var ALLOWED_CONFIG_EXTENSIONS = [".js", ".ts", ".mjs", ".cjs"];
-var ALLOWED_ENCRYPTED_PACK_EXTENSIONS = [".grpx"];
-var ALLOWED_GRX2_PACK_EXTENSIONS = [".grx2"];
 var ALLOWED_JSON_RULES_EXTENSIONS = [".json"];
 var MAX_CONFIG_FILE_SIZE = 1024 * 1024;
 var MAX_ENCRYPTED_PACK_SIZE = 5 * 1024 * 1024;
@@ -10012,16 +10010,16 @@ var hasFloodProtection = (zppNode) => {
   const udp = findStanza6(flood, "udp");
   const icmp = findStanza6(flood, "icmp");
   const otherIp = findStanza6(flood, "other-ip");
-  const isEnabled5 = (stanza) => {
+  const isEnabled6 = (stanza) => {
     if (!stanza) return false;
     const enableCmd = getChildCommand(stanza, "enable");
     return enableCmd?.id.toLowerCase().includes("yes") ?? false;
   };
   return {
-    hasSyn: isEnabled5(tcpSyn),
-    hasUdp: isEnabled5(udp),
-    hasIcmp: isEnabled5(icmp),
-    hasOtherIp: isEnabled5(otherIp)
+    hasSyn: isEnabled6(tcpSyn),
+    hasUdp: isEnabled6(udp),
+    hasIcmp: isEnabled6(icmp),
+    hasOtherIp: isEnabled6(otherIp)
   };
 };
 var hasReconProtection = (zppNode) => {
@@ -10631,6 +10629,62 @@ function validatePackFormat(packData) {
   return true;
 }
 
+// ../core/src/pack-loader/format-detector.ts
+import { open } from "node:fs/promises";
+import { resolve } from "node:path";
+var FORMAT_PRIORITIES = {
+  unknown: 0,
+  unencrypted: 100,
+  grpx: 200,
+  grx2: 300
+};
+var MAGIC_BYTES = {
+  GRX2: Buffer.from("GRX2", "ascii"),
+  GRPX: Buffer.from("GRPX", "ascii")
+};
+var MAGIC_BYTES_LENGTH = 4;
+async function detectPackFormat(filePath) {
+  const absolutePath = resolve(filePath);
+  let fileHandle;
+  try {
+    fileHandle = await open(absolutePath, "r");
+    const stats = await fileHandle.stat();
+    if (stats.size < MAGIC_BYTES_LENGTH) {
+      return "unencrypted";
+    }
+    const buffer = Buffer.alloc(MAGIC_BYTES_LENGTH);
+    const { bytesRead } = await fileHandle.read(
+      buffer,
+      0,
+      MAGIC_BYTES_LENGTH,
+      0
+    );
+    if (bytesRead < MAGIC_BYTES_LENGTH) {
+      return "unencrypted";
+    }
+    if (buffer.equals(MAGIC_BYTES.GRX2)) {
+      return "grx2";
+    }
+    if (buffer.equals(MAGIC_BYTES.GRPX)) {
+      return "grpx";
+    }
+    return "unencrypted";
+  } catch (error) {
+    if (error instanceof Error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        throw new Error(`Pack file not found: ${absolutePath}`);
+      }
+      if (nodeError.code === "EACCES") {
+        throw new Error(`Permission denied reading pack file: ${absolutePath}`);
+      }
+    }
+    throw error;
+  } finally {
+    await fileHandle?.close();
+  }
+}
+
 // ../core/src/grx2-loader/types.ts
 import { homedir } from "node:os";
 import { join } from "node:path";
@@ -12075,10 +12129,301 @@ function extractIPSummary(content, options = {}) {
   };
 }
 
+// ../core/src/ip/classifier.ts
+var DEFAULT_FILTER_OPTIONS = {
+  keepPublic: true,
+  keepPrivate: true,
+  keepLoopback: false,
+  keepLinkLocal: false,
+  keepMulticast: false,
+  keepReserved: false,
+  keepUnspecified: false,
+  keepBroadcast: false,
+  keepDocumentation: false,
+  keepCgnat: true
+};
+function ipv4ToNumber2(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return 0;
+  let result = 0;
+  for (let i = 0; i < 4; i++) {
+    const octet = parseInt(parts[i] ?? "0", 10);
+    if (isNaN(octet) || octet < 0 || octet > 255) return 0;
+    result = (result << 8) + octet;
+  }
+  return result >>> 0;
+}
+function isInIPv4Range(ip, network, prefix) {
+  const ipNum = ipv4ToNumber2(ip);
+  const netNum = ipv4ToNumber2(network);
+  const mask = prefix === 0 ? 0 : ~0 << 32 - prefix >>> 0;
+  return (ipNum & mask) === (netNum & mask);
+}
+function classifyIPv4(ip) {
+  if (ip === "0.0.0.0") return "unspecified";
+  if (ip === "255.255.255.255") return "broadcast";
+  if (isInIPv4Range(ip, "0.0.0.0", 8)) return "unspecified";
+  if (isInIPv4Range(ip, "127.0.0.0", 8)) return "loopback";
+  if (isInIPv4Range(ip, "169.254.0.0", 16)) return "link-local";
+  if (isInIPv4Range(ip, "10.0.0.0", 8)) return "private";
+  if (isInIPv4Range(ip, "172.16.0.0", 12)) return "private";
+  if (isInIPv4Range(ip, "192.168.0.0", 16)) return "private";
+  if (isInIPv4Range(ip, "100.64.0.0", 10)) return "cgnat";
+  if (isInIPv4Range(ip, "192.0.2.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "198.51.100.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "203.0.113.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "224.0.0.0", 4)) return "multicast";
+  if (isInIPv4Range(ip, "240.0.0.0", 4)) return "reserved";
+  return "public";
+}
+function classifyIPv4Subnet(subnet) {
+  const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) return classifyIPv4(subnet);
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv4(network);
+}
+function expandIPv62(ip) {
+  const zoneIndex = ip.indexOf("%");
+  const addr = zoneIndex !== -1 ? ip.substring(0, zoneIndex) : ip;
+  const parts = addr.split(":");
+  const result = [];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i] ?? "";
+    if (part === "" && i > 0 && i < parts.length - 1) {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    } else if (part !== "") {
+      result.push(parseInt(part, 16) || 0);
+    } else if (i === 0 && (parts[1] ?? "") === "") {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    }
+  }
+  while (result.length < 8) {
+    result.push(0);
+  }
+  return result.slice(0, 8);
+}
+function classifyIPv6(ip) {
+  const parts = expandIPv62(ip);
+  if (parts.every((p) => p === 0)) return "unspecified";
+  if (parts.slice(0, 7).every((p) => p === 0) && parts[7] === 1) return "loopback";
+  if ((parts[0] ?? 0) >= 65152 && (parts[0] ?? 0) <= 65215) return "link-local";
+  if (((parts[0] ?? 0) & 65280) === 65280) return "multicast";
+  if (parts[0] === 8193 && parts[1] === 3512) return "documentation";
+  if (((parts[0] ?? 0) & 65024) === 64512) return "private";
+  return "public";
+}
+function classifyIPv6Subnet(subnet) {
+  const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) return classifyIPv6(subnet);
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv6(network);
+}
+function shouldKeepClassification(classification, options) {
+  switch (classification) {
+    case "public":
+      return options.keepPublic;
+    case "private":
+      return options.keepPrivate;
+    case "loopback":
+      return options.keepLoopback;
+    case "link-local":
+      return options.keepLinkLocal;
+    case "multicast":
+      return options.keepMulticast;
+    case "reserved":
+      return options.keepReserved;
+    case "unspecified":
+      return options.keepUnspecified;
+    case "broadcast":
+      return options.keepBroadcast;
+    case "documentation":
+      return options.keepDocumentation;
+    case "cgnat":
+      return options.keepCgnat;
+    default:
+      return true;
+  }
+}
+function filterIPv4Addresses(addresses, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv4(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv6Addresses(addresses, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv6(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv4Subnets(subnets, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv4Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv6Subnets(subnets, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv6Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPSummary(summary, options = {}) {
+  const ipv4Addresses = filterIPv4Addresses(summary.ipv4Addresses, options);
+  const ipv6Addresses = filterIPv6Addresses(summary.ipv6Addresses, options);
+  const ipv4Subnets = filterIPv4Subnets(summary.ipv4Subnets, options);
+  const ipv6Subnets = filterIPv6Subnets(summary.ipv6Subnets, options);
+  const counts = {
+    ipv4: ipv4Addresses.length,
+    ipv6: ipv6Addresses.length,
+    ipv4Subnets: ipv4Subnets.length,
+    ipv6Subnets: ipv6Subnets.length,
+    total: ipv4Addresses.length + ipv6Addresses.length + ipv4Subnets.length + ipv6Subnets.length
+  };
+  return {
+    ipv4Addresses,
+    ipv6Addresses,
+    ipv4Subnets,
+    ipv6Subnets,
+    counts
+  };
+}
+
+// ../core/src/validation/rule-validation.ts
+function validateRule2(rule) {
+  if (typeof rule !== "object" || rule === null) {
+    return "Rule is not an object";
+  }
+  const obj = rule;
+  if (typeof obj.id !== "string") {
+    return "Rule id is not a string";
+  }
+  if (!RULE_ID_PATTERN.test(obj.id)) {
+    return `Rule id "${obj.id}" does not match pattern ${RULE_ID_PATTERN}`;
+  }
+  if (typeof obj.check !== "function") {
+    return `Rule ${obj.id}: check is not a function (got ${typeof obj.check})`;
+  }
+  if (obj.selector !== void 0 && typeof obj.selector !== "string") {
+    return `Rule ${obj.id}: selector is not a string`;
+  }
+  if (obj.vendor !== void 0) {
+    if (Array.isArray(obj.vendor)) {
+      for (const v of obj.vendor) {
+        if (typeof v !== "string") {
+          return `Rule ${obj.id}: vendor array contains non-string`;
+        }
+        if (!isValidVendorId(v)) {
+          return `Rule ${obj.id}: invalid vendor "${v}"`;
+        }
+      }
+    } else if (typeof obj.vendor !== "string") {
+      return `Rule ${obj.id}: vendor is not a string`;
+    } else if (!isValidVendorId(obj.vendor)) {
+      return `Rule ${obj.id}: invalid vendor "${obj.vendor}"`;
+    }
+  }
+  if (typeof obj.metadata !== "object" || obj.metadata === null) {
+    return `Rule ${obj.id}: metadata is not an object`;
+  }
+  const metadata = obj.metadata;
+  if (!["error", "warning", "info"].includes(metadata.level)) {
+    return `Rule ${obj.id}: invalid metadata.level "${metadata.level}"`;
+  }
+  return null;
+}
+function isValidRule(rule) {
+  return validateRule2(rule) === null;
+}
+function validateRulePack(pack, reservedPackName) {
+  if (typeof pack !== "object" || pack === null) {
+    return "Pack is not an object";
+  }
+  const obj = pack;
+  if (typeof obj.name !== "string" || obj.name.length === 0) {
+    return "Pack name is missing or empty";
+  }
+  if (reservedPackName && obj.name === reservedPackName) {
+    return `Pack name "${obj.name}" is reserved`;
+  }
+  if (typeof obj.version !== "string" || obj.version.length === 0) {
+    return "Pack version is missing or empty";
+  }
+  if (typeof obj.publisher !== "string" || obj.publisher.length === 0) {
+    return "Pack publisher is missing or empty";
+  }
+  if (typeof obj.priority !== "number" || obj.priority < 0) {
+    return `Pack priority is invalid (got ${obj.priority})`;
+  }
+  if (!Array.isArray(obj.rules)) {
+    return "Pack rules is not an array";
+  }
+  for (let i = 0; i < obj.rules.length; i++) {
+    const ruleError = validateRule2(obj.rules[i]);
+    if (ruleError) {
+      return `Rule[${i}]: ${ruleError}`;
+    }
+  }
+  if (obj.disables !== void 0) {
+    if (typeof obj.disables !== "object" || obj.disables === null) {
+      return "Pack disables is not an object";
+    }
+    const disables = obj.disables;
+    if (disables.all !== void 0 && typeof disables.all !== "boolean") {
+      return "Pack disables.all is not a boolean";
+    }
+    if (disables.vendors !== void 0) {
+      if (!Array.isArray(disables.vendors)) {
+        return "Pack disables.vendors is not an array";
+      }
+      for (const v of disables.vendors) {
+        if (typeof v !== "string" || !isValidVendorId(v)) {
+          return `Pack disables.vendors contains invalid vendor "${v}"`;
+        }
+      }
+    }
+    if (disables.rules !== void 0) {
+      if (!Array.isArray(disables.rules)) {
+        return "Pack disables.rules is not an array";
+      }
+      for (const r of disables.rules) {
+        if (typeof r !== "string") {
+          return "Pack disables.rules contains non-string";
+        }
+      }
+    }
+  }
+  return null;
+}
+function isValidRulePack(pack, reservedPackName) {
+  return validateRulePack(pack, reservedPackName) === null;
+}
+function ruleAppliesToVendor(rule, vendorId) {
+  if (!rule.vendor) {
+    return true;
+  }
+  if (Array.isArray(rule.vendor)) {
+    return rule.vendor.includes("common") || rule.vendor.includes(vendorId);
+  }
+  return rule.vendor === "common" || rule.vendor === vendorId;
+}
+
 // index.ts
 import { readFile as readFile2 } from "fs/promises";
 import { statSync as statSync2 } from "fs";
-import { resolve as resolve4, dirname as dirname2, basename } from "path";
+import { resolve as resolve6, dirname as dirname2, basename } from "path";
 
 // src/sarif.ts
 import { relative } from "path";
@@ -12155,7 +12500,7 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.2.1",
+            version: "0.3.2",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -12315,7 +12660,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.2.1",
+            version: "0.3.2",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -12529,10 +12874,10 @@ var InterfaceDescriptionRequired = {
         loc: node.loc
       };
     }
-    const hasDescription5 = node.children.some(
+    const hasDescription9 = node.children.some(
       (child) => startsWithIgnoreCase(child.id, "description")
     );
-    if (!hasDescription5) {
+    if (!hasDescription9) {
       return {
         passed: false,
         message: `Interface "${node.params.slice(1).join(" ")}" is missing a description.`,
@@ -12557,6 +12902,59 @@ var allCommonRules = [
   InterfaceDescriptionRequired
 ];
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/common/validation.ts
+var equalsIgnoreCase2 = (a, b) => a != null && b != null && a.toLowerCase() === b.toLowerCase();
+var includesIgnoreCase2 = (haystack, needle) => haystack != null && needle != null && haystack.toLowerCase().includes(needle.toLowerCase());
+var startsWithIgnoreCase2 = (str, prefix) => str != null && prefix != null && str.toLowerCase().startsWith(prefix.toLowerCase());
+
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/common/helpers.ts
+var hasChildCommand5 = (node, prefix) => {
+  if (!node?.children || !prefix) return false;
+  return node.children.some(
+    (child) => child?.id?.toLowerCase().startsWith(prefix.toLowerCase()) ?? false
+  );
+};
+var getChildCommand5 = (node, prefix) => {
+  if (!node?.children || !prefix) return void 0;
+  return node.children.find(
+    (child) => child?.id?.toLowerCase().startsWith(prefix.toLowerCase()) ?? false
+  );
+};
+var isShutdown6 = (node) => {
+  if (!node?.children) return false;
+  return node.children.some((child) => {
+    const id = child?.id?.toLowerCase().trim();
+    return id === "shutdown" || id === "disable";
+  });
+};
+
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/cisco/helpers.ts
+var isShutdown7 = (node) => {
+  if (!node?.children) return false;
+  return node.children.some((child) => {
+    return child?.id && equalsIgnoreCase2(child.id.trim(), "shutdown");
+  });
+};
+var isPhysicalPort4 = (interfaceName) => {
+  return !includesIgnoreCase2(interfaceName, "loopback") && !includesIgnoreCase2(interfaceName, "null") && !includesIgnoreCase2(interfaceName, "vlan") && !includesIgnoreCase2(interfaceName, "tunnel") && !includesIgnoreCase2(interfaceName, "port-channel") && !includesIgnoreCase2(interfaceName, "bvi") && !includesIgnoreCase2(interfaceName, "nve");
+};
+var isTrunkPort4 = (node) => {
+  return hasChildCommand5(node, "switchport mode trunk");
+};
+var isTrunkToNonCisco2 = (node) => {
+  const desc = getChildCommand5(node, "description");
+  if (desc) {
+    const descText = desc.rawText;
+    if (includesIgnoreCase2(descText, "server:") || includesIgnoreCase2(descText, "storage:") || includesIgnoreCase2(descText, "esx") || includesIgnoreCase2(descText, "vmware") || includesIgnoreCase2(descText, "hyperv") || includesIgnoreCase2(descText, "hyper-v") || includesIgnoreCase2(descText, "linux") || includesIgnoreCase2(descText, "appliance") || includesIgnoreCase2(descText, "firewall") || includesIgnoreCase2(descText, "loadbalancer") || includesIgnoreCase2(descText, "lb:") || includesIgnoreCase2(descText, "nas:") || includesIgnoreCase2(descText, "san:")) {
+      return true;
+    }
+    if (includesIgnoreCase2(descText, "uplink:") || includesIgnoreCase2(descText, "downlink:") || includesIgnoreCase2(descText, "isl:") || includesIgnoreCase2(descText, "po-member:")) {
+      return false;
+    }
+  }
+  return false;
+};
+
 // ../rules-default/src/cisco/ios-rules.ts
 var TrunkNoDTP = {
   id: "NET-TRUNK-001",
@@ -12570,16 +12968,16 @@ var TrunkNoDTP = {
     remediation: 'Add "switchport nonegotiate" to disable DTP on trunk ports connected to non-Cisco devices.'
   },
   check: (node) => {
-    if (!isPhysicalPort(node.id) || isShutdown3(node)) {
+    if (!isPhysicalPort4(node.id) || isShutdown7(node)) {
       return { passed: true, message: "Not applicable.", ruleId: "NET-TRUNK-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isTrunkPort2(node)) {
+    if (!isTrunkPort4(node)) {
       return { passed: true, message: "Not a trunk port.", ruleId: "NET-TRUNK-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isTrunkToNonCisco(node)) {
+    if (!isTrunkToNonCisco2(node)) {
       return { passed: true, message: "Trunk to Cisco device - DTP acceptable.", ruleId: "NET-TRUNK-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!hasChildCommand(node, "switchport nonegotiate")) {
+    if (!hasChildCommand5(node, "switchport nonegotiate")) {
       return {
         passed: false,
         message: `Trunk port "${node.params.slice(1).join(" ")}" connected to non-Cisco device needs "switchport nonegotiate".`,
@@ -12604,11 +13002,11 @@ var AccessExplicitMode = {
     remediation: 'Add "switchport mode access" to explicitly configure access mode.'
   },
   check: (node) => {
-    if (!isPhysicalPort(node.id) || isShutdown3(node)) {
+    if (!isPhysicalPort4(node.id) || isShutdown7(node)) {
       return { passed: true, message: "Not applicable.", ruleId: "NET-ACCESS-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    const hasAccessVlan = hasChildCommand(node, "switchport access vlan");
-    const hasExplicitMode = hasChildCommand(node, "switchport mode");
+    const hasAccessVlan = hasChildCommand5(node, "switchport access vlan");
+    const hasExplicitMode = hasChildCommand5(node, "switchport mode");
     if (hasAccessVlan && !hasExplicitMode) {
       return {
         passed: false,
@@ -12746,6 +13144,38 @@ var allCiscoRules = [
   EnableSecretStrong
 ];
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/juniper/helpers.ts
+var findStanza8 = (node, stanzaName) => {
+  if (!node?.children) return void 0;
+  return node.children.find(
+    (child) => child?.id && equalsIgnoreCase2(child.id, stanzaName)
+  );
+};
+var findStanzas7 = (node, pattern) => {
+  if (!node?.children) return [];
+  return node.children.filter((child) => child?.id && pattern.test(child.id));
+};
+var isFilterTermDrop2 = (termNode) => {
+  if (!termNode?.children) return false;
+  for (const child of termNode.children) {
+    const id = child?.id?.trim();
+    if (!id) continue;
+    if (equalsIgnoreCase2(id, "then discard") || equalsIgnoreCase2(id, "then discard;") || equalsIgnoreCase2(id, "then reject") || equalsIgnoreCase2(id, "then reject;")) {
+      return true;
+    }
+  }
+  const thenStanza = findStanza8(termNode, "then");
+  if (!thenStanza?.children) return false;
+  for (const child of thenStanza.children) {
+    const id = child?.id?.trim();
+    if (!id) continue;
+    if (equalsIgnoreCase2(id, "discard") || equalsIgnoreCase2(id, "discard;") || equalsIgnoreCase2(id, "reject") || equalsIgnoreCase2(id, "reject;")) {
+      return true;
+    }
+  }
+  return false;
+};
+
 // ../rules-default/src/juniper/junos-rules.ts
 var RootAuthRequired = {
   id: "JUN-SYS-001",
@@ -12759,7 +13189,7 @@ var RootAuthRequired = {
     remediation: 'Configure "root-authentication" under system stanza with encrypted-password or ssh-rsa.'
   },
   check: (node) => {
-    const rootAuth = findStanza4(node, "root-authentication");
+    const rootAuth = findStanza8(node, "root-authentication");
     if (!rootAuth) {
       return {
         passed: false,
@@ -12770,8 +13200,8 @@ var RootAuthRequired = {
         loc: node.loc
       };
     }
-    const hasPassword = hasChildCommand(rootAuth, "encrypted-password");
-    const hasSshKey = hasChildCommand(rootAuth, "ssh-rsa") || hasChildCommand(rootAuth, "ssh-ecdsa");
+    const hasPassword = hasChildCommand5(rootAuth, "encrypted-password");
+    const hasSshKey = hasChildCommand5(rootAuth, "ssh-rsa") || hasChildCommand5(rootAuth, "ssh-ecdsa");
     if (!hasPassword && !hasSshKey) {
       return {
         passed: false,
@@ -12804,7 +13234,7 @@ var JunosBgpRouterId = {
     remediation: 'Configure "router-id" under routing-options stanza.'
   },
   check: (node) => {
-    const hasRouterId = hasChildCommand(node, "router-id");
+    const hasRouterId = hasChildCommand5(node, "router-id");
     if (!hasRouterId) {
       return {
         passed: false,
@@ -12855,7 +13285,7 @@ var JunosFirewallDefaultDeny = {
     }
     const issues = [];
     for (const filter of filters) {
-      const terms = findStanzas3(filter, /^term/i);
+      const terms = findStanzas7(filter, /^term/i);
       if (terms.length === 0) {
         continue;
       }
@@ -12863,7 +13293,7 @@ var JunosFirewallDefaultDeny = {
       if (!lastTerm) {
         continue;
       }
-      if (!isFilterTermDrop(lastTerm)) {
+      if (!isFilterTermDrop2(lastTerm)) {
         issues.push(`Filter "${filter.id}" does not end with a deny term.`);
       }
     }
@@ -12896,6 +13326,69 @@ var allJuniperRules = [
   JunosFirewallDefaultDeny
 ];
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/aruba/helpers.ts
+var getInterfaceName4 = (node) => {
+  if (!node?.id) return void 0;
+  const match = node.id.match(/interface\s+(.+)/i);
+  const ifName = match?.[1]?.trim();
+  return ifName && ifName.length > 0 ? ifName : void 0;
+};
+var isAosCxPhysicalPort2 = (interfaceName) => {
+  return /^\d+\/\d+\/\d+$/.test(interfaceName.trim());
+};
+var isAosCxLag2 = (interfaceName) => {
+  return /^lag\s*\d+$/i.test(interfaceName.trim());
+};
+var isAosCxTrunk2 = (node) => {
+  return hasChildCommand5(node, "vlan trunk");
+};
+var getAosCxTrunkAllowed2 = (node) => {
+  const cmd = getChildCommand5(node, "vlan trunk allowed");
+  if (!cmd) return [];
+  const match = cmd.id.match(/vlan\s+trunk\s+allowed\s+([\d,]+)/i);
+  const vlanList = match?.[1];
+  if (!vlanList) return [];
+  return vlanList.split(",").map((v) => parseInt(v.trim(), 10)).filter((v) => !isNaN(v));
+};
+var getAosSwitchVlanName2 = (node) => {
+  const cmd = getChildCommand5(node, "name");
+  if (!cmd) return void 0;
+  const match = cmd.id.match(/name\s+["']?([^"']+)["']?/i);
+  const name = match?.[1];
+  return name?.trim();
+};
+var getWlanEncryption2 = (node) => {
+  const cmd = getChildCommand5(node, "opmode");
+  if (!cmd) return null;
+  const match = cmd.id.match(/opmode\s+(\S+)/i);
+  const mode = match?.[1];
+  return mode ? mode.toLowerCase() : null;
+};
+var hasSecureEncryption2 = (node) => {
+  const opmode = getWlanEncryption2(node);
+  if (!opmode) return false;
+  return opmode.includes("wpa2") || opmode.includes("wpa3") || opmode.includes("aes");
+};
+var isOpenSsid2 = (node) => {
+  const opmode = getWlanEncryption2(node);
+  return opmode === "opensystem" || opmode === "open";
+};
+var getRadiusHost2 = (node) => {
+  const cmd = getChildCommand5(node, "host");
+  if (!cmd) return void 0;
+  const match = cmd.id.match(/host\s+(\S+)/i);
+  const host = match?.[1];
+  return host?.trim();
+};
+var extractProfileName2 = (nodeId) => {
+  const match = nodeId.match(/(?:ssid-profile|virtual-ap|profile|server-group|ap-group|arm-profile)\s+["']?([^"'\n]+)["']?$/i);
+  const profile = match?.[1];
+  return profile ? profile.trim() : void 0;
+};
+var hasDescription5 = (node) => {
+  return hasChildCommand5(node, "description");
+};
+
 // ../rules-default/src/aruba/common-rules.ts
 var SshEnabled = {
   id: "ARU-SEC-001",
@@ -12983,17 +13476,17 @@ var AosCxInterfaceDescription = {
     remediation: "Add a description to physical interfaces for documentation."
   },
   check: (node) => {
-    const ifName = getInterfaceName(node);
+    const ifName = getInterfaceName4(node);
     if (!ifName) {
       return { passed: true, message: "Not an interface.", ruleId: "AOSCX-IF-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isAosCxPhysicalPort(ifName) && !isAosCxLag(ifName)) {
+    if (!isAosCxPhysicalPort2(ifName) && !isAosCxLag2(ifName)) {
       return { passed: true, message: "Not a physical interface.", ruleId: "AOSCX-IF-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (isShutdown(node)) {
+    if (isShutdown6(node)) {
       return { passed: true, message: "Interface is shutdown.", ruleId: "AOSCX-IF-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!hasDescription(node)) {
+    if (!hasDescription5(node)) {
       return {
         passed: false,
         message: `Interface ${ifName} missing description.`,
@@ -13025,17 +13518,17 @@ var AosCxTrunkAllowedVlans = {
     remediation: 'Configure "vlan trunk allowed <vlans>" on trunk interfaces.'
   },
   check: (node) => {
-    const ifName = getInterfaceName(node);
+    const ifName = getInterfaceName4(node);
     if (!ifName) {
       return { passed: true, message: "Not an interface.", ruleId: "AOSCX-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isAosCxPhysicalPort(ifName) && !isAosCxLag(ifName)) {
+    if (!isAosCxPhysicalPort2(ifName) && !isAosCxLag2(ifName)) {
       return { passed: true, message: "Not a switchport interface.", ruleId: "AOSCX-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isAosCxTrunk(node)) {
+    if (!isAosCxTrunk2(node)) {
       return { passed: true, message: "Not a trunk port.", ruleId: "AOSCX-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    const allowedVlans = getAosCxTrunkAllowed(node);
+    const allowedVlans = getAosCxTrunkAllowed2(node);
     if (allowedVlans.length === 0) {
       return {
         passed: false,
@@ -13085,7 +13578,7 @@ var AosSwitchVlanName = {
     if (vlanId === null || isDefaultVlan(vlanId)) {
       return { passed: true, message: "Default VLAN 1.", ruleId: "AOSSW-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    const vlanName = getAosSwitchVlanName(node);
+    const vlanName = getAosSwitchVlanName2(node);
     if (!vlanName) {
       return {
         passed: false,
@@ -13159,8 +13652,8 @@ var WlcSsidEncryption = {
     remediation: 'Configure "opmode wpa2-aes" or "opmode wpa3-sae-aes" for secure encryption.'
   },
   check: (node) => {
-    const profileName = extractProfileName(node.id);
-    const opmode = getWlanEncryption(node);
+    const profileName = extractProfileName2(node.id);
+    const opmode = getWlanEncryption2(node);
     if (!opmode) {
       return {
         passed: false,
@@ -13171,7 +13664,7 @@ var WlcSsidEncryption = {
         loc: node.loc
       };
     }
-    if (isOpenSsid(node)) {
+    if (isOpenSsid2(node)) {
       return {
         passed: false,
         message: `SSID profile "${profileName}" is open/unencrypted. Use WPA2 or WPA3.`,
@@ -13181,7 +13674,7 @@ var WlcSsidEncryption = {
         loc: node.loc
       };
     }
-    if (!hasSecureEncryption(node)) {
+    if (!hasSecureEncryption2(node)) {
       return {
         passed: false,
         message: `SSID profile "${profileName}" uses weak encryption (${opmode}). Use WPA2 or WPA3.`,
@@ -13213,8 +13706,8 @@ var WlcRadiusHost = {
     remediation: 'Configure "host <ip-address>" for the RADIUS server.'
   },
   check: (node) => {
-    const profileName = extractProfileName(node.id);
-    const host = getRadiusHost(node);
+    const profileName = extractProfileName2(node.id);
+    const host = getRadiusHost2(node);
     if (!host) {
       return {
         passed: false,
@@ -13262,20 +13755,48 @@ function getRulesByArubaVendor(vendorId) {
   }
 }
 
-// ../rules-default/src/paloalto/panos-rules.ts
-var HostnameRequired = {
-  id: "PAN-SYS-001",
-  selector: "deviceconfig",
-  vendor: "paloalto-panos",
-  category: "Documentation",
-  metadata: {
-    level: "warning",
-    obu: "Network Engineering",
-    owner: "NetOps",
-    remediation: "Configure hostname under deviceconfig > system."
-  },
-  check: (node) => {
-    const system = findStanza6(node, "system");
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/paloalto/helpers.ts
+var findStanza9 = (node, stanzaName) => {
+  if (!node?.children) return void 0;
+  return node.children.find(
+    (child) => child?.id?.toLowerCase() === stanzaName.toLowerCase()
+  );
+};
+var hasLogging3 = (ruleNode) => {
+  const logStart = hasChildCommand5(ruleNode, "log-start");
+  const logEnd = hasChildCommand5(ruleNode, "log-end");
+  return { logStart, logEnd };
+};
+var isRuleDisabled2 = (ruleNode) => {
+  const disabled = getChildCommand5(ruleNode, "disabled");
+  if (!disabled) return false;
+  return disabled.id.toLowerCase().includes("yes") || disabled.id.toLowerCase().includes("true");
+};
+var getSecurityRules2 = (rulebaseNode) => {
+  const security = findStanza9(rulebaseNode, "security");
+  if (!security) return [];
+  const rules = findStanza9(security, "rules");
+  if (!rules?.children) return [];
+  return rules.children;
+};
+var hasZoneProtectionProfile2 = (zoneNode) => {
+  return hasChildCommand5(zoneNode, "zone-protection-profile");
+};
+
+// ../rules-default/src/paloalto/panos-rules.ts
+var HostnameRequired = {
+  id: "PAN-SYS-001",
+  selector: "deviceconfig",
+  vendor: "paloalto-panos",
+  category: "Documentation",
+  metadata: {
+    level: "warning",
+    obu: "Network Engineering",
+    owner: "NetOps",
+    remediation: "Configure hostname under deviceconfig > system."
+  },
+  check: (node) => {
+    const system = findStanza9(node, "system");
     if (!system) {
       return {
         passed: false,
@@ -13286,7 +13807,7 @@ var HostnameRequired = {
         loc: node.loc
       };
     }
-    const hasHostname = hasChildCommand(system, "hostname");
+    const hasHostname = hasChildCommand5(system, "hostname");
     if (!hasHostname) {
       return {
         passed: false,
@@ -13319,7 +13840,7 @@ var SecurityRuleLogging = {
     remediation: "Enable log-end (and optionally log-start) on all security rules."
   },
   check: (node) => {
-    const rules = getSecurityRules(node);
+    const rules = getSecurityRules2(node);
     if (rules.length === 0) {
       return {
         passed: true,
@@ -13332,8 +13853,8 @@ var SecurityRuleLogging = {
     }
     const issues = [];
     for (const rule of rules) {
-      if (isRuleDisabled(rule)) continue;
-      const logging = hasLogging2(rule);
+      if (isRuleDisabled2(rule)) continue;
+      const logging = hasLogging3(rule);
       if (!logging.logEnd) {
         issues.push(`Rule "${rule.id}" does not have log-end enabled.`);
       }
@@ -13372,7 +13893,7 @@ var ZoneProtectionRequired = {
   check: (node) => {
     const issues = [];
     for (const zone of node.children) {
-      if (!hasZoneProtectionProfile(zone)) {
+      if (!hasZoneProtectionProfile2(zone)) {
         issues.push(`Zone "${zone.id}" does not have a Zone Protection Profile applied.`);
       }
     }
@@ -13420,6 +13941,34 @@ function getRulesByPaloAltoVendor() {
   return [...allCommonRules, ...allPaloAltoRules];
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/arista/helpers.ts
+var checkMlagRequirements2 = (mlagNode) => {
+  return {
+    hasDomainId: hasChildCommand5(mlagNode, "domain-id"),
+    hasPeerLink: hasChildCommand5(mlagNode, "peer-link"),
+    hasPeerAddress: hasChildCommand5(mlagNode, "peer-address"),
+    hasLocalInterface: hasChildCommand5(mlagNode, "local-interface")
+  };
+};
+var isShutdown8 = (interfaceNode) => {
+  if (!interfaceNode?.children) return false;
+  const hasShutdown = interfaceNode.children.some(
+    (child) => child?.id && equalsIgnoreCase2(child.id, "shutdown")
+  );
+  const hasNoShutdown = interfaceNode.children.some(
+    (child) => child?.id && equalsIgnoreCase2(child.id, "no shutdown")
+  );
+  return hasShutdown && !hasNoShutdown;
+};
+var getInterfaceDescription2 = (interfaceNode) => {
+  if (!interfaceNode?.children) return void 0;
+  const descCmd = interfaceNode.children.find(
+    (child) => child?.id && startsWithIgnoreCase2(child.id, "description ")
+  );
+  if (!descCmd) return void 0;
+  return descCmd.id.replace(/^description\s+/i, "").trim();
+};
+
 // ../rules-default/src/arista/eos-rules.ts
 var HostnameRequired2 = {
   id: "ARI-SYS-001",
@@ -13468,7 +14017,7 @@ var MlagConfigComplete = {
     remediation: "MLAG configuration requires: domain-id, peer-link, peer-address, and local-interface."
   },
   check: (node, context) => {
-    const requirements = checkMlagRequirements(node);
+    const requirements = checkMlagRequirements2(node);
     const issues = [];
     if (!requirements.hasDomainId) {
       issues.push("domain-id");
@@ -13514,7 +14063,7 @@ var InterfaceDescription = {
     remediation: "Add description to interface: description <text>"
   },
   check: (node, context) => {
-    if (isShutdown2(node)) {
+    if (isShutdown8(node)) {
       return {
         passed: true,
         message: "Interface is shutdown, description not required.",
@@ -13524,7 +14073,7 @@ var InterfaceDescription = {
         loc: node.loc
       };
     }
-    const description = getInterfaceDescription(node);
+    const description = getInterfaceDescription2(node);
     if (!description) {
       return {
         passed: false,
@@ -13559,6 +14108,37 @@ function getRulesByAristaVendor() {
   return [...allCommonRules, ...allAristaRules];
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/vyos/helpers.ts
+var isDisabled4 = (node) => {
+  if (!node?.children) return false;
+  return node.children.some((child) => child?.id?.toLowerCase().trim() === "disable");
+};
+var findStanzasByPrefix3 = (node, prefix) => {
+  if (!node?.children) return [];
+  return node.children.filter(
+    (child) => child?.id?.toLowerCase().startsWith(prefix.toLowerCase())
+  );
+};
+var getEthernetInterfaces2 = (interfacesNode) => {
+  if (!interfacesNode?.children) return [];
+  return interfacesNode.children.filter(
+    (child) => child?.id?.toLowerCase().startsWith("ethernet eth")
+  );
+};
+var getFirewallDefaultAction2 = (rulesetNode) => {
+  if (!rulesetNode?.children) return void 0;
+  for (const child of rulesetNode.children) {
+    const id = child?.id?.toLowerCase().trim();
+    if (!id) continue;
+    if (id.startsWith("default-action")) {
+      if (id.includes("drop")) return "drop";
+      if (id.includes("accept")) return "accept";
+      if (id.includes("reject")) return "reject";
+    }
+  }
+  return void 0;
+};
+
 // ../rules-default/src/vyos/vyos-rules.ts
 var VyosHostnameRequired = {
   id: "VYOS-SYS-001",
@@ -13572,7 +14152,7 @@ var VyosHostnameRequired = {
     remediation: 'Configure "host-name" under system stanza.'
   },
   check: (node) => {
-    const hasHostname = hasChildCommand(node, "host-name");
+    const hasHostname = hasChildCommand5(node, "host-name");
     if (!hasHostname) {
       return {
         passed: false,
@@ -13641,12 +14221,12 @@ var VyosInterfaceDescription = {
   },
   check: (node) => {
     const issues = [];
-    const ethernetInterfaces = getEthernetInterfaces(node);
+    const ethernetInterfaces = getEthernetInterfaces2(node);
     for (const iface of ethernetInterfaces) {
-      if (isDisabled2(iface)) {
+      if (isDisabled4(iface)) {
         continue;
       }
-      const hasDesc = hasChildCommand(iface, "description");
+      const hasDesc = hasChildCommand5(iface, "description");
       if (!hasDesc) {
         const ifaceName = iface.id.split(/\s+/).pop() || iface.id;
         issues.push(`Interface "${ifaceName}" missing description.`);
@@ -13684,7 +14264,7 @@ var VyosFirewallDefaultAction = {
     remediation: 'Set "default-action drop" or "default-action reject" for each firewall ruleset.'
   },
   check: (node) => {
-    const rulesets = findStanzasByPrefix2(node, "name");
+    const rulesets = findStanzasByPrefix3(node, "name");
     if (rulesets.length === 0) {
       return {
         passed: true,
@@ -13697,7 +14277,7 @@ var VyosFirewallDefaultAction = {
     }
     const issues = [];
     for (const ruleset of rulesets) {
-      const defaultAction = getFirewallDefaultAction(ruleset);
+      const defaultAction = getFirewallDefaultAction2(ruleset);
       if (!defaultAction) {
         const rulesetName = ruleset.id.split(/\s+/)[1] || ruleset.id;
         issues.push(`Firewall ruleset "${rulesetName}" has no default-action configured.`);
@@ -13739,6 +14319,65 @@ function getRulesByVyosVendor() {
   return [...allCommonRules, ...allVyosRules];
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/fortinet/helpers.ts
+var getEditEntries2 = (configSection) => {
+  if (!configSection?.children) return [];
+  return configSection.children.filter(
+    (child) => child?.id?.toLowerCase().startsWith("edit ")
+  );
+};
+var getEditEntryName2 = (editEntry) => {
+  const match = editEntry.id.match(/^edit\s+["']?([^"']+)["']?$/i);
+  const entryName = match?.[1];
+  return entryName ?? editEntry.id;
+};
+var getSetValue2 = (node, paramName) => {
+  if (!node?.children) return void 0;
+  const normalizedParam = paramName.toLowerCase();
+  for (const child of node.children) {
+    const childId = child?.id?.toLowerCase();
+    if (!childId) continue;
+    const match = childId.match(new RegExp(`^set\\s+${normalizedParam}\\s+(.+)$`, "i"));
+    const value = match?.[1];
+    if (value) {
+      return value.replace(/^["']|["']$/g, "").trim();
+    }
+  }
+  return void 0;
+};
+var isPolicyDisabled2 = (policyNode) => {
+  const status = getSetValue2(policyNode, "status");
+  return status?.toLowerCase() === "disable";
+};
+var hasLogging4 = (policyNode) => {
+  const logtraffic = getSetValue2(policyNode, "logtraffic");
+  const logtrafficStart = getSetValue2(policyNode, "logtraffic-start");
+  return {
+    logtraffic,
+    logtrafficStart: logtrafficStart?.toLowerCase() === "enable"
+  };
+};
+var getAdminProfile2 = (adminNode) => {
+  return getSetValue2(adminNode, "accprofile");
+};
+var isSuperAdmin2 = (adminNode) => {
+  const profile = getAdminProfile2(adminNode);
+  return profile?.toLowerCase() === "super_admin";
+};
+var getAdminTrustedHosts2 = (adminNode) => {
+  const trustedHosts = [];
+  for (let i = 1; i <= 10; i++) {
+    const host = getSetValue2(adminNode, `trusthost${i}`);
+    if (host && host !== "0.0.0.0 0.0.0.0") {
+      trustedHosts.push(host);
+    }
+  }
+  return trustedHosts;
+};
+var hasAdminTrustedHosts2 = (adminNode) => {
+  return getAdminTrustedHosts2(adminNode).length > 0;
+};
+
 // ../rules-default/src/fortinet/fortigate-rules.ts
 var HostnameRequired3 = {
   id: "FGT-SYS-001",
@@ -13752,7 +14391,7 @@ var HostnameRequired3 = {
     remediation: 'Configure hostname under "config system global" using "set hostname <name>".'
   },
   check: (node) => {
-    const hostname = getSetValue(node, "hostname");
+    const hostname = getSetValue2(node, "hostname");
     if (!hostname) {
       return {
         passed: false,
@@ -13785,7 +14424,7 @@ var AdminTrustedHostRequired = {
     remediation: 'Configure trusted hosts for each admin user using "set trusthost1", "set trusthost2", etc.'
   },
   check: (node) => {
-    const admins = getEditEntries(node);
+    const admins = getEditEntries2(node);
     if (admins.length === 0) {
       return {
         passed: true,
@@ -13798,11 +14437,11 @@ var AdminTrustedHostRequired = {
     }
     const issues = [];
     for (const admin of admins) {
-      const adminName = getEditEntryName(admin);
-      if (hasAdminTrustedHosts(admin)) {
+      const adminName = getEditEntryName2(admin);
+      if (hasAdminTrustedHosts2(admin)) {
         continue;
       }
-      if (isSuperAdmin(admin)) {
+      if (isSuperAdmin2(admin)) {
         issues.push(`Super admin "${adminName}" has no trusted host restrictions. This is a critical security issue.`);
       } else {
         issues.push(`Admin "${adminName}" has no trusted host restrictions.`);
@@ -13840,7 +14479,7 @@ var PolicyLoggingRequired = {
     remediation: 'Enable logging on all firewall policies using "set logtraffic all" or "set logtraffic utm".'
   },
   check: (node) => {
-    const policies = getEditEntries(node);
+    const policies = getEditEntries2(node);
     if (policies.length === 0) {
       return {
         passed: true,
@@ -13853,10 +14492,10 @@ var PolicyLoggingRequired = {
     }
     const issues = [];
     for (const policy of policies) {
-      if (isPolicyDisabled(policy)) continue;
-      const logging = hasLogging(policy);
+      if (isPolicyDisabled2(policy)) continue;
+      const logging = hasLogging4(policy);
       if (!logging.logtraffic || isFeatureDisabled(logging.logtraffic)) {
-        const policyId = getEditEntryName(policy);
+        const policyId = getEditEntryName2(policy);
         issues.push(`Policy ${policyId} does not have logging enabled.`);
       }
     }
@@ -13894,6 +14533,44 @@ function getRulesByFortinetVendor() {
   return [...allCommonRules, ...allFortinetRules];
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/extreme/helpers.ts
+var getExosVlanName2 = (node) => {
+  const match = node.id.match(/^(?:create|configure)\s+vlan\s+["']?(\w+)["']?/i);
+  const vlanName = match?.[1];
+  return vlanName?.trim();
+};
+var isVossVlanCreate2 = (node) => {
+  return /^vlan\s+create\s+\d+/i.test(node.id);
+};
+var getVossVlanId2 = (node) => {
+  const match = node.id.match(/^vlan\s+(?:create|members|i-sid)\s+(\d+)/i);
+  const vlanId = match?.[1];
+  return vlanId ? parseInt(vlanId, 10) : void 0;
+};
+var isVossGigabitEthernet2 = (node) => {
+  return /^interface\s+GigabitEthernet\s+\d+\/\d+/i.test(node.id);
+};
+var isVossShutdown2 = (node) => {
+  if (!node?.children) return false;
+  const hasShutdown = node.children.some(
+    (child) => child?.id?.toLowerCase() === "shutdown"
+  );
+  const hasNoShutdown = node.children.some(
+    (child) => child?.id?.toLowerCase() === "no shutdown"
+  );
+  return hasShutdown && !hasNoShutdown;
+};
+var getVossDefaultVlan2 = (node) => {
+  if (!node?.children) return void 0;
+  const defaultVlan = node.children.find(
+    (child) => child?.id && /^default-vlan-id\s+\d+/i.test(child.id)
+  );
+  if (!defaultVlan?.id) return void 0;
+  const match = defaultVlan.id.match(/default-vlan-id\s+(\d+)/i);
+  const vlanId = match?.[1];
+  return vlanId ? parseInt(vlanId, 10) : void 0;
+};
+
 // ../rules-default/src/extreme/exos-rules.ts
 var ExosSysnameRequired = {
   id: "EXOS-SYS-001",
@@ -13973,7 +14650,7 @@ var ExosVlanNaming = {
     remediation: 'Use descriptive VLAN names: create vlan "<meaningful-name>" tag <id>'
   },
   check: (node, context) => {
-    const vlanName = getExosVlanName(node);
+    const vlanName = getExosVlanName2(node);
     if (!vlanName) {
       return {
         passed: false,
@@ -14064,7 +14741,7 @@ var VossVlanIsidRequired = {
     remediation: "Configure I-SID for VLAN: vlan i-sid <vlan-id> <isid>"
   },
   check: (node, context) => {
-    if (!isVossVlanCreate(node)) {
+    if (!isVossVlanCreate2(node)) {
       return {
         passed: true,
         message: "Not a VLAN create command.",
@@ -14074,7 +14751,7 @@ var VossVlanIsidRequired = {
         loc: node.loc
       };
     }
-    const vlanId = getVossVlanId(node);
+    const vlanId = getVossVlanId2(node);
     if (!vlanId) {
       return {
         passed: false,
@@ -14117,7 +14794,7 @@ var VossInterfaceDefaultVlan = {
     remediation: "Configure default VLAN: default-vlan-id <vlan-id>"
   },
   check: (node, context) => {
-    if (!isVossGigabitEthernet(node)) {
+    if (!isVossGigabitEthernet2(node)) {
       return {
         passed: true,
         message: "Not a GigabitEthernet interface.",
@@ -14127,7 +14804,7 @@ var VossInterfaceDefaultVlan = {
         loc: node.loc
       };
     }
-    if (isVossShutdown(node)) {
+    if (isVossShutdown2(node)) {
       return {
         passed: true,
         message: "Interface is shutdown.",
@@ -14137,7 +14814,7 @@ var VossInterfaceDefaultVlan = {
         loc: node.loc
       };
     }
-    const defaultVlan = getVossDefaultVlan(node);
+    const defaultVlan = getVossDefaultVlan2(node);
     if (!defaultVlan) {
       return {
         passed: false,
@@ -14189,6 +14866,22 @@ function getRulesByExtremeVendor(vendorId) {
   }
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/huawei/helpers.ts
+var isEnabled4 = (node) => {
+  if (!node?.children) return false;
+  return node.children.some((child) => {
+    const rawText = child?.rawText?.toLowerCase().trim();
+    return rawText === "undo shutdown";
+  });
+};
+var isPhysicalPort5 = (interfaceName) => {
+  const name = interfaceName.toLowerCase();
+  return !name.includes("vlanif") && !name.includes("loopback") && !name.includes("null") && !name.includes("tunnel") && !name.includes("eth-trunk") && !name.includes("nve") && !name.includes("vbdif");
+};
+var hasDescription6 = (node) => {
+  return hasChildCommand5(node, "description");
+};
+
 // ../rules-default/src/huawei/vrp-rules.ts
 var SysnameRequired = {
   id: "HUAWEI-SYS-001",
@@ -14236,7 +14929,7 @@ var InterfaceDescriptionRequired2 = {
   },
   check: (node) => {
     const interfaceName = node.id.replace(/^interface\s+/i, "").trim();
-    if (!isPhysicalPort2(interfaceName)) {
+    if (!isPhysicalPort5(interfaceName)) {
       return {
         passed: true,
         message: "Non-physical interface, description optional.",
@@ -14246,7 +14939,7 @@ var InterfaceDescriptionRequired2 = {
         loc: node.loc
       };
     }
-    if (!isEnabled(node)) {
+    if (!isEnabled4(node)) {
       return {
         passed: true,
         message: "Interface is shutdown, description optional.",
@@ -14256,7 +14949,7 @@ var InterfaceDescriptionRequired2 = {
         loc: node.loc
       };
     }
-    if (!hasDescription3(node)) {
+    if (!hasDescription6(node)) {
       return {
         passed: false,
         message: `Interface ${interfaceName} is enabled but has no description.`,
@@ -14340,6 +15033,55 @@ function getRulesByHuaweiVendor() {
   return [...allCommonRules, ...allHuaweiRules];
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/mikrotik/helpers.ts
+var parseProperty2 = (commandStr, propertyName) => {
+  const regex = new RegExp(`\\b${propertyName}=(?:"([^"]+)"|'([^']+)'|(\\S+))`, "i");
+  const match = commandStr.match(regex);
+  if (match) {
+    return match[1] || match[2] || match[3];
+  }
+  return void 0;
+};
+var getFirewallChain2 = (nodeOrCommand) => {
+  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
+  return parseProperty2(str, "chain");
+};
+var getFirewallAction2 = (nodeOrCommand) => {
+  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
+  return parseProperty2(str, "action");
+};
+var getName2 = (nodeOrCommand) => {
+  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
+  return parseProperty2(str, "name");
+};
+var isAddCommand2 = (nodeOrCommand) => {
+  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
+  return /^add\s+/i.test(str.trim());
+};
+var isSetCommand2 = (nodeOrCommand) => {
+  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
+  return /^set\s+/i.test(str.trim());
+};
+var getAddCommands2 = (node) => {
+  if (!node?.children) return [];
+  return node.children.filter((child) => isAddCommand2(child));
+};
+var isServiceDisabled2 = (nodeOrCommand) => {
+  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
+  const disabled = parseProperty2(str, "disabled");
+  return disabled?.toLowerCase() === "yes";
+};
+var getSystemIdentity2 = (node) => {
+  if (!node?.children) return void 0;
+  for (const child of node.children) {
+    if (isSetCommand2(child)) {
+      const name = getName2(child);
+      if (name) return name;
+    }
+  }
+  return void 0;
+};
+
 // ../rules-default/src/mikrotik/routeros-rules.ts
 var MikrotikSystemIdentity = {
   id: "MIK-SYS-001",
@@ -14353,7 +15095,7 @@ var MikrotikSystemIdentity = {
     remediation: "Configure system identity: /system identity set name=MyRouter"
   },
   check: (node) => {
-    const identity = getSystemIdentity(node);
+    const identity = getSystemIdentity2(node);
     if (!identity || equalsIgnoreCase(identity, "mikrotik") || equalsIgnoreCase(identity, "routerboard")) {
       return {
         passed: false,
@@ -14391,8 +15133,8 @@ var MikrotikDisableUnusedServices = {
     for (const child of node.children) {
       const childId = child.id.toLowerCase();
       for (const service of dangerousServices) {
-        if (childId.includes(service) && !isServiceDisabled(child)) {
-          const disabled = parseProperty(child.id, "disabled");
+        if (childId.includes(service) && !isServiceDisabled2(child)) {
+          const disabled = parseProperty2(child.id, "disabled");
           if (!disabled || !equalsIgnoreCase(disabled, "yes")) {
             issues.push(`Service '${service}' is enabled. Consider disabling it.`);
           }
@@ -14431,11 +15173,11 @@ var MikrotikInputChainDrop = {
     remediation: "Add drop rule for input chain: add chain=input action=drop"
   },
   check: (node) => {
-    const addCommands = getAddCommands(node);
+    const addCommands = getAddCommands2(node);
     let hasInputDrop = false;
     for (const cmd of addCommands) {
-      const chain = getFirewallChain(cmd);
-      const action = getFirewallAction(cmd);
+      const chain = getFirewallChain2(cmd);
+      const action = getFirewallAction2(cmd);
       if (chain && equalsIgnoreCase(chain, "input") && action && equalsIgnoreCase(action, "drop")) {
         hasInputDrop = true;
         break;
@@ -14472,6 +15214,60 @@ function getRulesByMikroTikVendor() {
   return [...allCommonRules, ...allMikroTikRules];
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/nokia/helpers.ts
+var isAdminStateDisabled2 = (node) => {
+  if (!node?.children) return false;
+  const directCheck = node.children.some((child) => {
+    const rawText = child?.rawText?.toLowerCase().trim();
+    return rawText === "admin-state disable";
+  });
+  if (directCheck) return true;
+  return node?.rawText?.toLowerCase().includes("admin-state disable") ?? false;
+};
+var isPhysicalPort6 = (portName) => {
+  const name = portName.toLowerCase();
+  return /^\d+\/\d+\/\d+/.test(name);
+};
+var hasDescription7 = (node) => {
+  return hasChildCommand5(node, "description");
+};
+var getDescription4 = (node) => {
+  const descCmd = getChildCommand5(node, "description");
+  if (descCmd?.rawText) {
+    const match = descCmd.rawText.match(/description\s+"([^"]+)"|description\s+(\S+)/i);
+    if (match) {
+      return match[1] || match[2];
+    }
+  }
+  return void 0;
+};
+var getSystemName2 = (node) => {
+  if (!node?.children) return void 0;
+  const nameCmd = node.children.find((child) => {
+    return child?.id?.toLowerCase().startsWith("name");
+  });
+  if (nameCmd?.rawText) {
+    const match = nameCmd.rawText.match(/name\s+"([^"]+)"/i);
+    if (match) {
+      return match[1];
+    }
+  }
+  return void 0;
+};
+var hasBgpRouterId3 = (node) => {
+  return hasChildCommand5(node, "router-id");
+};
+var getBgpRouterId2 = (node) => {
+  const routerIdCmd = getChildCommand5(node, "router-id");
+  if (routerIdCmd?.rawText) {
+    const match = routerIdCmd.rawText.match(/router-id\s+([\d.]+)/i);
+    if (match) {
+      return match[1];
+    }
+  }
+  return void 0;
+};
+
 // ../rules-default/src/nokia/sros-rules.ts
 var SystemNameRequired = {
   id: "NOKIA-SYS-001",
@@ -14485,7 +15281,7 @@ var SystemNameRequired = {
     remediation: 'Configure system name using: system > name "<hostname>"'
   },
   check: (node) => {
-    const name = getSystemName(node);
+    const name = getSystemName2(node);
     if (!name || name.length === 0) {
       return {
         passed: false,
@@ -14519,7 +15315,7 @@ var PortDescriptionRequired = {
   },
   check: (node) => {
     const portName = node.id.replace(/^port\s+/i, "").trim();
-    if (!isPhysicalPort3(portName)) {
+    if (!isPhysicalPort6(portName)) {
       return {
         passed: true,
         message: "Not a physical port, description optional.",
@@ -14529,7 +15325,7 @@ var PortDescriptionRequired = {
         loc: node.loc
       };
     }
-    if (isAdminStateDisabled(node)) {
+    if (isAdminStateDisabled2(node)) {
       return {
         passed: true,
         message: "Port is disabled, description optional.",
@@ -14539,7 +15335,7 @@ var PortDescriptionRequired = {
         loc: node.loc
       };
     }
-    if (!hasDescription4(node)) {
+    if (!hasDescription7(node)) {
       return {
         passed: false,
         message: `Port ${portName} is enabled but has no description.`,
@@ -14551,7 +15347,7 @@ var PortDescriptionRequired = {
     }
     return {
       passed: true,
-      message: `Port ${portName} has description: ${getDescription3(node)}`,
+      message: `Port ${portName} has description: ${getDescription4(node)}`,
       ruleId: "NOKIA-PORT-001",
       nodeId: node.id,
       level: "info",
@@ -14571,7 +15367,7 @@ var BgpRouterIdRequired = {
     remediation: "Configure BGP router-id: bgp > router-id <ip-address>"
   },
   check: (node) => {
-    if (isAdminStateDisabled(node)) {
+    if (isAdminStateDisabled2(node)) {
       return {
         passed: true,
         message: "BGP is disabled.",
@@ -14581,7 +15377,7 @@ var BgpRouterIdRequired = {
         loc: node.loc
       };
     }
-    if (!hasBgpRouterId2(node)) {
+    if (!hasBgpRouterId3(node)) {
       return {
         passed: false,
         message: "BGP router-id is not configured. Configure a stable router-id.",
@@ -14593,7 +15389,7 @@ var BgpRouterIdRequired = {
     }
     return {
       passed: true,
-      message: `BGP router-id is configured: ${getBgpRouterId(node)}`,
+      message: `BGP router-id is configured: ${getBgpRouterId2(node)}`,
       ruleId: "NOKIA-BGP-001",
       nodeId: node.id,
       level: "info",
@@ -14615,6 +15411,40 @@ function getRulesByNokiaVendor() {
   return [...allCommonRules, ...allNokiaRules];
 }
 
+// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/cumulus/helpers.ts
+var isSwitchPort2 = (interfaceName) => {
+  const name = interfaceName.toLowerCase();
+  return /swp\d+/.test(name);
+};
+var isBridgeInterface4 = (interfaceName) => {
+  const name = interfaceName.toLowerCase();
+  return name.includes("bridge") || name === "br_default" || /^br\d+$/.test(name);
+};
+var isVlanAwareBridge2 = (node) => {
+  return node.children.some(
+    (child) => child.id.toLowerCase().includes("bridge-vlan-aware") && child.id.toLowerCase().includes("yes")
+  );
+};
+var getInterfaceName6 = (node) => {
+  const parts = node.id.split(/\s+/);
+  return parts[1] || node.id;
+};
+var hasDescription8 = (node) => {
+  return node.children.some(
+    (child) => child.id.toLowerCase().startsWith("alias ")
+  );
+};
+var hasBridgeVids2 = (node) => {
+  return node.children.some(
+    (child) => child.id.toLowerCase().startsWith("bridge-vids ")
+  );
+};
+var hasBgpRouterId4 = (node) => {
+  return node.children.some(
+    (child) => child.id.toLowerCase().startsWith("bgp router-id ")
+  );
+};
+
 // ../rules-default/src/cumulus/cumulus-rules.ts
 var CumulusInterfaceDescription = {
   id: "CUM-IF-001",
@@ -14628,8 +15458,8 @@ var CumulusInterfaceDescription = {
     remediation: 'Add "alias <description>" under the interface stanza.'
   },
   check: (node) => {
-    const ifaceName = getInterfaceName2(node);
-    if (!isSwitchPort(ifaceName)) {
+    const ifaceName = getInterfaceName6(node);
+    if (!isSwitchPort2(ifaceName)) {
       return {
         passed: true,
         message: "Not a switch port interface.",
@@ -14639,7 +15469,7 @@ var CumulusInterfaceDescription = {
         loc: node.loc
       };
     }
-    if (!hasDescription2(node)) {
+    if (!hasDescription8(node)) {
       return {
         passed: false,
         message: `Switch port "${ifaceName}" missing description (alias).`,
@@ -14671,8 +15501,8 @@ var CumulusBridgeVlans = {
     remediation: 'Add "bridge-vids <vlan-ids>" to define allowed VLANs on the bridge.'
   },
   check: (node) => {
-    const ifaceName = getInterfaceName2(node);
-    if (!isBridgeInterface(ifaceName)) {
+    const ifaceName = getInterfaceName6(node);
+    if (!isBridgeInterface4(ifaceName)) {
       return {
         passed: true,
         message: "Not a bridge interface.",
@@ -14682,7 +15512,7 @@ var CumulusBridgeVlans = {
         loc: node.loc
       };
     }
-    if (!isVlanAwareBridge(node)) {
+    if (!isVlanAwareBridge2(node)) {
       return {
         passed: true,
         message: "Not a VLAN-aware bridge.",
@@ -14692,7 +15522,7 @@ var CumulusBridgeVlans = {
         loc: node.loc
       };
     }
-    if (!hasBridgeVids(node)) {
+    if (!hasBridgeVids2(node)) {
       return {
         passed: false,
         message: `VLAN-aware bridge "${ifaceName}" has no VLANs (bridge-vids) configured.`,
@@ -14724,7 +15554,7 @@ var CumulusBgpRouterId = {
     remediation: 'Add "bgp router-id <ip>" to explicitly set router ID.'
   },
   check: (node) => {
-    if (!hasBgpRouterId(node)) {
+    if (!hasBgpRouterId4(node)) {
       return {
         passed: false,
         message: "BGP missing explicit router-id configuration.",
@@ -14760,7 +15590,7 @@ function getRulesByCumulusVendor() {
 
 // ../rules-default/src/json/cisco-json-rules.json
 var cisco_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Cisco IOS JSON Rules",
@@ -14957,7 +15787,7 @@ var cisco_json_rules_default = {
 
 // ../rules-default/src/json/common-json-rules.json
 var common_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Common JSON Rules",
@@ -15005,7 +15835,7 @@ var common_json_rules_default = {
 
 // ../rules-default/src/json/juniper-json-rules.json
 var juniper_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Juniper JunOS JSON Rules",
@@ -15250,11 +16080,11 @@ function getRulesByVendor(vendorId) {
 // src/config.ts
 import { existsSync as existsSync2 } from "fs";
 import { readFile as readFileAsync } from "fs/promises";
-import { resolve as resolve2, dirname } from "path";
+import { resolve as resolve4, dirname } from "path";
 
 // src/security/pathValidator.ts
 import { existsSync, statSync, realpathSync } from "fs";
-import { extname, resolve } from "path";
+import { extname, resolve as resolve2 } from "path";
 function normalizeSeparators(p) {
   return p.replace(/\\/g, "/");
 }
@@ -15272,7 +16102,7 @@ function validatePath(inputPath, options = {}) {
         error: "Network (UNC) paths are not allowed"
       };
     }
-    const absolutePath = resolve(inputPath);
+    const absolutePath = resolve2(inputPath);
     const ext = extname(absolutePath).toLowerCase();
     if (allowedExtensions.length > 0 && !allowedExtensions.includes(ext)) {
       return {
@@ -15315,7 +16145,7 @@ function validatePath(inputPath, options = {}) {
       const normalizedCanonical = normalizeSeparators(canonicalPath);
       const isWithinBounds2 = allowedBaseDirs.some((baseDir) => {
         try {
-          const canonicalBase = realpathSync(resolve(baseDir));
+          const canonicalBase = realpathSync(resolve2(baseDir));
           const normalizedBase = normalizeSeparators(canonicalBase);
           return normalizedCanonical === normalizedBase || normalizedCanonical.startsWith(normalizedBase + "/");
         } catch {
@@ -15345,22 +16175,6 @@ function validateConfigPath(configPath, baseDirs) {
     mustExist: true
   });
 }
-function validateEncryptedPackPath(packPath, baseDirs) {
-  return validatePath(packPath, {
-    allowedBaseDirs: baseDirs,
-    allowedExtensions: ALLOWED_ENCRYPTED_PACK_EXTENSIONS,
-    maxFileSize: MAX_ENCRYPTED_PACK_SIZE,
-    mustExist: true
-  });
-}
-function validateGrx2PackPath(packPath, baseDirs) {
-  return validatePath(packPath, {
-    allowedBaseDirs: baseDirs,
-    allowedExtensions: ALLOWED_GRX2_PACK_EXTENSIONS,
-    maxFileSize: MAX_ENCRYPTED_PACK_SIZE,
-    mustExist: true
-  });
-}
 function validateJsonRulesPath(jsonPath, baseDirs) {
   return validatePath(jsonPath, {
     allowedBaseDirs: baseDirs,
@@ -15378,6 +16192,40 @@ function validateInputFilePath(filePath, maxSize = 10 * 1024 * 1024, baseDirs) {
     mustExist: true
   });
 }
+function validatePackPath(packPath, baseDirs) {
+  return validatePath(packPath, {
+    allowedBaseDirs: baseDirs,
+    allowedExtensions: [],
+    // Allow any extension - format detected via magic bytes
+    maxFileSize: MAX_ENCRYPTED_PACK_SIZE,
+    mustExist: true
+  });
+}
+
+// src/loaders/pack-detector.ts
+import { resolve as resolve3 } from "node:path";
+async function createPackDescriptor(filePath, orderIndex) {
+  const absolutePath = resolve3(filePath);
+  const format = await detectPackFormat(absolutePath);
+  const basePriority = FORMAT_PRIORITIES[format];
+  return {
+    path: absolutePath,
+    format,
+    basePriority,
+    priority: basePriority + orderIndex
+  };
+}
+async function createPackDescriptors(packPaths) {
+  const descriptors = [];
+  for (let i = 0; i < packPaths.length; i++) {
+    const packPath = packPaths[i];
+    if (packPath !== void 0) {
+      const descriptor = await createPackDescriptor(packPath, i);
+      descriptors.push(descriptor);
+    }
+  }
+  return descriptors;
+}
 
 // src/loaders/index.ts
 function validatePathOrThrow(path, pathValidator, errorContext, baseDirs) {
@@ -15424,11 +16272,11 @@ var CONFIG_FILES = [
   ".sentriflowrc.js"
 ];
 function findConfigFile(startDir) {
-  let currentDir = resolve2(startDir);
+  let currentDir = resolve4(startDir);
   let depth = 0;
   while (depth < MAX_TRAVERSAL_DEPTH) {
     for (const configFile of CONFIG_FILES) {
-      const configPath = resolve2(currentDir, configFile);
+      const configPath = resolve4(currentDir, configFile);
       if (existsSync2(configPath)) {
         const validation = validateConfigPath(configPath);
         if (validation.valid) {
@@ -15496,6 +16344,9 @@ function isValidSentriflowConfig(config) {
       return false;
     }
   }
+  if (obj.filterSpecialIps !== void 0 && typeof obj.filterSpecialIps !== "boolean") {
+    return false;
+  }
   return true;
 }
 function isValidDirectoryConfig(config) {
@@ -15595,93 +16446,6 @@ function mergeDirectoryOptions(cliOptions, configOptions) {
   }
   return result;
 }
-function isValidRule(rule) {
-  if (typeof rule !== "object" || rule === null) {
-    return false;
-  }
-  const obj = rule;
-  if (typeof obj.id !== "string" || !RULE_ID_PATTERN.test(obj.id)) {
-    return false;
-  }
-  if (typeof obj.check !== "function") {
-    return false;
-  }
-  if (obj.vendor !== void 0) {
-    if (Array.isArray(obj.vendor)) {
-      for (const v of obj.vendor) {
-        if (typeof v !== "string" || !isValidVendorId(v)) {
-          return false;
-        }
-      }
-    } else if (typeof obj.vendor !== "string" || !isValidVendorId(obj.vendor)) {
-      return false;
-    }
-  }
-  if (typeof obj.metadata !== "object" || obj.metadata === null) {
-    return false;
-  }
-  const metadata = obj.metadata;
-  if (!["error", "warning", "info"].includes(metadata.level)) {
-    return false;
-  }
-  return true;
-}
-function isValidRulePack(pack) {
-  if (typeof pack !== "object" || pack === null) {
-    return false;
-  }
-  const obj = pack;
-  if (typeof obj.name !== "string" || obj.name.length === 0) {
-    return false;
-  }
-  if (typeof obj.version !== "string" || obj.version.length === 0) {
-    return false;
-  }
-  if (typeof obj.publisher !== "string" || obj.publisher.length === 0) {
-    return false;
-  }
-  if (typeof obj.priority !== "number" || obj.priority < 0) {
-    return false;
-  }
-  if (!Array.isArray(obj.rules)) {
-    return false;
-  }
-  for (const rule of obj.rules) {
-    if (!isValidRule(rule)) {
-      return false;
-    }
-  }
-  if (obj.disables !== void 0) {
-    if (typeof obj.disables !== "object" || obj.disables === null) {
-      return false;
-    }
-    const disables = obj.disables;
-    if (disables.all !== void 0 && typeof disables.all !== "boolean") {
-      return false;
-    }
-    if (disables.vendors !== void 0) {
-      if (!Array.isArray(disables.vendors)) {
-        return false;
-      }
-      for (const v of disables.vendors) {
-        if (typeof v !== "string" || !isValidVendorId(v)) {
-          return false;
-        }
-      }
-    }
-    if (disables.rules !== void 0) {
-      if (!Array.isArray(disables.rules)) {
-        return false;
-      }
-      for (const r of disables.rules) {
-        if (typeof r !== "string") {
-          return false;
-        }
-      }
-    }
-  }
-  return true;
-}
 async function loadConfigFile(configPath, baseDirs) {
   return loadAndValidate({
     path: configPath,
@@ -15755,13 +16519,6 @@ ${errors}`);
     return compiledRules;
   }, "JSON rules");
 }
-function ruleAppliesToVendor(rule, vendorId) {
-  if (!rule.vendor) return true;
-  if (Array.isArray(rule.vendor)) {
-    return rule.vendor.includes("common") || rule.vendor.includes(vendorId);
-  }
-  return rule.vendor === "common" || rule.vendor === vendorId;
-}
 function isDefaultRuleDisabled(ruleId, vendorId, packs, legacyDisableIds) {
   if (legacyDisableIds.has(ruleId)) return true;
   for (const pack of packs) {
@@ -15800,7 +16557,7 @@ function mapPackLoadError(error) {
 async function loadEncryptedRulePack(packPath, licenseKey, baseDirs) {
   const canonicalPath = validatePathOrThrow(
     packPath,
-    validateEncryptedPackPath,
+    validatePackPath,
     "encrypted pack",
     baseDirs
   );
@@ -15829,13 +16586,9 @@ async function resolveRules(options = {}) {
     configPath,
     noConfig = false,
     rulesPath,
-    rulePackPath,
-    encryptedPackPaths,
+    packPaths,
     licenseKey,
     strictPacks = false,
-    // SEC-012: Default to graceful handling
-    grx2PackPaths,
-    strictGrx2 = false,
     // Default to graceful handling
     jsonRulesPaths,
     disableIds = [],
@@ -15844,9 +16597,8 @@ async function resolveRules(options = {}) {
     allowedBaseDirs
     // SEC-011: Allowed base directories for file path validation
   } = options;
-  const packPathsArray = encryptedPackPaths ? Array.isArray(encryptedPackPaths) ? encryptedPackPaths : [encryptedPackPaths] : [];
+  const packPathsArray = packPaths ? Array.isArray(packPaths) ? packPaths : [packPaths] : [];
   const jsonPathsArray = jsonRulesPaths ? Array.isArray(jsonRulesPaths) ? jsonRulesPaths : [jsonRulesPaths] : [];
-  const grx2PathsArray = grx2PackPaths ? Array.isArray(grx2PackPaths) ? grx2PackPaths : [grx2PackPaths] : [];
   let config = { includeDefaults: true };
   if (!noConfig) {
     const foundConfigPath = configPath ?? findConfigFile(cwd);
@@ -15879,10 +16631,6 @@ async function resolveRules(options = {}) {
       });
     }
   }
-  if (rulePackPath) {
-    const cliPack = await loadRulePackFile(rulePackPath, allowedBaseDirs);
-    allPacks.push(cliPack);
-  }
   if (config.jsonRules && config.jsonRules.length > 0) {
     for (const jsonPath of config.jsonRules) {
       try {
@@ -15927,118 +16675,128 @@ async function resolveRules(options = {}) {
     }
   }
   if (packPathsArray.length > 0) {
-    if (!licenseKey) {
-      const errorMsg = "License key required for encrypted packs (use --license-key or set SENTRIFLOW_LICENSE_KEY)";
+    let packDescriptors;
+    try {
+      packDescriptors = await createPackDescriptors(packPathsArray);
+    } catch (error) {
+      const errorMsg = error instanceof Error ? error.message : "Unknown error";
       if (strictPacks) {
-        throw new SentriflowConfigError(errorMsg);
-      }
-      console.error(`Warning: ${errorMsg}`);
-      console.error(
-        `Warning: Skipping ${packPathsArray.length} encrypted pack(s)`
-      );
-    } else {
-      for (let i = 0; i < packPathsArray.length; i++) {
-        const packPath = packPathsArray[i];
-        if (!packPath) continue;
-        try {
-          const encryptedPack = await loadEncryptedRulePack(
-            packPath,
-            licenseKey,
-            allowedBaseDirs
-          );
-          encryptedPack.priority = 200 + i;
-          allPacks.push(encryptedPack);
-        } catch (error) {
-          const errorMsg = error instanceof Error ? error.message : "Unknown error";
-          if (strictPacks) {
-            throw error;
-          }
-          console.error(`Warning: Failed to load encrypted pack: ${errorMsg}`);
-          console.error(`Warning: Skipping encrypted pack: ${packPath}`);
-        }
+        throw new SentriflowConfigError(`Pack detection failed: ${errorMsg}`);
       }
+      console.error(`Warning: Pack detection failed: ${errorMsg}`);
+      packDescriptors = [];
     }
-  }
-  if (grx2PathsArray.length > 0) {
-    if (!licenseKey) {
-      const errorMsg = "License key required for GRX2 packs (use --license-key or set SENTRIFLOW_LICENSE_KEY)";
-      if (strictGrx2) {
+    const hasEncryptedPacks = packDescriptors.some(
+      (d) => d.format === "grx2" || d.format === "grpx"
+    );
+    if (hasEncryptedPacks && !licenseKey) {
+      const errorMsg = "License key required for encrypted packs (use --license-key or set SENTRIFLOW_LICENSE_KEY)";
+      if (strictPacks) {
         throw new SentriflowConfigError(errorMsg);
       }
       console.error(`Warning: ${errorMsg}`);
-      console.error(
-        `Warning: Skipping ${grx2PathsArray.length} GRX2 pack(s)`
-      );
-    } else {
-      let machineId2;
+    }
+    let machineId2;
+    const hasGrx2Packs = packDescriptors.some((d) => d.format === "grx2");
+    if (hasGrx2Packs && licenseKey) {
       try {
         machineId2 = await getMachineId();
       } catch (error) {
         const errorMsg = "Failed to retrieve machine ID for license validation";
-        if (strictGrx2) {
+        if (strictPacks) {
           throw new SentriflowConfigError(errorMsg);
         }
         console.error(`Warning: ${errorMsg}`);
-        console.error(
-          `Warning: Skipping ${grx2PathsArray.length} GRX2 pack(s)`
-        );
-        machineId2 = "";
       }
-      if (machineId2) {
-        let loadedCount = 0;
-        let totalRules = 0;
-        const failedPacks = [];
-        for (let i = 0; i < grx2PathsArray.length; i++) {
-          const packPath = grx2PathsArray[i];
-          if (!packPath) continue;
-          try {
-            const validation = validateGrx2PackPath(packPath, allowedBaseDirs);
-            if (!validation.valid) {
-              throw new SentriflowConfigError(validation.error ?? "Invalid pack path");
+    }
+    let loadedCount = 0;
+    let totalRules = 0;
+    const failedPacks = [];
+    for (const desc of packDescriptors) {
+      try {
+        const validation = validatePackPath(desc.path, allowedBaseDirs);
+        if (!validation.valid) {
+          throw new SentriflowConfigError(validation.error ?? "Invalid pack path");
+        }
+        let loadedPack;
+        switch (desc.format) {
+          case "grx2": {
+            if (!licenseKey) {
+              console.error(`Warning: Skipping GRX2 pack (no license key): ${desc.path}`);
+              continue;
+            }
+            if (!machineId2) {
+              console.error(`Warning: Skipping GRX2 pack (no machine ID): ${desc.path}`);
+              continue;
             }
-            const grx2Pack = await loadExtendedPack(
+            loadedPack = await loadExtendedPack(
               validation.canonicalPath,
               licenseKey,
               machineId2
             );
-            grx2Pack.priority = 300 + i;
-            allPacks.push(grx2Pack);
-            loadedCount++;
-            totalRules += grx2Pack.rules.length;
-          } catch (error) {
-            let errorMsg;
-            if (error instanceof EncryptedPackError) {
-              const messages = {
-                LICENSE_MISSING: "Invalid or missing license key",
-                LICENSE_EXPIRED: "License has expired",
-                LICENSE_INVALID: "License key is invalid for this pack",
-                DECRYPTION_FAILED: "Failed to decrypt pack (invalid key or corrupted data)",
-                MACHINE_MISMATCH: "License is not valid for this machine",
-                PACK_CORRUPTED: "Pack file is corrupted or invalid",
-                NOT_EXTENDED_FORMAT: "Pack is not in extended GRX2 format"
-              };
-              errorMsg = messages[error.code] ?? `Pack load error: ${error.message}`;
-            } else {
-              errorMsg = error instanceof Error ? error.message : "Unknown error";
-            }
-            if (strictGrx2) {
-              throw new SentriflowConfigError(
-                `Failed to load GRX2 pack '${packPath}': ${errorMsg}`
-              );
+            loadedPack.priority = desc.priority;
+            break;
+          }
+          case "grpx": {
+            if (!licenseKey) {
+              console.error(`Warning: Skipping GRPX pack (no license key): ${desc.path}`);
+              continue;
             }
-            console.error(`Warning: Failed to load GRX2 pack: ${errorMsg}`);
-            console.error(`Warning: Skipping GRX2 pack: ${packPath}`);
-            failedPacks.push(packPath);
+            loadedPack = await loadEncryptedRulePack(
+              validation.canonicalPath,
+              licenseKey,
+              allowedBaseDirs
+            );
+            loadedPack.priority = desc.priority;
+            break;
           }
-        }
-        if (grx2PathsArray.length > 0) {
-          const successMsg = `GRX2 packs: ${loadedCount} of ${grx2PathsArray.length} loaded (${totalRules} rules)`;
-          if (failedPacks.length > 0) {
-            console.error(`${successMsg}, ${failedPacks.length} failed`);
-          } else {
-            console.error(successMsg);
+          case "unencrypted": {
+            loadedPack = await loadRulePackFile(
+              validation.canonicalPath,
+              allowedBaseDirs
+            );
+            loadedPack.priority = desc.priority;
+            break;
           }
+          default:
+            console.error(`Warning: Unknown pack format, skipping: ${desc.path}`);
+            continue;
         }
+        allPacks.push(loadedPack);
+        loadedCount++;
+        totalRules += loadedPack.rules.length;
+      } catch (error) {
+        let errorMsg;
+        if (error instanceof EncryptedPackError) {
+          const messages = {
+            LICENSE_MISSING: "Invalid or missing license key",
+            LICENSE_EXPIRED: "License has expired",
+            LICENSE_INVALID: "License key is invalid for this pack",
+            DECRYPTION_FAILED: "Failed to decrypt pack (invalid key or corrupted data)",
+            MACHINE_MISMATCH: "License is not valid for this machine",
+            PACK_CORRUPTED: "Pack file is corrupted or invalid",
+            NOT_EXTENDED_FORMAT: "Pack is not in extended GRX2 format"
+          };
+          errorMsg = messages[error.code] ?? `Pack load error: ${error.message}`;
+        } else {
+          errorMsg = error instanceof Error ? error.message : "Unknown error";
+        }
+        if (strictPacks) {
+          throw new SentriflowConfigError(
+            `Failed to load pack '${desc.path}': ${errorMsg}`
+          );
+        }
+        console.error(`Warning: Failed to load pack: ${errorMsg}`);
+        console.error(`Warning: Skipping pack: ${desc.path}`);
+        failedPacks.push(desc.path);
+      }
+    }
+    if (packPathsArray.length > 0) {
+      const successMsg = `Packs: ${loadedCount} of ${packPathsArray.length} loaded (${totalRules} rules)`;
+      if (failedPacks.length > 0) {
+        console.error(`${successMsg}, ${failedPacks.length} failed`);
+      } else if (loadedCount > 0) {
+        console.error(successMsg);
       }
     }
   }
@@ -16072,7 +16830,7 @@ async function resolveRules(options = {}) {
 
 // src/scanner/DirectoryScanner.ts
 import { readdir as readdir2, stat } from "fs/promises";
-import { join as join2, resolve as resolve3, extname as extname2 } from "path";
+import { join as join2, resolve as resolve5, extname as extname2 } from "path";
 import { realpathSync as realpathSync2, existsSync as existsSync3 } from "fs";
 var DEFAULT_CONFIG_EXTENSIONS = [
   "txt",
@@ -16101,7 +16859,7 @@ function isWithinBounds(filePath, allowedBaseDirs) {
   const normalizedPath = normalizeSeparators2(filePath);
   return allowedBaseDirs.some((baseDir) => {
     try {
-      const canonicalBase = realpathSync2(resolve3(baseDir));
+      const canonicalBase = realpathSync2(resolve5(baseDir));
       const normalizedBase = normalizeSeparators2(canonicalBase);
       return normalizedPath === normalizedBase || normalizedPath.startsWith(normalizedBase + "/");
     } catch (error) {
@@ -16157,7 +16915,7 @@ async function scanDirectory(dirPath, options = {}) {
   };
   let canonicalDir;
   try {
-    canonicalDir = realpathSync2(resolve3(dirPath));
+    canonicalDir = realpathSync2(resolve5(dirPath));
   } catch {
     result.errors.push({
       path: dirPath,
@@ -16257,7 +17015,7 @@ function validateDirectoryPath(dirPath, allowedBaseDirs) {
         error: "Network (UNC) paths are not allowed"
       };
     }
-    const absolutePath = resolve3(dirPath);
+    const absolutePath = resolve5(dirPath);
     if (!existsSync3(absolutePath)) {
       return { valid: false, error: "Directory not found" };
     }
@@ -16286,14 +17044,14 @@ function validateDirectoryPath(dirPath, allowedBaseDirs) {
 
 // src/loaders/stdin.ts
 async function readStdin() {
-  return new Promise((resolve5) => {
+  return new Promise((resolve7) => {
     const stdin = process.stdin;
     const chunks = [];
     let totalSize = 0;
     let sizeLimitExceeded = false;
     stdin.setEncoding("utf8");
     if (stdin.isTTY) {
-      resolve5({
+      resolve7({
         success: false,
         error: "No input received from stdin"
       });
@@ -16305,7 +17063,7 @@ async function readStdin() {
       totalSize += buffer.length;
       if (totalSize > MAX_CONFIG_SIZE) {
         sizeLimitExceeded = true;
-        resolve5({
+        resolve7({
           success: false,
           error: `Input exceeds maximum size (${totalSize} > ${MAX_CONFIG_SIZE} bytes)`
         });
@@ -16318,19 +17076,19 @@ async function readStdin() {
       if (sizeLimitExceeded) return;
       const content = Buffer.concat(chunks).toString("utf8");
       if (content.length === 0) {
-        resolve5({
+        resolve7({
           success: false,
           error: "No input received from stdin"
         });
         return;
       }
-      resolve5({
+      resolve7({
         success: true,
         content
       });
     });
     stdin.on("error", (err) => {
-      resolve5({
+      resolve7({
         success: false,
         error: `Failed to read from stdin: ${err.message}`
       });
@@ -16338,7 +17096,7 @@ async function readStdin() {
     const timeout = setTimeout(() => {
       if (chunks.length === 0 && !sizeLimitExceeded) {
         stdin.destroy();
-        resolve5({
+        resolve7({
           success: false,
           error: "No input received from stdin (timeout)"
         });
@@ -16384,21 +17142,15 @@ function enrichResultsWithRuleMetadata(results, rules) {
   });
 }
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.2.1").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
-  "--encrypted-pack <path...>",
-  "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.3.2").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option(
+  "--pack <path...>",
+  "Path(s) to rule pack(s) (auto-detects format: .grx2, .grpx, or unencrypted)"
 ).option(
   "--license-key <key>",
-  "SEC-012: License key for encrypted rule packs (or set SENTRIFLOW_LICENSE_KEY)"
+  "License key for encrypted rule packs (or set SENTRIFLOW_LICENSE_KEY)"
 ).option(
   "--strict-packs",
-  "Fail if encrypted pack cannot be loaded (default: warn and continue)"
-).option(
-  "--grx2-pack <path...>",
-  "Path(s) to extended encrypted rule pack(s) (.grx2), can specify multiple"
-).option(
-  "--strict-grx2",
-  "Fail immediately if any GRX2 pack cannot be loaded"
+  "Fail immediately if any pack cannot be loaded (default: warn and continue)"
 ).option(
   "--show-machine-id",
   "Display the current machine ID (for license binding support)"
@@ -16448,7 +17200,10 @@ program.name("sentriflow").description("SentriFlow Network Configuration Validat
   "--max-depth <number>",
   "Maximum recursion depth for directory scanning (use with -R)",
   (val) => parseInt(val, 10)
-).option("--progress", "Show progress during directory scanning").action(async (files, options) => {
+).option("--progress", "Show progress during directory scanning").option(
+  "--filter-special-ips",
+  "Filter out special IP ranges (loopback, multicast, reserved, broadcast) from IP summary"
+).action(async (files, options) => {
   try {
     if (options.showMachineId) {
       try {
@@ -16502,23 +17257,18 @@ Use: sentriflow --vendor <vendor> <file>`);
     }
     const licenseKey = options.licenseKey || process.env.SENTRIFLOW_LICENSE_KEY;
     const firstFile = files.length > 0 ? files[0] : void 0;
-    const configSearchDir = firstFile ? dirname2(resolve4(firstFile)) : workingDir;
+    const configSearchDir = firstFile ? dirname2(resolve6(firstFile)) : workingDir;
     const rules = await resolveRules({
       configPath: options.config,
       noConfig: options.config === false,
       // --no-config sets this to false
       rulesPath: options.rules,
-      rulePackPath: options.rulePack,
-      encryptedPackPaths: options.encryptedPack,
-      // SEC-012: Now supports array
+      packPaths: options.pack,
+      // Unified pack loading with auto-format detection
       licenseKey,
-      // SEC-012: From CLI or SENTRIFLOW_LICENSE_KEY env var
+      // From CLI or SENTRIFLOW_LICENSE_KEY env var
       strictPacks: options.strictPacks,
-      // SEC-012: Fail on pack load errors
-      grx2PackPaths: options.grx2Pack,
-      // Extended GRX2 packs
-      strictGrx2: options.strictGrx2,
-      // Fail on GRX2 pack load errors
+      // Fail on pack load errors
       jsonRulesPaths: options.jsonRules,
       // JSON rules files
       disableIds: options.disable ?? [],
@@ -16527,6 +17277,19 @@ Use: sentriflow --vendor <vendor> <file>`);
       allowedBaseDirs
       // SEC-011: Pass allowed base dirs for rule file validation
     });
+    let filterSpecialIps = options.filterSpecialIps ?? false;
+    if (!options.filterSpecialIps && options.config !== false) {
+      const configPath = options.config ?? findConfigFile(configSearchDir);
+      if (configPath) {
+        try {
+          const config = await loadConfigFile(configPath, allowedBaseDirs);
+          if (config.filterSpecialIps) {
+            filterSpecialIps = true;
+          }
+        } catch {
+        }
+      }
+    }
     if (options.listCategories) {
       const counts = /* @__PURE__ */ new Map();
       for (const rule of rules) {
@@ -16766,7 +17529,21 @@ Parsing complete: ${allAsts.length} files`);
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          let fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          if (filterSpecialIps) {
+            fileIpSummary = filterIPSummary(fileIpSummary, {
+              keepPublic: true,
+              keepPrivate: true,
+              keepCgnat: true,
+              keepLoopback: false,
+              keepLinkLocal: false,
+              keepMulticast: false,
+              keepReserved: false,
+              keepUnspecified: false,
+              keepBroadcast: false,
+              keepDocumentation: false
+            });
+          }
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -16855,12 +17632,9 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
         configPath: options.config,
         noConfig: options.config === false,
         rulesPath: options.rules,
-        rulePackPath: options.rulePack,
-        encryptedPackPaths: options.encryptedPack,
+        packPaths: options.pack,
         licenseKey,
         strictPacks: options.strictPacks,
-        grx2PackPaths: options.grx2Pack,
-        strictGrx2: options.strictGrx2,
         jsonRulesPaths: options.jsonRules,
         disableIds: options.disable ?? [],
         vendorId: vendor2.id,
@@ -16885,6 +17659,20 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       let stdinIpSummary;
       try {
         stdinIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+        if (filterSpecialIps) {
+          stdinIpSummary = filterIPSummary(stdinIpSummary, {
+            keepPublic: true,
+            keepPrivate: true,
+            keepCgnat: true,
+            keepLoopback: false,
+            keepLinkLocal: false,
+            keepMulticast: false,
+            keepReserved: false,
+            keepUnspecified: false,
+            keepBroadcast: false,
+            keepDocumentation: false
+          });
+        }
       } catch (error) {
         if (error instanceof InputValidationError) {
           console.error(`Input validation error: ${error.message}`);
@@ -16962,7 +17750,21 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          let fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          if (filterSpecialIps) {
+            fileIpSummary = filterIPSummary(fileIpSummary, {
+              keepPublic: true,
+              keepPrivate: true,
+              keepCgnat: true,
+              keepLoopback: false,
+              keepLinkLocal: false,
+              keepMulticast: false,
+              keepReserved: false,
+              keepUnspecified: false,
+              keepBroadcast: false,
+              keepDocumentation: false
+            });
+          }
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -17050,14 +17852,10 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       configPath: options.config,
       noConfig: options.config === false,
       rulesPath: options.rules,
-      rulePackPath: options.rulePack,
-      encryptedPackPaths: options.encryptedPack,
+      packPaths: options.pack,
       licenseKey,
       strictPacks: options.strictPacks,
-      grx2PackPaths: options.grx2Pack,
-      strictGrx2: options.strictGrx2,
       jsonRulesPaths: options.jsonRules,
-      // JSON rules files
       disableIds: options.disable ?? [],
       vendorId: vendor.id,
       // Now we have the actual detected vendor
@@ -17082,7 +17880,21 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     if (options.quiet) {
       results = results.filter((r) => !r.passed);
     }
-    const ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
+    let ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
+    if (filterSpecialIps) {
+      ipSummary = filterIPSummary(ipSummary, {
+        keepPublic: true,
+        keepPrivate: true,
+        keepCgnat: true,
+        keepLoopback: false,
+        keepLinkLocal: false,
+        keepMulticast: false,
+        keepReserved: false,
+        keepUnspecified: false,
+        keepBroadcast: false,
+        keepDocumentation: false
+      });
+    }
     if (options.format === "sarif") {
       const sarifOptions = {
         relativePaths: options.relativePaths,
@@ -17128,6 +17940,23 @@ async function loadLicensingExtension() {
       licensing.registerCommands(program);
     }
   } catch {
+    const licensingMessage = `
+Cloud licensing features require the @sentriflow/licensing package.
+
+This package is provided to customers after purchasing a license.
+Visit https://sentriflow.com.au/pricing for more information.
+
+Once you have a license, you'll receive access to the private package
+and can enable cloud features like pack downloads and license activation.
+`.trim();
+    const fallbackAction = () => {
+      console.log(licensingMessage);
+      process.exit(0);
+    };
+    program.command("activate").description("Activate your SentriFlow license (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("update").description("Check and download pack updates (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("offline").description("Manage offline bundles (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("license").description("Show license status (requires @sentriflow/licensing)").action(fallbackAction);
   }
 }
 loadLicensingExtension().finally(() => {