npm - @sentriflow/cli - Versions diffs - 0.3.0 → 0.3.2 - Mend

@sentriflow/cli 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -151,6 +151,41 @@ sentriflow --show-machine-id
 # Output: Machine ID: a1b2c3d4...
 ```
+### Cloud Licensing Commands
+Cloud licensing features require the `@sentriflow/licensing` package, which is provided to customers after purchasing a license. Visit [sentriflow.com.au/pricing](https://sentriflow.com.au/pricing) for more information.
+| Command | Description |
+|---------|-------------|
+| `sentriflow activate --license-key <key>` | Activate license and download entitled packs |
+| `sentriflow update` | Check for and download pack updates |
+| `sentriflow offline --bundle <path>` | Create offline bundle for air-gapped environments |
+| `sentriflow license` | Show license status and entitled feeds |
+**Activate a license:**
+```bash
+# Activate license and download all entitled packs
+sentriflow activate --license-key eyJhbGciOiJIUzI1Ni...
+# Or use environment variable
+export SENTRIFLOW_LICENSE_KEY=eyJhbGciOiJIUzI1Ni...
+sentriflow activate
+```
+**Check for updates:**
+```bash
+# Check and download available pack updates
+sentriflow update
+```
+**Offline mode:**
+Downloaded packs are cached in `~/.sentriflow/cache/` and work offline for 72 hours (entitlement cache). The pack files themselves work indefinitely once downloaded.
+If `@sentriflow/licensing` is not installed, these commands display a message with information on how to obtain access.
 ### Directory Scanning
 | Option | Description |

package/dist/index.js CHANGED Viewed

@@ -12129,6 +12129,178 @@ function extractIPSummary(content, options = {}) {
   };
 }
+// ../core/src/ip/classifier.ts
+var DEFAULT_FILTER_OPTIONS = {
+  keepPublic: true,
+  keepPrivate: true,
+  keepLoopback: false,
+  keepLinkLocal: false,
+  keepMulticast: false,
+  keepReserved: false,
+  keepUnspecified: false,
+  keepBroadcast: false,
+  keepDocumentation: false,
+  keepCgnat: true
+};
+function ipv4ToNumber2(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return 0;
+  let result = 0;
+  for (let i = 0; i < 4; i++) {
+    const octet = parseInt(parts[i] ?? "0", 10);
+    if (isNaN(octet) || octet < 0 || octet > 255) return 0;
+    result = (result << 8) + octet;
+  }
+  return result >>> 0;
+}
+function isInIPv4Range(ip, network, prefix) {
+  const ipNum = ipv4ToNumber2(ip);
+  const netNum = ipv4ToNumber2(network);
+  const mask = prefix === 0 ? 0 : ~0 << 32 - prefix >>> 0;
+  return (ipNum & mask) === (netNum & mask);
+}
+function classifyIPv4(ip) {
+  if (ip === "0.0.0.0") return "unspecified";
+  if (ip === "255.255.255.255") return "broadcast";
+  if (isInIPv4Range(ip, "0.0.0.0", 8)) return "unspecified";
+  if (isInIPv4Range(ip, "127.0.0.0", 8)) return "loopback";
+  if (isInIPv4Range(ip, "169.254.0.0", 16)) return "link-local";
+  if (isInIPv4Range(ip, "10.0.0.0", 8)) return "private";
+  if (isInIPv4Range(ip, "172.16.0.0", 12)) return "private";
+  if (isInIPv4Range(ip, "192.168.0.0", 16)) return "private";
+  if (isInIPv4Range(ip, "100.64.0.0", 10)) return "cgnat";
+  if (isInIPv4Range(ip, "192.0.2.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "198.51.100.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "203.0.113.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "224.0.0.0", 4)) return "multicast";
+  if (isInIPv4Range(ip, "240.0.0.0", 4)) return "reserved";
+  return "public";
+}
+function classifyIPv4Subnet(subnet) {
+  const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) return classifyIPv4(subnet);
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv4(network);
+}
+function expandIPv62(ip) {
+  const zoneIndex = ip.indexOf("%");
+  const addr = zoneIndex !== -1 ? ip.substring(0, zoneIndex) : ip;
+  const parts = addr.split(":");
+  const result = [];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i] ?? "";
+    if (part === "" && i > 0 && i < parts.length - 1) {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    } else if (part !== "") {
+      result.push(parseInt(part, 16) || 0);
+    } else if (i === 0 && (parts[1] ?? "") === "") {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    }
+  }
+  while (result.length < 8) {
+    result.push(0);
+  }
+  return result.slice(0, 8);
+}
+function classifyIPv6(ip) {
+  const parts = expandIPv62(ip);
+  if (parts.every((p) => p === 0)) return "unspecified";
+  if (parts.slice(0, 7).every((p) => p === 0) && parts[7] === 1) return "loopback";
+  if ((parts[0] ?? 0) >= 65152 && (parts[0] ?? 0) <= 65215) return "link-local";
+  if (((parts[0] ?? 0) & 65280) === 65280) return "multicast";
+  if (parts[0] === 8193 && parts[1] === 3512) return "documentation";
+  if (((parts[0] ?? 0) & 65024) === 64512) return "private";
+  return "public";
+}
+function classifyIPv6Subnet(subnet) {
+  const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) return classifyIPv6(subnet);
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv6(network);
+}
+function shouldKeepClassification(classification, options) {
+  switch (classification) {
+    case "public":
+      return options.keepPublic;
+    case "private":
+      return options.keepPrivate;
+    case "loopback":
+      return options.keepLoopback;
+    case "link-local":
+      return options.keepLinkLocal;
+    case "multicast":
+      return options.keepMulticast;
+    case "reserved":
+      return options.keepReserved;
+    case "unspecified":
+      return options.keepUnspecified;
+    case "broadcast":
+      return options.keepBroadcast;
+    case "documentation":
+      return options.keepDocumentation;
+    case "cgnat":
+      return options.keepCgnat;
+    default:
+      return true;
+  }
+}
+function filterIPv4Addresses(addresses, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv4(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv6Addresses(addresses, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv6(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv4Subnets(subnets, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv4Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv6Subnets(subnets, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv6Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPSummary(summary, options = {}) {
+  const ipv4Addresses = filterIPv4Addresses(summary.ipv4Addresses, options);
+  const ipv6Addresses = filterIPv6Addresses(summary.ipv6Addresses, options);
+  const ipv4Subnets = filterIPv4Subnets(summary.ipv4Subnets, options);
+  const ipv6Subnets = filterIPv6Subnets(summary.ipv6Subnets, options);
+  const counts = {
+    ipv4: ipv4Addresses.length,
+    ipv6: ipv6Addresses.length,
+    ipv4Subnets: ipv4Subnets.length,
+    ipv6Subnets: ipv6Subnets.length,
+    total: ipv4Addresses.length + ipv6Addresses.length + ipv4Subnets.length + ipv6Subnets.length
+  };
+  return {
+    ipv4Addresses,
+    ipv6Addresses,
+    ipv4Subnets,
+    ipv6Subnets,
+    counts
+  };
+}
 // ../core/src/validation/rule-validation.ts
 function validateRule2(rule) {
   if (typeof rule !== "object" || rule === null) {
@@ -12328,7 +12500,7 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.3.0",
+            version: "0.3.2",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -12488,7 +12660,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.3.0",
+            version: "0.3.2",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -15418,7 +15590,7 @@ function getRulesByCumulusVendor() {
 // ../rules-default/src/json/cisco-json-rules.json
 var cisco_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Cisco IOS JSON Rules",
@@ -15615,7 +15787,7 @@ var cisco_json_rules_default = {
 // ../rules-default/src/json/common-json-rules.json
 var common_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Common JSON Rules",
@@ -15663,7 +15835,7 @@ var common_json_rules_default = {
 // ../rules-default/src/json/juniper-json-rules.json
 var juniper_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Juniper JunOS JSON Rules",
@@ -16172,6 +16344,9 @@ function isValidSentriflowConfig(config) {
       return false;
     }
   }
+  if (obj.filterSpecialIps !== void 0 && typeof obj.filterSpecialIps !== "boolean") {
+    return false;
+  }
   return true;
 }
 function isValidDirectoryConfig(config) {
@@ -16967,7 +17142,7 @@ function enrichResultsWithRuleMetadata(results, rules) {
   });
 }
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.3.0").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.3.2").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option(
   "--pack <path...>",
   "Path(s) to rule pack(s) (auto-detects format: .grx2, .grpx, or unencrypted)"
 ).option(
@@ -17025,7 +17200,10 @@ program.name("sentriflow").description("SentriFlow Network Configuration Validat
   "--max-depth <number>",
   "Maximum recursion depth for directory scanning (use with -R)",
   (val) => parseInt(val, 10)
-).option("--progress", "Show progress during directory scanning").action(async (files, options) => {
+).option("--progress", "Show progress during directory scanning").option(
+  "--filter-special-ips",
+  "Filter out special IP ranges (loopback, multicast, reserved, broadcast) from IP summary"
+).action(async (files, options) => {
   try {
     if (options.showMachineId) {
       try {
@@ -17099,6 +17277,19 @@ Use: sentriflow --vendor <vendor> <file>`);
       allowedBaseDirs
       // SEC-011: Pass allowed base dirs for rule file validation
     });
+    let filterSpecialIps = options.filterSpecialIps ?? false;
+    if (!options.filterSpecialIps && options.config !== false) {
+      const configPath = options.config ?? findConfigFile(configSearchDir);
+      if (configPath) {
+        try {
+          const config = await loadConfigFile(configPath, allowedBaseDirs);
+          if (config.filterSpecialIps) {
+            filterSpecialIps = true;
+          }
+        } catch {
+        }
+      }
+    }
     if (options.listCategories) {
       const counts = /* @__PURE__ */ new Map();
       for (const rule of rules) {
@@ -17338,7 +17529,21 @@ Parsing complete: ${allAsts.length} files`);
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          let fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          if (filterSpecialIps) {
+            fileIpSummary = filterIPSummary(fileIpSummary, {
+              keepPublic: true,
+              keepPrivate: true,
+              keepCgnat: true,
+              keepLoopback: false,
+              keepLinkLocal: false,
+              keepMulticast: false,
+              keepReserved: false,
+              keepUnspecified: false,
+              keepBroadcast: false,
+              keepDocumentation: false
+            });
+          }
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -17454,6 +17659,20 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       let stdinIpSummary;
       try {
         stdinIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+        if (filterSpecialIps) {
+          stdinIpSummary = filterIPSummary(stdinIpSummary, {
+            keepPublic: true,
+            keepPrivate: true,
+            keepCgnat: true,
+            keepLoopback: false,
+            keepLinkLocal: false,
+            keepMulticast: false,
+            keepReserved: false,
+            keepUnspecified: false,
+            keepBroadcast: false,
+            keepDocumentation: false
+          });
+        }
       } catch (error) {
         if (error instanceof InputValidationError) {
           console.error(`Input validation error: ${error.message}`);
@@ -17531,7 +17750,21 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          let fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          if (filterSpecialIps) {
+            fileIpSummary = filterIPSummary(fileIpSummary, {
+              keepPublic: true,
+              keepPrivate: true,
+              keepCgnat: true,
+              keepLoopback: false,
+              keepLinkLocal: false,
+              keepMulticast: false,
+              keepReserved: false,
+              keepUnspecified: false,
+              keepBroadcast: false,
+              keepDocumentation: false
+            });
+          }
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -17647,7 +17880,21 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     if (options.quiet) {
       results = results.filter((r) => !r.passed);
     }
-    const ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
+    let ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
+    if (filterSpecialIps) {
+      ipSummary = filterIPSummary(ipSummary, {
+        keepPublic: true,
+        keepPrivate: true,
+        keepCgnat: true,
+        keepLoopback: false,
+        keepLinkLocal: false,
+        keepMulticast: false,
+        keepReserved: false,
+        keepUnspecified: false,
+        keepBroadcast: false,
+        keepDocumentation: false
+      });
+    }
     if (options.format === "sarif") {
       const sarifOptions = {
         relativePaths: options.relativePaths,
@@ -17693,6 +17940,23 @@ async function loadLicensingExtension() {
       licensing.registerCommands(program);
     }
   } catch {
+    const licensingMessage = `
+Cloud licensing features require the @sentriflow/licensing package.
+This package is provided to customers after purchasing a license.
+Visit https://sentriflow.com.au/pricing for more information.
+Once you have a license, you'll receive access to the private package
+and can enable cloud features like pack downloads and license activation.
+`.trim();
+    const fallbackAction = () => {
+      console.log(licensingMessage);
+      process.exit(0);
+    };
+    program.command("activate").description("Activate your SentriFlow license (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("update").description("Check and download pack updates (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("offline").description("Manage offline bundles (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("license").description("Show license status (requires @sentriflow/licensing)").action(fallbackAction);
   }
 }
 loadLicensingExtension().finally(() => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sentriflow/cli",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "SentriFlow CLI - Network configuration linter and validator",
   "license": "Apache-2.0",
   "main": "dist/index.js",