@sentriflow/cli 0.3.0 → 0.4.0

package/dist/index.js

@@ -4738,6 +4738,7 @@ __export(helpers_exports, {
   cumulus: () => cumulus_exports,
   equalsIgnoreCase: () => equalsIgnoreCase,
   extreme: () => extreme_exports,
+  findParentSection: () => findParentSection,
   fortinet: () => fortinet_exports,
   getAllVendorModules: () => getAllVendorModules,
   getChildCommand: () => getChildCommand,
@@ -4953,6 +4954,20 @@ var isShutdown = (node) => {
     return id === "shutdown" || id === "disable";
   });
 };
+var findParentSection = (ast, targetNode) => {
+  for (const node of ast) {
+    if (node.type === "section") {
+      if (node.children.some(
+        (child) => child.loc.startLine === targetNode.loc.startLine
+      )) {
+        return node;
+      }
+      const found = findParentSection(node.children, targetNode);
+      if (found) return found;
+    }
+  }
+  return void 0;
+};
 var isInterfaceDefinition = (node) => {
   if (!node?.id) return false;
   const id = node.id.toLowerCase();
@@ -6109,6 +6124,7 @@ var getDescription = (node) => {
 // ../core/src/helpers/cisco/index.ts
 var cisco_exports = {};
 __export(cisco_exports, {
+  findParentSection: () => findParentSection,
   getBgpNeighbors: () => getBgpNeighbors,
   getChildCommand: () => getChildCommand,
   getChildCommands: () => getChildCommands,
@@ -6143,6 +6159,7 @@ __export(cisco_exports, {
   isEndpointPort: () => isEndpointPort,
   isExternalFacing: () => isExternalFacing,
   isLikelyTrunk: () => isLikelyTrunk,
+  isLineConfigPassword: () => isLineConfigPassword,
   isLoopbackInterface: () => isLoopbackInterface,
   isPhoneOrAP: () => isPhoneOrAP,
   isPhysicalPort: () => isPhysicalPort,
@@ -6240,6 +6257,12 @@ var hasWeakUsernamePassword = (node) => {
   }
   return false;
 };
+var isLineConfigPassword = (ast, node) => {
+  const parent = findParentSection(ast, node);
+  if (!parent) return false;
+  const parentId = parent.id.toLowerCase();
+  return parentId.startsWith("line vty") || parentId.startsWith("line console") || parentId.startsWith("line aux");
+};
 var getSshVersion = (node) => {
   if (includesIgnoreCase(node.rawText, "ip ssh version")) {
     const match = node.params.find((p) => p === "1" || p === "2");
@@ -10010,16 +10033,16 @@ var hasFloodProtection = (zppNode) => {
   const udp = findStanza6(flood, "udp");
   const icmp = findStanza6(flood, "icmp");
   const otherIp = findStanza6(flood, "other-ip");
-  const isEnabled6 = (stanza) => {
+  const isEnabled5 = (stanza) => {
     if (!stanza) return false;
     const enableCmd = getChildCommand(stanza, "enable");
     return enableCmd?.id.toLowerCase().includes("yes") ?? false;
   };
   return {
-    hasSyn: isEnabled6(tcpSyn),
-    hasUdp: isEnabled6(udp),
-    hasIcmp: isEnabled6(icmp),
-    hasOtherIp: isEnabled6(otherIp)
+    hasSyn: isEnabled5(tcpSyn),
+    hasUdp: isEnabled5(udp),
+    hasIcmp: isEnabled5(icmp),
+    hasOtherIp: isEnabled5(otherIp)
   };
 };
 var hasReconProtection = (zppNode) => {
@@ -10702,8 +10725,10 @@ var GRX2_EXTENDED_FLAG = 1;
 var GRX2_PORTABLE_FLAG = 2;
 var GRX2_ALGORITHM_AES_256_GCM = 1;
 var GRX2_KDF_PBKDF2 = 1;
-var DEFAULT_PACKS_DIRECTORY = join(homedir(), ".sentriflow", "packs");
-var CACHE_DIRECTORY = join(homedir(), ".sentriflow", "cache");
+var SENTRIFLOW_HOME = join(homedir(), ".sentriflow");
+var DEFAULT_PACKS_DIRECTORY = join(SENTRIFLOW_HOME, "packs");
+var DEFAULT_RULES_DIRECTORY = join(SENTRIFLOW_HOME, "rules");
+var CACHE_DIRECTORY = join(SENTRIFLOW_HOME, "cache");
 
 // ../core/src/grx2-loader/MachineId.ts
 var import_node_machine_id = __toESM(require_dist(), 1);
@@ -10865,7 +10890,6 @@ function parseExtendedHeader(data) {
 }
 async function loadExtendedPack(filePath, licenseKey, machineId2, debug) {
   debug?.(`[GRX2Loader] Loading pack: ${filePath}`);
-  debug?.(`[GRX2Loader] License key length: ${licenseKey.length}, first 20 chars: ${licenseKey.substring(0, 20)}...`);
   debug?.(`[GRX2Loader] Machine ID: "${machineId2}" (length: ${machineId2.length})`);
   const data = await readFile(filePath);
   debug?.(`[GRX2Loader] Pack file size: ${data.length} bytes`);
@@ -12129,6 +12153,178 @@ function extractIPSummary(content, options = {}) {
   };
 }
 
+// ../core/src/ip/classifier.ts
+var DEFAULT_FILTER_OPTIONS = {
+  keepPublic: true,
+  keepPrivate: true,
+  keepLoopback: false,
+  keepLinkLocal: false,
+  keepMulticast: false,
+  keepReserved: false,
+  keepUnspecified: false,
+  keepBroadcast: false,
+  keepDocumentation: false,
+  keepCgnat: true
+};
+function ipv4ToNumber2(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return 0;
+  let result = 0;
+  for (let i = 0; i < 4; i++) {
+    const octet = parseInt(parts[i] ?? "0", 10);
+    if (isNaN(octet) || octet < 0 || octet > 255) return 0;
+    result = (result << 8) + octet;
+  }
+  return result >>> 0;
+}
+function isInIPv4Range(ip, network, prefix) {
+  const ipNum = ipv4ToNumber2(ip);
+  const netNum = ipv4ToNumber2(network);
+  const mask = prefix === 0 ? 0 : ~0 << 32 - prefix >>> 0;
+  return (ipNum & mask) === (netNum & mask);
+}
+function classifyIPv4(ip) {
+  if (ip === "0.0.0.0") return "unspecified";
+  if (ip === "255.255.255.255") return "broadcast";
+  if (isInIPv4Range(ip, "0.0.0.0", 8)) return "unspecified";
+  if (isInIPv4Range(ip, "127.0.0.0", 8)) return "loopback";
+  if (isInIPv4Range(ip, "169.254.0.0", 16)) return "link-local";
+  if (isInIPv4Range(ip, "10.0.0.0", 8)) return "private";
+  if (isInIPv4Range(ip, "172.16.0.0", 12)) return "private";
+  if (isInIPv4Range(ip, "192.168.0.0", 16)) return "private";
+  if (isInIPv4Range(ip, "100.64.0.0", 10)) return "cgnat";
+  if (isInIPv4Range(ip, "192.0.2.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "198.51.100.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "203.0.113.0", 24)) return "documentation";
+  if (isInIPv4Range(ip, "224.0.0.0", 4)) return "multicast";
+  if (isInIPv4Range(ip, "240.0.0.0", 4)) return "reserved";
+  return "public";
+}
+function classifyIPv4Subnet(subnet) {
+  const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) return classifyIPv4(subnet);
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv4(network);
+}
+function expandIPv62(ip) {
+  const zoneIndex = ip.indexOf("%");
+  const addr = zoneIndex !== -1 ? ip.substring(0, zoneIndex) : ip;
+  const parts = addr.split(":");
+  const result = [];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i] ?? "";
+    if (part === "" && i > 0 && i < parts.length - 1) {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    } else if (part !== "") {
+      result.push(parseInt(part, 16) || 0);
+    } else if (i === 0 && (parts[1] ?? "") === "") {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    }
+  }
+  while (result.length < 8) {
+    result.push(0);
+  }
+  return result.slice(0, 8);
+}
+function classifyIPv6(ip) {
+  const parts = expandIPv62(ip);
+  if (parts.every((p) => p === 0)) return "unspecified";
+  if (parts.slice(0, 7).every((p) => p === 0) && parts[7] === 1) return "loopback";
+  if ((parts[0] ?? 0) >= 65152 && (parts[0] ?? 0) <= 65215) return "link-local";
+  if (((parts[0] ?? 0) & 65280) === 65280) return "multicast";
+  if (parts[0] === 8193 && parts[1] === 3512) return "documentation";
+  if (((parts[0] ?? 0) & 65024) === 64512) return "private";
+  return "public";
+}
+function classifyIPv6Subnet(subnet) {
+  const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) return classifyIPv6(subnet);
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv6(network);
+}
+function shouldKeepClassification(classification, options) {
+  switch (classification) {
+    case "public":
+      return options.keepPublic;
+    case "private":
+      return options.keepPrivate;
+    case "loopback":
+      return options.keepLoopback;
+    case "link-local":
+      return options.keepLinkLocal;
+    case "multicast":
+      return options.keepMulticast;
+    case "reserved":
+      return options.keepReserved;
+    case "unspecified":
+      return options.keepUnspecified;
+    case "broadcast":
+      return options.keepBroadcast;
+    case "documentation":
+      return options.keepDocumentation;
+    case "cgnat":
+      return options.keepCgnat;
+    default:
+      return true;
+  }
+}
+function filterIPv4Addresses(addresses, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv4(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv6Addresses(addresses, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv6(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv4Subnets(subnets, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv4Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPv6Subnets(subnets, options = {}) {
+  const opts = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv6Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+function filterIPSummary(summary, options = {}) {
+  const ipv4Addresses = filterIPv4Addresses(summary.ipv4Addresses, options);
+  const ipv6Addresses = filterIPv6Addresses(summary.ipv6Addresses, options);
+  const ipv4Subnets = filterIPv4Subnets(summary.ipv4Subnets, options);
+  const ipv6Subnets = filterIPv6Subnets(summary.ipv6Subnets, options);
+  const counts = {
+    ipv4: ipv4Addresses.length,
+    ipv6: ipv6Addresses.length,
+    ipv4Subnets: ipv4Subnets.length,
+    ipv6Subnets: ipv6Subnets.length,
+    total: ipv4Addresses.length + ipv6Addresses.length + ipv4Subnets.length + ipv6Subnets.length
+  };
+  return {
+    ipv4Addresses,
+    ipv6Addresses,
+    ipv4Subnets,
+    ipv6Subnets,
+    counts
+  };
+}
+
 // ../core/src/validation/rule-validation.ts
 function validateRule2(rule) {
   if (typeof rule !== "object" || rule === null) {
@@ -12328,7 +12524,7 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.3.0",
+            version: "0.4.0",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -12488,7 +12684,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.3.0",
+            version: "0.4.0",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -12702,10 +12898,10 @@ var InterfaceDescriptionRequired = {
         loc: node.loc
       };
     }
-    const hasDescription9 = node.children.some(
+    const hasDescription5 = node.children.some(
       (child) => startsWithIgnoreCase(child.id, "description")
     );
-    if (!hasDescription9) {
+    if (!hasDescription5) {
       return {
         passed: false,
         message: `Interface "${node.params.slice(1).join(" ")}" is missing a description.`,
@@ -12730,59 +12926,6 @@ var allCommonRules = [
   InterfaceDescriptionRequired
 ];
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/common/validation.ts
-var equalsIgnoreCase2 = (a, b) => a != null && b != null && a.toLowerCase() === b.toLowerCase();
-var includesIgnoreCase2 = (haystack, needle) => haystack != null && needle != null && haystack.toLowerCase().includes(needle.toLowerCase());
-var startsWithIgnoreCase2 = (str, prefix) => str != null && prefix != null && str.toLowerCase().startsWith(prefix.toLowerCase());
-
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/common/helpers.ts
-var hasChildCommand5 = (node, prefix) => {
-  if (!node?.children || !prefix) return false;
-  return node.children.some(
-    (child) => child?.id?.toLowerCase().startsWith(prefix.toLowerCase()) ?? false
-  );
-};
-var getChildCommand5 = (node, prefix) => {
-  if (!node?.children || !prefix) return void 0;
-  return node.children.find(
-    (child) => child?.id?.toLowerCase().startsWith(prefix.toLowerCase()) ?? false
-  );
-};
-var isShutdown6 = (node) => {
-  if (!node?.children) return false;
-  return node.children.some((child) => {
-    const id = child?.id?.toLowerCase().trim();
-    return id === "shutdown" || id === "disable";
-  });
-};
-
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/cisco/helpers.ts
-var isShutdown7 = (node) => {
-  if (!node?.children) return false;
-  return node.children.some((child) => {
-    return child?.id && equalsIgnoreCase2(child.id.trim(), "shutdown");
-  });
-};
-var isPhysicalPort4 = (interfaceName) => {
-  return !includesIgnoreCase2(interfaceName, "loopback") && !includesIgnoreCase2(interfaceName, "null") && !includesIgnoreCase2(interfaceName, "vlan") && !includesIgnoreCase2(interfaceName, "tunnel") && !includesIgnoreCase2(interfaceName, "port-channel") && !includesIgnoreCase2(interfaceName, "bvi") && !includesIgnoreCase2(interfaceName, "nve");
-};
-var isTrunkPort4 = (node) => {
-  return hasChildCommand5(node, "switchport mode trunk");
-};
-var isTrunkToNonCisco2 = (node) => {
-  const desc = getChildCommand5(node, "description");
-  if (desc) {
-    const descText = desc.rawText;
-    if (includesIgnoreCase2(descText, "server:") || includesIgnoreCase2(descText, "storage:") || includesIgnoreCase2(descText, "esx") || includesIgnoreCase2(descText, "vmware") || includesIgnoreCase2(descText, "hyperv") || includesIgnoreCase2(descText, "hyper-v") || includesIgnoreCase2(descText, "linux") || includesIgnoreCase2(descText, "appliance") || includesIgnoreCase2(descText, "firewall") || includesIgnoreCase2(descText, "loadbalancer") || includesIgnoreCase2(descText, "lb:") || includesIgnoreCase2(descText, "nas:") || includesIgnoreCase2(descText, "san:")) {
-      return true;
-    }
-    if (includesIgnoreCase2(descText, "uplink:") || includesIgnoreCase2(descText, "downlink:") || includesIgnoreCase2(descText, "isl:") || includesIgnoreCase2(descText, "po-member:")) {
-      return false;
-    }
-  }
-  return false;
-};
-
 // ../rules-default/src/cisco/ios-rules.ts
 var TrunkNoDTP = {
   id: "NET-TRUNK-001",
@@ -12796,16 +12939,16 @@ var TrunkNoDTP = {
     remediation: 'Add "switchport nonegotiate" to disable DTP on trunk ports connected to non-Cisco devices.'
   },
   check: (node) => {
-    if (!isPhysicalPort4(node.id) || isShutdown7(node)) {
+    if (!isPhysicalPort(node.id) || isShutdown3(node)) {
       return { passed: true, message: "Not applicable.", ruleId: "NET-TRUNK-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isTrunkPort4(node)) {
+    if (!isTrunkPort2(node)) {
       return { passed: true, message: "Not a trunk port.", ruleId: "NET-TRUNK-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isTrunkToNonCisco2(node)) {
+    if (!isTrunkToNonCisco(node)) {
       return { passed: true, message: "Trunk to Cisco device - DTP acceptable.", ruleId: "NET-TRUNK-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!hasChildCommand5(node, "switchport nonegotiate")) {
+    if (!hasChildCommand(node, "switchport nonegotiate")) {
       return {
         passed: false,
         message: `Trunk port "${node.params.slice(1).join(" ")}" connected to non-Cisco device needs "switchport nonegotiate".`,
@@ -12830,11 +12973,11 @@ var AccessExplicitMode = {
     remediation: 'Add "switchport mode access" to explicitly configure access mode.'
   },
   check: (node) => {
-    if (!isPhysicalPort4(node.id) || isShutdown7(node)) {
+    if (!isPhysicalPort(node.id) || isShutdown3(node)) {
       return { passed: true, message: "Not applicable.", ruleId: "NET-ACCESS-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    const hasAccessVlan = hasChildCommand5(node, "switchport access vlan");
-    const hasExplicitMode = hasChildCommand5(node, "switchport mode");
+    const hasAccessVlan = hasChildCommand(node, "switchport access vlan");
+    const hasExplicitMode = hasChildCommand(node, "switchport mode");
     if (hasAccessVlan && !hasExplicitMode) {
       return {
         passed: false,
@@ -12894,15 +13037,26 @@ var CiscoNoPlaintextPasswords = {
     level: "error",
     obu: "Security",
     owner: "SecOps",
-    remediation: 'Use "secret" instead of "password", or ensure password is encrypted (type 7 or higher).'
+    remediation: 'Use "secret" instead of "password", or encrypt with type 7/8/9.'
   },
-  check: (node) => {
+  check: (node, context) => {
     const params = node.params;
-    const nodeId = node.id;
-    if (includesIgnoreCase(nodeId, "encryption") || includesIgnoreCase(nodeId, "service")) {
+    const nodeId = node.id.toLowerCase();
+    if (nodeId.includes("encryption") || nodeId.includes("service")) {
       return {
         passed: true,
-        message: "Global password configuration command.",
+        message: "Global password configuration.",
+        ruleId: "NET-SEC-001",
+        nodeId: node.id,
+        level: "info",
+        loc: node.loc
+      };
+    }
+    const ast = context.getAst?.();
+    if (ast && isLineConfigPassword(ast, node)) {
+      return {
+        passed: true,
+        message: "Line password - use AAA authentication for security (line passwords cannot be encrypted).",
         ruleId: "NET-SEC-001",
         nodeId: node.id,
         level: "info",
@@ -12911,20 +13065,10 @@ var CiscoNoPlaintextPasswords = {
     }
     if (params.length >= 2) {
       const typeOrValue = params[1];
-      if (!typeOrValue) {
-        return {
-          passed: false,
-          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
-          ruleId: "NET-SEC-001",
-          nodeId: node.id,
-          level: "error",
-          loc: node.loc
-        };
-      }
-      if (typeOrValue === "7" || typeOrValue === "5" || typeOrValue === "8" || typeOrValue === "9") {
+      if (typeOrValue && ["5", "7", "8", "9"].includes(typeOrValue)) {
         return {
           passed: true,
-          message: "Password is encrypted.",
+          message: `Password is encrypted (type ${typeOrValue}).`,
           ruleId: "NET-SEC-001",
           nodeId: node.id,
           level: "info",
@@ -12934,17 +13078,17 @@ var CiscoNoPlaintextPasswords = {
       if (typeOrValue === "0") {
         return {
           passed: false,
-          message: "Plaintext password detected (type 0).",
+          message: 'Plaintext password detected (type 0). Use "secret" or encrypt with type 7.',
           ruleId: "NET-SEC-001",
           nodeId: node.id,
           level: "error",
           loc: node.loc
         };
       }
-      if (!/^\d+$/.test(typeOrValue)) {
+      if (typeOrValue && !/^\d+$/.test(typeOrValue)) {
         return {
           passed: false,
-          message: 'Possible plaintext password detected. Use encryption type 7 or "secret" command.',
+          message: 'Plaintext password detected. Use "secret" or encrypt with type 7.',
           ruleId: "NET-SEC-001",
           nodeId: node.id,
           level: "error",
@@ -12972,38 +13116,6 @@ var allCiscoRules = [
   EnableSecretStrong
 ];
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/juniper/helpers.ts
-var findStanza8 = (node, stanzaName) => {
-  if (!node?.children) return void 0;
-  return node.children.find(
-    (child) => child?.id && equalsIgnoreCase2(child.id, stanzaName)
-  );
-};
-var findStanzas7 = (node, pattern) => {
-  if (!node?.children) return [];
-  return node.children.filter((child) => child?.id && pattern.test(child.id));
-};
-var isFilterTermDrop2 = (termNode) => {
-  if (!termNode?.children) return false;
-  for (const child of termNode.children) {
-    const id = child?.id?.trim();
-    if (!id) continue;
-    if (equalsIgnoreCase2(id, "then discard") || equalsIgnoreCase2(id, "then discard;") || equalsIgnoreCase2(id, "then reject") || equalsIgnoreCase2(id, "then reject;")) {
-      return true;
-    }
-  }
-  const thenStanza = findStanza8(termNode, "then");
-  if (!thenStanza?.children) return false;
-  for (const child of thenStanza.children) {
-    const id = child?.id?.trim();
-    if (!id) continue;
-    if (equalsIgnoreCase2(id, "discard") || equalsIgnoreCase2(id, "discard;") || equalsIgnoreCase2(id, "reject") || equalsIgnoreCase2(id, "reject;")) {
-      return true;
-    }
-  }
-  return false;
-};
-
 // ../rules-default/src/juniper/junos-rules.ts
 var RootAuthRequired = {
   id: "JUN-SYS-001",
@@ -13017,7 +13129,7 @@ var RootAuthRequired = {
     remediation: 'Configure "root-authentication" under system stanza with encrypted-password or ssh-rsa.'
   },
   check: (node) => {
-    const rootAuth = findStanza8(node, "root-authentication");
+    const rootAuth = findStanza4(node, "root-authentication");
     if (!rootAuth) {
       return {
         passed: false,
@@ -13028,8 +13140,8 @@ var RootAuthRequired = {
         loc: node.loc
       };
     }
-    const hasPassword = hasChildCommand5(rootAuth, "encrypted-password");
-    const hasSshKey = hasChildCommand5(rootAuth, "ssh-rsa") || hasChildCommand5(rootAuth, "ssh-ecdsa");
+    const hasPassword = hasChildCommand(rootAuth, "encrypted-password");
+    const hasSshKey = hasChildCommand(rootAuth, "ssh-rsa") || hasChildCommand(rootAuth, "ssh-ecdsa");
     if (!hasPassword && !hasSshKey) {
       return {
         passed: false,
@@ -13062,7 +13174,7 @@ var JunosBgpRouterId = {
     remediation: 'Configure "router-id" under routing-options stanza.'
   },
   check: (node) => {
-    const hasRouterId = hasChildCommand5(node, "router-id");
+    const hasRouterId = hasChildCommand(node, "router-id");
     if (!hasRouterId) {
       return {
         passed: false,
@@ -13113,7 +13225,7 @@ var JunosFirewallDefaultDeny = {
     }
     const issues = [];
     for (const filter of filters) {
-      const terms = findStanzas7(filter, /^term/i);
+      const terms = findStanzas3(filter, /^term/i);
       if (terms.length === 0) {
         continue;
       }
@@ -13121,7 +13233,7 @@ var JunosFirewallDefaultDeny = {
       if (!lastTerm) {
         continue;
       }
-      if (!isFilterTermDrop2(lastTerm)) {
+      if (!isFilterTermDrop(lastTerm)) {
         issues.push(`Filter "${filter.id}" does not end with a deny term.`);
       }
     }
@@ -13154,69 +13266,6 @@ var allJuniperRules = [
   JunosFirewallDefaultDeny
 ];
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/aruba/helpers.ts
-var getInterfaceName4 = (node) => {
-  if (!node?.id) return void 0;
-  const match = node.id.match(/interface\s+(.+)/i);
-  const ifName = match?.[1]?.trim();
-  return ifName && ifName.length > 0 ? ifName : void 0;
-};
-var isAosCxPhysicalPort2 = (interfaceName) => {
-  return /^\d+\/\d+\/\d+$/.test(interfaceName.trim());
-};
-var isAosCxLag2 = (interfaceName) => {
-  return /^lag\s*\d+$/i.test(interfaceName.trim());
-};
-var isAosCxTrunk2 = (node) => {
-  return hasChildCommand5(node, "vlan trunk");
-};
-var getAosCxTrunkAllowed2 = (node) => {
-  const cmd = getChildCommand5(node, "vlan trunk allowed");
-  if (!cmd) return [];
-  const match = cmd.id.match(/vlan\s+trunk\s+allowed\s+([\d,]+)/i);
-  const vlanList = match?.[1];
-  if (!vlanList) return [];
-  return vlanList.split(",").map((v) => parseInt(v.trim(), 10)).filter((v) => !isNaN(v));
-};
-var getAosSwitchVlanName2 = (node) => {
-  const cmd = getChildCommand5(node, "name");
-  if (!cmd) return void 0;
-  const match = cmd.id.match(/name\s+["']?([^"']+)["']?/i);
-  const name = match?.[1];
-  return name?.trim();
-};
-var getWlanEncryption2 = (node) => {
-  const cmd = getChildCommand5(node, "opmode");
-  if (!cmd) return null;
-  const match = cmd.id.match(/opmode\s+(\S+)/i);
-  const mode = match?.[1];
-  return mode ? mode.toLowerCase() : null;
-};
-var hasSecureEncryption2 = (node) => {
-  const opmode = getWlanEncryption2(node);
-  if (!opmode) return false;
-  return opmode.includes("wpa2") || opmode.includes("wpa3") || opmode.includes("aes");
-};
-var isOpenSsid2 = (node) => {
-  const opmode = getWlanEncryption2(node);
-  return opmode === "opensystem" || opmode === "open";
-};
-var getRadiusHost2 = (node) => {
-  const cmd = getChildCommand5(node, "host");
-  if (!cmd) return void 0;
-  const match = cmd.id.match(/host\s+(\S+)/i);
-  const host = match?.[1];
-  return host?.trim();
-};
-var extractProfileName2 = (nodeId) => {
-  const match = nodeId.match(/(?:ssid-profile|virtual-ap|profile|server-group|ap-group|arm-profile)\s+["']?([^"'\n]+)["']?$/i);
-  const profile = match?.[1];
-  return profile ? profile.trim() : void 0;
-};
-var hasDescription5 = (node) => {
-  return hasChildCommand5(node, "description");
-};
-
 // ../rules-default/src/aruba/common-rules.ts
 var SshEnabled = {
   id: "ARU-SEC-001",
@@ -13304,17 +13353,17 @@ var AosCxInterfaceDescription = {
     remediation: "Add a description to physical interfaces for documentation."
   },
   check: (node) => {
-    const ifName = getInterfaceName4(node);
+    const ifName = getInterfaceName(node);
     if (!ifName) {
       return { passed: true, message: "Not an interface.", ruleId: "AOSCX-IF-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isAosCxPhysicalPort2(ifName) && !isAosCxLag2(ifName)) {
+    if (!isAosCxPhysicalPort(ifName) && !isAosCxLag(ifName)) {
       return { passed: true, message: "Not a physical interface.", ruleId: "AOSCX-IF-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (isShutdown6(node)) {
+    if (isShutdown(node)) {
       return { passed: true, message: "Interface is shutdown.", ruleId: "AOSCX-IF-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!hasDescription5(node)) {
+    if (!hasDescription(node)) {
       return {
         passed: false,
         message: `Interface ${ifName} missing description.`,
@@ -13346,17 +13395,17 @@ var AosCxTrunkAllowedVlans = {
     remediation: 'Configure "vlan trunk allowed <vlans>" on trunk interfaces.'
   },
   check: (node) => {
-    const ifName = getInterfaceName4(node);
+    const ifName = getInterfaceName(node);
     if (!ifName) {
       return { passed: true, message: "Not an interface.", ruleId: "AOSCX-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isAosCxPhysicalPort2(ifName) && !isAosCxLag2(ifName)) {
+    if (!isAosCxPhysicalPort(ifName) && !isAosCxLag(ifName)) {
       return { passed: true, message: "Not a switchport interface.", ruleId: "AOSCX-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    if (!isAosCxTrunk2(node)) {
+    if (!isAosCxTrunk(node)) {
       return { passed: true, message: "Not a trunk port.", ruleId: "AOSCX-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    const allowedVlans = getAosCxTrunkAllowed2(node);
+    const allowedVlans = getAosCxTrunkAllowed(node);
     if (allowedVlans.length === 0) {
       return {
         passed: false,
@@ -13406,7 +13455,7 @@ var AosSwitchVlanName = {
     if (vlanId === null || isDefaultVlan(vlanId)) {
       return { passed: true, message: "Default VLAN 1.", ruleId: "AOSSW-L2-001", nodeId: node.id, level: "info", loc: node.loc };
     }
-    const vlanName = getAosSwitchVlanName2(node);
+    const vlanName = getAosSwitchVlanName(node);
     if (!vlanName) {
       return {
         passed: false,
@@ -13480,8 +13529,8 @@ var WlcSsidEncryption = {
     remediation: 'Configure "opmode wpa2-aes" or "opmode wpa3-sae-aes" for secure encryption.'
   },
   check: (node) => {
-    const profileName = extractProfileName2(node.id);
-    const opmode = getWlanEncryption2(node);
+    const profileName = extractProfileName(node.id);
+    const opmode = getWlanEncryption(node);
     if (!opmode) {
       return {
         passed: false,
@@ -13492,7 +13541,7 @@ var WlcSsidEncryption = {
         loc: node.loc
       };
     }
-    if (isOpenSsid2(node)) {
+    if (isOpenSsid(node)) {
       return {
         passed: false,
         message: `SSID profile "${profileName}" is open/unencrypted. Use WPA2 or WPA3.`,
@@ -13502,7 +13551,7 @@ var WlcSsidEncryption = {
         loc: node.loc
       };
     }
-    if (!hasSecureEncryption2(node)) {
+    if (!hasSecureEncryption(node)) {
       return {
         passed: false,
         message: `SSID profile "${profileName}" uses weak encryption (${opmode}). Use WPA2 or WPA3.`,
@@ -13534,8 +13583,8 @@ var WlcRadiusHost = {
     remediation: 'Configure "host <ip-address>" for the RADIUS server.'
   },
   check: (node) => {
-    const profileName = extractProfileName2(node.id);
-    const host = getRadiusHost2(node);
+    const profileName = extractProfileName(node.id);
+    const host = getRadiusHost(node);
     if (!host) {
       return {
         passed: false,
@@ -13583,34 +13632,6 @@ function getRulesByArubaVendor(vendorId) {
   }
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/paloalto/helpers.ts
-var findStanza9 = (node, stanzaName) => {
-  if (!node?.children) return void 0;
-  return node.children.find(
-    (child) => child?.id?.toLowerCase() === stanzaName.toLowerCase()
-  );
-};
-var hasLogging3 = (ruleNode) => {
-  const logStart = hasChildCommand5(ruleNode, "log-start");
-  const logEnd = hasChildCommand5(ruleNode, "log-end");
-  return { logStart, logEnd };
-};
-var isRuleDisabled2 = (ruleNode) => {
-  const disabled = getChildCommand5(ruleNode, "disabled");
-  if (!disabled) return false;
-  return disabled.id.toLowerCase().includes("yes") || disabled.id.toLowerCase().includes("true");
-};
-var getSecurityRules2 = (rulebaseNode) => {
-  const security = findStanza9(rulebaseNode, "security");
-  if (!security) return [];
-  const rules = findStanza9(security, "rules");
-  if (!rules?.children) return [];
-  return rules.children;
-};
-var hasZoneProtectionProfile2 = (zoneNode) => {
-  return hasChildCommand5(zoneNode, "zone-protection-profile");
-};
-
 // ../rules-default/src/paloalto/panos-rules.ts
 var HostnameRequired = {
   id: "PAN-SYS-001",
@@ -13624,7 +13645,7 @@ var HostnameRequired = {
     remediation: "Configure hostname under deviceconfig > system."
   },
   check: (node) => {
-    const system = findStanza9(node, "system");
+    const system = findStanza6(node, "system");
     if (!system) {
       return {
         passed: false,
@@ -13635,7 +13656,7 @@ var HostnameRequired = {
         loc: node.loc
       };
     }
-    const hasHostname = hasChildCommand5(system, "hostname");
+    const hasHostname = hasChildCommand(system, "hostname");
     if (!hasHostname) {
       return {
         passed: false,
@@ -13668,7 +13689,7 @@ var SecurityRuleLogging = {
     remediation: "Enable log-end (and optionally log-start) on all security rules."
   },
   check: (node) => {
-    const rules = getSecurityRules2(node);
+    const rules = getSecurityRules(node);
     if (rules.length === 0) {
       return {
         passed: true,
@@ -13681,8 +13702,8 @@ var SecurityRuleLogging = {
     }
     const issues = [];
     for (const rule of rules) {
-      if (isRuleDisabled2(rule)) continue;
-      const logging = hasLogging3(rule);
+      if (isRuleDisabled(rule)) continue;
+      const logging = hasLogging2(rule);
       if (!logging.logEnd) {
         issues.push(`Rule "${rule.id}" does not have log-end enabled.`);
       }
@@ -13721,7 +13742,7 @@ var ZoneProtectionRequired = {
   check: (node) => {
     const issues = [];
     for (const zone of node.children) {
-      if (!hasZoneProtectionProfile2(zone)) {
+      if (!hasZoneProtectionProfile(zone)) {
         issues.push(`Zone "${zone.id}" does not have a Zone Protection Profile applied.`);
       }
     }
@@ -13769,34 +13790,6 @@ function getRulesByPaloAltoVendor() {
   return [...allCommonRules, ...allPaloAltoRules];
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/arista/helpers.ts
-var checkMlagRequirements2 = (mlagNode) => {
-  return {
-    hasDomainId: hasChildCommand5(mlagNode, "domain-id"),
-    hasPeerLink: hasChildCommand5(mlagNode, "peer-link"),
-    hasPeerAddress: hasChildCommand5(mlagNode, "peer-address"),
-    hasLocalInterface: hasChildCommand5(mlagNode, "local-interface")
-  };
-};
-var isShutdown8 = (interfaceNode) => {
-  if (!interfaceNode?.children) return false;
-  const hasShutdown = interfaceNode.children.some(
-    (child) => child?.id && equalsIgnoreCase2(child.id, "shutdown")
-  );
-  const hasNoShutdown = interfaceNode.children.some(
-    (child) => child?.id && equalsIgnoreCase2(child.id, "no shutdown")
-  );
-  return hasShutdown && !hasNoShutdown;
-};
-var getInterfaceDescription2 = (interfaceNode) => {
-  if (!interfaceNode?.children) return void 0;
-  const descCmd = interfaceNode.children.find(
-    (child) => child?.id && startsWithIgnoreCase2(child.id, "description ")
-  );
-  if (!descCmd) return void 0;
-  return descCmd.id.replace(/^description\s+/i, "").trim();
-};
-
 // ../rules-default/src/arista/eos-rules.ts
 var HostnameRequired2 = {
   id: "ARI-SYS-001",
@@ -13845,7 +13838,7 @@ var MlagConfigComplete = {
     remediation: "MLAG configuration requires: domain-id, peer-link, peer-address, and local-interface."
   },
   check: (node, context) => {
-    const requirements = checkMlagRequirements2(node);
+    const requirements = checkMlagRequirements(node);
     const issues = [];
     if (!requirements.hasDomainId) {
       issues.push("domain-id");
@@ -13891,7 +13884,7 @@ var InterfaceDescription = {
     remediation: "Add description to interface: description <text>"
   },
   check: (node, context) => {
-    if (isShutdown8(node)) {
+    if (isShutdown2(node)) {
       return {
         passed: true,
         message: "Interface is shutdown, description not required.",
@@ -13901,7 +13894,7 @@ var InterfaceDescription = {
         loc: node.loc
       };
     }
-    const description = getInterfaceDescription2(node);
+    const description = getInterfaceDescription(node);
     if (!description) {
       return {
         passed: false,
@@ -13936,37 +13929,6 @@ function getRulesByAristaVendor() {
   return [...allCommonRules, ...allAristaRules];
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/vyos/helpers.ts
-var isDisabled4 = (node) => {
-  if (!node?.children) return false;
-  return node.children.some((child) => child?.id?.toLowerCase().trim() === "disable");
-};
-var findStanzasByPrefix3 = (node, prefix) => {
-  if (!node?.children) return [];
-  return node.children.filter(
-    (child) => child?.id?.toLowerCase().startsWith(prefix.toLowerCase())
-  );
-};
-var getEthernetInterfaces2 = (interfacesNode) => {
-  if (!interfacesNode?.children) return [];
-  return interfacesNode.children.filter(
-    (child) => child?.id?.toLowerCase().startsWith("ethernet eth")
-  );
-};
-var getFirewallDefaultAction2 = (rulesetNode) => {
-  if (!rulesetNode?.children) return void 0;
-  for (const child of rulesetNode.children) {
-    const id = child?.id?.toLowerCase().trim();
-    if (!id) continue;
-    if (id.startsWith("default-action")) {
-      if (id.includes("drop")) return "drop";
-      if (id.includes("accept")) return "accept";
-      if (id.includes("reject")) return "reject";
-    }
-  }
-  return void 0;
-};
-
 // ../rules-default/src/vyos/vyos-rules.ts
 var VyosHostnameRequired = {
   id: "VYOS-SYS-001",
@@ -13980,7 +13942,7 @@ var VyosHostnameRequired = {
     remediation: 'Configure "host-name" under system stanza.'
   },
   check: (node) => {
-    const hasHostname = hasChildCommand5(node, "host-name");
+    const hasHostname = hasChildCommand(node, "host-name");
     if (!hasHostname) {
       return {
         passed: false,
@@ -14049,12 +14011,12 @@ var VyosInterfaceDescription = {
   },
   check: (node) => {
     const issues = [];
-    const ethernetInterfaces = getEthernetInterfaces2(node);
+    const ethernetInterfaces = getEthernetInterfaces(node);
     for (const iface of ethernetInterfaces) {
-      if (isDisabled4(iface)) {
+      if (isDisabled2(iface)) {
         continue;
       }
-      const hasDesc = hasChildCommand5(iface, "description");
+      const hasDesc = hasChildCommand(iface, "description");
       if (!hasDesc) {
         const ifaceName = iface.id.split(/\s+/).pop() || iface.id;
         issues.push(`Interface "${ifaceName}" missing description.`);
@@ -14092,7 +14054,7 @@ var VyosFirewallDefaultAction = {
     remediation: 'Set "default-action drop" or "default-action reject" for each firewall ruleset.'
   },
   check: (node) => {
-    const rulesets = findStanzasByPrefix3(node, "name");
+    const rulesets = findStanzasByPrefix2(node, "name");
     if (rulesets.length === 0) {
       return {
         passed: true,
@@ -14105,7 +14067,7 @@ var VyosFirewallDefaultAction = {
     }
     const issues = [];
     for (const ruleset of rulesets) {
-      const defaultAction = getFirewallDefaultAction2(ruleset);
+      const defaultAction = getFirewallDefaultAction(ruleset);
       if (!defaultAction) {
         const rulesetName = ruleset.id.split(/\s+/)[1] || ruleset.id;
         issues.push(`Firewall ruleset "${rulesetName}" has no default-action configured.`);
@@ -14147,65 +14109,6 @@ function getRulesByVyosVendor() {
   return [...allCommonRules, ...allVyosRules];
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/fortinet/helpers.ts
-var getEditEntries2 = (configSection) => {
-  if (!configSection?.children) return [];
-  return configSection.children.filter(
-    (child) => child?.id?.toLowerCase().startsWith("edit ")
-  );
-};
-var getEditEntryName2 = (editEntry) => {
-  const match = editEntry.id.match(/^edit\s+["']?([^"']+)["']?$/i);
-  const entryName = match?.[1];
-  return entryName ?? editEntry.id;
-};
-var getSetValue2 = (node, paramName) => {
-  if (!node?.children) return void 0;
-  const normalizedParam = paramName.toLowerCase();
-  for (const child of node.children) {
-    const childId = child?.id?.toLowerCase();
-    if (!childId) continue;
-    const match = childId.match(new RegExp(`^set\\s+${normalizedParam}\\s+(.+)$`, "i"));
-    const value = match?.[1];
-    if (value) {
-      return value.replace(/^["']|["']$/g, "").trim();
-    }
-  }
-  return void 0;
-};
-var isPolicyDisabled2 = (policyNode) => {
-  const status = getSetValue2(policyNode, "status");
-  return status?.toLowerCase() === "disable";
-};
-var hasLogging4 = (policyNode) => {
-  const logtraffic = getSetValue2(policyNode, "logtraffic");
-  const logtrafficStart = getSetValue2(policyNode, "logtraffic-start");
-  return {
-    logtraffic,
-    logtrafficStart: logtrafficStart?.toLowerCase() === "enable"
-  };
-};
-var getAdminProfile2 = (adminNode) => {
-  return getSetValue2(adminNode, "accprofile");
-};
-var isSuperAdmin2 = (adminNode) => {
-  const profile = getAdminProfile2(adminNode);
-  return profile?.toLowerCase() === "super_admin";
-};
-var getAdminTrustedHosts2 = (adminNode) => {
-  const trustedHosts = [];
-  for (let i = 1; i <= 10; i++) {
-    const host = getSetValue2(adminNode, `trusthost${i}`);
-    if (host && host !== "0.0.0.0 0.0.0.0") {
-      trustedHosts.push(host);
-    }
-  }
-  return trustedHosts;
-};
-var hasAdminTrustedHosts2 = (adminNode) => {
-  return getAdminTrustedHosts2(adminNode).length > 0;
-};
-
 // ../rules-default/src/fortinet/fortigate-rules.ts
 var HostnameRequired3 = {
   id: "FGT-SYS-001",
@@ -14219,7 +14122,7 @@ var HostnameRequired3 = {
     remediation: 'Configure hostname under "config system global" using "set hostname <name>".'
   },
   check: (node) => {
-    const hostname = getSetValue2(node, "hostname");
+    const hostname = getSetValue(node, "hostname");
     if (!hostname) {
       return {
         passed: false,
@@ -14252,7 +14155,7 @@ var AdminTrustedHostRequired = {
     remediation: 'Configure trusted hosts for each admin user using "set trusthost1", "set trusthost2", etc.'
   },
   check: (node) => {
-    const admins = getEditEntries2(node);
+    const admins = getEditEntries(node);
     if (admins.length === 0) {
       return {
         passed: true,
@@ -14265,11 +14168,11 @@ var AdminTrustedHostRequired = {
     }
     const issues = [];
     for (const admin of admins) {
-      const adminName = getEditEntryName2(admin);
-      if (hasAdminTrustedHosts2(admin)) {
+      const adminName = getEditEntryName(admin);
+      if (hasAdminTrustedHosts(admin)) {
         continue;
       }
-      if (isSuperAdmin2(admin)) {
+      if (isSuperAdmin(admin)) {
         issues.push(`Super admin "${adminName}" has no trusted host restrictions. This is a critical security issue.`);
       } else {
         issues.push(`Admin "${adminName}" has no trusted host restrictions.`);
@@ -14307,7 +14210,7 @@ var PolicyLoggingRequired = {
     remediation: 'Enable logging on all firewall policies using "set logtraffic all" or "set logtraffic utm".'
   },
   check: (node) => {
-    const policies = getEditEntries2(node);
+    const policies = getEditEntries(node);
     if (policies.length === 0) {
       return {
         passed: true,
@@ -14320,10 +14223,10 @@ var PolicyLoggingRequired = {
     }
     const issues = [];
     for (const policy of policies) {
-      if (isPolicyDisabled2(policy)) continue;
-      const logging = hasLogging4(policy);
+      if (isPolicyDisabled(policy)) continue;
+      const logging = hasLogging(policy);
       if (!logging.logtraffic || isFeatureDisabled(logging.logtraffic)) {
-        const policyId = getEditEntryName2(policy);
+        const policyId = getEditEntryName(policy);
         issues.push(`Policy ${policyId} does not have logging enabled.`);
       }
     }
@@ -14361,44 +14264,6 @@ function getRulesByFortinetVendor() {
   return [...allCommonRules, ...allFortinetRules];
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/extreme/helpers.ts
-var getExosVlanName2 = (node) => {
-  const match = node.id.match(/^(?:create|configure)\s+vlan\s+["']?(\w+)["']?/i);
-  const vlanName = match?.[1];
-  return vlanName?.trim();
-};
-var isVossVlanCreate2 = (node) => {
-  return /^vlan\s+create\s+\d+/i.test(node.id);
-};
-var getVossVlanId2 = (node) => {
-  const match = node.id.match(/^vlan\s+(?:create|members|i-sid)\s+(\d+)/i);
-  const vlanId = match?.[1];
-  return vlanId ? parseInt(vlanId, 10) : void 0;
-};
-var isVossGigabitEthernet2 = (node) => {
-  return /^interface\s+GigabitEthernet\s+\d+\/\d+/i.test(node.id);
-};
-var isVossShutdown2 = (node) => {
-  if (!node?.children) return false;
-  const hasShutdown = node.children.some(
-    (child) => child?.id?.toLowerCase() === "shutdown"
-  );
-  const hasNoShutdown = node.children.some(
-    (child) => child?.id?.toLowerCase() === "no shutdown"
-  );
-  return hasShutdown && !hasNoShutdown;
-};
-var getVossDefaultVlan2 = (node) => {
-  if (!node?.children) return void 0;
-  const defaultVlan = node.children.find(
-    (child) => child?.id && /^default-vlan-id\s+\d+/i.test(child.id)
-  );
-  if (!defaultVlan?.id) return void 0;
-  const match = defaultVlan.id.match(/default-vlan-id\s+(\d+)/i);
-  const vlanId = match?.[1];
-  return vlanId ? parseInt(vlanId, 10) : void 0;
-};
-
 // ../rules-default/src/extreme/exos-rules.ts
 var ExosSysnameRequired = {
   id: "EXOS-SYS-001",
@@ -14478,7 +14343,7 @@ var ExosVlanNaming = {
     remediation: 'Use descriptive VLAN names: create vlan "<meaningful-name>" tag <id>'
   },
   check: (node, context) => {
-    const vlanName = getExosVlanName2(node);
+    const vlanName = getExosVlanName(node);
     if (!vlanName) {
       return {
         passed: false,
@@ -14569,7 +14434,7 @@ var VossVlanIsidRequired = {
     remediation: "Configure I-SID for VLAN: vlan i-sid <vlan-id> <isid>"
   },
   check: (node, context) => {
-    if (!isVossVlanCreate2(node)) {
+    if (!isVossVlanCreate(node)) {
       return {
         passed: true,
         message: "Not a VLAN create command.",
@@ -14579,7 +14444,7 @@ var VossVlanIsidRequired = {
         loc: node.loc
       };
     }
-    const vlanId = getVossVlanId2(node);
+    const vlanId = getVossVlanId(node);
     if (!vlanId) {
       return {
         passed: false,
@@ -14622,7 +14487,7 @@ var VossInterfaceDefaultVlan = {
     remediation: "Configure default VLAN: default-vlan-id <vlan-id>"
   },
   check: (node, context) => {
-    if (!isVossGigabitEthernet2(node)) {
+    if (!isVossGigabitEthernet(node)) {
       return {
         passed: true,
         message: "Not a GigabitEthernet interface.",
@@ -14632,7 +14497,7 @@ var VossInterfaceDefaultVlan = {
         loc: node.loc
       };
     }
-    if (isVossShutdown2(node)) {
+    if (isVossShutdown(node)) {
       return {
         passed: true,
         message: "Interface is shutdown.",
@@ -14642,7 +14507,7 @@ var VossInterfaceDefaultVlan = {
         loc: node.loc
       };
     }
-    const defaultVlan = getVossDefaultVlan2(node);
+    const defaultVlan = getVossDefaultVlan(node);
     if (!defaultVlan) {
       return {
         passed: false,
@@ -14694,22 +14559,6 @@ function getRulesByExtremeVendor(vendorId) {
   }
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/huawei/helpers.ts
-var isEnabled4 = (node) => {
-  if (!node?.children) return false;
-  return node.children.some((child) => {
-    const rawText = child?.rawText?.toLowerCase().trim();
-    return rawText === "undo shutdown";
-  });
-};
-var isPhysicalPort5 = (interfaceName) => {
-  const name = interfaceName.toLowerCase();
-  return !name.includes("vlanif") && !name.includes("loopback") && !name.includes("null") && !name.includes("tunnel") && !name.includes("eth-trunk") && !name.includes("nve") && !name.includes("vbdif");
-};
-var hasDescription6 = (node) => {
-  return hasChildCommand5(node, "description");
-};
-
 // ../rules-default/src/huawei/vrp-rules.ts
 var SysnameRequired = {
   id: "HUAWEI-SYS-001",
@@ -14757,7 +14606,7 @@ var InterfaceDescriptionRequired2 = {
   },
   check: (node) => {
     const interfaceName = node.id.replace(/^interface\s+/i, "").trim();
-    if (!isPhysicalPort5(interfaceName)) {
+    if (!isPhysicalPort2(interfaceName)) {
       return {
         passed: true,
         message: "Non-physical interface, description optional.",
@@ -14767,7 +14616,7 @@ var InterfaceDescriptionRequired2 = {
         loc: node.loc
       };
     }
-    if (!isEnabled4(node)) {
+    if (!isEnabled(node)) {
       return {
         passed: true,
         message: "Interface is shutdown, description optional.",
@@ -14777,7 +14626,7 @@ var InterfaceDescriptionRequired2 = {
         loc: node.loc
       };
     }
-    if (!hasDescription6(node)) {
+    if (!hasDescription3(node)) {
       return {
         passed: false,
         message: `Interface ${interfaceName} is enabled but has no description.`,
@@ -14861,55 +14710,6 @@ function getRulesByHuaweiVendor() {
   return [...allCommonRules, ...allHuaweiRules];
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/mikrotik/helpers.ts
-var parseProperty2 = (commandStr, propertyName) => {
-  const regex = new RegExp(`\\b${propertyName}=(?:"([^"]+)"|'([^']+)'|(\\S+))`, "i");
-  const match = commandStr.match(regex);
-  if (match) {
-    return match[1] || match[2] || match[3];
-  }
-  return void 0;
-};
-var getFirewallChain2 = (nodeOrCommand) => {
-  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
-  return parseProperty2(str, "chain");
-};
-var getFirewallAction2 = (nodeOrCommand) => {
-  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
-  return parseProperty2(str, "action");
-};
-var getName2 = (nodeOrCommand) => {
-  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
-  return parseProperty2(str, "name");
-};
-var isAddCommand2 = (nodeOrCommand) => {
-  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
-  return /^add\s+/i.test(str.trim());
-};
-var isSetCommand2 = (nodeOrCommand) => {
-  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
-  return /^set\s+/i.test(str.trim());
-};
-var getAddCommands2 = (node) => {
-  if (!node?.children) return [];
-  return node.children.filter((child) => isAddCommand2(child));
-};
-var isServiceDisabled2 = (nodeOrCommand) => {
-  const str = typeof nodeOrCommand === "string" ? nodeOrCommand : nodeOrCommand.id;
-  const disabled = parseProperty2(str, "disabled");
-  return disabled?.toLowerCase() === "yes";
-};
-var getSystemIdentity2 = (node) => {
-  if (!node?.children) return void 0;
-  for (const child of node.children) {
-    if (isSetCommand2(child)) {
-      const name = getName2(child);
-      if (name) return name;
-    }
-  }
-  return void 0;
-};
-
 // ../rules-default/src/mikrotik/routeros-rules.ts
 var MikrotikSystemIdentity = {
   id: "MIK-SYS-001",
@@ -14923,7 +14723,7 @@ var MikrotikSystemIdentity = {
     remediation: "Configure system identity: /system identity set name=MyRouter"
   },
   check: (node) => {
-    const identity = getSystemIdentity2(node);
+    const identity = getSystemIdentity(node);
     if (!identity || equalsIgnoreCase(identity, "mikrotik") || equalsIgnoreCase(identity, "routerboard")) {
       return {
         passed: false,
@@ -14961,8 +14761,8 @@ var MikrotikDisableUnusedServices = {
     for (const child of node.children) {
       const childId = child.id.toLowerCase();
       for (const service of dangerousServices) {
-        if (childId.includes(service) && !isServiceDisabled2(child)) {
-          const disabled = parseProperty2(child.id, "disabled");
+        if (childId.includes(service) && !isServiceDisabled(child)) {
+          const disabled = parseProperty(child.id, "disabled");
           if (!disabled || !equalsIgnoreCase(disabled, "yes")) {
             issues.push(`Service '${service}' is enabled. Consider disabling it.`);
           }
@@ -15001,11 +14801,11 @@ var MikrotikInputChainDrop = {
     remediation: "Add drop rule for input chain: add chain=input action=drop"
   },
   check: (node) => {
-    const addCommands = getAddCommands2(node);
+    const addCommands = getAddCommands(node);
     let hasInputDrop = false;
     for (const cmd of addCommands) {
-      const chain = getFirewallChain2(cmd);
-      const action = getFirewallAction2(cmd);
+      const chain = getFirewallChain(cmd);
+      const action = getFirewallAction(cmd);
       if (chain && equalsIgnoreCase(chain, "input") && action && equalsIgnoreCase(action, "drop")) {
         hasInputDrop = true;
         break;
@@ -15042,60 +14842,6 @@ function getRulesByMikroTikVendor() {
   return [...allCommonRules, ...allMikroTikRules];
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/nokia/helpers.ts
-var isAdminStateDisabled2 = (node) => {
-  if (!node?.children) return false;
-  const directCheck = node.children.some((child) => {
-    const rawText = child?.rawText?.toLowerCase().trim();
-    return rawText === "admin-state disable";
-  });
-  if (directCheck) return true;
-  return node?.rawText?.toLowerCase().includes("admin-state disable") ?? false;
-};
-var isPhysicalPort6 = (portName) => {
-  const name = portName.toLowerCase();
-  return /^\d+\/\d+\/\d+/.test(name);
-};
-var hasDescription7 = (node) => {
-  return hasChildCommand5(node, "description");
-};
-var getDescription4 = (node) => {
-  const descCmd = getChildCommand5(node, "description");
-  if (descCmd?.rawText) {
-    const match = descCmd.rawText.match(/description\s+"([^"]+)"|description\s+(\S+)/i);
-    if (match) {
-      return match[1] || match[2];
-    }
-  }
-  return void 0;
-};
-var getSystemName2 = (node) => {
-  if (!node?.children) return void 0;
-  const nameCmd = node.children.find((child) => {
-    return child?.id?.toLowerCase().startsWith("name");
-  });
-  if (nameCmd?.rawText) {
-    const match = nameCmd.rawText.match(/name\s+"([^"]+)"/i);
-    if (match) {
-      return match[1];
-    }
-  }
-  return void 0;
-};
-var hasBgpRouterId3 = (node) => {
-  return hasChildCommand5(node, "router-id");
-};
-var getBgpRouterId2 = (node) => {
-  const routerIdCmd = getChildCommand5(node, "router-id");
-  if (routerIdCmd?.rawText) {
-    const match = routerIdCmd.rawText.match(/router-id\s+([\d.]+)/i);
-    if (match) {
-      return match[1];
-    }
-  }
-  return void 0;
-};
-
 // ../rules-default/src/nokia/sros-rules.ts
 var SystemNameRequired = {
   id: "NOKIA-SYS-001",
@@ -15109,7 +14855,7 @@ var SystemNameRequired = {
     remediation: 'Configure system name using: system > name "<hostname>"'
   },
   check: (node) => {
-    const name = getSystemName2(node);
+    const name = getSystemName(node);
     if (!name || name.length === 0) {
       return {
         passed: false,
@@ -15143,7 +14889,7 @@ var PortDescriptionRequired = {
   },
   check: (node) => {
     const portName = node.id.replace(/^port\s+/i, "").trim();
-    if (!isPhysicalPort6(portName)) {
+    if (!isPhysicalPort3(portName)) {
       return {
         passed: true,
         message: "Not a physical port, description optional.",
@@ -15153,7 +14899,7 @@ var PortDescriptionRequired = {
         loc: node.loc
       };
     }
-    if (isAdminStateDisabled2(node)) {
+    if (isAdminStateDisabled(node)) {
       return {
         passed: true,
         message: "Port is disabled, description optional.",
@@ -15163,7 +14909,7 @@ var PortDescriptionRequired = {
         loc: node.loc
       };
     }
-    if (!hasDescription7(node)) {
+    if (!hasDescription4(node)) {
       return {
         passed: false,
         message: `Port ${portName} is enabled but has no description.`,
@@ -15175,7 +14921,7 @@ var PortDescriptionRequired = {
     }
     return {
       passed: true,
-      message: `Port ${portName} has description: ${getDescription4(node)}`,
+      message: `Port ${portName} has description: ${getDescription3(node)}`,
       ruleId: "NOKIA-PORT-001",
       nodeId: node.id,
       level: "info",
@@ -15195,7 +14941,7 @@ var BgpRouterIdRequired = {
     remediation: "Configure BGP router-id: bgp > router-id <ip-address>"
   },
   check: (node) => {
-    if (isAdminStateDisabled2(node)) {
+    if (isAdminStateDisabled(node)) {
       return {
         passed: true,
         message: "BGP is disabled.",
@@ -15205,7 +14951,7 @@ var BgpRouterIdRequired = {
         loc: node.loc
       };
     }
-    if (!hasBgpRouterId3(node)) {
+    if (!hasBgpRouterId2(node)) {
       return {
         passed: false,
         message: "BGP router-id is not configured. Configure a stable router-id.",
@@ -15217,7 +14963,7 @@ var BgpRouterIdRequired = {
     }
     return {
       passed: true,
-      message: `BGP router-id is configured: ${getBgpRouterId2(node)}`,
+      message: `BGP router-id is configured: ${getBgpRouterId(node)}`,
       ruleId: "NOKIA-BGP-001",
       nodeId: node.id,
       level: "info",
@@ -15239,40 +14985,6 @@ function getRulesByNokiaVendor() {
   return [...allCommonRules, ...allNokiaRules];
 }
 
-// ../../node_modules/.bun/@sentriflow+core@0.2.1+1fb4c65d43e298b9/node_modules/@sentriflow/core/src/helpers/cumulus/helpers.ts
-var isSwitchPort2 = (interfaceName) => {
-  const name = interfaceName.toLowerCase();
-  return /swp\d+/.test(name);
-};
-var isBridgeInterface4 = (interfaceName) => {
-  const name = interfaceName.toLowerCase();
-  return name.includes("bridge") || name === "br_default" || /^br\d+$/.test(name);
-};
-var isVlanAwareBridge2 = (node) => {
-  return node.children.some(
-    (child) => child.id.toLowerCase().includes("bridge-vlan-aware") && child.id.toLowerCase().includes("yes")
-  );
-};
-var getInterfaceName6 = (node) => {
-  const parts = node.id.split(/\s+/);
-  return parts[1] || node.id;
-};
-var hasDescription8 = (node) => {
-  return node.children.some(
-    (child) => child.id.toLowerCase().startsWith("alias ")
-  );
-};
-var hasBridgeVids2 = (node) => {
-  return node.children.some(
-    (child) => child.id.toLowerCase().startsWith("bridge-vids ")
-  );
-};
-var hasBgpRouterId4 = (node) => {
-  return node.children.some(
-    (child) => child.id.toLowerCase().startsWith("bgp router-id ")
-  );
-};
-
 // ../rules-default/src/cumulus/cumulus-rules.ts
 var CumulusInterfaceDescription = {
   id: "CUM-IF-001",
@@ -15286,8 +14998,8 @@ var CumulusInterfaceDescription = {
     remediation: 'Add "alias <description>" under the interface stanza.'
   },
   check: (node) => {
-    const ifaceName = getInterfaceName6(node);
-    if (!isSwitchPort2(ifaceName)) {
+    const ifaceName = getInterfaceName2(node);
+    if (!isSwitchPort(ifaceName)) {
       return {
         passed: true,
         message: "Not a switch port interface.",
@@ -15297,7 +15009,7 @@ var CumulusInterfaceDescription = {
         loc: node.loc
       };
     }
-    if (!hasDescription8(node)) {
+    if (!hasDescription2(node)) {
       return {
         passed: false,
         message: `Switch port "${ifaceName}" missing description (alias).`,
@@ -15329,8 +15041,8 @@ var CumulusBridgeVlans = {
     remediation: 'Add "bridge-vids <vlan-ids>" to define allowed VLANs on the bridge.'
   },
   check: (node) => {
-    const ifaceName = getInterfaceName6(node);
-    if (!isBridgeInterface4(ifaceName)) {
+    const ifaceName = getInterfaceName2(node);
+    if (!isBridgeInterface(ifaceName)) {
       return {
         passed: true,
         message: "Not a bridge interface.",
@@ -15340,7 +15052,7 @@ var CumulusBridgeVlans = {
         loc: node.loc
       };
     }
-    if (!isVlanAwareBridge2(node)) {
+    if (!isVlanAwareBridge(node)) {
       return {
         passed: true,
         message: "Not a VLAN-aware bridge.",
@@ -15350,7 +15062,7 @@ var CumulusBridgeVlans = {
         loc: node.loc
       };
     }
-    if (!hasBridgeVids2(node)) {
+    if (!hasBridgeVids(node)) {
       return {
         passed: false,
         message: `VLAN-aware bridge "${ifaceName}" has no VLANs (bridge-vids) configured.`,
@@ -15382,7 +15094,7 @@ var CumulusBgpRouterId = {
     remediation: 'Add "bgp router-id <ip>" to explicitly set router ID.'
   },
   check: (node) => {
-    if (!hasBgpRouterId4(node)) {
+    if (!hasBgpRouterId(node)) {
       return {
         passed: false,
         message: "BGP missing explicit router-id configuration.",
@@ -15418,7 +15130,7 @@ function getRulesByCumulusVendor() {
 
 // ../rules-default/src/json/cisco-json-rules.json
 var cisco_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Cisco IOS JSON Rules",
@@ -15615,7 +15327,7 @@ var cisco_json_rules_default = {
 
 // ../rules-default/src/json/common-json-rules.json
 var common_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Common JSON Rules",
@@ -15663,7 +15375,7 @@ var common_json_rules_default = {
 
 // ../rules-default/src/json/juniper-json-rules.json
 var juniper_json_rules_default = {
-  $schema: "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  $schema: "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   version: "1.0",
   meta: {
     name: "Juniper JunOS JSON Rules",
@@ -16172,6 +15884,9 @@ function isValidSentriflowConfig(config) {
       return false;
     }
   }
+  if (obj.filterSpecialIps !== void 0 && typeof obj.filterSpecialIps !== "boolean") {
+    return false;
+  }
   return true;
 }
 function isValidDirectoryConfig(config) {
@@ -16967,7 +16682,7 @@ function enrichResultsWithRuleMetadata(results, rules) {
   });
 }
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.3.0").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.4.0").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option(
   "--pack <path...>",
   "Path(s) to rule pack(s) (auto-detects format: .grx2, .grpx, or unencrypted)"
 ).option(
@@ -17025,7 +16740,10 @@ program.name("sentriflow").description("SentriFlow Network Configuration Validat
   "--max-depth <number>",
   "Maximum recursion depth for directory scanning (use with -R)",
   (val) => parseInt(val, 10)
-).option("--progress", "Show progress during directory scanning").action(async (files, options) => {
+).option("--progress", "Show progress during directory scanning").option(
+  "--filter-special-ips",
+  "Filter out special IP ranges (loopback, multicast, reserved, broadcast) from IP summary"
+).action(async (files, options) => {
   try {
     if (options.showMachineId) {
       try {
@@ -17099,6 +16817,19 @@ Use: sentriflow --vendor <vendor> <file>`);
       allowedBaseDirs
       // SEC-011: Pass allowed base dirs for rule file validation
     });
+    let filterSpecialIps = options.filterSpecialIps ?? false;
+    if (!options.filterSpecialIps && options.config !== false) {
+      const configPath = options.config ?? findConfigFile(configSearchDir);
+      if (configPath) {
+        try {
+          const config = await loadConfigFile(configPath, allowedBaseDirs);
+          if (config.filterSpecialIps) {
+            filterSpecialIps = true;
+          }
+        } catch {
+        }
+      }
+    }
     if (options.listCategories) {
       const counts = /* @__PURE__ */ new Map();
       for (const rule of rules) {
@@ -17338,7 +17069,21 @@ Parsing complete: ${allAsts.length} files`);
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          let fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          if (filterSpecialIps) {
+            fileIpSummary = filterIPSummary(fileIpSummary, {
+              keepPublic: true,
+              keepPrivate: true,
+              keepCgnat: true,
+              keepLoopback: false,
+              keepLinkLocal: false,
+              keepMulticast: false,
+              keepReserved: false,
+              keepUnspecified: false,
+              keepBroadcast: false,
+              keepDocumentation: false
+            });
+          }
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -17454,6 +17199,20 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       let stdinIpSummary;
       try {
         stdinIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+        if (filterSpecialIps) {
+          stdinIpSummary = filterIPSummary(stdinIpSummary, {
+            keepPublic: true,
+            keepPrivate: true,
+            keepCgnat: true,
+            keepLoopback: false,
+            keepLinkLocal: false,
+            keepMulticast: false,
+            keepReserved: false,
+            keepUnspecified: false,
+            keepBroadcast: false,
+            keepDocumentation: false
+          });
+        }
       } catch (error) {
         if (error instanceof InputValidationError) {
           console.error(`Input validation error: ${error.message}`);
@@ -17531,7 +17290,21 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          let fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+          if (filterSpecialIps) {
+            fileIpSummary = filterIPSummary(fileIpSummary, {
+              keepPublic: true,
+              keepPrivate: true,
+              keepCgnat: true,
+              keepLoopback: false,
+              keepLinkLocal: false,
+              keepMulticast: false,
+              keepReserved: false,
+              keepUnspecified: false,
+              keepBroadcast: false,
+              keepDocumentation: false
+            });
+          }
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -17647,7 +17420,21 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     if (options.quiet) {
       results = results.filter((r) => !r.passed);
     }
-    const ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
+    let ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
+    if (filterSpecialIps) {
+      ipSummary = filterIPSummary(ipSummary, {
+        keepPublic: true,
+        keepPrivate: true,
+        keepCgnat: true,
+        keepLoopback: false,
+        keepLinkLocal: false,
+        keepMulticast: false,
+        keepReserved: false,
+        keepUnspecified: false,
+        keepBroadcast: false,
+        keepDocumentation: false
+      });
+    }
     if (options.format === "sarif") {
       const sarifOptions = {
         relativePaths: options.relativePaths,
@@ -17693,6 +17480,23 @@ async function loadLicensingExtension() {
       licensing.registerCommands(program);
     }
   } catch {
+    const licensingMessage = `
+Cloud licensing features require the @sentriflow/licensing package.
+
+This package is provided to customers after purchasing a license.
+Visit https://sentriflow.com.au/pricing for more information.
+
+Once you have a license, you'll receive access to the private package
+and can enable cloud features like pack downloads and license activation.
+`.trim();
+    const fallbackAction = () => {
+      console.log(licensingMessage);
+      process.exit(0);
+    };
+    program.command("activate").description("Activate your SentriFlow license (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("update").description("Check and download pack updates (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("offline").description("Manage offline bundles (requires @sentriflow/licensing)").action(fallbackAction);
+    program.command("license").description("Show license status (requires @sentriflow/licensing)").action(fallbackAction);
   }
 }
 loadLicensingExtension().finally(() => {