@sentriflow/cli 0.4.1 → 0.4.2

package/dist/index.js

@@ -4698,36 +4698,6 @@ var RuleEngine = class {
   }
 };
 
-// ../core/src/pack-loader/types.ts
-var PackLoadError = class extends Error {
-  constructor(code, message, details) {
-    super(message);
-    this.code = code;
-    this.details = details;
-    this.name = "PackLoadError";
-    if (Error.captureStackTrace) {
-      Error.captureStackTrace(this, this.constructor);
-    }
-  }
-};
-var GRPX_CONSTANTS = {
-  MAGIC: "GRPX",
-  HEADER_SIZE: 76,
-  CURRENT_VERSION: 1,
-  ALG_AES_256_GCM: 1,
-  KDF_PBKDF2: 1,
-  KDF_ARGON2ID: 2,
-  PBKDF2_ITERATIONS: 1e5,
-  KEY_LENGTH: 32,
-  IV_LENGTH: 12,
-  TAG_LENGTH: 16,
-  SALT_LENGTH: 32
-};
-
-// ../core/src/pack-loader/PackLoader.ts
-import { createDecipheriv, pbkdf2Sync } from "crypto";
-import { createContext, Script } from "vm";
-
 // ../core/src/helpers/index.ts
 var helpers_exports = {};
 __export(helpers_exports, {
@@ -10470,110 +10440,6 @@ function buildAllHelpers() {
   return result;
 }
 var allHelpers = buildAllHelpers();
-async function loadEncryptedPack(packData, options) {
-  const { licenseKey, machineId: machineId2, getActivationCount, timeout = 5e3 } = options;
-  if (packData.length < GRPX_CONSTANTS.HEADER_SIZE) {
-    throw new PackLoadError("INVALID_FORMAT", "Pack file too small");
-  }
-  const magic = packData.toString("utf8", 0, 4);
-  if (magic !== GRPX_CONSTANTS.MAGIC) {
-    throw new PackLoadError("INVALID_FORMAT", "Invalid pack format (bad magic)");
-  }
-  const version = packData.readUInt8(4);
-  const algorithm = packData.readUInt8(5);
-  const kdf = packData.readUInt8(6);
-  const iv = packData.subarray(12, 24);
-  const tag = packData.subarray(24, 40);
-  const salt = packData.subarray(40, 72);
-  const payloadLength = packData.readUInt32BE(72);
-  const encryptedPayload = packData.subarray(
-    GRPX_CONSTANTS.HEADER_SIZE,
-    GRPX_CONSTANTS.HEADER_SIZE + payloadLength
-  );
-  if (version !== GRPX_CONSTANTS.CURRENT_VERSION) {
-    throw new PackLoadError("INVALID_FORMAT", `Unsupported version: ${version}`);
-  }
-  if (algorithm !== GRPX_CONSTANTS.ALG_AES_256_GCM) {
-    throw new PackLoadError("INVALID_FORMAT", `Unsupported algorithm: ${algorithm}`);
-  }
-  let key;
-  if (kdf === GRPX_CONSTANTS.KDF_PBKDF2) {
-    key = pbkdf2Sync(
-      licenseKey,
-      salt,
-      GRPX_CONSTANTS.PBKDF2_ITERATIONS,
-      GRPX_CONSTANTS.KEY_LENGTH,
-      "sha256"
-    );
-  } else {
-    throw new PackLoadError("INVALID_FORMAT", `Unsupported KDF: ${kdf}`);
-  }
-  let decryptedSource;
-  try {
-    const decipher = createDecipheriv("aes-256-gcm", key, iv);
-    decipher.setAuthTag(tag);
-    const decrypted = Buffer.concat([
-      decipher.update(encryptedPayload),
-      decipher.final()
-    ]);
-    decryptedSource = decrypted.toString("utf8");
-  } catch (error) {
-    const errorType = error instanceof Error ? error.name : "Unknown";
-    const errorMsg = error instanceof Error ? error.message : "Unknown error";
-    if (process.env.DEBUG) {
-      console.error(`[PackLoader] Decryption failed: ${errorType} - ${errorMsg}`);
-    }
-    throw new PackLoadError(
-      "DECRYPTION_FAILED",
-      "Invalid license key or corrupted pack"
-    );
-  }
-  const sandbox = createValidationSandbox({ machineId: machineId2, getActivationCount });
-  const context = createContext(sandbox);
-  let vmResult;
-  try {
-    const script = new Script(decryptedSource, {
-      filename: "pack.js",
-      timeout
-    });
-    const factory = script.runInContext(context);
-    vmResult = factory(sandbox);
-    if (!vmResult || !Array.isArray(vmResult.rules)) {
-      throw new PackLoadError("VALIDATION_FAILED", "Invalid pack structure");
-    }
-  } catch (error) {
-    if (error instanceof PackLoadError) {
-      throw error;
-    }
-    const msg = error instanceof Error ? error.message : String(error);
-    if (msg.includes("EXPIRED")) {
-      throw new PackLoadError("EXPIRED", msg);
-    }
-    if (msg.includes("MACHINE_MISMATCH")) {
-      throw new PackLoadError("MACHINE_MISMATCH", msg);
-    }
-    if (msg.includes("ACTIVATION_LIMIT")) {
-      throw new PackLoadError("ACTIVATION_LIMIT", msg);
-    }
-    throw new PackLoadError("VALIDATION_FAILED", msg);
-  }
-  const nativeRules = vmResult.rules.map((ruleDef) => {
-    const checkFn = compileNativeCheckFunction(ruleDef.checkSource);
-    return {
-      id: ruleDef.id,
-      selector: ruleDef.selector,
-      vendor: ruleDef.vendor,
-      metadata: ruleDef.metadata,
-      check: checkFn
-    };
-  });
-  return {
-    metadata: vmResult.metadata,
-    rules: nativeRules,
-    validUntil: vmResult.validUntil,
-    licenseInfo: vmResult.licenseInfo ?? void 0
-  };
-}
 var helperNames = Object.keys(allHelpers).filter(
   (key) => typeof allHelpers[key] === "function" || typeof allHelpers[key] === "object"
 );
@@ -10589,68 +10455,6 @@ function compileNativeCheckFunction(source) {
   const compiledFn = wrapperFn(allHelpers);
   return compiledFn;
 }
-function createValidationSandbox(options) {
-  const RealDate = Date;
-  return Object.freeze({
-    // Safe Date access (read-only, can't be mocked)
-    Date: Object.freeze({
-      now: () => RealDate.now(),
-      parse: (s) => RealDate.parse(s)
-    }),
-    // Safe JSON access
-    JSON: Object.freeze({
-      parse: JSON.parse,
-      stringify: JSON.stringify
-    }),
-    // Safe Math access
-    Math: Object.freeze(Math),
-    // No-op console (for debugging in pack factory)
-    console: Object.freeze({
-      log: () => {
-      },
-      warn: () => {
-      },
-      error: () => {
-      }
-    }),
-    // Provided context for validation
-    machineId: options.machineId,
-    getActivationCount: options.getActivationCount,
-    // Basic primitives
-    undefined: void 0,
-    null: null,
-    NaN: NaN,
-    Infinity: Infinity,
-    // Required for error throwing in factory
-    Error
-  });
-}
-function validatePackFormat(packData) {
-  if (packData.length < GRPX_CONSTANTS.HEADER_SIZE) {
-    return false;
-  }
-  const magic = packData.toString("utf8", 0, 4);
-  if (magic !== GRPX_CONSTANTS.MAGIC) {
-    return false;
-  }
-  const version = packData.readUInt8(4);
-  if (version !== GRPX_CONSTANTS.CURRENT_VERSION) {
-    return false;
-  }
-  const algorithm = packData.readUInt8(5);
-  if (algorithm !== GRPX_CONSTANTS.ALG_AES_256_GCM) {
-    return false;
-  }
-  const kdf = packData.readUInt8(6);
-  if (kdf !== GRPX_CONSTANTS.KDF_PBKDF2) {
-    return false;
-  }
-  const payloadLength = packData.readUInt32BE(72);
-  if (packData.length < GRPX_CONSTANTS.HEADER_SIZE + payloadLength) {
-    return false;
-  }
-  return true;
-}
 
 // ../core/src/pack-loader/format-detector.ts
 import { open } from "node:fs/promises";
@@ -10658,12 +10462,10 @@ import { resolve } from "node:path";
 var FORMAT_PRIORITIES = {
   unknown: 0,
   unencrypted: 100,
-  grpx: 200,
   grx2: 300
 };
 var MAGIC_BYTES = {
-  GRX2: Buffer.from("GRX2", "ascii"),
-  GRPX: Buffer.from("GRPX", "ascii")
+  GRX2: Buffer.from("GRX2", "ascii")
 };
 var MAGIC_BYTES_LENGTH = 4;
 async function detectPackFormat(filePath) {
@@ -10688,9 +10490,6 @@ async function detectPackFormat(filePath) {
     if (buffer.equals(MAGIC_BYTES.GRX2)) {
       return "grx2";
     }
-    if (buffer.equals(MAGIC_BYTES.GRPX)) {
-      return "grpx";
-    }
     return "unencrypted";
   } catch (error) {
     if (error instanceof Error) {
@@ -10738,9 +10537,9 @@ async function getMachineId() {
 
 // ../core/src/grx2-loader/GRX2ExtendedLoader.ts
 import {
-  createDecipheriv as createDecipheriv2,
+  createDecipheriv,
   createHash,
-  pbkdf2Sync as pbkdf2Sync2,
+  pbkdf2Sync,
   timingSafeEqual
 } from "node:crypto";
 import { readFile, readdir } from "node:fs/promises";
@@ -10756,11 +10555,11 @@ function deriveLDK(licenseKey, ldkSalt, machineId2) {
     ldkSalt,
     Buffer.from(machineId2, "utf-8")
   ]);
-  return pbkdf2Sync2(licenseKey, combinedSalt, PBKDF2_ITERATIONS, AES_KEY_SIZE, "sha256");
+  return pbkdf2Sync(licenseKey, combinedSalt, PBKDF2_ITERATIONS, AES_KEY_SIZE, "sha256");
 }
 function decrypt(ciphertext, key, iv, authTag) {
   try {
-    const decipher = createDecipheriv2(AES_ALGORITHM, key, iv);
+    const decipher = createDecipheriv(AES_ALGORITHM, key, iv);
     decipher.setAuthTag(authTag);
     const plaintext = Buffer.concat([
       decipher.update(ciphertext),
@@ -11151,7 +10950,7 @@ function getHelperRegistry() {
 }
 
 // ../core/src/json-rules/ExpressionEvaluator.ts
-import { createContext as createContext2, Script as Script2 } from "vm";
+import { createContext, Script } from "vm";
 var MAX_EXPR_LENGTH = 1e3;
 var EXPR_TIMEOUT_MS = 50;
 var BLOCKED_PATTERNS = [
@@ -11271,7 +11070,7 @@ var ExpressionEvaluator = class {
         sandboxObj[namespace] = Object.freeze({ ...vendorHelpers });
       }
     }
-    return createContext2(Object.freeze(sandboxObj));
+    return createContext(Object.freeze(sandboxObj));
   }
   /**
    * Pre-compile an expression for later evaluation.
@@ -11288,7 +11087,7 @@ var ExpressionEvaluator = class {
       return true;
     }
     try {
-      const script = new Script2(`(${expr})`, {
+      const script = new Script(`(${expr})`, {
         filename: "expr.js"
       });
       scriptCache.set(expr, script);
@@ -11311,7 +11110,7 @@ var ExpressionEvaluator = class {
     let script = scriptCache.get(expr);
     if (!script) {
       try {
-        script = new Script2(`(${expr})`, {
+        script = new Script(`(${expr})`, {
           filename: "expr.js"
         });
         scriptCache.set(expr, script);
@@ -11319,7 +11118,7 @@ var ExpressionEvaluator = class {
         return false;
       }
     }
-    const evalContext = createContext2({
+    const evalContext = createContext({
       ...this.sandbox,
       node: createSafeNode(node)
     });
@@ -12524,7 +12323,7 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.4.1",
+            version: "0.4.2",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -12684,7 +12483,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.4.1",
+            version: "0.4.2",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -15767,6 +15566,101 @@ async function createPackDescriptors(packPaths) {
   return descriptors;
 }
 
+// src/loaders/pack-loader.ts
+async function loadGRX2Pack(options) {
+  const { filePath, licenseKey, machineId: machineId2, cacheDir } = options;
+  try {
+    const rulePack = await loadExtendedPack(filePath, licenseKey, machineId2);
+    return {
+      rulePack,
+      usedLicensingLoader: false
+    };
+  } catch (coreError) {
+    const errorCode = coreError?.code;
+    if (errorCode !== "NOT_EXTENDED_FORMAT") {
+      throw coreError;
+    }
+    try {
+      const licensingModulePath = "@sentriflow/licensing";
+      const licensing = await import(
+        /* @vite-ignore */
+        licensingModulePath
+      );
+      const effectiveCacheDir = cacheDir ?? licensing.getDefaultCacheDir();
+      const cacheManager = licensing.createCacheManager(licenseKey, machineId2, effectiveCacheDir);
+      let tierTMK;
+      let tierTMKs;
+      try {
+        const cachedTMK = await cacheManager.getTierTMK();
+        if (cachedTMK) {
+          tierTMK = Buffer.from(cachedTMK.tmk, "base64");
+        }
+        const allTMKs = await cacheManager.tmkCache.getAllTierTMKs();
+        if (allTMKs.size > 0) {
+          tierTMKs = /* @__PURE__ */ new Map();
+          for (const [tierId, tmkData] of allTMKs) {
+            tierTMKs.set(tierId, Buffer.from(tmkData.tmk, "base64"));
+          }
+        }
+      } catch (cacheError) {
+        if (process.env.DEBUG) {
+          console.debug(
+            "[pack-loader] TMK cache retrieval skipped:",
+            cacheError instanceof Error ? cacheError.message : "Unknown error"
+          );
+        }
+      }
+      const loader = new licensing.GRX2Loader({
+        formatPolicy: "auto",
+        licenseKey,
+        machineId: machineId2,
+        tierTMK,
+        tierTMKs
+      });
+      const result = await loader.loadFromFile(filePath);
+      return {
+        rulePack: result.rulePack,
+        usedLicensingLoader: true
+      };
+    } catch (licensingError) {
+      if (isModuleNotFoundError(licensingError)) {
+        throw new Error('Pack requires v2 format support - run "sentriflow activate" first');
+      }
+      throw licensingError;
+    }
+  }
+}
+function isModuleNotFoundError(error) {
+  return error instanceof Error && (error.message.includes("Cannot find module") || error.message.includes("Cannot find package") || error.code === "ERR_MODULE_NOT_FOUND");
+}
+function sanitizeErrorMessage(msg) {
+  const sanitized = msg.replace(/(?:\/[\w.-]+)+\/([\w.-]+)/g, "$1");
+  return sanitized.replace(/\s+at\s+.+/g, "").trim();
+}
+function mapGRX2LoadError(error) {
+  if (error instanceof Error && "code" in error) {
+    const code = error.code;
+    const messages = {
+      // GRX2LoaderError codes (from licensing)
+      HEADER_INVALID: "Pack file is corrupted or invalid",
+      DECRYPTION_FAILED: "Failed to decrypt pack (invalid key or corrupted data)",
+      PARSE_ERROR: "Pack content is malformed",
+      FILE_READ_ERROR: "Cannot read pack file",
+      HASH_MISMATCH: "Pack integrity check failed",
+      TMK_NOT_AVAILABLE: 'License not activated - run "sentriflow activate" first',
+      // EncryptedPackError codes (from core)
+      LICENSE_MISSING: "Invalid or missing license key",
+      LICENSE_EXPIRED: "License has expired",
+      LICENSE_INVALID: "License key is invalid for this pack",
+      MACHINE_MISMATCH: "License is not valid for this machine",
+      PACK_CORRUPTED: "Pack file is corrupted or invalid",
+      NOT_EXTENDED_FORMAT: "Pack requires extended format (v3) - activate license for v2 pack support"
+    };
+    return messages[code] ?? "Pack load failed";
+  }
+  return error instanceof Error ? sanitizeErrorMessage(error.message) : "Pack load failed";
+}
+
 // src/loaders/index.ts
 function validatePathOrThrow(path, pathValidator, errorContext, baseDirs) {
   const validation = pathValidator(path, baseDirs);
@@ -16083,44 +15977,6 @@ async function loadRulePackFile(packPath, baseDirs) {
     errorContext: "rule pack"
   });
 }
-function mapPackLoadError(error) {
-  const messages = {
-    DECRYPTION_FAILED: "Invalid license key for encrypted pack",
-    EXPIRED: "Encrypted pack has expired",
-    MACHINE_MISMATCH: "License is not valid for this machine",
-    ACTIVATION_LIMIT: "Maximum activations exceeded for this license"
-  };
-  throw new SentriflowConfigError(
-    messages[error.code] ?? `Failed to load encrypted pack: ${error.message}`
-  );
-}
-async function loadEncryptedRulePack(packPath, licenseKey, baseDirs) {
-  const canonicalPath = validatePathOrThrow(
-    packPath,
-    validatePackPath,
-    "encrypted pack",
-    baseDirs
-  );
-  try {
-    const packData = await readFileAsync(canonicalPath);
-    if (!validatePackFormat(packData)) {
-      throw new SentriflowConfigError("Invalid encrypted pack format");
-    }
-    const loadedPack = await loadEncryptedPack(packData, {
-      licenseKey,
-      timeout: 1e4
-    });
-    return {
-      ...loadedPack.metadata,
-      priority: 200,
-      rules: loadedPack.rules
-    };
-  } catch (error) {
-    if (error instanceof PackLoadError) mapPackLoadError(error);
-    if (error instanceof SentriflowConfigError) throw error;
-    throw new SentriflowConfigError("Failed to load encrypted rule pack");
-  }
-}
 async function resolveRules(options = {}) {
   const {
     configPath,
@@ -16226,9 +16082,7 @@ async function resolveRules(options = {}) {
       console.error(`Warning: Pack detection failed: ${errorMsg}`);
       packDescriptors = [];
     }
-    const hasEncryptedPacks = packDescriptors.some(
-      (d) => d.format === "grx2" || d.format === "grpx"
-    );
+    const hasEncryptedPacks = packDescriptors.some((d) => d.format === "grx2");
     if (hasEncryptedPacks && !licenseKey) {
       const errorMsg = "License key required for encrypted packs (use --license-key or set SENTRIFLOW_LICENSE_KEY)";
       if (strictPacks) {
@@ -16269,24 +16123,12 @@ async function resolveRules(options = {}) {
               console.error(`Warning: Skipping GRX2 pack (no machine ID): ${desc.path}`);
               continue;
             }
-            loadedPack = await loadExtendedPack(
-              validation.canonicalPath,
+            const result = await loadGRX2Pack({
+              filePath: validation.canonicalPath,
               licenseKey,
-              machineId2
-            );
-            loadedPack.priority = desc.priority;
-            break;
-          }
-          case "grpx": {
-            if (!licenseKey) {
-              console.error(`Warning: Skipping GRPX pack (no license key): ${desc.path}`);
-              continue;
-            }
-            loadedPack = await loadEncryptedRulePack(
-              validation.canonicalPath,
-              licenseKey,
-              allowedBaseDirs
-            );
+              machineId: machineId2
+            });
+            loadedPack = result.rulePack;
             loadedPack.priority = desc.priority;
             break;
           }
@@ -16306,21 +16148,7 @@ async function resolveRules(options = {}) {
         loadedCount++;
         totalRules += loadedPack.rules.length;
       } catch (error) {
-        let errorMsg;
-        if (error instanceof EncryptedPackError) {
-          const messages = {
-            LICENSE_MISSING: "Invalid or missing license key",
-            LICENSE_EXPIRED: "License has expired",
-            LICENSE_INVALID: "License key is invalid for this pack",
-            DECRYPTION_FAILED: "Failed to decrypt pack (invalid key or corrupted data)",
-            MACHINE_MISMATCH: "License is not valid for this machine",
-            PACK_CORRUPTED: "Pack file is corrupted or invalid",
-            NOT_EXTENDED_FORMAT: "Pack is not in extended GRX2 format"
-          };
-          errorMsg = messages[error.code] ?? `Pack load error: ${error.message}`;
-        } else {
-          errorMsg = error instanceof Error ? error.message : "Unknown error";
-        }
+        const errorMsg = mapGRX2LoadError(error);
         if (strictPacks) {
           throw new SentriflowConfigError(
             `Failed to load pack '${desc.path}': ${errorMsg}`
@@ -16682,9 +16510,9 @@ function enrichResultsWithRuleMetadata(results, rules) {
   });
 }
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.4.1").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.4.2").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option(
   "--pack <path...>",
-  "Path(s) to rule pack(s) (auto-detects format: .grx2, .grpx, or unencrypted)"
+  "Path(s) to rule pack(s) (.grx2 encrypted or unencrypted JS/TS modules)"
 ).option(
   "--license-key <key>",
   "License key for encrypted rule packs (or set SENTRIFLOW_LICENSE_KEY)"
@@ -17380,7 +17208,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     } else {
       try {
         vendor = getVendor(options.vendor);
-      } catch (e) {
+      } catch {
         console.error(`Error: Unknown vendor '${options.vendor}'`);
         console.error(
           `Available vendors: ${getAvailableVendors().join(", ")}, auto`
@@ -17477,7 +17305,7 @@ async function loadLicensingExtension() {
       licensingModulePath
     );
     if (licensing.registerCommands) {
-      licensing.registerCommands(program);
+      licensing.registerCommands(program, { cliVersion: "0.4.2" });
     }
   } catch {
     const licensingMessage = `

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentriflow/cli",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "SentriFlow CLI - Network configuration linter and validator",
   "license": "Apache-2.0",
   "main": "dist/index.js",