@sentriflow/core 0.1.0

package/src/parser/vendors/arista-eos.ts

@@ -0,0 +1,206 @@
+// packages/core/src/parser/vendors/arista-eos.ts
+
+import type { VendorSchema } from '../VendorSchema';
+
+/**
+ * Arista EOS (Extensible Operating System) configuration schema.
+ *
+ * Arista EOS is heavily based on Cisco IOS-like syntax but includes
+ * unique features and constructs specific to Arista switches:
+ *
+ * - **MLAG (Multi-Chassis Link Aggregation)**: peer-link, domain-id
+ * - **VXLAN**: vxlan vni, vxlan flood vtep
+ * - **eAPI**: management api http-commands
+ * - **Daemon**: custom daemon configurations
+ * - **Event-handler**: event-driven automation
+ * - **CVX (CloudVision Exchange)**: CVX service integration
+ * - **Traffic policies**: hardware counters, queuing
+ *
+ * Configuration structure:
+ * - Uses indentation-based hierarchy (like Cisco IOS)
+ * - '!' serves as comment marker and section delimiter
+ * - exit/end commands to close blocks
+ * - No braces for hierarchy
+ *
+ * Example config:
+ * ```
+ * hostname arista-leaf-01
+ * !
+ * interface Ethernet1
+ *    description Uplink to Spine
+ *    mtu 9214
+ *    no switchport
+ *    ip address 10.0.0.1/30
+ * !
+ * mlag configuration
+ *    domain-id MLAG_DOMAIN
+ *    local-interface Vlan4094
+ *    peer-address 10.0.0.2
+ *    peer-link Port-Channel1
+ * !
+ * ```
+ */
+export const AristaEOSSchema: VendorSchema = {
+  id: 'arista-eos',
+  name: 'Arista EOS',
+  useBraceHierarchy: false,
+
+  commentPatterns: [/^!/],
+  sectionDelimiter: '!',
+
+  blockStarters: [
+    // ============ DEPTH 0: Top-level blocks ============
+
+    // Interface blocks (all interface types)
+    { pattern: /^interface\s+\S+/i, depth: 0 },
+
+    // Routing protocols
+    { pattern: /^router\s+(?!router-id)\S+/i, depth: 0 },
+
+    // VLAN configuration
+    { pattern: /^vlan\s+\d+/i, depth: 0 },
+
+    // ACL and Security
+    { pattern: /^ip\s+access-list\s+\S+/i, depth: 0 },
+    { pattern: /^ipv6\s+access-list\s+\S+/i, depth: 0 },
+    { pattern: /^mac\s+access-list\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+prefix-list\s+\S+/i, depth: 0 },
+    { pattern: /^ipv6\s+prefix-list\s+\S+/i, depth: 0 },
+    { pattern: /^route-map\s+\S+/i, depth: 0 },
+    { pattern: /^as-path\s+access-list\s+\S+/i, depth: 0 },
+    { pattern: /^community-list\s+\S+/i, depth: 0 },
+
+    // QoS
+    { pattern: /^class-map\s+\S+/i, depth: 0 },
+    { pattern: /^policy-map\s+\S+/i, depth: 0 },
+    { pattern: /^control-plane/i, depth: 0 },
+
+    // Line and management
+    { pattern: /^line\s+(vty|console)\s+\S+/i, depth: 0 },
+    { pattern: /^line\s+\d+/i, depth: 0 },
+
+    // AAA
+    { pattern: /^aaa\s+\S+/i, depth: 0 },
+    { pattern: /^tacacs-server\s+\S+/i, depth: 0 },
+    { pattern: /^radius-server\s+\S+/i, depth: 0 },
+
+    // VRF
+    { pattern: /^vrf\s+instance\s+\S+/i, depth: 0 },
+    { pattern: /^vrf\s+definition\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+routing\s+vrf\s+\S+/i, depth: 0 },
+
+    // ============ Arista-specific top-level blocks ============
+
+    // MLAG configuration
+    { pattern: /^mlag\s+configuration/i, depth: 0 },
+
+    // VXLAN configuration
+    { pattern: /^interface\s+Vxlan\d*/i, depth: 0 },
+
+    // Management API (eAPI)
+    { pattern: /^management\s+api\s+\S+/i, depth: 0 },
+    { pattern: /^management\s+ssh/i, depth: 0 },
+    { pattern: /^management\s+telnet/i, depth: 0 },
+    { pattern: /^management\s+security/i, depth: 0 },
+    { pattern: /^management\s+console/i, depth: 0 },
+    { pattern: /^management\s+cvx/i, depth: 0 },
+
+    // Daemon configuration
+    { pattern: /^daemon\s+\S+/i, depth: 0 },
+
+    // Event handler
+    { pattern: /^event-handler\s+\S+/i, depth: 0 },
+
+    // CVX (CloudVision Exchange)
+    { pattern: /^cvx/i, depth: 0 },
+
+    // Spanning tree
+    { pattern: /^spanning-tree\s+\S+/i, depth: 0 },
+
+    // Port-channel
+    { pattern: /^port-channel\s+\S+/i, depth: 0 },
+
+    // Monitor session (SPAN)
+    { pattern: /^monitor\s+session\s+\S+/i, depth: 0 },
+
+    // Tap aggregation
+    { pattern: /^tap\s+aggregation/i, depth: 0 },
+
+    // Traffic policy
+    { pattern: /^traffic-policy\s+\S+/i, depth: 0 },
+
+    // Peer filter
+    { pattern: /^peer-filter\s+\S+/i, depth: 0 },
+
+    // Hardware counters
+    { pattern: /^hardware\s+counter\s+\S+/i, depth: 0 },
+
+    // Queue monitor
+    { pattern: /^queue-monitor\s+\S+/i, depth: 0 },
+
+    // SFlow
+    { pattern: /^sflow\s+\S*/i, depth: 0 },
+
+    // LLDP
+    { pattern: /^lldp\s+\S*/i, depth: 0 },
+
+    // BFD
+    { pattern: /^bfd/i, depth: 0 },
+
+    // PTP (Precision Time Protocol)
+    { pattern: /^ptp/i, depth: 0 },
+
+    // MPLS
+    { pattern: /^mpls\s+\S+/i, depth: 0 },
+
+    // IP virtual-router
+    { pattern: /^ip\s+virtual-router\s+\S+/i, depth: 0 },
+
+    // Multicast
+    { pattern: /^ip\s+multicast-routing/i, depth: 0 },
+    { pattern: /^ip\s+pim\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+igmp\s+snooping/i, depth: 0 },
+
+    // EVPN
+    { pattern: /^router\s+bgp\s+\d+/i, depth: 0 },
+
+    // Loopback, SVI, Port-Channel interfaces
+    { pattern: /^interface\s+Loopback\d+/i, depth: 0 },
+    { pattern: /^interface\s+Vlan\d+/i, depth: 0 },
+    { pattern: /^interface\s+Port-Channel\d+/i, depth: 0 },
+    { pattern: /^interface\s+Management\d+/i, depth: 0 },
+
+    // Other common blocks
+    { pattern: /^key\s+chain\s+\S+/i, depth: 0 },
+    { pattern: /^track\s+\d+/i, depth: 0 },
+    { pattern: /^ip\s+sla\s+\d+/i, depth: 0 },
+    { pattern: /^snmp-server\s+\S+/i, depth: 0 },
+    { pattern: /^banner\s+(motd|login|exec)/i, depth: 0 },
+    { pattern: /^logging\s+\S+/i, depth: 0 },
+    { pattern: /^ntp\s+\S+/i, depth: 0 },
+
+    // ============ DEPTH 1: Inside routing protocols ============
+
+    { pattern: /^address-family\s+\S+/i, depth: 1 },
+    { pattern: /^vrf\s+\S+/i, depth: 1 },
+    { pattern: /^neighbor\s+\S+/i, depth: 1 },
+    { pattern: /^network\s+\S+/i, depth: 1 },
+    { pattern: /^class\s+\S+/i, depth: 1 },
+    { pattern: /^redistribute\s+\S+/i, depth: 1 },
+
+    // EVPN address family
+    { pattern: /^address-family\s+evpn/i, depth: 1 },
+
+    // ============ DEPTH 2: Inside address-family ============
+
+    { pattern: /^neighbor\s+\S+\s+activate/i, depth: 2 },
+    { pattern: /^neighbor\s+\S+\s+\S+/i, depth: 2 },
+  ],
+
+  blockEnders: [
+    /^exit-address-family$/i,
+    /^exit-vrf$/i,
+    /^exit$/i,
+    /^end$/i,
+  ],
+};

package/src/parser/vendors/aruba-aoscx.ts

@@ -0,0 +1,123 @@
+// packages/core/src/parser/vendors/aruba-aoscx.ts
+
+import type { VendorSchema } from '../VendorSchema';
+
+/**
+ * Aruba AOS-CX configuration schema.
+ *
+ * AOS-CX is used on modern Aruba CX series switches (6100, 6200, 6300, 8xxx).
+ * It uses a Cisco-like indent-based hierarchy with '!' as comment/delimiter.
+ *
+ * Key characteristics:
+ * - Interface naming: slot/member/port format (e.g., 1/1/1, 1/1/2)
+ * - VLAN interfaces: interface vlan 100
+ * - LAGs: interface lag 100
+ * - Port configuration: vlan access/trunk commands under interface
+ *
+ * Configuration structure:
+ * - Top-level: interface, vlan, router, vrf, access-list, etc.
+ * - Nested: address-family inside router protocols
+ */
+export const ArubaAOSCXSchema: VendorSchema = {
+  id: 'aruba-aoscx',
+  name: 'Aruba AOS-CX',
+  useBraceHierarchy: false,
+
+  commentPatterns: [/^!/],
+  sectionDelimiter: '!',
+
+  blockStarters: [
+    // ============ DEPTH 0: Top-level blocks ============
+
+    // Physical interfaces (slot/member/port format)
+    { pattern: /^interface\s+\d+\/\d+\/\d+/i, depth: 0 },
+
+    // VLAN interfaces
+    { pattern: /^interface\s+vlan\s*\d+/i, depth: 0 },
+
+    // LAG interfaces
+    { pattern: /^interface\s+lag\s*\d+/i, depth: 0 },
+
+    // Loopback interfaces
+    { pattern: /^interface\s+loopback\s*\d+/i, depth: 0 },
+
+    // Management interface
+    { pattern: /^interface\s+mgmt/i, depth: 0 },
+
+    // VLAN definitions
+    { pattern: /^vlan\s+\d+/i, depth: 0 },
+
+    // VRF definitions
+    { pattern: /^vrf\s+\S+/i, depth: 0 },
+
+    // Routing protocols
+    { pattern: /^router\s+ospf\s+\d+/i, depth: 0 },
+    { pattern: /^router\s+ospfv3\s+\d+/i, depth: 0 },
+    { pattern: /^router\s+bgp\s+\d+/i, depth: 0 },
+
+    // Access lists and prefix lists
+    { pattern: /^access-list\s+ip\s+\S+/i, depth: 0 },
+    { pattern: /^access-list\s+ipv6\s+\S+/i, depth: 0 },
+    { pattern: /^access-list\s+mac\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+prefix-list\s+\S+/i, depth: 0 },
+
+    // Route maps
+    { pattern: /^route-map\s+\S+/i, depth: 0 },
+
+    // AAA configuration
+    { pattern: /^aaa\s+authentication\s+\S+/i, depth: 0 },
+    { pattern: /^aaa\s+authorization\s+\S+/i, depth: 0 },
+    { pattern: /^aaa\s+accounting\s+\S+/i, depth: 0 },
+    { pattern: /^aaa\s+group\s+server\s+\S+/i, depth: 0 },
+
+    // RADIUS/TACACS+
+    { pattern: /^radius-server\s+host\s+\S+/i, depth: 0 },
+    { pattern: /^tacacs-server\s+host\s+\S+/i, depth: 0 },
+
+    // SNMP
+    { pattern: /^snmp-server\s+\S+/i, depth: 0 },
+
+    // Spanning tree
+    { pattern: /^spanning-tree\s+\S+/i, depth: 0 },
+
+    // QoS
+    { pattern: /^qos\s+\S+/i, depth: 0 },
+    { pattern: /^class\s+\S+/i, depth: 0 },
+    { pattern: /^policy\s+\S+/i, depth: 0 },
+
+    // VSX (Virtual Switching Extension)
+    { pattern: /^vsx\s*$/i, depth: 0 },
+    { pattern: /^vsx-sync\s+\S+/i, depth: 0 },
+
+    // User accounts
+    { pattern: /^user\s+\S+/i, depth: 0 },
+
+    // SSH configuration
+    { pattern: /^ssh\s+\S+/i, depth: 0 },
+
+    // NTP
+    { pattern: /^ntp\s+\S+/i, depth: 0 },
+
+    // Logging
+    { pattern: /^logging\s+\S+/i, depth: 0 },
+
+    // DHCP
+    { pattern: /^dhcp-server\s+\S+/i, depth: 0 },
+
+    // ============ DEPTH 1: Inside routing protocols ============
+
+    { pattern: /^address-family\s+\S+/i, depth: 1 },
+    { pattern: /^area\s+\S+/i, depth: 1 },
+    { pattern: /^neighbor\s+\S+/i, depth: 1 },
+
+    // ============ DEPTH 2: Inside address-family ============
+
+    { pattern: /^vrf\s+\S+/i, depth: 2 },
+  ],
+
+  blockEnders: [
+    /^exit-address-family$/i,
+    /^exit-vrf$/i,
+    /^exit$/i,
+  ],
+};

package/src/parser/vendors/aruba-aosswitch.ts

@@ -0,0 +1,113 @@
+// packages/core/src/parser/vendors/aruba-aosswitch.ts
+
+import type { VendorSchema } from '../VendorSchema';
+
+/**
+ * Aruba AOS-Switch (ProVision) configuration schema.
+ *
+ * AOS-Switch is used on legacy ProCurve/Aruba switches (2530, 2930, 3810, etc.).
+ * It uses a VLAN-centric configuration model where ports are assigned to VLANs
+ * rather than VLANs being assigned to ports.
+ *
+ * Key characteristics:
+ * - VLAN-centric: VLANs contain port lists with tagged/untagged designations
+ * - Port ranges: 1-24, 25-48, A1-A24 (for stacking)
+ * - Trunks: LAG configuration using 'trunk' command
+ * - Comments: Both ';' and '!' can be comments
+ *
+ * Configuration structure:
+ * - VLANs are the primary configuration unit
+ * - Ports are referenced within VLAN definitions
+ * - Less hierarchical than Cisco/AOS-CX
+ */
+export const ArubaAOSSwitchSchema: VendorSchema = {
+  id: 'aruba-aosswitch',
+  name: 'Aruba AOS-Switch (ProVision)',
+  useBraceHierarchy: false,
+
+  commentPatterns: [/^;/, /^!/],
+  sectionDelimiter: undefined, // Uses 'exit' to end blocks
+
+  blockStarters: [
+    // ============ DEPTH 0: Top-level blocks ============
+
+    // VLAN definitions (primary configuration unit)
+    { pattern: /^vlan\s+\d+/i, depth: 0 },
+
+    // Interface configuration (less common, but supported)
+    { pattern: /^interface\s+\S+/i, depth: 0 },
+
+    // Trunk (LAG) configuration
+    { pattern: /^trunk\s+\S+/i, depth: 0 },
+
+    // Spanning tree configuration
+    { pattern: /^spanning-tree\s+\S+/i, depth: 0 },
+
+    // Routing protocols
+    { pattern: /^router\s+ospf\s*\d*/i, depth: 0 },
+    { pattern: /^router\s+rip/i, depth: 0 },
+
+    // IP routing
+    { pattern: /^ip\s+route\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+routing/i, depth: 0 },
+
+    // RADIUS/TACACS+ servers
+    { pattern: /^radius-server\s+\S+/i, depth: 0 },
+    { pattern: /^tacacs-server\s+\S+/i, depth: 0 },
+
+    // AAA configuration
+    { pattern: /^aaa\s+\S+/i, depth: 0 },
+
+    // Port access (802.1X)
+    { pattern: /^aaa\s+port-access\s+\S+/i, depth: 0 },
+
+    // SNMP configuration
+    { pattern: /^snmp-server\s+\S+/i, depth: 0 },
+
+    // Console configuration
+    { pattern: /^console\s+\S+/i, depth: 0 },
+
+    // Telnet/SSH configuration
+    { pattern: /^telnet-server\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+ssh\s*$/i, depth: 0 },
+
+    // Time/NTP configuration
+    { pattern: /^timesync\s+\S+/i, depth: 0 },
+    { pattern: /^sntp\s+\S+/i, depth: 0 },
+
+    // Logging configuration
+    { pattern: /^logging\s+\S+/i, depth: 0 },
+
+    // Manager/Operator passwords
+    { pattern: /^password\s+\S+/i, depth: 0 },
+
+    // Access control lists
+    { pattern: /^ip\s+access-list\s+\S+/i, depth: 0 },
+
+    // IGMP/Multicast
+    { pattern: /^igmp\s+\S+/i, depth: 0 },
+
+    // LLDP
+    { pattern: /^lldp\s+\S+/i, depth: 0 },
+
+    // Loop protection
+    { pattern: /^loop-protect\s+\S+/i, depth: 0 },
+
+    // QoS
+    { pattern: /^qos\s+\S+/i, depth: 0 },
+
+    // DHCP snooping
+    { pattern: /^dhcp-snooping\s*$/i, depth: 0 },
+
+    // Banner
+    { pattern: /^banner\s+\S+/i, depth: 0 },
+
+    // ============ DEPTH 1: Nested blocks (rare in AOS-Switch) ============
+
+    { pattern: /^area\s+\S+/i, depth: 1 },
+  ],
+
+  blockEnders: [
+    /^exit$/i,
+  ],
+};

package/src/parser/vendors/aruba-wlc.ts

@@ -0,0 +1,173 @@
+// packages/core/src/parser/vendors/aruba-wlc.ts
+
+import type { VendorSchema } from '../VendorSchema';
+
+/**
+ * Aruba ArubaOS WLC (Wireless LAN Controller) configuration schema.
+ *
+ * ArubaOS is used on Aruba Mobility Controllers (7xxx, 9xxx series) and
+ * Mobility Masters. It uses a profile-based architecture with hierarchical
+ * configuration.
+ *
+ * Key characteristics:
+ * - Profile-based: WLAN profiles, AAA profiles, AP groups, RF profiles
+ * - Quoted names: Profile names use double quotes (e.g., "Corp-SSID")
+ * - Context-based: Configuration blocks with '!' delimiters
+ * - Inheritance: Profiles reference other profiles
+ *
+ * Configuration structure:
+ * - WLAN SSID profiles define wireless network settings
+ * - Virtual-AP profiles combine SSID + AAA + other settings
+ * - AP groups apply virtual-APs to sets of access points
+ * - AAA profiles define authentication/authorization
+ */
+export const ArubaWLCSchema: VendorSchema = {
+  id: 'aruba-wlc',
+  name: 'Aruba ArubaOS WLC',
+  useBraceHierarchy: false,
+
+  commentPatterns: [/^!/],
+  sectionDelimiter: '!',
+
+  blockStarters: [
+    // ============ DEPTH 0: Top-level profile blocks ============
+
+    // WLAN SSID profiles
+    { pattern: /^wlan\s+ssid-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^wlan\s+ssid-profile\s+\S+/i, depth: 0 },
+
+    // WLAN Virtual-AP profiles (combine SSID + AAA)
+    { pattern: /^wlan\s+virtual-ap\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^wlan\s+virtual-ap\s+\S+/i, depth: 0 },
+
+    // WLAN handoff profile
+    { pattern: /^wlan\s+handoff-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^wlan\s+handoff-profile\s+\S+/i, depth: 0 },
+
+    // WLAN HT/VHT SSID profile
+    { pattern: /^wlan\s+ht-ssid-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^wlan\s+ht-ssid-profile\s+\S+/i, depth: 0 },
+
+    // AAA profiles
+    { pattern: /^aaa\s+profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^aaa\s+profile\s+\S+/i, depth: 0 },
+
+    // AAA authentication servers
+    { pattern: /^aaa\s+authentication-server\s+radius\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^aaa\s+authentication-server\s+radius\s+\S+/i, depth: 0 },
+    { pattern: /^aaa\s+authentication-server\s+tacacs\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^aaa\s+authentication-server\s+tacacs\s+\S+/i, depth: 0 },
+    { pattern: /^aaa\s+authentication-server\s+ldap\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^aaa\s+authentication-server\s+ldap\s+\S+/i, depth: 0 },
+
+    // AAA server groups
+    { pattern: /^aaa\s+server-group\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^aaa\s+server-group\s+\S+/i, depth: 0 },
+
+    // AAA authentication (method lists)
+    { pattern: /^aaa\s+authentication\s+\S+/i, depth: 0 },
+
+    // AP groups
+    { pattern: /^ap-group\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^ap-group\s+\S+/i, depth: 0 },
+
+    // AP name (specific AP config)
+    { pattern: /^ap-name\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^ap-name\s+\S+/i, depth: 0 },
+
+    // AP system profile
+    { pattern: /^ap\s+system-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^ap\s+system-profile\s+\S+/i, depth: 0 },
+
+    // RF profiles (ARM, dot11a, dot11g)
+    { pattern: /^rf\s+arm-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^rf\s+arm-profile\s+\S+/i, depth: 0 },
+    { pattern: /^rf\s+dot11a-radio-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^rf\s+dot11a-radio-profile\s+\S+/i, depth: 0 },
+    { pattern: /^rf\s+dot11g-radio-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^rf\s+dot11g-radio-profile\s+\S+/i, depth: 0 },
+    { pattern: /^rf\s+ht-radio-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^rf\s+ht-radio-profile\s+\S+/i, depth: 0 },
+
+    // User roles
+    { pattern: /^user-role\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^user-role\s+\S+/i, depth: 0 },
+
+    // Netdestination (network object groups)
+    { pattern: /^netdestination\s+\S+/i, depth: 0 },
+    { pattern: /^netdestination6\s+\S+/i, depth: 0 },
+
+    // IP access lists
+    { pattern: /^ip\s+access-list\s+session\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+access-list\s+eth\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+access-list\s+extended\s+\S+/i, depth: 0 },
+    { pattern: /^ip\s+access-list\s+standard\s+\S+/i, depth: 0 },
+
+    // Controller interfaces
+    { pattern: /^interface\s+\S+/i, depth: 0 },
+
+    // VLANs
+    { pattern: /^vlan\s+\d+/i, depth: 0 },
+    { pattern: /^vlan-name\s+\S+/i, depth: 0 },
+
+    // VLAN pool
+    { pattern: /^vlan-pool\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^vlan-pool\s+\S+/i, depth: 0 },
+
+    // Controller IP
+    { pattern: /^controller-ip\s+\S+/i, depth: 0 },
+
+    // IDS profile
+    { pattern: /^ids\s+\S+-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^ids\s+\S+-profile\s+\S+/i, depth: 0 },
+
+    // Firewall policies
+    { pattern: /^firewall\s+\S+/i, depth: 0 },
+
+    // Captive portal profile
+    { pattern: /^aaa\s+captive-portal\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^aaa\s+captive-portal\s+\S+/i, depth: 0 },
+
+    // Regulatory domain
+    { pattern: /^regulatory-domain-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^regulatory-domain-profile\s+\S+/i, depth: 0 },
+
+    // Mesh cluster profile
+    { pattern: /^mesh\s+cluster-profile\s+"[^"]+"/i, depth: 0 },
+    { pattern: /^mesh\s+cluster-profile\s+\S+/i, depth: 0 },
+
+    // SNMP configuration
+    { pattern: /^snmp-server\s+\S+/i, depth: 0 },
+
+    // NTP
+    { pattern: /^ntp\s+\S+/i, depth: 0 },
+
+    // Logging
+    { pattern: /^logging\s+\S+/i, depth: 0 },
+
+    // ============ DEPTH 1: Nested within profiles ============
+
+    // Authentication methods within AAA profiles
+    { pattern: /^authentication-\S+/i, depth: 1 },
+
+    // References within virtual-AP
+    { pattern: /^ssid-profile\s+"[^"]+"/i, depth: 1 },
+    { pattern: /^ssid-profile\s+\S+/i, depth: 1 },
+    { pattern: /^aaa-profile\s+"[^"]+"/i, depth: 1 },
+    { pattern: /^aaa-profile\s+\S+/i, depth: 1 },
+
+    // Dot1x within AAA
+    { pattern: /^dot1x-\S+/i, depth: 1 },
+
+    // Server references within server-group
+    { pattern: /^auth-server\s+\S+/i, depth: 1 },
+
+    // ============ DEPTH 2: Deeply nested ============
+
+    { pattern: /^server\s+\S+/i, depth: 2 },
+  ],
+
+  blockEnders: [
+    /^exit$/i,
+  ],
+};