npm - @sentriflow/core - Versions diffs - 0.2.0 → 0.2.1 - Mend

@sentriflow/core 0.2.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/README.md +66 -0
package/package.json +7 -2
package/src/constants.ts +4 -1
package/src/engine/RuleExecutor.ts +7 -1
package/src/grx2-loader/GRX2ExtendedLoader.ts +645 -0
package/src/grx2-loader/MachineId.ts +51 -0
package/src/grx2-loader/index.ts +47 -0
package/src/grx2-loader/types.ts +277 -0
package/src/helpers/arista/helpers.ts +165 -95
package/src/helpers/aruba/helpers.ts +11 -5
package/src/helpers/cisco/helpers.ts +16 -8
package/src/helpers/common/helpers.ts +19 -13
package/src/helpers/common/validation.ts +6 -6
package/src/helpers/cumulus/helpers.ts +11 -7
package/src/helpers/extreme/helpers.ts +8 -5
package/src/helpers/fortinet/helpers.ts +16 -6
package/src/helpers/huawei/helpers.ts +112 -61
package/src/helpers/juniper/helpers.ts +36 -20
package/src/helpers/mikrotik/helpers.ts +10 -3
package/src/helpers/nokia/helpers.ts +71 -42
package/src/helpers/paloalto/helpers.ts +51 -41
package/src/helpers/vyos/helpers.ts +58 -31
package/src/index.ts +3 -0
package/src/pack-loader/PackLoader.ts +29 -4
package/src/parser/SchemaAwareParser.ts +84 -0
package/src/parser/vendors/cisco-ios.ts +19 -5
package/src/parser/vendors/cisco-nxos.ts +10 -2

package/src/helpers/arista/helpers.ts CHANGED Viewed

@@ -52,8 +52,9 @@ export const hasPlaintextPassword = (node: ConfigNode): boolean => {
  * @returns true if service password-encryption is configured
  */
 export const hasServicePasswordEncryption = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    equalsIgnoreCase(node.id, 'service password-encryption')
+    equalsIgnoreCase(node?.id ?? '', 'service password-encryption')
   );
 };
@@ -63,8 +64,9 @@ export const hasServicePasswordEncryption = (ast: ConfigNode[]): boolean => {
  * @returns true if SSH v2 is configured
  */
 export const hasSshVersion2 = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^ip\s+ssh\s+version\s+2/i.test(node.id)
+    /^ip\s+ssh\s+version\s+2/i.test(node?.id ?? '')
   );
 };
@@ -74,13 +76,14 @@ export const hasSshVersion2 = (ast: ConfigNode[]): boolean => {
  * @returns Array of weak ciphers found
  */
 export const getWeakSshCiphers = (ast: ConfigNode[]): string[] => {
+  if (!Array.isArray(ast)) return [];
   const weakCiphers = ['3des-cbc', 'aes128-cbc', 'aes192-cbc', 'aes256-cbc', 'blowfish-cbc'];
   const found: string[] = [];
   for (const node of ast) {
-    if (/^ip\s+ssh\s+ciphers/i.test(node.id)) {
+    if (/^ip\s+ssh\s+ciphers/i.test(node?.id ?? '')) {
       for (const cipher of weakCiphers) {
-        if (includesIgnoreCase(node.id, cipher)) {
+        if (includesIgnoreCase(node?.id ?? '', cipher)) {
           found.push(cipher);
         }
       }
@@ -95,21 +98,22 @@ export const getWeakSshCiphers = (ast: ConfigNode[]): string[] => {
  * @returns true if telnet is properly disabled
  */
 export const isTelnetDisabled = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return true;
   // Check for 'no management telnet' or management telnet with shutdown
   const noMgmtTelnet = ast.some((node) =>
-    /^no\s+management\s+telnet/i.test(node.id)
+    node?.id && /^no\s+management\s+telnet/i.test(node.id)
   );
   if (noMgmtTelnet) return true;
   // Check if management telnet section exists and is shutdown
   const mgmtTelnet = ast.find((node) =>
-    /^management\s+telnet/i.test(node.id)
+    node?.id && /^management\s+telnet/i.test(node.id)
   );
-  if (mgmtTelnet) {
+  if (mgmtTelnet?.children) {
     return mgmtTelnet.children.some((child) =>
-      equalsIgnoreCase(child.id, 'shutdown')
+      child?.id && equalsIgnoreCase(child.id, 'shutdown')
     );
   }
@@ -123,11 +127,12 @@ export const isTelnetDisabled = (ast: ConfigNode[]): boolean => {
  * @returns true if HTTP server is disabled
  */
 export const isHttpServerDisabled = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return true;
   const hasNoHttp = ast.some((node) =>
-    /^no\s+ip\s+http\s+server/i.test(node.id)
+    /^no\s+ip\s+http\s+server/i.test(node?.id ?? '')
   );
   const hasHttp = ast.some((node) =>
-    /^ip\s+http\s+server/i.test(node.id) && !/^no\s+/i.test(node.id)
+    /^ip\s+http\s+server/i.test(node?.id ?? '') && !/^no\s+/i.test(node?.id ?? '')
   );
   return hasNoHttp || !hasHttp;
 };
@@ -138,12 +143,13 @@ export const isHttpServerDisabled = (ast: ConfigNode[]): boolean => {
  * @returns Array of insecure community configurations found
  */
 export const getInsecureSnmpCommunities = (ast: ConfigNode[]): string[] => {
+  if (!Array.isArray(ast)) return [];
   const insecure: string[] = [];
   const defaultCommunities = ['public', 'private', 'community'];
   for (const node of ast) {
-    if (/^snmp-server\s+community\s+/i.test(node.id)) {
-      const match = node.id.match(/snmp-server\s+community\s+(\S+)/i);
+    if (/^snmp-server\s+community\s+/i.test(node?.id ?? '')) {
+      const match = node?.id?.match(/snmp-server\s+community\s+(\S+)/i);
       if (match?.[1]) {
         const community = match[1];
         if (defaultCommunities.some((dc) => equalsIgnoreCase(community, dc))) {
@@ -163,9 +169,10 @@ export const getInsecureSnmpCommunities = (ast: ConfigNode[]): string[] => {
  * @returns true if SNMPv3 with priv mode is configured
  */
 export const hasSnmpV3AuthPriv = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^snmp-server\s+group\s+\S+\s+v3\s+priv/i.test(node.id) ||
-    /^snmp-server\s+user\s+\S+\s+\S+\s+v3\s+auth\s+\S+\s+\S+\s+priv/i.test(node.id)
+    /^snmp-server\s+group\s+\S+\s+v3\s+priv/i.test(node?.id ?? '') ||
+    /^snmp-server\s+user\s+\S+\s+\S+\s+v3\s+auth\s+\S+\s+\S+\s+priv/i.test(node?.id ?? '')
   );
 };
@@ -175,11 +182,13 @@ export const hasSnmpV3AuthPriv = (ast: ConfigNode[]): boolean => {
  * @returns true if NTP authentication is configured
  */
 export const hasNtpAuthentication = (ast: ConfigNode[]): boolean => {
+  // Guard against collision: other vendors pass single node, Arista expects array
+  if (!Array.isArray(ast)) return false;
   const hasAuthenticate = ast.some((node) =>
-    /^ntp\s+authenticate$/i.test(node.id)
+    /^ntp\s+authenticate$/i.test(node?.id ?? '')
   );
   const hasTrustedKey = ast.some((node) =>
-    /^ntp\s+trusted-key\s+/i.test(node.id)
+    /^ntp\s+trusted-key\s+/i.test(node?.id ?? '')
   );
   return hasAuthenticate && hasTrustedKey;
 };
@@ -190,8 +199,9 @@ export const hasNtpAuthentication = (ast: ConfigNode[]): boolean => {
  * @returns true if AAA authentication login is configured
  */
 export const hasAaaAuthenticationLogin = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^aaa\s+authentication\s+login\s+/i.test(node.id)
+    /^aaa\s+authentication\s+login\s+/i.test(node?.id ?? '')
   );
 };
@@ -201,8 +211,9 @@ export const hasAaaAuthenticationLogin = (ast: ConfigNode[]): boolean => {
  * @returns true if TACACS+ server is configured
  */
 export const hasTacacsServer = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^tacacs-server\s+host\s+/i.test(node.id)
+    /^tacacs-server\s+host\s+/i.test(node?.id ?? '')
   );
 };
@@ -212,8 +223,9 @@ export const hasTacacsServer = (ast: ConfigNode[]): boolean => {
  * @returns true if AAA accounting is configured
  */
 export const hasAaaAccounting = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^aaa\s+accounting\s+/i.test(node.id)
+    /^aaa\s+accounting\s+/i.test(node?.id ?? '')
   );
 };
@@ -223,9 +235,10 @@ export const hasAaaAccounting = (ast: ConfigNode[]): boolean => {
  * @returns true if management VRF is properly configured
  */
 export const hasManagementVrf = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^vrf\s+instance\s+MGMT/i.test(node.id) ||
-    /^vrf\s+instance\s+management/i.test(node.id)
+    /^vrf\s+instance\s+MGMT/i.test(node?.id ?? '') ||
+    /^vrf\s+instance\s+management/i.test(node?.id ?? '')
   );
 };
@@ -235,6 +248,7 @@ export const hasManagementVrf = (ast: ConfigNode[]): boolean => {
  * @returns Array of information disclosure issues found
  */
 export const getBannerInfoDisclosure = (ast: ConfigNode[]): string[] => {
+  if (!Array.isArray(ast)) return [];
   const issues: string[] = [];
   const sensitivePatterns = [
     { pattern: /version\s+\d+/i, desc: 'software version' },
@@ -245,8 +259,8 @@ export const getBannerInfoDisclosure = (ast: ConfigNode[]): string[] => {
   ];
   for (const node of ast) {
-    if (/^banner\s+(login|motd)/i.test(node.id)) {
-      const bannerText = node.rawText || node.id;
+    if (/^banner\s+(login|motd)/i.test(node?.id ?? '')) {
+      const bannerText = node?.rawText ?? node?.id ?? '';
       for (const { pattern, desc } of sensitivePatterns) {
         if (pattern.test(bannerText)) {
           issues.push(`Banner contains ${desc}`);
@@ -263,10 +277,12 @@ export const getBannerInfoDisclosure = (ast: ConfigNode[]): string[] => {
  * @returns The timeout value in minutes, or undefined if not set
  */
 export const getConsoleIdleTimeout = (ast: ConfigNode[]): number | undefined => {
+  if (!Array.isArray(ast)) return undefined;
   for (const node of ast) {
-    if (/^management\s+console/i.test(node.id)) {
+    if (node?.id && /^management\s+console/i.test(node.id)) {
+      if (!node?.children) continue;
       for (const child of node.children) {
-        const match = child.id.match(/idle-timeout\s+(\d+)/i);
+        const match = child?.id?.match(/idle-timeout\s+(\d+)/i);
         if (match?.[1]) {
           return parseInteger(match[1]) ?? undefined;
         }
@@ -282,9 +298,10 @@ export const getConsoleIdleTimeout = (ast: ConfigNode[]): number | undefined =>
  * @returns true if ZTP is disabled
  */
 export const isZtpDisabled = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^no\s+zerotouch\s+enable/i.test(node.id) ||
-    equalsIgnoreCase(node.id, 'zerotouch cancel')
+    /^no\s+zerotouch\s+enable/i.test(node?.id ?? '') ||
+    equalsIgnoreCase(node?.id ?? '', 'zerotouch cancel')
   );
 };
@@ -298,8 +315,9 @@ export const isZtpDisabled = (ast: ConfigNode[]): boolean => {
  * @returns true if system control-plane ACL is configured
  */
 export const hasControlPlaneAcl = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^system\s+control-plane/i.test(node.id)
+    /^system\s+control-plane/i.test(node?.id ?? '')
   );
 };
@@ -309,8 +327,9 @@ export const hasControlPlaneAcl = (ast: ConfigNode[]): boolean => {
  * @returns true if CoPP policy is customized
  */
 export const hasCoppPolicy = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^policy-map\s+type\s+copp/i.test(node.id)
+    /^policy-map\s+type\s+copp/i.test(node?.id ?? '')
   );
 };
@@ -320,8 +339,9 @@ export const hasCoppPolicy = (ast: ConfigNode[]): boolean => {
  * @returns true if ip redirects are disabled
  */
 export const hasNoIpRedirects = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^no\s+ip\s+redirects/i.test(child.id)
+    child?.id && /^no\s+ip\s+redirects/i.test(child.id)
   );
 };
@@ -331,8 +351,9 @@ export const hasNoIpRedirects = (interfaceNode: ConfigNode): boolean => {
  * @returns true if ip unreachables are disabled
  */
 export const hasNoIpUnreachables = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^no\s+ip\s+unreachables/i.test(child.id)
+    child?.id && /^no\s+ip\s+unreachables/i.test(child.id)
   );
 };
@@ -342,17 +363,18 @@ export const hasNoIpUnreachables = (interfaceNode: ConfigNode): boolean => {
  * @returns true if authentication is configured
  */
 export const hasRoutingProtocolAuth = (routerNode: ConfigNode): boolean => {
+  if (!routerNode?.id || !routerNode?.children) return false;
   // Check for OSPF authentication
   if (/^router\s+ospf/i.test(routerNode.id)) {
     return routerNode.children.some((child) =>
-      /authentication/i.test(child.id)
+      child?.id && /authentication/i.test(child.id)
     );
   }
   // Check for IS-IS authentication
   if (/^router\s+isis/i.test(routerNode.id)) {
     return routerNode.children.some((child) =>
-      /authentication/i.test(child.id)
+      child?.id && /authentication/i.test(child.id)
     );
   }
@@ -365,8 +387,9 @@ export const hasRoutingProtocolAuth = (routerNode: ConfigNode): boolean => {
  * @returns true if BFD is configured
  */
 export const hasBfd = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^bfd\s+/i.test(node.id)
+    /^bfd\s+/i.test(node?.id ?? '')
   );
 };
@@ -380,15 +403,16 @@ export const hasBfd = (ast: ConfigNode[]): boolean => {
  * @returns Object with storm control status for each type
  */
 export const getStormControlStatus = (interfaceNode: ConfigNode): { broadcast: boolean; multicast: boolean; unicast: boolean } => {
+  if (!interfaceNode?.children) return { broadcast: false, multicast: false, unicast: false };
   return {
     broadcast: interfaceNode.children.some((child) =>
-      /^storm-control\s+broadcast/i.test(child.id)
+      child?.id && /^storm-control\s+broadcast/i.test(child.id)
     ),
     multicast: interfaceNode.children.some((child) =>
-      /^storm-control\s+multicast/i.test(child.id)
+      child?.id && /^storm-control\s+multicast/i.test(child.id)
     ),
     unicast: interfaceNode.children.some((child) =>
-      /^storm-control\s+unknown-unicast/i.test(child.id)
+      child?.id && /^storm-control\s+unknown-unicast/i.test(child.id)
     ),
   };
 };
@@ -399,8 +423,9 @@ export const getStormControlStatus = (interfaceNode: ConfigNode): { broadcast: b
  * @returns true if DHCP snooping is configured
  */
 export const hasDhcpSnooping = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^ip\s+dhcp\s+snooping$/i.test(node.id)
+    /^ip\s+dhcp\s+snooping$/i.test(node?.id ?? '')
   );
 };
@@ -410,8 +435,9 @@ export const hasDhcpSnooping = (ast: ConfigNode[]): boolean => {
  * @returns true if interface is DHCP snooping trusted
  */
 export const isDhcpSnoopingTrust = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^ip\s+dhcp\s+snooping\s+trust/i.test(child.id)
+    child?.id && /^ip\s+dhcp\s+snooping\s+trust/i.test(child.id)
   );
 };
@@ -421,8 +447,9 @@ export const isDhcpSnoopingTrust = (interfaceNode: ConfigNode): boolean => {
  * @returns true if DAI is configured
  */
 export const hasDynamicArpInspection = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^ip\s+arp\s+inspection\s+vlan/i.test(node.id)
+    /^ip\s+arp\s+inspection\s+vlan/i.test(node?.id ?? '')
   );
 };
@@ -432,8 +459,9 @@ export const hasDynamicArpInspection = (ast: ConfigNode[]): boolean => {
  * @returns true if interface is ARP inspection trusted
  */
 export const isArpInspectionTrust = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^ip\s+arp\s+inspection\s+trust/i.test(child.id)
+    child?.id && /^ip\s+arp\s+inspection\s+trust/i.test(child.id)
   );
 };
@@ -443,8 +471,9 @@ export const isArpInspectionTrust = (interfaceNode: ConfigNode): boolean => {
  * @returns true if IP verify source is configured
  */
 export const hasIpSourceGuard = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^ip\s+verify\s+source/i.test(child.id)
+    child?.id && /^ip\s+verify\s+source/i.test(child.id)
   );
 };
@@ -454,8 +483,9 @@ export const hasIpSourceGuard = (interfaceNode: ConfigNode): boolean => {
  * @returns true if port security is configured
  */
 export const hasPortSecurity = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^switchport\s+port-security/i.test(child.id)
+    child?.id && /^switchport\s+port-security/i.test(child.id)
   );
 };
@@ -471,17 +501,18 @@ export const hasPortSecurity = (interfaceNode: ConfigNode): boolean => {
  */
 export const getBgpNeighborsWithoutAuth = (routerBgpNode: ConfigNode, neighborIp?: string): string[] => {
   const neighborsWithoutAuth: string[] = [];
+  if (!routerBgpNode?.children) return neighborsWithoutAuth;
   const neighborConfigs = new Map<string, { hasPassword: boolean }>();
   for (const child of routerBgpNode.children) {
-    const neighborMatch = child.id.match(/^neighbor\s+(\S+)/i);
+    const neighborMatch = child?.id?.match(/^neighbor\s+(\S+)/i);
     if (neighborMatch?.[1]) {
       const ip = neighborMatch[1];
       if (!neighborConfigs.has(ip)) {
         neighborConfigs.set(ip, { hasPassword: false });
       }
-      if (/password/i.test(child.id)) {
+      if (child?.id && /password/i.test(child.id)) {
         const config = neighborConfigs.get(ip);
         if (config) {
           config.hasPassword = true;
@@ -508,11 +539,12 @@ export const getBgpNeighborsWithoutAuth = (routerBgpNode: ConfigNode, neighborIp
  */
 export const getBgpNeighborsWithoutTtlSecurity = (routerBgpNode: ConfigNode): string[] => {
   const neighborsWithoutTtl: string[] = [];
+  if (!routerBgpNode?.children) return neighborsWithoutTtl;
   const neighborConfigs = new Map<string, { hasTtl: boolean; isEbgp: boolean }>();
-  const localAs = routerBgpNode.id.match(/router\s+bgp\s+(\d+)/i)?.[1];
+  const localAs = routerBgpNode?.id?.match(/router\s+bgp\s+(\d+)/i)?.[1];
   for (const child of routerBgpNode.children) {
-    const neighborMatch = child.id.match(/^neighbor\s+(\S+)\s+remote-as\s+(\d+)/i);
+    const neighborMatch = child?.id?.match(/^neighbor\s+(\S+)\s+remote-as\s+(\d+)/i);
     if (neighborMatch?.[1] && neighborMatch?.[2]) {
       const ip = neighborMatch[1];
       const remoteAs = neighborMatch[2];
@@ -522,7 +554,7 @@ export const getBgpNeighborsWithoutTtlSecurity = (routerBgpNode: ConfigNode): st
       });
     }
-    const ttlMatch = child.id.match(/^neighbor\s+(\S+)\s+ttl\s+maximum-hops/i);
+    const ttlMatch = child?.id?.match(/^neighbor\s+(\S+)\s+ttl\s+maximum-hops/i);
     if (ttlMatch?.[1]) {
       const config = neighborConfigs.get(ttlMatch[1]);
       if (config) {
@@ -547,15 +579,16 @@ export const getBgpNeighborsWithoutTtlSecurity = (routerBgpNode: ConfigNode): st
  */
 export const getBgpNeighborsWithoutMaxRoutes = (routerBgpNode: ConfigNode): string[] => {
   const neighborsWithoutMax: string[] = [];
+  if (!routerBgpNode?.children) return neighborsWithoutMax;
   const neighborConfigs = new Map<string, boolean>();
   for (const child of routerBgpNode.children) {
-    const neighborMatch = child.id.match(/^neighbor\s+(\S+)\s+remote-as/i);
+    const neighborMatch = child?.id?.match(/^neighbor\s+(\S+)\s+remote-as/i);
     if (neighborMatch?.[1]) {
       neighborConfigs.set(neighborMatch[1], false);
     }
-    const maxMatch = child.id.match(/^neighbor\s+(\S+)\s+maximum-routes/i);
+    const maxMatch = child?.id?.match(/^neighbor\s+(\S+)\s+maximum-routes/i);
     if (maxMatch?.[1]) {
       neighborConfigs.set(maxMatch[1], true);
     }
@@ -576,8 +609,9 @@ export const getBgpNeighborsWithoutMaxRoutes = (routerBgpNode: ConfigNode): stri
  * @returns true if graceful restart is configured
  */
 export const hasBgpGracefulRestart = (routerBgpNode: ConfigNode): boolean => {
+  if (!routerBgpNode?.children) return false;
   return routerBgpNode.children.some((child) =>
-    /^bgp\s+graceful-restart/i.test(child.id)
+    child?.id && /^bgp\s+graceful-restart/i.test(child.id)
   );
 };
@@ -587,8 +621,9 @@ export const hasBgpGracefulRestart = (routerBgpNode: ConfigNode): boolean => {
  * @returns true if log-neighbor-changes is configured
  */
 export const hasBgpLogNeighborChanges = (routerBgpNode: ConfigNode): boolean => {
+  if (!routerBgpNode?.children) return false;
   return routerBgpNode.children.some((child) =>
-    /^bgp\s+log-neighbor-changes/i.test(child.id)
+    child?.id && /^bgp\s+log-neighbor-changes/i.test(child.id)
   );
 };
@@ -602,8 +637,9 @@ export const hasBgpLogNeighborChanges = (routerBgpNode: ConfigNode): boolean =>
  * @returns true if RPKI cache is configured
  */
 export const hasRpkiConfiguration = (routerBgpNode: ConfigNode): boolean => {
+  if (!routerBgpNode?.children) return false;
   return routerBgpNode.children.some((child) =>
-    /^rpki\s+cache/i.test(child.id)
+    child?.id && /^rpki\s+cache/i.test(child.id)
   );
 };
@@ -613,8 +649,9 @@ export const hasRpkiConfiguration = (routerBgpNode: ConfigNode): boolean => {
  * @returns true if origin validation is configured
  */
 export const hasRpkiOriginValidation = (routerBgpNode: ConfigNode): boolean => {
+  if (!routerBgpNode?.children) return false;
   return routerBgpNode.children.some((child) =>
-    /^rpki\s+origin-validation/i.test(child.id)
+    child?.id && /^rpki\s+origin-validation/i.test(child.id)
   );
 };
@@ -628,11 +665,12 @@ export const hasRpkiOriginValidation = (routerBgpNode: ConfigNode): boolean => {
  * @returns Object with uRPF mode if configured
  */
 export const getUrpfMode = (interfaceNode: ConfigNode): { enabled: boolean; mode?: 'strict' | 'loose' } => {
+  if (!interfaceNode?.children) return { enabled: false };
   for (const child of interfaceNode.children) {
-    if (/^ip\s+verify\s+unicast\s+source\s+reachable-via\s+rx/i.test(child.id)) {
+    if (child?.id && /^ip\s+verify\s+unicast\s+source\s+reachable-via\s+rx/i.test(child.id)) {
       return { enabled: true, mode: 'strict' };
     }
-    if (/^ip\s+verify\s+unicast\s+source\s+reachable-via\s+any/i.test(child.id)) {
+    if (child?.id && /^ip\s+verify\s+unicast\s+source\s+reachable-via\s+any/i.test(child.id)) {
       return { enabled: true, mode: 'loose' };
     }
   }
@@ -674,14 +712,16 @@ export const getMlagReloadDelays = (mlagNode: ConfigNode): { mlag: boolean; nonM
  * @returns true if EVPN peer group has password
  */
 export const hasEvpnPeerAuth = (routerBgpNode: ConfigNode): boolean => {
+  if (!routerBgpNode?.children) return false;
   // Look for EVPN peer group with password
   let evpnPeerGroup: string | undefined;
   for (const child of routerBgpNode.children) {
     // Find EVPN address family activation
-    if (/^address-family\s+evpn/i.test(child.id)) {
+    if (child?.id && /^address-family\s+evpn/i.test(child.id)) {
+      if (!child?.children) continue;
       for (const subchild of child.children) {
-        const match = subchild.id.match(/neighbor\s+(\S+)\s+activate/i);
+        const match = subchild?.id?.match(/neighbor\s+(\S+)\s+activate/i);
         if (match?.[1]) {
           evpnPeerGroup = match[1];
         }
@@ -693,7 +733,7 @@ export const hasEvpnPeerAuth = (routerBgpNode: ConfigNode): boolean => {
   // Check if peer group has password
   return routerBgpNode.children.some((child) =>
-    includesIgnoreCase(child.id, `neighbor ${evpnPeerGroup}`) &&
+    child?.id && includesIgnoreCase(child.id, `neighbor ${evpnPeerGroup}`) &&
     includesIgnoreCase(child.id, 'password')
   );
 };
@@ -709,11 +749,12 @@ export const hasEvpnPeerAuth = (routerBgpNode: ConfigNode): boolean => {
  * @returns true if logging meets minimum level requirement
  */
 export const hasLoggingLevel = (ast: ConfigNode[], minLevel: string): boolean => {
+  if (!Array.isArray(ast)) return false;
   const levels = ['emergencies', 'alerts', 'critical', 'errors', 'warnings', 'notifications', 'informational', 'debugging'];
   const minIndex = levels.indexOf(minLevel.toLowerCase());
   for (const node of ast) {
-    const match = node.id.match(/^logging\s+(?:buffered|trap)\s+(\S+)/i);
+    const match = (node?.id ?? '').match(/^logging\s+(?:buffered|trap)\s+(\S+)/i);
     if (match?.[1]) {
       const configuredIndex = levels.indexOf(match[1].toLowerCase());
       if (configuredIndex >= minIndex) {
@@ -730,8 +771,9 @@ export const hasLoggingLevel = (ast: ConfigNode[], minLevel: string): boolean =>
  * @returns true if logging source-interface is configured
  */
 export const hasLoggingSourceInterface = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^logging\s+source-interface/i.test(node.id)
+    /^logging\s+source-interface/i.test(node?.id ?? '')
   );
 };
@@ -741,8 +783,9 @@ export const hasLoggingSourceInterface = (ast: ConfigNode[]): boolean => {
  * @returns true if event-monitor is configured
  */
 export const hasEventMonitor = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^event-monitor$/i.test(node.id)
+    /^event-monitor$/i.test(node?.id ?? '')
   );
 };
@@ -756,8 +799,9 @@ export const hasEventMonitor = (ast: ConfigNode[]): boolean => {
  * @returns true if VRRP authentication is configured
  */
 export const hasVrrpAuthentication = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^vrrp\s+\d+\s+authentication/i.test(child.id)
+    child?.id && /^vrrp\s+\d+\s+authentication/i.test(child.id)
   );
 };
@@ -767,8 +811,9 @@ export const hasVrrpAuthentication = (interfaceNode: ConfigNode): boolean => {
  * @returns true if ip virtual-router mac-address is configured
  */
 export const hasVirtualRouterMac = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^ip\s+virtual-router\s+mac-address/i.test(node.id)
+    /^ip\s+virtual-router\s+mac-address/i.test(node?.id ?? '')
   );
 };
@@ -783,11 +828,12 @@ export const hasVirtualRouterMac = (ast: ConfigNode[]): boolean => {
  * @returns true if interface appears to be external facing
  */
 export const isExternalInterface = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   const description = interfaceNode.children.find((child) =>
-    startsWithIgnoreCase(child.id, 'description ')
+    child?.id && startsWithIgnoreCase(child.id, 'description ')
   );
-  if (description) {
+  if (description?.id) {
     return (
       includesIgnoreCase(description.id, 'wan') ||
       includesIgnoreCase(description.id, 'internet') ||
@@ -807,8 +853,9 @@ export const isExternalInterface = (interfaceNode: ConfigNode): boolean => {
  * @returns true if interface is configured as access port
  */
 export const isAccessPort = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^switchport\s+mode\s+access/i.test(child.id)
+    child?.id && /^switchport\s+mode\s+access/i.test(child.id)
   );
 };
@@ -818,8 +865,9 @@ export const isAccessPort = (interfaceNode: ConfigNode): boolean => {
  * @returns true if interface is configured as trunk port
  */
 export const isTrunkPort = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^switchport\s+mode\s+trunk/i.test(child.id)
+    child?.id && /^switchport\s+mode\s+trunk/i.test(child.id)
   );
 };
@@ -829,8 +877,9 @@ export const isTrunkPort = (interfaceNode: ConfigNode): boolean => {
  * @returns true if mlag configuration block exists
  */
 export const hasMlagConfiguration = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    startsWithIgnoreCase(node.id, 'mlag configuration')
+    startsWithIgnoreCase(node?.id ?? '', 'mlag configuration')
   );
 };
@@ -842,8 +891,9 @@ export const hasMlagConfiguration = (ast: ConfigNode[]): boolean => {
 export const getMlagConfiguration = (
   ast: ConfigNode[]
 ): ConfigNode | undefined => {
+  if (!Array.isArray(ast)) return undefined;
   return ast.find((node) =>
-    startsWithIgnoreCase(node.id, 'mlag configuration')
+    startsWithIgnoreCase(node?.id ?? '', 'mlag configuration')
   );
 };
@@ -869,8 +919,9 @@ export const checkMlagRequirements = (
  * @returns true if management api http-commands is configured
  */
 export const hasManagementApi = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    startsWithIgnoreCase(node.id, 'management api')
+    startsWithIgnoreCase(node?.id ?? '', 'management api')
   );
 };
@@ -880,8 +931,9 @@ export const hasManagementApi = (ast: ConfigNode[]): boolean => {
  * @returns Array of management API configuration nodes
  */
 export const getManagementApiNodes = (ast: ConfigNode[]): ConfigNode[] => {
+  if (!Array.isArray(ast)) return [];
   return ast.filter((node) =>
-    startsWithIgnoreCase(node.id, 'management api')
+    startsWithIgnoreCase(node?.id ?? '', 'management api')
   );
 };
@@ -891,12 +943,13 @@ export const getManagementApiNodes = (ast: ConfigNode[]): ConfigNode[] => {
  * @returns true if HTTPS transport is configured
  */
 export const hasHttpsTransport = (apiNode: ConfigNode): boolean => {
+  if (!apiNode?.children) return false;
   // Check for "protocol https" or "no shutdown" with https
   const hasProtocolHttps = apiNode.children.some((child) =>
-    includesIgnoreCase(child.id, 'protocol https')
+    child?.id && includesIgnoreCase(child.id, 'protocol https')
   );
   const hasTransportHttps = apiNode.children.some((child) =>
-    includesIgnoreCase(child.id, 'transport https')
+    child?.id && includesIgnoreCase(child.id, 'transport https')
   );
   return hasProtocolHttps || hasTransportHttps;
 };
@@ -942,9 +995,10 @@ export const getVxlanVniMappings = (
   vxlanNode: ConfigNode
 ): { vni: string; vlan?: string }[] => {
   const mappings: { vni: string; vlan?: string }[] = [];
+  if (!vxlanNode?.children) return mappings;
   for (const child of vxlanNode.children) {
-    const vniMatch = child.id.match(/vxlan\s+vni\s+(\d+)\s+vlan\s+(\d+)/i);
+    const vniMatch = child?.id?.match(/vxlan\s+vni\s+(\d+)\s+vlan\s+(\d+)/i);
     if (vniMatch) {
       const vni = vniMatch[1];
       if (!vni) {
@@ -955,7 +1009,7 @@ export const getVxlanVniMappings = (
       continue;
     }
-    const simpleMatch = child.id.match(/vxlan\s+vni\s+(\d+)/i);
+    const simpleMatch = child?.id?.match(/vxlan\s+vni\s+(\d+)/i);
     if (simpleMatch) {
       const vni = simpleMatch[1];
       if (!vni) {
@@ -983,8 +1037,9 @@ export const hasVxlanSourceInterface = (vxlanNode: ConfigNode): boolean => {
  * @returns The MLAG ID if configured, undefined otherwise
  */
 export const getMlagId = (interfaceNode: ConfigNode): string | undefined => {
+  if (!interfaceNode?.children) return undefined;
   const mlagCmd = interfaceNode.children.find((child) =>
-    /^mlag\s+\d+/i.test(child.id)
+    child?.id && /^mlag\s+\d+/i.test(child.id)
   );
   if (!mlagCmd) return undefined;
@@ -1044,12 +1099,13 @@ export const isEthernetInterface = (node: ConfigNode): boolean => {
  * @returns true if daemon(s) are configured
  */
 export const hasDaemon = (ast: ConfigNode[], daemonName?: string): boolean => {
+  if (!Array.isArray(ast)) return false;
   if (daemonName) {
     return ast.some((node) =>
-      equalsIgnoreCase(node.id, `daemon ${daemonName}`)
+      equalsIgnoreCase(node?.id ?? '', `daemon ${daemonName}`)
     );
   }
-  return ast.some((node) => startsWithIgnoreCase(node.id, 'daemon '));
+  return ast.some((node) => startsWithIgnoreCase(node?.id ?? '', 'daemon '));
 };
 /**
@@ -1058,7 +1114,8 @@ export const hasDaemon = (ast: ConfigNode[], daemonName?: string): boolean => {
  * @returns true if event-handler(s) are configured
  */
 export const hasEventHandler = (ast: ConfigNode[]): boolean => {
-  return ast.some((node) => startsWithIgnoreCase(node.id, 'event-handler '));
+  if (!Array.isArray(ast)) return false;
+  return ast.some((node) => startsWithIgnoreCase(node?.id ?? '', 'event-handler '));
 };
 /**
@@ -1067,8 +1124,9 @@ export const hasEventHandler = (ast: ConfigNode[]): boolean => {
  * @returns Array of VRF instance nodes
  */
 export const getVrfInstances = (ast: ConfigNode[]): ConfigNode[] => {
+  if (!Array.isArray(ast)) return [];
   return ast.filter((node) =>
-    /^vrf\s+instance\s+\S+/i.test(node.id)
+    /^vrf\s+instance\s+\S+/i.test(node?.id ?? '')
   );
 };
@@ -1078,8 +1136,9 @@ export const getVrfInstances = (ast: ConfigNode[]): ConfigNode[] => {
  * @returns The VRF name if configured, undefined otherwise
  */
 export const getInterfaceVrf = (interfaceNode: ConfigNode): string | undefined => {
+  if (!interfaceNode?.children) return undefined;
   const vrfCmd = interfaceNode.children.find((child) =>
-    /^vrf\s+\S+/i.test(child.id)
+    child?.id && /^vrf\s+\S+/i.test(child.id)
   );
   if (!vrfCmd) return undefined;
@@ -1093,8 +1152,9 @@ export const getInterfaceVrf = (interfaceNode: ConfigNode): string | undefined =
  * @returns true if EVPN address-family is configured
  */
 export const hasEvpnAddressFamily = (routerBgpNode: ConfigNode): boolean => {
+  if (!routerBgpNode?.children) return false;
   return routerBgpNode.children.some((child) =>
-    /^address-family\s+evpn/i.test(child.id)
+    child?.id && /^address-family\s+evpn/i.test(child.id)
   );
 };
@@ -1104,8 +1164,9 @@ export const hasEvpnAddressFamily = (routerBgpNode: ConfigNode): boolean => {
  * @returns true if ip virtual-router address is configured
  */
 export const hasVirtualRouterAddress = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^ip\s+virtual-router\s+address/i.test(child.id)
+    child?.id && /^ip\s+virtual-router\s+address/i.test(child.id)
   );
 };
@@ -1115,8 +1176,9 @@ export const hasVirtualRouterAddress = (interfaceNode: ConfigNode): boolean => {
  * @returns true if ip address is configured
  */
 export const hasIpAddress = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   return interfaceNode.children.some((child) =>
-    /^ip\s+address\s+\d+\.\d+\.\d+\.\d+/i.test(child.id)
+    child?.id && /^ip\s+address\s+\d+\.\d+\.\d+\.\d+/i.test(child.id)
   );
 };
@@ -1126,11 +1188,12 @@ export const hasIpAddress = (interfaceNode: ConfigNode): boolean => {
  * @returns true if interface is shutdown
  */
 export const isShutdown = (interfaceNode: ConfigNode): boolean => {
+  if (!interfaceNode?.children) return false;
   const hasShutdown = interfaceNode.children.some((child) =>
-    equalsIgnoreCase(child.id, 'shutdown')
+    child?.id && equalsIgnoreCase(child.id, 'shutdown')
   );
   const hasNoShutdown = interfaceNode.children.some((child) =>
-    equalsIgnoreCase(child.id, 'no shutdown')
+    child?.id && equalsIgnoreCase(child.id, 'no shutdown')
   );
   return hasShutdown && !hasNoShutdown;
 };
@@ -1141,8 +1204,9 @@ export const isShutdown = (interfaceNode: ConfigNode): boolean => {
  * @returns The description if configured, undefined otherwise
  */
 export const getInterfaceDescription = (interfaceNode: ConfigNode): string | undefined => {
+  if (!interfaceNode?.children) return undefined;
   const descCmd = interfaceNode.children.find((child) =>
-    startsWithIgnoreCase(child.id, 'description ')
+    child?.id && startsWithIgnoreCase(child.id, 'description ')
   );
   if (!descCmd) return undefined;
@@ -1155,8 +1219,9 @@ export const getInterfaceDescription = (interfaceNode: ConfigNode): string | und
  * @returns true if NTP server(s) are configured
  */
 export const hasNtpServer = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^ntp\s+server\s+/i.test(node.id)
+    /^ntp\s+server\s+/i.test(node?.id ?? '')
   );
 };
@@ -1166,8 +1231,9 @@ export const hasNtpServer = (ast: ConfigNode[]): boolean => {
  * @returns true if logging host is configured
  */
 export const hasLoggingHost = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^logging\s+host\s+/i.test(node.id)
+    /^logging\s+host\s+/i.test(node?.id ?? '')
   );
 };
@@ -1177,8 +1243,9 @@ export const hasLoggingHost = (ast: ConfigNode[]): boolean => {
  * @returns true if SNMP is configured
  */
 export const hasSnmpServer = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^snmp-server\s+/i.test(node.id)
+    /^snmp-server\s+/i.test(node?.id ?? '')
   );
 };
@@ -1188,8 +1255,9 @@ export const hasSnmpServer = (ast: ConfigNode[]): boolean => {
  * @returns true if AAA is configured
  */
 export const hasAaa = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^aaa\s+/i.test(node.id)
+    /^aaa\s+/i.test(node?.id ?? '')
   );
 };
@@ -1199,8 +1267,9 @@ export const hasAaa = (ast: ConfigNode[]): boolean => {
  * @returns true if spanning-tree is configured
  */
 export const hasSpanningTree = (ast: ConfigNode[]): boolean => {
+  if (!Array.isArray(ast)) return false;
   return ast.some((node) =>
-    /^spanning-tree\s+/i.test(node.id)
+    /^spanning-tree\s+/i.test(node?.id ?? '')
   );
 };
@@ -1210,11 +1279,12 @@ export const hasSpanningTree = (ast: ConfigNode[]): boolean => {
  * @returns The spanning-tree mode (mstp, rapid-pvst, none, etc.)
  */
 export const getSpanningTreeMode = (ast: ConfigNode[]): string | undefined => {
+  if (!Array.isArray(ast)) return undefined;
   const stpNode = ast.find((node) =>
-    /^spanning-tree\s+mode\s+/i.test(node.id)
+    /^spanning-tree\s+mode\s+/i.test(node?.id ?? '')
   );
   if (!stpNode) return undefined;
-  const match = stpNode.id.match(/spanning-tree\s+mode\s+(\S+)/i);
+  const match = stpNode?.id?.match(/spanning-tree\s+mode\s+(\S+)/i);
   return match ? match[1] : undefined;
 };