@sentriflow/core 0.2.0 → 0.2.1

package/src/helpers/paloalto/helpers.ts

@@ -14,8 +14,9 @@ export const findStanza = (
   node: ConfigNode,
   stanzaName: string
 ): ConfigNode | undefined => {
+  if (!node?.children) return undefined;
   return node.children.find(
-    (child) => child.id.toLowerCase() === stanzaName.toLowerCase()
+    (child) => child?.id?.toLowerCase() === stanzaName.toLowerCase()
   );
 };
 
@@ -26,7 +27,8 @@ export const findStanza = (
  * @returns Array of matching child nodes
  */
 export const findStanzas = (node: ConfigNode, pattern: RegExp): ConfigNode[] => {
-  return node.children.filter((child) => pattern.test(child.id.toLowerCase()));
+  if (!node?.children) return [];
+  return node.children.filter((child) => child?.id && pattern.test(child.id.toLowerCase()));
 };
 
 /**
@@ -102,8 +104,8 @@ export const isDenyRule = (ruleNode: ConfigNode): boolean => {
  */
 export const getSourceZones = (ruleNode: ConfigNode): string[] => {
   const from = findStanza(ruleNode, 'from');
-  if (!from) return [];
-  return from.children.map((child) => child.id.trim());
+  if (!from?.children) return [];
+  return from.children.map((child) => child?.id?.trim() ?? '').filter(Boolean);
 };
 
 /**
@@ -113,8 +115,8 @@ export const getSourceZones = (ruleNode: ConfigNode): string[] => {
  */
 export const getDestinationZones = (ruleNode: ConfigNode): string[] => {
   const to = findStanza(ruleNode, 'to');
-  if (!to) return [];
-  return to.children.map((child) => child.id.trim());
+  if (!to?.children) return [];
+  return to.children.map((child) => child?.id?.trim() ?? '').filter(Boolean);
 };
 
 /**
@@ -123,21 +125,22 @@ export const getDestinationZones = (ruleNode: ConfigNode): string[] => {
  * @returns Array of application names
  */
 export const getApplications = (ruleNode: ConfigNode): string[] => {
+  if (!ruleNode?.children) return [];
   // Check for "application" stanza with children
   const application = findStanza(ruleNode, 'application');
-  if (application && application.children.length > 0) {
-    return application.children.map((child) => child.id.trim());
+  if (application?.children && application.children.length > 0) {
+    return application.children.map((child) => child?.id?.trim() ?? '').filter(Boolean);
   }
 
   // Also check for inline "application <value>" commands
   const appCommands = ruleNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('application ')
+    child?.id?.toLowerCase().startsWith('application ')
   );
   if (appCommands.length > 0) {
     return appCommands.map((cmd) => {
-      const parts = cmd.id.split(/\s+/);
+      const parts = cmd?.id?.split(/\s+/) ?? [];
       return parts.slice(1).join(' ').replace(/;$/, '').trim();
-    });
+    }).filter(Boolean);
   }
 
   return [];
@@ -159,22 +162,23 @@ export const hasAnyApplication = (ruleNode: ConfigNode): boolean => {
  * @returns true if source is "any"
  */
 export const hasAnySource = (ruleNode: ConfigNode): boolean => {
+  if (!ruleNode?.children) return false;
   // Check for "source" stanza with children
   const source = findStanza(ruleNode, 'source');
-  if (source && source.children.length > 0) {
+  if (source?.children && source.children.length > 0) {
     return source.children.some((child) => {
-      const id = child.id.toLowerCase().trim().replace(/;$/, '');
+      const id = child?.id?.toLowerCase().trim().replace(/;$/, '');
       return id === 'any' || id === '0.0.0.0/0';
     });
   }
 
   // Also check for inline "source any" or "source <value>" commands
   const sourceCommands = ruleNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('source ')
+    child?.id?.toLowerCase().startsWith('source ')
   );
   if (sourceCommands.length > 0) {
     return sourceCommands.some((cmd) => {
-      const value = cmd.id.split(/\s+/).slice(1).join(' ').toLowerCase().replace(/;$/, '').trim();
+      const value = cmd?.id?.split(/\s+/).slice(1).join(' ').toLowerCase().replace(/;$/, '').trim();
       return value === 'any' || value === '0.0.0.0/0';
     });
   }
@@ -188,22 +192,23 @@ export const hasAnySource = (ruleNode: ConfigNode): boolean => {
  * @returns true if destination is "any"
  */
 export const hasAnyDestination = (ruleNode: ConfigNode): boolean => {
+  if (!ruleNode?.children) return false;
   // Check for "destination" stanza with children
   const destination = findStanza(ruleNode, 'destination');
-  if (destination && destination.children.length > 0) {
+  if (destination?.children && destination.children.length > 0) {
     return destination.children.some((child) => {
-      const id = child.id.toLowerCase().trim().replace(/;$/, '');
+      const id = child?.id?.toLowerCase().trim().replace(/;$/, '');
       return id === 'any' || id === '0.0.0.0/0';
     });
   }
 
   // Also check for inline "destination any" or "destination <value>" commands
   const destCommands = ruleNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('destination ')
+    child?.id?.toLowerCase().startsWith('destination ')
   );
   if (destCommands.length > 0) {
     return destCommands.some((cmd) => {
-      const value = cmd.id.split(/\s+/).slice(1).join(' ').toLowerCase().replace(/;$/, '').trim();
+      const value = cmd?.id?.split(/\s+/).slice(1).join(' ').toLowerCase().replace(/;$/, '').trim();
       return value === 'any' || value === '0.0.0.0/0';
     });
   }
@@ -217,22 +222,23 @@ export const hasAnyDestination = (ruleNode: ConfigNode): boolean => {
  * @returns true if service is "any"
  */
 export const hasAnyService = (ruleNode: ConfigNode): boolean => {
+  if (!ruleNode?.children) return false;
   // Check for "service" stanza with children
   const service = findStanza(ruleNode, 'service');
-  if (service && service.children.length > 0) {
+  if (service?.children && service.children.length > 0) {
     return service.children.some((child) => {
-      const id = child.id.toLowerCase().trim().replace(/;$/, '');
+      const id = child?.id?.toLowerCase().trim().replace(/;$/, '');
       return id === 'any';
     });
   }
 
   // Also check for inline "service any" or "service <value>" commands
   const serviceCommands = ruleNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('service ')
+    child?.id?.toLowerCase().startsWith('service ')
   );
   if (serviceCommands.length > 0) {
     return serviceCommands.some((cmd) => {
-      const value = cmd.id.split(/\s+/).slice(1).join(' ').toLowerCase().replace(/;$/, '').trim();
+      const value = cmd?.id?.split(/\s+/).slice(1).join(' ').toLowerCase().replace(/;$/, '').trim();
       return value === 'any';
     });
   }
@@ -261,7 +267,7 @@ export const getSecurityRules = (rulebaseNode: ConfigNode): ConfigNode[] => {
   if (!security) return [];
 
   const rules = findStanza(security, 'rules');
-  if (!rules) return [];
+  if (!rules?.children) return [];
 
   return rules.children;
 };
@@ -276,7 +282,7 @@ export const getNatRules = (rulebaseNode: ConfigNode): ConfigNode[] => {
   if (!nat) return [];
 
   const rules = findStanza(nat, 'rules');
-  if (!rules) return [];
+  if (!rules?.children) return [];
 
   return rules.children;
 };
@@ -288,7 +294,7 @@ export const getNatRules = (rulebaseNode: ConfigNode): ConfigNode[] => {
  */
 export const isHAConfigured = (deviceconfigNode: ConfigNode): boolean => {
   const ha = findStanza(deviceconfigNode, 'high-availability');
-  if (!ha) return false;
+  if (!ha?.children) return false;
   return ha.children.length > 0;
 };
 
@@ -420,7 +426,7 @@ export const parsePanosAddress = (
  */
 export const hasWildfireProfile = (profilesNode: ConfigNode): boolean => {
   const wildfire = findStanza(profilesNode, 'wildfire-analysis');
-  return wildfire !== undefined && wildfire.children.length > 0;
+  return wildfire !== undefined && (wildfire?.children?.length ?? 0) > 0;
 };
 
 /**
@@ -430,7 +436,7 @@ export const hasWildfireProfile = (profilesNode: ConfigNode): boolean => {
  */
 export const hasUrlFilteringProfile = (profilesNode: ConfigNode): boolean => {
   const urlFiltering = findStanza(profilesNode, 'url-filtering');
-  return urlFiltering !== undefined && urlFiltering.children.length > 0;
+  return urlFiltering !== undefined && (urlFiltering?.children?.length ?? 0) > 0;
 };
 
 /**
@@ -440,7 +446,7 @@ export const hasUrlFilteringProfile = (profilesNode: ConfigNode): boolean => {
  */
 export const hasAntiVirusProfile = (profilesNode: ConfigNode): boolean => {
   const virus = findStanza(profilesNode, 'virus');
-  return virus !== undefined && virus.children.length > 0;
+  return virus !== undefined && (virus?.children?.length ?? 0) > 0;
 };
 
 /**
@@ -450,7 +456,7 @@ export const hasAntiVirusProfile = (profilesNode: ConfigNode): boolean => {
  */
 export const hasAntiSpywareProfile = (profilesNode: ConfigNode): boolean => {
   const spyware = findStanza(profilesNode, 'spyware');
-  return spyware !== undefined && spyware.children.length > 0;
+  return spyware !== undefined && (spyware?.children?.length ?? 0) > 0;
 };
 
 /**
@@ -460,7 +466,7 @@ export const hasAntiSpywareProfile = (profilesNode: ConfigNode): boolean => {
  */
 export const hasVulnerabilityProfile = (profilesNode: ConfigNode): boolean => {
   const vuln = findStanza(profilesNode, 'vulnerability');
-  return vuln !== undefined && vuln.children.length > 0;
+  return vuln !== undefined && (vuln?.children?.length ?? 0) > 0;
 };
 
 /**
@@ -470,7 +476,7 @@ export const hasVulnerabilityProfile = (profilesNode: ConfigNode): boolean => {
  */
 export const hasFileBlockingProfile = (profilesNode: ConfigNode): boolean => {
   const fileBlocking = findStanza(profilesNode, 'file-blocking');
-  return fileBlocking !== undefined && fileBlocking.children.length > 0;
+  return fileBlocking !== undefined && (fileBlocking?.children?.length ?? 0) > 0;
 };
 
 /**
@@ -811,7 +817,7 @@ export const getLogForwardingStatus = (
   logSettingsNode: ConfigNode
 ): { hasSyslog: boolean; hasPanorama: boolean; hasEmail: boolean } => {
   const profiles = findStanza(logSettingsNode, 'profiles');
-  if (!profiles) {
+  if (!profiles?.children) {
     return { hasSyslog: false, hasPanorama: false, hasEmail: false };
   }
 
@@ -822,12 +828,12 @@ export const getLogForwardingStatus = (
   // Check each profile for forwarding destinations
   for (const profile of profiles.children) {
     const matchList = findStanza(profile, 'match-list');
-    if (matchList) {
+    if (matchList?.children) {
       for (const match of matchList.children) {
         if (findStanza(match, 'send-syslog')) hasSyslog = true;
         if (hasChildCommand(match, 'send-to-panorama')) {
           const cmd = getChildCommand(match, 'send-to-panorama');
-          if (cmd?.id.toLowerCase().includes('yes')) hasPanorama = true;
+          if (cmd?.id?.toLowerCase().includes('yes')) hasPanorama = true;
         }
         if (findStanza(match, 'send-email')) hasEmail = true;
       }
@@ -868,9 +874,9 @@ export const getUpdateScheduleStatus = (
   }
 
   return {
-    hasThreats: threats !== undefined && threats.children.length > 0,
-    hasAntivirus: antivirus !== undefined && antivirus.children.length > 0,
-    hasWildfire: wildfire !== undefined && wildfire.children.length > 0,
+    hasThreats: threats !== undefined && (threats?.children?.length ?? 0) > 0,
+    hasAntivirus: antivirus !== undefined && (antivirus?.children?.length ?? 0) > 0,
+    hasWildfire: wildfire !== undefined && (wildfire?.children?.length ?? 0) > 0,
     wildfireRealtime,
   };
 };
@@ -885,7 +891,7 @@ export const getDecryptionRules = (rulebaseNode: ConfigNode): ConfigNode[] => {
   if (!decryption) return [];
 
   const rules = findStanza(decryption, 'rules');
-  if (!rules) return [];
+  if (!rules?.children) return [];
 
   return rules.children;
 };
@@ -916,15 +922,19 @@ export const getInterfaceManagementServices = (
   ping: boolean;
   snmp: boolean;
 } => {
+  if (!profileNode?.children) {
+    return { https: false, http: false, ssh: false, telnet: false, ping: false, snmp: false };
+  }
   // Use exact matching with word boundary to avoid "https" matching "http"
   const isServiceEnabled = (serviceName: string): boolean => {
     // Look for exact service name followed by space/end (e.g., "http yes" not "https yes")
     const cmd = profileNode.children.find((child) => {
-      const lowerId = child.id.toLowerCase();
+      const lowerId = child?.id?.toLowerCase();
+      if (!lowerId) return false;
       // Match exact service name: "http yes", "http no", etc.
       return lowerId === serviceName || lowerId.startsWith(serviceName + ' ');
     });
-    if (!cmd) return false;
+    if (!cmd?.id) return false;
     return cmd.id.toLowerCase().includes('yes');
   };
 

package/src/helpers/vyos/helpers.ts

@@ -11,7 +11,8 @@ export { hasChildCommand, getChildCommand, getChildCommands, parseIp } from '../
  * Check if a VyOS interface is disabled (has "disable" statement)
  */
 export const isDisabled = (node: ConfigNode): boolean => {
-  return node.children.some((child) => child.id.toLowerCase().trim() === 'disable');
+  if (!node?.children) return false;
+  return node.children.some((child) => child?.id?.toLowerCase().trim() === 'disable');
 };
 
 /**
@@ -114,8 +115,9 @@ export const findStanza = (
   node: ConfigNode,
   stanzaName: string
 ): ConfigNode | undefined => {
+  if (!node?.children) return undefined;
   return node.children.find(
-    (child) => child.id.toLowerCase() === stanzaName.toLowerCase()
+    (child) => child?.id?.toLowerCase() === stanzaName.toLowerCase()
   );
 };
 
@@ -129,8 +131,9 @@ export const findStanzaByPrefix = (
   node: ConfigNode,
   prefix: string
 ): ConfigNode | undefined => {
+  if (!node?.children) return undefined;
   return node.children.find((child) =>
-    child.id.toLowerCase().startsWith(prefix.toLowerCase())
+    child?.id?.toLowerCase().startsWith(prefix.toLowerCase())
   );
 };
 
@@ -141,7 +144,8 @@ export const findStanzaByPrefix = (
  * @returns Array of matching child nodes
  */
 export const findStanzas = (node: ConfigNode, pattern: RegExp): ConfigNode[] => {
-  return node.children.filter((child) => pattern.test(child.id.toLowerCase()));
+  if (!node?.children) return [];
+  return node.children.filter((child) => child?.id && pattern.test(child.id.toLowerCase()));
 };
 
 /**
@@ -151,8 +155,9 @@ export const findStanzas = (node: ConfigNode, pattern: RegExp): ConfigNode[] =>
  * @returns Array of matching child nodes
  */
 export const findStanzasByPrefix = (node: ConfigNode, prefix: string): ConfigNode[] => {
+  if (!node?.children) return [];
   return node.children.filter((child) =>
-    child.id.toLowerCase().startsWith(prefix.toLowerCase())
+    child?.id?.toLowerCase().startsWith(prefix.toLowerCase())
   );
 };
 
@@ -162,8 +167,9 @@ export const findStanzasByPrefix = (node: ConfigNode, prefix: string): ConfigNod
  * @returns Array of ethernet interface nodes
  */
 export const getEthernetInterfaces = (interfacesNode: ConfigNode): ConfigNode[] => {
+  if (!interfacesNode?.children) return [];
   return interfacesNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('ethernet eth')
+    child?.id?.toLowerCase().startsWith('ethernet eth')
   );
 };
 
@@ -173,8 +179,9 @@ export const getEthernetInterfaces = (interfacesNode: ConfigNode): ConfigNode[]
  * @returns Array of vif nodes
  */
 export const getVifInterfaces = (interfaceNode: ConfigNode): ConfigNode[] => {
+  if (!interfaceNode?.children) return [];
   return interfaceNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('vif')
+    child?.id?.toLowerCase().startsWith('vif')
   );
 };
 
@@ -186,8 +193,10 @@ export const getVifInterfaces = (interfaceNode: ConfigNode): ConfigNode[] => {
 export const getFirewallDefaultAction = (
   rulesetNode: ConfigNode
 ): 'drop' | 'accept' | 'reject' | undefined => {
+  if (!rulesetNode?.children) return undefined;
   for (const child of rulesetNode.children) {
-    const id = child.id.toLowerCase().trim();
+    const id = child?.id?.toLowerCase().trim();
+    if (!id) continue;
     if (id.startsWith('default-action')) {
       if (id.includes('drop')) return 'drop';
       if (id.includes('accept')) return 'accept';
@@ -203,8 +212,9 @@ export const getFirewallDefaultAction = (
  * @returns Array of rule nodes
  */
 export const getFirewallRules = (rulesetNode: ConfigNode): ConfigNode[] => {
+  if (!rulesetNode?.children) return [];
   return rulesetNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('rule')
+    child?.id?.toLowerCase().startsWith('rule')
   );
 };
 
@@ -216,8 +226,10 @@ export const getFirewallRules = (rulesetNode: ConfigNode): ConfigNode[] => {
 export const getFirewallRuleAction = (
   ruleNode: ConfigNode
 ): 'drop' | 'accept' | 'reject' | undefined => {
+  if (!ruleNode?.children) return undefined;
   for (const child of ruleNode.children) {
-    const id = child.id.toLowerCase().trim();
+    const id = child?.id?.toLowerCase().trim();
+    if (!id) continue;
     if (id.startsWith('action')) {
       if (id.includes('drop')) return 'drop';
       if (id.includes('accept')) return 'accept';
@@ -233,8 +245,9 @@ export const getFirewallRuleAction = (
  * @returns true if translation is configured
  */
 export const hasNatTranslation = (ruleNode: ConfigNode): boolean => {
+  if (!ruleNode?.children) return false;
   return ruleNode.children.some((child) =>
-    child.id.toLowerCase().startsWith('translation')
+    child?.id?.toLowerCase().startsWith('translation')
   );
 };
 
@@ -244,8 +257,9 @@ export const hasNatTranslation = (ruleNode: ConfigNode): boolean => {
  * @returns true if SSH is configured
  */
 export const hasSshService = (serviceNode: ConfigNode): boolean => {
+  if (!serviceNode?.children) return false;
   return serviceNode.children.some((child) =>
-    child.id.toLowerCase().startsWith('ssh')
+    child?.id?.toLowerCase().startsWith('ssh')
   );
 };
 
@@ -255,8 +269,9 @@ export const hasSshService = (serviceNode: ConfigNode): boolean => {
  * @returns The SSH configuration node, or undefined
  */
 export const getSshConfig = (serviceNode: ConfigNode): ConfigNode | undefined => {
+  if (!serviceNode?.children) return undefined;
   return serviceNode.children.find((child) =>
-    child.id.toLowerCase().startsWith('ssh')
+    child?.id?.toLowerCase().startsWith('ssh')
   );
 };
 
@@ -266,8 +281,9 @@ export const getSshConfig = (serviceNode: ConfigNode): ConfigNode | undefined =>
  * @returns true if DHCP server is configured
  */
 export const hasDhcpServer = (serviceNode: ConfigNode): boolean => {
+  if (!serviceNode?.children) return false;
   return serviceNode.children.some((child) =>
-    child.id.toLowerCase().startsWith('dhcp-server')
+    child?.id?.toLowerCase().startsWith('dhcp-server')
   );
 };
 
@@ -277,8 +293,9 @@ export const hasDhcpServer = (serviceNode: ConfigNode): boolean => {
  * @returns The DNS configuration node, or undefined
  */
 export const getDnsConfig = (serviceNode: ConfigNode): ConfigNode | undefined => {
+  if (!serviceNode?.children) return undefined;
   return serviceNode.children.find((child) =>
-    child.id.toLowerCase().startsWith('dns')
+    child?.id?.toLowerCase().startsWith('dns')
   );
 };
 
@@ -288,8 +305,9 @@ export const getDnsConfig = (serviceNode: ConfigNode): ConfigNode | undefined =>
  * @returns true if NTP is configured
  */
 export const hasNtpConfig = (systemNode: ConfigNode): boolean => {
+  if (!systemNode?.children) return false;
   return systemNode.children.some((child) =>
-    child.id.toLowerCase().startsWith('ntp')
+    child?.id?.toLowerCase().startsWith('ntp')
   );
 };
 
@@ -299,8 +317,9 @@ export const hasNtpConfig = (systemNode: ConfigNode): boolean => {
  * @returns true if syslog is configured
  */
 export const hasSyslogConfig = (systemNode: ConfigNode): boolean => {
+  if (!systemNode?.children) return false;
   return systemNode.children.some((child) =>
-    child.id.toLowerCase().startsWith('syslog')
+    child?.id?.toLowerCase().startsWith('syslog')
   );
 };
 
@@ -310,8 +329,9 @@ export const hasSyslogConfig = (systemNode: ConfigNode): boolean => {
  * @returns The login configuration node, or undefined
  */
 export const getLoginConfig = (systemNode: ConfigNode): ConfigNode | undefined => {
+  if (!systemNode?.children) return undefined;
   return systemNode.children.find((child) =>
-    child.id.toLowerCase().startsWith('login')
+    child?.id?.toLowerCase().startsWith('login')
   );
 };
 
@@ -321,8 +341,9 @@ export const getLoginConfig = (systemNode: ConfigNode): ConfigNode | undefined =
  * @returns Array of user nodes
  */
 export const getUserConfigs = (loginNode: ConfigNode): ConfigNode[] => {
+  if (!loginNode?.children) return [];
   return loginNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('user')
+    child?.id?.toLowerCase().startsWith('user')
   );
 };
 
@@ -334,22 +355,24 @@ export const getUserConfigs = (loginNode: ConfigNode): ConfigNode[] => {
  */
 export const getSwitchPortMembers = (interfacesNode: ConfigNode): Set<string> => {
   const members = new Set<string>();
+  if (!interfacesNode?.children) return members;
 
   // Find all switch interfaces (switch switchX)
   const switches = interfacesNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('switch ')
+    child?.id?.toLowerCase().startsWith('switch ')
   );
 
   for (const switchNode of switches) {
+    if (!switchNode?.children) continue;
     // Find switch-port section
     const switchPort = switchNode.children.find((child) =>
-      child.id.toLowerCase() === 'switch-port'
+      child?.id?.toLowerCase() === 'switch-port'
     );
 
-    if (switchPort) {
+    if (switchPort?.children) {
       // Find all interface members (interface ethX)
       for (const child of switchPort.children) {
-        const match = child.id.toLowerCase().match(/^interface\s+(eth\d+)$/);
+        const match = child?.id?.toLowerCase().match(/^interface\s+(eth\d+)$/);
         if (match?.[1]) {
           members.add(match[1]);
         }
@@ -368,22 +391,24 @@ export const getSwitchPortMembers = (interfacesNode: ConfigNode): Set<string> =>
  */
 export const getBridgeMembers = (interfacesNode: ConfigNode): Set<string> => {
   const members = new Set<string>();
+  if (!interfacesNode?.children) return members;
 
   // Find all bridge interfaces (bridge brX)
   const bridges = interfacesNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('bridge ')
+    child?.id?.toLowerCase().startsWith('bridge ')
   );
 
   for (const bridgeNode of bridges) {
+    if (!bridgeNode?.children) continue;
     // Find member section
     const memberSection = bridgeNode.children.find((child) =>
-      child.id.toLowerCase() === 'member'
+      child?.id?.toLowerCase() === 'member'
     );
 
-    if (memberSection) {
+    if (memberSection?.children) {
       // Find all interface members within the member section
       for (const child of memberSection.children) {
-        const match = child.id.toLowerCase().match(/^interface\s+(\S+)$/);
+        const match = child?.id?.toLowerCase().match(/^interface\s+(\S+)$/);
         if (match?.[1]) {
           members.add(match[1]);
         }
@@ -402,22 +427,24 @@ export const getBridgeMembers = (interfacesNode: ConfigNode): Set<string> => {
  */
 export const getBondingMembers = (interfacesNode: ConfigNode): Set<string> => {
   const members = new Set<string>();
+  if (!interfacesNode?.children) return members;
 
   // Find all bonding interfaces (bonding bondX)
   const bonds = interfacesNode.children.filter((child) =>
-    child.id.toLowerCase().startsWith('bonding ')
+    child?.id?.toLowerCase().startsWith('bonding ')
   );
 
   for (const bondNode of bonds) {
+    if (!bondNode?.children) continue;
     // Find member section
     const memberSection = bondNode.children.find((child) =>
-      child.id.toLowerCase() === 'member'
+      child?.id?.toLowerCase() === 'member'
     );
 
-    if (memberSection) {
+    if (memberSection?.children) {
       // Find all interface members within the member section
       for (const child of memberSection.children) {
-        const match = child.id.toLowerCase().match(/^interface\s+(\S+)$/);
+        const match = child?.id?.toLowerCase().match(/^interface\s+(\S+)$/);
         if (match?.[1]) {
           members.add(match[1]);
         }

package/src/index.ts

@@ -18,6 +18,9 @@ export * from './pack-loader';
 // Pack Provider abstraction for cloud licensing extension
 export * from './pack-provider';
 
+// GRX2 Extended Pack Loader - for CLI and VS Code extension
+export * from './grx2-loader';
+
 // SEC-001: Declarative rules and sandboxed execution
 export * from './types/DeclarativeRule';
 export * from './engine/SandboxedExecutor';

package/src/pack-loader/PackLoader.ts

@@ -35,12 +35,31 @@ import { getAllVendorModules } from '../helpers';
  * All rule helpers merged into a single object for injection.
  * This allows compiled check functions to access helpers by name.
  * Dynamically built from the helpers module.
+ *
+ * IMPORTANT: Vendor modules may have colliding helper names (e.g., both Cisco
+ * and Cumulus export `hasBgpNeighborPassword` with different signatures).
+ * To handle this:
+ * 1. Vendor namespaces are added (e.g., `cisco.hasBgpNeighborPassword`)
+ * 2. For flat/short names, FIRST vendor wins (no overwrites)
+ *
+ * Rules should use namespaced helpers for vendor-specific functions.
  */
 function buildAllHelpers(): Record<string, unknown> {
     const result: Record<string, unknown> = { ...helpers };
     const vendorModules = getAllVendorModules();
-    for (const [_name, module] of Object.entries(vendorModules)) {
-        Object.assign(result, module);
+
+    for (const [name, module] of Object.entries(vendorModules)) {
+        // Add the entire vendor module under its namespace
+        // e.g., result.cisco = { hasBgpNeighborPassword, getBgpNeighbors, ... }
+        result[name] = module;
+
+        // Add flat/short names ONLY if not already present (first vendor wins)
+        // This prevents Cumulus from overwriting Cisco's hasBgpNeighborPassword
+        for (const [key, value] of Object.entries(module as Record<string, unknown>)) {
+            if (!(key in result)) {
+                result[key] = value;
+            }
+        }
     }
     return result;
 }
@@ -215,9 +234,13 @@ export async function loadEncryptedPack(
 /**
  * Generate helper names list for destructuring.
  * Cached to avoid recomputing on every function compilation.
+ *
+ * Includes:
+ * - All function helpers (flat names)
+ * - All vendor namespace objects (e.g., cisco, cumulus)
  */
 const helperNames = Object.keys(allHelpers).filter(
-    key => typeof allHelpers[key] === 'function'
+    key => typeof allHelpers[key] === 'function' || typeof allHelpers[key] === 'object'
 );
 const helperDestructure = helperNames.join(', ');
 
@@ -229,8 +252,10 @@ const helperDestructure = helperNames.join(', ');
  *
  * The function is wrapped to inject all rule helpers into scope, allowing
  * serialized check functions to use helpers like hasChildCommand, findStanza, etc.
+ *
+ * @public Exported for use by GRX2ExtendedLoader
  */
-function compileNativeCheckFunction(
+export function compileNativeCheckFunction(
     source: string
 ): (node: ConfigNode, ctx: Context) => ReturnType<IRule['check']> {
     // The source is trusted (from authenticated encrypted pack)